IMPLEMENTATIONMODULES:v LIMESystem Modelv AttackersModulev DataLineage Generation Modulev OutsourcingModule MODULES DESCSRIPTION:LIMESystem Modelv Inthe first module, we develop the LIME System Model, which consists of systementities data owner, data consumer and auditor.consumerdv Theowner is responsible for the management of documents and the consumer receivesdocuments and can carry out some task using them. v Theauditor is not involved in the transfer of documents, he is only invoked when aleakage occurs and then performs all steps that are necessary to identify theleaker. v Allof the mentioned roles can have multiple instantiations when our model isapplied to a concrete setting. We refer to a concrete instantiation of ourmodel as scenario.
v Whendocuments are transferred from one owner to another one, we can assume that thetransfer is governed by a non-repudiation assumption. This means that thesending owner trusts the receiving owner to take responsibility if he shouldleak the document. As we consider consumers as untrusted participants in ourmodel, a transfer involving a consumer cannot be based on a non-repudiationassumption. Therefore, whenever a document is transferred to a consumer, thesender embeds information that uniquely identifies the recipient. We call thisfingerprinting. If the consumer leaks this document, it is possible to identifyhim with the help of the embedded information.
AttackersModulev Inthis module, we develop attackers in our model as consumers that take everypossible step to publish a document without being held accountable for theiractions. As the owner does not trust the consumer, he uses fingerprinting everytime he passes a document to a consumer. However, we assume that the consumertries to remove this identifying information in order to be able to publish thedocument safely. v Asalready mentioned previously, consumers might transfer a document to anotherconsumer, so we also have to consider the case of an untrusted sender. This isproblematic because a sending consumer who embeds an identifier and sends themarked version to the receiving consumer could keep a copy of this version,publish it and so frame the receiving consumer.
v Anotherpossibility to frame other consumers is to use fingerprinting on a documentwithout even performing a transfer and publish the resulting document.DataLineage Generation Modulev Theauditor is the entity that is used to find the guilty party in case of aleakage. He is invoked by the owner of the document and is provided with theleaked document. In order to find the guilty party, the auditor proceeds suchthat the auditor initially takes the owner as the current suspect.v Theauditor appends the current suspect to the lineage. The auditor sends theleaked document to the current suspect and asks him to provide the detectionkeys k1 and k2 for the watermarks in this document as well as the watermark.The auditor outputs the lineage.
The last entry is responsible for the leakage.OutsourcingModulev Inthis module, we develop a typical outsourcing scenario. An organization acts asowner and can outsource tasks to outsourcing companies which act as consumersin our model. It is possible that the outsourcing companies receive sensitivedata to work on and as the outsourcing companies are not necessarily trusted bythe organization, fingerprinting is used on transferred documents. v Theoutsourcing company itself can outsource tasks to other outsourcing companiesand thus relay the documents, again using fingerprinting. It is important tonotice that a single organization can outsource to may different outsourcingcompanies in parallel, thus creating a tree-shaped transfer diagram. v Ifnow at any point one of the involved outsourcing companies leaks a confidentialdocument, the organization can invoke the auditor to find the responsibleparty.
The auditor then asks the organization to reveal the first set offingerprints in the leaked document, which leads the auditor to one of theoutsourcing companies. This outsourcing company can in turn reveal additionalfingerprints in the leaked document in order to point to the next outsourcingcompany and to prove its own innocence.v Finally,the auditor creates the complete lineage and is able to determine the guiltyparty. The responsible party can be clearly found using LIME.