Protection Profiles for Remailer Mixes

  • Giovanni Iachello
  • Kai Rannenberg
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2009)


In the past independent IT security evaluation according to published criteria has not realized its potential for the assessment of privacy enhancing technologies (PETs). The main reason for this was, that PETs were not covered appropriately in the evaluation criteria. This situation has changed somewhat, and therefore this paper reports on a case study, in which we developed Protection Profiles for remailer mixes. One reason for the development of these Protection Profiles was to test the privacy related components in the new Evaluation Criteria for IT Security - Common Criteria (International Standard 15408, ECITS/CC) and to develop improvements. Another reason was to contribute to an independent evaluation of privacy enhancing technologies. The experiment shows, that the ECITS/CC enable PPs for remailer mixes, but that there are still improvements necessary. The paper presents the Protection Profiles and the structured threat analysis for mixes, on which the Protection Profiles are based.


Access Control Security Attribute Administrative Domain Component Description Privacy Enhance Technology 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    British Standards Institution: Code of practice for information security management (BS 7799-1: 1999); Specification for information security management systems (BS 7799-2: 1999)Google Scholar
  2. 3.
    Common Criteria Implementation Board: Common Criteria for IT Security Evaluation, V. 2.0, May 1998;
  3. 4.
    Common Criteria Implementation Board: Common Criteria for IT Security Evaluation, V. 2.1, August 1999; and
  4. 5.
    Common Criteria Project: List of Protection Profiles;
  5. 6.
    European Commission: IT Security Evaluation Criteria, V. 1.2; 1991-06-28; Office for Official Publications of the EC; also
  6. 7.
    Untraceable electronic mail, return addresses, and digital pseudonyms. Communications of the ACM, 1981, Vol. 24, No. 2, pp. 84–88CrossRefGoogle Scholar
  7. 8.
    Chris Corbett: ITSEC in Operation-an Evaluation Experience, Proc. 4th Annual Canadian Computer Security Conference, May 1992, Ottawa, Canada, pp. 439–460Google Scholar
  8. 9.
    Lance Cottrell: Mixmaster & Remailer Attacks;
  9. 10.
    Privacy Protection and Data Security task Force of the German Society for Informatics: Statement of Observations concerning the Information Technology Security Evaluation Criteria (ITSEC) V1.2; 24 February 1992, edited in Data Security Letter, No 32, April 1992Google Scholar
  10. 11.
    Giovanni Iachello: Single Mix Protection Profile, Revision 1.11, May 1999;
  11. 12.
    Giovanni Iachello: Protection Profile for an Unobservable Message Delivery Application using Mixes, Revision 1.7, June 1999;
  12. 13.
    Giovanni Iachello: User-Oriented Protection Profile for an Unobservable Message Delivery Application using Mix networks, Revision 2.4, June 1999;
  13. 14.
    Giovanni Iachello: IT Security Evaluation Criteria, and Advanced Technologies for Multilateral Security-The Mix Example; Tesi di Laurea; Universität Freiburg, Institut für Informatik und Gesellschaft, Abt. Telematik and Università degli Studi di Padova; June 1999;
  14. 15.
    ISO/IEC: Guidelines for the management of IT security (GMITS); Parts 1–5; Technical Report 13335 (part 5 still under development)Google Scholar
  15. 16.
    ISO/IEC: Evaluation Criteria for IT Security (ECITS), Parts 1–3; International Standard 15408;1999-12–16Google Scholar
  16. 17.
    Anja Jerichow, Jan Müller, Andreas Pfitzmann, Birgit Pfitzmann, Michael Waidner: Real-Time Mixes: A Bandwidth-Efficient Anonymity Protocol; IEEE Journal on Selected Areas in Communications 16/4 (May 1998) 495–509CrossRefGoogle Scholar
  17. 18.
    Kai Rannenberg: Recent Development in Information Technology Security Evaluation-The Need for Evaluation Criteria for multilateral Security; in Richard Sizer, Louise Yngström, Henrik Kaspersen und Simone Fischer-Hübner: Security and Control of Information Technology in Society-Proceedings of the IFIP TC9/WG 9.6 Working Conference August 12–17, 1993, onboard M/S Ilich and ashore at St. Petersburg, Russia;NorthHolland, Amsterdam 1994, pp. 113–128; ISBN 0-444-81831-6Google Scholar
  18. 19.
    Kai Rannenberg: What can IT Security Certification do for Multilateral Security? pp. 515–530 in Günter Müller, Kai Rannenberg: Multilateral Security in Communications-Technology, Infrastructure, Economy; Addison-Wesley-Longman, München, Reading (Massachusetts)::: 1999; ISBN 3-8273-1360-0Google Scholar
  19. 20.
    M. K. Reiter and A. D. Rubin. Crowds: Anonymity for web transactions. ACM Transactions on Information and System Security 1(1):66–92, November 1998.CrossRefGoogle Scholar
  20. 21.
    Paul F. Syverson, David M. Goldschlag, Michael G. Reed: Anonymous connections and onion routing; in: Proceedings of the 1997 IEEE Symposium on Security and Privacy; IEEE Pres, Piscataway NJGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2001

Authors and Affiliations

  • Giovanni Iachello
    • 1
  • Kai Rannenberg
    • 2
  1. 1.Telematics, IIGFreiburg UniversityGermany
  2. 2.Microsoft Research CambridgeUK

Personalised recommendations