Lineage Generation Module
the first module, we develop the LIME System Model, which consists of system
entities data owner, data consumer and auditor. There are three different roles
that can be assigned to the involved parties in LIME: data owner, data consumer
data owner is responsible for the management of documents and the consumer
receives documents and can carry out some task using them.
auditor is not involved in the transfer of documents, he is only invoked when a
leakage occurs and then performs all steps that are necessary to identify the
of the mentioned roles can have multiple instantiations when our model is
applied to a concrete setting. We refer to a concrete instantiation of our
model as scenario.
documents are transferred from one owner to another one, we can assume that the
transfer is governed by a non-repudiation assumption. This means that the
sending owner trusts the receiving owner to take responsibility if he should
leak the document. As we consider consumers as untrusted participants in our
model, a transfer involving a consumer cannot be based on a non-repudiation
assumption. Therefore, whenever a document is transferred to a consumer, the
sender embeds information that uniquely identifies the recipient. We call this
fingerprinting. If the consumer leaks this document, it is possible to identify
him with the help of the embedded information.
this module, we develop attackers in our model as consumers that take every
possible step to publish a document without being held accountable for their
actions. As the owner does not trust the consumer, he uses fingerprinting every
time he passes a document to a consumer. However, we assume that the consumer
tries to remove this identifying information in order to be able to publish the
already mentioned previously, consumers might transfer a document to another
consumer, so we also have to consider the case of an untrusted sender. This is
problematic because a sending consumer who embeds an identifier and sends the
marked version to the receiving consumer could keep a copy of this version,
publish it and so frame the receiving consumer.
possibility to frame other consumers is to use fingerprinting on a document
without even performing a transfer and publish the resulting document.
Lineage Generation Module
auditor is the entity that is used to find the guilty party in case of a
leakage. He is invoked by the owner of the document and is provided with the
leaked document. In order to find the guilty party, the auditor proceeds such
that the auditor initially takes the owner as the current suspect.
auditor appends the current suspect to the lineage. The auditor sends the
leaked document to the current suspect and asks him to provide the detection
keys k1 and k2 for the watermarks in this document as well as the watermark.
The auditor outputs the lineage. The last entry is responsible for the leakage.
this module, we develop a typical outsourcing scenario. An organization acts as
owner and can outsource tasks to outsourcing companies which act as consumers
in our model. It is possible that the outsourcing companies receive sensitive
data to work on and as the outsourcing companies are not necessarily trusted by
the organization, fingerprinting is used on transferred documents.
outsourcing company itself can outsource tasks to other outsourcing companies
and thus relay the documents, again using fingerprinting. It is important to
notice that a single organization can outsource to may different outsourcing
companies in parallel, thus creating a tree-shaped transfer diagram.
now at any point one of the involved outsourcing companies leaks a confidential
document, the organization can invoke the auditor to find the responsible
party. The auditor then asks the organization to reveal the first set of
fingerprints in the leaked document, which leads the auditor to one of the
outsourcing companies. This outsourcing company can in turn reveal additional
fingerprints in the leaked document in order to point to the next outsourcing
company and to prove its own innocence.
the auditor creates the complete lineage and is able to determine the guilty
party. The responsible party can be clearly found using LIME.