System Model

v In
the first module, we develop the LIME System Model.

v The
owner is responsible for the management of documents and the consumer receives
documents and can carry out some task using them.

v The
auditor is not involved in the transfer of documents, he is only invoked when a
leakage occurs and then performs all steps that are necessary to identify the

v When
documents are transferred from one owner to another one, we can assume that the
transfer is governed by a non-repudiation assumption. This means that the
sending owner trusts the receiving owner to take responsibility if he should
leak the document. As we consider consumers as untrusted participants in our
model, a transfer involving a consumer cannot be based on a non-repudiation
assumption. Therefore, whenever a document is transferred to a consumer, the
sender embeds information that uniquely identifies the recipient. We call this
fingerprinting. If the consumer leaks this document, it is possible to identify
him with the help of the embedded information.


v In
this module, we develop attackers in our model as consumers that take every
possible step to publish a document without being held accountable for their
actions. As the owner does not trust the consumer, he uses fingerprinting every
time he passes a document to a consumer. However, we assume that the consumer
tries to remove this identifying information in order to be able to publish the
document safely.

v As
already mentioned previously, consumers might transfer a document to another
consumer, so we also have to consider the case of an untrusted sender. This is
problematic because a sending consumer who embeds an identifier and sends the
marked version to the receiving consumer could keep a copy of this version,
publish it and so frame the receiving consumer.

v Another
possibility to frame other consumers is to use fingerprinting on a document
without even performing a transfer and publish the resulting document.