
Re: Sending unique/recognizable remailer keys to suspect mixminion users



On Sun, 2003-08-10 at 08:53, Thomas J. Boschloo wrote:
> Hello group, I wrote my own 'mixminion' protocol in February 2003
>  (IIRC), and a big problem that I couldn't solve was key-distribution
>  from the remailer to the user.

Hello again.  (If it's not too much to ask, please call the protocol you
design something different from 'Mixminion'.  I don't want to confuse
users.)

 [...]
> For my protocol this is fatal. But it also seems to apply to protocols
>  like Mixminion (I haven't read the paper recently, sorry) and
>  Mixmaster. A suspect Mixmaster user could be given a special key upon
>  key request. Then, upon faulty decryption with the 'normal' remailer
>  key, every planted 'suspect' key is tried and once it decrypts
>  successfully with one of these 'planted' keys, the whole chain up to
>  this point of decryption is compromised.

This is one of the reasons that Type III currently doesn't support key
retrieval from individual servers.  Instead, clients retrieve trees from
directory servers.

You asked a very similar question in February, when you said:

        > I think these things are very basic ingredients to any type of
        > public key communications, so what does Mixminion do to solve
        > a Key Tagging Attack as I will call it here?

and I outlined Mixminion's planned approach in
http://archives.seul.org/mixminion/dev/Feb-2003/msg00018.html :
        
        Our solution to this is to have directory servers, as described
        in the spec and the paper.  These servers keep a list of active
        Type III nodes, and act as pingers to check on node
        performance.  Once a day, the servers agree on a list of
        recommended nodes -- nodes which they believe will be good for
        at least the next 24 hours -- and publish a list of those nodes,
        their keys, and their capabilities.  This list is signed by
        *all* the directory servers.  If any directory server signs a
        different list, or a list with different keys, users will be
        able to tell that directory server is misbehaving.  The
        directory servers generate only a single directory, so every
        user will have the same official set of servers and keys.  In
        order to deceive any of the users, a majority of the directory
        servers must be corrupted or compromised. 
        
(The message in question goes into more detail.  Unfortunately, the
agreement protocol is still in the works, but I think we're getting
closer and closer.)

-- 
Nick

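
The client-side check implied by the directory scheme described in the message above, as an added example that is not part of the original post and not Mixminion code. It assumes each endorsement's signature has already been verified; the digest format, server names and node keys are hypothetical and constructed for illustration.

```python
import hashlib
from collections import defaultdict

def directory_digest(nodes):
    """SHA-256 over length-prefixed (nickname, key) pairs in sorted order."""
    h = hashlib.sha256()
    for name, key in sorted(nodes.items()):
        h.update(f"{len(name)}:{name}{len(key)}:{key}".encode())
    return h.hexdigest()

def check_directory(nodes, endorsements, dirservers):
    """Accept `nodes` only if every directory server endorsed exactly this list.

    endorsements: (server, digest) pairs whose signatures are assumed verified.
    Returns (accepted, problems) with one entry per misbehaving server.
    """
    mine = directory_digest(nodes)
    signed = defaultdict(set)
    for server, digest in endorsements:
        if server in dirservers:          # ignore signers we do not recognise
            signed[server].add(digest)
    problems = {}
    for server in sorted(dirservers):
        digests = signed.get(server, set())
        if not digests:
            problems[server] = "no signature"
        elif len(digests) > 1:
            problems[server] = "equivocation: signed more than one list"
        elif mine not in digests:
            problems[server] = "signed a different list"
    return (not problems, problems)

# Constructed sample data: three directory servers, two remailer nodes.
DIRSERVERS = {"dir1", "dir2", "dir3"}
OFFICIAL = {"alice": "key-A", "bob": "key-B"}
TAGGED = {"alice": "key-A", "bob": "key-B-planted"}   # key swapped for one user
GOOD = [(s, directory_digest(OFFICIAL)) for s in DIRSERVERS]
# dir3 hands the suspect a tagged list; dir1 and dir2 signed only the official one.
TAGGED_VIEW = [("dir1", directory_digest(OFFICIAL)),
               ("dir2", directory_digest(OFFICIAL)),
               ("dir3", directory_digest(TAGGED))]

if __name__ == "__main__":
    print(check_directory(OFFICIAL, GOOD, DIRSERVERS))
    print(check_directory(TAGGED, TAGGED_VIEW, DIRSERVERS))
    # Pooling endorsements seen by different users exposes the equivocating server.
    print(check_directory(OFFICIAL, GOOD + TAGGED_VIEW, DIRSERVERS))
```
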