
Re: [ANN] M.0.0.3rc2: Reply block issue



Dear Nick and All,

This has popped up in the past, but at the time it was a theoretical issue 
while now we have an actual implementation. 

Executive summary: I believe, and I need others' opinions on this, that it
is important that a user-specified tag should be attached to each SURB,
and revealed when a reply is decoded.

Long version: Think of the following scenario: I (George) send two 
anonymous messages to Nick and Roger, pretending to be Grace and Glory 
respectively. Both messages contain some reply blocks so that Nick and 
Roger can reply to me. 

Roger and Nick are good friends and believe that Grace and Glory are 
actually the same woman (well, man in this case). In order to test this, 
Nick gives his reply block to Roger, who, using it, writes an email to 
Glory. I receive the email, as Glory, and I reply as if nothing wrong had 
happened. Therefore their hypothesis that Grace is indeed Glory is 
confirmed. 

The solution to this problem is to 'bound' SURBs to particular pseudonyms 
(in a very loose sense). Therefore in the TAG field of the SURB I include 
'To: Glory' and 'To: Grace' respectively. When I receive the email from 
Roger, writing to Glory, the decoded message is clearly addressed 'To: 
Grace' and this cannot be modified by the network. Therefore I know that I 
should reply saying 'I am sorry Roger, you must be mistaken. I am not 
Glory, but Grace'.

The above is actually related to a security policy that we have thought 
of and published at the end of the IH2001 paper:
http://www.cl.cam.ac.uk/~rnc1/Patterns_of_Failure.pdf
It is advocating strict compartments between what the pseudonyms and 
the real person know, and analyzes other information flows using covert 
channel analysis. 

The above is quite important if one wants to build more complex systems on 
top of the mixminion implementation in python.

Let me know what you think,

George
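
The pseudonym-bound tag proposed in this message, as an added sketch that is not part of the original email and is not Mixminion code. The class, its method names and the nonce-plus-HMAC tag construction are assumptions for illustration; the email only asks that a user-specified tag travel with each SURB, be revealed on decoding, and not be modifiable by the network.

```python
import hashlib
import hmac
import os


class PseudonymTagger:
    """Toy model (hypothetical): one real user, several pseudonyms, one tag key."""

    def __init__(self, pseudonyms, key=None):
        self.pseudonyms = list(pseudonyms)
        self.key = key or os.urandom(32)

    def _mac(self, nonce, pseudonym):
        return hmac.new(self.key, nonce + pseudonym.encode(), hashlib.sha256).digest()[:16]

    def make_tag(self, pseudonym):
        """Tag for a SURB issued under `pseudonym`; opaque without the key."""
        if pseudonym not in self.pseudonyms:
            raise ValueError("unknown pseudonym")
        nonce = os.urandom(16)
        return nonce + self._mac(nonce, pseudonym)

    def bound_pseudonym(self, tag):
        """Pseudonym the SURB was issued under, or None if the tag is invalid."""
        if len(tag) != 32:
            return None
        nonce, mac = tag[:16], tag[16:]
        for name in self.pseudonyms:
            if hmac.compare_digest(mac, self._mac(nonce, name)):
                return name
        return None

    def handle_reply(self, tag, addressed_to):
        """Decide which identity, if any, may answer a decoded reply."""
        bound = self.bound_pseudonym(tag)
        if bound is None:
            return ("drop", None)              # forged or modified tag
        if bound != addressed_to:
            return ("linking-attempt", bound)  # answer only as `bound`
        return ("answer", bound)


def demo():
    # Constructed scenario from the email: Roger borrows the SURB Nick got from Grace.
    george = PseudonymTagger(["Grace", "Glory"])
    surb_for_nick = george.make_tag("Grace")
    surb_for_roger = george.make_tag("Glory")
    return (george.handle_reply(surb_for_roger, "Glory"),
            george.handle_reply(surb_for_nick, "Glory"))
```

In this sketch the tag is a fresh nonce plus a keyed MAC, so two SURBs issued under different pseudonyms cannot be linked by comparing their tags, and the recipient needs no per-SURB state to recover the binding.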