[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-commits] [obfsproxy/master] Reformat threat model doc



commit 2bc1d70055dc35751f73bdda5c66dba37eec0778
Author: Nick Mathewson <nickm@xxxxxxxxxxxxxx>
Date:   Thu Dec 29 10:04:10 2011 -0500

    Reformat threat model doc
---
 doc/obfs2_threat_model.txt |   81 +++++++++++++++++++++++++------------------
 1 files changed, 47 insertions(+), 34 deletions(-)

diff --git a/doc/obfs2_threat_model.txt b/doc/obfs2_threat_model.txt
index 08385ae..ed2c694 100644
--- a/doc/obfs2_threat_model.txt
+++ b/doc/obfs2_threat_model.txt
@@ -1,50 +1,63 @@
-threat model:
+              Threat model for the obfs2 obfuscation protocol
 
-       Adversary capabilities:
+                              George Kadianakis
+                               Nick Mathewson
 
-The adversary controls the infrastructure of the network within her
-jurisdiction, and she can potentially monitor, block, alter, and
-inject traf�c anywhere within this region.
+0. Abstract
 
-The censor also holds a blacklist of network protocols, which she is
-interested in blocking.
+   We discuss the intended threat model for the 'obfs2' protocol
+   obfuscator, its limitations, and its implications for the protocol
+   design.
 
-      Adversary attacks:
+   The 'obfs2' protocol is based on Bruce Leidl's obfuscated SSH layer,
+   and is documented in the 'doc/protocol-spec.txt' file in the obfsproxy
+   distribution.
 
-The censor passively monitors traffic and looks for content
-signatures, in an attempt to distinguish network protocols. Upon
-detecting a blacklisted protocol, the censor blocks the connection.
+1. Adversary capabilities and goals
 
-     Goals of obfs2:
+   The adversary controls the infrastructure of the network within and
+   at the edges of her jurisdiction, and she can potentially monitor,
+   block, alter, and inject traf�c anywhere within this region.
 
-obfs2 attempts to counter the above attack by removing content
-signatures from network traffic. obfs2 encrypts the traffic stream
-with a stream cipher, which results in the traffic looking uniformly
-random.
+   The censor also holds a blacklist of network protocols, which she is
+   interested in blocking.
 
-     Discussion:
+2. Adversary attacks:
 
-obfs2 shortcomings:
+   The censor passively monitors traffic and looks for content
+   signatures, in an attempt to distinguish network protocols. Upon
+   detecting a blacklisted protocol, the censor blocks the connection.
 
-obfs2 was designed as a pluggable transports proof-of-concept: it is
-simple, useable and easily implementable. It does _not_ try to protect
-against sophisticated adversaries:
+3. Goals of obfs2
 
-obfs2 does not try to protect against Tor protocol fingerprints, like
-the packet size or packet timing.
+   obfs2 attempts to counter the above attack by removing content
+   signatures from network traffic. obfs2 encrypts the traffic stream
+   with a stream cipher, which results in the traffic looking uniformly
+   random.
 
-obfs2 does not try to protect against attackers capable of measuring
-traffic entropy.
+4. Discussion
 
-obfs2 does not try to protect against Deep Packet Inspection machines
-that expect the obfs2 protocol. Such machines can trivially retrieve
-the decryption key off the traffic stream and use it to decrypt obfs2
-and detect the Tor protocol.
+4.1. obfs2 shortcomings
 
-In other words, obfs2 does not try to protect against anything other
-than fingerprintable TLS content patterns.
+   obfs2 was designed as a pluggable transports proof-of-concept: it is
+   simple, useable and easily implementable. It does _not_ try to protect
+   against sophisticated adversaries:
 
-That said, obfs2 is not useless. It protects against many real-life
-Tor traffic detection methods currentl deployed, since most of them
-use static SSL handshake strings as signatures.
+   obfs2 does not try to protect against Tor protocol fingerprints, like
+   the packet size or packet timing.
+
+   obfs2 does not try to protect against attackers capable of measuring
+   traffic entropy.
+
+   obfs2 does not try to protect against Deep Packet Inspection machines
+   that expect the obfs2 protocol. Such machines can trivially retrieve
+   the decryption key off the traffic stream and use it to decrypt obfs2
+   and detect the Tor protocol.
+
+   In other words, obfs2 does not try to protect against anything other
+   than fingerprintable TLS content patterns.
+
+   That said, obfs2 is not useless. It protects against many real-life
+   Tor traffic detection methods currentl deployed, since most of them
+   use static SSL handshake strings as signatures.
 



_______________________________________________
tor-commits mailing list
tor-commits@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits