# [or-cvs] throw down the gauntlet.

Update of /home2/or/cvsroot/tor/doc/design-paper
In directory moria.mit.edu:/home2/arma/work/onion/cvs/tor/doc/design-paper

Modified Files:
challenges.tex tor-design.bib
Log Message:
throw down the gauntlet.

Index: challenges.tex
===================================================================
RCS file: /home2/or/cvsroot/tor/doc/design-paper/challenges.tex,v
retrieving revision 1.28
retrieving revision 1.29
diff -u -d -r1.28 -r1.29
--- challenges.tex	31 Jan 2005 09:09:15 -0000	1.28
+++ challenges.tex	1 Feb 2005 10:31:14 -0000	1.29
@@ -235,6 +235,7 @@
% this para should probably move to the scalability / directory system. -RD

\section{Threat model}
+\label{sec:threat-model}

Tor does not attempt to defend against a global observer.  Any adversary who
can see a user's connection to the Tor network, and who can see the
@@ -243,8 +244,8 @@
communication partners.  Defeating this attack would seem to require
introducing a prohibitive degree of traffic padding between the user and the
network, or introducing an unacceptable degree of latency (but see
-\ref{subsec:mid-latency} below).  Thus, Tor only
-attempts to defend against external observers who can observe both sides of a
+Section \ref{subsec:mid-latency}).  Thus, Tor only
+attempts to defend against external observers who cannot observe both sides of a
user's connection.

Against internal attackers, who sign up Tor servers, the situation is more
@@ -279,7 +280,7 @@
% Sure. In fact, better off, since they seem to scale more easily. -rd

in practice tor's threat model is based entirely on the goal of dispersal
-and diversity. george and steven describe an attack \cite{draft} that
+and diversity. george and steven describe an attack \cite{attack-tor-oak05} that
lets them determine the nodes used in a circuit; yet they can't identify
alice or bob through this attack. so it's really just the endpoints that
remain secure. and the enclave model seems particularly threatened by
@@ -317,43 +318,75 @@

\subsection{Image and security}

-Image: substantial non-infringing uses. Image is a security parameter,
-since it impacts user base and perceived sustainability.
-
-good uses are kept private, bad uses are publicized. not good.
-
-Public perception, and thus advertising, is a security parameter.
-
-users do not correlate to anonymity. arma will do this.
-Communicating security levels to the user
-A Tor gui, how jap's gui is nice but does not reflect the security
-they provide.
-
-\subsection{Usability and bandwidth and sustainability and incentives}
+A growing field of papers argue that usability for anonymity systems
+contributes directly to their security, because how usable the system
+is impacts the possible anonymity set~\cite{back01,econymics}. Or
+conversely, an unusable system attracts few users and thus can't provide
+much anonymity.

-low-pain-threshold users go away until all users are willing to use it
+This phenomenon has a second-order effect: knowing this, users should
+choose which anonymity system to use based in part on how usable
+\emph{others} will find it, in order to get the protection of a larger
+anonymity set. Thus we might replace the adage usability is a security
+parameter''~\cite{back01} with a new one: perceived usability is a
+security parameter.'' From here we can better understand the effects
+of publicity and advertising on security: the more convincing your
+advertising, the more likely people will believe you have users, and thus
+the more users you will attract. Perversely, over-hyped systems (if they
+are not too broken) may be a better choice than modestly promoted ones,
+if the hype attracts more users~\cite{usability-network-effect}.

-Sustainability. Previous attempts have been commercial which we think
-adds a lot of unnecessary complexity and accountability. Freedom didn't
-collect enough money to pay its servers; JAP bandwidth is supported by
-continued money, and they periodically ask what they will do when it
-dries up.
+So it follows that we should come up with ways to accurately communicate
+the available security levels to the user, so she can make informed
+decisions. Dresden's JAP project aims to do this, by including a
+comforting anonymity meter' dial in the software's graphical interface,
+giving the user an impression of the level of protection for her current
+traffic.

-"outside of academia, jap has just lost, permanently"
+However, there's a catch. For users to share the same anonymity set,
+they need to act like each other. An attacker who can distinguish
+a given user's traffic from the rest of the traffic will not be
+distracted by other users on the network. For high-latency systems like
+Mixminion, where the threat model is based on mixing messages with each
+other, there's an arms race between end-to-end statistical attacks and
+counter-strategies~\cite{statistical-disclosure,minion-design,e2e-traffic,trickle02}.
+But for low-latency systems like Tor, end-to-end \emph{traffic
+confirmation} attacks~\cite{danezis-pet2004,SS03,defensive-dropping}
+allow an attacker who watches or controls both ends of a communication
+to use statistics to correlate packet timing and volume, quickly linking
+the initiator to her destination. This is why Tor's threat model is
+based on preventing the adversary from observing both the initiator and
+the responder.

-Usability: fc03 paper was great, except the lower latency you are the
-less useful it seems it is.
+Like Tor, the current JAP implementation does not pad connections
+(apart from using small fixed-size cells for transport). In fact,
+its cascade-based network toplogy may be even more vulnerable to these
+attacks, because the network has fewer endpoints. JAP was born out of
+every user had a fixed bandwidth allocation, but in its current context
+would be prohibitively expensive.\footnote{Even if they could find and
+maintain extra funding to run higher-capacity nodes, our experience with
+users suggests that many users would not accept the increased per-user
+bandwidth requirements, leading to an overall much smaller user base. But
+see Section \ref{subsec:mid-latency}.} Therefore, since under this threat
+model the number of concurrent users does not seem to have much impact
+on the anonymity provided, we suggest that JAP's anonymity meter is not
+correctly communicating security levels to its users.

-[nick will write this section]
+On the other hand, while the number of active concurrent users may not
+matter as much as we'd like, it still helps to have some other users
+who use the network. We investigate this issue in the next section.

\subsection{Reputability}

-Yet another factor in the safety of a given network is its reputability:
-the perception of its social value based on its current users. If I'm
-the only user of a system, it might be socially accepted, but I'm not
-getting any anonymity. Add a thousand Communists, and I'm anonymous,
-but everyone thinks I'm a Commie. Add a thousand random citizens (cancer
-survivors, privacy enthusiasts, and so on) and now I'm hard to profile.
+Another factor impacting the network's security is its reputability:
+the perception of its social value based on its current user base. If I'm
+the only user who has ever downloaded the software, it might be socially
+accepted, but I'm not getting much anonymity. Add a thousand Communists,
+and I'm anonymous, but everyone thinks I'm a Commie. Add a thousand
+random citizens (cancer survivors, privacy enthusiasts, and so on)
+and now I'm harder to profile.

The more cancer survivors on Tor, the better for the human rights
activists. The more script kiddies, the worse for the normal users. Thus,
@@ -370,11 +403,30 @@
network used entirely by cancer survivors might welcome some Communists
onto the network, though of course they'd prefer a wider variety of users.

+Reputability becomes even more tricky in the case of privacy networks,
+since the good uses of the network (such as publishing by journalists in
+dangerous countries) are typically kept private, whereas network abuses
+or other problems tend to be more widely publicized.
+
The impact of public perception on security is especially important
during the bootstrapping phase of the network, where the first few
widely publicized uses of the network can dictate the types of users it
attracts next.

+\subsection{Usability and bandwidth and sustainability and incentives}
+
+low-pain-threshold users go away until all users are willing to use it
+
+Sustainability. Previous attempts have been commercial which we think
+adds a lot of unnecessary complexity and accountability. Freedom didn't
+collect enough money to pay its servers; JAP bandwidth is supported by
+continued money, and they periodically ask what they will do when it
+dries up.
+
+"outside of academia, jap has just lost, permanently"
+
+[nick will write this section]
+
\subsection{Tor and file-sharing}

[nick will write this section]

Index: tor-design.bib
===================================================================
RCS file: /home2/or/cvsroot/tor/doc/design-paper/tor-design.bib,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -d -r1.7 -r1.8
--- tor-design.bib	31 Jan 2005 09:09:15 -0000	1.7
+++ tor-design.bib	1 Feb 2005 10:31:14 -0000	1.8
@@ -1151,12 +1151,24 @@
title = {Synchronous Batching: From Cascades to Free Routes},
author = {Roger Dingledine and Vitaly Shmatikov and Paul Syverson},
booktitle = {Proceedings of Privacy Enhancing Technologies workshop (PET 2004)},
+  editor = {David Martin and Andrei Serjantov},
year = {2004},
month = {May},
series = {LNCS},
note = {\url{http://freehaven.net/doc/sync-batching/sync-batching.pdf}},
}

+@InProceedings{e2e-traffic,
+  author = "Nick Mathewson and Roger Dingledine",
+  title = "Practical Traffic Analysis: Extending and Resisting Statistical Disclosure",
+  booktitle= {Privacy Enhancing Technologies (PET 2004)},
+  editor = {David Martin and Andrei Serjantov},
+  month = {May},
+  year = {2004},
+  series = {LNCS},
+  note = {\url{http://freehaven.net/doc/e2e-traffic/e2e-traffic.pdf}},
+}
+
@Misc{dtls,
author =      {E. Rescorla and N. Modadugu},
title =       {{Datagram Transport Layer Security}},
@@ -1166,6 +1178,14 @@
note =        {\url{http://www.ietf.org/internet-drafts/draft-rescorla-dtls-02.txt}},
}

+@InProceedings{usability-network-effect,
+   author={Roger Dingledine and Nick Mathewson},
+   title={Anonymity Loves Company: Usability and the Network Effect},
+   booktitle = {Designing Security Systems That People Can Use},
+   year = {2005},
+   publisher = {O'Reilly Media},
+}
+
%%% Local Variables:
%%% mode: latex
%%% TeX-master: "tor-design"

`