
[freehaven-cvs] move the threat model to the top; more work on backg...



Update of /home/freehaven/cvsroot/doc/routing-zones
In directory moria.mit.edu:/home2/arma/work/freehaven/doc/routing-zones

Modified Files:
	routing-zones.tex 
Log Message:
move the threat model to the top; more work on background


Index: routing-zones.tex
===================================================================
RCS file: /home/freehaven/cvsroot/doc/routing-zones/routing-zones.tex,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -d -r1.5 -r1.6
--- routing-zones.tex	18 Jan 2004 07:39:55 -0000	1.5
+++ routing-zones.tex	19 Jan 2004 17:51:54 -0000	1.6
@@ -50,7 +50,7 @@
 \cite{defensive-dropping,SS03}.
 
 Anonymity designs use three major strategies to mitigate these attacks.
-\begin{itemize}
+\begin{tightlist}
 \item {\bf{Batching and pooling:}} The network collects a group of input
 messages and reorders them before they exit, to prevent the adversary
 from learning which message in the batch originated from a given sender
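Review bot: `tightlist` is not a standard LaTeX environment, so the switch from `\begin{itemize}` to `\begin{tightlist}` at the top of this hunk only compiles if the preamble (not shown in this diff) defines it; if it comes from a local style file, check that file in alongside routing-zones.tex, since the matching `\end{tightlist}` in the next hunk depends on the same definition.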
@@ -72,15 +72,19 @@
 both endpoints for a given communication can entirely block some
 attacks on low-latency networks, and slow down intersection attacks on
 high-latency networks.
-\end{itemize}
+\end{tightlist}
 
 Dispersal can be achieved by increasing the number of nodes in the
 network, so an adversary of a given strength sees less of the network
-\cite{econymics,bennett:pet2003}; by arranging the overlay topology so
-messages can enter or exit at more places in the network \cite{something};
+\cite{econymics,bennett:pet2003,morphmix:fc04}; by arranging the overlay
+topology so messages can enter or exit at more places in the network
+(e.g. as opposed to a cascade topology \cite{disad-free-routes});
 or by \emph{jurisdictional arbitrage} --- coordinating network behavior
 so each transaction includes zones (e.g. jurisdictions) controlled by
-several different adversaries \cite{something}.
+several different adversaries.
+% would be nice to cite something for jurisdictional arbitrage, but i
+% seem to be the only person who's said that phrase in a paper, and
+% i think it would look bad.
 
 In this paper we investigate a variant of jurisdictional arbitrage
 based on Internet routing zones. By taking into account the topology
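Review bot: the parenthetical `(e.g. as opposed to a cascade topology \cite{disad-free-routes})` reads awkwardly because "e.g." promises an example but what follows is a contrast; consider `(e.g. a free-route topology rather than a cascade \cite{disad-free-routes})`. The `%` comment explaining why no citation follows "jurisdictional arbitrage" is a reasonable TODO, but the sentence now asserts the strategy with no support; if the phrase really has no prior use, say so in the text ("we call this jurisdictional arbitrage") rather than leaving the claim bare.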
@@ -88,6 +92,23 @@
 are to certain classes of adversary, and take steps to decrease that
 vulnerability. Specifically, we show <the things that we learn later>.
 
+\section{Threat Model}
+
+We aim to improve anonymity against an adversary who can monitor a single
+AS. Such an adversary might be a curious ISP or a corrupt law enforcement
+officer abusing his subpoena powers.
+
+This threat model is based on the assumption that the ability to control
+more than one AS is significantly more rare, either because far fewer
+ISPs exist that control multiple ASs,
+% Is that true?
+or because law enforcement will be less willing to face the increased
+accountability and risk associated with obtaining multiple unapproved
+subpoenas. 
+
+By requiring the adversary to control multiple ASs, we raise the bar
+for breaking the anonymity of the system.
+
 \section{Background}
 
 In this section, we provide necessary background information on
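Review bot: the new section says the adversary can "monitor a single AS" but its last sentence speaks of needing to "control multiple ASs", and the Background text in the next hunk calls this "our passive adversary"; state once whether the adversary only observes traffic crossing its AS or can also inject and drop, since the endpoint timing attacks cited later need only observation. The `% Is that true?` comment marks the central assumption (that ISPs controlling several ASs are rare) as unverified; it should be resolved with data before the rest of the paper leans on it. Also, moving this section above Background means "AS" is now used before the routing overview defines it; expand to "autonomous system (AS)" on first use here.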
@@ -100,15 +121,44 @@
 
 \subsection{Anonymity networks}
 
-describe nested crypts, and mix networks in general, to show the endpoint
-attack is the right issue
+Chaum \cite{chaum81} proposed hiding the correspondence between sender
+and recipient by wrapping messages in layers of public-key cryptography,
+and relaying them through a path composed of \emph{mixes}. Each mix
+in turn decrypts, delays, and re-orders messages, before relaying them
+toward their destinations.
 
-	- High-latency vs. low-latency anonymity networks, and the
-	  different assumptions that are reasonable to make in each case
-	  => conclusion is that for low-latency stuff, you can't mix
-	     arbitrarily.  this is the domain where our approach is most
-	     applicable
-but also similarly useful for high-latency systems
+Subsequent anonymity systems have diverged in two directions. Systems
+like Babel \cite{babel} and Mixminion \cite{minion-design} aim to defend
+against powerful adversaries, but at the cost of high and variable
+latency. Other systems, such as Onion Routing or its successor Tor
+\cite{tor-design,or-jsac98}, support low-latency transactions such as
+web browsing at the cost of a weaker threat model.
+
+Anonymity networks aim to protect against a wide variety of both passive
+and active attacks \cite{back01,raymond00}, but in this paper we do
+not consider the details of the anonymity network itself. Instead,
+we treat the network as a black box and consider only the endpoints
+(entry node and exit node) for each given transaction. Endpoint
+attacks include simple timing and counting attacks against
+low-latency systems \cite{SS03,defensive-dropping}, and long-term
+intersection or disclosure attacks against high-latency systems
+\cite{disad-free-routes,statistical-disclosure,e2e-traffic}.
+
+Because the low-latency systems are so susceptible to endpoint attacks,
+
+We get away
+with this because endpoint attacks are sufficient to break anonymity,
+and because endpoint attacks are probably the best approach for our
+passive adversary.
+
+note that a successful endpoint attack against Mixminion takes a lot
+more time than a successful endpoint attack against Tor. so our work
+here is more clearly applicable to low-latency systems, but it still
+should have some impact on protecting high-latency systems from this
+adversary too.
+
+mixmaster, mixminion, and tor are deployed networks with x,y,z nodes
+each.
 
 just as with \cite{onion-routing:pet2000}, an adversary observing a zone
 with c nodes wins $\frac{c}{n}^2$ of the transactions with no effort.
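Review bot: the fragment `Because the low-latency systems are so susceptible to endpoint attacks,` is left unfinished, and the following paragraph opens `We get away with this because` with no clear antecedent for "this" (it seems to mean treating the network as a black box two paragraphs earlier); either join the two into one sentence or drop the fragment. The draft notes from `note that a successful endpoint attack` through `x,y,z nodes each` will be typeset as body text; comment them out with `%` until the node counts are filled in. In the trailing context lines, `$\frac{c}{n}^2$` attaches the exponent to the fraction ambiguously; write `$\left(\frac{c}{n}\right)^2$` (or `$(c/n)^2$`) so it clearly reads as the squared fraction.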
@@ -118,7 +168,6 @@
 
 \subsection{Overview of Internet Routing and Topology}
 
-
 Our overall goal is to determine the networks that packets will
 traverse between each node of a mix-net.  To do this, we must first
 understand how packets are routed between two arbitrary hosts on the
@@ -179,7 +228,7 @@
 policy}, rather than on shortest paths.  For example, an AS will
 typically prefer to route traffic to a destination via one of its
 customers (who pays it for connectivity) than via one of its providers
-(who it must pay to send traffic towards) or one of its peers.  In
+(whom it must pay to send traffic towards) or one of its peers.  In
 Figure~\ref{fig:policy_summary}, an AS will typically prefer a route to
 a destination via its customer, if one exists, over one through a peer
 or a provider.  These relationships also determine which routes one AS
@@ -245,23 +294,6 @@
 selection.  Finally, we present our techniques for estimating the
 AS-level path between two arbitrary hosts on the Internet.
 
-\subsection{Threat Model}
-
-We aim to improve anonymity against an adversary who can monitor a single
-AS. Such an adversary might be a curious ISP or a corrupt law enforcement
-officer abusing his subpoena powers.
-
-This threat model is based on the assumption that the ability to control
-more than one AS is significantly more rare, either because far fewer
-ISPs exist that control multiple ASs,
-% Is that true?
-or because law enforcement will be less willing to face the increased
-accountability and risk associated with obtaining multiple unapproved
-subpoenas.
-
-By requiring the adversary to control multiple ASs, we raise the bar
-for breaking the anonymity of the system.
-
 \subsection{Mix Networks}
 	A. Overview of how systems like Tor select mix nodes, and our
 	   approximation of this (for the purposes of analyzing the
