[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[freehaven-cvs] clean up the background section some
Update of /home/freehaven/cvsroot/doc/routing-zones
In directory moria.mit.edu:/home2/arma/work/freehaven/doc/routing-zones
Modified Files:
routing-zones.bib routing-zones.tex
Log Message:
clean up the background section some
Index: routing-zones.bib
===================================================================
RCS file: /home/freehaven/cvsroot/doc/routing-zones/routing-zones.bib,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -d -r1.5 -r1.6
--- routing-zones.bib 26 Jan 2004 09:15:25 -0000 1.5
+++ routing-zones.bib 26 Jan 2004 17:43:44 -0000 1.6
@@ -1,3 +1,13 @@
+@Misc{mixmaster-spec,
+ author = {Ulf M{\"o}ller and Lance Cottrell and Peter
+ Palfrader and Len Sassaman},
+ title = {Mixmaster {P}rotocol --- {V}ersion 2},
+ year = {2003},
+ month = {July},
+ howpublished = {Draft},
+ note = {\url{http://www.abditum.com/mixmaster-spec.txt}},
+}
+
@inproceedings{morphmix:fc04,
title = {Practical Anonymity for the Masses with MorphMix},
author = {Marc Rennhard and Bernhard Plattner},
Index: routing-zones.tex
===================================================================
RCS file: /home/freehaven/cvsroot/doc/routing-zones/routing-zones.tex,v
retrieving revision 1.9
retrieving revision 1.10
diff -u -d -r1.9 -r1.10
--- routing-zones.tex 26 Jan 2004 09:12:18 -0000 1.9
+++ routing-zones.tex 26 Jan 2004 17:43:44 -0000 1.10
@@ -125,7 +125,7 @@
attacks that each type of mix network must protect against. Because we
argue that designers of mix networks should, in certain cases, pay
attention to the IP-level path traversed by a path through a mix
-network, we provide some background on Internet routing.
+network, we also provide some background on Internet routing.
\subsection{Anonymity networks}
@@ -136,11 +136,12 @@
toward their destinations.
Subsequent anonymity systems have diverged in two directions. Systems
-like Babel \cite{babel} and Mixminion \cite{minion-design} aim to defend
-against powerful adversaries, but at the cost of high and variable
+like Babel \cite{babel}, Mixmaster \cite{mixmaster-spec}, and Mixminion
+\cite{minion-design} aim to defend against powerful adversaries, but at
+the cost of requiring high and variable
latency. Other systems, such as Onion Routing or its successor Tor
\cite{tor-design,or-jsac98}, support low-latency transactions such as
-web browsing at the cost of a weaker threat model.
+web browsing, but necessarily have a weaker threat model.
Anonymity networks aim to protect against a wide variety of both passive
and active attacks \cite{back01,raymond00}, but in this paper we do
@@ -148,31 +149,38 @@
we treat the network as a black box and consider only the endpoints
(entry node and exit node) for each given transaction. Endpoint
attacks include simple timing and counting attacks against
-low-latency systems \cite{SS03,defensive-dropping}, and long-term
+low-latency systems \cite{SS03}, and long-term
intersection or disclosure attacks against high-latency systems
\cite{disad-free-routes,statistical-disclosure,e2e-traffic}.
-Because the low-latency systems are so susceptible to endpoint attacks,
-
-We get away
-with this because endpoint attacks are sufficient to break anonymity,
-and because endpoint attacks are probably the best approach for our
-passive adversary.
-
-note that a successful endpoint attack against Mixminion takes a lot
-more time than a successful endpoint attack against Tor. so our work
-here is more clearly applicable to low-latency systems, but it still
-should have some impact on protecting high-latency systems from this
-adversary too.
+Our goal is to assess the risk from an adversary who controls one
+Internet routing zone, and consider protocol changes that will require
+the adversary to own at least two such zones to do any damage. Thus we
+consider only endpoint attacks---as we show above they can be sufficient
+to break anonymity, and without observing both endpoints the adversary
+cannot possibly learn about both the initiator (Alice) and the responder
+(Bob).
-mixmaster, mixminion, and tor are deployed networks with x,y,z nodes
-each.
+Note that a successful endpoint attack against a high-latency system like
+Mixminion takes a lot more time and effort than a successful endpoint
+attack against a low-latency system like Tor. Our work here is thus
+more clearly applicable to low-latency systems; but because even an
+observer of a few nodes may over time be able to break the anonymity of
+a high-latency mix network~\cite{e2e-traffic}, our work also has impact
+on protecting such high-latency systems from a one-zone adversary.
-just as with \cite{onion-routing:pet2000}, an adversary observing a zone
-with c nodes wins $\frac{c}{n}^2$ of the transactions with no effort.
+Onion Routing analysis~\cite{onion-routing:pet2000} has shown that
+an adversary controlling $c$ of the $n$ nodes in the network can use
+endpoint attacks to break $\frac{c}{n}$ of the transactions. In this
+case we consider an adversary who controls a single routing zone that
+contains $c$ of the $n$ nodes. By requiring the connection from Alice
+to the anonymity network and the connection from the anonymity network
+to Bob to travel over separate zones, as long as the two zones do not
+collude, we can bring this fraction of observed transactions to $0$.
-so if we can make a good improvement in protection with not too much
-effort, we should.
+Mixmaster, Mixminion, and Tor are deployed networks with dozens of
+nodes each. We will talk more about their path selection algorithms in
+Section~\ref{sec:path-selection}.
\subsection{Overview of Internet Routing and Topology}
***********************************************************************
To unsubscribe, send an e-mail to majordomo@seul.org with
unsubscribe freehaven-cvs in the body. http://freehaven.net/