
[freehaven-cvs] shift the threat model,



Update of /home/freehaven/cvsroot/doc/routing-zones
In directory moria.mit.edu:/home2/arma/work/freehaven/doc/routing-zones

Modified Files:
	routing-zones.tex 
Log Message:
shift the threat model,
mention that morphmix is broken,
fix node selection


Index: routing-zones.tex
===================================================================
RCS file: /home/freehaven/cvsroot/doc/routing-zones/routing-zones.tex,v
retrieving revision 1.20
retrieving revision 1.21
diff -u -d -r1.20 -r1.21
--- routing-zones.tex	27 Jan 2004 07:47:33 -0000	1.20
+++ routing-zones.tex	27 Jan 2004 07:49:04 -0000	1.21
@@ -37,12 +37,15 @@
 Specifically, we implement a variant of a recently proposed technique
 that passively estimates the AS-level path between two arbitrary
 end-hosts without having access to either end of the path. Using this
-technique, we analyze the AS-level paths that are likely to result
+technique, we analyze the AS-level paths that are likely to be used
 in two deployed anonymity networks: Mixmaster and Tor. We find several
 cases in each network where multiple nodes are in the same administrative
 domain. Further, many paths between nodes, and between nodes and popular
 endpoints, traverse the same domains.
 
+we show that the designs in tarzan and morphmix to ensure node
+independence by examining IP prefix are ineffective
+
 We define a \emph{jurisdictional independence} metric to characterize
 the vulnerability of an anonymity network to this adversary, assess
 the stability of the two networks (how much vulnerability
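Review bot: the new abstract paragraph ("we show that the designs in tarzan and morphmix ...") is not a finished sentence: it starts lowercase, has no terminating period, and does not capitalize the system names, so it reads as a draft note dropped into the abstract. It also states flatly that the mechanism is "ineffective", while the evaluation section only claims the prefix-based mechanisms are "in general, ineffective" and do not necessarily increase jurisdictional independence. Suggest: "We also show that the IP-prefix-based node selection used by Tarzan and MorphMix to ensure node independence does not reliably achieve it."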
@@ -133,24 +136,6 @@
 vulnerability to eavesdropping does not decrease proportionally with the
 number of mix nodes in the path.
 
-\section{Threat Model}
-\label{sec:threat-model}
-
-We aim to improve anonymity against an adversary who can monitor a single
-AS. Such an adversary might be a curious ISP or a corrupt law enforcement
-officer abusing his subpoena powers.
-
-This threat model is based on the assumption that the ability to control
-more than one AS is significantly more rare, either because far fewer
-ISPs exist that control multiple ASes,
-% Is that true?
-or because law enforcement will be less willing to face the increased
-accountability and risk associated with obtaining multiple unapproved
-subpoenas. 
-
-By requiring the adversary to control multiple ASes, we raise the bar
-for breaking the anonymity of the system.
-
 \section{Background}
 
 In this section, we provide necessary background information on
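Review bot: moving the section drops the "% Is that true?" comment that flagged the claim that "far fewer ISPs exist that control multiple ASes", but the relocated text in the new Section~\ref{sec:threat-model} restates that claim unchanged. The open question should travel with the text (or be settled with a citation or with data from the AS analysis) rather than silently disappear in the move.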
@@ -188,33 +173,9 @@
 intersection or disclosure attacks against high-latency systems
 \cite{disad-free-routes,statistical-disclosure,e2e-traffic}.
 
-Our goal is to assess the risk from an adversary who controls one
-Internet routing zone, and consider protocol changes that will require
-the adversary to own at least two such zones to do any damage. Thus we
-consider only endpoint attacks---as we show above they can be sufficient
-to break anonymity, and without observing both endpoints the adversary
-cannot possibly learn about both the initiator (Alice) and the responder
-(Bob).
-
-Note that a successful endpoint attack against a high-latency system like
-Mixmaster takes a lot more time and effort than a successful endpoint
-attack against a low-latency system like Tor. Our work here is thus
-more clearly applicable to low-latency systems; but because even an
-observer of a few nodes may over time be able to break the anonymity of
-a high-latency mix network~\cite{e2e-traffic}, our work also has impact
-on protecting such high-latency systems from a one-zone adversary.
-
-Onion Routing analysis~\cite{onion-routing:pet2000} has shown that
-an adversary controlling $c$ of the $n$ nodes in the network can use
-endpoint attacks to break $\frac{c}{n}$ of the transactions. In this
-case we consider an adversary who controls a single routing zone that
-contains $c$ of the $n$ nodes. By requiring the connection from Alice
-to the anonymity network and the connection from the anonymity network
-to Bob to travel over separate zones, as long as the two zones do not
-collude, we can bring this fraction of observed transactions to $0$.
-
-Mixmaster, Mixminion, and Tor are deployed networks with dozens of
-nodes each. We will describe their path selection algorithms in
+Mixmaster, Mixminion, and Tor are deployed networks with
+dozens of nodes each. We will describe their threat models in
+Section~\ref{sec:threat-model} and their path selection algorithms in
 Section~\ref{sec:path-selection}.
 
 {\bf XXX talk about http://riot.eu.org/anon/remap.html here, since it's
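Review bot: the rewritten sentence promises that Section~\ref{sec:threat-model} will "describe their threat models", but in this revision that section's two subsections are, respectively, cut off mid-sentence and empty, so the forward reference points at content that does not yet exist. Either soften the promise ("We describe the adversary we consider in Section~\ref{sec:threat-model}") or mark the new section with a {\bf XXX} note, as is done for the remap.html item just above, so the gap is not lost.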
@@ -359,6 +320,59 @@
 need to make further modeling assumptions, which we describe in
 Section~\ref{sec:mix_aspath}.
 
+\section{Threat Models}
+\label{sec:threat-model}
+
+We aim to improve anonymity against an adversary who can monitor a single
+AS. Such an adversary might be a curious ISP or a corrupt law enforcement
+officer abusing his subpoena powers.
+
+This threat model is based on the assumption that the ability to control
+more than one AS is significantly more rare, either because far fewer
+ISPs exist that control multiple ASes, or because law enforcement will
+be less willing to face the increased accountability and risk associated
+with obtaining multiple unapproved subpoenas.
+
+By requiring the adversary to control multiple ASes, we raise the bar
+for breaking the anonymity of the system. But we must consider the two
+types of anonymity network separately.
+
+\subsection{High-latency anonymity networks}
+
+Deployed remailer networks use latency and batching to
+
+
+
+\subsection{Low-latency anonymity networks}
+
+
+
+Our goal is to assess the risk from an adversary who controls one
+Internet routing zone, and consider protocol changes that will require
+the adversary to own at least two such zones to do any damage. Thus we
+consider only endpoint attacks---as we show above they can be sufficient
+to break anonymity, and without observing both endpoints the adversary
+cannot possibly learn about both the initiator (Alice) and the responder
+(Bob).
+
+Note that a successful endpoint attack against a high-latency system like
+Mixmaster takes a lot more time and effort than a successful endpoint
+attack against a low-latency system like Tor. Our work here is thus
+more clearly applicable to low-latency systems; but because even an
+observer of a few nodes may over time be able to break the anonymity of
+a high-latency mix network~\cite{e2e-traffic}, our work also has impact
+on protecting such high-latency systems from a one-zone adversary.
+
+Onion Routing analysis~\cite{onion-routing:pet2000} has shown that
+an adversary controlling $c$ of the $n$ nodes in the network can use
+endpoint attacks to break $\frac{c}{n}$ of the transactions. In this
+case we consider an adversary who controls a single routing zone that
+contains $c$ of the $n$ nodes. By requiring the connection from Alice
+to the anonymity network and the connection from the anonymity network
+to Bob to travel over separate zones, as long as the two zones do not
+collude, we can bring this fraction of observed transactions to $0$.
+
+
 \section{Modeling Techniques}
 
 In this section, we describe how we model mix-nets and Internet routing
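Review bot: in the new \section{Threat Models}, the High-latency subsection ends mid-sentence ("use latency and batching to") and the Low-latency subsection has no text of its own before the three paragraphs moved from the Background section; those paragraphs cover both kinds of network (the second one contrasts Mixmaster with Tor and says the work "also has impact on protecting such high-latency systems"), so they now sit under the wrong heading. Suggest finishing or XXX-marking the high-latency paragraph and placing the three general paragraphs above the \subsection split, or splitting the "Note that a successful endpoint attack ..." paragraph between the two subsections. The sentence "we must consider the two types of anonymity network separately" then needs a subsection body under each heading to deliver on it. Also, the closing $\frac{c}{n} \to 0$ claim holds only for endpoint attacks by a single zone that does not collude with the other; since the Background section cites intersection and disclosure attacks against high-latency systems, say explicitly that the bound does not cover those.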
@@ -383,20 +397,14 @@
 to avoid needing to deal with abuse complaints.)
 
 We abstract away the details of fetching this list: assume Alice ends up
-with a set $N$ of possible choices, of which $E \subset N$ are exit nodes.
-First she picks the last node on her path, at random, from $E$. In the
-case of Mixmaster, she then picks an entry node at random from $N$,
-and she's done. In Tor, she picks from the set $N$ minus the exit node
-she just picked. Note that we also abstract away the details of picking
-internal path nodes; see Section~\ref{subsec:background-anonymity}.
-
-%That is, in Mixmaster,
-%you could pick the same node with probability $(1/|N|)(1/|E|)$. Whereas
-%in Tor you never do.
+with a set $N$ of possible choices, of which $E \subseteq N$ are exit nodes.
+We also assume that all nodes in the network are listed as working.
 
-%I would guess for large or widespread adversaries the two strategies
-%will be approximately equivalent, but that's something to find out
-%rather than something to assume. :)
+To build a path of length $\ell$, Alice first picks an exit node at
+random from $E$, and then picks the other $\ell-1$ nodes from $N$. In the
+\emph{remailer network} case she picks nodes such that no node appears
+twice in a row; in the \emph{onion routing} case she picks nodes such
+that no node appears twice anywhere in the path.
 
 \subsection{AS-level Mix Network Path Estimation}\label{sec:mix_aspath}
 
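Review bot: the new path-selection text fixes the choice of the other $\ell-1$ nodes as uniform from $N$ and drops the sentence that deferred internal-node selection to Section~\ref{subsec:background-anonymity}, but it does not say that uniform choice is a modeling simplification rather than what the deployed clients do; state that next to "We also assume that all nodes in the network are listed as working", which is the same kind of assumption. The deleted comment that the remailer and onion-routing strategies may be "approximately equivalent" for large or widespread adversaries and that this is "something to find out rather than something to assume" is an open question that should survive as a TODO or be answered in the results rather than removed. The $E \subset N$ to $E \subseteq N$ correction is right, since a network where every node exits is a valid instance.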
@@ -618,11 +626,13 @@
 independence in node placement; it is clear from our survey of Mixmaster
 and Tor that these types of prefix-based mechanisms are, in general,
 ineffective, and they can lead the user of the mix network into a false
-sense of security.  For example, Tarzan suggests subdividing the node
+sense of security.  For example, Tarzan and MorphMix suggest subdividing
+the node
 space into {\tt /16} prefixes, and subsequently into {\tt /24} prefixes
 and selecting nodes from distinct subsets of the IP prefix space to
 reduce the likelihood that two mix nodes are in the jurisdiction of a
-single AS~\cite{freedman:ccs02}.  Unfortunately, this technique does not
+single AS~\cite{freedman:ccs02,morphmix:fc04}.  Unfortunately, this
+technique does not
 necessarily increase the likelihood of jurisdictional independence: of
 the five pairs Mixmaster nodes that are located in the same AS, three of
 these pairs (those in ASes 3269, 7132, and 23504) not only have distinct
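Review bot: adding MorphMix to this sentence attributes the two-level {\tt /16}-then-{\tt /24} subdivision to both systems, but only the Tarzan citation (\cite{freedman:ccs02}) is known from this text to describe that exact scheme; verify against \cite{morphmix:fc04} whether MorphMix's rule is the same two-level one or a single prefix-distinctness condition, and if it differs, describe the two separately ("Tarzan subdivides ...; MorphMix similarly requires ..."). Also check that the new {\tt morphmix:fc04} key is present in the bibliography, since this hunk introduces it. Unrelated to the change but on a context line: "of the five pairs Mixmaster nodes" is missing "of".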
