
[freehaven-cvs] make the threat model not suck



Update of /home/freehaven/cvsroot/doc/routing-zones
In directory moria.mit.edu:/home2/arma/work/freehaven/doc/routing-zones

Modified Files:
	routing-zones.bib routing-zones.tex 
Log Message:
make the threat model not suck


Index: routing-zones.bib
===================================================================
RCS file: /home/freehaven/cvsroot/doc/routing-zones/routing-zones.bib,v
retrieving revision 1.12
retrieving revision 1.13
diff -u -d -r1.12 -r1.13
--- routing-zones.bib	27 Jan 2004 18:48:13 -0000	1.12
+++ routing-zones.bib	27 Jan 2004 22:03:11 -0000	1.13
@@ -4,6 +4,15 @@
   note = {\url{http://www.palfrader.org/echolot/}},
 }
 
+@techreport{freedom21-security,
+  title = {Freedom Systems 2.1 Security Issues and Analysis}, 
+  author = {Adam Back and Ian Goldberg and Adam Shostack}, 
+  institution = {Zero Knowledge Systems, {Inc.}}, 
+  year = {2001}, 
+  month = {May}, 
+  type = {White Paper}, 
+}
+
 @misc{riot-remap,
   author = {Riot Admin},
   title = {The Remailer Geographical Mapping Project},
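
Review bot: The added field lines of the `freedom21-security` entry (title through type) each end with a trailing space after the comma, and `month = {May}` is a braced literal where BibTeX's predefined macro `month = may` would let the bibliography style abbreviate or format the month itself. Suggest stripping the trailing whitespace and using the macro form. The entry's key is cited by the routing-zones.tex change in this same commit, so the key spelling here should stay as it is.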

Index: routing-zones.tex
===================================================================
RCS file: /home/freehaven/cvsroot/doc/routing-zones/routing-zones.tex,v
retrieving revision 1.24
retrieving revision 1.25
diff -u -d -r1.24 -r1.25
--- routing-zones.tex	27 Jan 2004 18:48:13 -0000	1.24
+++ routing-zones.tex	27 Jan 2004 22:03:11 -0000	1.25
@@ -151,7 +151,8 @@
 Mixminion~\cite{minion-design} aim to defend against powerful adversaries,
 but at
 the cost of requiring high and variable latency. Other systems, such as
-Onion Routing or its successor Tor~\cite{tor-design,or-jsac98}, support
+Onion Routing or its successor Tor~\cite{tor-design,or-jsac98} and the
+Freedom network~\cite{freedom21-arch}, support
 low-latency transactions such as web browsing, but necessarily have a
 weaker threat model.
 
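Review bot: The added `\cite{freedom21-arch}` uses a key that this commit does not define; the routing-zones.bib change in the same commit adds only `freedom21-security`. Please confirm that `freedom21-arch` already exists in the bibliography, since otherwise this line produces an undefined citation. The subject of the sentence also now reads "Onion Routing or its successor Tor ... and the Freedom network ..., support", which mixes "or" and "and"; a comma-separated list of the three systems would read more cleanly.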
@@ -328,53 +329,49 @@
 We aim to improve anonymity against an adversary who can monitor a single
 AS. Such an adversary might be a curious ISP or a corrupt law enforcement
 officer abusing his subpoena powers.
-
 This threat model is based on the assumption that the ability to control
 more than one AS is significantly more rare, either because far fewer
 ISPs exist that control multiple ASes, or because law enforcement will
 be less willing to face the increased accountability and risk associated
 with obtaining multiple unapproved subpoenas.
+%By requiring the adversary to control multiple ASes, we raise the
+%bar for breaking the anonymity of the system.
 
-By requiring the adversary to control multiple ASes, we raise the
-bar for breaking the anonymity of the system. To understand more,
-we must consider which attacks are easiest and most effective
-against different classes of anonymity network. We divide
-attacks into network attacks and endpoint attacks, as described in
-Section~\ref{subsec:background-anonymity}. Intra-network attacks exploit
-design issues in the protocol to reduce Alice's anonymity set. For
-example, an adversary who learns the first half of Alice's path in a
-\emph{high-latency} network like Mixmaster learns where to make his next
-phone call to track Alice's recipient.
-
-Such intra-network attacks are also applicable to \emph{low-latency}
-networks like Tor. Paths are short in these networks to
-maintain usability---typically they are 3 hops, to 
-
-
-
-
-
-
-endpoint attacks can be sufficient
-to break anonymity,
+To investigate further, we must consider which attacks are most
+effective against different classes of anonymity network. We divide
+attacks into intra-network attacks and endpoint attacks, as described
+in Section~\ref{subsec:background-anonymity}.
 
-Note that a successful endpoint attack against a high-latency system like
-Mixmaster takes a lot more time and effort than a successful endpoint
-attack against a low-latency system like Tor. Our work here is thus
-more clearly applicable to low-latency systems; but because even an
-observer of a few nodes may over time be able to break the anonymity of
-a high-latency mix network~\cite{e2e-traffic}, our work also has impact
-on protecting such high-latency systems from a one-zone adversary.
+Most clearly successful is the endpoint attack on low-latency networks:
+an adversary observing both Alice and Bob can quickly learn that they
+are communicating. Onion Routing analysis~\cite{onion-routing:pet2000}
+has shown that an adversary observing $c$ of the $n$ nodes in the network
+can use endpoint attacks to break $\frac{c}{n}$ of the transactions. By
+requiring the connection from Alice to the anonymity network and the
+connection from the anonymity network to Bob to travel over separate
+ASes, as long as the ASes do not collude, we can prevent all of these
+observed transactions.
 
-Onion Routing analysis~\cite{onion-routing:pet2000} has shown that
-an adversary controlling $c$ of the $n$ nodes in the network can use
-endpoint attacks to break $\frac{c}{n}$ of the transactions. In this
-case we consider an adversary who controls a single routing zone that
-contains $c$ of the $n$ nodes. By requiring the connection from Alice
-to the anonymity network and the connection from the anonymity network
-to Bob to travel over separate zones, as long as the two zones do not
-collude, we can bring this fraction of observed transactions to $0$.
+Intra-network attacks on low-latency networks can also be useful. In
+particular, paths in Tor and the (no longer deployed) Freedom protocol
+are generally 3 hops---short enough to maintain usability, but not so
+short that two nodes can be certain of linking Alice to Bob if they
+decide to collude~\cite{freedom21-security,tor-design}. An adversary
+who can observe two links on the path breaks this assumption. If such
+an adversary is common, these designs should reconsider path length.
 
+A successful endpoint attack against a high-latency system like
+Mixmaster takes a lot more time and effort than one against a low-latency
+system like Tor. But because an observer of even a few nodes may over
+time be able to link Alice to her recipients~\cite{e2e-traffic}, our
+work also has impact on protecting such high-latency systems from a
+one-AS adversary.  Further, intra-network observations on Mixmaster,
+along with flooding messages into the network~\cite{trickle} or
+just waiting for periods of low normal traffic, may be able to aid
+the attack by partitioning the set of messages that mix with Alice's
+message~\cite{disad-free-routes,minion-design}. As a simple example,
+an adversary who learns the first half of Alice's path learns where to
+make his next phone call to track Alice's recipient.
 
 \section{Modeling Techniques}
 
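Review bot: In the rewritten endpoint-attack paragraph, the $\frac{c}{n}$ result is now stated for an adversary "observing $c$ of the $n$ nodes" and the removed sentence that tied those $c$ nodes to a single routing zone is gone, so the step from the node-counting result to the one-AS adversary is no longer stated. The closing phrase "we can prevent all of these observed transactions" also reads as if the transactions themselves are prevented; the old wording ("bring this fraction of observed transactions to $0$") said what is meant. Suggest restoring one sentence that maps the AS adversary onto the $c$ observed nodes and rewording the conclusion in terms of the fraction of transactions the adversary can link. Two smaller points: the `%By requiring the adversary ...` lines are left commented out rather than deleted, and dropping the blank line after "subpoena powers." merges the adversary definition and its justification into one paragraph, which is worth confirming as intended.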
