[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[freehaven-cvs]

To: freehaven-cvs@xxxxxxxxxxxxx
Subject: [freehaven-cvs]
From: rabbi@xxxxxxxx
Date: Sat, 11 Mar 2006 14:19:26 -0500 (EST)
Delivered-to: archiver@seul.org
Delivered-to: freehaven-cvs-outgoing@seul.org
Delivered-to: freehaven-cvs@seul.org
Delivery-date: Sat, 11 Mar 2006 14:19:30 -0500
Reply-to: freehaven-dev@xxxxxxxxxxxxx
Sender: owner-freehaven-cvs@xxxxxxxxxxxxx
Update of /home2/freehaven/cvsroot/doc/pingers
In directory moria:/tmp/cvs-serv31282

Modified Files:
	leuchtfeuer.tex 
Log Message:
...


Index: leuchtfeuer.tex
===================================================================
RCS file: /home2/freehaven/cvsroot/doc/pingers/leuchtfeuer.tex,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -d -r1.4 -r1.5
--- leuchtfeuer.tex	11 Mar 2006 18:51:58 -0000	1.4
+++ leuchtfeuer.tex	11 Mar 2006 19:19:24 -0000	1.5
@@ -78,11 +78,11 @@
 \label{pingers}
 
 Mix-nets are intended to protect users' anonymity and conceal their communication patterns.
-In a distributed-trust anonymity system such as this, the user must trust that the \emph{system} will provide these protections, but is not required to trust all of the individual nodes themselves. Mix-nets consist of \emph{mixes} which accept input traffic in the form of messages encrypted to the mix's public key, then they delay and reorder the traffic, and forward it onward to its pre-addressed destination. Messages are sent through user-selected\footnote{Or client-selected.} chains of mixes, with each message typically encrypted and addressed, in a nested fashion, to three to five mixes in the mix-net. The security of the system is based on the premise that a user's traffic may be safely routed through nodes which the attacker controls, as long as the user's client has selected a path through the network that includes a sufficient number of honest nodes. Multiple distributed-trust mix-net variants have been deployed on the Internet since the early 1990's. 
+In a distributed-trust anonymity system such as this, the user must trust that the \emph{system} will provide these protections, but is not required to trust all of the individual nodes themselves. Mix-nets consist of \emph{mixes} which accept input traffic in the form of messages encrypted to the mix's public key, then they delay and reorder the traffic, finally forwarding it onward to its pre-addressed destination. Messages are sent through user-selected\footnote{Or client-selected.} chains of mixes, with each message typically encrypted and addressed, in a nested fashion, to three to five mixes in the mix-net. The security of the system is based on the premise that a user's traffic may be safely routed through nodes which the attacker controls, as long as the user's client has selected a path through the network that includes a sufficient number of honest nodes. Multiple distributed-trust mix-net variants have been deployed on the Internet since the early 1990's. 
 
 The components of the extant mix-nets are operated on a volunteer basis, often by parties unknown to the users. Since many volunteer operators lack the resources to offer the same level of high-availability access assurance as commercial network service providers, and individual mixes may come and go as the circumstances facilitating their volunteer operation change, it is essential that users of the mix-net be able to learn a current list of available, correctly-performing mixes, and their corresponding public keys, so that their messages will be delivered reliably and swiftly. 
 
-The first reliability servers for mix-nets to be deployed~\cite{rlist} existed to provide information about the Cypherpunk remailer network~\cite{hal-remailer}, and are known to users and operators of email-oriented mixes (or \emph{remailers}) as \emph{pingers}. While there have been multiple pingers written for the Cypherpunk and Mixmaster~\cite{mixmaster-spec} remailer networks over the last decade, more than two-thirds of the pingers currently in operation are running Echolot~\cite{echolot}.
+The first reliability monitoring servers for mix-nets to be deployed~\cite{rlist} existed to provide information about the Cypherpunk remailer network~\cite{hal-remailer}, and are known to users and operators of email-oriented mixes (or \emph{remailers}) as \emph{pingers}. While there have been multiple pingers written for the Cypherpunk and Mixmaster~\cite{mixmaster-spec} remailer networks over the last decade, more than two-thirds of the pingers currently in operation are running Echolot~\cite{echolot}.
 
 \subsection{Echolot}
 
@@ -127,13 +127,16 @@
 
 If a pinger is operated by an attacker, it becomes possible to
 specifically target individual users by providing them with unique
-information about the network, in order to partition them into an
+information about the network in order to partition them into an
 anonymity set of size 1. Users can attempt to prevent against this attack
 by obtaining their pinger results from a widely-published location, such
 as Usenet, though this does not completely solve the partitioning attack
 problem, and introduces additional reliability constraints on the quality
 of the pinger information.
 
+Additionally, many users retrieve from the pinger updated keys for the remailers at the same time they update their stats. The pinger\footnote{or an attacker performing a man-in-the-middle attack on the data retrieval session.} could manipulate the user into using keys other than those the user intended to. An attacker who controlled both the pinger used by his target, and a number of mixes in the network, could observe the target's messages moving through his mixes by performing a key-swapping attack with the pinger. By providing the target with a public key other than the one generally available for the mixes he controls, the target's messages would be easily distinguishable when processed by his mixes.
+
+
 % More attacks?  FIXME
 % - most users also fetch keys with the stats
 %   -> an attacker could not just give Alice a different list of nodes, but
@@ -141,7 +144,7 @@
 %      remailers, so he can easily distinguish her messages when he seems them
 %      at his node
 
-\section{Leuchtfeuer: a unified directory view}
+\section{Leuchtfeuer: a unified directory agreement protoocol}
 
 The solution to the partitioning attacks mentioned in the previous section
 involves providing all clients with the same view of the network. Each

***********************************************************************
To unsubscribe, send an e-mail to majordomo@xxxxxxxx with
unsubscribe freehaven-cvs       in the body. http://freehaven.net/
Prev by Author: [freehaven-cvs] spelling
Next by Author: [freehaven-cvs] Finish section 4.4, conclusion.
Previous by thread: [freehaven-cvs]
Next by thread: [freehaven-cvs]
Index(es):
- Author
- Thread