[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[freehaven-cvs] Tweak paper throughout. We actually _do_ describe r...
Update of /home/freehaven/cvsroot/doc/fc04
In directory moria.mit.edu:/tmp/cvs-serv27858
Modified Files:
minion-systems.tex
Log Message:
Tweak paper throughout. We actually _do_ describe replies throughout;
I think "bidirectional" is okay to say at the end. Add a reply
reference to the intro or abstract if I disagree.
Index: minion-systems.tex
===================================================================
RCS file: /home/freehaven/cvsroot/doc/fc04/minion-systems.tex,v
retrieving revision 1.12
retrieving revision 1.13
diff -u -d -r1.12 -r1.13
--- minion-systems.tex 10 Sep 2003 02:00:00 -0000 1.12
+++ minion-systems.tex 10 Sep 2003 16:43:41 -0000 1.13
@@ -25,9 +25,9 @@
performing traffic analysis to reveal the {\it presence} of such
communication.
-Mixminion is an open-source, deployed research system that resists
-known forms of traffic analysis, allowing parties to communicate
-without revealing their identities.
+Mixminion is an open-source, deployed system under active development.
+It resists known forms of traffic analysis, allowing parties to
+communicate without revealing their identities.
\end{abstract}
\begin{center}
@@ -37,7 +37,6 @@
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\section{Introduction: Anonymity and Digital Commerce}
-
In this paper, we argue that strongly anonymous (traffic analysis
resistant) communications are valuable to the business and finance
community, and we present Mixminion, an anonymous communication system
@@ -59,7 +58,7 @@
\item Whether (and how often) the CEO of a Fortune 500 corporation has
been exchanging email with the CEO of a rumored buyout partner.
\item Which suppliers' websites a given purchaser is visiting.
-\item Which prospective customers a vendor has emailed, and which of
+\item Which prospective customers a vendor has emailed and which of
them responded via email.
\item In some digital cash designs, the volume and frequency of
transactions between participants and between participants and
@@ -69,40 +68,38 @@
communications can become a target of traffic analysis. In this way,
an eavesdropper may learn:
\begin{itemize}
-\item Which locations are working late.
-\item Which locations are consulting job-hunting websites.
+\item Which locations have employees working late.
+\item Which locations have employees consulting job-hunting websites.
\item Which research groups are communicating with a company's patent
lawyers.
\item What volume of communication an R\&D group is exchanging with a
production line.
\end{itemize}
-While firewalls or VPNs can conceal a network's interior view,
-they do not provide any further privacy against traffic analysis
-attacks.
+While firewalls or virtual private networks can conceal a network's
+interior view, they do not provide any further privacy against traffic
+analysis attacks.
These attacks are certainly feasible today. On the simplest level,
corporate website administrators routinely survey logs to learn which
competitors and customers have viewed which parts of their websites,
and how often. The more sophisticated attacks are almost certainly
-within capabilities of the NSA-supported ECHELON eavesdropping system
-(which has been probably used to advance the commercial interests of
-its sponsor nations), or the capabilities of any COMINT-sophisticated
-nation inclined to use its resources for economic goals. But while
-companies doing secure digital commerce are right to consider the
-threat of mid-sized foreign governments, the threat of espionage from
-competing companies may be more compelling. The risk of a competitor
-bribing a janitor in a nearby telcom, or sneaking eavesdropping
-equipment into a colocation facility, is not well explored in
-the public literature.
+within capabilities of a nation able and inclined to use signals
+intelligence resources for economic goals, as the US has (probably)
+done the NSA-backed ECHELON system. Finally, in between the threat of
+unsophisticated analysis and the threat of mid-sized foreign
+governments, lies the potentially more compelling risk of espionage
+from competing companies. The risk of a competitor bribing an
+employee at a nearby telecom, or sneaking eavesdropping equipment into
+a colocation facility, is not well explored in the public literature.
Traffic analysis resistance is also a critical component to more
advanced financial cryptography systems, such as anonymous digital
cash schemes and private auctions: without anonymous transport, these
schemes provide very little of the privacy that they promise.
-In this short paper, we discuss several existing systems and designs to
-defeat traffic analysis. We focus on Mixminion, an open-source
-application with a deployed research network.
+In this short paper, we discuss several existing systems and designs
+to defeat traffic analysis. We focus on Mixminion, an open-source
+application with a deployed research network under active development.
\subsection{Background}
David Chaum launched the study of anonymous communications in 1981,
@@ -127,16 +124,17 @@
implemented the Mixmaster system \cite{mixmaster-attacks,mixmaster-spec},
or ``Type II'' remailers, which added message padding, message pools,
and other mix features lacking in the original Cypherpunk remailers.
-Unfortunately, Mixmaster does not support replies or anonymous recipients
---- people who want these functions must use the older and less secure
-Cypherpunk network.
+Unfortunately, Mixmaster does not support replies or anonymous
+recipients. Thus, people who need {\it bidirectional} anonymous
+communication must use the older and less secure
+Cypherpunk network.
In parallel with the evolution of mix nets for mail-like
communication, other work has progressed on systems suitable for
faster communication. These systems range from the simple centralized
Anonymizer \cite{anonymizer}, to distributed sets of servers like Freedom
\cite{freedom2-arch} and Onion Routing \cite{onion-routing:pet2000},
-to designs for totally decentralized p2p networks like Tarzan
+to designs for totally decentralized peer-to-peer networks like Tarzan
\cite{tarzan:ccs02}
and Morphmix \cite{morphmix:wpes2002}. But while these systems are
more suitable than mixes for low-latency applications such as web browsing,
@@ -146,7 +144,7 @@
timing of message sending and delivery will quickly link
senders and recipients. Although these systems block
certain kinds of traffic analysis, they cannot defend against an
-adversary with significant COMINT abilities.
+adversary with significant eavesdropping abilities.
\section{Mixminion: Open source strong anonymity}
Mixminion is the reference implementation of the Type III mix-net,
@@ -166,11 +164,11 @@
single-use reply channels. These replies are indistinguishable from
forward messages to all parties except their senders and recipients.
\item {\bf Forward-secure, email-independent transfer protocol.}
- Integration with mail transfer agents (such as Sendmail) has
- been a fragile issue with earlier remailer networks. Type III uses
- its own TLS-based transfer protocol to relay messages between
- mixes. The protocol is forward secure so future mix compromises
- cannot compromise past traffic recorded by an eavesdropper.
+ Integration with mail transfer agents (such as Sendmail) has been a
+ fragile issue with earlier remailer networks. Type III uses its own
+ TLS-based transfer protocol to relay messages between mixes. The
+ protocol is forward-secure: that is, future mix compromises cannot
+ compromise past traffic recorded by an eavesdropper.
\item {\bf Integrated directory design.} Earlier deployed mix-nets
have left the issue of mix discovery to a set of unspecified,
uncoordinated, out-of-band keyservers. Type III introduces
@@ -218,7 +216,7 @@
blocks. Although we have a specification for a workable pseudonym
server, the server is not yet implemented.
\item {\bf Abuse prevention.} One of the best ways to attack users'
- anonymity is by mounting a denial of service attack against some or
+ anonymity is by mounting a denial of service (DoS) attack against some or
all of the Type III mix-net, in order to force users onto
compromised servers, or to force them to use other (less secure)
channels. At the same time, we need a way to let uninterested recipients
@@ -255,13 +253,14 @@
financial communities.
Mixminion aims to be the first deployed anonymous communication system
-that provides strong traffic analysis resistance, emphasizes usability,
-and that can be sustained for the long term. These challenging goals
-require more research on anonymity designs, more work on human/computer
-interaction and interfaces, and more awareness of the need for privacy
-around the world. We feel that pushing the envelope on all fronts and
-exploring the relationships between these requirements is the best way
-to bring the world closer to ubiquitous securable communications.
+that provides strong traffic analysis resistance, emphasizes
+usability, supports bidirectional communication, and that can be
+sustained for the long term. These goals require more
+research on anonymity designs, more work on human/computer interaction
+and interfaces, and more awareness of the need for privacy around the
+world. We feel that pushing the envelope on all fronts and exploring
+the relationships between these requirements is the best way to bring
+the world closer to ubiquitous securable communications.
\bibliographystyle{plain}
\bibliography{minion-systems}
***********************************************************************
To unsubscribe, send an e-mail to majordomo@seul.org with
unsubscribe freehaven-cvs in the body. http://freehaven.net/