
[freehaven-cvs] Update attacks section, mention Free Haven, fix prot...



Update of /home2/freehaven/cvsroot/doc/pynchon-gate
In directory moria.mit.edu:/tmp/cvs-serv11012

Modified Files:
	pynchon.tex pynchon.bib 
Log Message:
Update attacks section, mention Free Haven, fix protocol issues.


Index: pynchon.tex
===================================================================
RCS file: /home2/freehaven/cvsroot/doc/pynchon-gate/pynchon.tex,v
retrieving revision 1.30
retrieving revision 1.31
diff -u -d -r1.30 -r1.31
--- pynchon.tex	17 Sep 2004 08:09:42 -0000	1.30
+++ pynchon.tex	17 Sep 2004 13:07:35 -0000	1.31
@@ -74,14 +74,18 @@
 %countermeasures to basic attacks against the system.
 \end{abstract}
 
-\section{Introduction}
+\section{Introduction} 
 Pseudonymous messaging services seek to provide users with a way to send
 messages that originate at a pseudonymous address (or ``nym'') unlinked to
-the user, and to receive messages send to that address, without allowing an
-attacker to deduce which users are associated with which pseudonyms.  But, as
-we will argue below, most existing deployed solutions are either vulnerable
-to traffic analysis, or require unacceptably large amounts of bandwidth and
-storage as the number of users and volume of traffic increase.
+the user, and to receive messages send to that address, without allowing
+an attacker to deduce which users are associated with which pseudonyms.
+These systems can be used specifically to provide a mechanism for a user
+to communicate without revealing her identity, or can be used as a
+building-block for other systems which need a bi-directional communication
+channel, such as Free Haven~\cite{freehaven-berk}. But, as we will argue
+below, most existing deployed solutions are either vulnerable to traffic
+analysis, or require unacceptably large amounts of bandwidth and storage
+as the number of users and volume of traffic increase.
 
 We propose the Pynchon Gate, a novel design that uses distributed-trust
 private information retrieval (PIR)~\cite{pir} primitives to build a secure,
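Review bot: The rewrapped opening sentence of the introduction still reads "receive messages send to that address"; since the line is being rewritten anyway, change "send" to "sent". The replacement \section{Introduction} line differs from the old one only by a trailing space, so drop that line from the change. In the new sentence about Free Haven, "building-block" and "bi-directional" would read better as "building block" and "bidirectional".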
@@ -321,6 +325,11 @@
 to obtain information about nym holders by comparing network and user
 behavior when a given message or packet is transmitted multiple times.
 
+\subsubsection{Tagging and known-cleartext attacks.} An attacker may alter
+a message, or observe the cleartext of a message, so that he may be able
+to later link an input message with a given output retrieved by the
+nym-holder.
+
 \subsubsection{{\it Who am I?} attack.} 
 An attacker may send messages intended for nym Alice to nym Bob instead,
 to confirm that Alice and Bob are the same nym-holder~\cite{gd-thesis}.
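Review bot: The new "Tagging and known-cleartext attacks" entry folds two different attacker capabilities into one sentence: altering a message is an active attack, while observing its cleartext is passive. Give each its own sentence stating what the attacker does and how that lets him link an input message to the output retrieved by the nym-holder. The body text also starts on the \subsubsection line, whereas the "Who am I?" entry just below starts its body on the following line; pick one layout.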
@@ -328,7 +337,19 @@
 \subsubsection{Usage pattern and intersection attacks.}
 
 An attacker may analyze network usage and anonymity set members over time
-to sub-divide anonymity sets such that a given user is identified.
+to sub-divide anonymity sets such that a given user is identified. In
+addition to passive observation of the network, there are a number of
+active attacks which can facilitate usage pattern attacks. An attacker may
+flood a nym, to observe a corresponding increase in traffic by the
+recipient. If attacks on portions of the pseudonymity infrastructure
+affect some users differently than others, an attacker may exploit such
+attacks on components of the system to facilitate an intersection attack
+against a user of the system as a whole. For instance, in a reply-block
+system, an attacker could disable certain mixes, and observe which nyms
+ceased receiving traffic. If the nym holder has a fixed-route reply block,
+this would enable the attacker to identify the mixes used in the
+nym-holder's reply-block path, and increase his chances of successfully
+linking the nym with the nym-holder's true name.
 
 \subsubsection{Statistical-disclosure attacks.}
 
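Review bot: The added sentence beginning "If attacks on portions of the pseudonymity infrastructure" is circular ("attacks ... exploit such attacks ... to facilitate an intersection attack"); say once that an attacker who can degrade a component only some users depend on can observe which nyms are affected. The flooding sentence states what the attacker observes but not what he concludes from the recipient's increased traffic, and "true name" appears here where the surrounding text speaks of identifying the user or nym-holder.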
@@ -389,14 +410,16 @@
 with the nym server, so at a minimum the nym server must be able to
 receive email in addition to any optional support for other protocols.
 Future developments in forward anonymity protocols may alleviate this
-reliance on email.} and pass these messages to each independently-operated
-distributor node in the network. Through the use of a client which can
-communicate with the distributor nodes, the owner of a given pseudonym is
-able to make a series of requests from several distributor nodes, enabling
-her to receive her message without the individual nodes determining the
-identity of the pseudonym being requested. The protocol used is resistant
-to collusion: even if there are $(k-1)$ nodes operated by the adversary
-the adversary cannot learn the requested pseudonym.
+reliance on email. In our system, the nym server may communicate directly
+with Mixminion nodes via the direct communication mechanism in Mixminion.}
+and pass these messages to each independently-operated distributor node in
+the network. Through the use of a client which can communicate with the
+distributor nodes, the owner of a given pseudonym is able to make a series
+of requests from several distributor nodes, enabling her to receive her
+message without the individual nodes determining the identity of the
+pseudonym being requested. The protocol used is resistant to collusion:
+even if there are $(k-1)$ nodes operated by the adversary the adversary
+cannot learn the requested pseudonym.
 
 By using a PIR-based message retrieval system we retain the convenience,
 reliability, and security of the ``send everything everywhere'' method,
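Review bot: The two sentences added to the footnote name Mixminion without a \cite in the added lines, and "communicate directly ... via the direct communication mechanism" repeats itself. Add the citation and state whether this direct path replaces or supplements the email reception that the footnote calls the minimum. The rest of the hunk only rewraps the paragraph, which hides the real change; rewrapping in a separate commit would keep the diff readable.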
@@ -500,7 +523,7 @@
 from that bucket to the hash tree root. These distributors communicate to
 the client application using the \emph{Pynchon Gate PIR Protocol}.
 
-\subsection{The Pynchon Gate Client}
+\subsection{The Pynchon Gate PIR Protocol}
 \label{subsec:client-design}
 
 The \emph{Pynchon Gate Client} application resides on the nym owner's
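Review bot: The subsection is retitled "The Pynchon Gate PIR Protocol", but the label on the next line is still subsec:client-design and the first paragraph still opens with "The \emph{Pynchon Gate Client} application resides on the nym owner's". Either keep the client title and add a separate protocol subsection, or rename the label (and its \ref uses) and rewrite the opening paragraph so the heading matches what follows.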
@@ -577,12 +600,13 @@
 make sure that each of the distributors they use agree about the value of
 the hash root.
 
-The hash tree root used for bucket authentication uses a distinct tree
-structure from the tree organization of the data in the buckets. The
-authentication tree is a simple binary hash tree which can be computed
-implicitly given the entire list of buckets. Binary hash trees enable the
-path from any given bucket to the root to be expressed as compactly as
-possible.
+%The hash tree root used for bucket authentication uses a distinct tree
+%structure from the tree organization of the data in the buckets. The
+%authentication tree is a simple binary hash tree which can be computed
+%implicitly given the entire list of buckets. Binary hash trees enable the
+%path from any given bucket to the root to be expressed as compactly as
+%possible.
+% XXXX This is not correct.
 
 Distributors append to each bucket the path from that bucket to the hash
 tree root. With this information, the client can verify the integrity of
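Review bot: Commenting out the authentication-tree paragraph with "% XXXX This is not correct." leaves the following text ("Distributors append to each bucket the path from that bucket to the hash tree root") relying on a tree whose structure is no longer described anywhere in the visible section. The XXXX note should say which statement is wrong (the tree being distinct from the bucket organization, it being binary, or it being implicitly computable), and a corrected description should replace the paragraph before the client verification step is explained.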
@@ -773,7 +797,7 @@
 We would like to thank Russell O'Connor, for review of several candidate
 PIR systems; Adam Back, for his optimization on the message request
 protocol; Lucky Green, for valuable comments; Ben Laurie, for review of an
-early sketch of the Pynchon Gate Protocol; Sonia Ara\~na, Roger
+early sketch of the Pynchon Gate PIR Protocol; Sonia Ara\~na, Roger
 Dingledine, Peter Palfrader, and Adam Shostack for proof-reading and
 comments on the paper. Finally, thanks to the many members of the
 Cypherpunks mailing list who have contributed much to the field of

Index: pynchon.bib
===================================================================
RCS file: /home2/freehaven/cvsroot/doc/pynchon-gate/pynchon.bib,v
retrieving revision 1.14
retrieving revision 1.15
diff -u -d -r1.14 -r1.15
--- pynchon.bib	16 Sep 2004 21:06:33 -0000	1.14
+++ pynchon.bib	17 Sep 2004 13:07:35 -0000	1.15
@@ -65,6 +65,19 @@
   year = {2004},
 }
 
+@inproceedings{freehaven-berk,
+  title = {The Free Haven Project: Distributed Anonymous Storage Service}, 
+  author = {Roger Dingledine and Michael J. Freedman and David Molnar}, 
+  booktitle = {Proceedings of Designing Privacy Enhancing Technologies: Workshop on Design
+        Issues in Anonymity and Unobservability}, 
+  year = {2000}, 
+  month = {July}, 
+  editor = {H. Federrath}, 
+  publisher = {Springer-Verlag, LNCS 2009}, 
+  www_important = {1}, 
+  www_ps_url = {http://freehaven.net/doc/berk/freehaven-berk.ps}, 
+  www_section = {Anonymous publication}, 
+}
 
 @inproceedings{universal,
   title = {Universal Re-Encryption for Mixnets}, 
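Review bot: In the new freehaven-berk entry, publisher = {Springer-Verlag, LNCS 2009} mixes the publisher with the series and volume, while another entry in this file uses a separate series = {LNCS} field. Split it into publisher = {Springer-Verlag}, series = {LNCS}, volume = {2009} so bibliography styles format it consistently. The added lines also end in trailing spaces after the commas.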
@@ -90,7 +103,7 @@
 @inproceedings{mixmaster-reliable,
   title = {Comparison between two practical mix designs}, 
   author = {Claudia D\'{\i}az and Len Sassaman and Evelyne Dewitte}, 
-  booktitle = {Proceedings of 9th European Symposiumon Research in Computer Security
+  booktitle = {Proceedings of 9th European Symposium on Research in Computer Security
         (ESORICS)}, 
   year = {2004}, 
   month = {September}, 
@@ -515,4 +528,4 @@
    series = {LNCS},
    www_section = traffic,
    www_pdf_url = "http://freehaven.net/doc/e2e-traffic/e2e-traffic.pdf";,
-}
\ No newline at end of file
+}
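Review bot: Adding the final newline is fine, but the context line above it shows the www_pdf_url value ending in a semicolon between the closing quote and the comma, which BibTeX will not parse as a field separator if it is really in the file. Check pynchon.bib itself and remove the semicolon there if it is present; www_section = traffic on the preceding line is also unquoted, unlike the braced www_section value in the freehaven-berk entry.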
