[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [freehaven-dev] Who's on First protocol
On Sat, Dec 16, 2000 at 05:27:19PM -0500, email@example.com wrote:
> I came across this - the "Who's on First" protocol
> is a proposal for a new kind of remailer...
I looked in detail at the wof-summ.txt file, and have some
observations. It looks like a neat system, and better than the
currently-deployed mixmaster/cypherpunks systems, but it's not very
well analyzed and has a couple of assumptions which are flawed. Still,
it has some neat ideas which I hadn't considered elsewhere.
It doesn't solve some of the main problems that we've been trying to
solve for remailer systems, but it does address some others.
More detailed thoughts:
* they support a huge number of services and features. each of
those is a potential security/anonymity problem. (user ignorance ->
* they specify that each packet should take a different route.
(cf Crowds paper for argument against)
indeed, they even fragment packets and send each fragment along a
different route. they implement a complex receipt system to only resend
lost fragments; they could benefit from using IDA for robustness
and simplicity (eg a global receipt, rather than per fragment).
Communication channel protocols SHOULD NOT implement their own
* doesn't solve the accountability problem, which from our perspective
is a total killer...
* when a wof packet is going through its route, for each next hop that
the current hop doesn't know about, it queries a node-server. what
are the anonymity implications from the node-server observing "A asks
about B, B asks about C, C asks about David"?
* as written, the node communication protocol claims to provide forward
secrecy but does not. they should do a real key agreement protocol,
rather than one side saying "here's the session key." (i think this is
* they recommend frequent changes of reply blocks. this seems counter
to the goal of anonymity, because of the intersection attack -- at
every change, the adversary goes closer to learning the virtual node's
* the notion of chained virtual nodes (and thus chained reply blocks)
is a neat one. it allows reply blocks which don't contain all the
information in one place -- this means that if the NSA can trivially
break reply blocks, they have to do some more work (locating and then
compromising or observing virtual nodes) in order to link messages.
* their notion of 'zone' is also neat. A node publishes which zone it
is in (eg, geographic area), and people sending messages can choose
a path which includes a variety of zones. (cf jurisdictional arbitrage.)