[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [freehaven-dev] Who's on First protocol

On Sat, Dec 16, 2000 at 05:27:19PM -0500, dmolnar@belegost.mit.edu wrote:
> I came across this - the "Who's on First" protocol
> http://skuz.net/potatoware/wof/
> is a proposal for a new kind of remailer...
I looked in detail at the wof-summ.txt file, and have some
observations. It looks like a neat system, and better than the
currently-deployed mixmaster/cypherpunks systems, but it's not very
well analyzed and has a couple of assumptions which are flawed. Still,
it has some neat ideas which I hadn't considered elsewhere.

It doesn't solve some of the main problems that we've been trying to
solve for remailer systems, but it does address some others.

More detailed thoughts:

* they support a huge number of services and features. each of
  those is a potential security/anonymity problem. (user ignorance ->
  user error)

* they specify that each packet should take a different route.
  (cf Crowds paper for argument against)
  indeed, they even fragment packets and send each fragment along a
  different route. they implement a complex receipt system to only resend
  lost fragments; they could benefit from using IDA for robustness
  and simplicity (eg a global receipt, rather than per fragment).
  Communication channel protocols SHOULD NOT implement their own
  routing/transport protocols.

* doesn't solve the accountability problem, which from our perspective
  is a total killer...

* when a wof packet is going through its route, for each next hop that
  the current hop doesn't know about, it queries a node-server. what
  are the anonymity implications from the node-server observing "A asks
  about B, B asks about C, C asks about David"?

* as written, the node communication protocol claims to provide forward
  secrecy but does not. they should do a real key agreement protocol,
  rather than one side saying "here's the session key." (i think this is

* they recommend frequent changes of reply blocks. this seems counter
  to the goal of anonymity, because of the intersection attack -- at
  every change, the adversary goes closer to learning the virtual node's

* the notion of chained virtual nodes (and thus chained reply blocks)
  is a neat one. it allows reply blocks which don't contain all the
  information in one place -- this means that if the NSA can trivially
  break reply blocks, they have to do some more work (locating and then
  compromising or observing virtual nodes) in order to link messages.

* their notion of 'zone' is also neat. A node publishes which zone it
  is in (eg, geographic area), and people sending messages can choose
  a path which includes a variety of zones. (cf jurisdictional arbitrage.)