Re: [freehaven-dev] Some possible weaknesses?

On Wed, 2 Feb 2000, Roger Dingledine wrote:

> Can you elaborate on what you mean by 'killing trade requests until an
> introducing node kills a new file'? (I don't understand it.) You mean refuse
> to let the newbie join the servnet? I'd think that would be the time for the
> newbie to go find another introducing server...

Finding a new server may be good enough. In fact it probably is, but I'll
elaborate anyway.

Here's what I was thinking:

We have a publisher P, who is not a member of the servnet.
We have an introducing node I, who is a member of the servnet. 
We have an adversary A, who has the power to prevent arbitrary messages from reaching either P or I.

This is for the case where I is introducing a new file to the servnet on
behalf of P. Maybe I is acting as a "public freehaven node", something we
briefly mentioned on Sunday. 

So the protocol looks like this:

1. P sends a file to I. 
2. I splits the file into n shares f_1 ... f_n 
3. I now trades away each share to other servnet nodes

The policy I am assuming for argument is as follows:

If the node I cannot trade away the shares f_1 ... f_n within some
amount of time T, then I declares "introduction failed" and deletes
the shares. 

Note:

This policy is why I have a distinct publisher and introducer. If the
publisher is himself a servnet node, then there doesn't seem to be 
any good reason he would arbitrarily delete his own file like this. 
While if the node is only creating these shares as a favor or in 
return for money, such a policy seems to make more sense, since
local resources need to be freed up sometime. 

The questions:

Can the adversary A determine that I is attempting to trade a new file
into the servnet?

If the adversary destroys trading messages to and from I, can he _force_ I
to declare "introduction failed" by making it impossible to trade the
shares away?

A related question: can the adversary A distinguish trading messages
from other messages, and so selectively destroy only those messages?

I know we have said that a node which is vulnerable to denial of service
should not be on the servnet. For most denial of service attacks, 
our trust system will enforce this -- stop taking reconstruction requests,
and people stop trusting you. 

But are there "selective" denial of service attacks which do not show up
in the trust system in the same way, and so could allow an adversary
to cause harm over and over again without automatically being caught?

Since, as you've pointed out, the publisher can find some other I, 
do we care?
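The scenario in this message, as an added toy simulation (not part of the original thread or of the Free Haven code): introducer I has T rounds to trade n shares to peers, peers score I only by answered reconstruction requests, and a constructed adversary A drops message kinds to or from I. The peer names, the +1/-1 scoring and the one-request-per-round model are assumptions made for the illustration.

```python
from collections import Counter

TRADE, RECON = "trade", "reconstruct"

class Adversary:
    """Constructed adversary A: drops every message of the given kinds to or from `victim`."""
    def __init__(self, victim, drop_kinds=()):
        self.victim, self.drop_kinds = victim, set(drop_kinds)

    def delivers(self, kind, src, dst):
        return not (self.victim in (src, dst) and kind in self.drop_kinds)

def run_introduction(n_shares, T, adversary, peers=("S1", "S2", "S3")):
    """Introducer I tries to trade away n shares within T rounds.

    Each round, every peer (hypothetical names) accepts one share if the trade
    message gets through, and also sends I one reconstruction request, which is
    the only activity the assumed trust system scores (+1 answered, -1 not).
    Returns (introduction_succeeded, {peer: trust score for I}).
    """
    shares = list(range(n_shares))
    trust = Counter()
    for _ in range(T):
        for peer in peers:
            if shares and adversary.delivers(TRADE, "I", peer):
                shares.pop()  # the peer accepted this share
            # Request and reply must both arrive, otherwise the peer blames I.
            if adversary.delivers(RECON, peer, "I") and adversary.delivers(RECON, "I", peer):
                trust[peer] += 1
            else:
                trust[peer] -= 1
    # Policy from the message: unsold shares at time T mean "introduction failed"
    # and I deletes them; we just report the outcome.
    return not shares, dict(trust)

if __name__ == "__main__":
    for label, kinds in [("no attack", ()), ("drop all", (TRADE, RECON)), ("drop trades only", (TRADE,))]:
        ok, trust = run_introduction(6, 2, Adversary("I", kinds))
        print(f"{label:17} introduced={ok} trust={trust}")
```

Dropping everything fails the introduction and also drives I's trust negative, so the trust system sees it; dropping only trade messages fails the introduction while leaving I's trust scores identical to the no-attack run, which is the selective case the message asks about.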