
Re: On reply blocks and tagging attacks (was Re: Problems with bit-twiddlers)



On Tue, Apr 02, 2002 at 01:24:35PM -0500, George Danezis wrote:
> > (If we want to allow people to use the reply block anonymously, we
> > might declare that only the first 8 of the 16 hops can be pre-filled;
> > thus the sender can add up to 8 more before he sends it. Intermediate
> > hops can still add a single bonus hop a la Babel, but not more than one.)
> 
> This is very difficult to do since the creators of the two headers cannot 
> know the secrets inside the others in order to compute the hashes. 
> Suddenly the only architecture to bridge between normal and reply modes are 
> special modules.

True.

So that means that we can't anonymously use reply blocks? That is a
flaw which must be fixed.

One approach is to separate 'forward' and 'reply' messages in the eyes of
the mix-net. Let them be handled differently. (We would need a protocol
for bridging between the two.)

It's worth noting that if we do this, the reply messages will be getting
successively *wrapped* in encryption; it's up to the recipient to pull
off the decryptions to read them. So they will always look random when
they are delivered. So the stomping attacks Nick described are harder
to detect. Right?

Can you guys elaborate on some of the attacks and problems that arise
when we allow the adversary to partition forward messages from replies?
Right now I'm thinking it's not so bad an idea. But maybe that's because
I haven't thought it through far enough. :)

--Roger
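
The successive wrapping described in the message above, as an added sketch that is not part of the original thread or of any mix-net code: each hop adds one stream-cipher layer to a reply body, a bit altered mid-path is invisible to the hops because every intermediate form looks random, and only the recipient, who knows all the hop keys, can detect it after peeling. The SHA-256 counter-mode keystream, the digest prefix, the function names and the hop keys are all assumptions made for illustration.

```python
import hashlib
import hmac

def keystream(key: bytes, n: int) -> bytes:
    """Toy keystream: SHA-256 in counter mode (a stand-in, not a real mix cipher)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def layer(key: bytes, data: bytes) -> bytes:
    """XOR one layer on or off; wrapping and unwrapping are the same operation."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))

def seal(payload: bytes) -> bytes:
    """Replying party: prefix a digest so the recipient can check the payload."""
    return hashlib.sha256(payload).digest() + payload

def relay(body: bytes, hop_keys, tamper_at=None) -> bytes:
    """Each hop wraps the body once more; optionally flip one bit after a given hop."""
    for i, key in enumerate(hop_keys):
        body = layer(key, body)
        if i == tamper_at:
            body = body[:-1] + bytes([body[-1] ^ 0x01])
    return body

def open_reply(body: bytes, hop_keys):
    """Recipient: peel every layer, then verify. Returns the payload or None."""
    for key in reversed(hop_keys):
        body = layer(key, body)
    digest, payload = body[:32], body[32:]
    ok = hmac.compare_digest(digest, hashlib.sha256(payload).digest())
    return payload if ok else None

if __name__ == "__main__":
    keys = [b"hop-1", b"hop-2", b"hop-3"]      # constructed sample keys
    msg = seal(b"constructed reply text")      # constructed sample payload
    clean = relay(msg, keys)
    altered = relay(msg, keys, tamper_at=1)
    # Both delivered bodies are opaque bytes of equal length; no hop sees plaintext.
    print(len(clean) == len(altered), clean != altered)
    print(open_reply(clean, keys), open_reply(altered, keys))
```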