[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Addressing the tagging attacks

To: mixminion-dev@freehaven.net
Subject: Re: Addressing the tagging attacks
From: George Danezis <gd@theory.lcs.mit.edu>
Date: Wed, 3 Apr 2002 13:10:13 -0500 (EST)
Delivered-To: archiver@seul.org
Delivered-To: mixminion-dev-outgoing@seul.org
Delivered-To: mixminion-dev@seul.org
Delivery-Date: Wed, 03 Apr 2002 13:10:14 -0500
In-Reply-To: <1017852248.8881.16.camel@blinking-device.reputation.com>
Reply-To: mixminion-dev@freehaven.net
Sender: owner-mixminion-dev@freehaven.net

On 3 Apr 2002, Nick Mathewson wrote:

> On Wed, 2002-04-03 at 11:32, George Danezis wrote:
>  [...]
> > - Instead of having a type (2 bytes) field in the header we only have
> >   1 bit that lets the node know if it is the last one or not (and will
> >   include the Type in the payload to minimize the value of the tagging
> >   attacks that are still possible). 
> 
> I don't get the implications of this.  How does delivery work?  How does
> the last node know whether to deliver to Bob or not?  Do all recipients
> need to run nodes?
> 

The situation is exactly as before but the information about the type of 
packet is in the payload instead of the header. If the "bit" is zero 
everything happens as before. If the "bit" is 1 then the decoding routine 
kicks in (if it is a SURB based packet), and the packet is given to the 
module layer that looks inside it (where the type information now should 
be) and decides to give it to some particular module for processing.

Final recipients of sender anonymous messages do not need to run nodes or 
specialized software since you can have gateways from MixMinion-SMTP etc. 
Recipients that benefit from anonymity properties will need to run an 
application that understands MixMinion but do not have to be relays 
themselves (they simply do not advertise keys, and the software only 
supports packets with the "bit" set to 1 and drops the others).

[...]
> >We can have a standard module (like DROP) that gets the SURB from the
> >payload, creates a new message using it and sends it out. It is
> >possible therefore for only 1 node to tell that a message is sent
> > using one mechanism or the other (which is also true if you send a 
> > message directly only using a SURB).
> 
> How do you create a routing block from a SURB?  Or are all SURBs
> block-length?

A SURB is a full "routing block" (around 2kb). That has the advantage that 
they are fixed length, and one can infer how many hops they contain.

> 
> > Security?
> [...]
> > As discussed before on the list only the last mix can tell if a
> > message payload is tagged, and it can only distinguish between messages
> > with different timestamps(*), since all of the body is going to be
> > completely random. It cannot tell what type the message (since the
> > type information is in the body).
> 
> Whoa, I don't think this is right.  The node that extracts a SURB from
> the body will be able to tell scrambled from non-scrambled messages,
> right?
> 
> And if the typecode is in the body, that last node will be able to tell
> messages with scrambled bodies from messages without.
> 

Indeed this node is the only untrusted node that would be able to say that 
the message was tagged. And what does that mean for security?

The scenario is the following: Sender S wants to send a message to 
receiver R using his SURB (that contains a path through A+B+C). In order 
to protect his privacy S decides to first relay the message through X+Y+Z 
and ask (Bad node) to change it into a SURB based message and pass it on.

As you have guessed (Bad node) and X are evil nodes and collaborate in 
order to perform the tagging attack. (Bad node) is tho only one that might 
confirm messages tagged by X (C is not and the Receiver want to protect 
his anonymity).

Sender -X-Y-Z-> (Bad node that    -A-B-C-> Receiver
                 translates SURBS)

So X changes the body of the message and when the message arrives at (Bad 
node) it notices that it is scrambled. Since they have only done this to 
this particular message today, and they also know all the other bad guys 
that have promised not to run tagging attacks today they believe that S 
is the originator of the message.

So what? (Bad node) is still not able to link S to any communication, 
since the content of the body that contained the SURB to be used is 
permanently destroyed. The only information that (Bad node) gets is that 
the message arrived from S which in this case in particular (conversion 
between normal and SURB transport) only tell him that S has sent a message 
and nothing else.

Note that this is not important in this particular case because some 
transport information is always encoded inside the payload (the SURB) and 
destroyed is the payload is tagged. If (Bad node) was the final recipient 
then indeed the Sender S would have his anonymity compromised.

What about the following fix:

We cut the size of the "routing block" to half and always include two of 
them in the same way as we do in order to convert from "normal" to SURB 
transport. We use one to route the packet until a particular node that 
then takes the second block from inside the payload and sends it in the 
network again. In that way the model presented above 9and its security) 
holds for the forward path as well.So in that case any tagging attack can 
only compromise half the route and the other half will be secure?

The above fix also presents the advantage that since all nodes are using 
this method (even for forward "normal" routing) it is not any more 
possible to tell if the conversion is done from "normal" to SURB or from 
"normal" to "normal" routing.

> And doesn't this imply that it's no longer possible to receive messages
> without client software?

The situation is the same as before. The clients that do not need 
anonymity can access the network through gateways and only those those who 
get security have to understand the MixMinion protocols (but they do not 
have to be nodes)

> > (*) Timestamps
> > 
> > As it has been described in the previous email timestamps 
> > are becoming a nightmare. Now I found out they they allow an attacker to 
> > separate the messages per day. Should be consider having a "deadline" 
> > instead of a timestamp? So that packets are not valid after that deadline 
> > that could be quite large (although intermediate nodes need to keep some 
> > state per packet until that deadline).
> 
> No, that's still vulnerable. If Alice sends a message on April 1 that's
> valid till April 30, Mallory can delay it till April 30, when there
> won't be many messages at all with an April 30 deadline.
> 

That is a tough one, and seems to be quite orthogonal to the tagging stuff 
(although it contributes to it). Anyone has any ideas?

Yours,

George

Follow-Ups:
- Timestamps and delaying [Re: Addressing the tagging attacks]
  - From: Nick Mathewson <nickm@alum.mit.edu>

References:
- Re: Addressing the tagging attacks
  - From: Nick Mathewson <nickm@alum.mit.edu>

Prev by Date: crypto usage in my tagging-attack-prevention proposal
Next by Date: Re: crypto usage in my tagging-attack-prevention proposal
Prev by thread: Re: Addressing the tagging attacks
Next by thread: Timestamps and delaying [Re: Addressing the tagging attacks]
Index(es):
- Date
- Thread