
Re: tagging attacks and forward-message/reply-message distinction
On Wed, 3 Apr 2002, Zooko wrote:
> 
> [...]

Indeed I agree with all these.
> 
>  --- proposed improvement
> 
> At a cost of two times message expansion, we can combine both kinds of messages 
> in such a way that each node in the chain cannot tell whether it is processing a 
> forward-travelling or reply message.
> 
> Each message has three parts: header, "forward" payload (which I'll call an 
> A-payload), and "reply" payload (which I'll call a B-payload).
> 
> The node that is processing a message decrypts his header, checks MACs on the 
> headers and on the A-payload but not on the B-payload, applies the CTR-mode 
> {en,de}-cryption to both payloads, and forwards.
> 
> When the message is a forward-travelling message, then the actual message (and 
> reply block) are hidden inside the encrypted A-payload.  When the message is 
> a reply message, then the message is hidden inside the encrypted B-payload.  But 
> what is the contents of the A-payload when the message is actually a reply?  It 
> is dummy garbage which looks like an encrypted payload, and which matches the 
> MACs that the original sender included in the reply block!
> 
> Where did the replier get this dummy A-payload?  It is generated 
> deterministically by the replier from a secret that the original sender included 
> along with the reply block in the original A-payload.
> 
> Now for every part of the message we have one or the other guarantee: either it 
> comes with a MAC and it gets verified at every hop, or it gets re-encrypted at 
> every hop and nobody ever sees the resulting decrypted plaintext except for the 
> original sender.
> 
> The dummy B-payload in forward-travelling messages is random garbage which is 
> redirected to /dev/null by the receiver.  In order to get our 1.b. guarantee 
> against tagging attacks, we cannot use this data for anything.
> 

I think the above would work. It is a bit wasteful to double the size for 
every message.

I am still thinking of it.

George
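To make the quoted proposal concrete, here is an added simulation of the A-payload/B-payload scheme. It is not code from this thread or from any mix implementation; it stands in a SHA-256 counter-mode keystream for the AES-CTR layer, reduces each hop's header to a single MAC over the A-payload as that hop will see it, and uses constructed keys and messages. It shows a hop verifying only the A-payload, re-encrypting both payloads, and a replier regenerating the dummy A-payload from the seed so that the sender's precomputed MACs still verify; it also shows that a bit flipped in an A-payload is dropped at the next hop while a bit flipped in a B-payload is only ever visible to the original sender.

```python
import hashlib
import hmac
import os

# Added example, not code from the thread. A SHA-256 counter-mode keystream
# stands in for the real design's AES-CTR layer, and the per-hop header is
# reduced to one MAC. All keys and messages are constructed test values.

PAYLOAD_LEN = 64  # both payloads are fixed length so a hop learns nothing from size


def keystream(key: bytes, length: int) -> bytes:
    """Counter-mode keystream: SHA-256(key || counter) blocks (stand-in for AES-CTR)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def ctr_xor(key: bytes, data: bytes) -> bytes:
    """CTR-mode {en,de}cryption is the same XOR in both directions."""
    return bytes(x ^ y for x, y in zip(data, keystream(key, len(data))))


def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def pad(msg: bytes) -> bytes:
    return msg + b"\x00" * (PAYLOAD_LEN - len(msg))


def build_headers(hop_keys, a_payload):
    """One MAC per hop, over the A-payload exactly as that hop will receive it."""
    headers, a = [], a_payload
    for k in hop_keys:
        headers.append(mac(k, a))
        a = ctr_xor(k, a)
    return headers


def strip_layers(hop_keys, data):
    """Apply every hop's CTR layer; used by the sender both to pre-encrypt the
    forward A-payload and to decrypt the B-payload of a returned reply."""
    for k in hop_keys:
        data = ctr_xor(k, data)
    return data


def node_process(key, expected_mac, a, b):
    """One hop: check the MAC on the A-payload only, then re-encrypt both payloads.
    The hop cannot tell whether it is handling a forward message or a reply."""
    if not hmac.compare_digest(expected_mac, mac(key, a)):
        return None  # tagged A-payload: dropped here, nothing leaves this hop
    return ctr_xor(key, a), ctr_xor(key, b)


def run_chain(hop_keys, headers, a, b):
    for k, h in zip(hop_keys, headers):
        step = node_process(k, h, a, b)
        if step is None:
            return None
        a, b = step
    return a, b


def send_forward(hop_keys, message):
    """Forward-travelling message: real data in A, random garbage in B."""
    a0 = strip_layers(hop_keys, pad(message))
    return build_headers(hop_keys, a0), a0, os.urandom(PAYLOAD_LEN)


def make_reply_block(return_keys):
    """Sender side: return-path headers plus the seed from which the replier
    regenerates the dummy A-payload those headers' MACs commit to."""
    seed = os.urandom(16)
    return build_headers(return_keys, keystream(seed, PAYLOAD_LEN)), seed


def send_reply(reply_block, reply_text):
    """Replier side: deterministic dummy A from the seed, real reply in B."""
    headers, seed = reply_block
    return headers, keystream(seed, PAYLOAD_LEN), pad(reply_text)


def demo():
    fwd_keys = [hashlib.sha256(b"forward-hop-%d" % i).digest() for i in range(3)]
    ret_keys = [hashlib.sha256(b"return-hop-%d" % i).digest() for i in range(3)]
    r = {}
    hdr, a, b = send_forward(fwd_keys, b"hello, forward world")
    out = run_chain(fwd_keys, hdr, a, b)
    r["forward_ok"] = out is not None and out[0] == pad(b"hello, forward world")
    rb = make_reply_block(ret_keys)
    hdr, a, b = send_reply(rb, b"a reply")
    out = run_chain(ret_keys, hdr, a, b)
    r["reply_ok"] = out is not None and strip_layers(ret_keys, out[1]) == pad(b"a reply")
    hdr, a, b = send_forward(fwd_keys, b"hello")
    r["tagged_a_dropped"] = run_chain(fwd_keys, hdr, bytes([a[0] ^ 1]) + a[1:], b) is None
    hdr, a, b = send_reply(rb, b"a reply")
    out = run_chain(ret_keys, hdr, a, bytes([b[0] ^ 1]) + b[1:])
    r["tagged_b_reaches_sender"] = out is not None
    r["tagged_b_garbled"] = strip_layers(ret_keys, out[1]) != pad(b"a reply")
    return r


if __name__ == "__main__":
    for name, ok in demo().items():
        print(name, ok)
```

The point the simulation makes is the one in the quoted text: each hop sees the same triple (MAC, A-payload, B-payload) in both directions, the A-payload is MAC-checked at every hop so a tag on it is dropped before it travels further, and the B-payload is never checked but is re-encrypted at every hop, so a tag on it surfaces only when the original sender decrypts it.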