[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Reply blocks and tagging protection: a third variant

To: mixminion-dev@freehaven.net
Subject: Re: Reply blocks and tagging protection: a third variant
From: Nick Mathewson <nickm@alum.mit.edu>
Date: 09 Apr 2002 11:33:06 -0400
Delivered-To: archiver@seul.org
Delivered-To: mixminion-dev-outgoing@seul.org
Delivered-To: mixminion-dev@seul.org
Delivery-Date: Tue, 09 Apr 2002 11:33:09 -0400
In-Reply-To: <Pine.LNX.4.44.0204090809140.12906-100000@blackbird.lcs.mit.edu>
References: <Pine.LNX.4.44.0204090809140.12906-100000@blackbird.lcs.mit.edu>
Reply-To: mixminion-dev@freehaven.net
Sender: owner-mixminion-dev@freehaven.net

On Tue, 2002-04-09 at 09:16, George Danezis wrote:
> On Sun, 7 Apr 2002, Roger Dingledine wrote:
> > Which leads to the issue of putting destination information in the payload
> > vs the header. I'm still not convinced by George's statement that it
> > should go in the payload. First off, it seems hard to put destination
> > info in the payload of a reply block: I just don't know how it could work
> > with our encryption system. The guy using your reply block should not be
> > able to learn (parts of) your delivery info, eg by keeping transport_type
> > but changing email_address, in order to learn transport_type. Second,
> > in order for tagged (and thus random) messages to not be recognizable,
> > some messages must be plausibly all-random. These messages are the ones
> > that are encrypted to somebody, either a forward message encrypted to
> > the recipient or a reply message which has been multiply-encrypted. If
> > the destination info is in plaintext, then these payloads aren't
> > all-random. So tagged messages are discernable.
> 
> The idea is not to explicitly put all routing information in the payload. 
> Routing information should stay in the two headers. The point I tried to 
> make is that the second header depends on the correct decryption of the 
> payload and therefore if the payload is modified it is not possible to 
> continue with the delivery.

But the final email address in your latest design is part of the payload
(if it's anywhere).  That's routing information.  If I can trash the
payload (after the header switch), then I can distinguish email messages
with valid addresses from trash messages.  [I would have this
opportunity if somebody generated a SURB for which I controlled the
first and last hops.  Your design prevents this situation by making
every SURB recipient run their own node; see next graph.]

(AFAICT, the design you have specifically prevents anybody from securely
receiving SURB replies via email without running their own node.  This
is a limitation: not everybody who would like to receive such replies
necessarily has a high-availability connection of their own.)

> Note that this property is stronger then just 
> including a hash to check the payload that a malicious node could ignore.

I agree strongly with this point.

 [...]
> This property could be 
> implemented by a "strip N and decode using payload" operation but I think 
> it is unnecessary to provide more general operations than strictly 
> necessary (unless there are other reasons). 

Well, using the operation above removes the need for a pair of headers,
and thus (IMO) simplifies the design a good bit, and prevents wasted
space.

Really, the double-header design already two forwarding operations,
namely "tr=0", and "tr=1".  The "strip N and decode using payload"
operation is equivalent to "swap headers and decode using payload", but
just saves the trouble of having a pair of headers.  

-- 
Nick

References:
- Re: Reply blocks and tagging protection: a third variant
  - From: George Danezis <gd@theory.lcs.mit.edu>

Prev by Date: Re: Reply blocks and tagging protection: a third variant
Next by Date: Re: Reply blocks and tagging protection: a third variant
Prev by thread: Re: Reply blocks and tagging protection: a third variant
Next by thread: Re: Reply blocks and tagging protection: a third variant
Index(es):
- Date
- Thread