
Re: Draft: Directory agreement in Type III



On Wed, 2003-08-20 at 09:16, Steve Crook wrote:
 [..]
> When Minion is launched, it will be difficult to estimate the rate at
> which nodes/pingers/directory servers will join.  Based on this, is it
> not possible that a resourceful attacker could introduce services which
> would enable him to control the quorum?

[Steve and I discussed this on IRC, but I'm writing to the list too for
the record.]

There aren't supposed to be an arbitrarily large amount of voting
directory servers.  If there were, we'd have exactly the same problem of
knowing which directory servers to trust that we do with knowing which
mixes to trust.  Instead, the default quorum should contain a handful of
directory servers (say, between 5 and 9).  All of these should be run by
well known people and organizations, living and operating in different
jurisdictions.

An attacker can always sign up more directory servers ... but unless the
attacker can get the members of a good quorum to trust the attacker's
servers, those servers can not join the quorum.  (It's okay if the
attacker has his own quorum of 25 servers floating off in the middle of
nowhere... users who decide to use that quorum instead are screwed, but
in this case, we can't save users from their own bad judgment.)

If the attacker persuades _some_ of the servers in the good quorum to
trust *enough* of the attacker's servers, the attacker may be able to
lure those "confused" servers into preferring the attacker's quorum.
(For instance, suppose the default quorum has good servers G1...G6,
along with confused servers C1,C2,C3.  Suppose the attacker signs up
M1...M7.  If the attacker persuades C1...C3 to trust M1...M7, and
M1...M7 are listed as trusting C1...C3 and themselves, then the
attacker's larger quorum will pull <C1...C3,M1...M7> into a separate
quorum, leaving G1...G6 on their own.)

(Of course, in this case, the attacker still cannot produce a directory
signed by more than half of the default quorum, unless the attacker
manages to confuse at least half of the default quorum in this way.)

HTH,
-- 
Nick

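The quorum-splitting scenario in Nick's message (good servers G1...G6, confused servers C1...C3, attacker servers M1...M7), worked through as an added example. This code is not from the thread or from the Mixminion project; it assumes a simplified model in which the candidate quorums are the maximal sets of servers that all trust each other, each server prefers the largest such set it belongs to, and a directory is accepted only if more than half of the default quorum signs it. The server names and the trust relations are constructed from the scenario in the message.

```python
"""Model of the directory-server trust graph from the message above.

Assumed simplifications (illustration only, not the Type III algorithm):
  - a candidate quorum is a maximal set of mutually trusting servers;
  - each server prefers the largest candidate quorum it belongs to;
  - a directory for the default quorum needs signatures from more than
    half of the default quorum's members.
"""


def build_trust(default_quorum, confused, malicious):
    """Return trust map: server -> set of servers it trusts (itself included).

    Constructed from the scenario: every default-quorum member trusts the
    whole default quorum; the confused members additionally trust the
    attacker's servers; the attacker's servers trust each other and the
    confused members, but not the good servers.
    """
    trust = {s: set(default_quorum) for s in default_quorum}
    for c in confused:
        trust[c] |= set(malicious)
    for m in malicious:
        trust[m] = set(malicious) | set(confused)
    return trust


def mutual(trust, a, b):
    """True when a and b each trust the other."""
    return b in trust[a] and a in trust[b]


def maximal_cliques(trust):
    """All maximal mutual-trust sets (Bron-Kerbosch, no pivoting; fine at this size)."""
    nodes = set(trust)
    nbrs = {a: {b for b in nodes if b != a and mutual(trust, a, b)} for a in nodes}
    found = []

    def bk(r, p, x):
        if not p and not x:
            found.append(frozenset(r))
            return
        for v in list(p):
            bk(r | {v}, p & nbrs[v], x & nbrs[v])
            p = p - {v}
            x = x | {v}

    bk(set(), nodes, set())
    return found


def preferred_quorum(trust, server):
    """Largest candidate quorum containing server (ties broken by sorted name)."""
    candidates = [c for c in maximal_cliques(trust) if server in c]
    return sorted(candidates, key=lambda c: (-len(c), sorted(c)))[0]


def default_majority(quorum, default_quorum):
    """How many default-quorum members sit in `quorum`, and whether that is a majority."""
    n = len(set(quorum) & set(default_quorum))
    return n, 2 * n > len(default_quorum)


def scenario(n_good, n_confused, n_malicious):
    """Run the split for a default quorum of n_good + n_confused servers."""
    good = [f"G{i}" for i in range(1, n_good + 1)]
    confused = [f"C{i}" for i in range(1, n_confused + 1)]
    malicious = [f"M{i}" for i in range(1, n_malicious + 1)]
    default = good + confused
    trust = build_trust(default, confused, malicious)
    attacker_quorum = preferred_quorum(trust, malicious[0])
    signers, majority = default_majority(attacker_quorum, default)
    return {
        "good_quorum": preferred_quorum(trust, good[0]),
        "confused_quorum": preferred_quorum(trust, confused[0]),
        "attacker_quorum": attacker_quorum,
        "default_members_in_attacker_quorum": signers,
        "attacker_can_sign_default_directory": majority,
    }


if __name__ == "__main__":
    # The message's numbers: 6 good, 3 confused, 7 attacker servers.
    for k, v in scenario(6, 3, 7).items():
        print(k, sorted(v) if isinstance(v, frozenset) else v)
```

With the message's numbers the good servers stay in a 9-member quorum <G1...G6, C1...C3>, the confused servers migrate to the 10-member <C1...C3, M1...M7>, and the attacker's quorum contains only 3 of the 9 default members, so it cannot produce a directory signed by a majority of the default quorum. Raising the confused count to 5 of 9 flips that last result, which is the "confuse at least half" condition the message ends on.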