[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [ANN] M.0.0.3rc2: Reply block issue
Dear Nick and All,
This has popped up in the past, but at the time it was a theoretical issue
while now we have an actual implementation.
Executive summary: I believe, and I need other's opinions on this, that it
is important that a user specified tag should be attached to each SURB,
and revealed when a reply is decoded.
Long version: Think of the following scenario: I (George) sends two
anonymous messages to Nick and Roger, pretending to be Grace and Glory
respectively. Both messages contain some reply blocks so that Nick and
Roger can reply to me.
Roger and Nick are good friends and believe that Grace and Glory are
actually the same woman (well man in this case). In order to test this
Nick gives his reply block to Roger, who using it writes an email to
Glory. I receive the email, as Glory, and I reply as if nothing wrong had
happened. Therefore their hypothesis that Grace is indeed Glory is
confirmed.
The solution to this problem is to 'bound' SURBS to particular pseudonyms
(in a very loose sense). Therefore in the TAG field of the SURB I include
'To: Glory' and 'To: Grace' respectively. When I receive the email from
Roger, writing to Glory, the decoded messages is clearly addressed 'To:
Grace' and this cannot be modified by the network. Therefore I know that I
should reply saying 'I am sorry Roger you must be mistaken. I am not
Glory, but Grace'.
The above is actually related to a security policy that we have thought
off and published at the end of the IH2001 paper:
http://www.cl.cam.ac.uk/~rnc1/Patterns_of_Failure.pdf
It is advocating strict compartments between the what the pseudonyms and
real person knows, and analyzes and other information flows using covert
channel analysis.
The above is quite important if one want to build more complex systems on
top of the mixminion implementation in python.
Let me know what you think,
George