
Re: [ANN] M.0.0.3rc2: Reply block issue



On Tue, 18 Feb 2003 14:03:15 -0500 (EST), George Danezis <gd@theory.lcs.mit.edu> wrote:

Dear Nick and All,

This has popped up in the past, but at the time it was a theoretical issue while now we have an actual implementation.

Executive summary: I believe, and I need others' opinions on this, that it
is important that a user-specified tag should be attached to each SURB,
and revealed when a reply is decoded.

Long version: Think of the following scenario: I (George) send two anonymous messages to Nick and Roger, pretending to be Grace and Glory respectively. Both messages contain some reply blocks so that Nick and Roger can reply to me.

Roger and Nick are good friends and believe that Grace and Glory are actually the same woman (well man in this case). In order to test this Nick gives his reply block to Roger, who using it writes an email to Glory. I receive the email, as Glory, and I reply as if nothing wrong had happened. Therefore their hypothesis that Grace is indeed Glory is confirmed.

The solution to this problem is to 'bound' SURBs to particular pseudonyms (in a very loose sense). Therefore in the TAG field of the SURB I include 'To: Glory' and 'To: Grace' respectively. When I receive the email from Roger, writing to Glory, the decoded message is clearly addressed 'To: Grace' and this cannot be modified by the network. Therefore I know that I should reply saying 'I am sorry Roger you must be mistaken. I am not Glory, but Grace'.

The above is actually related to a security policy that we have thought of and published at the end of the IH2001 paper:
http://www.cl.cam.ac.uk/~rnc1/Patterns_of_Failure.pdf
It is advocating strict compartments between what the pseudonyms and real person know, and analyzes and other information flows using covert channel analysis.

The above is quite important if one wants to build more complex systems on top of the mixminion implementation in python.

Let me know what you think,

Hello George, Hello Group,

Call me stupid, but while I do see the problem (which I will sketch below), I do not see the solutions put forward to date.

IMO The problem can be abstracted as this:
A == Alice
B == Bob
L == Last Mixminion Remailer on sending, but in any case First Mixminion Remailer in Reply Block (ie the hop that does the first encryption and which should be the only hop with access to the Bob e-mail address if the protocol is working at all!)
T == Trent, the evil remop or anybody else who might break the protocol (Nick in the above case)

So what you want (as I, stupid me, understand so far) is:
A --> L --> B

and then:
B --> L --> A

AND, in this second 'reply' case, you want L to make sure that B == Bob, while he might in fact be T == Trent.

This simply cannot be solved IMHO, not in this universe AFAICS!

What can be done is that Alice checks which reply-block was used by storing which public keys he assigned to Bob.

What can also be done is that Bob signs the reply back to Alice with his key or even encrypts it to her public key for that nym!

What cannot be done is that this signed message by Bob can be used to prove that this message actually belongs to Bob and that only Alice can receive it. If Bob == B is actually Trent == T == B, then nothing will stop this attack by Trent and Bob, not even storing the From line from L to B or storing the To line from B back to L. In fact, Trent could without either L or B knowing, modify these (unsigned) to and from lines in transit.

So I say, don't fix it, it is either that or ignore my stupid comments because I don't get what you are trying to solve here and how this will ever work since it is quite obvious to me from your example that Nick == Roger and thus there is no way for Alice to differentiate between the two even if they were using PGP for signing and encrypting all their messages. Adding anonymity to the mix makes the problem even more unsolvable, but hey, I have been diagnosed several severe forms of (unrelated) psychiatric diseases in succession, so who knows? Maybe my psychiatrist is right. Maybe I am mad. Maybe you are right. Maybe I am wrong. It is just that I don't seem that stupid to myself so I would like to propose that you are all stupid and my psychiatrist is stupid (which might result in the same condition of not getting along with each other, which is a condition that I clearly suffer from in my experience and which anti-psychotics which I have stupidly been taking for over four years clearly seem to solve to some extent (in addition to having the withdrawal symptom of making things worse again, no I don't have a spell-checker for this e-mail client if you are wondering why my sentences have half the words spelled wrong)),

MIT, theoretical computer science, right. I still wonder what made me fail my studies in computer science under similar conditions as this.. must be me, doesn't it.. hundreds of people can't be wrong, can they?

Regards anyway and I hope we can work these problems out,
Thomas J. Boschloo
Den Helder
--
Real World Attacks and Self-Defense, three things that the world does not know yet:
"http://home.hccnet.nl/t.j.boschloo/TLBP/copkiller.html";
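
The two ideas in this thread (a tag bound to each SURB and revealed on decoding, and the recipient checking which reply block was used) can be sketched from the pseudonym owner's side as follows. This is an added example, not Mixminion code and not part of either message; the tag layout, sizes and the names `make_tag`, `nym_for_tag` and `classify_reply` are assumptions made for illustration.

```python
import hashlib
import hmac
import os

NONCE_LEN = 8   # assumed sizes: 8-byte nonce + 12-byte truncated HMAC
MAC_LEN = 12

def make_tag(secret: bytes, nym: str) -> bytes:
    """Tag to embed in a reply block issued under pseudonym `nym`."""
    nonce = os.urandom(NONCE_LEN)
    mac = hmac.new(secret, nonce + nym.encode(), hashlib.sha256).digest()
    return nonce + mac[:MAC_LEN]

def nym_for_tag(secret: bytes, tag: bytes, nyms):
    """Return the pseudonym the tag was issued under, or None if not ours."""
    if len(tag) != NONCE_LEN + MAC_LEN:
        return None
    nonce, mac = tag[:NONCE_LEN], tag[NONCE_LEN:]
    found = None
    for nym in nyms:  # check every nym so timing does not depend on the match
        full = hmac.new(secret, nonce + nym.encode(), hashlib.sha256).digest()
        if hmac.compare_digest(mac, full[:MAC_LEN]):
            found = nym
    return found

def classify_reply(secret: bytes, tag: bytes, addressed_to: str, nyms):
    """Compare the nym a reply addresses with the nym its reply block is bound to."""
    bound = nym_for_tag(secret, tag, nyms)
    if bound is None:
        return ("reject", None)        # unknown or altered tag
    if bound != addressed_to:
        return ("cross-use", bound)    # block issued to one nym, mail sent to another
    return ("ok", bound)

if __name__ == "__main__":
    # Constructed scenario from the thread: one owner, two pseudonyms.
    secret = os.urandom(32)
    nyms = ["Grace", "Glory"]
    block_given_to_nick = make_tag(secret, "Grace")
    block_given_to_roger = make_tag(secret, "Glory")
    # Roger writes to Glory using the block Nick received from Grace.
    print(classify_reply(secret, block_given_to_nick, "Glory", nyms))
    print(classify_reply(secret, block_given_to_roger, "Glory", nyms))
```

On a `cross-use` result the owner answers only as the pseudonym the block is bound to, which is the behaviour George's message describes.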