[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [ANN] M.0.0.3rc2: Reply block issue
On Tue, 18 Feb 2003 14:03:15 -0500 (EST), George Danezis
<gd@theory.lcs.mit.edu> wrote:
Dear Nick and All,
This has popped up in the past, but at the time it was a theoretical
issue while now we have an actual implementation.
Executive summary: I believe, and I need other's opinions on this, that
it
is important that a user specified tag should be attached to each SURB,
and revealed when a reply is decoded.
Long version: Think of the following scenario: I (George) sends two
anonymous messages to Nick and Roger, pretending to be Grace and Glory
respectively. Both messages contain some reply blocks so that Nick and
Roger can reply to me.
Roger and Nick are good friends and believe that Grace and Glory are
actually the same woman (well man in this case). In order to test this
Nick gives his reply block to Roger, who using it writes an email to
Glory. I receive the email, as Glory, and I reply as if nothing wrong had
happened. Therefore their hypothesis that Grace is indeed Glory is
confirmed.
The solution to this problem is to 'bound' SURBS to particular pseudonyms
(in a very loose sense). Therefore in the TAG field of the SURB I include
'To: Glory' and 'To: Grace' respectively. When I receive the email from
Roger, writing to Glory, the decoded messages is clearly addressed 'To:
Grace' and this cannot be modified by the network. Therefore I know that
I should reply saying 'I am sorry Roger you must be mistaken. I am not
Glory, but Grace'.
The above is actually related to a security policy that we have thought
off and published at the end of the IH2001 paper:
http://www.cl.cam.ac.uk/~rnc1/Patterns_of_Failure.pdf
It is advocating strict compartments between the what the pseudonyms and
real person knows, and analyzes and other information flows using covert
channel analysis.
The above is quite important if one want to build more complex systems on
top of the mixminion implementation in python.
Let me know what you think,
Hello George, Hello Group,
Call me stupid, but while I do see the problem (which I will sketch below),
I do not see the solutions put forward to date.
IMO The problem can be abstracted as this:
A == Alice
B == Bob
L == Last Mixminion Remailer on sending, but in any case First Mixminion
Remailer in Reply Block (ie the hop that does the first encryption and
which should be the only hop with access to the Bob e-mail address if the
protocol is working at all!)
T == Trent, the evil remop or anybody else who might break the protocol
(Nick in the above case)
So what you want (as I, stupid me, understand so far) is:
A --> L --> B
and then:
B --> L --> A
AND, in this second 'reply' case, you want L to make sure that B == Bob,
while he might in fact be T == Trent.
This simply cannot be solved IMHO, not in this universe AFAICS!
What can be done is that Alice checks which reply-block was used by storing
which public keys he assigned to Bob.
What can also be done is that Bob signs the reply back to Alice with his
key or even encrypts it to her public key for that nym!
What cannot be done is that this signed message by Bob can be used to proof
that this message actually belongs to Bob and that only Alice can receive
it. If Bob == B is actually Trent == T == B, then nothing will stop this
attack by Trent and Bob, not even storing he From line from L to B or
storing the To line from B back to L. In fact, Trent could without either L
or B knowing, modify these (unsigned) to and from lines in transit.
So I say, don't fix it, it is either that or ignore my stupid comments
because I don't get what you are trying to solve here and how this will
ever work since it is quite obvious to me from your example that Nick ==
Roger and thus there is no way for Alice to differentiate between the two
even if they were using PGP for signing and encrypting all their messages.
Adding anonimity to the mix makes the problem even more unsolvable, but
hey, I have been diagnosed several severe forms of (unrelated) psychiatric
deceases in succesion, so who knows? Maybe my psychiatrist is right. Maybe
I am mad. Maybe you are right. Maybe I am wrong. It is just that I don't
seem that stupid to myself so I would like to propose that you are all
stupid and my psychiatrist is stupid (which might result in the same
condition of not getting allong with each other, which is a condition that
I clearly suffer from in my experience and which anti-psychotics which I
have stupidly been taking for over four years clearly seem to solve to some
extend (in addition to having the withdrawl symptome of making things worse
again, no I don't have a spell-checker for this e-mail client if you are
wondering my my sentenses have half the words spelled wrong)),
MIT, theoretical computer science, right. I still wonder what made me fail
my studies in computer science under similar conditions as this.. must be
me, doesn't it.. hunderds of people can't be wrong, can they?
Regards anyway and I hope we can work these problems out,
Thomas J. Boschloo
Den Helder
--
Real World Attacks and Self-Defense, three things that the world does not
know yet:
"http://home.hccnet.nl/t.j.boschloo/TLBP/copkiller.html"