[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Comments on latest draft



Nick, and all,

Thanks for the comments and the latexed version. I mostly agree with your 
comments (and the amendments on the second email), I hope some of my 
comments will clarify some issues.

On 25 Mar 2002, Nick Mathewson wrote:
> 1. Scope: As near as I can tell, this document needs to specify some
> other parts to be complete.  We may want to separate the following into
> their own sections:
>     - Administration (requesting and transmitting server info blocks)
>     - Transport
>     - Standard delivery methods (including multipart, gzip, dummy, and
> smtp) 
> 
>    (I know people have said that standard extensions shouldn't be part
> of the core spec.  This is right, but we do need to specify them, else
> our system is a useless academic exercise.)
> 

I think it is fundamental to specify a default transport mechanism, 
between mixes. This is probably going to be SSL with frequent but 
inexpensive key changes.

I agree that we need a bit more for the administration, and in particular 
standard ways of describing capabilities and keys.

I agree that we need to specify some standard modules that everyone should 
implement. DUMP is one of them, PING might be another (any other ideas?).

Finally on to of all this we should define a standard application (such as 
email) as a proof of concept and so that people start using it.

> 2a. We should specify a specific PRNG. 
>  b. Why is the PRNG seed gone from the header?
> 

The Master Secret on the Header can be transformed to seed a PRNG. 

Note that we do not define a mixing method in the standard. I am not sure 
how prudent that is. Maybe we should require a minimum level of traffic 
and mixing from each node.

> 3. Along with the list of rejected design decisions, there should be a
> reason why.
> 

Yes we should.

> 4. MH format: 
>    a. Sometimes the document says "Main Header", sometimes "Master
> Header".
>    b. If time is in days, an 8-byte timestamp will last for about 5e16
> years - quadrillions of years after the sun burns out.  I think we can
> be content with 2 or 3 bytes here.
>    c. Return level, reuse level: see 5 below.
>    d. Address type, next address, port:  According to this scheme, it
> seems that only static addresses are supported.  (20 bytes is far too
> short to hold a typical.fully-qualified.hostname.)  Is this a feature,
> or a bug?

This is a feature. We are working at the network layer so the mixes on the 
path do not need to do DNS queries. I agree that we are in trouble if IPv6 
catches on with dynamic addresses. Having variable length addresses will 
be a traffic analysis nightmare, unless we allocate a fixed but large 
size.

>    e. The fields (size, type, return level) only  make sense for final
> headers.  The fields (address type, next address, dest port, expected
> key) only make sense for intermediate headers.
>       Is this correct?

Type is used to tell the mix if the message is to be re injected, so it is 
useful to intermediate hosts. Return level can also be used by 
intermediate nodes to perform a more secure encryption operation than 
Counter mode with a fixed IV for MURBs. I do not describe this since I am 
not sure if we want MURBs at all.

>    f. When last we met, we suggested that "type" be a string, and not be
> in the header.  Now it's 2 bytes in the header.  Any reason why?
>     

This is a basic multiplexing mechanism to facilitate the job of the server 
logic that redirects the packet to the appropriate module for processing. 
You can think of it like the protocol type in IP headers or the Port type 
of TCP/UDP. The message body can then contain any additional configuration 
information specific to the module.

> 5. BIG ISSUE: It looks like multi-use reply blocks (MURBs) are back in. 
> The problem is: I still don't think they work.
>    a. If I'm reading the spec right, we use the same IV for every pass
> through the system.  This results in multiple uses of counter-mode with
> the same IV: a trivially exploitable flaw.
>    b. We were trying last time (it seems) to find a good way to build
> MURBs without adding a separate "type-1 remailer" mode to our system.  I
> think this should still be a goal: traffic of this kind will be
> colossally vulnerable to traffic analysis by hostile nodes if it is so
> readily distinguishable from the rest of the traffic through the system.
>       At the very least, we should acknowledge as a goal the desire to
> take this feature out of the system.
>    c. Why have a separate field in the MH for reuse level?  Why not just
> introduce another message type for type-1 remailer reply, if we're going
> to support both modes?  This way, we could specify another encryption
> mode for these messages, and avoid (a) above.

I have been thinking of MURBs a lot. Basically they do not work even under 
the most weak threat model assumptions. I agree that counter mode does not 
make things better but after some though I have convinced myself that it 
does not make things worse either. Intermediate nodes are always able to 
see their position in the chain (which is always the same), they can link 
messages together (they must have the same header). They can also tag 
messages and follow them through the mix network.

I increasingly think they are a truly bad idea, because they seem so 
convenient. People are going to use them instead of building proper 
systems, offering strong anonymity.

> 
> 6. More issues around the MH section:
>    a. For a parameter P, if my understanding (that it's an unrestricted
> byte stream) is correct, here are a couple of ideas:
>       - Evocative: "But who is that on the other side of you?" (from
> "The Waste Land").
>       - Political: "Everyone has the right to freedom of opinion and
> expression; this right includes freedom to hold opinions without
> interference and to seek, receive and impart information and ideas
> through any media and regardless of frontiers." (from the Universal
> Declaration of Human Rights, article 12)
>       - Political #2: "He who would make his own liberty secure, must
> guard even his enemy from oppression; for if he violates this duty, he
> establishes a precedent that will reach to himself." (Thomas Paine)
>       - Any other thoughts?

I quite like Political #2. Political #1 has the problem that it also  
contains:

Article 12.

No one shall be subjected to arbitrary interference with his 
privacy, family, home or correspondence, nor to attacks upon his honor 
and reputation. Everyone has the right to the protection of the law 
against such interference or attacks.

>    b. For "Which format exactly do we want [the date] to be?" I
> recommend whole days since Jan 1, 1970, GMT.

I think this should be fine.

>    c. I disagree with the proposal for smaller packets. Let's go with
> what we have, and change it only if it turns out to work poorly.

ok.

>    d. For message, we should define at least a "DROP" type as well as a
> "FORWARD" type.  We should define a standard name for each type. 
> Finally, we should mention the existence of standard extensions. (Like
> multipart and smtp.)

Yes we should.

> 8. Transport issues: I favor an SSL-based solution.  Designing protocols
> and implementing them securely is hard.  (I omit comment on the non-ssl
> MMTP, since I'm not competent to analyze it.)
>    - There should also be a standard port.
> 

I quite favor the SSL based solution myself, given that it offers us 
everything we need. We should restrict its ability to negotiate week 
combinations of ciphers.

> 9. Administrative issues: 
>    a. The capabilities block needs to be better specified. I'd recommend
> a list of supported message types, and leave it at that.
>    b. Why <LFCR>?  Is that just a notation for "platform-appropriate
> newline," or do you mean something else?
>    c. There should be a standard way IMO to query a server's public key
> from the server.

Who want to rework these?

Yours,

George