[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Forward and reply messages
[sorry for not contributing more in the past few days. I've started a new
job, and I'm in the process of moving -- both of which are taking up most
of my time.]
On Mon, 29 Apr 2002, Roger Dingledine wrote:
> Option one: Distinguishable forward and reply messages.
> Flaw: adversary can divide messages into two sets. If one set is small
> (ever), it's much easier to trace.
> Not-very-good-solution: send dummy traffic to make the percentages equal.
> But: This wastes a lot of bandwidth. (Other attacks?)
I don't think that option one is really an option to consider. If we're
going to do it that way, we might as well have two systems -- one for
forward messages, one for reply messages, and not even worry about having
them work together.
The total set is too small as it is. Dividing it would, I suspect, be
fatal.
> Option two: Indistinguishable forward and reply messages.
[snip]
> So if the adversary doesn't own most of the crossover points, then the
> tagging attack doesn't get him anything. And since Alice chooses the
> crossover points, and if we assume the adversary doesn't own most of the
> network (a good assumption, in my book, else lots of other stuff breaks
> too), then it's really very hard to do succeed at a tagging attack.
>
> Do you buy it?
I think it is the best option I have heard so far. I like the suggestion
of using a short cascade at the start of the path, too. The client should
be smart enough to help the user make decent choices for his chain --
things to work on later.
BTW, I am more interested in protecting against traffic analysis attacks
than tagging attacks in general. (I want to protect against both, but if
it comes down to one of the other, traffic analysis is more important). An
attacker risks detection with a tagging attack or a replay attack, whereas
he has no such risk doing passive message correlation. Dividing the
anonymity set makes the riskless attack far too easy.
--Len.