# [or-cvs] Assorted tweaks fixes, etc. to abstract et passim

Update of /home/or/cvsroot/tor/doc/design-paper
In directory moria.mit.edu:/tmp/cvs-serv4400/tor/doc/design-paper

Modified Files:
challenges.tex
Log Message:
Assorted tweaks fixes, etc. to abstract et passim

Index: challenges.tex
===================================================================
RCS file: /home/or/cvsroot/tor/doc/design-paper/challenges.tex,v
retrieving revision 1.37
retrieving revision 1.38
diff -u -d -r1.37 -r1.38
--- challenges.tex	3 Feb 2005 21:28:03 -0000	1.37
+++ challenges.tex	4 Feb 2005 18:32:40 -0000	1.38
@@ -24,16 +24,18 @@
\pagestyle{empty}

\begin{abstract}
+
+  We describe our experiences with deploying Tor, a low-latency
+  anonymous general purpose communication system that has been funded
+  by the U.S.~Navy, DARPA, and the Electronic Frontier Foundation. The
+  basic Tor design supports most applications that run over TCP (those
+  that are SOCKS compliant).

-We describe our experiences with deploying Tor, a low-latency anonymous
-communication system that has been funded both by the U.S.~Navy
-and also by the Electronic Frontier Foundation.
-
-Because of its simplified threat model, Tor does not aim to defend
-against many of the attacks in the literature.
+%Because of its simplified threat model, Tor does not aim to defend
+%against many of the attacks in the literature.

We describe both policy issues that have come up from operating the
-network and technical challenges in building a more sustainable and
+network and technical challenges to building a more sustainable and
scalable network.

\end{abstract}
@@ -73,8 +75,8 @@
enforcement and government intelligence agencies who need
to do operations on the Internet without being noticed.

-Tor research and development has been funded by the U.S.~Navy, for use
-in securing government
+Tor research and development has been funded by the U.S.~Navy and DARPA
+for use in securing government
communications, and also by the Electronic Frontier Foundation, for use
in maintaining civil liberties for ordinary citizens online. The Tor
protocol is one of the leading choices
@@ -298,24 +300,25 @@
\cite{attack-tor-oak05} that lets an attacker determine the nodes used
in a circuit; yet s/he cannot identify the initiator or responder,
e.g., client or web server, through this attack. So the endpoints
-remain secure, which is the goal. On the other hand we can imagine an
-adversary that could attack or set up observation of all connections
+remain secure, which is the goal. It is conceivable that an
+adversary could attack or set up observation of all connections
to an arbitrary Tor node in only a few minutes.  If such an adversary
were to exist, s/he could use this probing to remotely identify a node
-for further attack.  Also, the enclave model seems particularly
-threatened by this attack, since it identifies endpoints when they're
-also nodes in the Tor network: see Section~\ref{subsec:helper-nodes}
-for discussion of some ways to address this issue.
-
+for further attack.  Of more likely immediate practical concern
wants to keep a circuit alive long enough to attack an identified
-node. Could s/he do this without the overt cooperation of the client
-proxy? More immediately, someone could identify nodes in this way and
-if in their jurisdiction, immediately get a subpoena (if they even
-need one) and tell the node operator(s) that she must retain all the
-active circuit data she now has at that moment.  That \emph{can} be
-here or later in the paper -pfs]
+node. Thus it is important to prevent the responding end of the circuit
+from keeping it open indefinitely.
+Also, someone could identify nodes in this way and if in their
+jurisdiction, immediately get a subpoena (if they even need one)
+telling the node operator(s) that she must retain all the active
+circuit data she now has.
+Further, the enclave model, which had previously looked to be the most
+generally secure, seems particularly threatened by this attack, since
+it identifies endpoints when they're also nodes in the Tor network:
+see Section~\ref{subsec:helper-nodes} for discussion of some ways to
+

see \ref{subsec:routing-zones} for discussion of larger
@@ -605,7 +608,7 @@
the decision of the individual server administrator whose deciding if
he wants to post to Wikipedia from his Tor node address or allow
people to read Wikipedia anonymously through his Tor node. (Wikipedia
-has blocked all posting from all Tor nodes based in IP address.) If e.g.,
+has blocked all posting from all Tor nodes based on IP address.) If e.g.,
s/he comes through a campus or corporate NAT, then the decision must
be to have the entire population behind it able to have a Tor exit
node or to have write access to Wikipedia. This is a loss for both of us (Tor
@@ -726,8 +729,8 @@
which nodes will allow which packets to exit.
\item \emph{The Tor-internal name spaces would need to be redesigned.} We
-like {\tt{.exit}} (see Section~\ref{subsec:}), by intercepting the addresses
-when they are passed to the Tor client.
+like {\tt{.exit}} (see Section~\ref{subsec:hidden-services}),
+by intercepting the addresses when they are passed to the Tor client.
\end{enumerate}

This list is discouragingly long right now, but we recognize that it
@@ -833,7 +836,7 @@
% Hintz stuff and the Back et al. stuff from Info Hiding 01. I've
% separated the two and added the references. -PFS
routes through the network to each site will be random even if they
-have relatively unique latency characteristics. So the do
+have relatively unique latency characteristics. So this does
not seem an immediate practical threat. Further along similar lines,
the same paper suggested a clogging attack''. A version of this
was demonstrated to be practical in
@@ -854,18 +857,31 @@
effectiveness.  So, another way to slow some of these attacks
would be to cache responses at exit servers where possible, as it is with
DNS lookups and cacheable HTTP responses.  Caching would, however,
-create threats of its own.
+create threats of its own. First, a Tor network is expected to contain
+hostile nodes. If one of these is the repository of a cache, the
+attack is still possible. Though more work to set up a Tor node and
+cache repository, the payoff of such an attack is potentially
+higher.
%To be
%useful, such caches would need to be distributed to any likely exit
%nodes of recurred requests for the same data.
%   Even local caches could be useful, I think. -NM
-Aside from the logistic
-difficulties and overhead, caches would  constitute a
-record of destinations and data visited by Tor users.  While
-limited to network insiders, given the need for wide distribution
-they could serve as useful data to an attacker deciding which locations
-to target for confirmation. A way to counter this distribution
-threat might be to only cache at certain semitrusted helper nodes.
+%
+Besides allowing any other insider attacks, caching nodes would hold a
+record of destinations and data visited by Tor users reducing forward
+anonymity. Worse, for the cache to be widely useful much beyond the
+client that caused it there would have to either be a new mechanism to
+distribute cache information around the network and a way for clients
+to make use of it or the caches themselves would need to be
+distributed widely. Either way the record of visited sites and
+without having to actively gather it himself.  Besides its inherent
+value, this could serve as useful data to an attacker deciding which
+locations to target for confirmation. A way to counter this
+distribution threat might be to only cache at certain semitrusted
+helper nodes.  This might help specific clients, but it would limit
+the general value of caching.

%Does that cacheing discussion belong in low-latency?

@@ -984,7 +1000,10 @@
the attack does not identify the order of nodes in a route, so the
longer the route, the greater the uncertainty about which node might
be first. It may be possible to extend the attack to learn the route
-node order, but it is not clear that this is practically feasible.
+node order, but has not been shown whether this is practically feasible.
+If so, the incompleteness uncertainty engendered by random lengths would
+remain, but once the complete set of nodes in the route were identified
+the initiating node would also be identified.

Another way to reduce the threats to both enclaves and simple Tor
clients is to have helper nodes. Helper nodes were introduced
@@ -993,7 +1012,8 @@
The idea is to use a single trusted node as the first one you go to,
that way an attacker cannot ever attack the first nodes you connect
to and do some form of intersection attack. This will not affect the
-Danezis-Murdoch attack at all.
+Danezis-Murdoch attack at all if the attacker can time latencies to
+both the helper node and the enclave node.

We have to pick the path length so adversary can't distinguish client from
server (how many hops is good?).
@@ -1054,6 +1074,7 @@
%big stuff.

\subsection{Location-hidden services}
+\label{subsec:hidden-services}

with Tor, it also provides support for \emph{rendezvous points}, which
@@ -1174,9 +1195,9 @@
discovery, both bootstrapping -- how a Tor client can robustly find an
initial server list -- and ongoing -- how a Tor client can learn about
a fair sample of honest servers and not let the adversary control his
-circuits (see Section x).  Second is detecting and handling the speed
+circuits (see Section~\ref{}).  Second is detecting and handling the speed
and reliability of the variety of servers we must use if we want to
-accept many servers (see Section y).
+accept many servers (see Section~\ref{}).
Since the speed and reliability of a circuit is limited by its worst link,
we must learn to track and predict performance.  Finally, in order to get
a large set of servers in the first place, we must address incentives