[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[or-cvs] Edits for section 7. I am happier, and the paper is finall...
Update of /home/or/cvsroot/doc
In directory moria.mit.edu:/tmp/cvs-serv11585
Modified Files:
tor-design.tex
Log Message:
Edits for section 7. I am happier, and the paper is finally under 15 pages.
Index: tor-design.tex
===================================================================
RCS file: /home/or/cvsroot/doc/tor-design.tex,v
retrieving revision 1.106
retrieving revision 1.107
diff -u -d -r1.106 -r1.107
--- tor-design.tex 5 Nov 2003 00:15:11 -0000 1.106
+++ tor-design.tex 5 Nov 2003 01:18:10 -0000 1.107
@@ -1410,7 +1410,7 @@
Routing; nonetheless, Tor can directly use Privoxy and related
filtering services to anonymize application data streams.
-\emph{Option distinguishability.} Configuration options can be a
+\emph{Option distinguishability.} Options can be a
source of distinguishable patterns. In general there is economic
incentive to allow preferential services \cite{econymics}, and some
degree of configuration choice can attract users, which
@@ -1420,7 +1420,7 @@
behavior.
%XXX Actually, circuitrebuildperiod is such an option. -RD
-\emph{End-to-end Timing correlation.} Tor only minimally hides
+\emph{End-to-end timing correlation.} Tor only minimally hides
end-to-end timing correlations. An attacker watching patterns of
traffic at the initiator and the responder will be
able to confirm the correspondence with high probability. The
@@ -1429,39 +1429,44 @@
by running the onion proxy locally or
behind a firewall. This approach
requires an observer to separate traffic originating at the onion
-router from traffic passing through it; but because we do not mix
-or pad, this does not provide much defense.
+router from traffic passing through it: a global observer can do this,
+but it might be beyond a limited observer's capabilities.
-\emph{End-to-end Size correlation.} Simple packet counting
+\emph{End-to-end size correlation.} Simple packet counting
without timing correlation will also be effective in confirming
endpoints of a stream. However, even without padding, we have some
limited protection: the leaky pipe topology means different numbers
of packets may enter one end of a circuit than exit at the other.
-\emph{Website fingerprinting.} All the above passive
-attacks that are at all effective are traffic confirmation attacks.
-This puts them outside our general design goals. There is also
+\emph{Website fingerprinting.} All the effective passive
+attacks above are traffic confirmation attacks,
+which puts them outside our design goals. There is also
a passive traffic analysis attack that is potentially effective.
Rather than searching exit connections for timing and volume
correlations, the adversary may build up a database of
-``fingerprints'' containing file sizes and access patterns for many
-interesting websites. He can confirm a user's connection to a given
+``fingerprints'' containing file sizes and access patterns for
+targeted websites. He can later confirm a user's connection to a given
site simply by consulting the database. This attack has
-been shown to be effective against SafeWeb \cite{hintz-pet02}. But
-Tor is not as vulnerable as SafeWeb to this attack: there is the
-possibility that multiple streams are exiting the circuit at
-different places concurrently. Also, fingerprinting will be limited to
-the granularity of cells, currently 256 bytes. Other defenses include
-larger cell sizes and/or minimal padding schemes that group websites
+been shown to be effective against SafeWeb \cite{hintz-pet02}.
+% But
+%Tor is not as vulnerable as SafeWeb to this attack: there is the
+%possibility that multiple streams are exiting the circuit at
+%different places concurrently.
+% XXX How does that help? Roger and I don't know. -NM
+It may slightly less effective against Tor, since
+fingerprinting will be limited to
+the granularity of cells, currently 256 bytes. Further potential
+defenses include
+larger cell sizes and/or minimal padding schemes to group websites
into large sets. But this remains an open problem. Link
padding or long-range dummies may also make fingerprints harder to
detect.\footnote{Note that
-such fingerprinting should not be confused with the latency attacks
+this fingerprintin attack should not be confused with the latency attacks
of \cite{back01}. Those require a fingerprint of the latencies of
all circuits through the network, combined with those from the
network edges to the targeted user and the responder website. While
these are in principle feasible and surprises are always possible,
-these constitute a much more complicated attack, and there is no
+they constitute a much more complicated attack, and there is no
current evidence of their practicality.}\\
\noindent{\large\bf Active attacks}\\
@@ -1497,57 +1502,58 @@
\emph{Run a recipient.} By running a Web server, an adversary
trivially learns the timing patterns of users connecting to it, and
can introduce arbitrary patterns in its responses. This can greatly
-facilitate end-to-end attacks: If the adversary can induce certain
+facilitate end-to-end attacks: If the adversary can induce
users to connect to his webserver (perhaps by advertising
content targeted at those users), she now holds one end of their
connection. Additionally, there is a danger that the application
protocols and associated programs can be induced to reveal
-information about the initiator. Tor does not aim to solve this problem;
+information about the initiator. Tor does not aim to solve this latter problem;
we depend on Privoxy and similar protocol cleaners.
\emph{Run an onion proxy.} It is expected that end users will
nearly always run their own local onion proxy. However, in some
settings, it may be necessary for the proxy to run
-remotely---typically, in an institutional setting which wants
+remotely---typically, in institutions that want
to monitor the activity of those connecting to the proxy.
-Compromising an onion proxy means compromising all future connections
+Compromising an onion proxy compromises all future connections
through it.
-\emph{DoS non-observed nodes.} An observer who can observe some
-of the Tor network can increase the value of this traffic analysis
+\emph{DoS non-observed nodes.} An observer who can only watch some
+of the Tor network can increase the value of this traffic
by attacking non-observed nodes to shut them down, reduce
their reliability, or persuade users that they are not trustworthy.
The best defense here is robustness.
\emph{Run a hostile node.} In addition to being a
local observer, an isolated hostile node can create circuits through
-itself, or alter traffic patterns, to affect traffic at
-other nodes. Its ability to directly DoS a neighbor is now limited
-by bandwidth throttling. Nonetheless, in order to compromise the
-anonymity of the endpoints of a circuit by its observations, a
-hostile node must be immediately adjacent to that endpoint.
-If an adversary is able to
-run multiple ORs, and is able to persuade the directory servers
+itself, or alter traffic patterns to affect traffic at
+other nodes. (Its ability to directly DoS a neighbor is now limited
+by bandwidth throttling.) Nonetheless, in order to compromise the
+anonymity of a circuit by its observations, a
+hostile node must be immediately adjacent to both endpoints.
+If an adversary can
+run multiple ORs, and can persuade the directory servers
that those ORs are trustworthy and independent, then occasionally
some user will choose one of those ORs for the start and another
as the end of a circuit. When this happens, the user's
-anonymity is compromised for those streams. If an adversary can
-control $m$ out of $N$ nodes, he should be able to correlate at most
+anonymity is compromised for those circuits. If an adversary
+controls $m>1$ out of $N$ nodes, he should be able to correlate at most
$\left(\frac{m}{N}\right)^2$ of the traffic in this way---although an
adversary
could possibly attract a disproportionately large amount of traffic
by running an OR with an unusually permissive exit policy.
-\emph{Run a hostile directory server.} Directory servers control
-admission to the network. However, because the network directory
-must be signed by a majority of servers, the threat of a single
-hostile server is minimized.
+%% Duplicate.
+%
+%\emph{Run a hostile directory server.} Directory servers control
+%admission to the network. However, because the network directory
+%must be signed by a majority of servers, the threat of a single
+%hostile server is minimized.
\emph{Selectively DoS a Tor node.} As noted, neighbors are
-bandwidth limited; however, it is possible to open up sufficient
-circuits that converge at a single onion router to
-overwhelm its network connection, its ability to process new
-circuits, or both.
+bandwidth limited; however, it is possible to open enough
+circuits converging at a single onion router to
+overwhelm its network connection, CPU, or both.
% We aim to address something like this attack with our congestion
% control algorithm.
@@ -1556,14 +1562,14 @@
\emph{Tagging attacks.} A hostile node could ``tag'' a
cell by altering it. This would render it unreadable, but if the
-stream is, for example, an unencrypted request to a Web site,
-the garbled content coming out at the appropriate time could confirm
+stream were, for example, an unencrypted request to a Web site,
+the garbled content coming out at the appropriate time would confirm
the association. However, integrity checks on cells prevent
this attack.
\emph{Replace contents of unauthenticated protocols.} When
relaying an unauthenticated protocol like HTTP, a hostile exit node
-can impersonate the target server. Thus, whenever possible, clients
+can impersonate the target server. Thus clients
should prefer protocols with end-to-end authentication.
\emph{Replay attacks.} Some anonymity protocols are vulnerable
@@ -1580,34 +1586,33 @@
\emph{Distribute hostile code.} An attacker could trick users
into running subverted Tor software that did not, in fact, anonymize
-their connections---or worse, trick ORs into running weakened
+their connections---or worse, could trick ORs into running weakened
software that provided users with less anonymity. We address this
problem (but do not solve it completely) by signing all Tor releases
with an official public key, and including an entry in the directory
-describing which versions are currently believed to be secure. To
+listing which versions are currently believed to be secure. To
prevent an attacker from subverting the official release itself
(through threats, bribery, or insider attacks), we provide all
releases in source code form, encourage source audits, and
frequently warn our users never to trust any software (even from
-us!) that comes without source.\\
+us) that comes without source.\\
\noindent{\large\bf Directory attacks}\\
\emph{Destroy directory servers.} If a few directory
-servers drop out of operation, the others still arrive at a final
-directory. So long as any directory servers remain in operation,
+servers disappear, the others still arrive at a final
+directory. So long as any any directory servers remain in operation,
they will still broadcast their views of the network and generate a
consensus directory. (If more than half are destroyed, this
directory will not, however, have enough signatures for clients to
use it automatically; human intervention will be necessary for
-clients to decide whether to trust the resulting directory, or continue
-to use the old valid one.)
+clients to decide whether to trust the resulting directory.)
-\emph{Subvert a directory server.} By taking over a directory
-server, an attacker can influence (but not control) the final
-directory. Since ORs are included or excluded by majority vote,
-the corrupt directory can at worst cast a tie-breaking vote to
-decide whether to include marginal ORs. How often such marginal
-cases will occur in practice, however, remains to be seen.
+\emph{Subvert a directory server.} By taking over a directory server,
+an attacker can partially influence the final directory. Since ORs
+are included or excluded by majority vote, the corrupt directory can
+at worst cast a tie-breaking vote to decide whether to include
+marginal ORs. It remains to be seen how often such marginal cases
+occur in practice.
\emph{Subvert a majority of directory servers.} If the
adversary controls more than half of the directory servers, he can
@@ -1641,38 +1646,36 @@
\noindent{\large\bf Attacks against rendezvous points}\\
\emph{Make many introduction requests.} An attacker could
-try to deny Bob service by flooding his Introduction Point with
-requests. Because the introduction point can block requests that
+try to deny Bob service by flooding his introduction points with
+requests. Because the Introduction point can block requests that
lack authentication tokens, however, Bob can restrict the volume of
requests he receives, or require a certain amount of computation for
every request he receives.
-\emph{Attack an introduction point.} An attacker could try to
-disrupt a location-hidden service by disabling its introduction
-point. But because a service's identity is attached to its public
-key, not its introduction point, the service can simply re-advertise
-itself at a different introduction point.
-If an attacker is
-able to disable all of the introduction points for a given service,
-he can block access to the service. However, re-advertisement of
+\emph{Attack an introduction point.} An attacker could try to disrupt
+Bob's location-hidden service by disabling its introduction points.
+But because a Bob's identity is attached to his public key, Bob
+service can simply re-advertise himself at a different introduction
+point. If an attacker is able to disable all of Bob's introduction
+points, he can block access to Bob. However, re-advertisement of new
introduction points can still be done secretly so that only
-high-priority clients know the address of the service's introduction
-points. These selective secret authorizations can also be issued
-during normal operation. Thus an attacker must disable
+high-priority clients know the address of Bob's introduction
+points. (These selective secret authorizations can also be issued
+during normal operation.) Thus an attacker must disable
all possible introduction points.
\emph{Compromise an introduction point.} If an attacker controls
-an introduction point for a service, it can flood the service with
+Bob's an introduction point, he can flood Bob with
introduction requests, or prevent valid introduction requests from
-reaching the hidden server. The server will notice a flooding
+reaching him. Bob will notice a flooding
attempt if it receives many introduction requests. To notice
-blocking of valid requests, however, the hidden server should
-periodically test the introduction point by sending its introduction
-requests, and making sure it receives them.
+blocking of valid requests, however, he should periodically test the
+introduction point by sending it introduction requests, and making
+sure he receives them.
\emph{Compromise a rendezvous point.} Controlling a rendezvous
point gains an attacker no more than controlling any other OR along
-a circuit, since all data passing along the rendezvous is protected
+a circuit, since all data passing through the rendezvous is protected
by the session key shared by the client and server.
\Section{Open Questions in Low-latency Anonymity}