
Mid-Latency [Re: Is three hops enough? (was Re: Tor client over a SOCKS proxy, and Tor client running through another Tor Circuit)]

On Fri, Apr 28, 2006 at 02:14:20PM -0400, Geoffrey Lewis Goodell wrote:
> Timing attacks are always possible in low-latency anonymity systems.
> This is a theoretical limit; without increasing additional latency
> (substantially degrading usability and thus the size of the anonymity
> set) or adding cover traffic near the source (requiring sources to stay
> connected for long periods of time, saturate their upstream link, starve
> their other applications, and break the business model of their ISPs),
> it is literally impossible to prevent an attacker from correlating the
> timing of traffic close to the source with the timing of traffic close
> to the destination.

I'd like to register a small objection: while (absent countermeasures)
correlation attacks work, it remains to be proven whether or not you
can improve security significantly while adding only a small,
tolerable, amount of padding and delay.  Research on high-latency
mix-nets seems to show that you can delay intersection attacks by
increasing latency variability and decreasing sender-frequency
variability; but nobody has done the numbers (yet, AFAIK) to tell
whether these techniques are useful on the low end of the latency

There are smart researchers with strong intuitions in either direction
on this; my intuition tells me that when so many clever people
disagree, more experimental results are needed.

Of course, nothing like this will go into Tor in the foreseeable
future.  We have a strong design policy: "No Voodoo."  In other words,
we try not to add "security" features unless someone can demonstrate
that they actually improve security.

(Anybody interested in doing something like this as a research
project: first, check out the papers about traffic analysis on
http://freehaven.net/anonbib .  Many of the most 'obvious' ideas don't
work as well as you'd think they would; many of the recent
traffic-analysis techniques work better.)

Nick Mathewson
