[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: same first hops

     On Wed, 08 Oct 2008 20:50:28 -0700 "F. Fox" <kitsune.or@xxxxxxxxx>
>M wrote:
>> Thanx Gregory  and F.Fox...understood the concept. Just one note though:
>> "Tor (like all current practical low-latency anonymity designs) fails
>> when the attacker can see both ends of the communications channel. For
>> example, suppose the attacker is watching the Tor relay you choose to
>> enter the network, and is also watching the website you visit."
>> When it says "watching" does it mean? I thought the info was encrypted
>> (except the last hop) and the IP invisible? Does it mean timing attacks?
>Yes, it's referring to end-to-end attacks - which are usually timing
>attacks; however, fingerprinting attacks (based on the total filesizes
>of known target downloads, since encryption doesn't change the size of
>data) are possible in theory, as well.
     Well, technically speaking, I guess that's true.  However, unless I'm
greatly mistaken, the exit end of a circuit will compress any data coming
into it to be relayed back to the client and will uncompress anything
arriving from the client to be sent out from the exit.  Given that the
attacker might observe data in the clear going into the exit or coming out
of it and could perform the same compression in order to know the length of
the encrypted data, the attacker might be able to pull that off.  Another
complication for the attacker to deal with is the fact that a link between
the client and an entry node may support multiple circuits, and each
circuit may support multiple streams, all of which are multiply encrypted
and whose data cells are commingled with the data cells of the others at
the client end with no obvious way of distinguishing between the cells
of one thread and the cells of any other thread traversing that particular
     However, in order to match the length up with whatever is sent/received
by the suspected client, wouldn't the attacker need to make an assumption or
two about the circuit length?  If so, then introducing randomly varying
circuit lengths ought to obfuscate things considerably for the attacker.
     Another possible way to complicate things for the attacker would be a
variant of something has already been proposed, namely, using multiple data
cell sizes within the circuit.  As I understand it, the suggestions so far
have been directed toward efficiency, e.g., sending long cells when there
are enough data to exceed the payload limits of short cells.  However, if
short cells were randomly used when there are enough data for long cells,
then the significance to the attacker of the distinction between long and
short cells would be somewhat reduced.  Tossing in occasional padding at
random to produce a long cell that might have either had only minimally
more payload than a short cell or even data for which a short cell would
have been adequate ought to augment the attacker's obstacles.  If more
than two cell lengths were used, then these techniques ought to become even
more effective against attackers.
     A third possibility might be to do at the tor level something that
is already supported at the data link level in the BSDs and perhaps LINUX,
namely, to use multiple physical links (circuits in the case of tor) to
split the traffic load of a data link (stream in the case of tor) across
multiple physical links.  The downside of this method, of course, is that
it multiplies the risk of a broken stream due to a tor node failure or
lower-level failure.  OTOH, it might also frequently and significantly
speed up large file transfers through tor.
     If a new feature were added to tor's internal protocol that would
allow handing off a thread from one circuit to another, then a further
enhancement could be made because it would be handled entirely at the tor
level.  For example, a thread supported by (i.e., spread across) multiple
tor circuits could be shifted across a frequently changing set of circuits
between the client and the exit server, all under the control of the tor
client.  For a fixed circuit length, such as the constant length of 3 that
is currently the standard in tor, the entry node and/or the middleman in
each circuit could be replaced from time to time.  A tor network that used
all of these methods (including variable-length circuits) ought to provide
a major nightmare (not to mention processing demands) for even a heavily
funded and equipped attacker to untangle by the use of timing/sizing
measurements.  (It might also be overkill, I suppose.:-)

                                  Scott Bennett, Comm. ASMELG, CFIAG
* Internet:       bennett at cs.niu.edu                              *
* "A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army."                                               *
*    -- Gov. John Hancock, New York Journal, 28 January 1790         *