[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Random chaff [was: more work for Grobbages]

On Fri, Sep 18, 2009 at 10:19:17PM -0400, Ted Smith wrote:
> On Fri, 2009-09-18 at 04:25 -0400, grarpamp wrote:
> > Nodes usually have a max bandwitch set.
> > Nodes often comsume less than this.
> > All node to node traffic is encrypted.
> > Perhaps implement a random stream generator
> > that only runs when it or its chosen path has
> > free bandwidth, tags its traffic as chaff, pipes
> > it through some number of nodes, or if it has
> > idle neighbors, and ultimtely sink it somewhere.
> > It would be even harder to follow an actual client
> > dl/ul stream if things were maybe udp with the stream reassembly
> > info inside each onion wrapped cell. Or something
> > like that. No doubt this is old ideas.
> Indeed it is, and it's my understanding that this doesn't really work.
> More astute minds than I can explain in full, but you can render this
> sort of safeguard useless quite easily.

The issue with padding isn't that it doesn't work at all, but that it
doesn't work well enough to do any good.  Last I checked, the state of
the art in low-volume padding could slow down correlation attacks by
10-50%, depending on how you're counting.

This sounds good until you think about how fast correlation attacks
actually are.  If a correlating attacker (one watching both ends of
the communication) needs only a second of traffic to link sender and
receiver, then forcing him to collect an extra half-second of traffic
doesn't actually help the user very much, assuming that the user
intends to use Tor for more than a second and a half.

What would need to change for padding to become useful? If it turns
out that correlation attacks are far more difficult than the research
community thinks, or if somebody comes up with a padding approach that
actually delays correlation enough[**], I think we should come back
to the question.

[*] You can do high-cost methods that defeat correlation[***] pretty
    easily: constant-rate traffic is one of them.  There's a FAQ
    entry about why constant-rate traffic probably won't work in
    the wild:

[**] What's "enough"?  I'd say "the lifetime of a circuit," but I
      might be wrong.

[***] But you'd still need to worry about active attacks in this case.