[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Random chaff [was: more work for Grobbages]

To: or-talk@xxxxxxxxxxxxx, Nick Mathewson <nickm@xxxxxxxxxxxxxx>
Subject: Re: Random chaff [was: more work for Grobbages]
From: Brian Mearns <bmearns@xxxxxxxx>
Date: Wed, 23 Sep 2009 10:01:07 -0400
Delivered-to: archiver@xxxxxxxx
Delivered-to: or-talk-outgoing@xxxxxxxx
Delivered-to: or-talk@xxxxxxxx
Delivery-date: Wed, 23 Sep 2009 10:01:30 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:sender:received:in-reply-to :references:from:date:x-google-sender-auth:message-id:subject:to :content-type:content-transfer-encoding; bh=TXNziSVQDn/AE1NAvLiHGVyOlZProEke4VsZeXURjxY=; b=HhRi3z7vG1udbanso08j4xQdfbr2iMHHgcQePvlIKPToGGPUh96UAmQXnZXO4twNw8 eGXWwjB0p4HcJQVWGk/UNw0aNH6RUBrMn3MsJ1rQqphZwyThMTm/I0lx3QcJDQFy51mw 0iekJaT6k3m79E3M4HB2ycFGJZpnxrUJhL54o=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:from:date :x-google-sender-auth:message-id:subject:to:content-type :content-transfer-encoding; b=f3DqE5arky19YnX1o1SFYNY370HOePE0kcU/hWruuk+rf9dUdH3DKMcHgGCly7WcUq nfEQlzuiG1MtvgrbKJnEq5I4g/T8YZ9WuXXJJueyPkcY19+RfLaqYq/IBNPSxp8AGZDx GR7E453nGnhQk5DstbQj/5FSskhS0ZpH+zpcc=
In-reply-to: <20090923073845.GB15706@xxxxxxxxxxxxxx>
References: <d2e731a10909180125i61bedd75u6cf8717c0c88a6c7@xxxxxxxxxxxxxx> <1253326757.16009.8.camel@aldebaran> <20090923073845.GB15706@xxxxxxxxxxxxxx>
Reply-to: or-talk@xxxxxxxxxxxxx
Sender: owner-or-talk@xxxxxxxxxxxxx

On Wed, Sep 23, 2009 at 3:38 AM, Nick Mathewson <nickm@xxxxxxxxxxxxxx> wrote:
> On Fri, Sep 18, 2009 at 10:19:17PM -0400, Ted Smith wrote:
>> On Fri, 2009-09-18 at 04:25 -0400, grarpamp wrote:
>> > Nodes usually have a max bandwitch set.
>> > Nodes often comsume less than this.
>> > All node to node traffic is encrypted.
>> > Perhaps implement a random stream generator
>> > that only runs when it or its chosen path has
>> > free bandwidth, tags its traffic as chaff, pipes
>> > it through some number of nodes, or if it has
>> > idle neighbors, and ultimtely sink it somewhere.
>> > It would be even harder to follow an actual client
>> > dl/ul stream if things were maybe udp with the stream reassembly
>> > info inside each onion wrapped cell. Or something
>> > like that. No doubt this is old ideas.
>>
>> Indeed it is, and it's my understanding that this doesn't really work.
>> More astute minds than I can explain in full, but you can render this
>> sort of safeguard useless quite easily.
>
> The issue with padding isn't that it doesn't work at all, but that it
> doesn't work well enough to do any good.  Last I checked, the state of
> the art in low-volume padding could slow down correlation attacks by
> 10-50%, depending on how you're counting.
>
> This sounds good until you think about how fast correlation attacks
> actually are.  If a correlating attacker (one watching both ends of
> the communication) needs only a second of traffic to link sender and
> receiver, then forcing him to collect an extra half-second of traffic
> doesn't actually help the user very much, assuming that the user
> intends to use Tor for more than a second and a half.
>
> What would need to change for padding to become useful? If it turns
> out that correlation attacks are far more difficult than the research
> community thinks, or if somebody comes up with a padding approach that
> actually delays correlation enough[**], I think we should come back
> to the question.
>
> [*] You can do high-cost methods that defeat correlation[***] pretty
>    easily: constant-rate traffic is one of them.  There's a FAQ
>    entry about why constant-rate traffic probably won't work in
>    the wild:
>      http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#YouShouldPad
>
> [**] What's "enough"?  I'd say "the lifetime of a circuit," but I
>      might be wrong.
>
> [***] But you'd still need to worry about active attacks in this case.
>
>
> peace,
> --
> Nick
>

So, if I understand this correctly, a correlation attack works (on a
very basic level) by noticing that Alice sent a message to Bob (a
known Tor node) at time X, and Dave (another known Tor node) sent a
message to Wally (a web server) at time X+e, where e is about how long
we would expect it to take for the onion to be routed. Is that more or
less the idea?

It seems like determining e (time to route the packet) with any degree
of precision would be pretty difficult, so is this really a big
problem? (or is that still being debated?) On the other hand, if an
attacker could monitor a good number of nodes, wouldn't it be fairly
easy to determine each three-node circuit segment (like Alice, to Bob,
to Charlie) and trace the whole thing end-to-end? It seems like this
could be defeated with a more intelligent type of "chaff", where the
receiving relay generates N random dummy onions (with an appreciable
circuit length) for each onion it receives, and then sends all N+1
into the network in a random order.

Then again, I may have completely missed the boat on this whole
correlation attack thing.

-Brian

-- 
Feel free to contact me using PGP Encryption:
Key Id: 0x3AA70848
Available from: http://keys.gnupg.net

Follow-Ups:
- Re: Random chaff [was: more work for Grobbages]
  - From: Paul Syverson

References:
- Random chaff [was: more work for Grobbages]
  - From: grarpamp
- Re: Random chaff [was: more work for Grobbages]
  - From: Ted Smith
- Re: Random chaff [was: more work for Grobbages]
  - From: Nick Mathewson

Prev by Author: Re: good troll, intelligence psyops, or the genuine article? you decide
Next by Author: Re: Gmail
Previous by thread: Re: Random chaff [was: more work for Grobbages]
Next by thread: Re: Random chaff [was: more work for Grobbages]
Index(es):
- Author
- Thread