commit 2bc1d70055dc35751f73bdda5c66dba37eec0778 Author: Nick Mathewson nickm@torproject.org Date: Thu Dec 29 10:04:10 2011 -0500
Reformat threat model doc --- doc/obfs2_threat_model.txt | 81 +++++++++++++++++++++++++------------------ 1 files changed, 47 insertions(+), 34 deletions(-)
diff --git a/doc/obfs2_threat_model.txt b/doc/obfs2_threat_model.txt index 08385ae..ed2c694 100644 --- a/doc/obfs2_threat_model.txt +++ b/doc/obfs2_threat_model.txt @@ -1,50 +1,63 @@ -threat model: + Threat model for the obfs2 obfuscation protocol
- Adversary capabilities: + George Kadianakis + Nick Mathewson
-The adversary controls the infrastructure of the network within her -jurisdiction, and she can potentially monitor, block, alter, and -inject traffic anywhere within this region. +0. Abstract
-The censor also holds a blacklist of network protocols, which she is -interested in blocking. + We discuss the intended threat model for the 'obfs2' protocol + obfuscator, its limitations, and its implications for the protocol + design.
- Adversary attacks: + The 'obfs2' protocol is based on Bruce Leidl's obfuscated SSH layer, + and is documented in the 'doc/protocol-spec.txt' file in the obfsproxy + distribution.
-The censor passively monitors traffic and looks for content -signatures, in an attempt to distinguish network protocols. Upon -detecting a blacklisted protocol, the censor blocks the connection. +1. Adversary capabilities and goals
- Goals of obfs2: + The adversary controls the infrastructure of the network within and + at the edges of her jurisdiction, and she can potentially monitor, + block, alter, and inject traffic anywhere within this region.
-obfs2 attempts to counter the above attack by removing content -signatures from network traffic. obfs2 encrypts the traffic stream -with a stream cipher, which results in the traffic looking uniformly -random. + The censor also holds a blacklist of network protocols, which she is + interested in blocking.
- Discussion: +2. Adversary attacks:
-obfs2 shortcomings: + The censor passively monitors traffic and looks for content + signatures, in an attempt to distinguish network protocols. Upon + detecting a blacklisted protocol, the censor blocks the connection.
-obfs2 was designed as a pluggable transports proof-of-concept: it is -simple, useable and easily implementable. It does _not_ try to protect -against sophisticated adversaries: +3. Goals of obfs2
-obfs2 does not try to protect against Tor protocol fingerprints, like -the packet size or packet timing. + obfs2 attempts to counter the above attack by removing content + signatures from network traffic. obfs2 encrypts the traffic stream + with a stream cipher, which results in the traffic looking uniformly + random.
-obfs2 does not try to protect against attackers capable of measuring -traffic entropy. +4. Discussion
-obfs2 does not try to protect against Deep Packet Inspection machines -that expect the obfs2 protocol. Such machines can trivially retrieve -the decryption key off the traffic stream and use it to decrypt obfs2 -and detect the Tor protocol. +4.1. obfs2 shortcomings
-In other words, obfs2 does not try to protect against anything other -than fingerprintable TLS content patterns. + obfs2 was designed as a pluggable transports proof-of-concept: it is + simple, useable and easily implementable. It does _not_ try to protect + against sophisticated adversaries:
-That said, obfs2 is not useless. It protects against many real-life -Tor traffic detection methods currentl deployed, since most of them -use static SSL handshake strings as signatures. + obfs2 does not try to protect against Tor protocol fingerprints, like + the packet size or packet timing. + + obfs2 does not try to protect against attackers capable of measuring + traffic entropy. + + obfs2 does not try to protect against Deep Packet Inspection machines + that expect the obfs2 protocol. Such machines can trivially retrieve + the decryption key off the traffic stream and use it to decrypt obfs2 + and detect the Tor protocol. + + In other words, obfs2 does not try to protect against anything other + than fingerprintable TLS content patterns. + + That said, obfs2 is not useless. It protects against many real-life + Tor traffic detection methods currentl deployed, since most of them + use static SSL handshake strings as signatures.