[or-cvs] Write remaining active attacks

Nick Mathewson nickm at seul.org
Sun Nov 2 04:53:17 UTC 2003 

Update of /home/or/cvsroot/doc
In directory moria.mit.edu:/tmp/cvs-serv16111

Modified Files:
	TODO tor-design.tex 
Log Message:
Write remaining active attacks

Index: TODO
===================================================================
RCS file: /home/or/cvsroot/doc/TODO,v
retrieving revision 1.32
retrieving revision 1.33
diff -u -d -r1.32 -r1.33
--- TODO	27 Oct 2003 10:24:27 -0000	1.32
+++ TODO	2 Nov 2003 04:53:15 -0000	1.33
@@ -63,6 +63,8 @@
                         - make sure exiting from the not-last hop works
                         - logic to find last *open* hop, not last hop, in cpath
                         - choose exit nodes by exit policies
+        - Remember address and port when resolving. 
+        - Extend by nickname/hostname/something, not by IP.
 
 On-going
         . Better comments for functions!

Index: tor-design.tex
===================================================================
RCS file: /home/or/cvsroot/doc/tor-design.tex,v
retrieving revision 1.55
retrieving revision 1.56
diff -u -d -r1.55 -r1.56
--- tor-design.tex	2 Nov 2003 03:58:05 -0000	1.55
+++ tor-design.tex	2 Nov 2003 04:53:15 -0000	1.56
@@ -945,7 +945,7 @@
 bucket approach to limit the number of bytes they
 receive. Tokens are added to the bucket each second (when the bucket is
 full, new tokens are discarded.) Each token represents permission to
-receive one byte from the network --- to receive a byte, the connection
+receive one byte from the network---to receive a byte, the connection
 must remove a token from the bucket. Thus if the bucket is empty, that
 connection must wait until more tokens arrive. The number of tokens we
 add enforces a long-term average rate of incoming bytes, while still
@@ -1202,6 +1202,9 @@
 SpamAssassin) on email exiting the OR network.  A generic
 intrusion detection system (IDS) could be adapted to these purposes.
 
+[XXX Mention possibility of filtering spam-like habits--e.g., many
+  recipients. -NM]
+
 ORs may also choose to rewrite exiting traffic in order to append
 headers or other information to indicate that the traffic has passed
 through an anonymity service.  This approach is commonly used, to some
@@ -1298,7 +1301,7 @@
   
 Of course, a variety of attacks remain. An adversary who controls a
 directory server can track certain clients by providing different
-information --- perhaps by listing only nodes under its control
+information---perhaps by listing only nodes under its control
 as working, or by informing only certain clients about a given
 node. Moreover, an adversary without control of a directory server can
 still exploit differences among client knowledge. If Eve knows that
@@ -1705,7 +1708,11 @@
   will have discarded the necessary information before the attack can
   be completed.  (Thanks to the perfect forward secrecy of session
   keys, the attacker cannot cannot force nodes to decrypt recorded
-  traffic once the circuits have been closed.)
+  traffic once the circuits have been closed.)  Additionally, building
+  circuits that cross jurisdictions can make legal coercion
+  harder---this phenomenon is commonly called ``jurisdictional
+  arbitrage.''
+
   
 \item \emph{Run a recipient.} By running a Web server, an adversary
   trivially learns the timing patterns of those connecting to it, and
@@ -1748,8 +1755,10 @@
   some user will choose one of those ORs for the start and another of
   those ORs as the end of a circuit.  When this happens, the user's
   anonymity is compromised for those circuits.  If an adversary can
-  control $m$ out of $N$ nodes, he will be able to correlate at most 
-  $\frac{m}{N}$ of the traffic in this way.
+  control $m$ out of $N$ nodes, he should be able to correlate at most 
+  $\frac{m}{N}$ of the traffic in this way---although an adersary
+  could possibly attract a disproportionately large amount of traffic
+  by running an exit node with an unusually permisssive exit policy.
 
 \item \emph{Compromise entire path.} Anyone compromising both
   endpoints of a circuit can confirm this with high probability. If
@@ -1781,37 +1790,23 @@
   the association. However, integrity checks on cells prevent
   this attack from succeeding.
 
-[XXXX Damn it's 5:10. So, I'm stopping here. Good luck with what's left
-tonight. Hopefully less than it looks. -PS]
-
-
-\item sub of the above on exit policy\\
-Partitioning based on exit policy.
-
-Run a rare exit server/something other people won't allow.
-
-DOS three of the 4 who would allow a certain exit.
-
-
-
-Subcase of running a hostile node: 
-the exit node can change the content you're getting to try to
-trick you. similarly, when it rejects you due to exit policy,
-it could give you a bad IP that sends you somewhere else.
-\item \emph{replaying traffic} Can't in Tor. NonSSL anonymizer.
-
-\item Do bad things with the Tor network, so we are hated and
-get shut down. Now the user you want to watch has to use anonymizer.
-
-Exit policy's are a start.
+\item \emph{Replace contents of unauthenticated protocols.}  When a
+  relaying an unauthenticated protocol like HTTP, a hostile exit node 
+  can impersonate the target server.  Thus, whenever possible, clients
+  should prefer protocols with end-to-end authentication.
 
-\item Send spam through the network. Exit policy (no open relay) and
-  rate limiting. We won't send to more than 8 people at a time.  See
-  section 5.1.
+\item \emph{Replay attacks.} Some anonymity protocols are vulnerable
+  to replay attacks.  Tor is not; replaying one side of a handshake
+  will result in a different negotiated session key, and so the rest
+  of the recorded session can't be used.  
+  % ``NonSSL Anonymizer''?
 
-we rely on DNS being globally consistent. if people in africa resolve
-IPs differently, then asking to extend a circuit to a certain IP can
-give away your origin.
+\item \emph{Smear attacks.} An attacker could use the Tor network to
+  engage in socially dissapproved acts, so as to try to bring the
+  entire network into disrepute and get its operators to shut it down.
+  Exit policies can help reduce the possibilities for abuse, but
+  ultimately, the network will require volunteers who can tolerate
+  some political heat.
 \end{tightlist}
 
 \subsubsection*{Directory attacks}
@@ -1830,17 +1825,6 @@
 \end{tightlist}
 
 
-
-Basic 
-
-How well do we resist chosen adversary?
-
-How well do we meet stated goals?
-
-Mention jurisdictional arbitrage.
-
-Pull attacks and defenses into analysis as a subsection
-
 \Section{Open Questions in Low-latency Anonymity}
 \label{sec:maintaining-anonymity}
  
@@ -2099,6 +2083,10 @@
 %     'Authorizating' sounds great, but it isn't a word.
 %     'First, second, third', not 'Firstly, secondly, thirdly'.
 %     'circuit', not 'channel'
+%     Typography: no space on either side of an em dash---ever.
+%     Hyphens are for multi-part words; en dashs imply movement or
+%        opposition (The Alice--Bob connection); and em dashes are
+%        for punctuation---like that.
 %
 %     'Substitute ``Damn'' every time you're inclined to write ``very;'' your
 %     editor will delete it and the writing will be just as it should be.'

More information about the tor-commits mailing list