[or-cvs] A few tiny tweaks.

syverson at seul.org syverson at seul.org
Mon Oct 27 12:05:37 UTC 2003


Update of /home/or/cvsroot/doc
In directory moria.mit.edu:/tmp/cvs-serv14865

Modified Files:
	tor-design.bib tor-design.tex 
Log Message:
A few tiny tweaks.


Index: tor-design.bib
===================================================================
RCS file: /home/or/cvsroot/doc/tor-design.bib,v
retrieving revision 1.9
retrieving revision 1.10
diff -u -d -r1.9 -r1.10
--- tor-design.bib	24 Oct 2003 11:21:19 -0000	1.9
+++ tor-design.bib	27 Oct 2003 12:05:35 -0000	1.10
@@ -5,15 +5,15 @@
 }
 
 @Misc{anonymizer,
-  key =		 {anonymizer},
-  title =	 {The {Anonymizer}},
-  note =	 {\url{http://www.anonymizer.com}}
+  key =          {anonymizer},
+  title =        {The {Anonymizer}},
+  note =         {\url{http://www.anonymizer.com}}
 }
 
 @Misc{anonnet,
-  key =		 {anonnet},
-  title =	 {{AnonNet}},
-  note =	 {\url{http://www.authnet.org/anonnet/}}
+  key =          {anonnet},
+  title =        {{AnonNet}},
+  note =         {\url{http://www.authnet.org/anonnet/}}
 }
 
 % can somebody track down the rest of this? -RD
@@ -211,29 +211,29 @@
 
 
 @InProceedings{or-ih96,
-  author = 	 {David M. Goldschlag and Michael G. Reed and Paul
+  author =       {David M. Goldschlag and Michael G. Reed and Paul
                   F. Syverson}, 
-  title = 	 {Hiding Routing Information},
-  booktitle = 	 {Information Hiding, First International Workshop},
-  pages =	 {137--150},
-  year =	 1996,
-  editor =	 {R. Anderson},
-  month =	 {May},
-  publisher =	 {Springer-Verlag, LNCS 1174},
-  note =	 {\url{http://www.onion-router.net/Publications/IH-1996.ps.gz}}
+  title =        {Hiding Routing Information},
+  booktitle =    {Information Hiding, First International Workshop},
+  pages =        {137--150},
+  year =         1996,
+  editor =       {R. Anderson},
+  month =        {May},
+  publisher =    {Springer-Verlag, LNCS 1174},
+  note =         {\url{http://www.onion-router.net/Publications/IH-1996.ps.gz}}
 }
 
 @Article{or-jsac98,
-  author = 	 {Michael G. Reed and Paul F. Syverson and David
+  author =       {Michael G. Reed and Paul F. Syverson and David
                   M. Goldschlag}, 
-  title = 	 {Anonymous Connections and Onion Routing},
-  journal = 	 {IEEE Journal on Selected Areas in Communications},
-  year = 	 1998,
-  volume =	 16,
-  number =	 4,
-  pages =	 {482--494},
-  month =	 {May},
-  note =	 {\url{http://www.onion-router.net/Publications/JSAC-1998.ps.gz}}
+  title =        {Anonymous Connections and Onion Routing},
+  journal =      {IEEE Journal on Selected Areas in Communications},
+  year =         1998,
+  volume =       16,
+  number =       4,
+  pages =        {482--494},
+  month =        {May},
+  note =         {\url{http://www.onion-router.net/Publications/JSAC-1998.ps.gz}}
 }
 
 @Misc{TLS,
@@ -456,12 +456,12 @@
 
 
 @Misc{socks5,
-  key =		 {socks5},
-  title =	 {{SOCKS} {P}rotocol {V}ersion 5},
+  key =          {socks5},
+  title =        {{SOCKS} {P}rotocol {V}ersion 5},
   howpublished=  {IETF RFC 1928},
-  month =	 {March},
-  year =	 1996,
-  note =	 {\url{http://www.ietf.org/rfc/rfc1928.txt}}
+  month =        {March},
+  year =         1996,
+  note =         {\url{http://www.ietf.org/rfc/rfc1928.txt}}
 }
 
 @InProceedings{abe,
@@ -531,13 +531,13 @@
 
 
 @InProceedings{socks4,
-  author = 	 {David Koblas and Michelle R. Koblas},
-  title = 	 {{SOCKS}},
-  booktitle = 	 {UNIX Security III Symposium (1992 USENIX Security
+  author =       {David Koblas and Michelle R. Koblas},
+  title =        {{SOCKS}},
+  booktitle =    {UNIX Security III Symposium (1992 USENIX Security
                   Symposium)}, 
-  pages =	 {77--83},
-  year =	 1992,
-  publisher =	 {USENIX},
+  pages =        {77--83},
+  year =         1992,
+  publisher =    {USENIX},
 }
 
 @InProceedings{flash-mix,
@@ -632,15 +632,15 @@
 
 
 @InProceedings{tangler,
-  author = 	 {Marc Waldman and David Mazi\`{e}res},
-  title = 	 {Tanger: A Censorship-Resistant Publishing System
+  author =       {Marc Waldman and David Mazi\`{e}res},
+  title =        {Tangler: A Censorship-Resistant Publishing System
                   Based on Document Entanglements}, 
-  booktitle = 	 {$8^{th}$ ACM Conference on Computer and
+  booktitle =    {$8^{th}$ ACM Conference on Computer and
                   Communications Security (CCS-8)},
-  pages =	 {86--135},
-  year =	 2001,
-  publisher =	 {ACM Press},
-  note =	 {\url{http://www.scs.cs.nyu.edu/~dm/}}
+  pages =        {86--135},
+  year =         2001,
+  publisher =    {ACM Press},
+  note =         {\url{http://www.scs.cs.nyu.edu/~dm/}}
 }
 
 @misc{neochaum,
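Review bot: The `pages = {86--135}` value carried through in the tangler entry spans fifty pages, which is implausible for a single conference paper and should be checked against the CCS-8 proceedings while the entry is being touched. The author field writes the accent as `\`{e}`; putting the whole accent in its own brace group, i.e. {\`e}, lets BibTeX treat it as one letter for sorting and label generation. The ordinal in `booktitle` is hard-coded as `$8^{th}$`, which is presentation that a plain `8th` would leave to the style.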
@@ -691,15 +691,15 @@
 
 
 @Article{crowds-tissec,
-  author = 	 {Michael K. Reiter and Aviel D. Rubin},
-  title = 	 {Crowds: Anonymity for Web Transactions},
-  journal = 	 {ACM TISSEC},
-  year = 	 1998,
-  volume =	 1,
-  number =	 1,
-  pages =	 {66--92},
-  month =	 {November},
-  note =	 {\url{http://citeseer.nj.nec.com/284739.html}}
+  author =       {Michael K. Reiter and Aviel D. Rubin},
+  title =        {Crowds: Anonymity for Web Transactions},
+  journal =      {ACM TISSEC},
+  year =         1998,
+  volume =       1,
+  number =       1,
+  pages =        {66--92},
+  month =        {November},
+  note =         {\url{http://citeseer.nj.nec.com/284739.html}}
 }
 
 @Article{crowds-dimacs,
@@ -864,50 +864,50 @@
 
 
 @InProceedings{danezis-pets03,
-  author = 	 {George Danezis},
-  title = 	 {Mix-networks with Restricted Routes},
-  booktitle = 	 {Privacy Enhancing Technologies (PET 2003)},
-  year =	 2003,
-  editor =	 {Roger Dingledine},
-  publisher =	 {Springer-Verlag LNCS 2760}
+  author =       {George Danezis},
+  title =        {Mix-networks with Restricted Routes},
+  booktitle =    {Privacy Enhancing Technologies (PET 2003)},
+  year =         2003,
+  editor =       {Roger Dingledine},
+  publisher =    {Springer-Verlag LNCS 2760}
 }
 
 @InProceedings{gap-pets03,
-  author = 	 {Krista Bennett and Christian Grothoff},
-  title = 	 {{GAP} -- practical anonymous networking},
-  booktitle = 	 {Privacy Enhancing Technologies (PET 2003)},
-  year =	 2003,
-  editor =	 {Roger Dingledine},
-  publisher =	 {Springer-Verlag LNCS 2760}
+  author =       {Krista Bennett and Christian Grothoff},
+  title =        {{GAP} -- practical anonymous networking},
+  booktitle =    {Privacy Enhancing Technologies (PET 2003)},
+  year =         2003,
+  editor =       {Roger Dingledine},
+  publisher =    {Springer-Verlag LNCS 2760}
 }
 
 @Article{hordes-jcs,
-  author = 	 {Brian Neal Levine and Clay Shields},
-  title = 	 {Hordes: A Multicast-Based Protocol for Anonymity},
-  journal = 	 {Journal of Computer Security},
-  year = 	 2002,
-  volume =	 10,
-  number =	 3,
-  pages =	 {213--240}
+  author =       {Brian Neal Levine and Clay Shields},
+  title =        {Hordes: A Multicast-Based Protocol for Anonymity},
+  journal =      {Journal of Computer Security},
+  year =         2002,
+  volume =       10,
+  number =       3,
+  pages =        {213--240}
 }
 
 @TechReport{herbivore,
-  author = 	 {Sharad Goel and Mark Robson and Milo Polte and Emin G\"{u}n Sirer},
-  title = 	 {Herbivore: A Scalable and Efficient Protocol for Anonymous Communication},
+  author =       {Sharad Goel and Mark Robson and Milo Polte and Emin G\"{u}n Sirer},
+  title =        {Herbivore: A Scalable and Efficient Protocol for Anonymous Communication},
   institution =  {Cornell University Computing and Information Science},
-  year = 	 2003,
-  type =	 {Technical Report},
-  number =	 {TR2003-1890},
-  month =	 {February}
+  year =         2003,
+  type =         {Technical Report},
+  number =       {TR2003-1890},
+  month =        {February}
 }
 
 @InProceedings{p5,
-  author = 	 {Rob Sherwood and Bobby Bhattacharjee and Aravind Srinivasan},
-  title = 	 {$P^5$: A Protocol for Scalable Anonymous Communication},
-  booktitle = 	 {2002 IEEE Symposium on Security and Privacy},
-  pages =	 {58--70},
-  year =	 2002,
-  publisher =	 {IEEE CS}
+  author =       {Rob Sherwood and Bobby Bhattacharjee and Aravind Srinivasan},
+  title =        {$P^5$: A Protocol for Scalable Anonymous Communication},
+  booktitle =    {2002 IEEE Symposium on Security and Privacy},
+  pages =        {58--70},
+  year =         2002,
+  publisher =    {IEEE CS}
 }
 
 @phdthesis{ian-thesis,
@@ -919,15 +919,15 @@
 }
 
 @Article{taz,
-  author = 	 {Ian Goldberg and David Wagner},
-  title = 	 {TAZ Servers and the Rewebber Network: Enabling
+  author =       {Ian Goldberg and David Wagner},
+  title =        {TAZ Servers and the Rewebber Network: Enabling
                   Anonymous Publishing on the World Wide Web},
-  journal = 	 {First Monday},
-  year = 	 1998,
-  volume =	 3,
-  number =	 4,
-  month =	 {August},
-  note =	 {\url{http://www.firstmonday.dk/issues/issue3_4/goldberg/}}
+  journal =      {First Monday},
+  year =         1998,
+  volume =       3,
+  number =       4,
+  month =        {August},
+  note =         {\url{http://www.firstmonday.dk/issues/issue3_4/goldberg/}}
 }
 
 @inproceedings{wright02,

Index: tor-design.tex
===================================================================
RCS file: /home/or/cvsroot/doc/tor-design.tex,v
retrieving revision 1.30
retrieving revision 1.31
diff -u -d -r1.30 -r1.31
--- tor-design.tex	27 Oct 2003 10:18:20 -0000	1.30
+++ tor-design.tex	27 Oct 2003 12:05:35 -0000	1.31
@@ -1,6 +1,6 @@
 \documentclass[times,10pt,twocolumn]{article}
 \usepackage{latex8}
-%\usepackage{times}
+\usepackage{times}
 \usepackage{url}
 \usepackage{graphics}
 \usepackage{amsmath}
@@ -300,12 +300,6 @@
 been run for many years (the Java Anon Proxy, aka Web MIXes,
 \cite{web-mix}).
 
-Another low latency design that was proposed independently and at
-about the same time as the original Onion Routing was PipeNet \cite{pipenet}.
-It provided anonymity protections that were stronger than Onion Routing's,
-but at the cost of allowing a single user to shut down the network simply
-by not sending. It was also never implemented or formally published.
-
 The simplest low-latency designs are single-hop proxies such as the
 Anonymizer \cite{anonymizer}, wherein a single trusted server removes
 identifying users' data before relaying it.  These designs are easy to
@@ -367,6 +361,13 @@
 forced to launch jondos using many different identities and on many
 different networks to succeed'' \cite{crowds-tissec}.
 
+Another low latency design that was proposed independently and at
+about the same time as the original Onion Routing was PipeNet
+\cite{pipenet}.  It provided anonymity protections that were stronger
+than Onion Routing's, but at the cost of allowing a single user to
+shut down the network simply by not sending. It was also never
+implemented or formally published.
+
 Tor is not primarily designed for censorship resistance but rather
 for anonymous communication. However, Tor's rendezvous points, which
 enable connections between mutually anonymous entities, also
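Review bot: The relocated PipeNet paragraph writes `low latency design` unhyphenated, while the single-hop-proxy paragraph earlier in the same file uses `low-latency designs`; the compound modifier should be hyphenated here as well. The trade-off sentence would be more precise if it named the property being given up, for example `but at the cost of availability: a single user can shut down the network simply by not sending`. The surrounding section starts and ends outside this hunk, so how well the paragraph follows the Crowds quotation cannot be fully judged from here.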
@@ -528,7 +529,8 @@
 %  same. I reworded above, I'm thinking we should leave other concerns
 %  for later. -PS
 
-\item{Hostile Tor node:} can arbitrarily manipulate the
+
+\item[Hostile Tor node:] can arbitrarily manipulate the
   connections under its control, as well as creating new connections
   (that pass through itself).
 \end{description}
@@ -627,6 +629,15 @@
 We do not assume any hostile users, except in the context of
 % This sounds horrible. What do you mean we don't assume any hostile
 % users? Surely we can tolerate some? -RD
+%
+% This could be phrased better. All I meant was that we are not
+% going to try to model or quantify any attacks on anonymity
+% by users of the system by trying to vary their
+% activity. Yes, we tolerate some, but if ordinary usage can
+% vary widely, there is nothing added by considering malicious
+% attempts specifically,
+% except if they are attempts to expose someone at the far end of a
+% session we initiate, e.g., the rendezvous server case. -PS
 rendezvous points. Nonetheless, we assume that users vary widely in
 both the duration and number of times they are connected to the Tor
 network. They can also be assumed to vary widely in the volume and
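Review bot: The clarification added here exists only in `%` comments, so the typeset sentence still reads "We do not assume any hostile users, except in the context of rendezvous points", which a reader will take as excluding malicious users from the threat model. The body text itself should carry the meaning given in the -PS comment, for example `We do not separately model users who vary their own activity to attack anonymity, since ordinary usage already varies widely; the exception is an attempt to expose the far end of a session, as with rendezvous points.` The comment block also sits in the middle of that sentence in the source, which makes the sentence hard to read and edit. The paragraph begins before the hunk and continues after it.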
@@ -1001,6 +1012,23 @@
 have other exit proxies for other protocols, like mail, to check
 delivered mail for being spam.
 
+[XXX Um, I'm uncomfortable with this for several reasons.
+It's not good for keeping honest nodes honest about discarding
+state after it's no longer needed. Granted it keeps an external
+observer from noticing how often sites are visited, but it also
+allows fishing expeditions. ``We noticed you went to this prohibited
+site an hour ago. Kindly turn over your caches to the authorities.''
+I previously elsewhere suggested bulk transfer proxies to carve
+up big things so that they could be downloaded in less noticeable
+pieces over several normal looking connections. We could suggest
+similarly one or a handful of squid nodes that might serve up
+some of the more sensitive but common material, especially if
+the relevant sites didn't want to or couldn't run their own OR.
+This would be better than having everyone run a squid which would
+just help identify after the fact the different history of that
+node's activity. All this kind of speculation needs to move to
+future work section I guess. -PS]
+
 A mixture of open and restricted exit nodes will allow the most
 flexibility for volunteers running servers. But while a large number
 of middleman nodes is useful to provide a large and robust network,
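Review bot: The bracketed `[XXX ... -PS]` block is added as body text rather than as comments, so it will be typeset into the paper as written. The concern it records deserves a proper statement in the design: according to the note, caches at exit nodes keep a record of what was fetched, which works against discarding state once it is no longer needed and leaves operators open to after-the-fact demands for their caches. Either prefix the block with `%` until it is resolved, or replace it with one sentence stating that caching at exits trades protection from external observers for retained history at the node, and move the bulk-transfer-proxy idea to future work as the note itself suggests. The paragraph being responded to starts outside the hunk, so the exact proposal under criticism is not visible here.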
@@ -1236,6 +1264,32 @@
 
 \Section{Maintaining anonymity in Tor}
 \label{sec:maintaining-anonymity}
+
+I probably should have noted that this means loops will be on at least
+five hop routes, which should be rare given the distribution.  I'm    
+realizing that this is reproducing some of the thought that led to a  
+default of five hops in the original onion routing design.  There were
+some different assumptions, which I won't spell out now.  Note that   
+enclave level protections really change these assumptions.  If most   
+circuits are just two hops, then just a single link observer will be  
+able to tell that two enclaves are communicating with high probability.
+So, it would seem that enclaves should have a four node minimum circuit
+to prevent trivial circuit insider identification of the whole circuit,
+and three hop minimum for circuits from an enclave to some nonclave    
+responder. But then... we would have to make everyone obey these rules 
+or a node that through timing inferred it was on a four hop circuit    
+would know that it was probably carrying enclave to enclave traffic.   
+Which... if there were even a moderate number of bad nodes in the      
+network would make it advantageous to break the connection to conduct  
+a reformation intersection attack. Ahhh! I gotta stop thinking         
+about this and work on the paper some before the family wakes up.  
+On Sat, Oct 25, 2003 at 06:57:12AM -0400, Paul Syverson wrote:
+> Which... if there were even a moderate number of bad nodes in the
+> network would make it advantageous to break the connection to conduct         > a reformation intersection attack. Ahhh! I gotta stop thinking                > about this and work on the paper some before the family wakes up.             
+This is the sort of issue that should go in the 'maintaining anonymity
+with tor' section towards the end. :)
+Email from between roger and me to beginning of section above. Fix and move.
+
 
 [Put as much of this as a part of open issues as is possible.]
 
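Review bot: The lines added under `\Section{Maintaining anonymity in Tor}` are a pasted e-mail exchange left as body text, including a mail header line, `>`-quoted lines and a personal aside; all of it will be typeset, and a bare `>` in text mode typically does not print as a greater-than sign under the default font encoding. Three of the quoted lines are also run together on one line with padding between them. The technical content is worth keeping in distilled form: per the text, if minimum circuit length differs by traffic class (such as four hops for enclave-to-enclave), a node that infers path length from timing learns the class, so any minimum has to apply to everyone. Until that is written up, comment the block out and leave a marker such as `% TODO(PS): distill hop-count/enclave argument from the 25 Oct e-mail; fix and move`.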


