[or-cvs] A few changes to related work before heading back to CCS.

syverson at seul.org syverson at seul.org
Tue Oct 28 11:29:49 UTC 2003 

Update of /home/or/cvsroot/doc
In directory moria.mit.edu:/tmp/cvs-serv22701

Modified Files:
	tor-design.tex 
Log Message:
A few changes to related work before heading back to CCS.


Index: tor-design.tex
===================================================================
RCS file: /home/or/cvsroot/doc/tor-design.tex,v
retrieving revision 1.31
retrieving revision 1.32
diff -u -d -r1.31 -r1.32
--- tor-design.tex	27 Oct 2003 12:05:35 -0000	1.31
+++ tor-design.tex	28 Oct 2003 11:29:46 -0000	1.32
@@ -127,7 +127,7 @@
 a threat to anonymity (see Section~\ref{maintaining-anonymity}).
 \footnote{The first Onion Routing design \cite{or-ih96} protected against
 this threat to some
-extent by encouraging users to hide network access behind an onion
+extent by requiring users to hide network access behind an onion
 router/firewall that was also forwarding traffic from other nodes.
 However, it is desirable for users to
 benefit from Onion Routing even when they can't run their own 
@@ -295,10 +295,7 @@
 and/or performance limitations. One can also use a cascade (fixed
 shared route) with a relatively fixed set of users. This assumes a
 significant degree of agreement and provides an easier target for an active
-attacker since the endpoints are generally known. However, a practical
-network with both of these features and thousands of active users has
-been run for many years (the Java Anon Proxy, aka Web MIXes,
-\cite{web-mix}).
+attacker since the endpoints are generally known.
 
 The simplest low-latency designs are single-hop proxies such as the
 Anonymizer \cite{anonymizer}, wherein a single trusted server removes
@@ -314,9 +311,24 @@
 comparatively inexpensive.  Because a tunnel crosses several servers, no
 single server can learn the user's communication partners.
 
+The Java Anon Proxy (aka JAP aka WebMIXes) is based on the cascade
+approach mentioned above. Like a single-hop proxy a single cascade has
+the advantage of concentrating all the concurrent users in one
+communication pipe, making for potentially large anonymity sets.
+Also, like a single-hop proxy, it is easy to know where any
+communication is entering or leaving the network. Thus, though there
+is no single trusted server, it is potentially easy to simply bridge
+the entire cascade, i.e., to obviate its purpose. The design prevents
+this by padding between end users and the head of the cascade
+\cite{web-mix}. However, the current implementation does not do such
+padding and thus remains vulnerable to both active and passive
+bridging.
+
 %[Ouch: We haven't said what an onion is yet, but we use the word here! -NM]
 Systems such as earlier versions of Freedom and the original Onion Routing
-build the anonymous channel all at once (using an onion). 
+build the anonymous channel all at once (using an onion of public-key
+encrypted messages, each layer of which provided a session key and pointer
+to the address corresponding to the next layer's key). 
 Later designs of Freedom and Tor as described herein build
 the channel in stages, as does AnonNet
 \cite{anonnet}. Amongst other things, this makes perfect forward
@@ -361,12 +373,15 @@
 forced to launch jondos using many different identities and on many
 different networks to succeed'' \cite{crowds-tissec}.
 
-Another low latency design that was proposed independently and at
+Another low-latency design that was proposed independently and at
 about the same time as the original Onion Routing was PipeNet
 \cite{pipenet}.  It provided anonymity protections that were stronger
 than Onion Routing's, but at the cost of allowing a single user to
 shut down the network simply by not sending. It was also never
-implemented or formally published.
+implemented or formally published. Low-latency anonymous communication
+has also been designed for other types of systems, including
+ISDN \cite{isdn-mixes}, and mobile applications such as telephones and
+active badging systems \cite{federrath-ih96,reed-protocols97}.
 
 Tor is not primarily designed for censorship resistance but rather
 for anonymous communication. However, Tor's rendezvous points, which
@@ -390,10 +405,14 @@
 [XXX Mention error recovery?]
 
 STILL NOT MENTIONED:
-isdn-mixes\\
 real-time mixes\\
 rewebbers\\
 cebolla\\
+
+Rewebber was mentioned in an earlier version along with Eternity,
+which *must* be mentioned if we cite anything at all
+in censorship resistance.
+
 
 [XXX Close by mentioning where Tor fits.]

More information about the tor-commits mailing list