[tor-commits] [obfsproxy/master] Reformat threat model doc
nickm at torproject.org
nickm at torproject.org
Thu Dec 29 16:07:32 UTC 2011
commit 2bc1d70055dc35751f73bdda5c66dba37eec0778
Author: Nick Mathewson <nickm at torproject.org>
Date: Thu Dec 29 10:04:10 2011 -0500
Reformat threat model doc
---
doc/obfs2_threat_model.txt | 81 +++++++++++++++++++++++++------------------
1 files changed, 47 insertions(+), 34 deletions(-)
diff --git a/doc/obfs2_threat_model.txt b/doc/obfs2_threat_model.txt
index 08385ae..ed2c694 100644
--- a/doc/obfs2_threat_model.txt
+++ b/doc/obfs2_threat_model.txt
@@ -1,50 +1,63 @@
-threat model:
+ Threat model for the obfs2 obfuscation protocol
- Adversary capabilities:
+ George Kadianakis
+ Nick Mathewson
-The adversary controls the infrastructure of the network within her
-jurisdiction, and she can potentially monitor, block, alter, and
-inject trafï¬c anywhere within this region.
+0. Abstract
-The censor also holds a blacklist of network protocols, which she is
-interested in blocking.
+ We discuss the intended threat model for the 'obfs2' protocol
+ obfuscator, its limitations, and its implications for the protocol
+ design.
- Adversary attacks:
+ The 'obfs2' protocol is based on Bruce Leidl's obfuscated SSH layer,
+ and is documented in the 'doc/protocol-spec.txt' file in the obfsproxy
+ distribution.
-The censor passively monitors traffic and looks for content
-signatures, in an attempt to distinguish network protocols. Upon
-detecting a blacklisted protocol, the censor blocks the connection.
+1. Adversary capabilities and goals
- Goals of obfs2:
+ The adversary controls the infrastructure of the network within and
+ at the edges of her jurisdiction, and she can potentially monitor,
+ block, alter, and inject trafï¬c anywhere within this region.
-obfs2 attempts to counter the above attack by removing content
-signatures from network traffic. obfs2 encrypts the traffic stream
-with a stream cipher, which results in the traffic looking uniformly
-random.
+ The censor also holds a blacklist of network protocols, which she is
+ interested in blocking.
- Discussion:
+2. Adversary attacks:
-obfs2 shortcomings:
+ The censor passively monitors traffic and looks for content
+ signatures, in an attempt to distinguish network protocols. Upon
+ detecting a blacklisted protocol, the censor blocks the connection.
-obfs2 was designed as a pluggable transports proof-of-concept: it is
-simple, useable and easily implementable. It does _not_ try to protect
-against sophisticated adversaries:
+3. Goals of obfs2
-obfs2 does not try to protect against Tor protocol fingerprints, like
-the packet size or packet timing.
+ obfs2 attempts to counter the above attack by removing content
+ signatures from network traffic. obfs2 encrypts the traffic stream
+ with a stream cipher, which results in the traffic looking uniformly
+ random.
-obfs2 does not try to protect against attackers capable of measuring
-traffic entropy.
+4. Discussion
-obfs2 does not try to protect against Deep Packet Inspection machines
-that expect the obfs2 protocol. Such machines can trivially retrieve
-the decryption key off the traffic stream and use it to decrypt obfs2
-and detect the Tor protocol.
+4.1. obfs2 shortcomings
-In other words, obfs2 does not try to protect against anything other
-than fingerprintable TLS content patterns.
+ obfs2 was designed as a pluggable transports proof-of-concept: it is
+ simple, useable and easily implementable. It does _not_ try to protect
+ against sophisticated adversaries:
-That said, obfs2 is not useless. It protects against many real-life
-Tor traffic detection methods currentl deployed, since most of them
-use static SSL handshake strings as signatures.
+ obfs2 does not try to protect against Tor protocol fingerprints, like
+ the packet size or packet timing.
+
+ obfs2 does not try to protect against attackers capable of measuring
+ traffic entropy.
+
+ obfs2 does not try to protect against Deep Packet Inspection machines
+ that expect the obfs2 protocol. Such machines can trivially retrieve
+ the decryption key off the traffic stream and use it to decrypt obfs2
+ and detect the Tor protocol.
+
+ In other words, obfs2 does not try to protect against anything other
+ than fingerprintable TLS content patterns.
+
+ That said, obfs2 is not useless. It protects against many real-life
+ Tor traffic detection methods currentl deployed, since most of them
+ use static SSL handshake strings as signatures.
More information about the tor-commits
mailing list