[tor-commits] [tor-design-2012/master] Add discussion of guard nodes

sjm217 at torproject.org sjm217 at torproject.org
Mon Nov 12 16:54:07 UTC 2012


commit 68b71f66af84ef4262fc8b4cd841cdf7ed86f222
Author: Steven Murdoch <Steven.Murdoch at cl.cam.ac.uk>
Date:   Mon Nov 12 16:47:45 2012 +0000

    Add discussion of guard nodes
---
 todo                |    2 +-
 tor-design-2012.tex |   35 ++++++++++++++++++++++++++++++++---
 2 files changed, 33 insertions(+), 4 deletions(-)

diff --git a/todo b/todo
index 8ec58e3..3c4e430 100644
--- a/todo
+++ b/todo
@@ -18,7 +18,7 @@ ITEMS:
      o Faster first-hop circuit establishment with CREATE_FAST
      o Cell queueing and scheduling.
    . Integrate content from the second blog post [steven]
-     - guard nodes
+     o guard nodes
      - Bridges, censorship resistance, and pluggable transports
      - Changes and complexities in our path selection algorithms
      o stream isolation
diff --git a/tor-design-2012.tex b/tor-design-2012.tex
index be4beb4..d163891 100644
--- a/tor-design-2012.tex
+++ b/tor-design-2012.tex
@@ -1871,15 +1871,44 @@ an adversary can run multiple ORs, and can persuade the
 directory servers that those ORs are trustworthy and
 independent, then occasionally some user will choose one of
 those ORs for the start and another as the end of a circuit. If
-an adversary controls $m>1$ of $N$ nodes, he can correlate at
-most $\left(\frac{m}{N}\right)^2$ of the traffic---although an
+an adversary controls $m$ bandwidth out of the total network
+bandwidth $N$, he can correlate approximately
+$\left(\frac{m}{N}\right)^2$ of the circuits---although an
 adversary could still attract a disproportionately large amount
 of traffic by running an OR with a permissive exit policy, or by
 degrading the reliability of other routers.
 
-% Running a hostile exit should get its own graf. -NM
+If the path chosen for each circuit was chosen independently of
+the paths chosen for previous circuits, the probability that
+each circuit will be compromised would be equal. Therefore, even
+if there is only a small probability that any individual circuit
+is compromised, if a user creates many circuits, over time the
+probability that at least one circuit will be compromised could
+be quite large. Since compromising only a fraction of a user's
+circuits (perhaps even just one) will likely be enough to
+compromise a user's anonymity, the security offered by such a
+system could be quite poor.
+
+Therefore Tor adopts ``guard nodes'' (sometimes called ``helper
+nodes'') where each user choses a few nodes to act as that
+user's entry point to the network, and keeps this selection the
+same for as long as enough of the chosen guards remain
+operational. This approach doesn't affect the probability that a
+user's first circuit will be compromised, but if a user has
+chosen honest guards their future circuits will remain safe. A
+user which has chosen a dishonest guard however will have a
+large proportion of their circuits compromised. An adversary
+still is able to compromise $\left(\frac{m}{N}\right)^2$ of the
+circuits but the use of guard nodes concentrates these
+compromised circuits over a small group of users. Since we
+assume that compromising a few circuits is only marginally
+better for user security than compromising them all, guard nodes
+improves the average security of the network.
 
 % The above paragraph needs more discussion of why guard nodes exist. -NM
+% Believed done -SJM
+
+% Running a hostile exit should get its own graf. -NM
 
 \emph{Introduce timing into messages.} This is simply a stronger
 version of passive timing attacks already discussed earlier.
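Review bot: The claim "if a user has chosen honest guards their future circuits will remain safe" overstates the guarantee; in the threat model of this section (an adversary observing both ends of a circuit) honest guards protect only against that end-to-end correlation, so suggest "will remain safe from this attack" or similar. The restated fraction "$\left(\frac{m}{N}\right)^2$ of the circuits" also needs "on average": after guards are introduced that figure holds in expectation across all users, while any individual user either chose a dishonest guard (and has a large proportion of circuits compromised) or did not (and has none), which is the concentration effect the paragraph then describes. Minor wording in the same paragraphs: "If the path chosen for each circuit was chosen independently" repeats "chosen" (suggest "If the path for each circuit were chosen independently"), "each user choses" should read "chooses", "A user which has chosen" should read "who", and "guard nodes improves" should read "improve".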



More information about the tor-commits mailing list