arma at mit.edu
Sun Jan 4 10:51:44 UTC 2004
On Sat, Jan 03, 2004 at 07:16:14PM +0100, Some Guy wrote:
> So a tagged message would only have a 1/16th chance to make it another hop before being
> identified, and raising alarm bells or at least being dropped.
Here are the problems:
1) If this is designed for low-latency systems, then:
a) Tagging attacks are irrelevant, because timing and counting attacks
(see http://freehaven.net/anonbib/#SS03) already work great.
b) Thousands of crypts overhead per cell is an unacceptable performance
penalty. It will seriously impact throughput.
2) If it's for high-latency systems, then this low chance of detection
is not good enough. Plus, messages are large enough that you can afford
to use some more space. Mixminion includes a hash of the header at
each hop, and includes some more magic to deal with the body; see
the design paper for details.
Also, note that this integrity-checking you're talking about cannot work
for intermediate nodes in the reverse (reply) direction, because they
don't know the other symmetric keys used in the circuit, so they can't
know what the cells will look like at other hops.
Please carefully reread http://mixminion.net/minion-design.pdf and
http://freehaven.net/tor/tor-design.pdf. Feel free to mail me privately,
but we should take this thread off the or-dev list.
More information about the tor-dev