
Small changes in design goals. Starting analysis section.

svn:r694
Paul Syverson 22 years ago
commit 3d21eade6b
1 changed files with 84 additions and 17 deletions
doc/tor-design.tex (+84, -17)

@@ -80,8 +80,8 @@ is sent in fixed-size \emph{cells}, which are unwrapped by a symmetric key
 at each node (like the layers of an onion) and relayed downstream. The
 original Onion Routing project published several design and analysis
 papers
-\cite{or-jsac98,or-discex00,or-ih96,or-pet00}. While there was briefly
-a wide area Onion Routing network,
+\cite{or-jsac98,or-discex00,or-ih96,or-pet00}. While there was
+a wide area Onion Routing network for a several weeks,
 % how long is briefly? a day, a month? -RD
 the only long-running and publicly accessible
 implementation was a fragile proof-of-concept that ran on a single
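Review bot: the new line `a wide area Onion Routing network for a several weeks,` has a grammar slip; it should read `for several weeks`. Since the duration is now stated, the `% how long is briefly? a day, a month? -RD` comment immediately below it is answered and can be dropped in the same change rather than left in the source.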
@@ -400,9 +400,9 @@ enable connections between mutually anonymous entities, also
 facilitate connections to hidden servers.  These building blocks to
 censorship resistance and other capabilities are described in
 Section~\ref{sec:rendezvous}.  Location-hidden servers are an
-essential component for anonymous publishing systems such as
-Publius\cite{publius}, Free Haven\cite{freehaven-berk}, and
-Tangler\cite{tangler}.
+essential component for the anonymous publishing systems such as
+Eternity\cite{eternity}, Publius\cite{publius},
+Free Haven\cite{freehaven-berk}, and Tangler\cite{tangler}.
 
 
 STILL NOT MENTIONED:
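Review bot: the added `essential component for the anonymous publishing systems such as` should read `for anonymous publishing systems such as`; the definite article does not fit an open-ended "such as" list and was not in the original wording. The new `\cite{eternity}` also needs a matching `eternity` entry in the bibliography, which this diff does not touch; without it LaTeX emits an undefined-citation warning and renders `[?]`.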
@@ -410,9 +410,6 @@ real-time mixes\\
 rewebbers\\
 cebolla\\
 
-Rewebber was mentioned in an earlier version along with Eternity,
-which *must* be mentioned if we cite anything at all
-in censorship resistance.
 
 [XXX Close by mentioning where Tor fits.]
 
@@ -444,6 +441,16 @@ Tor's evolution.
 %     for Alice if she's using some other http proxy somewhere. I guess the
 %     external http proxy should route through a Tor client, which automatically
 %     translates the foo.onion address? -RD
+%
+%  1. Such clients do benefit from anonymity: they can reach the server.
+%  Recall that our goal for location hidden servers is to continue to
+%  provide service to priviliged clients when a DoS is happening or
+%  to provide access to a location sensitive service. I see no contradiction.
+%  2. A good idiot check is whether what we require people to download
+%  and use is more extreme than downloading the anonymizer toolbar or
+%  privacy manager. I don't think so, though I'm not claiming we've already
+%  got the installation and running of a client down to that simplicity
+%  at this time. -PS
 \item[Usability:] A hard-to-use system has fewer users---and because
   anonymity systems hide users among users, a system with fewer users
   provides less anonymity.  Usability is not only a convenience for Tor:
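Review bot: typo in the new comment: `priviliged` should be `privileged`. As a style point, point 1 of the reply states the actual design goal for location-hidden servers (continued service to privileged clients during a DoS, and access to a location-sensitive service); that belongs in the body text where the goal is defined rather than in a `%` comment that only editors of the .tex file will see. The idiot-check comparison in point 2 can stay as an editorial note.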
@@ -459,7 +466,12 @@ Tor's evolution.
   solved by Tor; it would be beneficial if future systems were not forced to
   reinvent Tor's design decisions.  (But note that while a flexible design
   benefits researchers, there is a danger that differing choices of
-  extensions will render users distinguishable.  Thus, implementations should
+  extensions will render users distinguishable.  Thus, experiments
+  on extensions should be limited and should not significantly affect
+  the distinguishability of ordinary users.
+  % To run an experiment researchers must file an
+  % anonymity impact statement -PS
+  of implementations should
   not permit different protocol extensions to coexist in a single deployed
   network.)
 \item[Conservative design:] The protocol's design and security parameters
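Review bot: the rewrite leaves a sentence fragment. After the inserted sentence ending `the distinguishability of ordinary users.` and the two comment lines, the dangling `of implementations should` runs into the unchanged `not permit different protocol extensions to coexist in a single deployed network.)`, so the typeset text reads "... of ordinary users. of implementations should not permit ...". Change that line to `Implementations should` (dropping `of`), or fold it into the preceding sentence. Splitting a sentence across a `%` comment is legal but makes the break easy to miss on a reread.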
@@ -1376,6 +1388,30 @@ client doesn't include the right cookie with its request for service,
 the server doesn't even acknowledge its existence.
 
 \Section{Analysis}
+\label{sec:analysis}
+
+In this section, we discuss how well Tor meets our stated design goals
+and its resistance to attacks.
+
+Goals:
+\begin{description}
+\item [Basic Anonymity:] Because traffic is encrypted, changing in
+  appearance, and can flow from anywhere to anywhere within the
+  network, a simple observer that cannot see both the initiator
+  activity and the corresponding activity where the responder talks to
+  the network will not be able to link the initiator and responder.
+  Nor is it possible to directly correlate any two communication
+  sessions as coming from a single source without additional
+  information. Resistance to specific anonymity threats will be discussed
+  below.
+
+\item[Deployability:]
+
+\item[Usability:] 
+\item[Flexibility:] 
+\item[Conservative design:] 
+\end{description}
+Basic 
 
 How well do we resist chosen adversary?
 
@@ -1497,26 +1533,57 @@ them.
 \begin{enumerate}
 \item \textbf{Passive attacks}
 \begin{itemize}
-\item \emph{Simple observation.}
+\item \emph{Observing user behavior.}
 \item \emph{Timing correlation.}
 \item \emph{Size correlation.}
-\item \emph{Option distinguishability.}
+\item \emph{Option distinguishability.} User configuration options.
+A: We standardize on how clients behave. cite econymics.
+
+\item sub of the above on exit policy\\
+Partitioning based on exit policy.
+
+Run a rare exit server/something other people won't allow.
+
+DOS three of the 4 who would allow a certain exit.
+
+\item Content analysis. Not our main thing, but, Privoxy to
+  anonymization of data stream.
+
+
 \end{itemize}
 
 \item \textbf{Active attacks}
 \begin{itemize}
-\item \emph{Key compromise.}
-\item \emph{Iterated subpoena.}
-\item \emph{Run recipient.}
-\item \emph{Run a hostile node.}
-\item \emph{Compromise entire path.}
-\item \emph{Selectively DoS servers.}
+\item \emph{Key compromise.} Talk about all three keys. 3 bullets
+\item \emph{Iterated subpoena.} Legal roving adversary. Works bad against
+this because of ephemeral keys. Criticize pets paper in section 2 for
+failing to consider this when describing roving adversary.
+\item \emph{Run recipient.} Be the Web server.
+\item \emph{Run a hostile node.} 
+\item \emph{Compromise entire path.} Directory servers controlling admission
+to network. But if you do compromise it, we're toast.
+\item \emph{Selectively DoS OR.} Flood the pipe. We're toast. Rate limiting.
+We can't stop flooding creates through all your neighbors. Router twins
+is a useful fallback, makes you hit all the twins.
 \item \emph{Introduce timing into messages.}
 \item \emph{Tagging attacks.}
+Integrity checking stops this.
+
+Subcase of running a hostile node: 
 the exit node can change the content you're getting to try to
 trick you. similarly, when it rejects you due to exit policy,
 it could give you a bad IP that sends you somewhere else.
 \end{itemize}
+\item \emph{replaying traffic} Can't in Tor. NonSSL anonymizer.
+
+\item Do bad things with the Tor network, so we are hated and
+get shut down. Now the user you want to watch has to use anonymizer.
+
+Exit policy's are a start.
+
+\item Send spam through the network. Exit policy (no open relay) and
+  rate limiting. We won't send to more than 8 people at a time.  See
+  section 5.1.
 
 we rely on DNS being globally consistent. if people in africa resolve
 IPs differently, then asking to extend a circuit to a certain IP can
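Review bot: the three items added after `\end{itemize}` (`\emph{replaying traffic}`, `Do bad things with the Tor network...`, `Send spam through the network`) sit at the outer `enumerate` level, so they will be numbered as siblings of `Passive attacks` and `Active attacks` instead of appearing under the active-attack list; move them above `\end{itemize}` if that is where they belong. Smaller points: `Exit policy's are a start` should be `Exit policies are a start`; `cite econymics` and `See section 5.1` should become `\cite{...}` and `Section~\ref{...}` in the style the file already uses (compare `Section~\ref{sec:rendezvous}` earlier in this diff) so they survive renumbering; and the placeholder `\item sub of the above on exit policy\\` will typeset as a visible list entry, so mark it with the file's `[XXX ...]` convention until it is written.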