|
|
@@ -168,7 +168,20 @@ the fly so it connects to a different webserver, or by tagging encrypted
|
|
|
traffic and looking for traffic at the network edges that has been
|
|
|
tagged \cite{minion-design}.
|
|
|
|
|
|
-\item \textbf{Robustness to node failure:} router twins
|
|
|
+\item \textbf{Robustness to node failure:} Node failure for a
|
|
|
+ low-latency system like Tor is not as serious a problem as it is for
|
|
|
+ a traditional mix network. Nonetheless, simple mechanisms that allow
|
|
|
+ connections to be established despite slightly dated information
|
|
|
+ from a directory server or very recent node failure are useful. Tor
|
|
|
+ permits onion routers to have router twins. These share the same
|
|
|
+ private decryption key that is used when establishing a connection
|
|
|
+ through the onion router. Note that because of how connections are
|
|
|
+ now established with perfect forward secrecy, this does not
|
|
|
+ automatically mean that an onion router can read the traffic on a
|
|
|
+ connection established through its twin even while that connection
|
|
|
+ is active. Also, which nodes are twins can change dynamically
|
|
|
+ depending on current circumstances, and twins may or may not be
|
|
|
+ under the same administrative authority.
|
|
|
|
|
|
\item \textbf{Exit policies:}
|
|
|
Tor provides a consistent mechanism for each node to specify and
|
|
|
@@ -545,23 +558,32 @@ tagging attacks
|
|
|
|
|
|
\SubSection{Assumptions}
|
|
|
|
|
|
-All dirservers are honest and trusted.
|
|
|
-
|
|
|
-Somewhere between ten percent and twenty percent of nodes
|
|
|
-are compromised. In some circumstances, e.g., if the Tor network
|
|
|
-is running on a hardened network where all operators have had careful
|
|
|
+For purposes of this paper, we assume all directory servers are honest
|
|
|
+and trusted. Perhaps more accurately, we assume that all users and
|
|
|
+nodes can perform their own periodic checks on information they have
|
|
|
+from directory servers and that all will always have access to at
|
|
|
+least one directory server that they trust and from which they obtain
|
|
|
+all directory information. Future work may include robustness
|
|
|
+techniques to cope with a minority dishonest servers.
|
|
|
+
|
|
|
+Somewhere between ten percent and twenty percent of nodes are assumed
|
|
|
+to be compromised. In some circumstances, e.g., if the Tor network is
|
|
|
+running on a hardened network where all operators have had careful
|
|
|
background checks, the percent of compromised nodes might be much
|
|
|
-lower. Also, it may be worthwhile to consider cases where many
|
|
|
-of the `bad' nodes are not fully compromised but simply (passive)
|
|
|
-observing adversaries. We assume that all adversary components,
|
|
|
-regardless of their capabilities are collaborating and are connected
|
|
|
-in an offline clique.
|
|
|
-
|
|
|
+lower. It may be worthwhile to consider cases where many of the `bad'
|
|
|
+nodes are not fully compromised but simply (passive) observing
|
|
|
+adversaries or that some nodes have only had compromise of the keys
|
|
|
+that decrypt connection initiation requests. But, we assume for
|
|
|
+simplicity that `bad' nodes are compromised in the sense spelled out
|
|
|
+above. We assume that all adversary components, regardless of their
|
|
|
+capabilities are collaborating and are connected in an offline clique.
|
|
|
+
|
|
|
+We do not assume any hostile users, except in the context of
|
|
|
+rendezvous points. Nonetheless, we assume that users vary widely in
|
|
|
+both the duration and number of times they are connected to the Tor
|
|
|
+network. They can also be assumed to vary widely in the volume and
|
|
|
+shape of the traffic they send and receive.
|
|
|
|
|
|
-- Threat model
|
|
|
-- Mostly reliable nodes: not trusted.
|
|
|
-- Small group of trusted dirserv ops
|
|
|
-- Many users of diff bandwidth come and go.
|
|
|
|
|
|
[XXX what else?]
|
|
|
|
Paul Syverson