
Write attacks+defenses vs rendezvous pts

svn:r720
Nick Mathewson 22 years ago
parent
commit
49b1c0e95c
1 changed files with 29 additions and 5 deletions

+ 29 - 5
doc/tor-design.tex

@@ -1418,10 +1418,8 @@ and its resistance to attacks.
 \SubSection{Attacks and Defenses}
 \label{sec:attacks}
 
-Below we summarize a variety of attacks and how well our design withstands
-them.
-
-[XXX Note that some of these attacks are outside our threat model! -NM]
+Below we summarize a variety of attacks, and discuss how well our
+design withstands them.
 
 \subsubsection*{Passive attacks}
 \begin{tightlist}
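Review bot: Deleting the line "[XXX Note that some of these attacks are outside our threat model! -NM]" removes the only place where this section acknowledges that caveat, and the replacement sentence does not carry it. If the point still holds, state it in the text, for example by saying in the opening sentence that some of the listed attacks fall outside the threat model, or by marking the affected items. As a style point, the comma before "and discuss" is unnecessary because both verbs share the subject "we".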
@@ -1708,7 +1706,33 @@ them.
 
 \subsubsection*{Attacks against rendezvous points}
 \begin{tightlist}
-\item foo
+\item \emph{Make many introduction requests.}  An attacker could
+  attempt to deny Bob service by flooding his Introduction Point with
+  requests.  Because the introduction point can block requests that
+  lack authentication tokens, however, Bob can restrict the volume of
+  requests he receives, or require a certain amount of computation for
+  every request he receives.
+  
+\item \emph{Attack an introduction point.} An attacker could try to
+  disrupt a location-hidden service by disabling its introduction
+  point.  But because a service's identity is attached to its public
+  key, not its introduction point, the service can simply re-advertise
+  itself at a different introduction point.
+
+\item \emph{Compromise an introduction point.} If an attacker controls
+  an introduction point for a service, it can flood the service with
+  introduction requests, or prevent valid introduction requests from
+  reaching the hidden server.  The server will notice a flooding
+  attempt if it receives many introduction requests.  To notice
+  blocking of valid requests, however, the hidden server should
+  periodically test the introduction point by sending its introduction
+  requests, and making sure it receives them.
+
+\item \emph{Compromise a rendezvous point.}  Controlling a rendezvous
+  point gains an attacker no more than controlling any other OR along
+  a circuit, since all data passing along the rendezvous is protected
+  by the session key shared by the client and server.
+
 \end{tightlist}
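Review bot: In the "Compromise an introduction point" item, the text says how the hidden server notices flooding and blocking but not what it does next; the preceding item already gives the remedy (re-advertise at a different introduction point), so that response should be stated here as well. In the same item, "by sending its introduction requests" reads as if the server forwards its own requests; "by sending it introduction requests" looks like the intended wording. The first item's defense relies on the introduction point blocking requests that lack authentication tokens, which does not help once the introduction point itself is the attacker, so the third item should say that the flood is then handled at the server. Lastly, the heading is "Attacks against rendezvous points" while three of the four items concern introduction points; a heading that covers both would match the content.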