Home Explore Help
Sign In
sengler
/
tor-parallel-relay-conn
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 99be6dae1e
Branches Tags
tor-parallel...
/
doc
/
spec
/
proposals
/
ideas
/
xxx-bridge-disbursement.txt

xxx-bridge-disbursement.txt 6.4 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174 
  1. 

  2. How to hand out bridges.
    3. 

  3. 

  4. Divide bridges into 'strategies' as they come in.  Do this uniformly
    5. 

  5. at random for now.
    6. 

  6. 

  7. For each strategy, we'll hand out bridges in a different way to
    8. 

  8. clients.  This document describes two strategies: email-based and
    9. 

  9. IP-based.
    10. 

  10. 

  11. 0. Notation:
    12. 

  12. 

  13.    HMAC(k,v) : an HMAC of v using the key k.
    14. 

  14. 

  15.    A|B: The string A concatenated with the string B.
    16. 

  16. 

  17. 

  18. 1. Email-based.
    19. 

  19. 

  20.   Goal: bootstrap based on one or more popular email service's sybil
    21. 

  21.      prevention algorithms.
    22. 

  22. 

  23. 

  24.   Parameters:
    25. 

  25.      HMAC -- an HMAC function
    26. 

  26.      P -- a time period
    27. 

  27.      K -- the number of bridges to send in a period.
    28. 

  28. 

  29.   Setup: Generate two nonces, N and M.
    30. 

  30. 

  31.   As bridges arrive, put them into a ring according to HMAC(N,ID)
    32. 

  32.   where ID is the bridges's identity digest.
    33. 

  33. 

  34.   Divide time into divisions of length P.
    35. 

  35. 

  36.   When we get an email:
    37. 

  37. 

  38.      If it's not from a supported email service, reject it.
    39. 

  39. 

  40.      If we already sent a response to that email address (normalized)
    41. 

  41.      in this period, send _exactly_ the same response.
    42. 

  42. 

  43.      If it is from a supported service, generate X = HMAC(M,PS|E) where E
    44. 

  44.      is the lowercased normalized email address for the user, and
    45. 

  45.      where PS is the start of the currrent period.  Send
    46. 

  46.      the first K bridges in the ring after point X.
    47. 

  47. 

  48.      [If we want to make sure that repeat queries are given exactly the
    49. 

  49.       same results, then we can't let the ring change during the
    50. 

  50.       time period. For a long time period like a month, that's quite a
    51. 

  51.       hassle. How about instead just keeping a replay cache of addresses
    52. 

  52.       that have been answered, and sending them a "sorry, you already got
    53. 

  53.       your addresses for the time period; perhaps you should try these
    54. 

  54.       other fine distribution strategies while you wait?" response? This
    55. 

  55.       approach would also resolve the "Make sure you can't construct a
    56. 

  56.       distinct address to match an existing one" note below. -RD]
    57. 

  57. 

  58.         [I think, if we get a replay, we need to sen back the same
    59. 

  59.         answer as we did the first time, not say "try again."
    60. 

  60.         Otherwise we need to worry that an attacker can keep people
    61. 

  61.         from getting bridges by preemtively asking for them,
    62. 

  62.         or that an attacker may force them to prove they haven't
    63. 

  63.         gotten any bridges by asking. -NM]
    64. 

  64. 

  65.      [While we're at it, if we do the replay cache thing and don't need
    66. 

  66.       repeatable answers, we could just pick K random answers from the
    67. 

  67.       pool. Is it beneficial that a bridge user who knows about a clump of
    68. 

  68.       nodes will be sharing them with other users who know about a similar
    69. 

  69.       (overlapping) clump? One good aspect is against an adversary who
    70. 

  70.       learns about a clump this way and watches those bridges to learn
    71. 

  71.       other users and discover *their* bridges: he doesn't learn about
    72. 

  72.       as many new bridges as he might if they were randomly distributed.
    73. 

  73.       A drawback is against an adversary who happens to pick two email
    74. 

  74.       addresses in P that include overlapping answers: he can measure
    75. 

  75.       the difference in clumps and estimate how quickly the bridge pool
    76. 

  76.       is growing. -RD]
    77. 

  77. 

  78.         [Random is one more darn thing to implement; rings are already
    79. 

  79.          there. -NM]
    80. 

  80. 

  81.      [If we make the period P be mailbox-specific, and make it a random
    82. 

  82.       value around some mean, then we make it harder for an attacker to
    83. 

  83.       know when to try using his small army of gmail addresses to gather
    84. 

  84.       another harvest. But we also make it harder for users to know when
    85. 

  85.       they can try again. -RD]
    86. 

  86. 

  87.         [Letting the users know about when they can try again seems
    88. 

  88.          worthwhile.  Otherwise users and attackers will all probe and
    89. 

  89.          probe and probe until they get an answer.  No additional
    90. 

  90.          security will be achieved, but bandwidth will be lost. -NM]
    91. 

  91. 

  92.   To normalize an email address:
    93. 

  93.      Start with the RFC822 address.  Consider only the mailbox {???}
    94. 

  94.      portion of the address (username@domain).  Put this into lowercase
    95. 

  95.      ascii.
    96. 

  96. 

  97.   Questions:
    98. 

  98.      What to do with weird character encodings?  Look up the RFC.
    99. 

  99. 

  100.   Notes:
    101. 

  101.      Make sure that you can't force a single email address to appear
    102. 

  102.      in lots of different ways.  IOW, if nickm@freehaven.net and
    103. 

  103.      NICKM@freehaven.net aren't treated the same, then I can get lots
    104. 

  104.      more bridges than I should.
    105. 

  105. 

  106.      Make sure you can't construct a distinct address to match an
    107. 

  107.      existing one.  IOW, if we treat nickm@X and nickm@Y as the same
    108. 

  108.      user, then anybody can register nickm@Z and use it to tell which
    109. 

  109.      bridges nickm@X got (or would get).
    110. 

  110. 

  111.      Make sure that we actually check headers so we can't be trivially
    112. 

  112.      used to spam people.
    113. 

  113. 

  114. 

  115. 2. IP-based.
    116. 

  116. 

  117.   Goal: avoid handing out all the bridges to users in a similar IP
    118. 

  118.   space and time.
    119. 

  119. 

  120.   Parameters:
    121. 

  121. 

  122.      T_Flush -- how long it should take a user on a single network to
    123. 

  123.         see a whole cluster of bridges.
    124. 

  124. 

  125.      N_C
    126. 

  126. 

  127.      K -- the number of bridges we hand out in response to a single
    128. 

  128.      request.
    129. 

  129. 

  130.   Setup: using an AS map or a geoip map or some other flawed input
    131. 

  131.   source, divide IP space into "areas" such that surveying a large
    132. 

  132.   collection of "areas" is hard.  For v0, use /24 address blocks.
    133. 

  133. 

  134.   Group areas into N_C clusters.
    135. 

  135. 

  136.   Generate secrets L, M, N.
    137. 

  137. 

  138.   Set the period P such that P*(bridges-per-cluster/K) = T_flush.
    139. 

  139.   Don't set P to greater than a week, or less than three hours.
    140. 

  140. 

  141.   When we get a bridge:
    142. 

  142. 

  143.      Based on HMAC(L,ID), assign the bridge to a cluster.  Within each
    144. 

  144.      cluster, keep the bridges in a ring based on HMAC(M,ID).
    145. 

  145. 

  146.      [Should we re-sort the rings for each new time period, so the ring
    147. 

  147.       for a given cluster is based on HMAC(M,PS|ID)? -RD]
    148. 

  148. 

  149.   When we get a connection:
    150. 

  150. 

  151.      If it's http, redirect it to https.
    152. 

  152. 

  153.      Let area be the incoming IP network.  Let PS be the current
    154. 

  154.      period.  Compute X = HMAC(N, PS|area).  Return the next K bridges
    155. 

  155.      in the ring after X.
    156. 

  156. 

  157.      [Don't we want to compute C = HMAC(key, area) to learn what cluster
    158. 

  158.       to answer from, and then X = HMAC(key, PS|area) to pick a point in
    159. 

  159.       that ring? -RD]
    160. 

  160. 

  161. 

  162.   Need to clarify that some HMACs are for rings, and some are for
    163. 

  163.   partitions. How rings scale is clear. How do we grow the number of
    164. 

  164.   partitions? Looking at successive bits from the HMAC output is one way.
    165. 

  165. 

  166. 3. Open issues
    167. 

  167. 

  168.    Denial of service attacks
    169. 

  169.    A good view of network topology
    170. 

  170. 

  171. at some point we should learn some reliability stats on our bridges. when
    172. 

  172. we say above 'give out k bridges', we might give out 2 reliable ones and
    173. 

  173. k-2 others. we count around the ring the same way we do now, to find them.
    174. 

  174.