Write remaining active attacks

svn:r711
This commit is contained in:
Nick Mathewson 2003-11-02 04:53:15 +00:00
parent a91c6d27bf
commit b0c6a5ea2e
2 changed files with 35 additions and 45 deletions

View File

@ -63,6 +63,8 @@ Short-term:
- make sure exiting from the not-last hop works - make sure exiting from the not-last hop works
- logic to find last *open* hop, not last hop, in cpath - logic to find last *open* hop, not last hop, in cpath
- choose exit nodes by exit policies - choose exit nodes by exit policies
- Remember address and port when resolving.
- Extend by nickname/hostname/something, not by IP.
On-going On-going
. Better comments for functions! . Better comments for functions!

View File

@ -945,7 +945,7 @@ their bandwidth usage. To accomodate them, Tor servers use a token
bucket approach to limit the number of bytes they bucket approach to limit the number of bytes they
receive. Tokens are added to the bucket each second (when the bucket is receive. Tokens are added to the bucket each second (when the bucket is
full, new tokens are discarded.) Each token represents permission to full, new tokens are discarded.) Each token represents permission to
receive one byte from the network --- to receive a byte, the connection receive one byte from the network---to receive a byte, the connection
must remove a token from the bucket. Thus if the bucket is empty, that must remove a token from the bucket. Thus if the bucket is empty, that
connection must wait until more tokens arrive. The number of tokens we connection must wait until more tokens arrive. The number of tokens we
add enforces a long-term average rate of incoming bytes, while still add enforces a long-term average rate of incoming bytes, while still
@ -1202,6 +1202,9 @@ Similarly, one could run automatic spam filtering software (such as
SpamAssassin) on email exiting the OR network. A generic SpamAssassin) on email exiting the OR network. A generic
intrusion detection system (IDS) could be adapted to these purposes. intrusion detection system (IDS) could be adapted to these purposes.
[XXX Mention possibility of filtering spam-like habits--e.g., many
recipients. -NM]
ORs may also choose to rewrite exiting traffic in order to append ORs may also choose to rewrite exiting traffic in order to append
headers or other information to indicate that the traffic has passed headers or other information to indicate that the traffic has passed
through an anonymity service. This approach is commonly used, to some through an anonymity service. This approach is commonly used, to some
@ -1298,7 +1301,7 @@ and are discussed more in section~\ref{sec:maintaining-anonymity}.
Of course, a variety of attacks remain. An adversary who controls a Of course, a variety of attacks remain. An adversary who controls a
directory server can track certain clients by providing different directory server can track certain clients by providing different
information --- perhaps by listing only nodes under its control information---perhaps by listing only nodes under its control
as working, or by informing only certain clients about a given as working, or by informing only certain clients about a given
node. Moreover, an adversary without control of a directory server can node. Moreover, an adversary without control of a directory server can
still exploit differences among client knowledge. If Eve knows that still exploit differences among client knowledge. If Eve knows that
@ -1705,7 +1708,11 @@ them.
will have discarded the necessary information before the attack can will have discarded the necessary information before the attack can
be completed. (Thanks to the perfect forward secrecy of session be completed. (Thanks to the perfect forward secrecy of session
keys, the attacker cannot cannot force nodes to decrypt recorded keys, the attacker cannot cannot force nodes to decrypt recorded
traffic once the circuits have been closed.) traffic once the circuits have been closed.) Additionally, building
circuits that cross jurisdictions can make legal coercion
harder---this phenomenon is commonly called ``jurisdictional
arbitrage.''
\item \emph{Run a recipient.} By running a Web server, an adversary \item \emph{Run a recipient.} By running a Web server, an adversary
trivially learns the timing patterns of those connecting to it, and trivially learns the timing patterns of those connecting to it, and
@ -1748,8 +1755,10 @@ them.
some user will choose one of those ORs for the start and another of some user will choose one of those ORs for the start and another of
those ORs as the end of a circuit. When this happens, the user's those ORs as the end of a circuit. When this happens, the user's
anonymity is compromised for those circuits. If an adversary can anonymity is compromised for those circuits. If an adversary can
control $m$ out of $N$ nodes, he will be able to correlate at most control $m$ out of $N$ nodes, he should be able to correlate at most
$\frac{m}{N}$ of the traffic in this way. $\frac{m}{N}$ of the traffic in this way---although an adersary
could possibly attract a disproportionately large amount of traffic
by running an exit node with an unusually permisssive exit policy.
\item \emph{Compromise entire path.} Anyone compromising both \item \emph{Compromise entire path.} Anyone compromising both
endpoints of a circuit can confirm this with high probability. If endpoints of a circuit can confirm this with high probability. If
@ -1781,37 +1790,23 @@ them.
the association. However, integrity checks on cells prevent the association. However, integrity checks on cells prevent
this attack from succeeding. this attack from succeeding.
[XXXX Damn it's 5:10. So, I'm stopping here. Good luck with what's left \item \emph{Replace contents of unauthenticated protocols.} When a
tonight. Hopefully less than it looks. -PS] relaying an unauthenticated protocol like HTTP, a hostile exit node
can impersonate the target server. Thus, whenever possible, clients
should prefer protocols with end-to-end authentication.
\item \emph{Replay attacks.} Some anonymity protocols are vulnerable
to replay attacks. Tor is not; replaying one side of a handshake
will result in a different negotiated session key, and so the rest
of the recorded session can't be used.
% ``NonSSL Anonymizer''?
\item sub of the above on exit policy\\ \item \emph{Smear attacks.} An attacker could use the Tor network to
Partitioning based on exit policy. engage in socially dissapproved acts, so as to try to bring the
entire network into disrepute and get its operators to shut it down.
Run a rare exit server/something other people won't allow. Exit policies can help reduce the possibilities for abuse, but
ultimately, the network will require volunteers who can tolerate
DOS three of the 4 who would allow a certain exit. some political heat.
Subcase of running a hostile node:
the exit node can change the content you're getting to try to
trick you. similarly, when it rejects you due to exit policy,
it could give you a bad IP that sends you somewhere else.
\item \emph{replaying traffic} Can't in Tor. NonSSL anonymizer.
\item Do bad things with the Tor network, so we are hated and
get shut down. Now the user you want to watch has to use anonymizer.
Exit policy's are a start.
\item Send spam through the network. Exit policy (no open relay) and
rate limiting. We won't send to more than 8 people at a time. See
section 5.1.
we rely on DNS being globally consistent. if people in africa resolve
IPs differently, then asking to extend a circuit to a certain IP can
give away your origin.
\end{tightlist} \end{tightlist}
\subsubsection*{Directory attacks} \subsubsection*{Directory attacks}
@ -1830,17 +1825,6 @@ keys)
\end{tightlist} \end{tightlist}
Basic
How well do we resist chosen adversary?
How well do we meet stated goals?
Mention jurisdictional arbitrage.
Pull attacks and defenses into analysis as a subsection
\Section{Open Questions in Low-latency Anonymity} \Section{Open Questions in Low-latency Anonymity}
\label{sec:maintaining-anonymity} \label{sec:maintaining-anonymity}
@ -2099,6 +2083,10 @@ issues remaining to be ironed out. In particular:
% 'Authorizating' sounds great, but it isn't a word. % 'Authorizating' sounds great, but it isn't a word.
% 'First, second, third', not 'Firstly, secondly, thirdly'. % 'First, second, third', not 'Firstly, secondly, thirdly'.
% 'circuit', not 'channel' % 'circuit', not 'channel'
% Typography: no space on either side of an em dash---ever.
% Hyphens are for multi-part words; en dashs imply movement or
% opposition (The Alice--Bob connection); and em dashes are
% for punctuation---like that.
% %
% 'Substitute ``Damn'' every time you're inclined to write ``very;'' your % 'Substitute ``Damn'' every time you're inclined to write ``very;'' your
% editor will delete it and the writing will be just as it should be.' % editor will delete it and the writing will be just as it should be.'