nihilist/tor
1
0
Fork 0
mirror of https://gitlab.torproject.org/tpo/core/tor.git synced 2024-11-24 12:23:32 +01:00
Code Issues Packages Projects Releases Wiki Activity

A few tiny tweaks.

Browse Source 
svn:r686
This commit is contained in:
Paul Syverson 2003-10-27 12:05:35 +00:00
parent 5d48aa622a
commit 0c9bce8c88
2 changed files with 152 additions and 98 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

180
doc/tor-design.bib
View File

@ -5,15 +5,15 @@
}
@Misc{anonymizer,
key = {anonymizer},
title = {The {Anonymizer}},
note = {\url{http://www.anonymizer.com}}
key = {anonymizer},
title = {The {Anonymizer}},
note = {\url{http://www.anonymizer.com}}
}
@Misc{anonnet,
key = {anonnet},
title = {{AnonNet}},
note = {\url{http://www.authnet.org/anonnet/}}
key = {anonnet},
title = {{AnonNet}},
note = {\url{http://www.authnet.org/anonnet/}}
}
% can somebody track down the rest of this? -RD
@ -211,29 +211,29 @@ full_papers/rao/rao.pdf}},
@InProceedings{or-ih96,
author = {David M. Goldschlag and Michael G. Reed and Paul
author = {David M. Goldschlag and Michael G. Reed and Paul
F. Syverson},
title = {Hiding Routing Information},
booktitle = {Information Hiding, First International Workshop},
pages = {137--150},
year = 1996,
editor = {R. Anderson},
month = {May},
publisher = {Springer-Verlag, LNCS 1174},
note = {\url{http://www.onion-router.net/Publications/IH-1996.ps.gz}}
title = {Hiding Routing Information},
booktitle = {Information Hiding, First International Workshop},
pages = {137--150},
year = 1996,
editor = {R. Anderson},
month = {May},
publisher = {Springer-Verlag, LNCS 1174},
note = {\url{http://www.onion-router.net/Publications/IH-1996.ps.gz}}
}
@Article{or-jsac98,
author = {Michael G. Reed and Paul F. Syverson and David
author = {Michael G. Reed and Paul F. Syverson and David
M. Goldschlag},
title = {Anonymous Connections and Onion Routing},
journal = {IEEE Journal on Selected Areas in Communications},
year = 1998,
volume = 16,
number = 4,
pages = {482--494},
month = {May},
note = {\url{http://www.onion-router.net/Publications/JSAC-1998.ps.gz}}
title = {Anonymous Connections and Onion Routing},
journal = {IEEE Journal on Selected Areas in Communications},
year = 1998,
volume = 16,
number = 4,
pages = {482--494},
month = {May},
note = {\url{http://www.onion-router.net/Publications/JSAC-1998.ps.gz}}
}
@Misc{TLS,
@ -456,12 +456,12 @@ full_papers/rao/rao.pdf}},
@Misc{socks5,
key = {socks5},
title = {{SOCKS} {P}rotocol {V}ersion 5},
key = {socks5},
title = {{SOCKS} {P}rotocol {V}ersion 5},
howpublished= {IETF RFC 1928},
month = {March},
year = 1996,
note = {\url{http://www.ietf.org/rfc/rfc1928.txt}}
month = {March},
year = 1996,
note = {\url{http://www.ietf.org/rfc/rfc1928.txt}}
}
@InProceedings{abe,
@ -531,13 +531,13 @@ full_papers/rao/rao.pdf}},
@InProceedings{socks4,
author = {David Koblas and Michelle R. Koblas},
title = {{SOCKS}},
booktitle = {UNIX Security III Symposium (1992 USENIX Security
author = {David Koblas and Michelle R. Koblas},
title = {{SOCKS}},
booktitle = {UNIX Security III Symposium (1992 USENIX Security
Symposium)},
pages = {77--83},
year = 1992,
publisher = {USENIX},
pages = {77--83},
year = 1992,
publisher = {USENIX},
}
@InProceedings{flash-mix,
@ -632,15 +632,15 @@ full_papers/rao/rao.pdf}},
@InProceedings{tangler,
author = {Marc Waldman and David Mazi\`{e}res},
title = {Tanger: A Censorship-Resistant Publishing System
author = {Marc Waldman and David Mazi\`{e}res},
title = {Tangler: A Censorship-Resistant Publishing System
Based on Document Entanglements},
booktitle = {$8^{th}$ ACM Conference on Computer and
booktitle = {$8^{th}$ ACM Conference on Computer and
Communications Security (CCS-8)},
pages = {86--135},
year = 2001,
publisher = {ACM Press},
note = {\url{http://www.scs.cs.nyu.edu/~dm/}}
pages = {86--135},
year = 2001,
publisher = {ACM Press},
note = {\url{http://www.scs.cs.nyu.edu/~dm/}}
}
@misc{neochaum,
@ -691,15 +691,15 @@ full_papers/rao/rao.pdf}},
@Article{crowds-tissec,
author = {Michael K. Reiter and Aviel D. Rubin},
title = {Crowds: Anonymity for Web Transactions},
journal = {ACM TISSEC},
year = 1998,
volume = 1,
number = 1,
pages = {66--92},
month = {November},
note = {\url{http://citeseer.nj.nec.com/284739.html}}
author = {Michael K. Reiter and Aviel D. Rubin},
title = {Crowds: Anonymity for Web Transactions},
journal = {ACM TISSEC},
year = 1998,
volume = 1,
number = 1,
pages = {66--92},
month = {November},
note = {\url{http://citeseer.nj.nec.com/284739.html}}
}
@Article{crowds-dimacs,
@ -864,50 +864,50 @@ full_papers/rao/rao.pdf}},
@InProceedings{danezis-pets03,
author = {George Danezis},
title = {Mix-networks with Restricted Routes},
booktitle = {Privacy Enhancing Technologies (PET 2003)},
year = 2003,
editor = {Roger Dingledine},
publisher = {Springer-Verlag LNCS 2760}
author = {George Danezis},
title = {Mix-networks with Restricted Routes},
booktitle = {Privacy Enhancing Technologies (PET 2003)},
year = 2003,
editor = {Roger Dingledine},
publisher = {Springer-Verlag LNCS 2760}
}
@InProceedings{gap-pets03,
author = {Krista Bennett and Christian Grothoff},
title = {{GAP} -- practical anonymous networking},
booktitle = {Privacy Enhancing Technologies (PET 2003)},
year = 2003,
editor = {Roger Dingledine},
publisher = {Springer-Verlag LNCS 2760}
author = {Krista Bennett and Christian Grothoff},
title = {{GAP} -- practical anonymous networking},
booktitle = {Privacy Enhancing Technologies (PET 2003)},
year = 2003,
editor = {Roger Dingledine},
publisher = {Springer-Verlag LNCS 2760}
}
@Article{hordes-jcs,
author = {Brian Neal Levine and Clay Shields},
title = {Hordes: A Multicast-Based Protocol for Anonymity},
journal = {Journal of Computer Security},
year = 2002,
volume = 10,
number = 3,
pages = {213--240}
author = {Brian Neal Levine and Clay Shields},
title = {Hordes: A Multicast-Based Protocol for Anonymity},
journal = {Journal of Computer Security},
year = 2002,
volume = 10,
number = 3,
pages = {213--240}
}
@TechReport{herbivore,
author = {Sharad Goel and Mark Robson and Milo Polte and Emin G\"{u}n Sirer},
title = {Herbivore: A Scalable and Efficient Protocol for Anonymous Communication},
author = {Sharad Goel and Mark Robson and Milo Polte and Emin G\"{u}n Sirer},
title = {Herbivore: A Scalable and Efficient Protocol for Anonymous Communication},
institution = {Cornell University Computing and Information Science},
year = 2003,
type = {Technical Report},
number = {TR2003-1890},
month = {February}
year = 2003,
type = {Technical Report},
number = {TR2003-1890},
month = {February}
}
@InProceedings{p5,
author = {Rob Sherwood and Bobby Bhattacharjee and Aravind Srinivasan},
title = {$P^5$: A Protocol for Scalable Anonymous Communication},
booktitle = {2002 IEEE Symposium on Security and Privacy},
pages = {58--70},
year = 2002,
publisher = {IEEE CS}
author = {Rob Sherwood and Bobby Bhattacharjee and Aravind Srinivasan},
title = {$P^5$: A Protocol for Scalable Anonymous Communication},
booktitle = {2002 IEEE Symposium on Security and Privacy},
pages = {58--70},
year = 2002,
publisher = {IEEE CS}
}
@phdthesis{ian-thesis,
@ -919,15 +919,15 @@ full_papers/rao/rao.pdf}},
}
@Article{taz,
author = {Ian Goldberg and David Wagner},
title = {TAZ Servers and the Rewebber Network: Enabling
author = {Ian Goldberg and David Wagner},
title = {TAZ Servers and the Rewebber Network: Enabling
Anonymous Publishing on the World Wide Web},
journal = {First Monday},
year = 1998,
volume = 3,
number = 4,
month = {August},
note = {\url{http://www.firstmonday.dk/issues/issue3_4/goldberg/}}
journal = {First Monday},
year = 1998,
volume = 3,
number = 4,
month = {August},
note = {\url{http://www.firstmonday.dk/issues/issue3_4/goldberg/}}
}
@inproceedings{wright02,

70
doc/tor-design.tex
View File

@ -1,6 +1,6 @@
\documentclass[times,10pt,twocolumn]{article}
\usepackage{latex8}
%\usepackage{times}
\usepackage{times}
\usepackage{url}
\usepackage{graphics}
\usepackage{amsmath}
@ -300,12 +300,6 @@ network with both of these features and thousands of active users has
been run for many years (the Java Anon Proxy, aka Web MIXes,
\cite{web-mix}).
Another low latency design that was proposed independently and at
about the same time as the original Onion Routing was PipeNet \cite{pipenet}.
It provided anonymity protections that were stronger than Onion Routing's,
but at the cost of allowing a single user to shut down the network simply
by not sending. It was also never implemented or formally published.
The simplest low-latency designs are single-hop proxies such as the
Anonymizer \cite{anonymizer}, wherein a single trusted server removes
identifying users' data before relaying it. These designs are easy to
@ -367,6 +361,13 @@ jondos on any one net- work (using IP address), the attacker would be
forced to launch jondos using many different identities and on many
different networks to succeed'' \cite{crowds-tissec}.
Another low latency design that was proposed independently and at
about the same time as the original Onion Routing was PipeNet
\cite{pipenet}. It provided anonymity protections that were stronger
than Onion Routing's, but at the cost of allowing a single user to
shut down the network simply by not sending. It was also never
implemented or formally published.
Tor is not primarily designed for censorship resistance but rather
for anonymous communication. However, Tor's rendezvous points, which
enable connections between mutually anonymous entities, also
@ -528,7 +529,8 @@ The basic adversary components we consider are:
% same. I reworded above, I'm thinking we should leave other concerns
% for later. -PS
\item{Hostile Tor node:} can arbitrarily manipulate the
\item[Hostile Tor node:] can arbitrarily manipulate the
connections under its control, as well as creating new connections
(that pass through itself).
\end{description}
@ -627,6 +629,15 @@ capabilities are collaborating and are connected in an offline clique.
We do not assume any hostile users, except in the context of
% This sounds horrible. What do you mean we don't assume any hostile
% users? Surely we can tolerate some? -RD
%
% This could be phrased better. All I meant was that we are not
% going to try to model or quantify any attacks on anonymity
% by users of the system by trying to vary their
% activity. Yes, we tolerate some, but if ordinary usage can
% vary widely, there is nothing added by considering malicious
% attempts specifically,
% except if they are attempts to expose someone at the far end of a
% session we initiate, e.g., the rendezvous server case. -PS
rendezvous points. Nonetheless, we assume that users vary widely in
both the duration and number of times they are connected to the Tor
network. They can also be assumed to vary widely in the volume and
@ -1001,6 +1012,23 @@ have a buffer for funny stuff coming out of port 80. we could similarly
have other exit proxies for other protocols, like mail, to check
delivered mail for being spam.
[XXX Um, I'm uncomfortable with this for several reasons.
It's not good for keeping honest nodes honest about discarding
state after it's no longer needed. Granted it keeps an external
observer from noticing how often sites are visited, but it also
allows fishing expeditions. ``We noticed you went to this prohibited
site an hour ago. Kindly turn over your caches to the authorities.''
I previously elsewhere suggested bulk transfer proxies to carve
up big things so that they could be downloaded in less noticeable
pieces over several normal looking connections. We could suggest
similarly one or a handful of squid nodes that might serve up
some of the more sensitive but common material, especially if
the relevant sites didn't want to or couldn't run their own OR.
This would be better than having everyone run a squid which would
just help identify after the fact the different history of that
node's activity. All this kind of speculation needs to move to
future work section I guess. -PS]
A mixture of open and restricted exit nodes will allow the most
flexibility for volunteers running servers. But while a large number
of middleman nodes is useful to provide a large and robust network,
@ -1237,6 +1265,32 @@ Pull attacks and defenses into analysis as a subsection
\Section{Maintaining anonymity in Tor}
\label{sec:maintaining-anonymity}
I probably should have noted that this means loops will be on at least
five hop routes, which should be rare given the distribution. I'm
realizing that this is reproducing some of the thought that led to a
default of five hops in the original onion routing design. There were
some different assumptions, which I won't spell out now. Note that
enclave level protections really change these assumptions. If most
circuits are just two hops, then just a single link observer will be
able to tell that two enclaves are communicating with high probability.
So, it would seem that enclaves should have a four node minimum circuit
to prevent trivial circuit insider identification of the whole circuit,
and three hop minimum for circuits from an enclave to some nonclave
responder. But then... we would have to make everyone obey these rules
or a node that through timing inferred it was on a four hop circuit
would know that it was probably carrying enclave to enclave traffic.
Which... if there were even a moderate number of bad nodes in the
network would make it advantageous to break the connection to conduct
a reformation intersection attack. Ahhh! I gotta stop thinking
about this and work on the paper some before the family wakes up.
On Sat, Oct 25, 2003 at 06:57:12AM -0400, Paul Syverson wrote:
> Which... if there were even a moderate number of bad nodes in the
> network would make it advantageous to break the connection to conduct > a reformation intersection attack. Ahhh! I gotta stop thinking > about this and work on the paper some before the family wakes up.
This is the sort of issue that should go in the 'maintaining anonymity
with tor' section towards the end. :)
Email from between roger and me to beginning of section above. Fix and move.
[Put as much of this as a part of open issues as is possible.]
[what's an anonymity set?]