nihilist/tor
1
0
Fork 0
mirror of https://gitlab.torproject.org/tpo/core/tor.git synced 2024-11-24 12:23:32 +01:00
Code Issues Packages Projects Releases Wiki Activity

Small changes in design goals. Starting analysis section.

Browse Source 
svn:r694
This commit is contained in:
Paul Syverson 2003-10-30 11:40:14 +00:00
parent 161eac5093
commit 3d21eade6b
1 changed files with 84 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

101
doc/tor-design.tex
View File

@ -80,8 +80,8 @@ is sent in fixed-size \emph{cells}, which are unwrapped by a symmetric key
at each node (like the layers of an onion) and relayed downstream. The at each node (like the layers of an onion) and relayed downstream. The
original Onion Routing project published several design and analysis original Onion Routing project published several design and analysis
papers papers
\cite{or-jsac98,or-discex00,or-ih96,or-pet00}. While there was briefly \cite{or-jsac98,or-discex00,or-ih96,or-pet00}. While there was
a wide area Onion Routing network, a wide area Onion Routing network for a several weeks,
% how long is briefly? a day, a month? -RD % how long is briefly? a day, a month? -RD
the only long-running and publicly accessible the only long-running and publicly accessible
implementation was a fragile proof-of-concept that ran on a single implementation was a fragile proof-of-concept that ran on a single
@ -400,9 +400,9 @@ enable connections between mutually anonymous entities, also
facilitate connections to hidden servers. These building blocks to facilitate connections to hidden servers. These building blocks to
censorship resistance and other capabilities are described in censorship resistance and other capabilities are described in
Section~\ref{sec:rendezvous}. Location-hidden servers are an Section~\ref{sec:rendezvous}. Location-hidden servers are an
essential component for anonymous publishing systems such as essential component for the anonymous publishing systems such as
Publius\cite{publius}, Free Haven\cite{freehaven-berk}, and Eternity\cite{eternity}, Publius\cite{publius},
Tangler\cite{tangler}. Free Haven\cite{freehaven-berk}, and Tangler\cite{tangler}.
STILL NOT MENTIONED: STILL NOT MENTIONED:
@ -410,9 +410,6 @@ real-time mixes\\
rewebbers\\ rewebbers\\
cebolla\\ cebolla\\
Rewebber was mentioned in an earlier version along with Eternity,
which *must* be mentioned if we cite anything at all
in censorship resistance.
[XXX Close by mentioning where Tor fits.] [XXX Close by mentioning where Tor fits.]
@ -444,6 +441,16 @@ Tor's evolution.
% for Alice if she's using some other http proxy somewhere. I guess the % for Alice if she's using some other http proxy somewhere. I guess the
% external http proxy should route through a Tor client, which automatically % external http proxy should route through a Tor client, which automatically
% translates the foo.onion address? -RD % translates the foo.onion address? -RD
%
% 1. Such clients do benefit from anonymity: they can reach the server.
% Recall that our goal for location hidden servers is to continue to
% provide service to priviliged clients when a DoS is happening or
% to provide access to a location sensitive service. I see no contradiction.
% 2. A good idiot check is whether what we require people to download
% and use is more extreme than downloading the anonymizer toolbar or
% privacy manager. I don't think so, though I'm not claiming we've already
% got the installation and running of a client down to that simplicity
% at this time. -PS
\item[Usability:] A hard-to-use system has fewer users---and because \item[Usability:] A hard-to-use system has fewer users---and because
anonymity systems hide users among users, a system with fewer users anonymity systems hide users among users, a system with fewer users
provides less anonymity. Usability is not only a convenience for Tor: provides less anonymity. Usability is not only a convenience for Tor:
@ -459,7 +466,12 @@ Tor's evolution.
solved by Tor; it would be beneficial if future systems were not forced to solved by Tor; it would be beneficial if future systems were not forced to
reinvent Tor's design decisions. (But note that while a flexible design reinvent Tor's design decisions. (But note that while a flexible design
benefits researchers, there is a danger that differing choices of benefits researchers, there is a danger that differing choices of
extensions will render users distinguishable. Thus, implementations should extensions will render users distinguishable. Thus, experiments
on extensions should be limited and should not significantly affect
the distinguishability of ordinary users.
% To run an experiment researchers must file an
% anonymity impact statement -PS
of implementations should
not permit different protocol extensions to coexist in a single deployed not permit different protocol extensions to coexist in a single deployed
network.) network.)
\item[Conservative design:] The protocol's design and security parameters \item[Conservative design:] The protocol's design and security parameters
@ -1376,6 +1388,30 @@ client doesn't include the right cookie with its request for service,
the server doesn't even acknowledge its existence. the server doesn't even acknowledge its existence.
\Section{Analysis} \Section{Analysis}
\label{sec:analysis}
In this section, we discuss how well Tor meets our stated design goals
and its resistance to attacks.
Goals:
\begin{description}
\item [Basic Anonymity:] Because traffic is encrypted, changing in
appearance, and can flow from anywhere to anywhere within the
network, a simple observer that cannot see both the initiator
activity and the corresponding activity where the responder talks to
the network will not be able to link the initiator and responder.
Nor is it possible to directly correlate any two communication
sessions as coming from a single source without additional
information. Resistance to specific anonymity threats will be discussed
below.
\item[Deployability:]
\item[Usability:]
\item[Flexibility:]
\item[Conservative design:]
\end{description}
Basic
How well do we resist chosen adversary? How well do we resist chosen adversary?
@ -1497,26 +1533,57 @@ them.
\begin{enumerate} \begin{enumerate}
\item \textbf{Passive attacks} \item \textbf{Passive attacks}
\begin{itemize} \begin{itemize}
\item \emph{Simple observation.} \item \emph{Observing user behavior.}
\item \emph{Timing correlation.} \item \emph{Timing correlation.}
\item \emph{Size correlation.} \item \emph{Size correlation.}
\item \emph{Option distinguishability.} \item \emph{Option distinguishability.} User configuration options.
A: We standardize on how clients behave. cite econymics.
\item sub of the above on exit policy\\
Partitioning based on exit policy.
Run a rare exit server/something other people won't allow.
DOS three of the 4 who would allow a certain exit.
\item Content analysis. Not our main thing, but, Privoxy to
anonymization of data stream.
\end{itemize} \end{itemize}
\item \textbf{Active attacks} \item \textbf{Active attacks}
\begin{itemize} \begin{itemize}
\item \emph{Key compromise.} \item \emph{Key compromise.} Talk about all three keys. 3 bullets
\item \emph{Iterated subpoena.} \item \emph{Iterated subpoena.} Legal roving adversary. Works bad against
\item \emph{Run recipient.} this because of ephemeral keys. Criticize pets paper in section 2 for
\item \emph{Run a hostile node.} failing to consider this when describing roving adversary.
\item \emph{Compromise entire path.} \item \emph{Run recipient.} Be the Web server.
\item \emph{Selectively DoS servers.} \item \emph{Run a hostile node.}
\item \emph{Compromise entire path.} Directory servers controlling admission
to network. But if you do compromise it, we're toast.
\item \emph{Selectively DoS OR.} Flood the pipe. We're toast. Rate limiting.
We can't stop flooding creates through all your neighbors. Router twins
is a useful fallback, makes you hit all the twins.
\item \emph{Introduce timing into messages.} \item \emph{Introduce timing into messages.}
\item \emph{Tagging attacks.} \item \emph{Tagging attacks.}
Integrity checking stops this.
Subcase of running a hostile node:
the exit node can change the content you're getting to try to the exit node can change the content you're getting to try to
trick you. similarly, when it rejects you due to exit policy, trick you. similarly, when it rejects you due to exit policy,
it could give you a bad IP that sends you somewhere else. it could give you a bad IP that sends you somewhere else.
\end{itemize} \end{itemize}
\item \emph{replaying traffic} Can't in Tor. NonSSL anonymizer.
\item Do bad things with the Tor network, so we are hated and
get shut down. Now the user you want to watch has to use anonymizer.
Exit policy's are a start.
\item Send spam through the network. Exit policy (no open relay) and
rate limiting. We won't send to more than 8 people at a time. See
section 5.1.
we rely on DNS being globally consistent. if people in africa resolve we rely on DNS being globally consistent. if people in africa resolve
IPs differently, then asking to extend a circuit to a certain IP can IPs differently, then asking to extend a circuit to a certain IP can