give us page numbers, cut some more

svn:r3578
This commit is contained in:
Roger Dingledine 2005-02-08 01:57:19 +00:00
parent aed5aae534
commit 51784c4191

View File

@ -30,7 +30,7 @@ Naval Research Lab \email{<syverson@itd.nrl.navy.mil>}}
\maketitle \maketitle
\pagestyle{empty} %\pagestyle{empty}
\begin{abstract} \begin{abstract}
There are many unexpected or unexpectedly difficult obstacles to There are many unexpected or unexpectedly difficult obstacles to
@ -891,16 +891,14 @@ mix-networks resist these attacks by introducing variability into message
arrival times: as timing variance increases, timing correlation attacks arrival times: as timing variance increases, timing correlation attacks
require increasingly more data~\cite{e2e-traffic}. Can we improve Tor's require increasingly more data~\cite{e2e-traffic}. Can we improve Tor's
resistance to these attacks without losing too much usability? resistance to these attacks without losing too much usability?
%by introducing batching
%and delaying strategies to the Tor messages?
First, we need to learn whether we can trade a small increase in latency First, we need to learn whether we can trade a small increase in latency
for a large anonymity increase, or if we'll end up trading a lot of for a large anonymity increase, or if we'll end up trading a lot of
latency for a small security gain. It would be worthwhile even if we latency for a small security gain. It would be worthwhile even if we
can only protect certain use cases, such as infrequent short-duration can only protect certain use cases, such as infrequent short-duration
transactions. In order to answer this question, we might transactions. To answer this question, we might
try to adapt the techniques of~\cite{e2e-traffic} to a lower-latency mix adapt the techniques of~\cite{e2e-traffic} to a lower-latency mix
network, where instead of sending messages, users send batches network, where the messages are batches
of cells in temporally clustered connections. of cells in temporally clustered connections.
Once the anonymity questions are answered, we need to consider usability. If Once the anonymity questions are answered, we need to consider usability. If
@ -944,7 +942,6 @@ mid-latency option; however, we should continue the caution with which
we have always approached padding lest the overhead cost us too much we have always approached padding lest the overhead cost us too much
performance or too many volunteers. performance or too many volunteers.
\subsection{Measuring performance and capacity} \subsection{Measuring performance and capacity}
\label{subsec:performance} \label{subsec:performance}
@ -1114,7 +1111,6 @@ produce traffic. They seem the ideal use case for our above discussion
of helper nodes. This insecurity means that they may not be suitable as of helper nodes. This insecurity means that they may not be suitable as
a building block for Free Haven~\cite{freehaven-berk} or other anonymous a building block for Free Haven~\cite{freehaven-berk} or other anonymous
publishing systems that aim to provide long-term security. publishing systems that aim to provide long-term security.
%Also, they're brittle in terms of intersection and observation attacks.
\emph{Hot-swap} hidden services, where more than one location can \emph{Hot-swap} hidden services, where more than one location can
provide the service and loss of any one location does not imply a provide the service and loss of any one location does not imply a
@ -1145,8 +1141,6 @@ encryption and end-to-end authentication to their website.
\subsection{Trust and discovery} \subsection{Trust and discovery}
\label{subsec:trust-and-discovery} \label{subsec:trust-and-discovery}
[arma will edit this and expand/retract it]
The published Tor design adopted a deliberately simplistic design for The published Tor design adopted a deliberately simplistic design for
authorizing new nodes and informing clients about Tor nodes and their status. authorizing new nodes and informing clients about Tor nodes and their status.
In the early Tor designs, all nodes periodically uploaded a signed description In the early Tor designs, all nodes periodically uploaded a signed description
@ -1548,60 +1542,12 @@ minute burst in each 4 hour period.}
\end{figure} \end{figure}
\section{Things to cut?} Making use of nodes with little bandwidth, or high latency/packet loss.
\subsection{Peer-to-peer / practical issues}
[leave this section for now, and make sure things here are covered
elsewhere. then remove it.]
Making use of nodes with little bandwidth. How to handle hammering by
certain applications.
Handling nodes that are far away from the rest of the network, e.g. on
the continents that aren't North America and Europe. High latency,
often high packet loss.
Running Tor nodes behind NATs, behind great-firewalls-of-China, etc. Running Tor nodes behind NATs, behind great-firewalls-of-China, etc.
Restricted routes. How to propagate to everybody the topology? BGP Restricted routes. How to propagate to everybody the topology? BGP
style doesn't work because we don't want just *one* path. Point to style doesn't work because we don't want just *one* path. Point to
Geoff's stuff. Geoff's stuff.
\subsection{Caching stuff: If a topic's gotta go for space, I think this
is the best candidate}
The attacks in \cite{attack-tor-oak05} are also dependent on
cooperation of the responding application or the ability to modify or
monitor the responder stream, in order of decreasing attack
effectiveness. So, another way to slow some of these attacks
would be to cache responses at exit nodes where possible, as it is with
DNS lookups and cacheable HTTP responses. Caching would, however,
create threats of its own. First, a Tor network is expected to contain
hostile nodes. If one of these is the repository of a cache, the
attack is still possible. Though more work to set up a Tor node and
cache repository, the payoff of such an attack is potentially
higher.
%To be
%useful, such caches would need to be distributed to any likely exit
%nodes of recurred requests for the same data.
% Even local caches could be useful, I think. -NM
%
%Added some clarification -PFS
Besides allowing any other insider attacks, caching nodes would hold a
record of destinations and data visited by Tor users reducing forward
anonymity. Worse, for the cache to be widely useful much beyond the
client that caused it there would have to either be a new mechanism to
distribute cache information around the network and a way for clients
to make use of it or the caches themselves would need to be
distributed widely. Either way the record of visited sites and
downloaded information is made automatically available to an attacker
without having to actively gather it himself. Besides its inherent
value, this could serve as useful data to an attacker deciding which
locations to target for confirmation. A way to counter this
distribution threat might be to only cache at certain semitrusted
helper nodes. This might help specific clients, but it would limit
the general value of caching.
\end{document} \end{document}