you guessed it, more edits

svn:r753

doc/tor-design.tex

@@ -116,24 +116,8 @@ relies on the filtering features of privacy-enhancing
 application-level proxies such as Privoxy \cite{privoxy}, without trying
 to duplicate those features itself.
 
-\item \textbf{Many TCP streams can share one circuit:} The
+\item \textbf{No mixing, padding, or traffic shaping yet:} The original
-original Onion Routing design built a separate circuit for each
+Onion
-application-level request.  This hurt performance by requiring
-multiple public key operations for every request, and also presented
-a threat to anonymity from building so many different circuits; see
-Section~\ref{sec:maintaining-anonymity}.  Tor multiplexes multiple TCP
-streams along each virtual circuit to improve efficiency and anonymity.
-
-\item \textbf{Leaky-pipe circuit topology:} Through in-band signaling
-within the circuit, Tor initiators can direct traffic to nodes partway
-down the circuit. This novel approach allows for long-range
-padding to frustrate traffic shape and volume attacks at the initiator
-\cite{defensive-dropping}, and 
-also allows traffic to exit the circuit from the middle---thus
-frustrating traffic shape and volume attacks based on observing the end
-of the circuit.
-
-\item \textbf{No mixing, padding, or traffic shaping:} The original Onion
 Routing design called for batching and reordering the cells arriving from
 each source. It also included padding between onion routers and, in a
 later design, between onion proxies (that is, users) and onion routers
@@ -148,6 +132,23 @@ have a proven and convenient design for traffic shaping or low-latency
 mixing that will improve anonymity against a realistic adversary, we
 leave these strategies out.
 
+\item \textbf{Many TCP streams can share one circuit:} The
+original Onion Routing design built a separate circuit for each
+application-level request.  This hurt performance by requiring
+multiple public key operations for every request, and also presented
+a threat to anonymity from building so many different circuits; see
+Section~\ref{sec:maintaining-anonymity}.  Tor multiplexes multiple TCP
+streams along each virtual circuit to improve efficiency and anonymity.
+
+\item \textbf{Leaky-pipe circuit topology:} Through in-band signaling
+within the circuit, Tor initiators can direct traffic to nodes partway
+down the circuit. This novel approach allows for long-range padding if
+future research indicates that it can frustrate traffic shape and volume
+attacks at the initiator \cite{defensive-dropping}, and
+also allows traffic to exit the circuit from the middle---again possibly
+frustrating traffic shape and volume attacks based on observing the end
+of the circuit.
+
 \item \textbf{Congestion control:} Earlier anonymity designs do not
 address traffic bottlenecks. Unfortunately, typical approaches to
 load balancing and flow control in overlay networks involve inter-node
@@ -237,16 +238,19 @@ the cost of introducing comparatively large and variable latencies,
 including {\bf Babel} \cite{babel}, {\bf Mixmaster}
 \cite{mixmaster-spec}, and
 {\bf Mixminion} \cite{minion-design}.  Because of this
-decision, these \emph{high-latency} networks are well-suited for anonymous
+decision, these \emph{high-latency} networks resist strong global
-email, but introduce too much lag for interactive tasks like web browsing,
+adversaries,
+but introduce too much lag for interactive tasks like web browsing,
 internet chat, or SSH connections.
 
 Tor belongs to the second category: \emph{low-latency} designs that
 attempt to anonymize interactive network traffic. These systems handle
-a variety of bidirectional protocols. They also provide more convenient
+a variety of bidirectional protocols.
-mail delivery than the high-latency fire-and-forget anonymous email
+% They also provide more convenient
-networks, because the remote mail server provides explicit delivery
+%mail delivery than the high-latency fire-and-forget anonymous email
-confirmation. But because these designs typically
+%networks, because the remote mail server provides explicit delivery
+%confirmation.
+But because these designs typically
 involve many packets that must be delivered quickly, it is
 difficult for them to prevent an attacker who can eavesdrop both ends of the
 communication from correlating the timing and volume
@@ -482,7 +486,7 @@ suspicion that Alice is
 talking to Bob if the timing and volume patterns of the traffic on the
 connection are distinct enough; active attackers can induce timing
 signatures on the traffic to \emph{force} distinct patterns. Tor
-does not address these \emph{traffic confirmation} attacks.
+does not yet address these \emph{traffic confirmation} attacks.
 Rather, we aim to prevent \emph{traffic
 analysis} attacks, where the adversary uses traffic patterns to learn
 which points in the network he should attack.
@@ -793,8 +797,8 @@ Privoxy safely. But a portable general solution, such as is needed for
 SSH, is
 an open problem. Modifying or replacing the local nameserver
 can be invasive, brittle, and not portable. Forcing the resolver
-library to do its resolution via TCP rather than UDP is
+library to do resolution via TCP rather than UDP is
-hard to do right, and also has portability problems. We could provide a
+hard, and also has portability problems. We could provide a
 tool similar to \emph{dig} to perform a private lookup through the
 Tor network. Our current answer is to encourage the use of
 privacy-aware proxies like Privoxy wherever possible.
@@ -1370,7 +1374,7 @@ acknowledge his existence.
 \Section{Attacks and Defenses}
 \label{sec:attacks}
 
-% XXX In sec4 we should talk about bandwidth classes, which will
+% XXX In sec9 we should talk about bandwidth classes, which will
 %     enable us to accept a lot more ORs than if we continue to
 %     require 10mbit connections for all ORs. -RD
 
@@ -1380,21 +1384,18 @@ design withstands them.
 
 \subsubsection*{Passive attacks}
 
-\emph{Observing user traffic patterns.} Observations of connection
+\emph{Observing user traffic patterns.} Observing the connection
-between a user and her first onion router will not reveal to whom
+from the user will not reveal her destination or data, but it will
-the user is connecting or what information is being sent. It will
+reveal traffic patterns (both sent and received). Profiling via user
-reveal patterns of user traffic (both sent and received). Simple
+connection patterns is hampered because multiple application streams may
-profiling of user connection patterns is not generally possible,
+be operating simultaneously or in series over a single circuit. Thus,
-however, because multiple application streams may be operating
+further processing is necessary to discern even these usage patterns.
-simultaneously or in series over a single circuit. Thus, further
-processing is necessary to discern even these usage patterns.
   
-\emph{Observing user content.} At the user end, content is
+\emph{Observing user content.} While content at the user end is encrypted,
-encrypted; however, connections from the network to arbitrary
+connections to responders may not be (further, the responding website
-websites may not be. Further, a responding website may itself be
+itself may be hostile). Filtering content is not a primary goal of Onion
-hostile. Filtering content is not a primary goal of
+Routing; nonetheless, Tor can directly use Privoxy and related
-Onion Routing; nonetheless, Tor can directly make use of Privoxy and
+filtering services to anonymize application data streams.
-related filtering services to anonymize application data streams.
 
 \emph{Option distinguishability.} Configuration options can be a
 source of distinguishable patterns. In general there is economic
@@ -1524,12 +1525,6 @@ adversary
 could possibly attract a disproportionately large amount of traffic
 by running an exit node with an unusually permissive exit policy.
 
-\emph{Compromise entire path.} Anyone compromising both
-endpoints of a circuit can confirm this with high probability. If
-the entire path is compromised, this becomes a certainty; however,
-the added benefit to the adversary of such an attack is small in
-relation to the difficulty.
-
 \emph{Run a hostile directory server.} Directory servers control
 admission to the network. However, because the network directory
 must be signed by a majority of servers, the threat of a single
@@ -1676,18 +1671,17 @@ by the session key shared by the client and server.
 % There must be a better intro than this! -NM
 In addition to the open problems discussed in
 Section~\ref{subsec:non-goals}, many other questions remain to be
-solved by future research before we can be confident that we
+solved by future research before we can be confident of our security.
-have built a secure low-latency anonymity service.
 
 Many of these open issues are questions of balance.  For example,
 how often should users rotate to fresh circuits?  Too-frequent
-rotation is inefficient, expensive, and may lead to intersection attacks,
+rotation is inefficient, expensive, and may lead to intersection attacks
+and predecessor attacks \cite{wright03},
 but too-infrequent rotation
-makes the user's traffic linkable.   Instead of opening a fresh
+makes the user's traffic linkable.   Along with opening a fresh
-circuit; clients can also limit linkability by exiting from a middle point
+circuit, clients can also limit linkability by exiting from a middle point
-of the circuit, or by truncating and re-extending the circuit, but
+of the circuit, or by truncating and re-extending the circuit; but
 more analysis is needed to determine the proper trade-off.
-%[XXX mention predecessor attacks?]
 
 A similar question surrounds timing of directory operations:
 how often should directories be updated?  With too-infrequent
@@ -1696,7 +1690,6 @@ too-frequent updates the directory servers are overloaded.
 
 %do different exit policies at different exit nodes trash anonymity sets,
 %or not mess with them much?
-%
 %% Why would they?  By routing traffic to certain nodes preferentially?
 
 %[XXX Choosing paths and path lengths: I'm not writing this bit till