nihilist/tor
1
0
Fork 0
mirror of https://gitlab.torproject.org/tpo/core/tor.git synced 2024-11-13 22:53:44 +01:00
Code Issues Packages Projects Releases Wiki Activity

cut a paragraph, cut the rendezvous attacks subsec

Browse Source 
svn:r1018
This commit is contained in:
Roger Dingledine 2004-01-30 03:37:10 +00:00
parent b87302a885
commit ab67fcaa7f
1 changed files with 38 additions and 40 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

78
doc/tor-design.tex
View File

@ -958,10 +958,10 @@ has to check whether data has been successfully flushed onto the TCP
stream; it sends the \emph{relay sendme} cell only when the number of bytes pending stream; it sends the \emph{relay sendme} cell only when the number of bytes pending
to be flushed is under some threshold (currently 10 cells' worth). to be flushed is under some threshold (currently 10 cells' worth).
% Maybe omit this next paragraph. -NM %% Maybe omit this next paragraph. -NM
Currently, non-data relay cells do not affect the windows. Thus we %Currently, non-data relay cells do not affect the windows. Thus we
avoid potential deadlock issues, for example, arising because a stream %avoid potential deadlock issues, for example, arising because a stream
can't send a \emph{relay sendme} cell when its packaging window is empty. %can't send a \emph{relay sendme} cell when its packaging window is empty.
These arbitrarily chosen parameters seem to give tolerable throughput These arbitrarily chosen parameters seem to give tolerable throughput
and delay; see Section~\ref{sec:in-the-wild}. and delay; see Section~\ref{sec:in-the-wild}.
@ -987,7 +987,6 @@ to new ORs. \textbf{Smear-resistant:}
A social attacker who offers an illegal or disreputable location-hidden A social attacker who offers an illegal or disreputable location-hidden
service should not be able to ``frame'' a rendezvous router by service should not be able to ``frame'' a rendezvous router by
making observers believe the router created that service. making observers believe the router created that service.
%slander-resistant? defamation-resistant?
\textbf{Application-transparent:} Although we require users \textbf{Application-transparent:} Although we require users
to run special software to access location-hidden servers, we must not to run special software to access location-hidden servers, we must not
require them to modify their applications. require them to modify their applications.
@ -1903,41 +1902,40 @@ also designed to include authentication/authorization---if Alice doesn't
include the right cookie with her request for service, Bob need not even include the right cookie with her request for service, Bob need not even
acknowledge his existence. acknowledge his existence.
\SubSection{Attacks against rendezvous points} %\SubSection{Attacks against rendezvous points}
%
We describe here attacks against rendezvous points and how well %We describe here attacks against rendezvous points and how well
the system protects against them. %the system protects against them.
%
\emph{Make many introduction requests.} An attacker could %\emph{Make many introduction requests.} An attacker could
try to deny Bob service by flooding his introduction points with %try to deny Bob service by flooding his introduction points with
requests. Because the introduction points can block requests that %requests. Because the introduction points can block requests that
lack authorization tokens, however, Bob can restrict the volume of %lack authorization tokens, however, Bob can restrict the volume of
requests he receives, or require a certain amount of computation for %requests he receives, or require a certain amount of computation for
every request he receives. %every request he receives.
%
\emph{Attack an introduction point.} An attacker could %\emph{Attack an introduction point.} An attacker could
disrupt a location-hidden service by disabling its introduction %disrupt a location-hidden service by disabling its introduction
points. But because a service's identity is attached to its public %points. But because a service's identity is attached to its public
key, the service can simply re-advertise %key, the service can simply re-advertise
itself at a different introduction point. Advertisements can also be %itself at a different introduction point. Advertisements can also be
done secretly so that only high-priority clients know the address of %done secretly so that only high-priority clients know the address of
Bob's introduction points or so that different clients know of different %Bob's introduction points or so that different clients know of different
introduction points. This forces the attacker to disable all possible %introduction points. This forces the attacker to disable all possible
introduction points. %introduction points.
%
\emph{Compromise an introduction point.} An attacker who controls %\emph{Compromise an introduction point.} An attacker who controls
Bob's introduction point can flood Bob with %Bob's introduction point can flood Bob with
introduction requests, or prevent valid introduction requests from %introduction requests, or prevent valid introduction requests from
reaching him. Bob can notice a flood, and close the circuit. To notice %reaching him. Bob can notice a flood, and close the circuit. To notice
blocking of valid requests, however, he should periodically test the %blocking of valid requests, however, he should periodically test the
introduction point by sending rendezvous requests and making %introduction point by sending rendezvous requests and making
sure he receives them. %sure he receives them.
%
\emph{Compromise a rendezvous point.} A rendezvous %\emph{Compromise a rendezvous point.} A rendezvous
point is no more sensitive than any other OR on %point is no more sensitive than any other OR on
a circuit, since all data passing through the rendezvous is encrypted %a circuit, since all data passing through the rendezvous is encrypted
with a session key shared by Alice and Bob. %with a session key shared by Alice and Bob.
\end{document} \end{document}