On Thu, Aug 28, 2003 at 08:06:07AM -0400, John S. Denker wrote:
> A couple of people wrote in to say that my remarks
> about defending against traffic analysis are "not
> true". As 'proof' they cite
>
> which proves nothing of the sort.

I agree it doesn't prove anything directly. However, if your proposed scheme falls to one or more of the traffic attacks we detail, then that conversely demonstrates that your scheme is also not ideally secure.

With reference to your previous post (which I had not read until now), it's unclear on the datahaven. You posit that it exists and is trustworthy, but you seem to be working to a weaker threat model than we explored, namely you propose a user trust a single trusted entity. We explored the more interesting case where the user can choose to trust some set of nodes operated by different entities, and the objective is to design a system such that you still get good anonymity as long as some k of n of the nodes are not rogue and hostile to your anonymity.

Some of the attacks we examined discuss traffic analysis attacks inside the anonymous network. But some consider the anonymous network as a black box with perfect properties (this model seems to be similar to yours). Of those, the attack where the user disrupts an input and observes disruption in the output appears to work. I.e., say there are two users A and B browsing the web via this idealised system; if I disrupt (DoS / crash etc.) user A's network connection and one of the browsing streams abruptly stops, I have some statistical information suggesting that browsing stream belonged to real user A.

Now this is not really a criticism of the anonymous network as such, but a problem particular to browsing -- the system requires observable events to happen on the internet as the information is coming from computers outside of the anonymity system.

Ideas about how to combat these kinds of problems are:

- mimic functions - to have some agent continue the browsing when the user's connection is disrupted. However, the limitation here is that good user browsing mimic functions are likely hard.

- another is caching (ZKS Freedom did this), and this tends to help because some of the content is coming from the cache and so is only observable to a rogue node that happens to be the exit (and caching) node.

- another is moving the content inside the anonymous network; i.e. trying to host the content in a p2p network that also provides anonymity. For example freenet tries to do this kind of thing.

But overall I have not seen any anonymous system design to date that comes close to providing interactive anonymity against a threat model of retaining security with k of n honest nodes with k < n (!) (and where n != 1). Even a single compromised node (e.g. the exit node) plus the ability to observe or remotely influence network behavior of target users seems to break most systems.

I restrict that comment to systems where the content is outside of the anonymous network; systems like freenet where the content is inside the system probably require a different threat model, because there are a number of new threats. Still, I think they would be vulnerable to similar attacks from hostile insiders (and here anyone can usually be an insider as it is a p2p system).

New threats in a p2p context include:

1. attacker's ability to discover what content a given node is serving
2. attacker's ability to discover all nodes serving a given file
3. attacker's ability to damage file integrity
4. attacker's ability to flood the network with files (pure volume DoS)
5. attacker's ability to flood the network with bogus files and trick downloaders and p2p nodes into downloading and sharing the bogus files in place of genuine content
6. search term privacy
7. attacker's ability to flood the search mechanism

Attack 1 particularly seems hard to defend against.

About the padding scheme:

> More specifically, anybody who thinks the scheme
> I described is vulnerable to a timing attack isn't
> paying attention. I addressed this point several
> times in my original note. All transmissions
> adhere to a schedule -- independent of the amount,
> timing, meaning, and other characteristics of the
> payload.
>
> And this does not require wide-area synchronization.
> If incoming packets are delayed or lost, outgoing
> packets may have to include nulls (i.e. cover traffic).

This is vulnerable to insider attack because the padding is not end-to-end, if I read your description correctly. Wei Dai has an attack on that scheme which we describe in the paper and uses it to argue for end-to-end padding. (Note Pipenet is about internal traffic; it does not propose external traffic, though presumably this could be added at the cost of the discussed loss of security.)

But in fact, if I understand, you are talking about a single anonymity-providing node, so you have to trust that node to terminate the padding. So I think the case is more that what you proposed could be secure (modulo the problem of black-box correlation of disrupted input links and disrupted output streams), but is a "trust-me" system, or at least a "trust a single but chosen 3rd party" system, whereas others are probably thinking of a k of n trust target.

Adam

http://www.cypherspace.org/adam/pubs/traffic.pdf

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
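The black-box correlation problem Adam describes (cut one user's input link, watch which external browsing stream goes quiet) and the mimic-function countermeasure can be made concrete with a small simulation. The following is an added illustration, not code from the post, the traffic-analysis paper, or any of the systems named in the thread. It treats the anonymity network as a perfect black box, models browsing as a constructed per-slot fetch probability, and assumes a hypothetical edge agent that completes the in-flight fetch and then keeps fetching at the user's usual rate while the real link is down; all names, rates and seeds are constructed for the example.

```python
"""Toy model of the 'disrupt an input link, watch which output stream stops'
correlation attack against an idealised anonymity network, and of a
mimic-agent countermeasure.  All parameters are constructed for illustration."""
import random

SLOTS = 200   # time slots in the simulation
RATE = 0.3    # constructed per-slot probability that a browsing user fetches a page


def make_streams(n_users, seed):
    """Constructed browsing activity: 1 = the user fetched an external page in that slot."""
    rng = random.Random(seed)
    return [[1 if rng.random() < RATE else 0 for _ in range(SLOTS)]
            for _ in range(n_users)]


def exit_view(streams, victim, window, mimic=False, seed=1):
    """What a rogue exit node (or anyone watching the network's external side) sees:
    fetch activity per output stream, with the user<->stream mapping hidden because
    the network itself is treated as a perfect black box.  The victim's input link is
    cut for every slot in window=(start, end).

    mimic=False: the victim's stream simply goes quiet.
    mimic=True : a hypothetical edge agent finishes the fetch that was in flight when
                 the link dropped, then keeps fetching at the user's usual RATE, so the
                 outside world sees no interruption."""
    rng = random.Random(seed)
    start, end = window
    outputs = []
    for uid, stream in enumerate(streams):
        obs = list(stream)
        if uid == victim:
            for t in range(start, end):
                if not mimic:
                    obs[t] = 0
                elif t == start:
                    obs[t] = 1                       # complete the in-flight fetch
                else:
                    obs[t] = 1 if rng.random() < RATE else 0
        outputs.append(obs)
    perm = list(range(len(streams)))                 # hidden map: output index -> user id
    rng.shuffle(perm)
    return [outputs[i] for i in perm], perm


def silent_candidates(observed, window):
    """Attacker's inference: every output stream that was silent for the whole
    disruption window is a candidate for the disrupted user.  (A real analyst would
    also discard streams that were idle all along; omitted to keep the toy exact.)"""
    start, end = window
    return [i for i, obs in enumerate(observed) if not any(obs[start:end])]


def chance_silent_by_accident(window_len):
    """Probability that an undisturbed user fetches nothing for window_len slots.
    With n users, roughly 1/(1 + (n-1)*p) of the candidate set is the victim, which is
    the 'statistical information' the attack yields."""
    return (1 - RATE) ** window_len


def run(n_users=20, victim=4, window=(100, 112), mimic=False, seed=7):
    """Return the attacker's candidate list and whether the victim is in it."""
    streams = make_streams(n_users, seed)
    observed, perm = exit_view(streams, victim, window, mimic=mimic, seed=seed + 1)
    cands = silent_candidates(observed, window)
    victim_out = perm.index(victim)                  # ground truth, unknown to the attacker
    return {"candidates": cands,
            "victim_identified": victim_out in cands,
            "victim_output_index": victim_out}


if __name__ == "__main__":
    k = 12
    print(f"chance a bystander is silent for {k} slots: {chance_silent_by_accident(k):.4f}")
    print("no mimic :", run(mimic=False))
    print("mimic    :", run(mimic=True))
```

Without the agent the victim's output stream is always in the silent set, and at RATE 0.3 a 12-slot window leaves only about a 1.4% chance that any given bystander is silent too, so the candidate set is usually just the victim. With the agent the victim's stream never goes quiet and drops out of the candidate set entirely; the remaining weakness, as the post notes, is that the agent has to match the real user's fetch pattern closely enough that a rate or content change is not itself a signal.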