On Wed, Dec 8, 2010 at 10:11 AM, Mitar <[email protected]> wrote: > Hi! > >> Relaxing the realtime constraint, adding random delays, more >> hops and also chaff trafic in a Tor derivate would arguably >> make such attacks more difficult. > > I am asking just about more hops. Why would more hops be necessary? It > is enough that one node introduces random delay and this is it?
It is strictly necessary that the bad guy not control 100% of the forwarding nodes. On a realtime onion network anonymity is bounded by timing attacks— even if you could tolerate the delay of having a zillion middle nodes the attacker could just watch the entrances an exits and correlate timing. So adding a great many hops would not significantly increase security. A mix network can tolerate higher delays and, hopefully, eliminates the timing attacks. So additional hops can be beneficial. The down side is increased vulnerability to DOS attacks if flooders can generate cheap round-the-world messages. The creating a hidden service based overlay network, as was suggested here by Karsten N., was what I thought when I read the thread— but I was concerned that if the network identity of all/most of the nodes is hidden that an attacker could spin up thousands of fake mix nodes without even needing a lot of network resources. They could make it far more likely that all your hops were controlled by one party. Although the risk exists for non hidden service based designs, it's probably much easier with an anonymity layer in between. Any design using hidden services would specifically need to address this risk. *********************************************************************** To unsubscribe, send an e-mail to [email protected] with unsubscribe or-talk in the body. http://archives.seul.org/or/talk/
