[Huge cc: list trimmed]
Adam Shostack wrote:
> Freedom isn't a pipenet, it's a mix.  Pipenet resists certain classes
> of attack better, like having big chunks of the internet shut down.

Over the years, using Wei Dai's term Pipenet (or Pipe-net, as it was spelled
originally) has firmly been established as denoting an anonymous IP
network that uses constant or otherwise data-independent "pipes" between the
nodes of the network. Since Freedom uses link padding, I would consider
Freedom a Pipenet.

It has been the recognition that data-independent traffic flows are a
necessary design component of a secure anonymous IP network, especially
between the end-user and the first network node, that sets Pipenet designs
apart from naive implementations such as the first generation Onion Routers
and Crowds. The reader can see a good visualization of the problem on the OR
homepage at http://www.onion-router.net/Vis.html. Know that this
visualization was produced by a group that for the longest time disputed that
padding was in fact a necessity. But the data was clear enough to even
convince them.

Designs that lack the link padding property fall to a number of attacks that
provide for trivial confirmation of a particular user's identity. Which
makes such designs of limited, if any, interest to most Cypherpunks. Just as
cryptanalysis of a cipher must, contrary to most people's intuition,
typically assume known plaintext, perhaps equally contrary to intuition,
attacks on anonymous IP networks must typically assume that the set of
network users that possesses the required knowledge to make educated
contributions to a webchat on biological agent feedstock DNA synthesis is
mostly known to the watchers. At this point, determining the identity of the
chatter becomes a matter of confirmation, which can be trivially obtained
absent link padding. Given Internet caching devices such as the petabyte
100,000-drive RAID array operated by a US agency, the necessary analysis
could probably be performed even after the fact.

Coincidentally, the pseudonymous email system included in Freedom suffers
from this very, fatal, flaw. Now of course ZKS is aware of it and, as I
understand, in the process of replacing the fundamentally insecurable reply
block-based architecture. (Though I can't help but wish they would act
faster. After all, I informed them of the problem over a year ago). Until
the current architecture is replaced, using Freedom pseudonymous email for
communications with even mid-level security requirements would be folly.

To give a practical example, I have a fairly good hunch as to the true
identity of the recent poster to this list using the nym
"[EMAIL PROTECTED]". Confirming the identity by sending a few
emails and watching the mailspool of the suspect would not be a particularly
challenging exercise. No TLA threat model needs to be assumed. I probably
could perform the attack myself, for zero budget, and from the comfort of my
living room.

[Sidebar for recent additions to the mailing lists: adding noise, aka cover
traffic, would not prevent such an attack. It would simply require an
increase in the sample size].

--Lucky Green <[EMAIL PROTECTED]>

  "Among the many misdeeds of British rule in India, history will look
   upon the Act depriving a whole nation of arms as the blackest."
  - Mohandas K. Gandhi, An Autobiography, pg 446
  http://www.citizensofamerica.org/missing.ram
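
The post argues that only data-independent link traffic (Pipenet-style padding) denies a passive link observer the confirmation signal, and that cover traffic merely raises the sample size the observer needs. The simulation below, added here as an illustration and not part of the original post or of any product it mentions, measures that leakage for the three designs discussed: no padding, cover traffic, and constant-rate link padding. The sender's activity pattern, the burst sizes, the noise distribution and the Pearson-correlation metric are all constructed assumptions chosen to make the comparison visible; a network designer wants the resulting leakage driven to zero regardless of sample size.

```python
import random

random.seed(7)  # constructed: fixed seed so the simulation is reproducible


def sender_activity(n, p_active=0.3, burst=5):
    """Constructed ground truth: in each observation window the sender either
    emits a burst of `burst` cells or stays idle. A link observer never sees
    this directly; it only sees one of the observed series below."""
    return [burst if random.random() < p_active else 0 for _ in range(n)]


def observe_no_padding(activity):
    """Naive design (early Onion Routing, Crowds): link volume equals real traffic."""
    return list(activity)


def observe_cover_traffic(activity, noise_max=5):
    """Noise added on top of real traffic. Volume still rises with activity,
    so the pattern survives, just with a worse signal-to-noise ratio."""
    return [a + random.randint(0, noise_max) for a in activity]


def observe_link_padding(activity, rate=5):
    """Pipenet-style link padding: a constant `rate` of cells per window no
    matter what the sender does; real cells replace padding cells, so the
    observed volume is independent of the data (assumes rate >= burst)."""
    return [rate for _ in activity]


def correlation(x, y):
    """Pearson correlation between two equal-length series.
    Returns 0.0 when either series is constant: a constant series carries no
    information about the other one."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    if sxx == 0 or syy == 0:
        return 0.0
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    return sxy / (sxx * syy) ** 0.5


def leakage(design, n):
    """Run one design over n windows and return (r, r * sqrt(n)).
    r is how strongly the observed link volume tracks the hidden activity;
    r * sqrt(n) grows with the sample size whenever r is non-zero, which is
    the post's point about cover traffic: more samples, same conclusion."""
    activity = sender_activity(n)
    observed = design(activity)
    r = correlation(activity, observed)
    return r, r * n ** 0.5


if __name__ == "__main__":
    for n in (100, 1000):
        for name, design in (("no padding", observe_no_padding),
                             ("cover traffic", observe_cover_traffic),
                             ("link padding", observe_link_padding)):
            r, score = leakage(design, n)
            print(f"{name:14s} n={n:5d}  r={r:5.2f}  r*sqrt(n)={score:6.1f}")
```

With the constructed parameters the no-padding design reproduces the activity pattern exactly, cover traffic leaves a correlation around 0.8 whose significance keeps growing with the number of windows, and link padding yields a constant series from which the observer learns nothing however long it watches.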

