Sorry I'm a bit late on this thread. I don't usually watch freenet-dev,
but since Brett posted my mail from freehaven-dev onto here, I figured
I'd respond. (you had to pick the one that makes me sound like a paranoid
psychopath, eh Brett? :)

On Sat, Jul 29, 2000 at 09:35:01PM -0500, Signal 11 wrote:
> PPTP tunnel everything of importance. Traffic analysis
> isn't a hard-to-grasp concept, once you know what you're
> looking for and how the data is structured.

It's not that it's hard to analyze traffic -- it's hard to anticipate
what other people will be able to figure out from your traffic. See
below for an example.

> other nodes would aggregate traffic. I'm assuming one of the
> goals of Freenet is plausible deniability - nobody can ever prove
> a particular piece of data ever passed your node. If that is a

This is necessary but not sufficient for a real anonymous system. If the
Church/mafia can even guess that you (or one of a dozen individuals)
might be responsible for something sufficiently bad, they might just go
take you all out.

But as Oskar points out, Free Haven takes the secure but infeasible
approach to answering this problem, and Freenet takes the insecure but
feasible approach. Getting both is still a very tough problem. (We're
working on it.)

> > 5) We glimpsed at the conference that often a couple of compromised
> > nodes are sufficient to trace source/destination of remailer mail.
>
> Which is why you use multiple remailers...

Using multiple remailers and calling yourself secure is not sufficient.
The general assumption with mixes is to use a series of mix nodes, to
distribute trust -- "as long as at least one node in your path is honest,
the network remains secure".

I'll present the example that Andreas Pfitzmann gave at the Berkeley
conference; I imagine I won't explain it as clearly as he did, but it's
worth a shot.

There are a number of traffic analysis attacks that can be used if there
are constraints in the system. The specific one he gave as an example
was if users can pick their own paths through the network, and paths
are fixed-size. He showed that in the vast majority of cases, having
one honest mix in the path was not nearly enough:

Alice -- Mix1 --------         Mix6 -- Bob's recipient
                      \      /
                        Mix5
                      /      \
Bob -- Mix3 -- Mix4            Mix7 -- Mix8 -- Alice's recipient

In this scenario, users can pick their own paths, and paths are
fixed-length at 4. Mix5 is the honest mix. The adversary can watch
the others.

Alice chooses Mix1->Mix5->Mix7->Mix8.
Bob chooses Mix3->Mix4->Mix5->Mix6.

By watching how many hops the message takes before and after Mix5, our
adversary can distinguish which message coming out of Mix5 corresponds
to the ones coming in.

While this looks like a particularly trivial (and easy to fix) example on
the surface, I think it instead demonstrates how little we understand
traffic analysis and how many different sorts of attacks we might
introduce into a system even from a simple-sounding idea like letting
users pick their own paths through the mix network.

We can't simply solve the problem by saying "use a mix cascade, not a
network" because the underlying issue -- can an adversary distinguish
messages based on characteristics of the messages or protocols? -- is
still not answered. For all I know, even running your message through a
single compromised mix node is giving him a good shot at figuring out
your endpoints, particularly in a case like Free Haven where servers
reuse their mixnet addresses.

Your link padding solution doesn't do anything here, since the adversary
can distinguish the wheat from the chaff. Anyway, I'm not saying we
can't solve this; I'm just saying it's a lot more complex than people
seem to be giving it credit for.

--Roger
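
The hop-counting observation from the message above, as an added example that is not part of the original mail: it computes, for each sender, the set of recipients consistent with the fixed path length once hops before and after the honest mix are known. The function names are hypothetical, and Carol, Mix2 and Mix9 are constructed to show a case where the set is larger than one.

```python
from collections import defaultdict

PATH_LEN = 4      # fixed path length used in the mail's scenario
HONEST = "Mix5"   # the only mix the adversary cannot watch

# sender -> (chosen path, recipient). Alice and Bob are from the mail;
# Carol, Mix2 and Mix9 are constructed to show a non-trivial candidate set.
PATHS = {
    "Alice": (["Mix1", "Mix5", "Mix7", "Mix8"], "Alice's recipient"),
    "Bob":   (["Mix3", "Mix4", "Mix5", "Mix6"], "Bob's recipient"),
}
PATHS_WITH_CAROL = dict(
    PATHS, Carol=(["Mix2", "Mix5", "Mix9", "Mix6"], "Carol's recipient"))

def observe(paths, honest=HONEST):
    """What a watcher of every other mix learns: hops each message took
    before reaching the honest mix, and hops it takes after leaving it."""
    hops_before, hops_after = {}, {}
    for sender, (path, recipient) in paths.items():
        i = path.index(honest)
        hops_before[sender] = i
        hops_after[recipient] = len(path) - i - 1
    return hops_before, hops_after

def candidate_sets(paths, path_len=PATH_LEN, honest=HONEST):
    """Recipients consistent with each sender under the constraint
    hops_before + 1 (the honest mix) + hops_after == path_len."""
    hops_before, hops_after = observe(paths, honest)
    by_after = defaultdict(set)
    for recipient, after in hops_after.items():
        by_after[after].add(recipient)
    return {s: set(by_after[path_len - 1 - b]) for s, b in hops_before.items()}

if __name__ == "__main__":
    for name, paths in (("mail scenario", PATHS), ("with Carol", PATHS_WITH_CAROL)):
        print(name)
        for sender, cands in candidate_sets(paths).items():
            print(f"  {sender}: {sorted(cands)}")
```

The size of each candidate set is the anonymity the single honest mix actually provides under this path policy; a set of size one means the mix hid nothing.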