[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[freehaven-cvs] nick"s edits to the nato-rta paper
Update of /home/freehaven/cvsroot/doc/rta04
In directory moria.mit.edu:/home2/arma/work/freehaven/doc/rta04
Modified Files:
nato-rta04.tex
Log Message:
nick's edits to the nato-rta paper
Index: nato-rta04.tex
===================================================================
RCS file: /home/freehaven/cvsroot/doc/rta04/nato-rta04.tex,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -d -r1.1 -r1.2
--- nato-rta04.tex 7 Jan 2004 22:35:44 -0000 1.1
+++ nato-rta04.tex 7 Jan 2004 22:40:59 -0000 1.2
@@ -46,7 +46,8 @@
% \pdfpageheight=\the\paperheight
%\fi
-\title{Protecting Against Traffic Analysis on Unclassified
+
+\title{Resisting Traffic Analysis on Unclassified
Networks\thanks{This work supported by DARPA and ONR.}}
% Putting the 'Private' back in 'Virtual Private Network
@@ -81,39 +82,41 @@
\section{Introduction}
It is well known that encryption hides the content of communication
-but does nothing to hide who is communicating. Indeed, Whit Diffie, an
-inventor of public-key cryptography, has noted that cryptanalysis is
-not the backbone of signals intelligence, rather, it is traffic
-analysis. The military has many reasons to communicate over open
-networks but must sometimes hide the fact that it is doing so. For
-example, it may be much more expedient and convenient to gather
-intelligence from open Internet sources. Another reason for using open
-networks is rapid formation of dynamic coalitions without an existing
-shared private infrastructure between members. A third reason is that
-hiding communication with vendors may help conceal procurement
-patterns. Finally, it is sometimes not the communicants that are
-sensitive but their location. A server whose physical or logical
+but does nothing to hide who is communicating with whom. Indeed,
+Whit Diffie, an inventor of public-key cryptography, has noted that
+traffic analysis, not cryptanalysis, is the backbone of signals
+intelligence. %cite
+% Can we be more specific than 'the military'?
+The military has many reasons to communicate over open
+networks without revealing its communications partners.
+This assists intelligence gathering intelligence from open Internet
+sources, rapid formation of dynamic coalitions without an existing
+shared private infrastructure between members, and
+hidden communication with vendors to help conceal procurement
+patterns. Finally, it is sometimes not the communicants that are
+sensitive but their location: a server whose physical or logical
location is known may be vulnerable to physical attack and denial of
service.
-Onion Routing is on overlay network concept for making anonymous
+Onion Routing is on overlay network concept for making anonymous
connections resistant to eavesdropping and traffic analysis. It
permits low-latency TCP-based communication such as web traffic,
secure shell remote login, and instant messaging. The current design
and implementation, Tor, makes a number of improvements on the
-original. These include perfect forward secrecy, being able to interface
-with applications via SOCKS without modification to those applications
-or to Onion Routing, multiplexing of application connections on
-Onion Routing circuits, congestion control, fault tolerance for node
+original. %cite
+These include perfect forward secrecy, interfacing
+to unmodified applications via SOCKS,
+multiplexing of application connections on
+Onion Routing circuits, congestion control, recovery from node
failure, integrity checking, and rendezvous points that protect the
responder of a connection in addition to the initiator.
Onion Routing may be used anywhere traffic analysis is a concern.
Because Onion Routing is an overlay network, it can exist on top of
public networks such as the Internet without any modification to the
-underlying routing structure or protocols. The confidentiality and
-integrity of communications are automatically protected by the Onion
-Routing protocol. However, the endpoints are also hidden. An
+underlying routing structure or protocols. Beyond protecting data
+confidentiality and integrity, the Onion Routing protcol hides the
+endpoint of each transmission. An
intelligence analyst surfing a web site through Onion Routing is
hidden both from that web site and from the Onion Routing network
itself. On the other hand, Onion Routing separates anonymity of the
@@ -131,10 +134,13 @@
settings.
\subsection{Related Work}
-Onion Routing did not arise in a vacuum. In this summary we cannot
-describe all of the related work that came before. We give here only a
-broad description of prior work, references and comparisons can be
-found in \cite{tor-design}. Modern anonymity systems date to Chaum's
+Onion Routing did not arise in a vacuum.
+%In this summary we cannot
+%describe all of the related work that came before.
+We give here a
+broad description of prior work; for a fuller list of references and
+comparisons, see
+\cite{tor-design}. Modern anonymity systems date to Chaum's
{\bf Mix-Net} design \cite{chaum-mix}. Chaum proposed hiding the
correspondence between sender and recipient by wrapping messages in
layers of public-key cryptography, and relaying them through a path
@@ -163,8 +169,7 @@
correlated patterns among exiting traffic. Although some work has
been done to frustrate these attacks, most designs protect primarily
against traffic analysis rather than traffic confirmation (cf.\
-Section~\ref{subsec:threat-model}).
-
+Section~\ref{subsec:threat-model}).
The simplest low-latency designs are single-hop proxies such as the
Anonymizer \cite{anonymizer}, wherein a single trusted server
@@ -191,20 +196,22 @@
main goal, however, several considerations have directed
Tor's evolution.
-\textbf{Diversity:} If all onion routers are operated by the defense
+\textbf{Diversity:} If all onion routers were operated by the defense
department or ministry of a single nation and all users of the network
-are DoD users, then traffic patterns of individuals, enclaves, and
-commands may be protected. However, any traffic emerging from the
-Onion Routing network to the Internet will be recognized as coming
-from the DoD. Therefore, it is necessary that the Onion Routing
+were DoD users, then traffic patterns of individuals, enclaves, and
+commands might be protected. However, any traffic emerging from the
+Onion Routing network to the Internet would still be recognized as coming
+from the DoD, since the network would only carry DoD traffic.
+Therefore, it is necessary that the Onion Routing
network carry traffic of a broader class of users. Similarly, having
onion routers run by diverse entities, including nonmilitary entities
-and entities from diverse countries, will help broaden and enlarge the
+and entities from different countries, will help broaden and enlarge the
class of users who will trust that system insiders will not monitor
their traffic. This will provide both a greater diversity and greater
-volume of cover traffic. Unlike confidentiality, one cannot have
-anonymity by oneself, no matter how strong the technology. This need
-for diversity affects the way other goals must be pursued.
+volume of cover traffic. Unlike confidentiality, a single entity
+cannot achieve anonymity without collaboration, no matter how strong
+the technology. %This need
+%for diversity affects the way other goals must be pursued.
\textbf{Deployability:} The design must be deployed and used in the
real world. Thus it must not be expensive to run (for example, by
@@ -328,8 +335,6 @@
Discussion of how well the Tor design defends
against each of these attacks is presented in \cite{tor-design}.
-
-
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\section{Overview of the Tor Design}
***********************************************************************
To unsubscribe, send an e-mail to majordomo@seul.org with
unsubscribe freehaven-cvs in the body. http://freehaven.net/