[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[freehaven-cvs] tweaks throughout, update bib entries, shrink our ma...
Update of /home/freehaven/cvsroot/doc/routing-zones
In directory moria.mit.edu:/home2/arma/work/freehaven/doc/routing-zones
Modified Files:
routing-zones.tex routing-zones.bib
Log Message:
tweaks throughout, update bib entries, shrink our margins
Index: routing-zones.tex
===================================================================
RCS file: /home/freehaven/cvsroot/doc/routing-zones/routing-zones.tex,v
retrieving revision 1.63
retrieving revision 1.64
diff -u -d -r1.63 -r1.64
--- routing-zones.tex 29 Jan 2004 07:11:31 -0000 1.63
+++ routing-zones.tex 8 Jun 2004 04:12:41 -0000 1.64
@@ -12,6 +12,12 @@
% \setlength{\topsep}{0mm}
}}{\end{list}}
+\textwidth16cm
+\textheight21cm
+\topmargin0mm
+\oddsidemargin3mm
+\evensidemargin3mm
+
\begin{document}
%\title{Automated Jurisdictional Arbitrage}
@@ -27,8 +33,8 @@
\begin{abstract}
-Anonymity networks have long relied on the diversity of nodes in the
-infrastructure for protection against attacks---typically an adversary who
+Anonymity networks have long relied on diversity of node location for
+protection against attacks---typically an adversary who
can observe a larger fraction of the network can launch a more effective
attack. We investigate the diversity of two deployed anonymity networks,
Mixmaster and Tor, with respect to an adversary who controls a single
@@ -59,11 +65,11 @@
\cite{mixmaster-spec}, an adversary who observes a large volume of
network traffic can notice over time that certain recipients are more
likely to receive messages after particular senders have transmitted messages
-\cite{disad-free-routes,statistical-disclosure,e2e-traffic}. Low-latency
+\cite{statistical-disclosure,e2e-traffic}. Low-latency
networks like Onion Routing~\cite{tor-design,or-jsac98} are more directly
vulnerable: an eavesdropper on both ends of the connection can quickly
link sender to recipient through packet counting or timing attacks
-\cite{defensive-dropping,SS03}.
+\cite{defensive-dropping,SS03,danezis-pet2004}.
Anonymity designs use three major strategies to mitigate these attacks.
\begin{tightlist}
@@ -76,7 +82,7 @@
receiver~\cite{langos02,pipenet,defensive-dropping}.
\item {\bf{Dispersal:}} Reducing the chance that the adversary sees
both endpoints for a given communication may entirely block some
-attacks on low-latency networks, and disrupting intersection attacks on
+attacks on low-latency networks, and slow intersection attacks on
high-latency networks.
\end{tightlist}
@@ -87,8 +93,7 @@
topology so messages can enter or exit at more places in the network
(compared to a cascade topology~\cite{disad-free-routes});
or by \emph{jurisdictional arbitrage} --- coordinating network behavior
-so each transaction is spread over multiple administrative domains,
-or jurisdictions.
+so each transaction is spread over multiple jurisdictions.
In this paper, we investigate a variant of jurisdictional arbitrage that
takes advantage of the fact that the Internet is divided into thousands
@@ -104,7 +109,7 @@
evaluate the independence metric for these networks.
This paper presents several interesting results.
-First, we find that both Tor and Mixmaster have multiple mix nodes in
+First, we find that both Tor and Mixmaster have multiple nodes in
the same autonomous system. Users of these networks should take care to
avoid selecting two nodes from the same AS. In light of this, we argue
that node selection algorithms that look only at IP prefixes, such as
@@ -126,7 +131,7 @@
random node selection---even when the initiator never chooses the same node
for both entry and exit---are likely to be observed by a single AS between
10\% and 30\% of the time, depending on the location of the initiator
-and responder and that the single AS that can observe these paths is
+and responder, and that the single AS that can observe these paths is
always a backbone ISP. We conclude that a slightly different node
selection algorithm can allow users of these networks to minimize the
likelihood that their entry path and exit path traverse the same AS.
@@ -168,7 +173,7 @@
attacks. Attacks inside the network aim to partition anonymity sets
through passive observation~\cite{disad-free-routes,minion-design}
or active traffic manipulation~\cite{trickle02}, or otherwise narrow
-out suspects for a given transaction. Endpoint attacks treat the
+the set of suspects for a given transaction. Endpoint attacks treat the
network as a black box and consider only the entry node and exit node
for the transaction; such attacks include simple timing and counting
attacks against low-latency systems~\cite{defensive-dropping,SS03},
@@ -188,10 +193,10 @@
to get an informal intuition of the independence of the
network~\cite{riot-remap}. Previous anonymity networks, such as Tarzan
and Morphmix, aim to provide collusion resistance by comparing the IP of
-each peer~\cite{freedman:ccs02,morphmix:fc04} (our results show that
-this technique is ineffective). In this paper, we evaluate the
-topologies of {\em real anonymity networks in the context of the
-properties of Internet routing at the AS-level}, and design ways to
+each peer~\cite{freedman:ccs02,morphmix:fc04} (our results show that this
+technique is less effective than claimed). In this paper, we evaluate the
+topologies of {\em real anonymity networks} in the context of the
+properties of Internet routing at the AS-level, and design ways to
quantify the results.
\subsection{Overview of Internet Routing and Topology}
@@ -233,7 +238,7 @@
ASes. A router will typically readvertise the route to neighboring
ASes, prepending its own AS number to the AS path in the process. In
this fashion, BGP allows each AS to learn the AS-level path of a route to
-a destination that it learns via BGP.
+a destination that it learns via BGP.
ASes do not blindly propagate routes to all of their neighbors; rather,
each pair of ASes has a commercial relationship, and an AS may prefer to
@@ -334,10 +339,10 @@
\section{Threat Models}
\label{sec:threat-model}
-Alice wants to anonymously communicate with Bob. We aim to improve
-Alice's anonymity against an adversary who can monitor a single AS,
-for example, a curious ISP or a corrupt law enforcement officer abusing
-his subpoena powers. We assume that the ability to observe
+Alice wants to communicate with Bob without revealing her location. We
+aim to improve Alice's anonymity against an adversary who can monitor a
+single AS (for example, a curious ISP or a corrupt law enforcement officer
+abusing his subpoena powers). We assume that the ability to observe
multiple ASes is significantly more difficult than observing a single
AS, either because few
ISPs control multiple ASes, or because law enforcement will
@@ -347,7 +352,7 @@
%bar for breaking the anonymity of the system.
To investigate further, we must consider which attacks are most
-effective against different classes of anonymity network. We divide
+effective against different classes of anonymity networks. We divide
attacks into intra-network attacks and endpoint attacks, as described
in Section~\ref{subsec:background-anonymity}.
@@ -355,7 +360,7 @@
an adversary observing both Alice and Bob can quickly learn that they
are communicating. Onion Routing analysis~\cite{onion-routing:pet2000}
has shown that an adversary observing $c$ of the $n$ nodes in the network
-can use endpoint attacks to break $(\frac{c}{n})^2$ of the transactions. By
+can use endpoint attacks to break $\frac{c^2}{n^2}$ of the transactions. By
requiring the path from Alice to the anonymity network and the
path from the anonymity network to Bob to traverse separate
ASes, we can prevent all of these
@@ -384,12 +389,12 @@
\section{Modeling Techniques}
-%We now describe how we model mix networks and Internet routing to draw
-%conclusions about an anonymity network's vulnerability to eavesdropping
-%by the adversary detailed in Section~\ref{sec:threat-model}. First we
-%describe our model of node selection, and then we present our techniques
-%for estimating the AS-level path between two arbitrary hosts on the
-%Internet.
+We now describe how we model mix networks and Internet routing to draw
+conclusions about an anonymity network's vulnerability to eavesdropping
+by the adversary detailed in Section~\ref{sec:threat-model}. First we
+describe our model of node selection, and then we present our techniques
+for estimating the AS-level path between two arbitrary hosts on the
+Internet.
\subsection{Node Selection in Mix Networks}
\label{sec:path-selection}
@@ -535,13 +540,10 @@
\section{Data}
-%Here we summarize the data that we use in our analysis of
-%AS-level paths in mix networks. % In our analysis of mix networks, we
-%Our analysis of mix networks is based
-%%We base our analysis
-%on the location of mix
-%nodes in deployed systems today. We then
-%describe the data we used to generate the AS-level network topology.
+Here we summarize the data that we use in our analysis of AS-level paths
+in mix networks. We base our analysis on the location of mix nodes in
+deployed systems today. We then describe the data we used to generate
+the AS-level network topology.
\subsection{Mix Networks, Senders, and Receivers}
@@ -636,7 +638,7 @@
and Mixmaster nodes are located in the same AS. We also examine the
AS-level path properties between pairs of existing mix nodes and
quantify the extent to which the AS-level paths between two mix nodes
-traverse common ASes.
+traverse common ASes.
\subsubsection{Node properties}
@@ -747,7 +749,7 @@
another ISP). Not surprisingly, Table~\ref{tab:path_ind} shows that
many of the ASes that are between a large number of mix node pairs are
tier-1 ISPs (e.g., UUNet, Qwest, Global Crossing, AT\&T, AOL, Verio, and
-Abovenet).
+Abovenet).
The prevalence of certain ISPs between mix node pairs suggests that as
the length of a mix network path increases, the likelihood that an AS
@@ -1021,7 +1023,7 @@
We propose that mix networks aiming to achieve jurisdictional diversity
should consider the underlying AS-level paths. % Our paper
%brings to light several interesting and important results:
-Our results include:
+In particular, our results include:
\begin{tightlist}
\item While previous systems have proposed
Index: routing-zones.bib
===================================================================
RCS file: /home/freehaven/cvsroot/doc/routing-zones/routing-zones.bib,v
retrieving revision 1.18
retrieving revision 1.19
diff -u -d -r1.18 -r1.19
--- routing-zones.bib 30 Jan 2004 16:15:23 -0000 1.18
+++ routing-zones.bib 8 Jun 2004 04:12:41 -0000 1.19
@@ -63,7 +63,7 @@
booktitle = {Financial Cryptography},
year = {2004},
editor = {Ari Juels},
- publisher = {Springer-Verlag, LNCS (forthcoming)},
+ publisher = {Springer-Verlag, LNCS 3110},
}
@inproceedings{babel,
@@ -140,14 +140,14 @@
booktitle = {Financial Cryptography},
year = {2004},
editor = {Ari Juels},
- publisher = {Springer-Verlag, LNCS (forthcoming)},
+ publisher = {Springer-Verlag, LNCS 3110},
}
@inproceedings{SS03,
title = {Passive Attack Analysis for Connection-Based Anonymity Systems},
author = {Andrei Serjantov and Peter Sewell},
booktitle = {Computer Security -- ESORICS 2003},
- publisher = {Springer-Verlag, LNCS (forthcoming)},
+ publisher = {Springer-Verlag, LNCS 2808},
year = {2003},
month = {October},
}
@@ -213,20 +213,30 @@
publisher = {Springer-Verlag, LNCS 2482}
}
-@misc{e2e-traffic,
+@InProceedings{e2e-traffic,
author = "Nick Mathewson and Roger Dingledine",
title = "Practical Traffic Analysis: Extending and Resisting Statistical Disclosure",
- howpublished = {Manuscript},
- month = {January},
+ booktitle= {Privacy Enhancing Technologies (PET 2004)},
+ editor = {David Martin and Andrei Serjantov},
+ month = {May},
year = {2004},
}
-@misc{tor-design,
+@InProceedings{danezis-pet2004,
+ author = "George Danezis",
+ title = "The Traffic Analysis of Continuous-Time Mixes",
+ booktitle= {Privacy Enhancing Technologies (PET 2004)},
+ editor = {David Martin and Andrei Serjantov},
+ month = {May},
+ year = {2004},
+}
+
+@inproceedings{tor-design,
author = "Roger Dingledine and Nick Mathewson and Paul Syverson",
title = {{Tor: The Second-Generation Onion Router}},
- howpublished = {Manuscript},
- month = {January},
+ booktitle = {Proceedings of the 13th USENIX Security Symposium},
year = {2004},
+ month = {August},
}
@inproceedings{statistical-disclosure,
***********************************************************************
To unsubscribe, send an e-mail to majordomo@seul.org with
unsubscribe freehaven-cvs in the body. http://freehaven.net/