[freehaven-cvs] Update attacks section, mention Free Haven, fix prot...
Update of /home2/freehaven/cvsroot/doc/pynchon-gate
In directory moria.mit.edu:/tmp/cvs-serv11012
Modified Files:
pynchon.tex pynchon.bib
Log Message:
Update attacks section, mention Free Haven, fix protocol issues.
Index: pynchon.tex
===================================================================
RCS file: /home2/freehaven/cvsroot/doc/pynchon-gate/pynchon.tex,v
retrieving revision 1.30
retrieving revision 1.31
diff -u -d -r1.30 -r1.31
--- pynchon.tex 17 Sep 2004 08:09:42 -0000 1.30
+++ pynchon.tex 17 Sep 2004 13:07:35 -0000 1.31
@@ -74,14 +74,18 @@
%countermeasures to basic attacks against the system.
\end{abstract}
-\section{Introduction}
+\section{Introduction}
Pseudonymous messaging services seek to provide users with a way to send
messages that originate at a pseudonymous address (or ``nym'') unlinked to
-the user, and to receive messages send to that address, without allowing an
-attacker to deduce which users are associated with which pseudonyms. But, as
-we will argue below, most existing deployed solutions are either vulnerable
-to traffic analysis, or require unacceptably large amounts of bandwidth and
-storage as the number of users and volume of traffic increase.
+the user, and to receive messages send to that address, without allowing
+an attacker to deduce which users are associated with which pseudonyms.
+These systems can be used specifically to provide a mechanism for a user
+to communicate without revealing her identity, or can be used as a
+building-block for other systems which need a bi-directional communication
+channel, such as Free Haven~\cite{freehaven-berk}. But, as we will argue
+below, most existing deployed solutions are either vulnerable to traffic
+analysis, or require unacceptably large amounts of bandwidth and storage
+as the number of users and volume of traffic increase.
We propose the Pynchon Gate, a novel design that uses distributed-trust
private information retrieval (PIR)~\cite{pir} primitives to build a secure,
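Review bot: the re-wrapped introduction sentence still reads "messages send to that address" on the added line; since the line is being rewritten anyway, correct it to "sent". The first -/+ pair for \section{Introduction} shows no visible difference, so it looks like a whitespace-only change that could be dropped from the commit. In the new sentence, "building-block" used as a noun would normally be unhyphenated.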
@@ -321,6 +325,11 @@
to obtain information about nym holders by comparing network and user
behavior when a given message or packet is transmitted multiple times.
+\subsubsection{Tagging and known-cleartext attacks.} An attacker may alter
+a message, or observe the cleartext of a message, so that he may be able
+to later link an input message with a given output retrieved by the
+nym-holder.
+
\subsubsection{{\it Who am I?} attack.}
An attacker may send messages intended for nym Alice to nym Bob instead,
to confirm that Alice and Bob are the same nym-holder~\cite{gd-thesis}.
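Review bot: the new "Tagging and known-cleartext attacks" entry folds two different capabilities (altering a message versus observing its cleartext) into one sentence, and only says the attacker may "later link an input message with a given output". Splitting it into one sentence per attack would make each precise. The adjacent "Who am I?" entry carries a citation while this one has none, and its body starts on the heading line where the neighbouring entries start on the next line.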
@@ -328,7 +337,19 @@
\subsubsection{Usage pattern and intersection attacks.}
An attacker may analyze network usage and anonymity set members over time
-to sub-divide anonymity sets such that a given user is identified.
+to sub-divide anonymity sets such that a given user is identified. In
+addition to passive observation of the network, there are a number of
+active attacks which can facilitate usage pattern attacks. An attacker may
+flood a nym, to observe a corresponding increase in traffic by the
+recipient. If attacks on portions of the pseudonymity infrastructure
+affect some users differently than others, an attacker may exploit such
+attacks on components of the system to facilitate an intersection attack
+against a user of the system as a whole. For instance, in a reply-block
+system, an attacker could disable certain mixes, and observe which nyms
+ceased receiving traffic. If the nym holder has a fixed-route reply block,
+this would enable the attacker to identify the mixes used in the
+nym-holder's reply-block path, and increase his chances of successfully
+linking the nym with the nym-holder's true name.
\subsubsection{Statistical-disclosure attacks.}
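Review bot: in the added usage-pattern text, the sentence beginning "If attacks on portions of the pseudonymity infrastructure" uses "attacks" three times and is hard to parse; consider something like "an attacker who can degrade part of the infrastructure in a way that affects some users differently can use that difference to run an intersection attack". The added lines also mix "nym holder" and "nym-holder"; the rest of the visible text uses the hyphenated form. The comma in "flood a nym, to observe" can go.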
@@ -389,14 +410,16 @@
with the nym server, so at a minimum the nym server must be able to
receive email in addition to any optional support for other protocols.
Future developments in forward anonymity protocols may alleviate this
-reliance on email.} and pass these messages to each independently-operated
-distributor node in the network. Through the use of a client which can
-communicate with the distributor nodes, the owner of a given pseudonym is
-able to make a series of requests from several distributor nodes, enabling
-her to receive her message without the individual nodes determining the
-identity of the pseudonym being requested. The protocol used is resistant
-to collusion: even if there are $(k-1)$ nodes operated by the adversary
-the adversary cannot learn the requested pseudonym.
+reliance on email. In our system, the nym server may communicate directly
+with Mixminion nodes via the direct communication mechanism in Mixminion.}
+and pass these messages to each independently-operated distributor node in
+the network. Through the use of a client which can communicate with the
+distributor nodes, the owner of a given pseudonym is able to make a series
+of requests from several distributor nodes, enabling her to receive her
+message without the individual nodes determining the identity of the
+pseudonym being requested. The protocol used is resistant to collusion:
+even if there are $(k-1)$ nodes operated by the adversary the adversary
+cannot learn the requested pseudonym.
By using a PIR-based message retrieval system we retain the convenience,
reliability, and security of the ``send everything everywhere'' method,
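Review bot: the sentence added to the footnote, "In our system, the nym server may communicate directly with Mixminion nodes via the direct communication mechanism in Mixminion", follows text saying the nym server must at a minimum be able to receive email, and it does not say whether direct Mixminion communication is in addition to email or replaces that requirement. State which, and name or cite the mechanism meant, since "direct communication mechanism" is not defined in the surrounding lines. The rest of the hunk is re-wrapping only, which makes the one substantive change hard to spot; keeping re-wraps separate from content changes would help.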
@@ -500,7 +523,7 @@
from that bucket to the hash tree root. These distributors communicate to
the client application using the \emph{Pynchon Gate PIR Protocol}.
-\subsection{The Pynchon Gate Client}
+\subsection{The Pynchon Gate PIR Protocol}
\label{subsec:client-design}
The \emph{Pynchon Gate Client} application resides on the nym owner's
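Review bot: the heading changes to "The Pynchon Gate PIR Protocol" but the label on the next line is still \label{subsec:client-design} and the paragraph that follows still opens with "The \emph{Pynchon Gate Client} application resides on the nym owner's", so the title no longer matches either its label or its body. If the client description is meant to stay here, keep the old title and add the protocol subsection separately; otherwise rename the label and update its references.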
@@ -577,12 +600,13 @@
make sure that each of the distributors they use agree about the value of
the hash root.
-The hash tree root used for bucket authentication uses a distinct tree
-structure from the tree organization of the data in the buckets. The
-authentication tree is a simple binary hash tree which can be computed
-implicitly given the entire list of buckets. Binary hash trees enable the
-path from any given bucket to the root to be expressed as compactly as
-possible.
+%The hash tree root used for bucket authentication uses a distinct tree
+%structure from the tree organization of the data in the buckets. The
+%authentication tree is a simple binary hash tree which can be computed
+%implicitly given the entire list of buckets. Binary hash trees enable the
+%path from any given bucket to the root to be expressed as compactly as
+%possible.
+% XXXX This is not correct.
Distributors append to each bucket the path from that bucket to the hash
tree root. With this information, the client can verify the integrity of
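Review bot: commenting out the authentication-tree paragraph with only "% XXXX This is not correct." leaves no record of what is wrong, while the surrounding text still refers to "the hash root" and to "the path from that bucket to the hash tree root" with no remaining description of how that tree is built. Either replace the paragraph with the corrected description in this commit, or expand the XXXX comment to say which claim is incorrect so it can be resolved later.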
@@ -773,7 +797,7 @@
We would like to thank Russell O'Connor, for review of several candidate
PIR systems; Adam Back, for his optimization on the message request
protocol; Lucky Green, for valuable comments; Ben Laurie, for review of an
-early sketch of the Pynchon Gate Protocol; Sonia Ara\~na, Roger
+early sketch of the Pynchon Gate PIR Protocol; Sonia Ara\~na, Roger
Dingledine, Peter Palfrader, and Adam Shostack for proof-reading and
comments on the paper. Finally, thanks to the many members of the
Cypherpunks mailing list who have contributed much to the field of
Index: pynchon.bib
===================================================================
RCS file: /home2/freehaven/cvsroot/doc/pynchon-gate/pynchon.bib,v
retrieving revision 1.14
retrieving revision 1.15
diff -u -d -r1.14 -r1.15
--- pynchon.bib 16 Sep 2004 21:06:33 -0000 1.14
+++ pynchon.bib 17 Sep 2004 13:07:35 -0000 1.15
@@ -65,6 +65,19 @@
year = {2004},
}
+@inproceedings{freehaven-berk,
+ title = {The Free Haven Project: Distributed Anonymous Storage Service},
+ author = {Roger Dingledine and Michael J. Freedman and David Molnar},
+ booktitle = {Proceedings of Designing Privacy Enhancing Technologies: Workshop on Design
+ Issues in Anonymity and Unobservability},
+ year = {2000},
+ month = {July},
+ editor = {H. Federrath},
+ publisher = {Springer-Verlag, LNCS 2009},
+ www_important = {1},
+ www_ps_url = {http://freehaven.net/doc/berk/freehaven-berk.ps},
+ www_section = {Anonymous publication},
+}
@inproceedings{universal,
title = {Universal Re-Encryption for Mixnets},
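Review bot: in the new freehaven-berk entry, publisher = {Springer-Verlag, LNCS 2009} folds the series and volume into the publisher field, while the entry at the end of this file uses a separate series = {LNCS}. Splitting it into publisher, series and volume fields keeps the bibliography consistent. The entry also has no pages field.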
@@ -90,7 +103,7 @@
@inproceedings{mixmaster-reliable,
title = {Comparison between two practical mix designs},
author = {Claudia D\'{\i}az and Len Sassaman and Evelyne Dewitte},
- booktitle = {Proceedings of 9th European Symposiumon Research in Computer Security
+ booktitle = {Proceedings of 9th European Symposium on Research in Computer Security
(ESORICS)},
year = {2004},
month = {September},
@@ -515,4 +528,4 @@
series = {LNCS},
www_section = traffic,
www_pdf_url = "http://freehaven.net/doc/e2e-traffic/e2e-traffic.pdf",
-}
\ No newline at end of file
+}