traffic analysis

Adam Back adam at cypherspace.org
Thu Aug 28 20:02:35 EDT 2003


On Thu, Aug 28, 2003 at 08:06:07AM -0400, John S. Denker wrote:
> A couple of people wrote in to say that my remarks
> about defending against traffic analysis are "not
> true".  As 'proof' they cite [1]
>
> which proves nothing of the sort.

I agree it doesn't prove anything directly.  However if your proposed
scheme falls to one or more of the traffic attacks we detail then that
conversely demonstrates that your scheme is also not ideally secure.

With reference to your previous post (which I had not read until now),
it's unclear on the datahaven.  You posit that it exists and is
trustworthy, but you seem to be working to a weaker threat-model than
we explored, namely you propose a user trust a single trusted entity.
We explored the more interesting case where the user can choose to
trust some set of nodes operated by different entities and the
objective is to design a system such that you still get good anonymity
as long as some k of n of the nodes are not rogue and hostile to your
anonymity.

Some of the attacks we examined discuss traffic analysis attacks
inside the anonymous network.

But some consider the anonymous network as a black box with perfect
properties (this model seems to be similar to yours.)  Of those the
attack where the user disrupts an input and observes disruption in the
output appears to work.  I.e., say there are two users A and B browsing
the web via this idealised system; if I disrupt (DoS / crash etc) user
A's network connection and one of the browsing streams abruptly stops,
I have some statistical information suggesting that browsing stream
belonged to real user A.

Now this is not really a criticism of the anonymous network as such,
but a problem particular to browsing -- the system requires observable
events to happen on the internet as the information is coming from
computers outside of the anonymity system.

Ideas about how to combat these kinds of problems are:

- mimic functions - to have some agent continue the browsing when the
  user's connection is disrupted.  However the limitation here is that
  good user browsing mimic functions are likely hard.

- another is caching (ZKS Freedom did this) and this tends to help
  because some of the content is coming from the cache and so only
  observable to a rogue node that happens to be the exit (and
  caching) node.

- another is moving the content inside the anonymous network; i.e.
  trying to host the content in a p2p network that also provides
  anonymity.  For example freenet tries to do this kind of thing.

but overall I have not seen any anonymous system design to date that
comes close to providing interactive anonymity against a threat-model
of retaining security with k of n honest nodes with k < n (!)  (and
where n != 1) 

Even a single compromised node (eg the exit node) plus ability to
observe or remotely influence network behavior of target users seems
to break most systems.

I restrict that comment to systems where the content is outside of the
anonymous network; systems like freenet where the content is inside
the system probably require a different threat model, because there
are a number of new threats, but still I think they would be vulnerable
to similar attacks from hostile insiders (and here anyone can usually
be an insider as it is a p2p system).

New threats in a p2p context include:

1. attacker's ability to discover what content a given node is serving
2. attacker's ability to discover all nodes serving a given file
3. attacker's ability to damage file integrity 
4. attacker's ability to flood the network with files (pure volume DoS)
5. attacker's ability to flood the network with bogus files and trick
   downloaders and p2p nodes into downloading and sharing the bogus
   files in place of genuine content
6. search term privacy
7. attacker's ability to flood the search mechanism

attack 1 particularly seems hard to defend against.

about the padding scheme:

> More specifically, anybody who thinks the scheme
> I described is vulnerable to a timing attack isn't
> paying attention.  I addressed this point several
> times in my original note.  All transmissions
> adhere to a schedule -- independent of the amount,
> timing, meaning, and other characteristics of the
> payload.
> 
> And this does not require wide-area synchronization.
> If incoming packets are delayed or lost, outgoing
> packets may have to include nulls (i.e. cover traffic).

this is vulnerable to insider attack because the padding is not
end-to-end if I read your description correctly.  Wei Dai has an
attack on that scheme which we describe in the paper and uses it to
argue for end-to-end padding.  (Note Pipenet is about internal
traffic, it does not propose external traffic, though presumably this
could be added at the cost of the discussed loss of security).

But in fact, if I understand correctly, you are talking about a single
anonymity-providing node, so you have to trust that node to terminate
the padding.

So I think the case is more that what you proposed could be secure
(modulo the problem of black-box correlation of disrupted input links
and disrupted output streams), but is a "trust-me" system, or at
least a "trust a single but chosen 3rd party" system whereas others
are probably thinking of a k of n trust target.

Adam

[1] http://www.cypherspace.org/adam/pubs/traffic.pdf

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
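The disruption-and-correlation attack Adam sketches above (knock out user A's link, watch which exit-side stream stops) and the mimic-function countermeasure he mentions, as an added simulation. This is not code from the post or from the cited paper; it assumes a perfect black-box network that leaks nothing but exit-side activity, a constructed Bernoulli browsing model with hypothetical parameters (20 users, request probability 0.5 per tick, five-tick outages), and an optional mimic agent that browses at exactly the user's rate while the link is down. The names `simulate`, `silence_scores`, `suspects` and `demo` are this example's own.

```python
"""Input-disruption / exit-correlation attack on an idealised anonymity
network, modelled as a simulation.  Constructed example for this thread,
not code from the post or from the cited paper.

Model (all assumptions of this example):
  - n_users each run one browsing stream through a perfect black-box
    network: the attacker sees exit-side streams under shuffled labels
    and cannot link them to users by content, timing or volume.
  - The attacker can knock out one target user's own link (DoS, crash)
    for a window of ticks and watch which exit streams fall silent.
  - Optionally a 'mimic' agent inside the network keeps browsing on the
    user's behalf at the user's usual rate while the link is down.
"""
import random
from typing import Dict, List, Set, Tuple

Streams = Dict[int, List[bool]]   # exit label -> per-tick activity


def simulate(n_users: int, ticks: int, rate: float, target: int,
             windows: List[Tuple[int, int]], mimic: bool = False,
             seed: int = 1) -> Tuple[Streams, int]:
    """Return (exit_streams, target_label).

    Each tick, each user issues a request with probability `rate`.
    During any disruption window [start, end) the target's input link is
    down, so its exit stream carries nothing, unless `mimic` is set, in
    which case the mimic keeps the stream active at the same rate.
    target_label is the secret exit label of the target's stream; the
    attacker never sees this mapping, it is returned only for checking.
    """
    rng = random.Random(seed)
    labels = list(range(n_users))
    rng.shuffle(labels)               # perfect network: unlinkable labels
    streams: Streams = {lab: [] for lab in labels}
    for t in range(ticks):
        down = any(start <= t < end for start, end in windows)
        for user in range(n_users):
            active = rng.random() < rate
            if user == target and down and not mimic:
                active = False        # link is down, nothing reaches exit
            streams[labels[user]].append(active)
    return streams, labels[target]


def silence_scores(streams: Streams,
                   windows: List[Tuple[int, int]]) -> Dict[int, int]:
    """Count, per exit stream, the disruption windows in which it was
    completely silent.  Without a mimic the target scores len(windows);
    an unrelated stream is silent in a window of width w only by chance,
    with probability (1 - rate) ** w."""
    return {
        lab: sum(1 for start, end in windows if not any(activity[start:end]))
        for lab, activity in streams.items()
    }


def suspects(streams: Streams, windows: List[Tuple[int, int]]) -> Set[int]:
    """Exit labels silent in every window.  One window usually leaves
    several candidates (the 'statistical information' of the post);
    repeating the disruption intersects the candidate sets."""
    scores = silence_scores(streams, windows)
    return {lab for lab, s in scores.items() if s == len(windows)}


def demo(n_users: int = 20, ticks: int = 200, rate: float = 0.5,
         target: int = 3, n_windows: int = 8, width: int = 5,
         mimic: bool = False, seed: int = 1) -> Tuple[Set[int], int]:
    """Run one scenario; return (suspect labels, true target label)."""
    windows = [(20 * i + 10, 20 * i + 10 + width) for i in range(n_windows)]
    streams, true_label = simulate(n_users, ticks, rate, target, windows,
                                   mimic, seed)
    return suspects(streams, windows), true_label


if __name__ == "__main__":
    for n, mimic in ((1, False), (8, False), (8, True)):
        sus, true_label = demo(n_windows=n, mimic=mimic)
        print(f"windows={n} mimic={mimic}: suspects={sorted(sus)} "
              f"target={true_label} caught={true_label in sus}")
```

A single outage leaves the target among a handful of streams that happened to be idle anyway, which is the "statistical information" of the post; repeating the outage a few times intersects those sets and normally isolates the target, with no flaw in the network itself. The mimic removes the signal here only because the toy assumes it matches the user's behaviour exactly, which is the hard part the post points out.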