Modern anonymity designs date to Chaum's Mix-Net\cite{chaum-mix} design of
1981. Chaum proposed hiding sender-recipient connections by wrapping
messages in several layers of public key cryptography, and relaying them
-through a path composed of Mix servers. Mix servers in turn decrypt, delay,
-and re-order messages, before relay them along the path towards their
-destinations.
+through a path composed of ``Mixes.'' These mixes in turn decrypt, delay,
+and re-order messages, before relaying them along the sender-selected
+path towards their destinations.
Subsequent relay-based anonymity designs have diverged in two
principal directions. Some have attempted to maximize anonymity at
no resistance to traffic confirmation; it does. We defer discussion
of this point and of particular attacks until Section~\ref{sec:attacks},
after we have described Tor in more detail.)
-
-\SubSection{Known attacks against low-latency anonymity systems}
-\label{subsec:known-attacks}
-% Should be merged into ``Threat model'' and reiterated in Attacks. -NM
-
-We discuss each of these attacks in more detail below, along with the
-aspects of the Tor design that provide defense. We provide a summary
-of the attacks and our defenses against them in Section~\ref{sec:attacks}.
-
-Passive attacks:
-simple observation,
-timing correlation,
-size correlation,
-option distinguishability,
-
-Active attacks:
-key compromise,
-iterated subpoena,
-run recipient,
-run a hostile node,
-compromise entire path,
-selectively DOS servers,
-introduce timing into messages,
-directory attacks,
-tagging attacks,
-smear attacks,
-entrapment attacks
+% XXX We need to say what traffic analysis is: How about...
+On the other hand, we {\it do} try to prevent an attacker from
+performing traffic analysis: that is, attempting to learn the communication
+partners of an arbitrary user.
+% XXX If that's not right, what is? It would be silly to have a
+% threat model section without saying what we want to prevent the
+% attacker from doing. -NM
+% XXX Also, do we want to mention linkability or building profiles? -NM
+
+Our assumptions about our adversary's capabilities imply a number of
+possible attacks against users' anonymity. Our adversary might try to
+mount passive attacks by observing the edges of the network and
+correlating traffic entering and leaving the network: either because
+of relationships in packet timing; relationships in the volume of data
+sent; [XXX simple observation??]; or relationships in any externally
+visible user-selected options. The adversary can also mount active
+attacks by trying to compromise all the servers' keys in a
+path---either through illegitimate means or through legal coercion in
+unfriendly jurisdiction; by selectively DoSing trustworthy servers; by
+introducing patterns into entering traffic that can later be detected;
+or by modifying data entering the network and hoping that trashed data
+comes out the other end. The attacker can additionally try to
+decrease the network's reliability by performing antisocial activities
+from reliable servers and trying to get them taken down.
+% XXX Should there be more or less? Should we turn this into a
+% bulleted list? Should we cut it entirely?
+
+We list these attacks and more, and describe our defenses against them
+in Section~\ref{sec:attacks}.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
projects / thirdparty / tor.git / commitdiff
