diff options
author | Roger Dingledine <arma@torproject.org> | 2003-10-22 11:30:47 +0000 |
---|---|---|
committer | Roger Dingledine <arma@torproject.org> | 2003-10-22 11:30:47 +0000 |
commit | cf2fe9d1da0b91302355542d60050ae720ceaf5d (patch) | |
tree | 082fab3b2ecf7af342b7d7d7ea0fad9a0af8499e | |
parent | 4139c1c86a92a90bde1c006a592bc7e894755140 (diff) | |
download | tor-cf2fe9d1da0b91302355542d60050ae720ceaf5d.tar.gz tor-cf2fe9d1da0b91302355542d60050ae720ceaf5d.zip |
some minor tweaks
svn:r657
-rw-r--r-- | doc/tor-design.tex | 26 |
1 files changed, 17 insertions, 9 deletions
diff --git a/doc/tor-design.tex b/doc/tor-design.tex index 936f8a5af2..038f4f378b 100644 --- a/doc/tor-design.tex +++ b/doc/tor-design.tex @@ -94,7 +94,7 @@ forcing successive nodes in the circuit to decrypt it. Rather than using onions to lay the circuits, Tor uses an incremental or \emph{telescoping} path-building design, where the initiator negotiates session keys with each successive hop in the circuit. Onion replay detection is no longer -necessary, and the network as a whole is more reliable to boot, since +necessary, and the process of building circuits is more reliable, since the initiator knows which hop failed and can try extending to a new node. \item \textbf{Applications talk to the onion proxy via Socks:} @@ -343,12 +343,12 @@ cebolla (?)\\ Like other low-latency anonymity designs, Tor seeks to frustrate attackers from linking communication partners, or from linking multiple communications to or from a single point. Within this -overriding goal, however, several design considerations have directed +main goal, however, several design considerations have directed Tor's evolution. First, we have tried to build a {\bf deployable} system. [XXX why?] This requirement precludes designs that are expensive to run (for -example, by requiring more bandwidth than volunteers are easy to +example, by requiring more bandwidth than volunteers will easily provide); designs that place a heavy liability burden on operators (for example, by allowing attackers to implicate operators in illegal activities); and designs that are difficult or expensive to implement @@ -406,9 +406,10 @@ sending or receiving communications via Tor. \SubSection{Adversary Model} \label{subsec:adversary-model} -Like all practical low-latency systems, Tor is broken against a global -passive adversary, the most commonly assumed adversary for analysis of -theoretical anonymous communication designs. The adversary we assume +Like all practical low-latency systems, Tor is not secure against a +global passive adversary, which is the most commonly assumed adversary +for analysis of theoretical anonymous communication designs. The adversary +we assume is weaker than global with respect to distribution, but it is not merely passive. We assume a threat model that expands on that from \cite{or-pet00}. @@ -424,8 +425,8 @@ The basic adversary components we consider are: link. Can change all those things that an observer can observe up to the limits of computational ability (e.g., cannot forge signatures unless a key is compromised). -\item[Hostile initiator:] can initiate (destroy) connections with - specific routes as well as varying the timing and content of traffic +\item[Hostile initiator:] can initiate (or destroy) connections with + specific routes as well as vary the timing and content of traffic on the connections it creates. A special case of the disrupter with additional abilities appropriate to its role in forming connections. \item[Hostile responder:] can vary the traffic on the connections made @@ -434,6 +435,10 @@ The basic adversary components we consider are: special case of the disrupter. \item[Key breaker:] can break the longterm private decryption key of a Tor-node. +% Er, there are no long-term private decryption keys. They have +% long-term private signing keys, and medium-term onion (decryption) +% keys. Plus short-term link keys. Should we lump them together or +% separate them out? -RD \item[Compromised Tor-node:] can arbitrarily manipulate the connections under its control, as well as creating new connections (that pass through itself). @@ -545,7 +550,7 @@ in an offline clique. Rendezvous points are a building block for \emph{location-hidden services} (aka responder anonymity) in the Tor network. Location-hidden -services means Bob can offer a tcp service, such as an Apache webserver, +services means Bob can offer a tcp service, such as a webserver, without revealing the IP of that service. We provide this censorship resistance for Bob by allowing him to @@ -739,6 +744,9 @@ them. \item \emph{Selectively DoS servers.} \item \emph{Introduce timing into messages.} \item \emph{Tagging attacks.} +the exit node can change the content you're getting to try to +trick you. similarly, when it rejects you due to exit policy, +it could give you a bad IP that sends you somewhere else. \end{itemize} \item \textbf{Directory attacks} |