Diffstat (limited to 'doc/codecon04.mgp')
-rw-r--r-- | doc/codecon04.mgp | 135 |
1 files changed, 106 insertions, 29 deletions
diff --git a/doc/codecon04.mgp b/doc/codecon04.mgp index d78191edb6..e9815fcb37 100644 --- a/doc/codecon04.mgp +++ b/doc/codecon04.mgp @@ -60,27 +60,44 @@ Deployed: 20 nodes, hundreds (?) of users Many improvements on earlier design -Free software -- available source code +Free software -- modified BSD license Design is not covered by earlier onion routing patent +Uses SOCKS to interface with client apps + %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page -Talk Overview - -A bit about Onion Routing +We have working code -Improvements we've made +(14 kloc of C) -Some related work +and a design document, +and a byte-level specification, +and a Debian package (in Unstable) -Some lessons learned +Works on Linux, BSD, OSX, Cygwin, ... +User-space, doesn't need kernel mods or root -Ask me questions +%size 9 +http://freehaven.net/tor/ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%%page +%% +%%Talk Overview +%% +%%A bit about Onion Routing +%% +%%Improvements we've made +%% +%%Some related work +%% +%%Ask me questions +%% +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page Anonymity: Who needs it? @@ -95,7 +112,8 @@ Government applications research, law enforcement %size 6 Business applications - hide relationships and volumes of communication +%size 5 +(hide relationships and volumes of communication) Who is visiting job sites? Which groups are talking to patent lawyers? Who are your suppliers and customers? 
@@ -106,6 +124,19 @@ Business applications Anonymity is a network effect + Systems need traffic (many low-sensitivity users) to attract the high-sensitivity users + Most users do not value anonymity much + Weak security (fast system) can mean more users + which can mean +%cont, font "italic" +stronger +%cont, font "standard" +anonymity + High-sensitivity agents have incentive to run nodes + so they can be certain first node in their path is good + to attract traffic for their messages + There can be an optimal level of free-riding + %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page @@ -122,10 +153,12 @@ Fixed-size cells %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page -Tor's goal +Tor's goals -Conservative design (minimize new design work needed) +Conservative design + minimize new design work needed +%size 6 Support testing of future research Design for deployment; deploy for use @@ -133,13 +166,13 @@ Design for deployment; deploy for use %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page -Threat model - -Protect against curious Bob +Threat model -- what we aim for Protect against somebody watching Alice -Protect against a few curious nodes in the middle +Protect against curious Bob + +Protect against `some' curious nodes in the middle %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page @@ -149,11 +182,13 @@ Differences / limitations We're TCP-only, not all IP (but we're user-space and very portable) +Not as strong as high-latency systems (Mixmaster, Mixminion) + Not peer-to-peer No protocol normalization -%%Not unobservable +Not unobservable (no steg, etc) %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page 
@@ -164,13 +199,9 @@ Perfect forward secrecy Telescoping circuit negotiates keys at each hop + no more need for replay detection %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -%%page -%% -%%Separation from "protocol cleaning" -%% -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page No mixing, padding, traffic shaping (yet) @@ -183,6 +214,33 @@ Please show us they're worth the usability tradeoff %% %%Many TCP streams can share one circuit %% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page + +Many TCP streams share a circuit + +Previous designs built a new circuit for each stream + + lots of public key ops per request + plus anonymity dangers from making so many circuits + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%page + +Leaky-pipe circuit topology + +Alice can direct cells to any node in her circuit + + So we can support long-range padding, + have multiple streams exiting at different places in the circuit + etc + +%size 6 +Unclear whether this is dangerous or useful + +More research needed + %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page @@ -193,11 +251,14 @@ Simple rate limiting Plus have to keep internal nodes from overflowing +(Can't use global state or inter-node control) + %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page Directory servers +To solve the `introduction' problem Approve new servers 
@@ -233,17 +294,32 @@ Even an external adversary could do this! Rendezvous points - allow hidden services +don't need (brittle) reply onions + + Access-controlled: Bob can control who he talks to + Robust: Bob's service is available even when some Tor nodes go down + Smear-resistant: Evil service can't frame a rendezvous router + Application-transparent: Don't need to modify Bob's apache + +%size 6 +(Not implemented yet) + %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page -Related work +How do we compare security? -c/n vs c^2/n^2 vs 2 +Assume adversary owns c of n nodes + can choose which +%size 6 +What's the chance for a random Alice and Bob that he wins? -freedom, peekabooty, jap +Freedom, Tor: (c/n)^2 +Peekabooty, six-four, etc: c/n +Jap (if no padding): 1 if c>1 +Anonymizer: 1 if c>0 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page @@ -252,11 +328,12 @@ Future work Threshold directory agreement -Restricted-route (non-clique) topology +Scalability: Morphmix/p2p extensions? +Restricted-route (non-clique topology) -Morphmix/p2p extensions? +Non-TCP transport -Location-hidden servers via rendezvous points +Implement rendezvous points Make it work better @@ -265,9 +342,9 @@ Make it work better We have working code - Plus a design document, and a byte-level specification +and a Debian package (in Unstable) %size 9 http://freehaven.net/tor/ |
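Review bot: In hunk `@@ -60,27 +60,44 @@`, the old "Talk Overview" slide is kept as a `%%`-commented block rather than deleted; a dead slide in the source is clutter that every later editor has to read past, and the diff already shows it was superseded, so drop the commented lines and rely on history. The new "We have working code" slide introduced here (kloc count, design document, byte-level specification, Debian package, URL) also carries the same content as the closing slide that hunk `@@ -265,9 +342,9 @@` still edits; decide whether the talk should open or close with it, not both.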
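Review bot: In hunk `@@ -106,6 +124,19 @@`, the line "Weak security (fast system) can mean more users / which can mean stronger anonymity" states the network-effect argument without saying which property gets stronger: a larger user base enlarges the anonymity set, but it does not change the per-circuit exposure to compromised nodes that the later "(c/n)^2" slide quantifies. One clause such as "stronger anonymity (bigger anonymity set)" would keep an audience from reading this as "less protection yields more protection".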
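Review bot: In hunk `@@ -122,10 +153,12 @@`, the `%size 6` inserted before "Support testing of future research" is never reset on that page, so in mgp it also shrinks "Design for deployment; deploy for use", which is one of the three goals and presumably meant to be rendered at the same size as "Conservative design". Either reset the size after the sub-bullet "minimize new design work needed" or put the `%size` directive only around the indented line.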
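Review bot: In hunk `@@ -133,13 +166,13 @@`, "Protect against `some' curious nodes in the middle" uses TeX-style backtick/apostrophe quoting, which mgp renders literally as `some'; use plain quotes or emphasis. More importantly, the retitled "Threat model -- what we aim for" slide lists only what is protected against; the next slide's "Not as strong as high-latency systems" and the later "No mixing, padding, traffic shaping (yet)" both imply the adversary that is out of scope (one who watches both Alice and Bob and correlates timing). Stating that exclusion on the threat-model slide itself would make the limitation explicit where readers look for it.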
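Review bot: In hunk `@@ -164,13 +199,9 @@`, the added sub-bullet "no more need for replay detection" follows from the telescoping handshake only because each hop's keys are negotiated fresh for the circuit under the "Perfect forward secrecy" heading above it, so a replayed circuit-building message yields a session the replayer cannot read; the slide should say that in a few words ("fresh per-circuit keys, so replays get nothing") rather than leave the dependency implicit.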
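Review bot: In hunk `@@ -183,6 +214,33 @@`, the new "Many TCP streams share a circuit" slide is added directly after the still-commented `%%Many TCP streams can share one circuit` stub, which is now redundant and should be removed in the same change. On the new slide, "plus anonymity dangers from making so many circuits" would land better with the reason given: each new circuit is another path whose endpoints may fall on adversary-owned nodes, which is exactly the per-circuit probability the "How do we compare security?" slide later uses.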
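Review bot: In hunk `@@ -193,11 +251,14 @@`, "(Can't use global state or inter-node control)" gives the constraint on rate limiting without its reason; since the design elsewhere assumes nodes are not mutually trusted and that "some" of them are curious, saying "nodes don't trust each other, so no shared state" would justify the constraint. The same backtick-quote style as the threat-model slide appears in "To solve the `introduction' problem" and renders literally in mgp.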
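Review bot: In hunk `@@ -233,17 +294,32 @@`, the "How do we compare security?" slide should state what event the probabilities describe: "(c/n)^2" for Freedom and Tor is the chance that a single circuit has both its first and last hop on adversary-owned nodes, and, given the earlier slide that many TCP streams share a circuit, it is a per-circuit rate rather than a per-request one. Also, "Jap (if no padding): 1 if c>1" only holds when the two owned mixes are the cascade's first and last, not any two of the n nodes; "1 if c>1 (first and last mix)" would make the comparison with the free-route systems honest.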
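Review bot: In hunk `@@ -252,11 +328,12 @@`, the line changes from "Restricted-route (non-clique) topology" to "Restricted-route (non-clique topology)", moving the closing parenthesis so that "topology" is now inside the aside; this reads like an accidental edit made while reordering the bullets, and the original placement was correct.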