From 09ffc85a97fd4a3ad5eea9b36622269c7884b7b3 Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Tue, 26 Jun 2007 21:40:19 +0000 Subject: r13522@catbus: nickm | 2007-06-26 17:37:43 -0400 Add proposal 116 from Mike Lieberman: Two hop paths from entry guards. svn:r10683 --- proposals/116-two-hop-paths-from-guard.txt | 120 +++++++++++++++++++++++++++++ 1 file changed, 120 insertions(+) create mode 100644 proposals/116-two-hop-paths-from-guard.txt (limited to 'proposals/116-two-hop-paths-from-guard.txt') diff --git a/proposals/116-two-hop-paths-from-guard.txt b/proposals/116-two-hop-paths-from-guard.txt new file mode 100644 index 0000000..0230a5a --- /dev/null +++ b/proposals/116-two-hop-paths-from-guard.txt @@ -0,0 +1,120 @@ +Filename: 116-two-hop-paths-from-guards.txt +Title: Two hop paths from entry guards +Version: $Revision: 13462 $ +Last-Modified: $Date: 2007-06-17T15:09:35.083173Z $ +Author: Michael Lieberman +Created: 26-Jun-2007 +Status: Open + +This proposal is related to (but different from) Mike Perry's proposal 115 +"Two Hop Paths." + +Overview: + +Volunteers who run entry guards should have the option of using only 2 +additional tor nodes when constructing their own tor circuits. + +While the option of two hop paths should perhaps be extended to every client +(as discussed in Mike Perry's thread), I believe the anonymity properties of +two hop paths are particularly well-suited to client computers that are also +serving as entry guards. + +First I will describe the details of the strategy, as well as possible +avenues of attack. Then I will list advantages and disadvantages. Then, I +will discuss some possibly safer variations of the strategy, and finally +some implementation issues. + +Details: + +Suppose Alice is an entry guard, and wants to construct a two hop circuit. +Alice chooses a middle node at random (not using the entry guard strategy), +and gains anonymity by having her traffic look just like traffic from +someone else using her as an entry guard. + +Can Alice's middle node figure out that she is initiator of the traffic? I +can think of four possible approaches for distinguishing traffic from Alice +with traffic through Alice: + +1) Notice that communication from Alice comes too fast: Experimentation is +needed to determine if traffic from Alice can be distinguished from traffic +from a computer with a decent link to Alice. + +2) Monitor Alice's network traffic to discover the lack of incoming packets +at the appropriate times. If an adversary has this ability, then Alice +already has problems in the current system, because the adversary can run a +standard timing attack on Alice's traffic. + +3) Notice that traffic from Alice is unique in some way such that if Alice +was just one of 3 entry guards for this traffic, then the traffic should be +coming from two other entry guards as well. An example of "unique traffic" +could be always sending 117 packets every 3 minutes to an exit node that +exits to port 4661. However, if such patterns existed with sufficient +precision, then it seems to me that Tor already has a problem. (This "unique +traffic" may not be a problem if clients often end up choosing a single +entry guard because their other two are down. Does anyone know if this is +the case?) + +4) First, control the middle node *and* some other part of the traffic, +using standard attacks on a two hop circuit without entry nodes (my recent +paper on Browser-Based Attacks would work well for this +http://petworkshop.org/2007/papers/PET2007_preproc_Browser_based.pdf). With +control of the circuit, we can now cause "unique traffic" as in 3). +Alternatively, if we know something about Alice independently, and we can +see what websites are being visited, we might be able to guess that she is +the kind of person that would visit those websites. + +Anonymity Advantages: + +-Alice never has the problem of choosing a malicious entry guard. In some +sense, Alice acts as her own entry guard. + +Anonymity Disadvantages: + +-If Alice's traffic is identified as originating from herself (see above for +how hard that might be), then she has the anonymity of a 2 hop circuit +without entry guards. + +Additional advantages: + +-A discussion of the latency advantages of two hop circuits is going on in +Mike Perry's thread already. +-Also, we can advertise this change as "Run an entry guard and decrease your +own Tor latency." This incentive has the potential to add nodes to the +network, improving the network as a whole. + +Safer variations: + +To solve the "unique traffic" problem, Alice could use two hop paths only +1/3 of the time, and choose 2 other entry guards for the other 2/3 of the +time. All the advantages are now 1/3 as useful (possibly more, if the other +2 entry guards are not always up). + +To solve the problem that Alice's responses are too fast, Alice could delay +her responses (ideally based on some real data of response time when Alice +is used an entry guard). This loses most of the speed advantages of the two +hop path, but if Alice is a fast entry guard, it doesn't lose everything. It +also still has the (arguable) anonymity advantage that Alice doesn't have to +worry about having a malicious entry guard. + +Implementation details: +For Alice to remain anonymous using this strategy, she has to actually be +acting as an entry guard for other nodes. This means the two hop option can +only be available to whatever high-performance threshold is currently set on +entry guards. Alice may need to somehow check her own current status as an +entry guard before choosing this two hop strategy. + +Another thing to consider: suppose Alice is also an exit node. If the +fraction of exit nodes in existence is too small, she may rarely or never be +chosen as an entry guard. It would be sad if we offered an incentive to run +an entry guard that didn't extend to exit nodes. I suppose clients of Exit +nodes could pull the same trick, and bypass using Tor altogether (zero hop +paths), though that has additional issues.* + +Mike Lieberman +MIT + +*Why we shouldn't recommend Exit nodes pull the same trick: +1) Exit nodes would suffer heavily from the problem of "unique traffic" +mentioned above. +2) It would give governments an incentive to confiscate exit nodes to see if +they are pulling this trick. -- cgit v1.2.3-54-g00ecf