author Paul Syverson <syverson@itd.nrl.navy.mil> 2007-06-14 21:05:28 +0000
committer Paul Syverson <syverson@itd.nrl.navy.mil> 2007-06-14 21:05:28 +0000
commit 4398a0991033331de7df5f07df7384e8b8550418
tree ca44506454298e5caa22f652672e6a864c2e5cad
parent 9a74e881efac170df9787e7a69cc87e4ef20a862
Change suggestions from our editor
svn:r10603
-rw-r--r-- doc/design-paper/sptor.tex 18
-rw-r--r-- doc/design-paper/tor-design.bib 8
2 files changed, 23 insertions, 3 deletions
diff --git a/doc/design-paper/sptor.tex b/doc/design-paper/sptor.tex
index ce60bfa88..eaa2f0428 100644
--- a/doc/design-paper/sptor.tex
+++ b/doc/design-paper/sptor.tex
@@ -76,9 +76,15 @@ a %signed
list of Tor nodes from several central \emph{directory servers} via a
voting protocol to avoid dependence on or complete trust in any one of
them, and incrementally creates a private pathway or \emph{circuit} of
-encrypted connections through authenticated Tor nodes on the network,
+encrypted connections through authenticated Tor nodes on the network
+whose public keys were obtained form the directory servers,
negotiating a separate set of encryption keys for each hop along the
-circuit. The circuit is extended one node at a time, and each node
+circuit. The nodes in the circuit are chosen at random by the client
+subject to a preference for higher performing nodes to allocate
+resources effectively and with a client-chosen preferred set of first
+nodes called \emph{entry guards} to complicate profiling attacks by
+internal adversaries~\cite{hs-attack}.
+The circuit is extended one node at a time, and each node
along the way knows only the immediately previous and following nodes
in the circuit, so no individual Tor node knows the complete path that
each fixed-sized data packet (or \emph{cell}) will take. Thus,
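Review bot: typo in the added line "whose public keys were obtained form the directory servers,": "form" should be "from". The new node-selection sentence also chains two constraints in one clause ("subject to a preference for higher performing nodes ... and with a client-chosen preferred set of first nodes"); splitting it so the performance weighting and the entry guards each get their own sentence would read more clearly, and "higher performing" would normally be hyphenated as a compound modifier.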
@@ -148,7 +154,13 @@ users and applications. For example, unlike purely P2P designs we
neither limit ordinary users to content and services available only
within our network nor require them to take on responsibility for
connections outside the network, unless they separately choose to run
-server nodes.
+server nodes. Nonetheless because we support low-latency interactive
+communications, end-to-end \emph{traffic correlation}
+attacks~\cite{danezis:pet2004,defensive-dropping,SS03,hs-attack,bauer:tr2007}
+allow an attacker who can observe both ends of a communication to
+correlate packet timing and volume, quickly linking the initiator to
+her destination.
+
Our defense lies in having a diverse enough set of nodes to prevent
most real-world adversaries from being in the right places to attack
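Review bot: the \cite added after "attacks" lists five keys, but this commit adds only bauer:tr2007 to tor-design.bib; please confirm danezis:pet2004, defensive-dropping, SS03 and hs-attack are already defined there, otherwise the paper will build with undefined citations. In the same added sentence, "Nonetheless because" needs a comma after "Nonetheless". The added blank line also turns "Our defense lies in ..." into the start of a new paragraph, which is worth a second look since it now opens without restating which attack the defense is against.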
diff --git a/doc/design-paper/tor-design.bib b/doc/design-paper/tor-design.bib
index 2738f20db..37cd20ff5 100644
--- a/doc/design-paper/tor-design.bib
+++ b/doc/design-paper/tor-design.bib
@@ -9,6 +9,14 @@
}
+@TechReport{bauer:tr2007,
+ author = {Kevin Bauer and Damon McCoy and Dirk Grunwald and Tadayoshi Kohno and Douglas Sicker},
+ title = {Low-Resource Routing Attacks Against Anonymous Systems},
+ institution = {University of Colorado at Boulder},
+ year = 2007,
+ number = {CU-CS-1025-07}
+}
+
% fix me
@misc{tannenbaum96,
author = "Andrew Tannenbaum",
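Review bot: the new bauer:tr2007 entry delimits its fields with braces and leaves "year = 2007" bare, while the neighbouring tannenbaum96 entry uses double quotes (author = "Andrew Tannenbaum"). BibTeX accepts both, but picking one convention for the file would keep later edits consistent. The entry also lands directly above the existing "% fix me" comment, which belongs to tannenbaum96; the blank "+" line keeps them separate, so just make sure the comment still sits immediately before the entry it refers to.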