aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--doc/tor-design.tex65
1 files changed, 31 insertions, 34 deletions
diff --git a/doc/tor-design.tex b/doc/tor-design.tex
index 4e414e1e1..7c379060c 100644
--- a/doc/tor-design.tex
+++ b/doc/tor-design.tex
@@ -239,7 +239,8 @@ work for the Onion Routing project in Section~\ref{sec:conclusion}.
\Section{Related work}
\label{sec:related-work}
-Modern anonymity systems date to Chaum's Mix-Net\cite{chaum-mix}. Chaum
+Modern anonymity systems date to Chaum's Mix-Net design
+\cite{chaum-mix}. Chaum
proposed hiding the correspondence between sender and recipient by
wrapping messages in layers of public key cryptography, and relaying them
through a path composed of ``Mixes.'' These mixes in turn decrypt, delay,
@@ -249,8 +250,8 @@ path towards their destinations.
Subsequent relay-based anonymity designs have diverged in two
principal directions. Some have attempted to maximize anonymity at
the cost of introducing comparatively large and variable latencies,
-including Babel\cite{babel}, Mixmaster\cite{mixmaster-spec}, and
-Mixminion\cite{minion-design}. Because of this
+including Babel \cite{babel}, Mixmaster \cite{mixmaster-spec}, and
+Mixminion \cite{minion-design}. Because of this
decision, these \emph{high-latency} networks are well-suited for anonymous
email, but introduce too much lag for interactive tasks such as web browsing,
internet chat, or SSH connections.
@@ -318,15 +319,12 @@ ISDN \cite{isdn-mixes}.
In P2P designs like Tarzan \cite{tarzan:ccs02} and MorphMix
\cite{morphmix:fc04}, all participants both generate traffic and relay
-traffic for others. Rather than aiming to hide the originator within a
-group of other originators, these systems instead aim to prevent a peer
-or observer from knowing whether a given peer originated the request
+traffic for others. These systems aim to prevent a peer
+or observer from knowing whether a given peer originated a request
or just relayed it from another peer. While Tarzan and MorphMix use
layered encryption as above, Crowds \cite{crowds-tissec} simply assumes
an adversary who cannot observe the initiator: it uses no public-key
-encryption, so nodes on a circuit can read that circuit's traffic. The
-anonymity of the initiator relies on filtering all identifying information
-from the data stream.
+encryption, so nodes on a circuit can read that circuit's traffic.
Hordes \cite{hordes-jcs} is based on Crowds but also uses multicast
responses to hide the initiator. Herbivore \cite{herbivore} and P5
@@ -334,23 +332,21 @@ responses to hide the initiator. Herbivore \cite{herbivore} and P5
and efficiency trade-offs to make broadcast more practical.
These systems are designed primarily for communication between peers,
although Herbivore users can make external connections by
-requesting a peer to serve as a proxy. Allowing easy connections to
-nonparticipating responders or recipients is important for usability,
-for example so users can visit nonparticipating Web sites or exchange
-mail with nonparticipating recipients.
+requesting a peer to serve as a proxy.
Systems like Freedom and the original Onion Routing build the circuit
all at once, using a layered ``onion'' of public-key encrypted messages,
each layer of which provides a set of session keys and the address of the
next server in the circuit. Tor as described herein, Tarzan, MorphMix,
Cebolla \cite{cebolla}, and AnonNet \cite{anonnet} build the circuit
-in stages, extending it one hop at a time. This approach makes perfect
-forward secrecy feasible.
+in stages, extending it one hop at a time.
+Section~\ref{subsubsec:constructing-a-circuit} describes how this
+approach makes perfect forward secrecy feasible.
Circuit-based anonymity designs must choose which protocol layer
to anonymize. They may choose to intercept IP packets directly, and
-relay them whole (stripping the source address) as the contents of
-the circuit \cite{freedom2-arch,tarzan:ccs02}. Alternatively, like
+relay them whole (stripping the source address) along the circuit
+\cite{freedom2-arch,tarzan:ccs02}. Alternatively, like
Tor, they may accept TCP streams and relay the data in those streams
along the circuit, ignoring the breakdown of that data into TCP frames
\cite{morphmix:fc04,anonnet}. Finally, they may accept application-level
@@ -374,12 +370,11 @@ they avoid the well-known inefficiencies of tunneling TCP over TCP
Distributed-trust anonymizing systems need to prevent attackers from
adding too many servers and thus compromising too many user paths.
Tor relies on a small set of well-known directory servers, run by
-independent parties, to make
-decisions about which nodes can join. Tarzan
-and MorphMix allow unknown users to run servers, and limit an attacker
-from becoming too much of the network based on a limited resource such
-as number of IPs controlled. Crowds suggests requiring written, notarized
-requests from potential crowd members.
+independent parties, to make decisions about which nodes can
+join. Tarzan and MorphMix allow unknown users to run servers, and use
+a limited resource (like IP addresses) to prevent an attacker from
+controlling too much of the network. Crowds suggests requiring
+written, notarized requests from potential crowd members.
Anonymous communication is essential for censorship-resistant
systems like Eternity \cite{eternity}, Free~Haven \cite{freehaven-berk},
@@ -409,15 +404,16 @@ liability burden on operators (for example, by allowing attackers to
implicate onion routers in illegal activities); and designs that are
difficult or expensive to implement (for example, by requiring kernel
patches, or separate proxies for every protocol). This requirement also
-precludes systems in which users who do not benefit from anonymity are
-required to run special software in order to communicate with anonymous
-parties. (We do not meet this goal for the current rendezvous design,
+precludes systems in which non-anonymous parties (such as websites)
+must run our software. (We do not meet this goal for the current
+rendezvous design,
however; see Section~\ref{sec:rendezvous}.)
\textbf{Usability:} A hard-to-use system has fewer users---and because
anonymity systems hide users among users, a system with fewer users
-provides less anonymity. Usability is not only a convenience for Tor:
-it is a security requirement \cite{econymics,back01}. Tor should not
+provides less anonymity. Usability is thus not only a convenience for Tor:
+it is a security requirement \cite{econymics,back01}. Tor should
+therefore not
require modifying applications; should not introduce prohibitive delays;
and should require the user to make as few configuration decisions
as possible.
@@ -443,7 +439,7 @@ approaches to protecting anonymity.
\label{subsec:non-goals}
In favoring simple, deployable designs, we have explicitly deferred
several possible goals, either because they are solved elsewhere, or because
-they are an open research question.
+their solution is an open research problem.
\textbf{Not Peer-to-peer:} Tarzan and MorphMix aim to scale to completely
decentralized peer-to-peer environments with thousands of short-lived
@@ -478,7 +474,7 @@ they communicate.
A global passive adversary is the most commonly assumed threat when
analyzing theoretical anonymity designs. But like all practical
low-latency systems, Tor does not protect against such a strong
-adversary. Instead, we expect an adversary who can observe some fraction
+adversary. Instead, we assume an adversary who can observe some fraction
of network traffic; who can generate, modify, delete, or delay traffic
on the network; who can operate onion routers of its own; and who can
compromise some fraction of the onion routers on the network.
@@ -486,9 +482,9 @@ compromise some fraction of the onion routers on the network.
In low-latency anonymity systems that use layered encryption, the
adversary's typical goal is to observe both the initiator and the
receiver. Passive attackers can confirm a suspicion that Alice is
-talking to Bob if the timing and volume properties of the traffic on the
-connection are unique enough; active attackers are even more effective
-because they can induce timing signatures on the traffic. Tor provides
+talking to Bob if the timing and volume patterns of the traffic on the
+connection are distinct enough; active attackers can induce timing
+signatures on the traffic to \emph{force} distinct patterns. Tor provides
some defenses against these \emph{traffic confirmation} attacks, for
example by encouraging users to run their own onion routers, but it does
not provide complete protection. Rather, we aim to prevent \emph{traffic
@@ -499,7 +495,7 @@ Our adversary might try to link an initiator Alice with any of her
communication partners, or he might try to build a profile of Alice's
behavior. He might mount passive attacks by observing the edges of the
network and correlating traffic entering and leaving the network---either
-because of relationships in packet timing; relationships in the volume
+by relationships in packet timing; relationships in the volume
of data sent; or relationships in any externally visible user-selected
options. The adversary can also mount active attacks by compromising
routers or keys; by replaying traffic; by selectively denying service
@@ -628,6 +624,7 @@ to each other by a given exit node. Also, because circuits are built
in the background, failed routers do not affect user experience.
\subsubsection{Constructing a circuit}
+\label{subsubsec:constructing-a-circuit}
Users construct a circuit incrementally, negotiating a symmetric key with
each hop one at a time. To begin creating a new circuit, the user