Loading doc/tor-design.tex +9 −10 Original line number Diff line number Diff line Loading @@ -96,8 +96,8 @@ Routing design: \item \textbf{Perfect forward secrecy:} The original Onion Routing design was vulnerable to a single hostile node recording traffic and later compromising successive nodes in the circuit and forcing them % XXX Problem: at this point, readers don't know what an onion is. to decrypt it. Rather than using a single onion to lay each circuit, to decrypt it. Rather than using a single multiply encrypted data structure (an \emph{onion}) to lay each circuit, Tor now uses an incremental or \emph{telescoping} path-building design, where the initiator negotiates session keys with each successive hop in the circuit. Once these keys are deleted, subsequently compromised nodes Loading @@ -106,7 +106,7 @@ is no longer necessary, and the process of building circuits is more reliable, since the initiator knows when a hop fails and can then try extending to a new node. \item \textbf{Separation of protocol cleaning from anonymity:} \item \textbf{Separation of ``protocol cleaning'' from anonymity:} The original Onion Routing design required a separate ``application proxy'' for each supported application protocol---most of which were never written, so many applications were never supported. Tor uses the Loading Loading @@ -269,7 +269,7 @@ about who is talking to whom. The simplest low-latency designs are single-hop proxies such as the {\bf Anonymizer} \cite{anonymizer}, wherein a single trusted server strips the data's origin before relaying it. These designs are easy to analyze, but require users to trust the anonymizing proxy. analyze, but users must trust the anonymizing proxy. Concentrating the traffic to a single point increases the anonymity set (the people a given user is hiding among), but can make traffic analysis easier: an adversary need only eavesdrop on the proxy to observe Loading Loading @@ -314,6 +314,7 @@ encryption, so any node on a circuit can read that circuit's traffic. {\bf Hordes} \cite{hordes-jcs} is based on Crowds but also uses multicast responses to hide the initiator. {\bf Herbivore} \cite{herbivore} and {\bf P5} \cite{p5} go even further, requiring broadcast. % XXX This should be $P^5$ in bold. How to do it? -RD These systems are designed primarily for communication between peers, although Herbivore users can make external connections by requesting a peer to serve as a proxy. Loading Loading @@ -402,7 +403,7 @@ it is a security requirement \cite{econymics,back01}. Tor should therefore not require modifying applications; should not introduce prohibitive delays; and should require users to make as few configuration decisions as possible. Finally, Tor should be easily implemented on all commonly as possible. Finally, Tor should be easily implemented on all common platforms; we cannot require users to change their operating system in order to be anonymous. (The current Tor implementation runs on Windows and assorted Unix clones including Linux, FreeBSD, and MacOS X.) Loading Loading @@ -480,11 +481,9 @@ responder. By observing both ends, passive attackers can confirm a suspicion that Alice is talking to Bob if the timing and volume patterns of the traffic on the connection are distinct enough; active attackers can induce timing signatures on the traffic to \emph{force} distinct patterns. Tor provides some defenses against these \emph{traffic confirmation} attacks, for example by encouraging users to run their own onion routers, but it does % XXX More P2P issues here. -NM not provide complete protection. Rather, we aim to prevent \emph{traffic signatures on the traffic to \emph{force} distinct patterns. Tor does not address these \emph{traffic confirmation} attacks. Rather, we aim to prevent \emph{traffic analysis} attacks, where the adversary uses traffic patterns to learn which points in the network he should attack. Loading Loading
doc/tor-design.tex +9 −10 Original line number Diff line number Diff line Loading @@ -96,8 +96,8 @@ Routing design: \item \textbf{Perfect forward secrecy:} The original Onion Routing design was vulnerable to a single hostile node recording traffic and later compromising successive nodes in the circuit and forcing them % XXX Problem: at this point, readers don't know what an onion is. to decrypt it. Rather than using a single onion to lay each circuit, to decrypt it. Rather than using a single multiply encrypted data structure (an \emph{onion}) to lay each circuit, Tor now uses an incremental or \emph{telescoping} path-building design, where the initiator negotiates session keys with each successive hop in the circuit. Once these keys are deleted, subsequently compromised nodes Loading @@ -106,7 +106,7 @@ is no longer necessary, and the process of building circuits is more reliable, since the initiator knows when a hop fails and can then try extending to a new node. \item \textbf{Separation of protocol cleaning from anonymity:} \item \textbf{Separation of ``protocol cleaning'' from anonymity:} The original Onion Routing design required a separate ``application proxy'' for each supported application protocol---most of which were never written, so many applications were never supported. Tor uses the Loading Loading @@ -269,7 +269,7 @@ about who is talking to whom. The simplest low-latency designs are single-hop proxies such as the {\bf Anonymizer} \cite{anonymizer}, wherein a single trusted server strips the data's origin before relaying it. These designs are easy to analyze, but require users to trust the anonymizing proxy. analyze, but users must trust the anonymizing proxy. Concentrating the traffic to a single point increases the anonymity set (the people a given user is hiding among), but can make traffic analysis easier: an adversary need only eavesdrop on the proxy to observe Loading Loading @@ -314,6 +314,7 @@ encryption, so any node on a circuit can read that circuit's traffic. {\bf Hordes} \cite{hordes-jcs} is based on Crowds but also uses multicast responses to hide the initiator. {\bf Herbivore} \cite{herbivore} and {\bf P5} \cite{p5} go even further, requiring broadcast. % XXX This should be $P^5$ in bold. How to do it? -RD These systems are designed primarily for communication between peers, although Herbivore users can make external connections by requesting a peer to serve as a proxy. Loading Loading @@ -402,7 +403,7 @@ it is a security requirement \cite{econymics,back01}. Tor should therefore not require modifying applications; should not introduce prohibitive delays; and should require users to make as few configuration decisions as possible. Finally, Tor should be easily implemented on all commonly as possible. Finally, Tor should be easily implemented on all common platforms; we cannot require users to change their operating system in order to be anonymous. (The current Tor implementation runs on Windows and assorted Unix clones including Linux, FreeBSD, and MacOS X.) Loading Loading @@ -480,11 +481,9 @@ responder. By observing both ends, passive attackers can confirm a suspicion that Alice is talking to Bob if the timing and volume patterns of the traffic on the connection are distinct enough; active attackers can induce timing signatures on the traffic to \emph{force} distinct patterns. Tor provides some defenses against these \emph{traffic confirmation} attacks, for example by encouraging users to run their own onion routers, but it does % XXX More P2P issues here. -NM not provide complete protection. Rather, we aim to prevent \emph{traffic signatures on the traffic to \emph{force} distinct patterns. Tor does not address these \emph{traffic confirmation} attacks. Rather, we aim to prevent \emph{traffic analysis} attacks, where the adversary uses traffic patterns to learn which points in the network he should attack. Loading
