Loading doc/codecon04.mgp +106 −29 Original line number Diff line number Diff line Loading @@ -60,26 +60,43 @@ Deployed: 20 nodes, hundreds (?) of users Many improvements on earlier design Free software -- available source code Free software -- modified BSD license Design is not covered by earlier onion routing patent Uses SOCKS to interface with client apps %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page Talk Overview A bit about Onion Routing We have working code Improvements we've made (14 kloc of C) Some related work and a design document, and a byte-level specification, and a Debian package (in Unstable) Some lessons learned Works on Linux, BSD, OSX, Cygwin, ... User-space, doesn't need kernel mods or root Ask me questions %size 9 http://freehaven.net/tor/ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%page %% %%Talk Overview %% %%A bit about Onion Routing %% %%Improvements we've made %% %%Some related work %% %%Ask me questions %% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page Loading @@ -95,7 +112,8 @@ Government applications research, law enforcement %size 6 Business applications hide relationships and volumes of communication %size 5 (hide relationships and volumes of communication) Who is visiting job sites? Which groups are talking to patent lawyers? Who are your suppliers and customers? Loading 
@@ -106,6 +124,19 @@ Business applications Anonymity is a network effect Systems need traffic (many low-sensitivity users) to attract the high-sensitivity users Most users do not value anonymity much Weak security (fast system) can mean more users which can mean %cont, font "italic" stronger %cont, font "standard" anonymity High-sensitivity agents have incentive to run nodes so they can be certain first node in their path is good to attract traffic for their messages There can be an optimal level of free-riding %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page Loading @@ -122,10 +153,12 @@ Fixed-size cells %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page Tor's goal Tor's goals Conservative design (minimize new design work needed) Conservative design minimize new design work needed %size 6 Support testing of future research Design for deployment; deploy for use Loading @@ -133,13 +166,13 @@ Design for deployment; deploy for use %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page Threat model Protect against curious Bob Threat model -- what we aim for Protect against somebody watching Alice Protect against a few curious nodes in the middle Protect against curious Bob Protect against `some' curious nodes in the middle %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page Loading @@ -149,11 +182,13 @@ Differences / limitations We're TCP-only, not all IP (but we're user-space and very portable) Not as strong as high-latency systems (Mixmaster, Mixminion) Not peer-to-peer No protocol normalization %%Not unobservable Not unobservable (no steg, etc) %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page Loading 
@@ -164,12 +199,8 @@ Perfect forward secrecy Telescoping circuit negotiates keys at each hop no more need for replay detection %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%page %% %%Separation from "protocol cleaning" %% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page Loading @@ -183,6 +214,33 @@ Please show us they're worth the usability tradeoff %% %%Many TCP streams can share one circuit %% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page Many TCP streams share a circuit Previous designs built a new circuit for each stream lots of public key ops per request plus anonymity dangers from making so many circuits %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page Leaky-pipe circuit topology Alice can direct cells to any node in her circuit So we can support long-range padding, have multiple streams exiting at different places in the circuit etc %size 6 Unclear whether this is dangerous or useful More research needed %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page Loading @@ -193,11 +251,14 @@ Simple rate limiting Plus have to keep internal nodes from overflowing (Can't use global state or inter-node control) %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page Directory servers To solve the `introduction' problem Approve new servers Loading Loading 
@@ -233,17 +294,32 @@ Even an external adversary could do this! Rendezvous points allow hidden services don't need (brittle) reply onions Access-controlled: Bob can control who he talks to Robust: Bob's service is available even when some Tor nodes go down Smear-resistant: Evil service can't frame a rendezvous router Application-transparent: Don't need to modify Bob's apache %size 6 (Not implemented yet) %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page Related work How do we compare security? c/n vs c^2/n^2 vs 2 Assume adversary owns c of n nodes can choose which %size 6 What's the chance for a random Alice and Bob that he wins? freedom, peekabooty, jap Freedom, Tor: (c/n)^2 Peekabooty, six-four, etc: c/n Jap (if no padding): 1 if c>1 Anonymizer: 1 if c>0 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page Loading @@ -252,11 +328,12 @@ Future work Threshold directory agreement Restricted-route (non-clique) topology Scalability: Morphmix/p2p extensions? Restricted-route (non-clique topology) Morphmix/p2p extensions? Non-TCP transport Location-hidden servers via rendezvous points Implement rendezvous points Make it work better Loading @@ -265,9 +342,9 @@ Make it work better We have working code Plus a design document, and a byte-level specification and a Debian package (in Unstable) %size 9 http://freehaven.net/tor/ Loading Loading
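Review bot: in hunk @@ -60,26 +60,43 the old "Talk Overview" slide survives as a commented-out block (%%page ... %%Ask me questions) right after the new "We have working code" slide that replaces it; drop the commented copy rather than carry dead slide text in the source, the way the later hunk @@ -164,12 +199,8 already drops the commented "Separation from protocol cleaning" page. While touching this slide, the context line "Deployed: 20 nodes, hundreds (?) of users" still carries the "(?)" hedge; either give a figure you can stand behind or cut the user count before this goes on screen.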
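Review bot: in hunk @@ -106,6 +124,19 the line "High-sensitivity agents have incentive to run nodes so they can be certain first node in their path is good to attract traffic for their messages" packs two distinct reasons into one bullet; make them separate sub-bullets ("so they can be certain the first node in their path is good" and "to attract traffic for their messages") so the argument for the next bullet, "There can be an optimal level of free-riding", is visible. The italic emphasis built from the two %cont directives does reset to font "standard" on the same line, so the rest of the slide is unaffected.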
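Review bot: in hunk @@ -122,10 +153,12 the new "%size 6" directive is placed after "minimize new design work needed" and before "Support testing of future research", so it shrinks the remaining top-level goals rather than the sub-point under "Conservative design"; if the intent was a smaller sub-point (as "%size 6 Business applications" / "%size 5 (hide relationships ...)" do elsewhere in this patch), move the directive up one line and restore the size before "Support testing of future research".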
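Review bot: in hunk @@ -133,13 +166,13 "a few curious nodes in the middle" becomes "`some' curious nodes in the middle", which is vaguer, not sharper; the Related work slide later in this patch states the model precisely ("Assume adversary owns c of n nodes"), so reuse that wording here ("c of n nodes in the middle") instead of the scare-quoted `some'.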
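Review bot: in hunk @@ -149,11 +182,13 the uncommented line "Not unobservable (no steg, etc)" abbreviates a term the deck never spells out; write "steganography" once here, since this slide is the only place the audience meets it. The new "No protocol normalization" bullet is the right replacement for the commented "Separation from protocol cleaning" page removed later in the patch.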
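Review bot: in hunk @@ -183,6 +214,33 the commented-out stub "%%Many TCP streams can share one circuit" is left in place directly above the new "Many TCP streams share a circuit" slide that supersedes it; delete the stub for consistency with the cleanup in hunk @@ -164,12 +199,8. On the Leaky-pipe slide, "have multiple streams exiting at different places in the circuit etc" needs punctuation before "etc" (", etc."), and the two examples (long-range padding, multiple exit points) read better as sub-bullets under "So we can support".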
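Review bot: in hunk @@ -233,17 +294,32 the Related work slide puts "Jap (if no padding): 1 if c>1" next to "Anonymizer: 1 if c>0" without saying why a cascade needs more than one compromised node while a single proxy needs only one; add the one-line reason or the audience will read "c>1" as a typo for "c>0". The "(c/n)^2" and "c/n" figures also assume Alice picks her nodes uniformly at random from the n, which the slide should state alongside "Assume adversary owns c of n nodes / can choose which", since "can choose which" describes the adversary, not Alice. On the rendezvous slide, "(Not implemented yet)" agrees with the Future work change to "Implement rendezvous points".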
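Review bot: in hunk @@ -252,11 +328,12 moving the parenthesis from "Restricted-route (non-clique) topology" to "Restricted-route (non-clique topology)" changes what is parenthetical, and the original reads correctly (the topology is non-clique), so keep the old form; dropping the "Scalability:" label also loses the grouping that explained why restricted-route and "Morphmix/p2p extensions?" sit together.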
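Review bot: in hunk @@ -265,9 +342,9 the closing slide now repeats the list added to the opening "We have working code" slide in this same patch (design document, byte-level specification, Debian package in Unstable, the freehaven.net/tor URL); if the repeat is a deliberate recap keep it, otherwise trim one of the two.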