[10705] in bugtraq
Practical Attack Against ZKS Freedom.
daemon@ATHENA.MIT.EDU (Jay D. Dyson)
Thu Jun 3 12:04:00 1999
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.GSO.3.96.990601142506.12799E-100000@techreports.jpl.nasa.gov>
Date: Tue, 1 Jun 1999 14:26:40 -0700
Reply-To: "Jay D. Dyson" <jdyson@TECHREPORTS.JPL.NASA.GOV>
From: "Jay D. Dyson" <jdyson@TECHREPORTS.JPL.NASA.GOV>
To: BUGTRAQ@NETSPACE.ORG
-----BEGIN PGP SIGNED MESSAGE-----
Courtesy of Cypherlist-Watch.
Hadn't seen this cross the list here.
- -----BEGIN FORWARDED MESSAGE-----
Date: Sat, 29 May 1999 15:30:24 -0700
From: Wei Dai <weidai@eskimo.com>
To: cypherlist-watch@joshua.rivertown.net
Subject: a practical attack against ZKS Freedom
Message-ID: <19990529153024.B7065@eskimo.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Although the ZKS Freedom AIP protocol (as described in version 1.0 of the
ZKS whitepaper) is conceptually similar to the PipeNet protocol, there are
several attacks against ZKS which PipeNet is not susceptible to. The
reason is that PipeNet uses end-to-end traffic padding, whereas ZKS only
uses link padding. I came up with several attacks against link padding
systems while developing PipeNet, which is why I ultimately chose
end-to-end padding. However, one can argue that end-to-end padding is too
costly, and that these attacks are not practical because they require a
global observer or the cooperation of one or more of the anonymous router
(AIP) operators. ZKS has not publicly made this argument, but since they
are probably aware of these earlier attacks they must have followed its
reasoning.
I hope the practicality of the new attack presented here will change their
mind. In this attack, a user creates an anonymous route from himself
through a pair of AIPs back to himself. He then increases the traffic
through this route until total traffic between the pair of AIPs reaches the
bandwidth limit set by the ZKS Traffic Shaper. At this point the AIPs no
longer send any padding packets to each other, and the real traffic
throughput between them can be deduced by subtracting the traffic sent by
the attacker from the bandwidth limit.
This attack implies that link padding buys virtually no security. An
attacker, without access to network sniffers or cooperation of any AIP
operator, can strip off link padding and obtain real-time throughput data
between all pairs of AIPs. If end-to-end padding is not used, this data
would correlate with traffic throughput of individual users, and
statistical analysis could then reveal their supposedly anonymous routes.
- ----- END FORWARDED MESSAGE -----
( ______
)) .--- "There's always time for a good cup of coffee" ---. >===<--.
C|~~| (>--- Jay D. Dyson - jdyson@techreports.jpl.nasa.gov ---<) | = |-'
`--' `- Superman had Kryptonite, I have NT. Life is real. -' `-----'
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBN1RQE82OVDpaKXD9AQHqbgP/bvCWyLvSKzsFEtHko5dVk/3wCqv8mytB
+xkInNPYxi8+no9Zv4ksAF/422ebK5HUjNC/HCDd62GcXwej2gE/vaQbxdf/eL6W
GbUPeaQ+VB49N9U5yhH9pLt1kqbgOMgVx+QE6Ro4DByL6YAxkdNdHbi7qKFQ+pQu
/AmZANl3NCQ=
=upzI
-----END PGP SIGNATURE-----
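Added illustration (editor's example; not part of the original post and not ZKS or PipeNet code): a small Python model of the attack Wei Dai describes. It assumes a Traffic Shaper that caps the A<->B link at LINK_LIMIT packets per tick and pads it to exactly that figure, that other users' real packets are placed on the link before the attacker's self->A->B->self route gets the remainder, and, for the final correlation step, that the attacker can also see each candidate user's own sending rate (for instance as the server they are talking to). All traffic patterns are constructed with a seeded random generator.

```python
"""Toy model of Wei Dai's link-padding attack on a pair of AIPs.

Constructed simulation, not ZKS Freedom code. Assumed model: the shaper
caps the A<->B link at LINK_LIMIT packets per tick and pads it to exactly
that figure; other users' real packets are placed first and the attacker's
route (self -> A -> B -> self) receives whatever capacity remains.
"""
import random

LINK_LIMIT = 100  # packets per tick (assumed shaper setting)


def shaped_link(real_packets, limit=LINK_LIMIT):
    """One tick of the A<->B link: real traffic first, padding up to the limit."""
    real = min(real_packets, limit)
    return {"real": real, "padding": limit - real, "total": limit}


def sniffer_view(background_series, limit=LINK_LIMIT):
    """A passive wiretap sees only totals: a flat line carrying no information."""
    return [shaped_link(b, limit)["total"] for b in background_series]


def attacker_probe(background, limit=LINK_LIMIT):
    """Ramp traffic through self->A->B->self until throughput stops growing.

    Once the attacker is squeezed, the link carries no padding, so the other
    users' real traffic is the limit minus what the attacker pushed through.
    """
    offered = 0
    while True:
        offered += 1
        got = min(offered, limit - min(background, limit))
        if got < offered:  # saturated: padding is gone, attacker is squeezed
            return limit - got


def pearson(xs, ys):
    """Plain Pearson correlation; returns 0.0 if either series is constant."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sx = sum((x - mx) ** 2 for x in xs) ** 0.5
    sy = sum((y - my) ** 2 for y in ys) ** 0.5
    return cov / (sx * sy) if sx and sy else 0.0


def identify_route(user_rates, via_link, ticks=60, noise=5, seed=1):
    """Recover the A<->B real-traffic series tick by tick, then correlate it
    with each candidate user's own sending pattern.

    user_rates: {name: per-tick packet counts}; via_link: users whose
    anonymous route actually crosses A<->B. Assumed: the attacker can observe
    each user's edge sending rate, which end-to-end padding would deny him.
    """
    rng = random.Random(seed)
    background = [
        sum(user_rates[u][t] for u in via_link) + rng.randint(0, noise)
        for t in range(ticks)
    ]
    recovered = [attacker_probe(b) for b in background]
    scores = {u: pearson(recovered, user_rates[u]) for u in user_rates}
    return recovered, scores


def demo(ticks=60, seed=7):
    """Constructed scenario: three users, only alice's route crosses A<->B."""
    rng = random.Random(seed)
    users = {name: [rng.randint(0, 40) for _ in range(ticks)]
             for name in ("alice", "bob", "carol")}
    recovered, scores = identify_route(users, via_link={"alice"}, ticks=ticks)
    return users, recovered, scores


if __name__ == "__main__":
    users, recovered, scores = demo()
    print("wiretap sees:", set(sniffer_view(recovered)))
    for user, score in sorted(scores.items(), key=lambda kv: -kv[1]):
        print(f"{user:6s} correlation with recovered A<->B traffic: {score:+.2f}")
```

The wiretap view is the same constant every tick, which is all link padding is meant to guarantee; the probe strips that cover using nothing but the attacker's own route, and the recovered series points at the one user whose traffic actually traverses the link.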