[117991] in Cypherpunks
Re: Freedom Network commentary
daemon@ATHENA.MIT.EDU (Ian Sparkes)
Fri Sep 17 06:54:32 1999
Message-ID: <19990917103837.41054.qmail@hotmail.com>
From: "Ian Sparkes" <isparkes@hotmail.com>
To: cypherpunks@einstein.ssz.com
Cc: secret_squirrel@nym.alias.net
Date: Fri, 17 Sep 1999 03:38:36 PDT
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Reply-To: "Ian Sparkes" <isparkes@hotmail.com>
IIRC there was an exchange on this topic. I'm not sure if it was on this
list. I think Wei Dai was involved.
>assumptions of unclear parts of white paper:
>1. Any AIP on the last hop can act as a wormhole.
>2. packets are in clear text while they are on an AIP being prepared
>for the next hop; they are in cypher over the wire only.
>3. the create command is in the clear from the client to the first AIP
>when creating a route
>4. NSA controls all trans-oceanic interchanges (e.g. mae-west) and
>possibly other strategically important network choke points.
>Assumption based on recent echelon scandal.
>5. When padding, padding is added to fill packets to the maximum size
>of 6 hops, otherwise it would be possible to tell how many hops the
>client wished to use.
>
You assumption number 2 is fatally flawed, and I'm pretty sure that the most
severe part of your attack (getting your grubby mitts on the palintext data)
is therefore more or less dealt with.
Ian Goldberg gave a very interesting talk about freedom at CCC, and for
about an hour afterwards he gallantly took questions from a mumbling,
sceptical audience. A couple of minor things in the eMail system came up
which he couldn't answer in the heat of the moment (what to do with
undeliverable mail - you don't know where it's come from so all you can do
is throw it away. Correlation analysis of the last hop from the Freedom mail
server to the client) but all in all the system hangs together really well.
I certainly came away from the talk with the feeling that the system has
been well thought through. (Ian also mentioned that the email system was
going to be completely new before production, so the worries with the email
may already have been dealt with.
The data is encrypted to *each* of the servers on the route in turn and then
this encrypted information prepared for the next hop - the result is a data
packet that looks like a like a russian doll. Each hop decrypts a layer of
the "envelope" and then forwards it to the next server. An attack on an AIP
only delivers yet another encrypted packet.
The last hop (wormhole) delivers a packet encrypted to the client software.
With regards to the DoS point, you have this problem whether you use freedom
or not, don't you? I'm not sure that Freedom is even intended to be
DoS-proof.
I don't think there's so much a security issue for Freedom - the real issue
at the moment is getting the speed of the link up so that people will use it
willingly as their default Internet link.
Alex de Jode was also complaining a bit that the cover traffic was driving
the operating costs of a server up for AIPs that have a pay-per-byte link.
Of course, this is only the information I picked up at CCC - there may be
things I have overlooked.
Ian
>possible forms of attack:
>
>1. Hostile AIPs- A hostile AIP could be introduced to the network
>either as a volunteer or as an existing AIP that gets compromised.
>
>2. Forced routes- a. One way to force a route is to interrupt freedom net
>communications. The latency feature states whether an AIP is
>available. If the connection travels over an ATM connection,
>retransmit on packets can be modified. Then the internal latency
>variable will not match and the connection will break. AIP servers
>could be subjected to a simple DoS attack. b. The severs dont need to be
>attacked directly. Routers are
>vulnerable. Any router still using RIP can be hacked. A new route can
>be inserted that will cut links between AIPs or force a particular
>route. If the AIP cloud is widely distrubuted, traffic will be flowing over
>NSA compromised choke points eventually.
>
>3. traffic analysis-
>a. three types of packets: start, middle, end. The start packet is
>distguishable by the CREATE command.The middle packets are ciphered.
>the end packets are in the clear. A compramise of any AIP will make the
>last hop. next hop and final destination knowen. Furthermore, the paper
>implies that the client chooses the route. This would mean that a
>compramised router not only make the next, last, and final hop known but
>all hops after that one (and if the implementation was
>really brain dead all the hops prior). because the protocol keeps an
>Anonymous Connection ID (ACID) there would be a way to trace packets
>belonging to a certain connection. unless these ID's are unique to each
>hop.
>
>Combining all these:
>
>This attack is designed to minimize the amount of necessary hostile
>resources for total compromise of the freedom network. Force a
>predictable pattern to the randomness of the AIP cloud. IF the cloud
>as a circle, we have coincentric circles alternating between safe and
>hostile AIPs with hostile as the center and friendly as the outer
>ring. With 6 hops maximum, we need only 2 layers of hostile AIPs, for
>33% compromise. The circle gets "denser" toward the center, in 3space,
>like a funnel (black hole). The routes are designed in such a way that
>the traffic is forced to travel through the core of the circle, the
>compromised AIPs. Because of the alternation, each hostile AIP can see
>the source and the destination for the clients route because the
>packets are in clear text while the decrypt/encrypt happens on the
>hop. (interpret the white paper to say that cypher is only on the
>wire). with the ability to force a route and an ACID it would be possible
>to
>trace back a session in real time. plus the software defaults to choosing
>a first hop topologically close (making it easier to force a first hop).
>forcing a first hop means that the system provides no anonymity.
>
>Q+23
______________________________________________________
Get Your Private, Free Email at http://www.hotmail.com
