Tim May wrote:
I haven't carefully looked at the current source code (if it's available) for things like "Type II Mixmaster" remailers, things which offer reply-blocks.
The source is available for mixmaster. However, Type II does not offer reply blocks.
Certainly for the canonical Cypherpunks remailer, the store-and-forward-after-mixing remailer, the fact that the nested encryption is GENERATED BY THE ORIGINATOR means that interception is useless to a TLA. The most a TLA can do is to a) not forward as planned, resulting in a dropped message, or b) see where a particular collection of random-looking (because of encryption) bits came from and where they are intended to next go.
Not necessarily. You don't have to be able to read a message to determine what it is. In the case of an amphibian remailer operator (who shall remain nameless) revealing the identity of someone using his remailer, this remop ran 2 of the three remailers being used. The chain went: A -> B -> C -> D -> E where A is the sender, E the recipient, and B and D are the remailers controlled by the same person. Also, if the message to E had been encrypted it wouldn't have mattered much in identifing who what sending something to whom. The remop could tell that a message from A coming in through B always resulted in a message going to C, and that such messages always had a corresponding message from D to E. The fact that the messages were encrypted to each remailer's key, and that the middle remailers was not compromised, did not protect the user. There were a some special circumstances to this, the biggest one being that A was sending a ton of messages, all of similar size, through the exact same chain. But it does show the problem with Type I reply blocks in use by the current system.
In particular, a TLA or interceptor or corrupted or threatened remailer operator CANNOT insert new text or new delivery instructions into packets received by his node BECAUSE HE CANNOT OPEN ANY PAYLOAD ENCRYPTED TO THE NEXT NODE. Anything he adds to the payload bits (which he can see of course, though not decrypt or make sense of) will of course make the next node see only garbage when he tries to decrypt the payload.
Of course they can't alter the encrypted text, but it may be possible to add text after the pgp-encrypted block to make tracking the messages easier. There's also the issue of taking a reply block and replaying it with new text in order to watch where it goes. [snip]
And if even a fraction of the remailers are compromised, then with collusion they can map inputs to outputs, in many cases. (How many they can and how many they can't are issues of statistics and suchlike.)
Exactly. This is the case I was mentioning above. It shows that the "if one remailer is legit your messages are safe" line of thinking is not necessarily true. [snip]
Adding reply-block capability significantly raises the risks for traceability, in my opinion. I am not casting doubt on the Anonymizer and on Mixmaster Type N (whatever is current), but I have not seen much detailed discussion here on the Cypherpunks list, and I am unaware of peer-reviewed papers on the cryptographic protocols being used. (If they exist, pointers here would be great to have!)
Type II is the current, though cypherpunk (Type I) are in use. II does not allow for reply blocks. Type III (mixminion) is in active development and allows for SURBs - Single Use Reply Blocks -- that will allow for nyms without having to store a set number of reply blocks that can be replayed (a la the current type I pseudonym setup) Anyway, just a few thoughts. I'm far from an expert on this so take everything with a large grain of salt. --B