Re: Getting Back to our Radical Roots

The resources used to break DES, if as many people hosted remailers and anonymizers on their machines, would further Cypherpunks goals a lot more than breaking DES, which we all know was breakable (as we know what "56 bits" means).

There were messages here some time back about systems like anonymizer but chainable and using cryptography. Did anything come of that? Efficient anonymous web browsing could be a killer app for crypto. Use anonymous web access to get to hotmail accounts like this one and you have anonymous email, easy to use.

John

At 1:52 PM -0700 6/20/97, John Smith wrote:

> The resources used to break DES, if as many people hosted remailers and anonymizers on their machines, would further Cypherpunks goals a lot more than breaking DES, which we all know was breakable (as we know what "56 bits" means).
>
> There were messages here some time back about systems like anonymizer but chainable and using cryptography. Did anything come of that? Efficient anonymous web browsing could be a killer app for crypto. Use anonymous web access to get to hotmail accounts like this one and you have anonymous email, easy to use.

A hurdle or speedbump is the one of latencies:

* E-mail is expected, or accepted, to have latencies of minutes or even hours. And as the packet sizes of e-mail messages are typically small, e.g. 3 KB, adequate mixing or entropy can be gotten in a remailer by mixing 10 or so messages, repeated several times through various hops.

* Web access is expected, or required, to be fast and peppy...people will hardly tolerate (i.e., will not use) a site which spends minutes between actions. Whether minutes are needed between actions depends on the degree of mixing sought, and the amount of other messages or Web accesses....

Also, a remailer can be done with "one way" paths, while Web accesses of course require two-way paths. Two-way paths present oft-discussed hurdles for anonymity. (Reply-blocks, message pools, etc.)

These are not unresolvable problems, from what I can see, but are typical engineering tradeoffs, a la the usual: "Speed, anonymity, interactivity. Pick two." (Or something like this...)

PipeNet will help. Several groups are sort of working on new schemes. I have my own thoughts about fixing this problem.

--Tim May

There's something wrong when I'm a felon under an increasing number of laws. Only one response to the key grabbers is warranted: "Death to Tyrants!"

Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay@got.net  408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Higher Power: 2^1398269     | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."

At 01:52 PM 6/20/97 PDT, John Smith wrote:

> The resources used to break DES, if as many people hosted remailers and anonymizers on their machines, would further Cypherpunks goals a lot more than breaking DES, which we all know was breakable (as we know what "56 bits" means).
>
> There were messages here some time back about systems like anonymizer but chainable and using cryptography. Did anything come of that? Efficient anonymous web browsing could be a killer app for crypto. Use anonymous web access to get to hotmail accounts like this one and you have anonymous email, easy to use.

Anonymous web browsing is definitely being worked on. However, simply chaining proxies ala remailer chains is not sufficient because traffic analysis is fairly trivial.

The question is what's the threat model. If the goal is to prevent the server from identifying the client given limited resources, then www.anonymizer.com or similar is sufficient. However, the real problem is preventing an entity with unlimited resources and control over most of the nodes in the anonymous network from conducting successful traffic analysis. This is an entirely different and very difficult problem.

The cpunks are getting some help in this from the Naval Research Lab (although actually I think we're helping them not vice versa) because the military seems to want to be able to browse anonymously too.

Jeremey.

--
Jeremey Barrett
BlueMoney Software Corp. Crypto, Ecash, Commerce Systems
http://www.bluemoney.com/
PGP key fingerprint = 3B 42 1E D4 4B 17 0D 80 DC 59 6F 59 04 C3 83 64

At 7:22 pm -0400 on 6/20/97, Tim May wrote:

> When I was at CFP a few months back, an NSA guy said he read the Cypherpunks list regularly. And a CIA analyst who attended the Hackers Conference recognized my name when I happened to sit down next to him at a meal, and said his office often looked to the CP list for insights into how various proposals would be met. I don't recall either of their names--I wasn't that interested in tracking them--but I rather suspect their subscriptions were under other names or at least other domain names, or forwarded directly off of other sites.

This could be done at the archives, even if they *are* in Singapore. :-).

Maybe *that's* why they need onion routers... :-).

-----------------
Robert Hettinga (rah@shipwright.com), Philodox
e$, 44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
The e$ Home Page: http://www.shipwright.com/

On Fri, 20 Jun 1997, Jeremey Barrett wrote:

> Anonymous web browsing is definitely being worked on. However, simply chaining proxies ala remailer chains is not sufficient because traffic analysis is fairly trivial.
>
> The question is what's the threat model. If the goal is to prevent the server from identifying the client given limited resources, then www.anonymizer.com or similar is sufficient. However, the real problem is preventing an entity with unlimited resources and control over most of the nodes in the anonymous network from conducting successful traffic analysis. This is an entirely different and very difficult problem.

Having got the latest Applied Cryptography, it looks like it would be possible to set up a series of servers on the "Dining Cryptographers at a Disco" model. It would require a constant flow, probably something like token ring, so couldn't be used for high bandwidth applications, but it completely nukes traffic analysis.

(As an aside, if someone has control of "most of the nodes" they can cheat however they want without resorting to traffic analysis - if they control few nodes the picture is different.)

[Brief but wrong description: assume there are an even number of servers. Each generates a random number and passes it on along with a parity bit. Then the next server compares its random number with the previous one and flips the parity bit if the random bits *differ*, and then sends the parity bit and the same random bit to the next server. When the bit has completed the circuit, the parity bit will be zero (which would be broadcast or sent in the next round), unless someone altered it intentionally. So anyone can set a one bit by simply not flipping it, and no one will know who since all anyone knows is the original state of the parity bit when they saw it, and the previous random number. If a series of bits is encrypted using a public key, then only the recipient will be able to receive it, and in all cases no one will know who sent or received the message. You need collision detection like ethernet, and some addressing stuff, but all the extra bandwidth obscures the sender and recipient. Someone please post a clearer description.]

Regarding DC nets: Modern tree structures only double the bandwidth requirement. DC nets are practical today. I would encourage CP's to work on implementations.

--
Lucky Green <mailto:shamrock@netcom.com>
PGP encrypted mail preferred

At 01:57 PM 6/25/97 -0700, Lucky Green <shamrock@netcom.com> wrote:

> Regarding DC nets: Modern tree structures only double the bandwidth requirement. DC nets are practical today. I would encourage CP's to work on implementations.

How do you do that? Arrange the XORs to do x0^x1, x2^x3...., then (x0^x1)^(x2^x3)... etc., ending up with user 0 doing the last XOR, and broadcasting or tree-casting the results? It cuts down on bandwidth for the average user, but does end up with a few users doing most of the work, and perhaps there's some security risk in the unbalanced workload.

It's an interesting approach, and I suppose you could do a bit more work (logn instead of 2) to spread the partial results around so more people can calculate them directly (e.g. user 0 sends user 2 x0^x1, and sends user 1 x2^x3, and if you're still paranoid you can have user 0 also send user 3 x0^x1, which user 2 and user 3 can compare....)

You've probably got to put more thought into getting the details right, like collision detection and backoff, but it's still doable.

# Thanks; Bill
# Bill Stewart, +1-415-442-2215 stewarts@ix.netcom.com
# You can get PGP outside the US at ftp.ox.ac.uk/pub/crypto/pgp
# (If this is a mailing list or news, please Cc: me on replies. Thanks.)
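Added example, not code from any poster in this thread: a small Python simulation of one DC-net round for n participants holding pairwise shared one-byte keys, combined either round-robin as in tzeruch's token-ring sketch above or with the pairwise XOR tree Bill describes here, plus the Ethernet-style collision check both posts mention. The participant count, the one-byte key size and the `senders` map are constructed for illustration.

```python
import secrets

def share_keys(n):
    """Pairwise shared secrets with key[i][j] == key[j][i] (one byte each, for readability).
    Constructed at random here; a real deployment would exchange them out of band."""
    keys = [[0] * n for _ in range(n)]
    for i in range(n):
        for j in range(i + 1, n):
            keys[i][j] = keys[j][i] = secrets.randbits(8)
    return keys

def participant_output(i, keys, message=0):
    """Participant i announces the XOR of all its shared keys; a sender also XORs in its message.
    Each key appears in exactly two announcements, so every key cancels once the round is combined."""
    out = message
    for j, k in enumerate(keys[i]):
        if j != i:
            out ^= k
    return out

def ring_combine(outputs):
    """Token-ring style combining (tzeruch's sketch): the running XOR visits every node in turn."""
    acc = 0
    for o in outputs:
        acc ^= o
    return acc

def tree_combine(outputs):
    """Tree combining (Bill Stewart's sketch): x0^x1, x2^x3, ... then the partials, log2(n) levels."""
    level = list(outputs)
    while len(level) > 1:
        if len(level) % 2:
            level.append(0)  # pad an odd level; XOR with 0 is the identity
        level = [level[k] ^ level[k + 1] for k in range(0, len(level), 2)]
    return level[0]

def dc_round(n, senders, keys=None):
    """One round. senders maps participant index -> message byte (empty dict: nobody sends).
    Returns the per-node announcements and the combined result, which is identical for ring and tree."""
    keys = keys or share_keys(n)
    outputs = [participant_output(i, keys, senders.get(i, 0)) for i in range(n)]
    ring, tree = ring_combine(outputs), tree_combine(outputs)
    assert ring == tree
    return outputs, ring

def collided(result, my_message):
    """Ethernet-style collision detection: a sender whose message did not come back intact knows
    another node transmitted in the same round and must back off and retry."""
    return result != my_message
```

The combined result is the same either way, and an observer holding only the per-node announcements cannot tell which index was the sender, since any other index could have produced the same announcements under a different key assignment.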

At 04:23 PM 6/25/97 -0400, tzeruch@ceddec.com wrote:

> On Fri, 20 Jun 1997, Jeremey Barrett wrote:
>
> > The question is what's the threat model. If the goal is to prevent the server from identifying the client given limited resources, then www.anonymizer.com or similar is sufficient. However, the real problem is preventing an entity with unlimited resources and control over most of the nodes in the anonymous network from conducting successful traffic analysis. This is an entirely different and very difficult problem.
>
> Having got the latest Applied Cryptography, it looks like it would be possible to set up a series of servers on the "Dining Cryptographers at a Disco" model. It would require a constant flow, probably something like token ring, so couldn't be used for high bandwidth applications, but it completely nukes traffic analysis.

You'll have a secure black box then. Everything in the black box is secure, but the real information comes from watching what goes in one side and out the other. Unless there is an astronomical amount of traffic, it will be fairly obvious who's doing what. After all, knowing who did what is the goal of traffic analysis, usually not what route they took in between.

The trick is to design a system where an eavesdropper can't correlate a connection into the anonymous network to one coming out. Such a system will almost certainly involve some sort of "personal proxy" running on your own machine. It might maintain a constant bandwidth to the anonymous network, but that's sub-optimal since most people like their bandwidth for other things.

Jeremey.

--
Jeremey Barrett

On Wed, 25 Jun 1997, Jeremey Barrett wrote:

> The trick is to design a system where an eavesdropper can't correlate a connection into the anonymous network to one coming out. Such a system will almost certainly involve some sort of "personal proxy" running on your own machine. It might maintain a constant bandwidth to the anonymous network, but that's sub-optimal since most people like their bandwidth for other things.

The trick for users might be to move everything through the DC net. That way you take a max. hit of 50% loss of bandwidth. The problem would likely be worse for intermediate nodes. Need to think about this some more. There is a solution...

--Lucky

At 3:07 PM -0700 6/20/97, Jeremey Barrett wrote:

> The cpunks are getting some help in this from the Naval Research Lab (although actually I think we're helping them not vice versa) because the military seems to want to be able to browse anonymously too.

I rather suspect the motives are more complicated than this. It is an easy enough matter for anyone in the CIA or NSA or DIA or whatever to get cutout accounts in any number of ISPs, either local or connected to remotely in the usual ways. This lets them surf rapidly and quickly, and with little traceability so long as they maintain an "air gap" between the nyms. "ddenning@nsa.gov" can become "witch666@aol.com" or "shill@clarke.net" rather easily.

When I was at CFP a few months back, an NSA guy said he read the Cypherpunks list regularly. And a CIA analyst who attended the Hackers Conference recognized my name when I happened to sit down next to him at a meal, and said his office often looked to the CP list for insights into how various proposals would be met. I don't recall either of their names--I wasn't that interested in tracking them--but I rather suspect their subscriptions were under other names or at least other domain names, or forwarded directly off of other sites.

--Tim May

At 01:52 PM 6/20/97 PDT, John Smith wrote:

> There were messages here some time back about systems like anonymizer but chainable and using cryptography. Did anything come of that? Efficient anonymous web browsing could be a killer app for crypto. Use anonymous web access to get to hotmail accounts like this one and you have anonymous email, easy to use.

See http://www.itd.nrl.navy.mil/ITD/5540/projects/onion-routing/overview.html

The project is moving forward after some Cypherpunks instigated bug fixes. However, it will probably be a while before the system has been ported from Solaris/BSAFE to Linux/SSLeay.

--Lucky Green <shamrock@netcom.com>
PGP encrypted mail preferred.
DES is dead! Please join in breaking RC5-56. http://rc5.distributed.net/