Paradoxical bandwidth 'law' with anonymizing systems?
I was reading a paper on Onion routing, and the following occurred to me:

The FEWER people using the system, the SLOWER the system can react. Otherwise, it leaks temporal information as a block moves from router to router.

Longer explanation:

Onion routing provides real-time anonymized connections. (Compare to "mixmaster" email anonymizers which do not provide real-time connections).

If you are trying to avoid timing attacks in such a system, then the fewer the people using the system, the longer the routers have to wait, it seems to me. Otherwise, say if you were the only user of the system, the fact that packets ("Onions") are being sent from router to router is easy to track.

If a lot of connections are being processed, the connections from router to router are difficult to trace, so the routers needn't be concerned with imposing delays to impede time-based traffic analysis.

A possible workaround would be to place some of the routers in time zones which would be active. That way, even 4AM users would get temporally anonymized by the busy routers in other zones.

I suppose this is similar to the anonymity-by-groups (e.g., using a simple proxy) concept, where your 'group' is other users of Onion routers. But you can't be anonymous if you're the only one using the chain of routers, right?

------------------------------------------------------------
David Honig Orbit Technology
honig@otc.net Intaanetto Jigyoubu

Steel : Meatspace :: Encryption : Virtual space
Another way to defeat traffic analysis is to maintain a constant stream of traffic between servers, some of which is noise.. Only someone with the decryption key would be able to determine which is noise and which is signal (hopefully). Pipenet's description involved this constant stream.. It may have been one of the resource-consuming aspects that the designers of onion routing wanted to get rid of.

I have been thinking of anonymous packet resenders recently, and one of the problems that confronted me was that regardless of how much encrypted traffic goes between the resender systems, an organization with enough resources could watch for "unknown" incoming connections at each of the known resenders and match that with the outgoing connection if there aren't too many people connected.. The organization could even force some type of DOS on the incoming connections until the outgoing connection also dropped (revealing the sender's identity), although I suppose the outgoing packets could continue to be sent by the resenders in the case of a dropped connection. Putting the right stuff in the packets would be difficult, though.

To make it more difficult for such an organization to discover a sender's identity, I thought that if anonymous connections could not be depended on to be numerous enough, the entry points to the resender system could also maintain popular web/ftp/mail sites which accepted requests with hidden packet transmission requests. Of course, this would make packet sending/receiving very expensive, and the increased traffic coming from one IP and destined to mostly anonymous resenders might make it stand out from the regular connections.. but the identity tracker's job has been made harder (since he must analyze large amounts of incoming traffic), and the entry points to the resender system can be said to receive mostly "innocent" data.

Any comments/ideas?

On Wed, 15 Apr 1998, David Honig wrote:

> I was reading a paper on Onion routing, and the following occurred to me: The FEWER people using the system, the SLOWER the system can react.
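An added illustration of the trade-off raised in the first message (not code from either poster or from the Onion Routing project): a simulation of a single router under two batching policies, one that waits for k messages before forwarding and one that forwards on a fixed timer. Poisson arrivals, the two mix models, the function names and all parameter values are assumptions chosen for the example.

```python
import random
from collections import Counter

def threshold_mix_delay(arrival_rate, k, n_messages=20000, seed=1):
    """Router holds messages until k have arrived, then forwards all k together.
    Every message hides among k others; returns the mean wait in seconds."""
    rng = random.Random(seed)
    t, batch, total, flushed = 0.0, [], 0.0, 0
    for _ in range(n_messages):
        t += rng.expovariate(arrival_rate)      # assumed Poisson arrivals
        batch.append(t)
        if len(batch) == k:                     # flush: all k leave at time t
            total += sum(t - arrived for arrived in batch)
            flushed += k
            batch.clear()
    return total / flushed

def timed_mix_alone_fraction(arrival_rate, interval, n_messages=20000, seed=1):
    """Router forwards whatever it holds every `interval` seconds (bounded delay).
    Returns the fraction of messages that were the only one in their flush,
    i.e. trivially linkable across the hop by a passive observer."""
    rng = random.Random(seed)
    t, slots = 0.0, Counter()
    for _ in range(n_messages):
        t += rng.expovariate(arrival_rate)
        slots[int(t // interval)] += 1          # which flush carries this message
    alone = sum(1 for count in slots.values() if count == 1)
    return alone / n_messages

if __name__ == "__main__":
    PER_USER_RATE = 0.05    # constructed value: messages per second per user
    K, INTERVAL = 8, 1.0    # constructed batch size and flush timer
    print("users  wait_for_k=8 (s)  alone_with_1s_timer")
    for users in (1, 10, 100, 1000):
        rate = users * PER_USER_RATE
        print(f"{users:5d}  {threshold_mix_delay(rate, K):16.2f}  "
              f"{timed_mix_alone_fraction(rate, INTERVAL):19.3f}")
```

Under these assumptions the mean wait for a fixed batch size is (k-1)/(2 x arrival rate), so it grows in inverse proportion to the number of users, while a fixed timer keeps latency bounded but leaves most messages alone in their flush when traffic is light.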
participants (2)
- David Honig
- Illuminatus Primus