Re: [tor-talk] Fwd: ANONdroid
On Thu, Jan 26, 2012 at 10:35:20AM +0200, Maxim Kammerer wrote:
On Thu, Jan 26, 2012 at 10:05, Karsten N. <kn@awxcnx.de> wrote:
It is possible, to deanonymize a single user by some features (user IP address, website monitoring or user account). The idedentify feature for the malicious user has to be provided by the law enforcement agency and all operators have to get an official order in their country.
So there is no difference from Tor?
JonDoNym and Tor have some significant aspects in common, but they are fundamentally different in the basis for their security. JonDoNym is a mix cascade design (or `MIX' as some would write it). This means that all the messages (packets/cells) that enter the network together (enter a node at roughly the same time) proceed through the network together in a batch and leave the network together (exit at a predictable but distinct node all at the same time). In principle, this means that an adversary will have a difficult time separating messages in a batch from one another. (In practice, research indicates that the situation for low-latency traffic is, let's just be generous and say, more complicated.) This is the basis of the security they provide. Onion routing designs like Tor derive their security primarily from the unpredictability of routes: just seeing a message from a client enter the network does not tell you where it is going to come out. The pros and cons of these are a matter of long debate. (I miss you, Andreas.) I come down strongly on the side of onion routing as an approach. Many detailed research papers address lots of the issues, but much of my position is captured in my "Why I'm not an Entropist." (Let me know if you want to see it and can't find it.) The basic difference is roughly that mix cascades attempt to hide you well in a predictable 'anonymity set'. Onion routing networks attempt to make it hard to know where to look/attack if you want to de-anonymize, e.g., what website someone is browsing. And the Tor network is intended to be big enough and in diverse enough jurisdictions that it is hard for any one adversary to look everywhere (thousands of nodes worldwide). That's the main idea, skipping a lot of aspects, such as the possible benefits (or not) of combining the two approachers.
An scientific paper about the "Revocable Anonymity" impleneted by JonDonym
I see, so is that an optional feature that can be turned on by a MIX router operator once served by a surveillance order? It seems to me that it's an advantage over Tor, where relay operators can be served with an order and some Tor patches that they wouldn't be able to turn down to to the absence of a similar feature in Tor. Revocable Anonymity seems to be designed to provide the minimum necessary information to law enforcement.
Many security researchers, including myself, are quite resistant to the idea of revocable anonymity. Designing, building, and deploying a system to be secure is incredibly hard even without the added burden of building in a systematic means to selectively remove its security properties. See, for example, Matt Blaze's work on key escrow. See http://www.acsac.org/2011/program/keynotes/ for his recent retrospective. But leaving that entire issue aside, from my above comment, I hope it is apparent that there is another important difference from mix cascades. For Tor such a surveillance order for purposes of tracking particular communicants would be pointless, and thus presumably unjustified. Unlike cascades, a message entering the network in one location might come out at any exit node, anywhere in the world. And if, e.g., one observes communication exiting a particular network node and arriving at a destination of interest, there is no reason to think that future communication, even from the same originating client is likely to emerge from that same node. In fact just the opposite. aloha, Paul _______________________________________________ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk ----- End forwarded message ----- -- Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
participants (1)
-
Paul Syverson