Mixmaster Message Drops

Anonymous nobody at mix.winterorbit.com
Thu Aug 9 01:37:39 PDT 2001


Joseph Ashwood wrote:
>[Jim Choate wrote]:
>> The next major question is to determine where the drops are
>> happening.  Inbound, outbound, inter-remailer, intra-remailer?
>
> That matters from a correction view but not from a usage view, which
> I assume we're taking. Basically we don't care what technology the
> remailer uses as long as it is correct technology and
> trustable. From there we care only what remailers are dysfunctional
> and which are useful.

Hear, hear.

> Correcting this is much more difficult, but would only take the use
> of digital signatures and encryption on all the messages traversing
> the network.

The quick and dirty way to do this is to sign and encrypt traffic
between remailers with gpg.  But, I doubt this will be necessary.  (At
some point something like this should be done, however, especially as
the added encryption makes flooding attacks much harder.)

It would be dumb for an adversary to attempt sabotage by causing
message drops because we can definitively solve the problem and in
doing so we may detect it, thus revealing the operation.  For example,
two remailer ops could collude to the extent of keeping checksums of
their mutual traffic and comparing offline.  This is undetectable to
the active attacker, but his or her presence will be revealed.  Once
revealed, the ops can methodically and quietly track down how the
attack is being performed.  This would be big news.

Far more effective is for an attacker to run a remailer perfectly, but
quietly watch everything going by.  (Hope nobody's taking notes! ;-)

>> If at all possible all measurements should be made anonymously and
>> as stealthily as possible.
>
> Agreed, I was beginning to address this above, it still has some major
> problems.

This isn't necessary if you have identified a working set of
remailers.  When they just work, you don't have to identify the bad
ones.  (Trust and reputation might be a faster way to get there than
statistics.)

The level of reliability specified, roughly 1 in 5000 messages
dropped, is barely detectable and is thus a good value.  If you send
10,000 messages in a month, that's about 330/day.  For example, you
might be feeding a few newsgroups through the mixmaster network to a
friend.  If the "packets" are sequenced and none are lost, then the
goal has been achieved.  This test could be performed as a side
benefit of some other activity.

Also, if the 1 in 5000 figure is truly independent (a stretch,
perhaps), sending the message three times gives you less than one in a
billion chance of failure.  Good enough for government work.
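
The offline checksum comparison between two cooperating remailer operators described above, as an added example that is not part of the original post or of Mixmaster. It assumes HMAC-SHA256 under a key the two operators share as the "checksum"; the function names, key and packets are constructed for illustration.

```python
import hashlib
import hmac
from collections import Counter

def digest(packet: bytes, key: bytes) -> str:
    """Keyed checksum of one inter-remailer packet (assumption: HMAC-SHA256)."""
    return hmac.new(key, packet, hashlib.sha256).hexdigest()

def log_traffic(packets, key: bytes) -> Counter:
    """What each operator keeps: a multiset of digests, never the packets."""
    return Counter(digest(p, key) for p in packets)

def compare_logs(sent: Counter, received: Counter) -> dict:
    """Compare A's 'sent to B' log with B's 'received from A' log, offline."""
    missing = sent - received      # A sent it, B never saw it: dropped on the link
    unexpected = received - sent   # B saw it, A never sent it
    total = sum(sent.values())
    return {
        "sent": total,
        "received": sum(received.values()),
        "missing": sorted(missing.elements()),
        "unexpected": sorted(unexpected.elements()),
        "drop_rate": sum(missing.values()) / total if total else 0.0,
    }

# Constructed sample data: 1000 packets plus one legitimate duplicate.
KEY = b"constructed-shared-key"
SENT_PACKETS = [b"packet-%04d" % i for i in range(1000)] + [b"packet-0007"]
# Two packets vanish between the remailers and one packet appears from nowhere.
DROPPED = (b"packet-0042", b"packet-0500")
RECEIVED_PACKETS = [p for p in SENT_PACKETS if p not in DROPPED] + [b"forged-packet"]

def run_sample() -> dict:
    return compare_logs(log_traffic(SENT_PACKETS, KEY),
                        log_traffic(RECEIVED_PACKETS, KEY))

if __name__ == "__main__":
    report = run_sample()
    print("sent:", report["sent"], "received:", report["received"])
    print("missing on link:", len(report["missing"]))
    print("unexpected at receiver:", len(report["unexpected"]))
    print("observed drop rate: %.5f" % report["drop_rate"])
```

A multiset is used so that a packet legitimately sent twice but delivered once still shows up as one missing copy.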




