owned this note
owned this note
Published
Linked with GitHub
# Designing and attacking anonymous communication systems - George Danezis 2004
###### tags: `Tag(HashCloak - Validator Privacy)`
Paper: https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-594.pdf
Definitions:
* Anonymity is defined as the state of being not identifiable within a set of subjects, the anonymity set.
* Therefore we chose to define the anonymity provided by a system as the amount of information the attacker is missing to uniquely identify an actor’s link to an action.
* Pre-image resistance means that given h(x) it is difficult to extract any bits of x.
* Weak collision resistance means that given x it is difficult to find y such that h(x) = h(y).
* Strong collision resistance means that it is difficult to find any x and y such that h(x) = h(y).
* Therefore we have named this feature single-use reply blocks or SURB.
>The main cryptographic hash function used in this work is the standard SHA-1 [SHA93]. Its output is 160 bits long (20 bytes), and offers good strong collision resistance properties (∼ 2 80 hashes to break). Being a National Institute of Standards and Technology (NIST) standard it is readily available in most implementations of cryptographic libraries. It is believed to be secure, since no known attacks have been published against it.
### Table of Contents
[toc]
:::info
>Abstract: This report contributes to the field of anonymous communications over widely deployed communication networks. It describes novel schemes to protect anonymity; it also presents powerful new attacks and new ways of analysing and understanding anonymity properties.
:::
### Introduction
> Our major contribution consists of methods to measure anonymity, the design of new anonymous communication mechanisms, and a set of generic attacks that can be used to test the limits of anonymity
### Chapter 2: Defining anonymity
Anonymity as a security property
> Anonymity allows actors to hide their relation to particular actions and outcomes. Since anonymous communication is the main subject of this work, our objective will be to hide correspondences between senders and the messages they sent, a property we will call sender anonymity, or receivers and the messages they receive, namely recipient anonymity. It is possible for a channel to offer full bidirectional anonymity to allow anonymous senders to converse with anonymous receivers.
It is important to note that anonymity of communications is a security property orthogonal to the secrecy of communications. A typical example illustrating this is an anonymous sent letter to a newspaper. In this case the identity of the sender of the letter is not revealed although the content is public. One can use conventional encryption techniques, in addition to anonymous communications, to protect the confidentiality of messages’ contents.
The global passive adversary is the main threat model against which mix systems are required to be secure and have been thoroughly analysed against.
National entities are the most powerful adversaries in the real world because of the funding they are able to commit but also because of their legal authority over a jurisdiction. Many national entities could be considered to be global passive adversaries.
Large corporations have resources that are comparable to national entities but lack the legal authority to eavesdrop on communications or compel nodes to reveal secrets. On the other hand they are able to run subverted nodes that collect information about users, and launch active attacks.
It is worth noting that a network might protect users from traffic analysis, but still provide inadequate anonymity because of side information leaked by messages as they enter and exit the mix network.
### Chapter 3: Primitives and building blocks
#### Symmetric cryptographic primitives
**Pseudo-random functions: stream ciphers**
A pseudo-random function, or stream cipher s takes as its input a fixed length key k and generates an infinitely long (in theory) string of bits s(k). Some properties of a stream cipher are:
* Key secrecy means that given some of the output of the stream cipher s(k) it is difficult to infer anything about the key k.
* Pseudo-randomness means that for any party that does not know the key k, the output s(k) of the cipher, in indistinguishable from a truly random bit-string.
**Random permutations: block ciphers**
A block cipher takes as an input a secret key and a plaintext bit-string of length l (called the block length). It then outputs another l bit-string called the ciphertext. The mapping between the inputs and outputs of a block cipher is a secret permutation of the l-bit space, for a given key k. For this reason, the operation of a block cipher can be “undone”, by a decryption operation that takes the key k and a ciphertext and outputs the original plaintext. The main properties of a block cipher are:
* Key secrecy means that given any number of known pairs of plaintext and ciphertext an adversary cannot extract the key k. In other words no operation leaks the key.
* Permutation pseudo-randomness means that given any number of pairs of known plaintext and ciphertext it is not possible for the adversary to infer any other mappings of the random permutation.
**Large block ciphers: BEAR**
> An important feature of BEAR is its all-or-nothing nature. None of the plaintext can be retrieved until all the bits of ciphertext are known. Furthermore, if any ciphertext is modified by an attacker, without knowledge of the key the message will decrypt into a random stream. In many cases even a key-less (or with a fixed globally known key) BEAR transform can be used.
**Message authentication codes for integrity**
A message authentication code (MAC) is a short bit-string that is derived from a message and a key. The parties with the key can compute the MAC, which also allows them to verify it, while the parties without the key cannot distinguish a valid MAC from a random one. There are many possible construction of MACs. Two of them are presented here:
* A block cipher in CBC mode can be used to compute a MAC. The initialisation vector is set to a globally known value (usually a string of zeros) and only the last block of the CBC ciphertext is kept as the MAC. Using AES would result in a 128 bit MAC.
* A hash function can be used to compute a MAC by appending and prepending the key to the text to be checked. It is important to append the key at the end since this prevents an attacker using implementation specificities of SHA-1, to update the message and the MAC, therefore producing a valid MAC without knowing the key.
#### Asymmetric cryptographic primitives
**Diffie-Hellman exchange**
> Whitfield Diffie and Martin Hellman presented for the first time in public, a system that allowed two participants to establish a shared secret, using only publicly available information. The Diffie-Hellman exchange bases its security on the difficulty of the discrete logarithm problem in a finite field. In the case of integers, it is trivial to compute E = g x mod p for a prime p, a generator g and a random number x. On the other hand it is computationally very difficult to determine x by computing the logarithm x = logg E mod p. In other words, modular exponentiation can be thought as being a one way function with special properties.
The ability to change the ciphertext in a way that is not predictable is used in many constructions to provide the bitwise unlinkability necessary to build mix systems
#### The Rivest-Shamir-Adelman crypto-system
> The RSA crypto-system relies on the difficulty of factoring composites of large primes to provide its security. A composite n = p × q is computed, and made public, while the two primes p and q are kept secret. A value e where 1 < e < (p − 1)(q − 1) is chosen at random, and d such that d × e = 1 mod (p − 1)(q − 1) is efficiently calculated. The public key is (e, n), while (d, n) is the secret key.
Digital signatures provide integrity properties and non-repudiation properties: if the public key of Bob is well known, Alice can prove to a third party that Bob has signed a message. Often this property is not desirable but for technical reasons other integrity primitives, such as message authentication codes, cannot be used. One can adapt protocols using digital signatures to provide plausible deniability by publishing the private keys as the last step of the protocol.
#### Strengthening the primitives
It was realised that by themselves they were not as secure as conventional “encryption”. In particular the mathematical structure that they relied upon, could be used to mount adaptive active attacks, blinding and re-encryption, to leak information about the plaintext.
A lot of research has focused on trying to formally define security for encryption, and to try and minimise the potential leakage of information out of public key encryption systems.
* Semantic security means that no useful information can be extracted from the ciphertext about the plaintext.
* Chosen ciphertext security means that no information about the plaintext can be extracted if modified ciphertexts are submitted to a decryption oracle.
* plaintext-aware encryption that detects any modification to the plaintext. Sometimes this property is also called nonmalleability.
**Plausible deniability**
Plausible deniability is the security property which ensures that a principal cannot be linked to some action with an appropriate level of certainty.
**Deniable encryption**
Plausibly deniable encryption is the inability to prove that a particular ciphertext decrypts to a particular plaintext. A system that provides perfectly deniable encryption is the one time pad. Since the key is as long as the plaintext and ciphertext, a key can always be constructed to decrypt any ciphertext to any plaintext. Furthermore the key provided will be indistinguishable from noise, and therefore any other possible key that might have been used. It is important to notice that under compulsion the sender and the receiver should release the same fake key, leading to some fake plaintext, otherwise they might be uncovered. This might be difficult to arrange if the ciphertext has not yet reached the receiver.
**Forward security**
Ross Anderson points out in that the name forward security is deceptive. He argues that the term would better be suited to describe the property of a system to become secure in the future, after it has been compromised.
### Chapter 4: Related Work
#### Trusted and semi-trusted relays
**anon.penet.fi**
>The concept that even non-malicious relay operators could be forced under legal or other compulsion, to reveal any information they have access to, provided a new twist to the conventional threat models. Honest relays or trusted nodes could under some circumstances be forced to reveal any information they held concerning the origin or destination of a particular communication. Minimising the information held by trusted parties is therefore not just protecting their users, but also acts to protect the services themselves
**Anonymizer & SafeWeb**
> Anonymizer is less vulnerable to legal compulsion attacks, since no long-term logs are required to be kept, that could link users with resources accessed. Unlike email, users always initiate web requests, and receive the replies, and all records can be deleted after the request and reply have been processed. Records can be made unavailable to seize after just a few seconds.
> SafeWeb allowed the traffic on the link from SafeWeb to the user to be encrypted using SSL
**Type I “Cypherpunk” remailers**
> Type I remailers, first developped by Eric Hughes and Hal Finney, are nodes that relay electronic mail, after stripping all identifying information and decrypting it with their private key.
> prevents the most trivial passive attacks based on observing the exact bit patterns of incoming messages and linking them to outgoing ones. However it leaks information, such as the size of the messages.
**Crowds**
> A user then relays her web requests by passing it to another randomly selected node in the crowd. Upon receiving a request each node tosses a biased coin and decides if it should relay it further through the crowd or send it to the final recipient. Finally, the reply is sent back to the user via the route established as the request was being forwarded through the crowd
> Crowds is one of the first papers to address quantitatively how colluding nodes would affect the anonymity provided by the system.
**Nym Servers**
> Nym servers store an anonymous reply block, and map it to a pseudonymous email address. When a message is received for this address it is not stored, but immediately forwarded anonymously using the reply block to the owner of the pseudonym.
> Nym servers and pseudonymous communications offer some hope of combining anonymity and accountability
#### Mix systems
The type I remailer, presented in section 4.1.3, is the insecure version of a whole body of research that we shall call mix systems and mix networks. This section presents more secure constructions based on these ideas:
**Chaum’s original mix**
The first, and most influential, paper in the field of anonymous communications was presented by Chaum in 1981. Chaum introduced the concept of a “mix” node that hides the correspondences between its input messages and its output messages in a cryptographically strong way.
>B. Pfitzmann and A. Pfitzmann show that Chaum’s scheme does not provide the unlinkability properties necessary. The RSA mathematical structure can be subject to active attacks that leak enough information during decryption to link ciphertexts with their respective plaintexts.
**ISDN mixes, Real Time mixes and Web mixes**
In 1991, A. Pfitzmann, B. Pfitzmann and Waidner designed a system to anonymise ISDN telephone conversations.
All three designs were the product of what could be informally called the Dresden anonymity community (although early research started in Karlsruhe).
ISDN, Real Time and Web mixes always use cascades of mixes, making sure that each message is processed by all mixes in the same order. This removes the need for routing information to be passed along with the messages, and also protects the system from a whole set of intersection attacks presented in
**Babel and Mixmaster**
Babel and Mixmaster were designed in the mid-nineties, and the latter has become the most widely deployed remailer. They both follow a message-based approach, namely they support sending single messages, usually email, though a fully connected mix network.
Babel offers sender anonymity, called the “forward path” and receiver anonymity, through replies travelling over the “return path”. While the security of the forward path is as good as in the secured original mix network proposals, the security of the return path is slightly weaker.
Mixmaster supports only sender anonymity, or in the terminology used by Babel, only the forward path. Messages are made bitwise unlinkable by hybrid RSA and EDE 3DES encryption, while the message size is kept constant by appending random noise at the end of the message.
**Stop-and-go mixes**
It aims at minimising the potential for (n − 1) attacks, where the attacker inserts a genuine message in a mix along with a flood of his own messages until the mix processes the batch. It is then trivial to observe where the traced message is going.
The average time that the message needs to be delayed can be estimated, and the appropriate time window can be specified to make such a delayed message be rejected by the mix.
**Onion Routing**
> Onion routing is the equivalent of mix networks, but in
the context of circuit-based routing.
* Instead of routing each anonymous packet separately the first message opens a circuit through the network, by labelling a route.
* Each message having a particular label is then routed on this predetermined path.
* Finally, a message can be sent to close the path.
Often we refer to the information travelling in each of these labelled circuits as an anonymous stream.
Onion routing notes that ISDN mixes are not easily implementable over the Internet, and aims to distribute the anonymous network and adapt it to run on top of TCP/IP.
Onion routing admits to being susceptible to a range of attacks. It has become clear that in the absence of heavy amounts of cover traffic, patterns of traffic are present that could allow an attacker to follow a stream in the network and identify the communicating parties. Such attacks have been called timing attacks.
Furthermore very little mixing is done in the system
generally, because of the real-time performance that is assumed to be needed. Onion routing aims at providing anonymous web browsing, and therefore would become too slow if proper mixing was to be implemented.
#### Peer-to-peer mix networks
In Chaum’s original work it is assumed that if each participant in the mix network also
acts as a mix for others, this would improve the overall security of the network. Recent
interest in peer-to-peer networking has influenced some researchers to further examine
such networks with large, but transient, number of mixes.
> Mark Rennhard introduces MorphMix, which shares a very similar architecture
and threat model with Tarzan. A crucial difference is that the route through the network
is not specified by the source but chosen by intermediate nodes, observed by user specified
and trusted witnesses
#### Mix building blocks, attacks and analysis
Replay attacks were first described by Chaum himself. A passive attacker can trace a message by ‘replaying’ it in the network.
* To prevent replay attacks mixes have to remember the messages that they have processed and not process them a second time.
* An alternative, which is an active field or research, is to use non deterministic decoding and routing protocols, possibly implemented using the new universal re-encryption primitive
* The position attack allows an adversary to partition the messages coming in and out according to the position of the only honest mix.
* The brute force attack is the simplest attack that can be performed against a mix network. The set of all potential recipients is generated by following a message through the network, and adding to the anonymity set all the recipients of the messages that have been mixed together.
* (n − 1) attacks are presented again. An attacker waits until a mix is empty (or stuffs it until it empties), and then sends a single genuine message to it. Then the attacker either waits, or again stuffs the mix until the message under surveillance is output. This leaks the receiver of this single honest message.
* Timing attacks try to guess the correlation between inputs to the network and outputs by using the fact that each link introduces a different delay.
* Communication patterns can be used to find out when users of pseudonymous systems are on-line and when they are off-line.
* Packet counting attacks take advantage of the fact that systems such as Onion Routing send whole streams along the same path. They correlate ingoing and outgoing streams, and follow them in the network by counting the packets in them.
* Intersection attacks, try to extract the sender of a stream of messages by intersecting the sender anonymity sets of consecutive messages sent by a pseudonym.
>The statistical variant of this attack is the statistical disclosure attack.
* User interaction attacks (or Sting attacks) take advantage of the fact that a user will act in a different way if he is the actual sender of a message than if he is not.
* Send n’ Seek attacks are related to the tagging attacks, but are slightly more general. They rely on a special message being sent to an anonymous receiver that is then used to track the receiver.
* Attack invented Wei Dai: An attacker wishes to defeat the traffic shaping mechanisms that attempt to hide the real volumes of traffic on an anonymous channel. The attacker creates a route using the link that he wishes to observe, and slowly increases the traffic on it. The router will not know that the stream or streams are all under the control of the attacker, and at some point will signal that the link has reached its maximum capacity. The attacker then subtracts the volume of traffic he was sending from the maximum capacity of the link to estimate the volumes of honest traffic.
### Chapter 5: Mixminion
>Mixminion has been designed by myself, Roger Dingledine and Nick Mathewson, who is also the lead developer, to be the successor of the current Mixmaster anonymous remailer infrastructure. While the project has many objectives, our main contribution1 to it is the design of a mix packet format that can effectively:
• be mixed and provide bitwise unlinkability,
• accommodate indistinguishable replies,
• leak minimal information to intermediate mixes,
• be resistant to tagging attacks
#### Models and requirements
* Forward Path. Alice wants to send a message to Bob, without Bob being able to tell that it came from Alice. In order to do this Alice constructs a Mixminion message and sends it to the Mixminion network. The message gets out of the network at some other point and is sent to Bob by conventional email. We call this use case the forward path.
* Reply Path. Alice wants to send a message to Bob, without Bob being able to tell that it came from Alice. Despite this, Alice wants Bob to be able to reply to her message, again without Bob discovering her identity. Alice therefore constructs a reply block that she includes in a message sent to Bob using the forward path. Bob is able to send this reply block to a mix in the network, using conventional mail, along with a message. The message will be routed anonymously back to Alice, who will decode it. We call this use case the reply path.
* Bidirectional Anonymity. Alice wants to communicate anonymously to someone that she does not know, that she likes to call Beatrice. Through some mechanism (such as a Nym Server) she knows one of Beatrice’s reply blocks. Alice therefore creates a Mixminion message that is intended to route her message through the network to first hide her identity using the forward path, and then uses the reply path to reach Beatrice. We call this bidirectional anonymity, and it allows two parties, through some system of anonymous first contact, to maintain an anonymous conversation.
> A user-friendly system should try to minimise any exposure to a user that does not fit into the model described above. Any security-sensitive operation that must be performed by the user and does not fit into this “natural” model above, will likely not be performed effectively. Therefore, it should be automated and hidden. For example it might be “natural” to expect the user not to sign the end of an anonymous email with their real name; but asking them to “contact the directory server at least once a day” might not. The only reasonable answer to expect would be “what is a directory server?” This operation should, for the sake of security and usability, be automated and hidden from the user.
#### Requirements
Mixminion aims to provide anonymity despite a global passive adversary that controls a subset of nodes on the message path and can perform active attacks against honest mix servers.
Mixminion was never meant to be a proof-of-concept academic system, and therefore it has been engineered to be secure by quite a margin to all known attacks. This approach has lead to some inefficiencies and unnecessary overheads.
A key objective of Mixminion from the start has been to provide a facility for secure anonymous replies.
As Back, M¨oller and Stiglic report,
> “In anonymity systems usability, efficiency, reliability and cost become security objectives because they affect the size of the user base which in turn affects the degree of anonymity it is possible to achieve.”
**Orthogonal issues**
* Mixing strategy: Mixminion does not impose any restrictions on the mixing, batching or delaying strategy that individual mixes or the network as a whole wishes to implement.
* Network Topology: Any network topology can be used to route Mixminion traffic.
* Route Selection. It is not specified how individual clients choose the path their messages will take through the network.
* Dummy Policy: While there is support for both encrypted link padding and dummy messages, Mixminion nodes are not required to implement any particular strategy for generating any kind of cover traffic.
* Environment Awareness: We assume that each mix simply knows about the directory servers to which it must periodically upload its information. In this respect a node is required to know even less than a client, which needs to have a recent version of the directory of available mixes.
> The issues above are either orthogonal to the problems that Mixminion is trying to tackle or were, at the time of the design, active research areas.
#### The anatomy of the Mixminion format
There are also two main algorithms related to a Mixminion packet:
1. Packet Creation: This algorithm requires a sequence of mix server description, containing the network addresses and the public keys of the mixes, a final address and a body. It will then generate a Mixminion packet suitable for being relayed by the chosen intermediaries. Note that the final address might be a reply block.
2. Packet Processing: Given a secret key, a public list of hashes of previous message signatures, and a Mixminion message, this algorithm will output the Mixminion packet to be relayed and the address of the next mix. If the processing mix is the last one, the procedure will provide a body, and instructions on how to send out the message by conventional email.
#### Security analysis of Mixminion
* Bitwise unlinkability: In order to provide security against passive observers the Mixminion packet format should guarantee that the message entering a mix looks different when it leaves it.
* Route position and length leakage: A mix knows if it is the last one in the header, because it is required to perform a special operation, such as swap, or must forward the message by email. It is very likely that a mix node knows if it is the first one on the path, because the message will arrive from a source that is not an established mix.
* Tagging attacks: Tagging attacks are a family of active attacks performed by modifying mix packets travelling through a sequence of mixes, in order to recognise the packets elsewhere in the network, or when they leave the network.
> If the message body is modified, it will be
processed correctly but the result will not leak any information about the final destination or the original body of the message. In other words, the tagging attack is not detected early enough to discard the message, but the error introduced is amplified to such a degree that it is impossible to extract any information about the content or destination of the message afterwards.
It has to be pointed out that Mixminion’s resilience to single messages being tagged does not automatically extend to multiple messages known to the attacker to belong to the same stream. In case one of them gets tagged it will turn into random noise, but the information in the other related messages will still be visible.
#### Protocols with reply blocks
> Mixminion’s main novel feature is the provision of secure reply blocks. By secure it is meant that reply blocks provide the same degree of protection against all the above attacks as the messages travelling on the forward path.
* It can also be considered insecure to allow a large number of SURBs to be available to untrusted parties. The reason for this relates to the way in which a compulsion attack can be performed on the forward and reply paths.
* In the case of the forward path, a message cannot be traced back from the receiver to the sender. At each intermediary node the message is stripped of the information that could be used to route it back.
* On the other hand, a reply block can be traced by compelling each intermediary node in turn to perform the decryption until the final recipient is uncovered. This attack is hard for an adversary that does not control all intermediate nodes, but can be performed on SURBs more easily than on the forward path.
Mixminion prevents such attacks by encoding in the SURB the pseudonym to which the reply block is addressed. This is done by having separate secret keys for each pseudonym to gain access to the information necessary to reconstruct the secrets that decrypt the reply. This unfortunately requires Mixminion to be aware of pseudonyms, although the same service could be provided by allowing a user to encode an arbitrary string with the creation of each pseudonym. This string would be protected against tampering, and revealed when the reply is decoded.
#### Nym servers
In order to solve both problems, special services named nym servers provide a gateway between the world of Mixminion and conventional email. Furthermore they allow normal mail users to initiate conversations with parties they did not have any contact with before, and therefore allow the first contact problem to be naturally solved.
It is important to realise that nym servers are trusted to reliably perform their tasks, guaranteeing the availability of the service offered, but are not trusted to safeguard the anonymity of the users. In other words a misbehaving or subverted nym server can jeopardise the delivery of messages, but cannot link pseudonyms to users.
### Chapter 6: Forward secure mixing
> Here we will assume that an adversary is capable of requesting information from honest mix nodes and clients.
In this chapter, we will describe how an adversary can use compulsion powers to trace anonymous communications through the network. We will also define the notion of forward secure anonymity. This is similar to forward security in the sense that unconditional anonymity is provided after a certain point in time.
#### How to trace a mixed message
> In order to trace back a communication, an attacker is required to work forward starting at an interception point, by requiring mixes to decrypt the material intercepted, hoping that the communication traced ends up being the one that had to be traced. This process means that the opponent will need to acquire exponentially many decryptions in the number of hops to trace a message. A good anonymizing protocol would force this effort to be as large as to require all messages present in the mix network to be decrypted.
> However an opponent interested in tracing forward a communication initiated by a particular user, only needs to put this specific user under surveillance and request all intermediate nodes that relayed the messages to reveal the destinations of the messages. Therefore in the case of directed surveillance against a particular user, interception needs only to take place around that user, and then intermediate nodes can be requested to decrypt the ciphertexts until the ultimate destination is revealed.
#### The fs-mix
We can achieve forward secure anonymity by introducing secret state into the mix nodes.
The new state we require has to be kept secret, since it will be used to derive keying information.
1. H1 hash function is used to extract a public tag of the message to avoid replays and is always applied to the secret contained in the message.
2. H2 is applied to the final symmetric secret in order to generate keys that can be used in future communications.
3. H3 is applied to these keys to generate their public indexes.
4. n H4 is used on the secrets stored in the mix and the packet to create final shared secrets.
5. H5 is used to update secrets.
All functions Hx are secure hash functions, in particular they have to be pre-image resistant, to avoid giving any information about the key.
#### Other forward security mechanisms
**Forward secure link encryption**
**Tamper-proof secure hardware**
### Chapter 8: Red-green-black mixes
> In this chapter we describe a technique that mix nodes can employ to detect whether they are under an active attack.
#### Red-green-black mixes
An rgb-mix receives a certain number of black messages per round. These are genuine messages to be anonymized, or could be the product of a flooding attack mounted against the mix. The mix needs to estimate how many of these black messages are genuine in order to guarantee some quality of anonymity. Unfortunately, because of the nested encryption, and the absence of identifying information in the packets, the mix cannot do this by simple inspection.
If the fraction of red messages received in a round is smaller than expected, subject to statistical fluctuations, this could mean one of three things:
1. Firstly, the mix could be under a blending attack, meaning that the genuine traffic is being blocked and only the attacker’s messages are let through.
2. The mix has only recently started its operation and the red messages sent did not have enough time to loop back.
3. A third is that traffic load is changing.
#### The security of rgb-mixes
> The key to understanding the security of rgb-mixes is the realisation that an attacker is not able to distinguish between red, green and black messages.
The rgb-mix needs to answer the following question: Given that R red messages are received, how many genuine traffic messages BT are likely the have been allowed through?
We devise a strategy that allows mixes to detect that such an attack is taking place. They send heartbeat messages back to themselves, and use the rate at which these messages are received to estimate the amount of genuine traffic they receive.
In case an adversary is delaying traffic to perform the (n−1) attack the rate at which the heartbeat messages are received is reduced, and the attack is detected. In this case special cover traffic messages are generated to maintain the quality of anonymity provided. This technique is very efficient, since it only uses large volumes of cover traffic when under attack.
### Chapter 11: Conclusions and future work
> “Whoever thinks his problem can be solved using cryptography, doesn’t understand his problem and doesn’t understand cryptography.” -Roger Needham or Butler Lampson
* While Mixminion provides very good security against passive or active attackers and subverted nodes, operators are still liable to be compelled to decode messages. For this reason we explore in detail how messages can be traced in a network, and design the fs-mix to provide forward secure anonymity (chapter 6).
*
* Open questions include the impact of crooked directory servers, reliable transmission protocols that are not prone to traffic analysis, and implementing anonymous services at higher layers
* Receipt-freeness and plausible deniability properties could also be sought in future mix network architectures in order to protect the mix node operators from compulsion attacks.
* The work on mixing using sparse networks, presented in chapter 7, needs to be extended for the case of networks with highly dynamic membership. This could answer some questions about the anonymity provided by peer-to-peer mix networks, such as Tarzan.
* Generally solutions to other problems, such as peer discovery and route reconstruction attacks, presented in section 4.2.7, have to be found before the peer-to-peer paradigm can effectively be used for mixing.
The statistical disclosure attacks clearly show that
the anonymity of long-term conversations will eventually be compromised. Therefore anonymous communications can only offer tactical, and not strategic, protection against a global passive adversary.
On the other hand, high-volume, low-latency communications, as required for web browsing, seem immediately susceptible to attack. The statistical disclosure attacks and the attacks against continuous-time stream-based mix systems leaves us very sceptical about the possibility of securing them. Furthermore approaches such as peer-to-peer systems, contrary to popular belief, seem to offer a lesser degree of protection. They are susceptible to peer discovery attacks as with Tarzan, and they offer weaker protection against traffic analysis because their topologies spread the traffic too thinly across large numbers of links.
Our results might at first appear very negative. It is worth keeping in mind that the threat models we used are harsh, and that adversaries will need huge resources in order to mount such attacks. A new line of research should assess how these techniques protect individuals and organisations against weaker threat models.
### Contributions
### Conclusion