Principles of building secure systems (conclusion)
For a low-cost attack to succeed, two basic conditions must be met. First, the malicious host must know all the other hosts on the network. Without this, the attack in question is impossible. Second, the delays that arise must reflect the volume of traffic transmitted by the node.
Based on the results of the study, we drew the following conclusions.
The low-cost attack can be eliminated in one of two ways:
- Make it impossible to obtain information about all nodes on the network.
- Add cover traffic in such a way that the characteristics of the individual streams are leveled.
By adopting any of these techniques, you can build a secure system with low latency that can withstand a low-cost attack.
We note that everything Murdoch and Danezis (Murdoch & Danezis 2005) rely on in their work collapses when the second method is used. However, as they noted, determining the amount of cover traffic needed is a difficult task. Either way, the attack can still be prevented by the first method.
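The effect of the second method, and why the amount of cover traffic matters, can be seen in a toy simulation. This is an added example, not code from the original article or from Murdoch and Danezis; the linear delay model, the burst pattern, the load values and the `pad_to` parameter are assumptions chosen for illustration.

```python
import random
import statistics

def pearson(xs, ys):
    """Pearson correlation coefficient of two equal-length sequences."""
    mx, my = statistics.fmean(xs), statistics.fmean(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    var_x = sum((x - mx) ** 2 for x in xs)
    var_y = sum((y - my) ** 2 for y in ys)
    return cov / (var_x * var_y) ** 0.5

def simulate(pad_to=None, slots=2000, seed=1):
    """Correlation between one stream's volume and the delay seen at a relay."""
    rng = random.Random(seed)
    stream, delays = [], []
    for t in range(slots):
        # Constructed workload: the stream of interest sends in on/off bursts,
        # other users add a small random background load.
        s = 20 if (t // 25) % 2 == 0 else 0
        background = rng.randint(0, 10)
        load = s + background
        if pad_to is not None:
            load += max(0, pad_to - load)  # cover traffic fills the gap
        # Assumed delay model: linear in total load, plus measurement jitter.
        delay = 5.0 + 0.5 * load + rng.gauss(0, 1.0)
        stream.append(s)
        delays.append(delay)
    return pearson(stream, delays)

def compare():
    return {
        "no_cover": simulate(pad_to=None),    # delay tracks the stream
        "under_padded": simulate(pad_to=15),  # padding below peak load still leaks
        "leveled": simulate(pad_to=30),       # padding to peak load hides it
    }

if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name:12s} correlation(stream volume, delay) = {r:+.3f}")
```

In this model the delay stops reflecting the stream only when the node is padded up to its peak real load, which is the bandwidth cost that makes the second method hard to apply in low-latency systems.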
Further discussion
Using the second method can significantly increase the anonymity that the network provides, but it is difficult to apply in low-latency systems.
This is due to the main requirement for such a system: minimizing delays. Reducing delays to an acceptable level means that a relay node cannot mix its incoming and outgoing flows or make them indistinguishable. This gives the attacker a clue that can eventually break the anonymity the system provides. However, the use of several relay nodes in the anonymizing tunnel makes the attack much more difficult: the attacker must be able to control all network nodes or all communications between nodes, i.e. be a “global observer”.
Developing an anonymizing system that can withstand a global observer while keeping delays at an acceptable level is hard enough. Fortunately, becoming a global observer on the Internet is even more difficult. Therefore, it is believed that when creating anonymizing systems, it is sufficient to follow a weaker threat model that does not include a global observer. In this weak model, the attacker can take some active and passive actions, for example watch some network traffic, create, modify or delete traffic, or manage several intermediate nodes; but he cannot observe all the connections in the network.
Systems like Tor claim that they are able to withstand the attacker described above. However, they did not account for an attack that can be carried out without a global observer. By seeking to meet latency constraints and forgoing cover traffic, Tor became vulnerable to a low-cost attack that fits into the weak threat model used. This model should be extended.
Our research has shown that the attack is applicable to low-latency systems that allow a node to get a list of all other network nodes. If this condition is not met, the weak threat model remains acceptable.
Therefore, if a weak threat model is used in the development of an anonymizing system, then this should be taken into account. Each node should be able to get a list of only its neighbors, but not a list of all nodes on the network.
Based on the foregoing, we conclude that for anonymizing systems it is better to use a peer-to-peer architecture rather than dedicated servers. This is because peer-to-peer networks have a large number of nodes. Even if the attacker manages to get a list of all the nodes on the network, it is likely to be outdated already, because it is difficult to detect all nodes in a short time.
Conclusion
In this article, we investigated one of the attacks on anonymous low-latency communication networks, called the low-cost traffic analysis attack. This attack is very important because systems like Tor, whose design was based on a weak threat model, are susceptible to it. We showed in which cases the attack will not work. We also identified several important properties that a system must possess in order to counter such attacks.