ANON: anonymous mail

[nobody@indirect.com]

-----BEGIN PGP SIGNED MESSAGE-----

I thought I'd describe why you would want to pad anonymous mail.

Currently, the destination and contents of email you send isn't private.  It
is possible for any number of people to snoop your mail as it travels to its
destination.

For privacy, you can encrypt your mail.  Suppose Alice has an email account
as learns that email is about as private as a postcard.  She decides to
encrypt all of her email, and all of her correspondents agree to do the 
same.  So now, nobody can read her mail.

But, who she communicates with still yeilds information.  This is called 
traffic analysis, and I won't go into it here.  

So, enter anonymous remailers (see Chaum's "Untraceable Electronic Mail").
Currently several people on this list are experimenting with and running
anonymous remailers.  The remailers accept instructions (optionally 
encrypted) and resend messages, making it look as though the mail originates
from the remailer.

Now Alice sends and receives all her encrypted mail from an anonymous
remailer.  Somebody snooping Alice won't learn the contents of her mail,
or even with whom she communicates.  (She could even keep private what
USENET news she reads by borrowing a trick from Mr. Slippery in "True Names"
 - just download everything and read what you want at home.)

Another security enhancement is chaining the anonymous remailers, 
instructing one to mail to another, and so on, eventually delivering mail. 
Alice and her friends do the same, and they continue to privately 
communicate, keeping their various identities secret.  If the snooper just 
watches the first remailer, he will learn that her mail goes to another 
remailer, etc.  Now the snooper would need to watch more remailers to figure
out who Alice is talking to.

- From time to time, people suggest a probabalistic remailer, either 
forwarding mail to another remailer, or delivering it immediately.  This
actually reveals the final destination to more remailers than before.  For
example, if Alice chains mail A-B-C-final, then only the C remailer knows
the final destination.  But if the remailers implemented some probabalistic
scheme, then each one will have to be given the final destination.

To make it harder for a snooper, the remailers decide to cache their
remailing requests, sending them out periodically instead of immediately.
Now, a snooper would see a steady stream of mail into the remailer, and
nothing coming out until suddenly, the remailer sends out all of its queued
messages.  If a large number of messages are stored to be remailed later, 
the snooper isn't able to easily match up incoming and outgoing messages.

Now we come to message padding.  If a snooper watches the incoming and
outgoing mail, perhaps the size of the mail will provide enough information
to link sender to destination, even if it is cached and remailed along with
several other messages.  So, to defeat this, the remailer can pad all 
messages to be a certain length.

The best way for this to work is if a snooper can't figure out what is
padding and what isn't.  For plaintext and digitally signed (only)
documents, this is not too difficult.  But, for encrypted messages, if the
remailer could insert padding into the encrypted text itself, or add in 
padding which would be ignored upon decryption, then it would be very 
difficult, if not impossible, for a snooper to determine what is and what
isn't padding.

The system implemented at the elee9sf@menudo.uh.edu remailer is a simple
type - it pads the message body to a certain length.  But it is pretty
obvious what is padding and what isn't - so if a snooper is in a position
to determine the length of a message (say they are trying to match up
source and destination), they probably will be able to read the message
and throw the padding out on their own.

A better system would be one that pads inside encrypted text.  This can be 
done with a pgp encrypted message by padding the end of ascii encrypted text
and adjusting a few bytes (length fields, etc.).  The message can still be 
decrypted, and the excess padding bytes will be ignored.  Such a system is 
in the works... and it is reasonable to pad encrypted messages since it is 
much harder to detect and you will probably encrypt text sent through an 
anonymous remailer to get the maximum benefit.  (If you don't mind everyone
reading what you wrote you could use a dc-net and generate plaintext :-)

Another useful technique is an anonymous pool, where everybody in the pool
gets every message.  Since everybody subscribing to the list receives
every message, it would be extremely difficult for a snooper to determine
to whom such a message is really intended for.  You could use a newsgroup 
for the same purpose - post encrypted text to some group and your friend 
would read the group and retreive the message.  

Also, from time to time people wonder about errors and whether failed mail
can be bounced back or whatever.  The difficulty here is that the anonymous
remailers try to keep information about source and destination to a minimum.
For instance, a message may be routed through several remailers; the 
previous hop may be another remailer, so it wouldn't be useful to bounce the
message back.  Some remailers drop bounced mail, others wind up appending to
a log file.  A good solution currently implemented at extropia.wimsey.com is
to use an anonymous pool for error reporting.

Karl Barrus
<klbarrus@owlnet.rice.edu>

-----BEGIN PGP SIGNATURE-----
Version: 2.3a

iQCVAgUBLNH9eYOA7OpLWtYzAQEPzQP/QYeciQf7TKimj67xQRWScov848bcauF6
hlFOfoF4MFSm7mhD1bPks7xiwZuYO6P+MwkaeMqBKYQfWzBi37Blx5PNo3iK6Dmk
pmeGsYqew34oPxk7Exvsu7uOcKhFAhBcEWvElJ+ytMjEbuY8EsHoGGETXpPVK87C
OFkNxCrdqYY=
=J/5q
-----END PGP SIGNATURE-----