[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


> > (Furthermore, most remailer structures still can't erase some other security
> > concerns --
> >   1: remailers acutally can be hacked or physically compromised
> >   2: clients really can be screwed
> >   3: etc.
> > 
> > To help solve the first, you'd want a two-box setup doing remailing, with the
> > security-critical stuff loaded on a box not directly connected to the Net with
> > something 140-1ish to make tampering harder, a secure OS, etc. -- or, of
> > course, you can scrap all that to get really big remailer count.
> As long as you do not see the box and do not control its manufacture,
> I see no reason why you should have ny more trust in it.

Well, you shouldn't have complete trust -- a tamper-resistant net could be
compromised, too -- but there's a good reason to have more trust in it than in
the existing one. More on that after a parenthetical remark.

(This brings up the "hardware web-of-trust" issue; you can set up such a web
with trusted spot-checkers and statistical/cryptographic means of assuring the
user that the box works as advertised, if your threat model demands it.  
There's more about it in the "Beyond Class (A1)" section of the Orange Book,
although the section's use to Cypherpunk types is limited because it's written
without any thought to, say, doing things cheaply or having a decentralized

The tamper-resistance simply means that if the mailer was set up secure, it's
not going to become compromised. Instead of having to trust that one of the
remailer operators is currently honest and has always done all the necessary
homework to ensure the system was safe, you have to trust that this entity was
honest and diligent when the remailer was set up (unless, of course, you think
the tamper-resistance was circumvented); if the operator is bribed after the
remailer's set up and the public key is published, there's no way to suddenly
and invisibly make messages traceable, as there is in a "normal" Mixmaster

(This is because, given the normal assumptions about crypto strength, it takes
the remailer's private key to process a Mixmaster-like packet and that key is
generated by and stays within the tamper-resistant box)

My predictions about the biggest attacks on a tamper-resistant remailer net:
  1: traffic analysis. Until the net structure is overhauled, this will always
     be possible.
  2: propagation and exploitation of faulty server software. Related to the
     whole web-of-trust issue.
  3: direct attacks on specific clients. Again, no web of trust.
  4: creation of bad remailers and attempts to shut down good ones. More
     messages could be traced in a world with 6 good and 47 bad remailers than
     in one with 9 good and 3 bad.
  5: direct attacks on new remailers
  6: attempts to make an operator feign a catastrophe and set up a new,
     compromised remailer. Users, however, would know that the new key not 
     signed by an old one means that they must now trust that the remailer was
     not compromised before the publication of the new key.
  7: attacks on tamper resistance
  n: attacks on crypto
n+1: etc.