Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormPacket StormPACKETSTORM:11971
HistoryAug 17, 1999 - 12:00 a.m.

zks.freedom.flaws.txt

1999-08-1700:00:00
Packet Storm
packetstormsecurity.com
26
JSON
`Date: Sat, 29 May 1999 15:30:24 -0700  
From: Wei Dai <[email protected]>  
To: [email protected], [email protected]  
Subject: a practical attack against ZKS Freedom  
  
Although the ZKS Freedom AIP protocol (as described in version 1.0 of the  
ZKS whitepaper) is conceptually similar to the PipeNet protocol, there are  
several attacks against ZKS which PipeNet is not susceptible to. The  
reason is that PipeNet uses end-to-end traffic padding, whereas ZKS only  
uses link padding. I came up with several attacks against link padding  
systems while developing PipeNet, which is why I ultimately choose  
end-to-end padding. However one can argue that end-to-end padding is too  
costly, and that these attacks are not practical because they require a  
global observer or the cooperation of one or more of the anonymous router  
(AIP) operators. ZKS has not publicly made this argument, but since they  
are probably aware of these earlier attacks they must have followed its  
reasoning.  
  
I hope the practicality of the new attack presented here will change their  
mind. In this attack, a user creates an anonymous route from himself  
through a pair of AIPs back to himself. He then increases the traffic  
through this route until total traffic between the pair of AIPs reach the  
bandwidth limit set by the ZKS Traffic Shaper. At this point the AIPs no  
longer send any padding packets to each other, and the real traffic  
throughput between them can be deduced by subtracting the traffic sent by  
the attacker from the bandwidth limit.   
  
This attack implies that link padding buys virtually no security. An  
attacker, without access to network sniffers or cooperation of any AIP  
operator, can strip off link padding and obtain real-time throughput data  
between all pairs of AIPs. If end-to-end padding is not used, this data  
would correlate with traffic throughput of individual users, and  
statistical analysis could then reveal their supposedly anonymous routes.  
  
---------------------------------------------------------------------------  
  
Date: Thu, 3 Jun 1999 11:33:51 -0600  
From: Tom Rawls <[email protected]>  
To: [email protected]  
Subject: FW: a practical attack against ZKS Freedom  
  
Jay, I don't know if you've seen this yet, but here's Ian Goldberg's answer  
to that.  
  
-----Original Message-----  
>From: Ian Goldberg [mailto:[email protected]]  
Sent: Wednesday, June 02, 1999 6:18 PM  
To: [email protected]; [email protected]  
Subject: Re: a practical attack against ZKS Freedom  
  
  
  
In a recent post, Wei Dai proposes an attack against the whitepaper  
design of the Freedom Network. The points he makes are, to first  
approximation, well-taken, with some additional caveats.  
  
The link padding removal method described cannot be used to remove the  
padding from links between the client and the rest of the network, since  
the client does not route external traffic. As such, packets from a  
particular client cannot be observed entering or exiting the network.  
Regardless, of course, if all other (server to server) link information  
were available, a statistical attack to find the identity of the client  
would be relatively straightforward.  
  
A second point (somewhat tangential) is that the link padding between  
servers does not in fact bring the total traffic between servers  
(necessarily) to a constant value. All that is required to prevent  
_passive_ eavedroppers from gaining information is that the total amount  
of traffic be padded to a _data-independent_ function. A constant is  
the simplest such function, but there are others. A function involving  
randomness is better in some ways, though without careful choices for  
where to use randomness (note that this is _not_ talking about the  
quality of the random numbers themselves, but rather the logical part of  
the protocol in which randomness is inserted), the randomness can often  
be removed statistically. Discovering the patterns that are best-suited  
for use in link padding is part of the research behind this product.  
Hopefully, a correct choice of function would make it difficult for Wei  
Dai's attacker to use up exactly all of the padding, and thus determine  
the actual (non-padding) throughput of the link.  
  
Now, what we plan to do about it:  
  
(1) End-to-end padding is a specific case of "red link" padding. [The  
Freedom Network consists of two kinds of links, referred to as "red  
links" and "blue links". The blue links are the server-to-server direct  
connections. "Link-padding" is padding of the blue links. The "red  
links" are the nested connections between the client and each of the  
servers in the chain.] As the Freedom Network grows, we plan to  
incorporate a high-bandwidth "core" network, as well as lower-bandwidth  
nodes hanging off of the core to a number of levels (think nested  
rings). The red links from the client into the core (which should take  
about three hops) will likely be padded, whereas the links out of the  
core (through the lower-bandwidth links) may not be. Using this method,  
Wei Dai's attacker could only (statistically) trace a route as far back  
as the core, where all traffic goes through, anyway. (Do not mistake  
the core for a central point of failure; the core itself will be made up  
of a large number of well-connected nodes, around the Internet.)  
  
(2) The possibility of introducing some manner of "reservations". This  
is further off in the design, but it prevents the attacker from  
observing the actual throughput between nodes, without the cost of  
blindly carrying padding traffic around the network. The attacker can  
still gain some information if he compromises a number of nodes on the  
route, but that's pretty fundamental. The tricky bit of reservations is  
preventing DoS attacks wherein an attacker (under many nyms) reserves  
all the available bandwidth. Again, a research issue.  
  
In summary, the attack presented is an interesting one. We claim, however,  
that strict "end-to-end" padding is not fundamental to the solution;  
rather, other techniques ("red link" padding / reservations with link  
padding) can also be used (at a somewhat lower cost to the network)  
to prevent the attack.  
  
- Ian "Chief Scientist and Head Cypherpunk, Zero Knowledge Systems"  
  
---------------------------------------------------------------------------  
  
Date: Fri, 4 Jun 1999 00:38:21 -0400  
From: [email protected]  
To: [email protected]  
Subject: Freedom Beta  
  
I got my hands on a copy of the Freedom Beta from Zero-Knowledge. Here  
are my first impressions,  
  
1) Ease of use  
  
The easy of use when compared to _ANY_ other remailer of Nymserver out there  
is incredible. It took me around 90 seconds to create my nym, with 3 reply  
blocks and start creating anonymous web, IRC routes.  
  
At the same time I think they need to get some help with usability, since I  
had to hunt for some of the features and some of the interface decisions are  
not that intuitive. (i.e. I couldn't find the e-mail address for my nym  
right away, I had to look in a preference setting. When I setup custom  
routing preferences I have to switch to regular user and then back to my nym  
to have it take effect - little things, but things that I think are  
important if they are going to get 10 million people using it).  
  
Overall, I'm REALLY impressed with the way they've packaged so much crypto  
and security in a really simple interface.  
  
At the same time, as a crypto geek, I'd like to be able to see more of  
things like my key fingerprints; more details about key lengths (Both for my  
nym and the servers that I choose to use). I hope they don't keep the  
interface so dumb that I can't ever get access to these things.  
  
2) Speed  
  
I am actually pretty impressed with the speed. I'm using an ISDN dialup  
connection and with a three hop route (Going to of all places Quebec :) I  
was getting good speed. I noticed a little slow down with the way  
graphics were coming into my browser, but in general the throughput and  
performance was completely acceptable. (10kbps vs. 11.5 without Freedom on  
a sustained download)  
  
The whole idea that I can select my IP address and all of a sudden I had an  
IP number in Quebec, or Texas or Viriginia was very fucking cool. I can't  
wait until they have all their ISPs up and running and I can choose anywhere  
in the world to 'be'.  
  
There goes national borders :)  
  
3) Security  
  
There is a big warning saying that I can't do any really _FUN_ things yet  
since the client hasn't passed a security review by Counterpane & Ian  
Goldberg yet. It's cool they are being open with that, but I still wish  
they were open source.  
  
Maybe if we call send them e-mail to <[email protected]> asking for  
open source code - I understand from comments that Ian Goldberg has made  
that they are planning on releasing the source code once they can make sure  
that the anonymous network has critical mass and doesn't get split (ala BSD  
variants) - but I don't think this is a good enough reason.  
  
I personally won't use the software for anything other than general  
conversations until they do a wider audit or open the source code (Although  
if I had to pick only two people I trusted to review source code, it would  
be Counterpane and Ian Goldberg - but more is always good). At the same  
time I've sent my ISP 4 e-mails telling them to join the Freedom network and  
am going to be organizing a group of users at my ISP to make sure that we  
have a local Freedom node. Hopefully we can get some sort of commitment  
>from Zero-Knowledge about the number of Freedom nodes that need to be  
deployed before they open source - at least then we get to know if they are  
serious.  
  
I also ran a packet sniffer on my Windows box running Freedom and noticed  
that the connection to the first node is not being padded. (There is a  
constant stream of packets leaving my machine, but they are not running at a  
set speed. I understand from the release notes that this is not a secure  
version and there are still security improvements being made with regards to  
the routing so I'm waiting on this one.)  
  
SUMMARY  
  
I don't know how many people they gave this beta to, but my guess is if they  
fix some of the UI issues and get the security signed off by Bruce and Ian,  
we will have a WHOLE new way to play online and people like Jim Bell and  
Toto would be able to be back playing with us :)  
  
PS - I'm not Detweiler- but just wait 'till he sees this software.  
  
  
-Ender  
  
`
JSON