Home / Browse / Mixmaster / Mail / Archive

Mixmaster

Email Archive: mixmaster-devel (read-only)

2001:	_Jan	_Feb	_Mar	_Apr	_May	_Jun	_Jul	_Aug	_Sep	_Oct	_Nov (65)	_Dec (120)
2002:	_Jan (30)	_Feb (17)	_Mar (35)	_Apr (17)	_May (19)	_Jun (4)	_Jul (125)	_Aug (187)	_Sep (144)	_Oct (171)	_Nov (11)	_Dec (109)
2003:	_Jan (61)	_Feb (20)	_Mar (22)	_Apr (25)	_May (57)	_Jun (33)	_Jul (24)	_Aug (76)	_Sep (13)	_Oct (44)	_Nov (43)	_Dec (15)
2004:	_Jan (25)	_Feb (2)	_Mar (16)	_Apr (63)	_May (118)	_Jun (13)	_Jul	_Aug	_Sep (9)	_Oct (1)	_Nov (5)	_Dec (1)
2005:	_Jan	_Feb	_Mar	_Apr (1)	_May	_Jun	_Jul (2)	_Aug (9)	_Sep	_Oct (3)	_Nov	_Dec
2006:	_Jan (3)	_Feb (6)	_Mar (4)	_Apr	_May	_Jun (15)	_Jul (2)	_Aug	_Sep (1)	_Oct	_Nov (1)	_Dec (2)
2007:	_Jan (2)	_Feb	_Mar	_Apr	_May	_Jun (1)	_Jul (6)	_Aug	_Sep (4)	_Oct (1)	_Nov (14)	_Dec (1)
2008:	_Jan (5)	_Feb	_Mar (31)	_Apr (2)	_May	_Jun (1)	_Jul	_Aug (4)	_Sep (5)	_Oct	_Nov (1)	_Dec
2009:	_Jan (3)	_Feb	_Mar	_Apr (2)	_May	_Jun (1)	_Jul	_Aug (1)	_Sep (1)	_Oct	_Nov	_Dec
2010:	_Jan	_Feb	_Mar	_Apr	_May	_Jun	_Jul	_Aug	_Sep (1)	_Oct	_Nov	_Dec
2011:	_Jan	_Feb	_Mar	_Apr	_May	_Jun	_Jul (9)	_Aug (2)	_Sep	_Oct	_Nov	_Dec
2012:	_Jan	_Feb	_Mar	_Apr (2)	_May	_Jun (5)	_Jul	_Aug	_Sep (3)	_Oct	_Nov	_Dec
2013:	_Jan	_Feb (1)	_Mar	_Apr	_May	_Jun	_Jul	_Aug	_Sep	_Oct	_Nov	_Dec

[Mixmaster-devel] Discussing requirements

From: Scott Renfro <scott@re...> - 2001-11-15 10:14

Although I haven't had time to think through the requirements in any
detail, I thought I'd throw out the following framework for discussing
requirements. Maybe Len can collect the feedback on these if he has the
time.

Rather than discussing the security requirements in the abstract, it may
be useful to discuss the capabilities/knowledge we want various parties
to possess -- this is a natural extension of threat modeling.  The
following lists some of the parties of which I'm aware and the
capabilities I've heard expressed.  A '+' means this must/can be allowed
(optionally, can't be prevented by the protocol), a '-' means this must
be prevented, and a '?' means I'm not sure there's consensus (we may
need other states as well).

Please add in the missing parties and capabilities.

Passive Network Attacker
 +  know the source and destination remailers ip addresses and ports
 -  know the inter-remailer message contents
 -? know the number of messages exchanged
 ?  know the number of message blocks exchanged
 -  determine whether messages were accepted or rejected
 -  know the relative sizes of messages

Active Network Attacker (a superset of a passive attacker)
 -  impersonate the server
 -  truncate messages without detection
 +  TCP-based DDoS  
 -? enumerate Key_IDs of receiving remailer's private keys

Corrupt Receiving Remailer
 +  can throw away messages
 +  can retain statistics

Corrupt Sending Remailer
 +  must batch messages
 +  can publish details of "stealth" remailers

Spammer
 ?

Sending Remailer
 +  have local policies about retry rates and fallback
 +  receive an unforgeable ephemeral receipt from receiving client
    (without which the message is assumed undelivered and given which
    the receiving remailer queues for further delivery)

Receiving Remailer
 +  can accept messages on the inter-remailer protocol only (not SMTP)
 +  can exist without publication
 +  can require sending remailers to authenticate

User
 +  can specify a stealth remailer as a middle hop, including port number


Ok, that's all I have off the top of my head.  Now everyone else can
take their whacks...

cheers,
--Scott

-- 
Scott Renfro <scott@...>