Just finished reading a new paper on Low Cost Traffic Analysis: 

Wiangsripanawan, R., Susilo, W., and Safavi-Naini, R. 2007. Design principles for low latency anonymous network systems secure against timing attacks. In Proceedings of the Fifth Australasian Symposium on ACSW Frontiers – Volume 68(Ballarat, Australia, January 30 – February 02, 2007).

The authors look afresh at the Low Cost Traffic Analysis attack and how it applies to the Tarzan and MorphMix peer-to-peer anonymity systems. The key observation is that for the attack to apply three preconditions need to hold:

  1. A node’s load affects the latency of relayed traffic.
  2. The adversary knows the nodes participating in the protocols.
  3. The adversary must be able to establish a direct connection with all other nodes.

The paper argues that Tarzan’s mimic based routing structure may invalidate precondition (3). MorphMix on the other hand makes it difficult for the adversary to know all nodes in the network (2). As a general rule they advise designers to make comprehensive node discovery difficult, a property that is also in line with the needs of censorship resistant proposals.

Before getting overly excited about the security of those systems it is worth remembering the inherent unscalability of Tarzan, as well as the recent attacks against MorphMix.

Advertisements

The people from wikileaks have uncovered the inventory of equipment the US uses in Afghanistan and Iraq. Part of the surprise was the wide spread use, and dominant cost, of Warlock Green and Warlock Red Jammers (a nice presentation on how they work.) The presentation gives a strong hint that the use of jammers against IEDs is limited, particularly since a device could be programmed to detect the jamming signal and use it as a range finder to control detonation. 

There also seem to be about 44 TACLANE KG-175 E100AC routers deployed in Afghanistan only, that overlay cryptographic protection, and presumably traffic analysis prevention on public IP and ATM networks. Each of those boxes comes with a $10K price tag, proving once more that selling security pays well.