1996-06-15 - Hackerpunks and C2

Header Data

From: Ecafe Mixmaster Remailer <mixmaster@remail.ecafe.org>
To: cypherpunks@toad.com
Message Hash: 589810280250c52e003e82cb21f42d32aaa76dce6ec8a74f1542430b63301c1b
Message ID: <199606140215.CAA03053@avignon.hypereality.co.uk>
Reply To: N/A
UTC Datetime: 1996-06-15 03:19:18 UTC
Raw Date: Sat, 15 Jun 1996 11:19:18 +0800

Raw message

From: Ecafe Mixmaster Remailer <mixmaster@remail.ecafe.org>
Date: Sat, 15 Jun 1996 11:19:18 +0800
To: cypherpunks@toad.com
Subject: Hackerpunks and C2
Message-ID: <199606140215.CAA03053@avignon.hypereality.co.uk>
MIME-Version: 1.0
Content-Type: text/plain


[ Although this post deals, for concreteness, with a specific mailing list,
I hope that cypherpunks will appreciate how the problem alluded to points
out a weakness in C2's current nym scheme, which is especially exploitable
in the context of general nym based mailing lists being run via similar
servers. ] 

The proposal for a Hackerpunks nym based mailing list is interesting,
however, there are some concerns regarding the susceptibility of the list
to traffic analysis.

The contents of the list will clearly not be secret since anyone can create
a C2 nym and then subscribe. For a given bag of messages, B, let L(B)
denote the bag of the lengths of the messages in B. (A length, x, appearing
n times in L(B) if and only if there are n messages of length x in B.) Let
B_x denote the bag of messages that subscriber x receives. If for any two
subscribers, a and b, L(B_a)=L(B_b), then someone cooperating with many
ISPs could easily guess who was and was not subscribed to the list by
seeing if a customer received a bag of messages, M, with L(M)=L(the bag of
messages actually posted to the list). A solution to this might seem to be
to append to each message posted to the list a pad varying randomly in
length between each subscriber who was to receive a copy.  However, if the
list ownership ever feel into evil hands, the lengths of the pads could be
chosen non-randomly, and thus provide very convincing evidence that someone
receiving messages of the non-randomly chosen lengths was the owner of the
given nym.

There is also a concern that the owner of Hackerpunks could be discovered
with a traffic analysis similar to the one used to determine list
subscribers. This time, let P be the bag of messages (with padding deleted)
posted to the list. If someone were to watch to see if some node on the
Internet received a bag, I, with L(I)=L(P), then that person could guess
that that node had a user who was the owner of the Hackerpunks mailing
list. As before it would, of course, not help the owner of Hackerpunks to
ask their subscribers to help weaken this attack by padding their messages
to random lengths, since a malicious enemy could then determine a
non-random sequence of messages lengths and send the corresponding message
to owner of Hackerpunks for posting. This would only increase the
likelihood that a node receiving those messages had a user who was the
owner of the Hackerpunks mailing list. 

The solution to the two dilemmas seems to be to ask that the C2 re-mailing
code be modified so as ensure that each messages is padded to a fixed size
before encrypting and being sent through the reply block. On the other
hand, this would give away information that anyone receiving messages of
this fixed length was likely the owner of some C2 nym.





Thread