1996-09-09 - Re: Job for netescrow ? (was Secure anonymouse server protocol…

Header Data

From: peter.allan@aeat.co.uk (Peter M Allan)
To: peter.allan@aeat.co.uk
Message Hash: 3f123ebe1aa81431f5e45c45936dfe3c01a14edc5e2384682a4de5d2bb9870cf
Message ID: <9609091255.AA28353@clare.risley.aeat.co.uk>
Reply To: N/A
UTC Datetime: 1996-09-09 16:49:54 UTC
Raw Date: Tue, 10 Sep 1996 00:49:54 +0800

Raw message

From: peter.allan@aeat.co.uk (Peter M Allan)
Date: Tue, 10 Sep 1996 00:49:54 +0800
To: peter.allan@aeat.co.uk
Subject: Re: Job for netescrow ? (was Secure anonymouse server protocol...
Message-ID: <9609091255.AA28353@clare.risley.aeat.co.uk>
MIME-Version: 1.0
Content-Type: text/plain




Adam and Matt put my casual remark under the grill:

  Peter Allan <peter.allan@aeat.co.uk> writes on cpunks:

  > [Matt Blaze's  Oblivious Key Escrow paper]
     ftp://ftp.research.att.com/dist/mab/netescrow.ps
  >
  > This all hinges on a policy to be followed by archive holders defining
  > the conditions under which they release their shares.  
  > This could be receipt of a signed request from the owner (remailer).
  > 
  > Maybe the table relating nyms to reply addresses could be stored in
  > netescrow style so that captured remailers reveal nothing.  The problem
  > of operator coercion is not addressed by this.


Adam:
> Just to clarify, if I understand correctly you are proposing a penet
> style system with the database held in `netescrow'.

Yes.  What I had in mind resembled the split list scheme used at a church I
used to go to.  UK tax law has concessions for regular giving (Covenants, in the jargon)
and the church needed to know that comittments were being met.  At the same time it was
preferred not to know who was giving what.  This was done by having 2 lists eg

Namelist:  Mr J Smith  = member 999

Cashlist:  member 999 gives  1000 / month

If member 999 didn't give as planned, cashlist-holder could say to namelist-holder
"have a word with 999".

These were held by 2 people, trusted not to collude.  Also I suppose committee
reshuffles shouldn't put one person straight into the other post.

My idea was to replicate this split list so that

addrlist:  leukos.gleukos@c2.org  = index97b6150200000564
nymlist:   index97b6150200000564  = an0001002304000101@this.remailer

This would be altered for the remailer table as:

addlist: leukos.gleukos@c2.org            = index97b6150200000564
addlist: an0001002304000101@this.remailer = index97b6150200400281

and these 2 mappings would be escrowed:

index97b6150200000564 -> index97b6150200400281
index97b6150200400281 -> index97b6150200000564

(Or just escrow the _keys_ for the latter, as Matt first thought.)


>                        However the aim is not to prevent others
> censoring your publically available writings, but to allow a second
> avenue of access only in the case of `mob cryptography'.

The aim is to prevent a seized remailer having its data read.
The "angry mob cryptanalysis" is a side issue.


 >      If the police are unsucessful (seems likely) does this offer the
 >      operator much solice in his jail time for contempt of court, to
 >      know that he has a vote of confidence in the moral correctness of
 >      his decision from a population of the net?
    
 >      Does it offer him any legal benefit?  Are the share holders guilty
 >      of contempt also, does this lessen his guilt, and harshness of
 >      prosecution?  (Remember that the share holders' identity and
 >      location are unknown to the operator...
    
 >      I'm not sure how useful this part is, unless the possibility of
 >      `mob cryptography' is the desired feature.  I'd have thought an
 >      individual remailer operator would be more likely to fold than a
 >      group of anonymous crypto-anarchists.

I did say this didn't address operator coercion.  The widespread
cross-jurisdiction aspects of netescrow will be important here.

Capture of hardware without scope for operator coercion would be
protected against - but is an easy problem anyway.
    

 >  2.  You could add the twist of an alternative duress key, that would
 >      stand a real chance of successfully nuking the database.  More
 >      satisfying.
    

I was thinking of calling this the "shredder ticket" and giving it to
the sender (who can then distribute it to all remaining remailers without
needing to use the seized one).  This would depend on him realising that
the remailer was (about to be) seized, and would have to be done before
the enemy rounded up the shares.  [Incidentally I'm not that keen on
regarding the police as the enemy.  My mention of "angry mob cryptanalysis"
in the event of a crime was to show that it was not the ideal vehicle for
crime.  But then maybe I'm a statist pig.]


In any case it would be necessary to 

 >  3.  Negative comment on the system: TLAs have a vested interest in
 >      themselves being most of the share holders.  True of the ownership
 >      of the current remailers also of course.
 >  

The widespread cross-jurisdiction aspects of netescrow will be important here.
(Perhaps including compulsory cross-border secret reassembly. )

I was envisaging this being combined with Mixmaster.  (I see from your
Eternity post that you'd run a netescrow scheme that way.)  This gives
us "vertical integration"  a sort of "of the remailers, by the remailers
and for the remailers".  Careful design of message formats could make it
hard to tell the escrow mechanics from the traffic.  To mount this collusion
attack the TLAs would have to be part of the scheme - helping to pass most 
anonymous messages in order to trace some random ones, not necessarily those
they want to trace. (If there was nothing in it for them they wouldn't join.)

(Compare that to the current state quoted as near as I can remember from AC2
  "It seems reasonable to assume that the NSA can break any message that it
   intercepts, but not all messages")

It takes time to collect the shares and determine the next destination,
during this time the message is sat in a pool. (Is there scope for traffic
analysis in the fact that the average speed of messages will be lower
than that of shares ?)

With that in mind I was looking at the scope for cheating.

Cheating seems possible by:

1)  Collusion (as mentioned)

2)  Not releasing (valid) shares when requested
    This can be caught by traps.  The list of where the
    shares went is usually destroyed, but need not be.
    The shareholders are none the wiser, and when they get
    known for not releasing shares the remailer excludes them
    from future share issues.

3)  Flooding attacks - storing rubbish in escrow servers who
    are eventually forced to accept no more shares, or ditch
    some existing ones.  So far as I can see Matt's Netescrow
    scheme has exactly this problem.  Ecash payments might help.
    If existing shares are ditched the reply-ability will not last
    long.  You might get a message you can reply to for 2 weeks, but 
    no later.  Sender might resend periodically - a bit like following
    up an unanswered snail mail.

 >  At the same time it would provide an argument against GAK, all
 >  legitimate (in the publics eyes, what other opinions count, this is a
 >  democracy isn't it) law enforcement needs met.

As in the last sentence or so of the OKE paper.



Matt:
 >  My original idea for OKE was as a way to backup long-term,
 >  slow-changing sensitive data without also introducing a single point
 >  of failure for either security or availability.  The remailer model is
 >  a bit different, and I'm not sure it's a good fit, in particular
 >  because I haven't thought about the various new failure modes in this
 >  application.  But let me think ``out loud.''
 >  
 
 >  So can this scheme be improved upon?  Is there a better way to run a
 >  persistent-reply-address remailer?  These are interesting, and I think
 >  largely open, questions.



 -- Peter Allan    peter.allan@aeat.co.uk





Thread