From: jdd@aiki.demon.co.uk (Jim Dixon)
To: tcmay@netcom.com
Message Hash: 09ebb50c3df9799e7973006b2fd50bc249e73bc1c25b54884ab3448e1f8075af
Message ID: <4308@aiki.demon.co.uk>
Reply To: N/A
UTC Datetime: 1994-08-08 15:11:13 UTC
Raw Date: Mon, 8 Aug 94 08:11:13 PDT
From: jdd@aiki.demon.co.uk (Jim Dixon)
Date: Mon, 8 Aug 94 08:11:13 PDT
To: tcmay@netcom.com
Subject: Re: Latency vs. Reordering (Was: Remailer ideas (Was: Re: Latency vs. Reordering))
Message-ID: <4308@aiki.demon.co.uk>
MIME-Version: 1.0
Content-Type: text/plain
In message <199408080514.WAA28015@netcom7.netcom.com> "Timothy C. May" writes:
> Jim Dixon writes:
> (quoting Hal Finney)
> > > If this idea seems valid, it suggests that the real worth of a network of
> > > remailers is to try to assure that there are at least some honest ones
> > > in your path. It's not to add security in terms of message mixing; a
> > > single remailer seems to really provide all that you need.
> >
> > Yes, in an ideal world. Each additional remailer introduces another
> > chance of being compromised.
>
> No, I'm afraid you have this backwards. A remailer cannot introduce
> a chance of increase the chance of being compromised.
There are at least two models of remailer networks being kicked around.
In what I have called RemailerNet, if a gateway is compromised, then
some degree of traffic analysis is possible, and other parts of the
system become less secure.
Security increases when there are two remailers handling your traffic,
because then neither should know the identity of both sender and receiver.
Whether the addition of more intervening remailers increases the security
of the system in RemailerNet is a complex question.
In the second model of remailer networks, I also believe that using
more than two remailers and the random selection of remailers decreases
the security of the system if there is regular traffic between
correspondents. To argue this at all, one would need a much clearer
model with all of the assumptions spelled out in detail. For the
argument to be interesting, the model would have to be realistic.
My personal impression is that the second model is highly insecure
in cases where there is regular traffic between two parties and some
third party has significant resources.
--
Jim Dixon
Return to August 1994
Return to “jdd@aiki.demon.co.uk (Jim Dixon)”
1994-08-08 (Mon, 8 Aug 94 08:11:13 PDT) - Re: Latency vs. Reordering (Was: Remailer ideas (Was: Re: Latency vs. Reordering)) - jdd@aiki.demon.co.uk (Jim Dixon)