1995-01-28 - Re: Secure (!?) Remailer Net

Header Data

From: Hal <hfinney@shell.portal.com>
To: cypherpunks@toad.com
Message Hash: 0360d1b90485822852a194bc6bc1708ea4d3946a82711837650faacdc79240c8
Message ID: <199501281951.LAA03940@jobe.shell.portal.com>
Reply To: N/A
UTC Datetime: 1995-01-28 19:51:43 UTC
Raw Date: Sat, 28 Jan 95 11:51:43 PST

Raw message

From: Hal <hfinney@shell.portal.com>
Date: Sat, 28 Jan 95 11:51:43 PST
To: cypherpunks@toad.com
Subject: Re:  Secure (!?) Remailer Net
Message-ID: <199501281951.LAA03940@jobe.shell.portal.com>
MIME-Version: 1.0
Content-Type: text/plain


-----BEGIN PGP SIGNED MESSAGE-----

From: Nathan Zook <nzook@bga.com>
>     The traffic analysis that we've seen so far mainly just documents
> tcmay's "everybody a remailer" concept.  If you look, you will notice that
> these analyses all assume that Alice and Bob are _not_ remailers
> themselves, and for a good reason.  If Alice and Bob _are_ remailers,
> analysis of the type used here is worthless, especially if Alice and Bob
> have a policy of not sending any mail unless they first receive garbage,
> and of sending out garbage whenever they get a letter.

Realistically, though, everybody is not a remailer, and there are no
prospects of everybody becoming a remailer anytime soon, so the analyses
of Wei and others are certainly relevant.

>     HOWEVER, the analysis makes another assumption--that messages are
> indistinguishable.  This assumption does not correlate, as I understand it,
> with the current remailer net.

Mixmaster is supposed to do splitting and, I think, padding.  I hope to
have time to look at it soon.  It sounds very good.

>     First, the message is signed with the sender's key.  (More on that
> later.)

I did not see why this should be done.

>     Suppose a signed message to be forwarded is smaller than the standard
> packet size.  The sending remailer adds a Cutmarks:  header.  At the end of
> the message, the cutmark is added, followed by sufficient garbage to fill
> out the standard packet size.  The message is then pgp'ed to the recipent
> _with COMPRESS = OFF_.

A better approach IMO is to embed the message length in the encrypted
information (as PGP does) and pad with cryptographic random garbage
(which PGP could be patched to do).

>     Upon receipt, the message is decrypted, and its origination can then be
> triply verified (at least).  From: line, packet size, and PGP signature.
> Since the message claims to be from a packeting remailer, the packet size
> should be the standard one.  The recipient now has the message that was
> sent to it.  This message is probably itself encrypted, so it can be
> handled (almost) as if this message were just received.  This includes
> stripping the garbage and (probably) decrypting the message to get the
> forwarding information.

Why does the remailer care where the message came from?  What difference
does that make?  I can see the final recipient caring about the original
sender, so a PGP sig makes sense at that level, but why at each hop?

>     Note that this system would allow the extropian remailer to be
> compatible with Matt Ghio's alias system.  (Right now, the remailer doesn't
> like separate pgp packets, or packets it can't read, or something.) Under
> the current system, the precausion is entirely warranted.

I don't think so.  The problem with Miron's extropy remailer is that it
only passes through the contents of a PGP block.  For anonymous addresses
to work, the (chained,encrypted) address must be in a PGP block which
precedes the message body.  I don't see how any cutmarks idea would
affect this.

>     To make life even more fun, there is no good reason that non-remailers
> cannot be in on the action!  Alice, sending to Bob through Chaum, pretends
> to be a remailer.  That is, she prepares her message to Bob, (encrypted),
> and adds the Request-Remailing-To:  Bob@nowhere.org, and signs it.  She
> then observes that the message is too small, so she adds the Cutmarks:
> header, etc.  When Chaum receives the packet, he opens it, removes the
> cutmarks, and sees a signature he does not know.  Chaum then sends a
> request to pgp-key-server@omniscient.gov for the key, and holds the message
> until he gets it.  He then compares the address and name on the key
> recieved to the message.  The signature is good, so he is ready to send the
> packet to Bob.

Again, why does the remailer go to all this trouble to verify a
signature from Alice?  That sig is for Bob!  She may not even want to
post her public key for everyone; Bob may be the only one who has it.  I
don't understand why the remailer, which exists to hide identities, is
going to such trouble to verify them on its own.

> But Bob can be in on the game as well, since there is no
> reason that he cannot handle the Cutmarks:, the signature, and the nested
> encryption.  In fact, Alice could include a copy of Bob's key in the
> message for Chaum to use, after a Recipient-Key:  header.

Alice is the one who should encrypt the message for Bob, not the
remailer!  Are you suggesting that she should let the remailer see the
message contents?

> Bob can also
> verify that the message was actually routed through Chaum.

Why on earth does he care?  I really don't see what problem you are
solving here with all this checking.

> If Chaum is
> concerned that, at some future time, Eve might supeona his key ring in
> order to demonstrate that Alice and Bob are using Chaum, Chaum can
> alternately request keys that he does not need from the servers, and delete
> (older) keys in the ring.

Eve would be more likely to subpoena Chaum's secret key ring.  A public
key ring proves nothing.

>     In other words, if all the remailers can handle nested pgp packets and
> cutmarks, we are close to moving all small messages to a standard size.

This mostly makes sense (although as I said I prefer simply enhancing the
crypto program to take a parameter for output pad size) but I don't see
where all the rest of it came from.

>     What if the file is too big?
>  
>     If the file is too big, break it in pieces.  We need a header,
> Multipart Message:  n of m.  Note that since this is assumed to be _inside_
> a pgp wrapper, it is secure.  The recipient could hold and merge the files
> as needed.  If the message to be forwarded is too big, split and continue.
> Since the messages are ascii armored, the split/combine protocal is to
> concatenate.  Message parts could be made equal size to minimize the chance
> of a message barely bumping over the limit as it moves.  Of course, Alice
> could break her message to Bob directly, but we cannot assume that all
> would do this for us.

I believe Mixmaster provides a client mode to do this.  I prefer putting
more functionality in the hands of the users and not relying on kindly
old Uncle Remailer to do it for you.

>     This also means that if Alice sends a message to Bob in the clear
> through Chaum, and David, that the message will be encrypted from Chaum to
> David.  Thus, if Eve wants to know which message from Chaum to David is the
> one from Alice to Bob, (perhaps to know that it is _not_ the message from
> Frank she is interested in) she knows only that it was one of the messages
> from Chaum to David after Chaum got the message from Alice, and before
> David sent it to Bob.  While Chaum and David can both read the message, it
> still provides mixing capabilites inside the remailer net itself, and thus,
> some protection to Frank.  (Who apparently needs the help.)

This is a commonly made suggestion, but philosophically I am opposed.  We
got into this fix (lack of privacy) by letting people rely on others to
do things for them.  It's time for people to take responsibility on their
own.  The kind of thing you are suggesting provides the illusion of
privacy.  Never trust remailer operators!

>     A word on remailer keys:  Since pgp uses square-and-multiply for
> exponentiation, we see that the amount of work needed to sign a message is
> d(m) * (d(e) + o(e)) where d(m) is the digits of the modulous, d(e) digits
> of the exponent, and o(e) is the number of ones in e.  (I don't remember
> the technical term.) Since the public key is small, each of the parts of
> the private key will be large, BUT, there is no reason to assume that we
> cannot get lucky, and find an m such that d(e) + o(e) is much smaller than
> expected, (d(m) * 3/2, roughly) thus greatly reducing the system demand of
> the remailer.  In fact, it might be possible to move to 768-bit keys for
> those that have kept their sizes down in the past.  If pgp handles each
> prime separately, we look for a double-lucky modulous.  (And a source of
> random numbers that does not involve striking keys!)

Since the secret key d is effectively a random number from 0 to m, you
would have to create, say, 1000 key pairs to have a good chance of
finding a d that was as much as 10 bits shorter than m.  Then o(d) might
be 5 bits shorter.  So you'd be done from 768+384 to 758+379 or about a
1% reduction in time.  And it will take a while to generate 1000 keys.
To get a 2% reduction you would have to generate 1000000 keys.  I hope
you have a lot of time on your hands.

I'm sorry to have been so negative, but this message is part of a long
tradition advocating putting more responsibility into the remailer net.
I strongly feel that better solutions put power into the users' hands.
I oppose centralized solutions.

Hal

-----BEGIN PGP SIGNATURE-----
Version: 2.6

iQBVAwUBLyqgIRnMLJtOy9MBAQF1YAH/Yu68NkN0NnbCTfxDoGm4oc6lCs+dCp6V
pmjinw8zdwBM133eAaaorjtW0KhEvBNMGQTFHeiGJTOt94bE8ELB5g==
=owIt
-----END PGP SIGNATURE-----





Thread