From: JMKELSEY@delphi.com
Date: Thu, 4 Jul 1996 14:29:05 +0800
To: cypherpunks@toad.com
Subject: Re: anonymous remailers
Message-ID: <01I6NJCHTC8Q91X6WG@delphi.com>
MIME-Version: 1.0
Content-Type: text/plain


-----BEGIN PGP SIGNED MESSAGE-----

[ To: cypherpunks ## Date: 07/02/96 03:35 pm ##
  Subject: Re: anonymous mailing lists ]

>Date: Fri, 28 Jun 1996 23:04:28 -0500 (CDT)
>From: ichudov@algebra.com (Igor Chudov @ home)
>Subject: Re: anonymous mailing lists

>How about this attack: suppose I want to find out who hides behind
>an alias MightyPig@alpha.c2.org and I have the ability to monitor
>all internet traffic. Then I simply start mailbombing that address
>and see whose account gets unusually high traffic volume.

Yes.  This is a simpler version.  The advantage of the attack I was
describing over this attack is that an attacker doesn't have to know
how to send messages to the recipient--just where the stream of
messages is originating.

>A nice, albeit quite expensive, way of pretection from traffic analysis
>is to create a mailing list (or a newsgroup) and forward all messages to
>all users of that mailing list or newsgroup. Of course, since messages
>are encrypted, only the recipients will be able to decrypt them.

The flaw here is that only a small number of people will be willing
to plow through any volume of messages at all, in order to
occasionally get a single readable message.  There are also some
potential problems with giving the right recipient a cheap way to
determine whether or not this message is for him, without giving
anyone else a cheap way to determine this.  (An application for
``Rabin for Paranoids,'' anyone?)

>This way the list of suspects is all subscribers of that list or
>newsgroup and there is no way to discriminate them.

If this is a small enough group, that may still be a problem.  And
the bandwidth and processing requirements are probably enough to
ensure that it's a small group.

>Instead of having messages to be sent to all recipients all the time,
>alpha.c2.org may be programmed so that it sends out every message not to
>only one recipient X, but to X and 20 other randomly selected people.

This makes the attack only a little harder.  If the other 20 are
selected randomly, then for a stream of many messages, only one
recipient will correlate properly with sender volume and timing.  If
it's the same 20 every time for a given receiver, then the attacker
will be able to narrow the recipient down to 20 people.  At that
point, he can use other techniques (wiretaps, black-bag jobs,
TEMPEST attacks, etc.) to make his final determination.

>	- Igor.

Note:  Please respond via e-mail as well as or instead of posting,
as I get CP-LITE instead of the whole list.

   --John Kelsey, jmkelsey@delphi.com / kelsey@counterpane.com
 PGP 2.6 fingerprint = 4FE2 F421 100F BB0A 03D1 FE06 A435 7E36

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMds0OUHx57Ag8goBAQFE8QP/ZWBP32mg2xdkcUrloFwruW+4L1bgY+Uk
CEGxngqarxQxTNAckF0vOzpbS5gtjrs6dlEOFIQGeEuF3UWxHeKUIoOejofBZ2vT
Htp/FT4x2xkfTFlgVE6GLyjE7bxK8DqfwH3ACAtbR4l+YwKQDNoInfpeFw0HKD40
jC/R8M7l0Lk=
=9uja
-----END PGP SIGNATURE-----