[p2p-hackers] censorship resistance and anonymity (was: newbie mnet
zooko at zooko.com
Sun Sep 26 12:04:11 UTC 2004
I'm going to move this discussion from mnet-devel to p2p-hackers, even
though p2p-hackers has grown to 724 subscribers and it is intimidating
to disturb the peace of so many e-mail addresses. Because what is this
the list for, then, if it is so big, and so full of prestigious
researchers, that no one dare post to it? --Zooko
On 2004, Jul 11, zooko at zooko.com wrote:
>> Personally, I think that the basic Freenet concept of achieving
>> anonymity by combining forwarding with routing (with the filesystem)
>> is flawed. In my opinion, even if Freenet's latest design (NGrouting
>> with erasure coding) can be made to perform well, the anonymity
>> achieved will still be minimal -- i.e. it will provide anonymity only
>> against very limited attackers.
>> Mnet does not attempt to provide anonymity. As I've said, I think it
>> would be a mistake to attempt to do that in the same layer as routing
>> and the filesystem. It could be provided in a lower layer in one of
>> two ways:
>> 1. The "one-hop privacy" approach, which means implementing an
>> anonymous routing system in EGTP (Mnet's communications layer).
>> 2. Using an anonymous routing system that someone else has developed,
>> such as MixMinion or Tor:
On 2004, Sep 26, at 02:38, seberino at spawar.navy.mil wrote:
> I've been thinking more about p2p systems and our conversation.
> Correct me if I'm wrong but it seems like Freenet is
> the only project I know of that is doing the
> original job of trying to provide a censor proof/attack proof/
> anonymous p2p system.
> I agree with your idea that MixMinion is potentially
> a great way to add anonymity to a p2p system. However, I think
> Freenet goes a few steps farther in that in addition to not knowing
> who the authors are, they try to prevent you from even knowing *where*
> something is stored. Who cares? If a system *only* provided anonymity
> it would still be censorable if someone could find out where
> objectionable content was stored and attack it somehow.
> In this sense, I'm thinking Freenet is in a class all it's own.
> Everything else seems like "just another file sharing system".
> I could be wrong but to me Freenet now is looking like the p2p system
> to work on. I would appreciate hearing your opinions on these matters.
This is a good question! (By which I mean: I have to actually think in
order to answer this one.)
I'm thinking about the difference between "censorship resistance" and
Mnet current attempts censorship resistance without anonymity. An
attacker who wants to delete a file from Mnet needs to overcomes the
erasure coding and the tendency of nodes to replicate data blocks.
Freenet also includes those two defenses, plus it attempts to hide the
identity of the server from the attacker.
MixMinion provides two kinds of anonymity: sender anonymity and
recipient anonymity. They are very different, because if you are going
to send a message to an anonymous recipient, you must first acquire a
cryptographic blob that enables your message to route to him without
enabling you to track him down. That's tricky! But MixMinion does a
pretty good job of it, while paying a price in increased complexity,
latency, and rates of packet loss.
In a hypothetical Mnet+MixMinion (which I'll call "M+MM") if the Mnet
nodes used recipient-anonymity then they would have the same kind of
protection that Freenode nodes have except that their anonymity would
be stronger (see below) and their communications less efficient.
Why would M+MM nodes have stronger recipient-anonymity than Freenet
nodes have? At the risk of over-simplifying, MixMinion is designed to
withstand an attacker with more points of attack, and at lower levels
of the network protocol stack. Freenet is designed to provide
anonymity against an attacker who runs Freenet nodes. MixMinion is
designed to provide anonymity against an attacker who runs many of the
IP routers than your nodes use for their Internet service (in addition
to running MixMinion nodes)
The reason that such an attacker can penetrate the recipient-anonymity
of Freenet is that he can do traffic analysis -- he can observe the
timing and patterns of messages that pass among Freenet nodes, even if
he doesn't know the contents of most of them. For example, if there is
an attacker who has packet sniffers on the right IP routers, then he
can inject a request for a file into the Freenet network by sending the
request to Freenet node 1. Then he simply watches and sees what
happens next. If Freenet node 1 sends a message back containing the
file, without having exchanged messages with anyone else in the
interim, then he knows for certain that Freenet node 1 is storing a
copy of that file. If Freenet node 1 instead sends a message to
Freenet node 2, then he has to see what Freenet node 2 does.
Anonymity researchers have developed extensive understanding of how
such traffic analysis attacks can strip away the anonymity from mixes
such as Freenet, even when those mixes use sophisticated and expensive
countermeasures which Freenet currently does not. 
So I think the bottom line on the question of integration versus
layering of censorship resistance is that the Freenet concept of
"anonymity as censorship resistance" can be understood as
"recipient-anonymity for the servers that store data and respond to
requests for that data". That feature could be implemented with a
separate anonymity layer as long as the anonymity layer offers
I would love to know if I've missed anything important in that analysis.
Even if you, seberino, still think that Freenet's integrated
filesystem/anonymity/censorship-resistance layer is the way to go, that
doesn't mean Freenet is the only current project that you can work on.
Freenet has inspired several similar projects such as AntsP2P and Mute
. I haven't looked into them and know little other than that they
are new and are somewhat inspired by Freenet. There is also, of
course, GNUnet . It is not new, and it does integrate anonymity,
censorship resistance, and file-system. There are also the other
systems that we have discussed before. If you've investigated some of
them and want to report on what you've learned I would love to hear it.
This is not to say that you shouldn't work on Freenet! Of course you
should. Freenet is a good project.
More information about the P2p-hackers