Abstract
We evaluate the anonymity provided by two popular email mix implementations, Mixmaster and Reliable, and compare their effectiveness through the use of simulations which model the algorithms used by these mixing applications. Our simulations are based on actual traffic data obtained from a public anonymous remailer (mix node). We determine that assumptions made in previous literature about the distribution of mix input traffic are incorrect: in particular, the input traffic does not follow a Poisson distribution. We establish for the first time that a lower bound exists on the anonymity of Mixmaster, and discover that under certain circumstances the algorithm used by Reliable provides no anonymity. We find that the upper bound on anonymity provided by Mixmaster is slightly higher than that provided by Reliable.
We identify flaws in the software in Reliable that further compromise its ability to provide anonymity, and review key areas that are necessary for the security of a mix in addition to a sound algorithm. Our analysis can be used to evaluate under which circumstances the two mixing algorithms should be used to best achieve anonymity and satisfy their purpose. Our work can also be used as a framework for establishing a security review process for mix node deployments.
Chapter PDF
Similar content being viewed by others
Keywords
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.
References
Ben-Halim, Z., Raymond, E., Pfeifer, J., Dickey, T.: Ncurses
Cox, M., Engelschall, R., Henson, S., Laurie, B.: The OpenSSL Project
Chaum, D.: Untraceable electronic mail, return addresses, and digital pseudonyms. Communications of the ACM 4(2), 84–88 (1981)
Microsoft Corporation. Visual basic language reference–Rnd function. MSDN Library
Cottrell, L.: Mixmaster and remailer attacks
Cottrell, L.: Announcement: Mixmaster 2.0 remailer release! Usenet post (May 1995)
Danezis, G., Dingledine, R., Mathewson, N.: Mixminion: Design of a Type III Anonymous Remailer Protocol. In: Proceedings of the 2003 IEEE Symposium on Security and Privacy (May 2003)
Deutsch, P., Gailly, J.-L.: ZLIB Compressed Data Format Specification version 3.3. Request for Comments: 1950 (May 1996)
Diaz, C., Preneel, B.: Reasoning about the anonymity provided by pool mixes that generate dummy traffic. In: Fridrich, J. (ed.) IH 2004. LNCS, vol. 3200, pp. 309–325. Springer, Heidelberg (2004)
Danezis, G., Sassaman, L.: Heartbeat traffic to counter (n-1) attacks. In: Proceedings of the Workshop on Privacy in the Electronic Society (WPES 2003), Washington, DC, USA (October 2003)
Serjantov, A., Dingledine, R., Syverson, P.: From a trickle to a flood: Active attacks in several mix types. In: Petitcolas, F.A.P. (ed.) IH 2002. LNCS, vol. 2578, pp. 36–52. Springer, Heidelberg (2003)
Diaz, C., Serjantov, A.: Generalising mixes. In: Dingledine, R. (ed.) PET 2003. LNCS, vol. 2760, pp. 18–31. Springer, Heidelberg (2003)
Diaz, C., Seys, S., Claessens, J., Preneel, B.: Towards measuring anonymity. In: Dingledine, R., Syverson, P.F. (eds.) PET 2002. LNCS, vol. 2482, pp. 54–68. Springer, Heidelberg (2003)
Goldberg, I., Wagner, D.: Randomness and the Netscape browser. Dr. Dobb’s Journal (January 1996)
Hazel, P.: Perl compatible regular expressions
Kesdogan, D., Egner, J., Büschkes, R.: Stop-and-go MIXes: Providing probabilistic anonymity in an open system. In: Aucsmith, D. (ed.) IH 1998. LNCS, vol. 1525, p. 83. Springer, Heidelberg (1998)
U lf Möller. Personal communication. Private email to Len Sassaman (August 2002)
Möller, U., Cottrell, L., Palfrader, P., Sassaman, L.: Mixmaster Protocol – Version 2 (July 2004), http://www.abditum.com/mixmaster-spec.txt
Pfitzmann, A., Kohntopp, M.: Anonymity, unobservability and pseudonymity – a proposal for terminology. In: Designing Privacy Enhancing Technologies: Proceedings of the International Workshop on the Design Issues in Anonymity and Observability, July 2000, pp. 1–9 (2000)
RProcess. Selective denial of service attacks. Usenet post (September 1999)
Sassaman, L.: The promise of privacy. In: LISA XVI (November 2002) (invited talk)
Serjantov, A., Danezis, G.: Towards an information theoretic metric for anonymity. In: Dingledine, R., Syverson, P.F. (eds.) PET 2002. LNCS, vol. 2482, pp. 41–53. Springer, Heidelberg (2003)
Thayer, R.: SlimJim: shared library shimming for password harvesting. Presentation, ToorCon (September 2003)
Thompson, K.: Reflections on trusting trust. Communications of the ACM 27(8) (August 1984)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2004 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Díaz, C., Sassaman, L., Dewitte, E. (2004). Comparison Between Two Practical Mix Designs. In: Samarati, P., Ryan, P., Gollmann, D., Molva, R. (eds) Computer Security – ESORICS 2004. ESORICS 2004. Lecture Notes in Computer Science, vol 3193. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-30108-0_9
Download citation
DOI: https://doi.org/10.1007/978-3-540-30108-0_9
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-22987-2
Online ISBN: 978-3-540-30108-0
eBook Packages: Springer Book Archive