[tor-commits] [obfsproxy/master] Revise threat model doc to be descriptive, not aspirational
nickm at torproject.org
nickm at torproject.org
Thu Dec 29 16:07:32 UTC 2011
commit f53763c920f76be066ff7307810929949e361d60
Author: Nick Mathewson <nickm at torproject.org>
Date: Thu Dec 29 10:42:23 2011 -0500
Revise threat model doc to be descriptive, not aspirational
The idea is to describe the adversary we _do_ defeat, not the
adversary we _wish_ we could defeat.
---
doc/obfs2_threat_model.txt | 54 +++++++++++++++++++++++++++++--------------
1 files changed, 36 insertions(+), 18 deletions(-)
diff --git a/doc/obfs2_threat_model.txt b/doc/obfs2_threat_model.txt
index ed2c694..c13da2c 100644
--- a/doc/obfs2_threat_model.txt
+++ b/doc/obfs2_threat_model.txt
@@ -13,51 +13,69 @@
and is documented in the 'doc/protocol-spec.txt' file in the obfsproxy
distribution.
-1. Adversary capabilities and goals
+1. Adversary capabilities and non-capabilities
+
+ We assume a censor with limited per-connection resources.
The adversary controls the infrastructure of the network within and
at the edges of her jurisdiction, and she can potentially monitor,
block, alter, and inject trafï¬c anywhere within this region.
- The censor also holds a blacklist of network protocols, which she is
- interested in blocking.
+ However, the adversary's computational resources are limited.
+ Specifically, the adversary does not have the resources in her
+ censorship infrastructure to store very much long-term information
+ about any given IP or connection.
+
+ The adversary also holds a blacklist of network protocols, which she
+ is interested in blocking. We assume that the adversary does not have
+ a complete list of specific IPs running that protocol, though
+ preventing this is out-of-scope.
-2. Adversary attacks:
+2. The adversary's goals
- The censor passively monitors traffic and looks for content
- signatures, in an attempt to distinguish network protocols. Upon
- detecting a blacklisted protocol, the censor blocks the connection.
+ The censor wants to ban particular encrypted protocols or
+ applications, and is willing to tolerate some collateral damage, but
+ is not willing to ban all encrypted traffic entirely.
3. Goals of obfs2
+ Currently, most attackers in the category described above implement
+ their censorship by one or more firewalls that looking for protocol
+ signatures and block protocols matching those signatures. These
+ signatures are typically in the form of static strings to be matched
+ or regular expressions to be evaluated, over a packet or TCP flow.
+
obfs2 attempts to counter the above attack by removing content
signatures from network traffic. obfs2 encrypts the traffic stream
with a stream cipher, which results in the traffic looking uniformly
random.
-4. Discussion
+4. Non-goals of obfs2
-4.1. obfs2 shortcomings
+ obfs2 was designed as a proof-of-concept for Tor's pluggable
+ transport system: it is simple, useable and easily implementable. It
+ does _not_ try to protect against more sophisticated adversaries.
- obfs2 was designed as a pluggable transports proof-of-concept: it is
- simple, useable and easily implementable. It does _not_ try to protect
- against sophisticated adversaries:
-
- obfs2 does not try to protect against Tor protocol fingerprints, like
- the packet size or packet timing.
+ obfs2 does not try to protect against non-content protocol
+ fingerprints, like the packet size or timing.
obfs2 does not try to protect against attackers capable of measuring
traffic entropy.
- obfs2 does not try to protect against Deep Packet Inspection machines
- that expect the obfs2 protocol. Such machines can trivially retrieve
+ obfs2 (in its default configuration) does not try to protect against
+ Deep Packet Inspection machines that expect the obfs2 protocol and
+ have the resources to run it. Such machines can trivially retrieve
the decryption key off the traffic stream and use it to decrypt obfs2
and detect the Tor protocol.
+ obfs2 assumes that the underlying protocol provides (or does not
+ need!) integrity, confidentiality, and authentication; it provides
+ none of those on its own.
+
In other words, obfs2 does not try to protect against anything other
than fingerprintable TLS content patterns.
That said, obfs2 is not useless. It protects against many real-life
Tor traffic detection methods currentl deployed, since most of them
- use static SSL handshake strings as signatures.
+ currently use static SSL handshake strings as signatures.
More information about the tor-commits
mailing list