Having just come across MaidStore and being very excited about its potential, I wanted to spur a discussion about its anonymity properties … particularly since the whistleblower use case is mentioned.
So would Snowden be safe in publishing highly sensitive documents to the network?
When we assume that:
- Our adversary can monitor any and all links between peers and can capture encrypted RUDP traffic for analysis.
- Controls a proportion of nodes on the network
This is my (probably flawed) understanding of how a document would be published by a whistleblower:
- Document is split into a number of chunks and encrypted
- a FIND_NODE operation is used to find the most appropriate node for each chunk
- the chunk is saved on the node with the STORE operation
During the FIND_NODE procedure, the whistleblower has revealed his IP address, and the fact that he is looking up a node for a certain ID, to his peers on Hop 1.
- These peers can build lists of (IP address, time, ID) to log all IPs involved in lookups for the sensitive document chunks
- The first IP address to look up a relevant ID may not be the whistleblower but may be a few hops away from him
- Coupled with our global passive adversary, this is dangerous.
- Adversary can perform network analysis, determining which peers were connected to whom during a specified time window.
- It could build a shortlist of IPs belonging to the whistleblower.
Of course during the STORE procedure, if one of the nodes is malicious they will know to be on the look-out for particular chunks that belong to the sensitive-leaked-document. If the whistleblower tries to STORE to a bad node, then he reveals his IP quite trivially.
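
An added sketch, not part of the original post and not the project's code, that estimates the exposure described above: the share of chunk lookups in which the publisher contacts at least one adversary-controlled node directly. It assumes a Kademlia-style iterative FIND_NODE with XOR distance, random routing tables and hash-derived chunk IDs; encryption is omitted and every parameter and the sample document are constructed.

```python
import hashlib
import random

ID_BITS = 16     # constructed: small ID space keeps the simulation fast
K, ALPHA = 8, 3  # assumed Kademlia-style parameters, not taken from the project

def chunk_ids(document, size=1024):
    """Split into chunks and derive one lookup ID per chunk (hash-derived IDs are an assumption)."""
    chunks = [document[i:i + size] for i in range(0, len(document), size)]
    return [int.from_bytes(hashlib.sha256(c).digest()[:ID_BITS // 8], "big") for c in chunks]

def find_node(bootstrap, target, tables):
    """Iterative lookup; returns every node the requester contacted directly."""
    dist = lambda p: p ^ target  # XOR distance to the target ID
    queried, shortlist = set(), sorted(bootstrap, key=dist)[:K]
    while True:
        todo = [p for p in shortlist if p not in queried][:ALPHA]
        if not todo:
            return queried
        for peer in todo:
            queried.add(peer)  # this peer can now log (requester IP, time, target)
            shortlist += sorted(tables[peer], key=dist)[:K]
        shortlist = sorted(set(shortlist), key=dist)[:K]

def exposure(document, n=200, bad_fraction=0.1, seed=1):
    """Fraction of chunk lookups in which at least one adversary node was contacted."""
    rng = random.Random(seed)
    ids = rng.sample(range(2 ** ID_BITS), n)
    bad = set(rng.sample(ids, int(n * bad_fraction)))
    tables = {i: rng.sample(ids, 2 * K) for i in ids}  # constructed random routing tables
    bootstrap = rng.sample(ids, 2 * K)                 # the publisher's own contacts
    targets = chunk_ids(document)
    hits = sum(1 for t in targets if find_node(bootstrap, t, tables) & bad)
    return hits / len(targets)

# Constructed 4 KiB sample document (four distinct 1 KiB chunks).
SAMPLE = b"".join(i.to_bytes(4, "big") for i in range(1024))

if __name__ == "__main__":
    for f in (0.0, 0.05, 0.2, 0.5):
        print(f"adversary fraction {f:.2f}: exposed lookups {exposure(SAMPLE, bad_fraction=f):.2f}")
```

Because the lookup modelled here is iterative, every queried node sees the requester directly; a design that relays lookups through intermediate hops would need a different model.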