diff options
author | Christian Grothoff <christian@grothoff.org> | 2019-04-20 21:45:25 +0200 |
---|---|---|
committer | Christian Grothoff <christian@grothoff.org> | 2019-04-20 21:45:25 +0200 |
commit | 32485c3b58983ada1943b3fa27eac3b0cff2a9da (patch) | |
tree | 1e439c5054194faef2f52a86f16a7c13f5f5aa20 /doc/handbook | |
parent | 5fab02b10baef639121723aacf3b1351e5db8003 (diff) | |
download | gnunet-32485c3b58983ada1943b3fa27eac3b0cff2a9da.tar.gz gnunet-32485c3b58983ada1943b3fa27eac3b0cff2a9da.zip |
try to address #5660:
Diffstat (limited to 'doc/handbook')
-rw-r--r-- | doc/handbook/chapters/keyconcepts.texi | 26 | ||||
-rw-r--r-- | doc/handbook/chapters/user.texi | 16 |
2 files changed, 26 insertions, 16 deletions
diff --git a/doc/handbook/chapters/keyconcepts.texi b/doc/handbook/chapters/keyconcepts.texi index 4b49a7ffb..4900ed328 100644 --- a/doc/handbook/chapters/keyconcepts.texi +++ b/doc/handbook/chapters/keyconcepts.texi | |||
@@ -15,7 +15,7 @@ The second part describes concepts specific to anonymous file-sharing. | |||
15 | * Accounting to Encourage Resource Sharing:: | 15 | * Accounting to Encourage Resource Sharing:: |
16 | * Confidentiality:: | 16 | * Confidentiality:: |
17 | * Anonymity:: | 17 | * Anonymity:: |
18 | * Deniability:: | 18 | * Deniability:: |
19 | * Peer Identities:: | 19 | * Peer Identities:: |
20 | * Zones in the GNU Name System (GNS Zones):: | 20 | * Zones in the GNU Name System (GNS Zones):: |
21 | * Egos:: | 21 | * Egos:: |
@@ -165,16 +165,20 @@ and Bart Preneel. Towards measuring anonymity. | |||
165 | (@uref{https://git.gnunet.org/bibliography.git/plain/docs/article-89.pdf, https://git.gnunet.org/bibliography.git/plain/docs/article-89.pdf})) | 165 | (@uref{https://git.gnunet.org/bibliography.git/plain/docs/article-89.pdf, https://git.gnunet.org/bibliography.git/plain/docs/article-89.pdf})) |
166 | that can help quantify the level of anonymity that a given mechanism | 166 | that can help quantify the level of anonymity that a given mechanism |
167 | provides, there is no such thing as "complete anonymity". | 167 | provides, there is no such thing as "complete anonymity". |
168 | |||
168 | GNUnet's file-sharing implementation allows users to select for each | 169 | GNUnet's file-sharing implementation allows users to select for each |
169 | operation (publish, search, download) the desired level of anonymity. | 170 | operation (publish, search, download) the desired level of anonymity. |
170 | The metric used is the amount of cover traffic available to hide the | 171 | The metric used is based on the amount of cover traffic needed to hide |
171 | request. | 172 | the request. |
172 | While this metric is not as good as, for example, the theoretical metric | 173 | |
173 | given in scientific metrics, | 174 | While there is no clear way to relate the amount of available cover |
174 | it is probably the best metric available to a peer with a purely local | 175 | traffic to traditional scientific metrics such as the anonymity set or |
175 | view of the world that does not rely on unreliable external information. | 176 | information leakage, it is probably the best metric available to a |
176 | The default anonymity level is @code{1}, which uses anonymous routing but | 177 | peer with a purely local view of the world, in that it does not rely |
177 | imposes no minimal requirements on cover traffic. It is possible | 178 | on unreliable external information or a particular adversary model. |
179 | |||
180 | The default anonymity level is @code{1}, which uses anonymous routing | ||
181 | but imposes no minimal requirements on cover traffic. It is possible | ||
178 | to forego anonymity when this is not required. The anonymity level of | 182 | to forego anonymity when this is not required. The anonymity level of |
179 | @code{0} allows GNUnet to use more efficient, non-anonymous routing. | 183 | @code{0} allows GNUnet to use more efficient, non-anonymous routing. |
180 | 184 | ||
@@ -192,7 +196,7 @@ In particular, we assume that the adversary can see all the traffic on | |||
192 | the Internet. And while we assume that the adversary | 196 | the Internet. And while we assume that the adversary |
193 | can not break our encryption, we assume that the adversary has many | 197 | can not break our encryption, we assume that the adversary has many |
194 | participating nodes in the network and that it can thus see many of the | 198 | participating nodes in the network and that it can thus see many of the |
195 | node-to-node interactions since it controls some of the nodes. | 199 | node-to-node interactions since it controls some of the nodes. |
196 | 200 | ||
197 | The system tries to achieve anonymity based on the idea that users can be | 201 | The system tries to achieve anonymity based on the idea that users can be |
198 | anonymous if they can hide their actions in the traffic created by other | 202 | anonymous if they can hide their actions in the traffic created by other |
@@ -235,7 +239,7 @@ Even if the user that downloads data and the server that provides data are | |||
235 | anonymous, the intermediaries may still be targets. In particular, if the | 239 | anonymous, the intermediaries may still be targets. In particular, if the |
236 | intermediaries can find out which queries or which content they are | 240 | intermediaries can find out which queries or which content they are |
237 | processing, a strong adversary could try to force them to censor | 241 | processing, a strong adversary could try to force them to censor |
238 | certain materials. | 242 | certain materials. |
239 | 243 | ||
240 | With the file-encoding used by GNUnet's anonymous file-sharing, this | 244 | With the file-encoding used by GNUnet's anonymous file-sharing, this |
241 | problem does not arise. | 245 | problem does not arise. |
diff --git a/doc/handbook/chapters/user.texi b/doc/handbook/chapters/user.texi index 37c5849ab..55518bc34 100644 --- a/doc/handbook/chapters/user.texi +++ b/doc/handbook/chapters/user.texi | |||
@@ -1054,8 +1054,17 @@ anonymity level of "1" means that anonymous routing is desired, but no | |||
1054 | particular amount of cover traffic is necessary. A powerful adversary | 1054 | particular amount of cover traffic is necessary. A powerful adversary |
1055 | might thus still be able to deduce the origin of the traffic using | 1055 | might thus still be able to deduce the origin of the traffic using |
1056 | traffic analysis. Specifying higher anonymity levels increases the | 1056 | traffic analysis. Specifying higher anonymity levels increases the |
1057 | amount of cover traffic required. While this offers better privacy, | 1057 | amount of cover traffic required. |
1058 | it can also significantly hurt performance. | 1058 | |
1059 | The specific numeric value (for anonymity levels above 1) is simple: | ||
1060 | Given an anonymity level L (above 1), each request FS makes on your | ||
1061 | behalf must be hidden in L-1 equivalent requests of cover traffic | ||
1062 | (traffic your peer routes for others) in the same time-period. The | ||
1063 | time-period is twice the average delay by which GNUnet artificially | ||
1064 | delays traffic. | ||
1065 | |||
1066 | While higher anonymity levels may offer better privacy, they can also | ||
1067 | significantly hurt performance. | ||
1059 | 1068 | ||
1060 | @node Content Priority | 1069 | @node Content Priority |
1061 | @subsubsection Content Priority | 1070 | @subsubsection Content Priority |
@@ -2324,6 +2333,3 @@ service offered by that peer, you can create an IP tunnel to | |||
2324 | that peer by specifying the peer's identity, service name and | 2333 | that peer by specifying the peer's identity, service name and |
2325 | protocol (--tcp or --udp) and you will again receive an IP address | 2334 | protocol (--tcp or --udp) and you will again receive an IP address |
2326 | that will terminate at the respective peer's service. | 2335 | that will terminate at the respective peer's service. |
2327 | |||
2328 | |||
2329 | |||