i2p.www/pages/how_threatmodel.html

<h1>Threatmodel</h1>
<p>
There are a great many other applications and projects working on anonymous 
communication and <B style="color:black;background-color:#ffff66">I2P</B> has been inspired by much of their efforts.  This is not 
a comprehensive list of anonymity resources - both freehaven's 
<a href="http://freehaven.net/anonbib/topic.html">Anonymity Bibliography</a>
and GNUnet's <a href="http://www.ovmj.org/GNUnet/links.php3">related projects</a> serve
that purpose well.  That said, a few systems stand out for further comparison:</p>

<UL>
<li> Morphmix and Tarzan
<li> TOR / Onion Routing
<li> Mixminion / Mixmaster
<li> Freenet
<li> JAP
</UL>

<H2>Morphmix and Tarzan</H2>

<i><a href="http://www.tik.ee.ethz.ch/~morphmix/">[Morphmix]</a> 
   <a href="http://www.pdos.lcs.mit.edu/tarzan/">[Tarzan]</a></i>

<p>
Morphmix and Tarzan are both fully distributed, peer to peer networks of 
anonymizing proxies, allowing people to tunnel out through the low latency 
mix network.  Morphmix includes some very interesting collusion detection 
algorithms and Sybil defenses, while Tarzan makes use of the scarcity of IP
addresses to accomplishs the same.  The two primary differences between 
these systems and <B style="color:black;background-color:#ffff66">I2P</B> are related to <B style="color:black;background-color:#ffff66">I2P's</B> <a href="/book/view/41?PHPSESSID=42d2b0545f243f2537476db228ce1636"><B style="color:black;background-color:#A0FFFF">threat </B><B style="color:black;background-color:#99ff99">model</B></a> 
and their out-proxy design (as opposed to providing both sender and receiver 
anonymity).  There is source code available to both systems, but we are not aware 
of their use outside of academic environments.</p>
<p>
Stealing quite directly from the Tarzan paper, the following includes a quick
comparison of Tarzan, Crowds, Onion Routing (OR), and <B style="color:black;background-color:#ffff66">I2P</B>:</p>

<img src="http://i2p.net/~jrandom/wiki/comparison.png">

<H2>TOR / Onion Routing</H2>

<i><a href="http://freehaven.net/tor/">[TOR]</a> 
   <a href="http://www.onion-router.net">[Onion Routing]</a></i>
<p>
TOR and Onion Routing are both anonymizing proxy networks, allowing people
to tunnel out through their low latency mix network.  The two primary 
differences between TOR / OnionRouting and <B style="color:black;background-color:#ffff66">I2P</B> are again related to differences
in the <B style="color:black;background-color:#A0FFFF">threat </B><B style="color:black;background-color:#99ff99">model</B> and the out-proxy design (though TOR is working to provide 
redevous points within the mix network, which will provide recipient anonymity).
In addition, these networks take the directory based approach - providing a 
centralized point to manage the overall 'view' of the network, as well as gather 
and report statistics, as opposed to <B style="color:black;background-color:#ffff66">I2P's</B> distributed 

<a href="/book/view/44?PHPSESSID=42d2b0545f243f2537476db228ce1636">network database</a> and <a href="/book/view/135?PHPSESSID=42d2b0545f243f2537476db228ce1636">peer selection</a>.</p>

<p>On the technical side, there are 5 main differences between TOR and <B style="color:black;background-color:#ffff66">I2P</B>:</p>
<ul>
 <li>TOR is centrally managed (trusted directories, only some people fully participate
     in the network with cover traffic) while <B style="color:black;background-color:#ffff66">I2P</B> is fully distributed.  This has serious
     anonymity implications for people using TOR that are not one of the TOR nodes,
     since a powerful attacker could determine your identity, or coerce the maintainer 
     of TOR's directory server to include untrustworthy nodes.</li>

 <li>TOR is circuit based (with reliable, ordered, bidirectional tunnels), while <B style="color:black;background-color:#ffff66">I2P</B>
     is packet based (with unreliable, unordered, unidirectional tunnels).  As with the
     TCP/IP separation, <B style="color:black;background-color:#ffff66">I2P</B> optionally adds TCL-like functionality on top of the packet
     based network by means of mihi's ministreaming library.</li>
 <li>TOR is low latency, while <B style="color:black;background-color:#ffff66">I2P</B> is variable latency (both ASAP and stop+go).  This will
     allow <B style="color:black;background-color:#ffff66">I2P</B> to provide a higher level of anonymity by blending the anonymity set of 
     different user bases together - for example, filesharing users and militants look 
     the same, though make use of different techniques to balance their own anonymity 
     and security needs)</li>

 <li>TOR is IP addressed, relying on the security of the IP layer for authenticating
     and securing the message delivery, while <B style="color:black;background-color:#ffff66">I2P</B> is cryptographically addressed.</li>
 <li>TOR is written in C on *nix (windows port w/ cygwin?), while <B style="color:black;background-color:#ffff66">I2P</B> is written in 
     Java and tested on *nix, windows, and macs</li>
</ul>

<H2>Mixminion / Mixmaster</H2>

<i><a href="http://mixminion.net/">[Mixminion]</a> 
   <a href="http://mixmaster.sourceforge.net/">[Mixmaster]</a></i>

<p>
Mixminion and Mixmaster are networks to support anonymous email against a very
powerful adversary.  <B style="color:black;background-color:#ffff66">I2P</B> aims to provide an adequate means to meet their <B style="color:black;background-color:#A0FFFF">threat
</B><B style="color:black;background-color:#99ff99">model</B> as we reach <B style="color:black;background-color:#ffff66">I2P</B> 3.0 along side the needs of low latency users, providing
a significantly larger anonymity set.  As with TOR and Onion Routing above, 
both Mixminion and Mixmaster take the directory based approach as well.</p>

<H2>Freenet</H2>

<i><a href="http://freenetproject.org/">[Freenet]</a></i>
<p>
Freenet is a fully distributed, peer to peer anonymous publishing network.  
As such, generic anonymous communication over it requires the use of the global
blackboard <B style="color:black;background-color:#99ff99">model</B> - storing data somewhere that the recipient will then check 
for a message.  Freenet also does not support the concept of user defined delays -
it stores and fetches data as quickly as it can, rather than queueing up, pooling,
delaying, and mixing the data, leaving a hole with regards to long term intersection
attacks.  In addition, there seem to be some performance issues that can arguably
be attributed to the global blackboard <B style="color:black;background-color:#99ff99">model</B> which will likely rule out interactive
low latency communication.</p>

<H2>JAP</H2>

<i><a href="http://anon.inf.tu-dresden.de/index_en.html">[JAP]</a></i>

<p>
JAP (Java Anonymous Proxy) is a network of mix cascades for anonymizing web requests,
and as such it has a few centralized nodes (participants in the cascade) that blend
and mix requests from clients through the sequence of nodes (the cascade) before 
proxying out onto the web.  The scope, <B style="color:black;background-color:#A0FFFF">threat </B><B style="color:black;background-color:#99ff99">model</B>, and security is substantially 
different from <B style="color:black;background-color:#ffff66">I2P</B>, but for those who don't require significant anonymity but still
are not satisfied with an Anonymizer-like service, JAP is worth reviewing.  One
caution to note is that anyone under the jurisdiction of the German courts may want
to take care, as the German Federal Bureau of Criminal Investigation (FBCI) has has 
successfully mounted an 
<a href="http://www.datenschutzzentrum.de/material/themen/presse/anonip3_e.htm">[attack]</a> 
on the network.  Even though the method of this attack was later found to be illegal 
in the German courts, the fact that the data was successfully collected is the 
concern.  Courts change their minds based upon circumstance, and this is evidence that 
if a government body or intelligence agency wanted to, they could gather the data, even 
if it may be found inadmissible in some courts later)
</p>
beginning of branch i2p.www.i2pwww 2004-07-06 20:39:18 +00:00			`<h1>Threatmodel</h1>`
			`<p>`
			`There are a great many other applications and projects working on anonymous`
			`communication and <B style="color:black;background-color:#ffff66">I2P</B> has been inspired by much of their efforts. This is not`
			`a comprehensive list of anonymity resources - both freehaven's`
			`<a href="http://freehaven.net/anonbib/topic.html">Anonymity Bibliography</a>`
			`and GNUnet's <a href="http://www.ovmj.org/GNUnet/links.php3">related projects</a> serve`
			`that purpose well. That said, a few systems stand out for further comparison:</p>`

			`<UL>`
			`<li> Morphmix and Tarzan`
			`<li> TOR / Onion Routing`
			`<li> Mixminion / Mixmaster`
			`<li> Freenet`
			`<li> JAP`
			`</UL>`

			`<H2>Morphmix and Tarzan</H2>`

			`<i><a href="http://www.tik.ee.ethz.ch/~morphmix/">[Morphmix]</a>`
			`<a href="http://www.pdos.lcs.mit.edu/tarzan/">[Tarzan]</a></i>`

			`<p>`
			`Morphmix and Tarzan are both fully distributed, peer to peer networks of`
			`anonymizing proxies, allowing people to tunnel out through the low latency`
			`mix network. Morphmix includes some very interesting collusion detection`
			`algorithms and Sybil defenses, while Tarzan makes use of the scarcity of IP`
			`addresses to accomplishs the same. The two primary differences between`
			`these systems and <B style="color:black;background-color:#ffff66">I2P</B> are related to <B style="color:black;background-color:#ffff66">I2P's</B> <a href="/book/view/41?PHPSESSID=42d2b0545f243f2537476db228ce1636"><B style="color:black;background-color:#A0FFFF">threat </B><B style="color:black;background-color:#99ff99">model</B></a>`
			`and their out-proxy design (as opposed to providing both sender and receiver`
			`anonymity). There is source code available to both systems, but we are not aware`
			`of their use outside of academic environments.</p>`
			`<p>`
			`Stealing quite directly from the Tarzan paper, the following includes a quick`
			`comparison of Tarzan, Crowds, Onion Routing (OR), and <B style="color:black;background-color:#ffff66">I2P</B>:</p>`

			`<img src="http://i2p.net/~jrandom/wiki/comparison.png">`

			`<H2>TOR / Onion Routing</H2>`

			`<i><a href="http://freehaven.net/tor/">[TOR]</a>`
			`<a href="http://www.onion-router.net">[Onion Routing]</a></i>`
			`<p>`
			`TOR and Onion Routing are both anonymizing proxy networks, allowing people`
			`to tunnel out through their low latency mix network. The two primary`
			`differences between TOR / OnionRouting and <B style="color:black;background-color:#ffff66">I2P</B> are again related to differences`
			`in the <B style="color:black;background-color:#A0FFFF">threat </B><B style="color:black;background-color:#99ff99">model</B> and the out-proxy design (though TOR is working to provide`
			`redevous points within the mix network, which will provide recipient anonymity).`
			`In addition, these networks take the directory based approach - providing a`
			`centralized point to manage the overall 'view' of the network, as well as gather`
			`and report statistics, as opposed to <B style="color:black;background-color:#ffff66">I2P's</B> distributed`

			`<a href="/book/view/44?PHPSESSID=42d2b0545f243f2537476db228ce1636">network database</a> and <a href="/book/view/135?PHPSESSID=42d2b0545f243f2537476db228ce1636">peer selection</a>.</p>`

			`<p>On the technical side, there are 5 main differences between TOR and <B style="color:black;background-color:#ffff66">I2P</B>:</p>`
			`<ul>`
			`<li>TOR is centrally managed (trusted directories, only some people fully participate`
			`in the network with cover traffic) while <B style="color:black;background-color:#ffff66">I2P</B> is fully distributed. This has serious`
			`anonymity implications for people using TOR that are not one of the TOR nodes,`
			`since a powerful attacker could determine your identity, or coerce the maintainer`
			`of TOR's directory server to include untrustworthy nodes.</li>`

			`<li>TOR is circuit based (with reliable, ordered, bidirectional tunnels), while <B style="color:black;background-color:#ffff66">I2P</B>`
			`is packet based (with unreliable, unordered, unidirectional tunnels). As with the`
			`TCP/IP separation, <B style="color:black;background-color:#ffff66">I2P</B> optionally adds TCL-like functionality on top of the packet`
			`based network by means of mihi's ministreaming library.</li>`
			`<li>TOR is low latency, while <B style="color:black;background-color:#ffff66">I2P</B> is variable latency (both ASAP and stop+go). This will`
			`allow <B style="color:black;background-color:#ffff66">I2P</B> to provide a higher level of anonymity by blending the anonymity set of`
			`different user bases together - for example, filesharing users and militants look`
			`the same, though make use of different techniques to balance their own anonymity`
			`and security needs)</li>`

			`<li>TOR is IP addressed, relying on the security of the IP layer for authenticating`
			`and securing the message delivery, while <B style="color:black;background-color:#ffff66">I2P</B> is cryptographically addressed.</li>`
			`<li>TOR is written in C on *nix (windows port w/ cygwin?), while <B style="color:black;background-color:#ffff66">I2P</B> is written in`
			`Java and tested on *nix, windows, and macs</li>`
			`</ul>`

			`<H2>Mixminion / Mixmaster</H2>`

			`<i><a href="http://mixminion.net/">[Mixminion]</a>`
			`<a href="http://mixmaster.sourceforge.net/">[Mixmaster]</a></i>`

			`<p>`
			`Mixminion and Mixmaster are networks to support anonymous email against a very`
			`powerful adversary. <B style="color:black;background-color:#ffff66">I2P</B> aims to provide an adequate means to meet their <B style="color:black;background-color:#A0FFFF">threat`
			`</B><B style="color:black;background-color:#99ff99">model</B> as we reach <B style="color:black;background-color:#ffff66">I2P</B> 3.0 along side the needs of low latency users, providing`
			`a significantly larger anonymity set. As with TOR and Onion Routing above,`
			`both Mixminion and Mixmaster take the directory based approach as well.</p>`

			`<H2>Freenet</H2>`

			`<i><a href="http://freenetproject.org/">[Freenet]</a></i>`
			`<p>`
			`Freenet is a fully distributed, peer to peer anonymous publishing network.`
			`As such, generic anonymous communication over it requires the use of the global`
			`blackboard <B style="color:black;background-color:#99ff99">model</B> - storing data somewhere that the recipient will then check`
			`for a message. Freenet also does not support the concept of user defined delays -`
			`it stores and fetches data as quickly as it can, rather than queueing up, pooling,`
			`delaying, and mixing the data, leaving a hole with regards to long term intersection`
			`attacks. In addition, there seem to be some performance issues that can arguably`
			`be attributed to the global blackboard <B style="color:black;background-color:#99ff99">model</B> which will likely rule out interactive`
			`low latency communication.</p>`

			`<H2>JAP</H2>`

			`<i><a href="http://anon.inf.tu-dresden.de/index_en.html">[JAP]</a></i>`

			`<p>`
			`JAP (Java Anonymous Proxy) is a network of mix cascades for anonymizing web requests,`
			`and as such it has a few centralized nodes (participants in the cascade) that blend`
			`and mix requests from clients through the sequence of nodes (the cascade) before`
			`proxying out onto the web. The scope, <B style="color:black;background-color:#A0FFFF">threat </B><B style="color:black;background-color:#99ff99">model</B>, and security is substantially`
			`different from <B style="color:black;background-color:#ffff66">I2P</B>, but for those who don't require significant anonymity but still`
			`are not satisfied with an Anonymizer-like service, JAP is worth reviewing. One`
			`caution to note is that anyone under the jurisdiction of the German courts may want`
			`to take care, as the German Federal Bureau of Criminal Investigation (FBCI) has has`
			`successfully mounted an`
			`<a href="http://www.datenschutzzentrum.de/material/themen/presse/anonip3_e.htm">[attack]</a>`
			`on the network. Even though the method of this attack was later found to be illegal`
			`in the German courts, the fact that the data was successfully collected is the`
			`concern. Courts change their minds based upon circumstance, and this is evidence that`
			`if a government body or intelligence agency wanted to, they could gather the data, even`
			`if it may be found inadmissible in some courts later)`
			`</p>`