
    Tarzan Overview

    Over the past decade, the Internet has seen explosive growth in both the number of users and the sheer quantity of available materials. This expansion has changed its role from the realm of academic research towards mainstream use. As more conventional activities are performed on the Internet every day, the potential becomes ever greater that personal information will be monitored and logged.

    The New Yorker magazine explained in a famous cartoon, "On the Internet, nobody knows you're a dog". Unfortunately, the opposite has become increasingly true. While people do not communicate face-to-face in this medium, identities can be assigned to Internet users nonetheless. Virtually every email a user sends, every post to a newsgroup, every purchase made online, and every World Wide Web page accessed can be monitored and logged by some third party. Furthermore, the growth of database use, the technological trend of cheaper and larger hard disk storage, and the increased speed of communications channels all provide the means for easier storage of personal information.

    In these ways, the Internet provides an improved means of forming personal dossiers on individuals. A collection of information from diverse sources, these dossiers may be created and used by a multitude of entities: governments, corporations, organizations, and other individuals.

    The lack of privacy for online activities is fairly obvious. Email headers include the routing paths of email messages, including DNS names and IP addresses. Commonly-used online chat applications such as ICQ and Instant Messenger divulge IP addresses. Web browsers also display user IP addresses; web servers can be configured to log this information, the servers that referred clients to it, and the frequency and times of user accesses. Cookies on a client's browser may be used to store and cross-link persistent user-information.

    But the Internet also offers the potential for greater personal privacy. Enabling technologies can bring privacy to areas and activities where that was previously impossible. Communications anonymity provides a means for reaching this goal. This type of anonymity "blinds" any information that may be divulged on a communications channel between any two or more parties.

    However, free services (in the sense of freely usable and extensible) for anonymous communications and transactions on the Internet are still relatively primitive. People continue to use the Mixmaster remailer system for anonymous communication despite latency, reliability, and software complexity problems. Academics who are trying to solve these problems are reluctant to begin deploying a system until all of the hard problems are solved; theoreticians appear willing to sacrifice efficiency to achieve some protection against very strong threat models. Companies such as ZKS and Anonymizer are tackling these problems from a commercial perspective, but their solutions must emphasize user convenience and experience, as well as creating centralized bottlenecks to maintain some control over the system. Furthermore, they end up paying money to maintain a robust reliable infrastructure from which to offer their service.

    The widespread increase in availability of bandwidth and processing power allows for another alternative: an infrastructure built out of volunteer peers. A robust free infrastructure which can anonymize any streaming connection (such as web browsing or file sharing) would benefit a wide array of current p2p systems, since the anonymous connection could seamlessly replace the current connection.

    The communication primitive in Tarzan works similarly to Onion Routing: it builds a layered block of asymmetric encryptions which describes a source-routed path through a set of nodes. This allows those nodes to build a virtual circuit, in which each node knows its predecessor and successor, but no others. Traffic flowing down the circuit is unwrapped by a symmetric key at each node. Specifically, this primitive allows for a forward anonymous channel: it can be used for any TCP communication from an anonymous host to an identified host.
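
    The layering described above, as an added example that is not part of the Tarzan code or the original page: the initiator wraps a source route innermost-first, and each relay peels one layer to learn only its successor. A SHA-256 XOR keystream stands in for both the asymmetric setup encryption and the per-hop symmetric cipher; the relay names, keys, JSON layer format and the delivery of the session key inside the setup layer are assumptions.

```python
import hashlib
import json

def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy cipher (NOT secure): XOR with SHA-256(key || byte offset)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

def build_setup_block(path, node_keys, session_keys, destination):
    """Initiator: wrap innermost-first so each layer names only the next hop."""
    block, next_hop = b"", destination
    for node in reversed(path):
        layer = {"next": next_hop, "key": session_keys[node].hex(),
                 "inner": block.hex()}
        block = xor_stream(node_keys[node], json.dumps(layer).encode())
        next_hop = node
    return block

def wrap_data(path, session_keys, payload):
    """Initiator: add one symmetric layer per hop, exit node's layer first."""
    for node in reversed(path):
        payload = xor_stream(session_keys[node], payload)
    return payload

def peel(node_key, block):
    """Relay: remove own setup layer; learn successor and session key only."""
    layer = json.loads(xor_stream(node_key, block))
    return layer["next"], bytes.fromhex(layer["key"]), bytes.fromhex(layer["inner"])

def run_circuit(first_hop, node_keys, block, cell):
    """Simulate forwarding; record the (predecessor, successor) each relay sees."""
    seen, prev, node = {}, "initiator", first_hop
    while block:
        nxt, session_key, block = peel(node_keys[node], block)
        cell = xor_stream(session_key, cell)  # strip this hop's data layer
        seen[node] = (prev, nxt)
        prev, node = node, nxt
    return seen, cell

# Constructed sample circuit (names and keys are illustrative assumptions).
PATH = ["relay-a", "relay-b", "relay-c"]
NODE_KEYS = {n: hashlib.sha256(b"node:" + n.encode()).digest() for n in PATH}
SESSION_KEYS = {n: hashlib.sha256(b"sess:" + n.encode()).digest() for n in PATH}

if __name__ == "__main__":
    block = build_setup_block(PATH, NODE_KEYS, SESSION_KEYS, "web.example:80")
    cell = wrap_data(PATH, SESSION_KEYS, b"GET / HTTP/1.0\r\n\r\n")
    print(run_circuit(PATH[0], NODE_KEYS, block, cell))
```

    Only the last relay's layer names the destination, and only the first relay's predecessor is the initiator, so no single relay sees both ends of the circuit.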

    The Tarzan design is motivated by what we consider a more realistic average-case threat model for Internet communications. A Chaumian MIX was designed to protect against a global passive observer, who may sniff every link in the network. Providing such protection requires cover traffic, mixing, and batching, all of which greatly reduce the efficiency, scalability, and practicality of the system. Instead of using a smaller number of MIX servers and many clients, we seek a system built of peers which all provide relay services. As we distribute this system across various jurisdictional and operational lines among thousands of peers or more, we posit that performing wide-spread passive observation is very difficult, virtually impossible for any except major governmental organizations and the like. We therefore choose not to implement any type of mixing in the Chaumian sense, nor timing delays and cover traffic.

    Instead, we defend against the threat model of a limited active adversary. Our adversary will be willing to create a variety of new misbehaving nodes, and will have a limited ability to be a passive or active adversary (e.g., by sniffing links, or by performing a "subpoena attack" with a court order for each node or small set of nodes). He will be unable (due to resources) or unwilling (due to legal constructs, such as wiretapping laws) to locate a significant number of hosts. As such, he will have no real resources to perform wide-spread traffic analysis.

    The ultimate goal of Tarzan is the widespread deployment of an anonymizing system based on peer-to-peer technology, so that the average Internet user can enjoy privacy and security on the 'Net.


Site last updated on June 12th, 2009.