Upgrading Mixminion
I've recently spent some time playing with Mixminion for a project that a student and I are working on. Mixminion is a third-generation remailer project developed by George Danezis, Roger Dingledine, and Nick Mathewson. Their paper on the protocol for Mixminion is located here. Mixminion is the third generation after the Cypherpunk anonymous remailer, and the Mixmaster anonymous remailer (in this numbering scheme, version 0 was the penet remailer). There have also been a few other attempts along the way to provide these kind of high-latency mix networks that have either been broken, not achieved wide popularity, or not yet implemented.
Mixminion has been neglected for a long time. Development efforts essentially ceased in late 2007 or early 2008. The primary developers moved on to play key roles in the creation of that well-known and quite successful low-latency onion network, the Tor network. On the one hand, that's a good thing because Tor has certainly benefited from their stewardship. On the other hand, it has been tough going for high-latency projects such as Mixminion.
Over the years, the code has gotten a bit stale, with crypto parameters substandard with respect to what we expect now, and other code issues as well. As a result, I've taken a bit of time to upgrade Mixminion, fixing problems so that it is in a usable form again. These changes are published in my mixminion github repo.
There are basically three modifications that I have made. I summarize them here:
- Upgrade the Diffie-Hellman parameters to use a 2048-bit prime (it was 512!).
- Disable the SSLv3 protocol for inter-server connections. SSLv2 was already disabled.
- Get the directory server (mixminion dir) functionality working again.
The SSL/TLS stuff was straightforward. The only downside here is that for slow servers, or those without lots of entropy, it can take a bit of time to generate the DH parameters on initial start or on replacement of these parameters. Such is the cost of progress...
The directory server stuff was a bit more complex. However, a brief exchange with Nick Mathewson help set me straight. In essence, I rolled the directory server code back to the bf7e8642b17fc49479d00aee3f6e157bca5d3ef6
commit. This rollback included all files in lib/mixminion/directory. Luckily for me, it Just Worked. An important point to make here is that this directory server represents a single point of failure for the network. So the work started by Nick to create a decentralized directory server structure is not complete by any means, but it functions well enough for the project I have in mind.
Setting up the Mixminion directory server
The directory server strings are hard-coded into the source. To run your own directory server, you need to edit appropriate lines in the following files to point to your own directory server:
lib/mixminion/ClientDirectory.py (points to the Directory.gz download link)
lib/mixminion/server/ServerKeys.py (points to the link with the CGI script listed below)
lib/mixminion/directory/DirCGI.py (the DIRECTORY_BASE variable points to the same place as Homedir below)
The ClientDirectory.py file also contains the fingerprint of your directory server, which you can find by executing the mixminion dir fingerprint
command on the node running the directory server.
You also need to place the directory server configuration file .mixminion_dir.cf
at the root of the user running mixminiond. My version of the file looks like this:
[Directory-Store]
Homedir = /home/mixminion/MixminonDirectory
DirUser = mixminion
CGIUser = www-data
CGIGroup = www-data
[Directory]
ClientVersions = 0.0.7 0.0.8alpha3
ServerVersions = 0.0.7 0.0.8alpha3
[Publishing]
Location = /var/www/mixminion/Directory.gz
Homedir points to the base directory for the directory server files (create the required directory structure with mixminion dir initialize
. DirUser, CGIUser, and CGIGroup are the user running mixminiond, and the CGI user and group respectively. ClientVersions and ServerVersions are strings to highlight recommended mixminion versions. Finally, Location is the location where your published Directory.gz file will be served from.
Nick also gave me this simple CGI script to run when the publish
URL is queried.
#!/usr/bin/python
import sys
sys.path[0:0] = ['/usr/local/lib/python2.7/dist-packages']
import mixminion.directory.DirCGI
mixminion.directory.DirCGI.run()
This script will copy the ServerDesc file to the appropriate location in the directory server for further processing.
Useful commands for interacting with the mixminion directory server are found using the mixminion dir
command.
Enjoy!