On Wed, 11 Jul 2001, Kenji Takahashi wrote:
> Now I found that I did not explain my point clearly. Traffic analysis is
> not just a traceroute.
> For example, by wire-tapping on network links or by an active attack against
> routers the bad guy retrieves sender and recipient addresses from the message.
> Even with proxies, the bad guy may analyze inputs and outputs of proxies and
> guess the destinations and sources from timing, packet sizes or other
> statistical patterns. These things are actively studied by researchers -
> two well-known works are David Chaum's MIX-net and DC-net. There are even
> commercial services like Zero Knowledge and Anonymizer. Also I recently
> found that a research group named NymIP has been established - actually
> NymIP is mentioned in the WG charter.
I am familiar with Zero Knowledge and participated in their Beta program,
and with the previous "crowds" project at AT&T. I think I mention
Zero Knowledge in my draft as an example of a proxy service that might
combat this kind of identification.

I am not sure to what extent these threats are real and significant to the
average user, in terms of risk, compared to the privacy risks assumed in
everyday life - for example, caller ID, radio scanners being used to
intercept cellphone and cordless phone conversations, or even the
existence of telephone books and their republishing by online services.

I believe that attacking routers and wire-tapping requires physical access
or hacking skills, and is normally illegal. The threat is thus less than
that posed by everyday tools such as traceroute, DNS lookup or caller ID.

If the user does not trust their mobile network provider they have a big
problem, since the provider has physical access to the base station.

In your cafe scenario, John has a cellphone with an IPv6 address, and
the bad guy (let's say Bill) wants to know where he is. Bill might somehow
obtain John's IP address, perhaps by sending John an HTML email
message with a web bug, or otherwise getting John to connect to a server
under Bill's control, or obtaining access to server logs elsewhere.
Bill might then do a traceroute to John. If John is not using a proxy or
address translation, the trace would complete and the penultimate hop
might reveal something about John's location. One might be able to
obtain its location from public records, or someone may create a map by
roaming on the same network and moving around. The uncertainty in
this location would depend on the cell size and the routing employed
by the mobile service provider - it might be 100', a city, or
a whole country.

If John is using a single HTTP proxy, then the trace would end at the
proxy server. As you say, traffic analysis on the server might reveal
John's real address. This would require Bill to hack into the server,
or otherwise gain access to adjacent nodes. If Bill is, say, the CIA
or law enforcement then a court order may compel the proxy operator
to grant access. The Zero Knowledge service uses multiple proxies,
encrypted traffic, and random hold times on email to defeat such
analysis. This would not help if Bill already knows John's IP address.
John might use a firewall to ignore all traffic except the VPN to
the proxy service, to prevent John discovering his address in the first
place.

If Bill is able to locate John to within a single cell, then Bill
might be able to locate John precisely by triangulation, by pinging
John and using a radio receiver to directly intercept John's replies.
This would again require special equipment, and might be considered
a risk that the average user would consider acceptable.

In draft-daviel-http-*, where John's device is equipped with a unit such
as GPS which actively transmits his location, I recommend the creation of
access controls. If John does not trust Bill, he will not send location
data to Bill's server. Bill could however obtain access to a server which
John does trust, then send John a web bug on that server. Again, feasible
if Bill is the CIA, but otherwise probably within normal acceptable risk.

Andrew Daviel
Vancouver Webpages
-- Andrew Daviel http://huzizit.com - transferable ID for your stuff

Received on Thu Jul 12 13:42:04 2001
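The web bug that would hand Bill John's IP address only works if John's mail client fetches remote content automatically when it renders the message. The following is an added example (not code from Andrew Daviel's message, nor from any service or draft he mentions) of the client-side mitigation: a filter that finds every reference in an HTML mail body that would trigger an outbound request, moves it to an inert data-blocked-* attribute so the user can opt in later, and flags the ones with the classic tracking-pixel shape. The tag list, the web-bug heuristic, and the constructed sample message using the placeholder host tracker.example are my own assumptions.

```python
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag/attribute pairs a renderer fetches without a click (assumed list, not exhaustive).
# <a href> is deliberately absent: it only loads when the user clicks it.
AUTO_FETCH = {
    "img": {"src"}, "link": {"href"}, "script": {"src"}, "iframe": {"src"},
    "body": {"background"}, "table": {"background"}, "td": {"background"},
    "video": {"src", "poster"}, "audio": {"src"}, "object": {"data"}, "embed": {"src"},
}
# CSS url(...) references, quoted or not; these load from style attributes and <style> blocks.
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")]+)['\"]?\s*\)", re.I)


def is_remote(url):
    """True if resolving this reference would send a request to a network host."""
    u = url.strip()
    if u.startswith("//"):                  # scheme-relative: inherits http(s)
        return True
    return urlparse(u).scheme.lower() in ("http", "https", "ftp")  # cid:/data: stay local


def looks_like_web_bug(attrs):
    """Heuristic for the classic tracking pixel: a 0/1-pixel or invisible image."""
    tiny = attrs.get("width", "").strip() in ("0", "1") or attrs.get("height", "").strip() in ("0", "1")
    style = attrs.get("style", "").replace(" ", "").lower()
    return tiny or "display:none" in style or "visibility:hidden" in style


class RemoteContentBlocker(HTMLParser):
    """Re-emit the HTML with every automatic remote fetch neutralised.

    Remote attribute values move to data-blocked-<attr>; remote CSS url()
    references become 'none'. findings holds (tag, attr, url, web_bug) per block.
    """
    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out, self.findings, self._in_style = [], [], False

    def _strip_css(self, where, css):
        def drop(m):
            if is_remote(m.group(1)):
                self.findings.append((where, "css", m.group(1), False))
                return "none"
            return m.group(0)                # local url() references are kept
        return CSS_URL.sub(drop, css)

    def _rewrite(self, tag, attrs):
        amap = {k: (v or "") for k, v in attrs}
        bug = tag == "img" and looks_like_web_bug(amap)
        result = []
        for name, value in attrs:
            value = value or ""
            if name in AUTO_FETCH.get(tag, ()) and is_remote(value):
                self.findings.append((tag, name, value, bug))
                name = "data-blocked-" + name  # inert, but preserved for an explicit opt-in
            elif name == "style":
                value = self._strip_css(tag, value)
            result.append((name, value))
        return result

    def _emit(self, tag, attrs, selfclosing=False):
        parts = [tag] + ['%s="%s"' % (n, escape(v, quote=True)) for n, v in self._rewrite(tag, attrs)]
        self.out.append("<%s%s>" % (" ".join(parts), " /" if selfclosing else ""))
        if tag == "style" and not selfclosing:
            self._in_style = True            # following text is CSS, scan it too

    def handle_starttag(self, tag, attrs): self._emit(tag, attrs)
    def handle_startendtag(self, tag, attrs): self._emit(tag, attrs, True)
    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False
        self.out.append("</%s>" % tag)
    def handle_data(self, data):
        self.out.append(self._strip_css("style", data) if self._in_style else data)
    def handle_entityref(self, name): self.out.append("&%s;" % name)
    def handle_charref(self, name): self.out.append("&#%s;" % name)
    def handle_comment(self, data): self.out.append("<!--%s-->" % data)
    def handle_decl(self, decl): self.out.append("<!%s>" % decl)


def block_remote_content(html):
    """Sanitise one HTML mail body: return (rewritten_html, findings)."""
    p = RemoteContentBlocker()
    p.feed(html)
    p.close()
    return "".join(p.out), p.findings


# Constructed sample message; tracker.example is a placeholder, not a real host.
SAMPLE_MAIL = """<html><body background="http://tracker.example/bg.gif">
<p>Hi John, see the attached photo.</p>
<img src="cid:photo1@local" width="400" height="300">
<img src="https://tracker.example/pixel.gif?id=john" width="1" height="1">
<div style="background:url(http://tracker.example/css.png)">offer</div>
<style>.x { background: url('https://tracker.example/s.png'); }</style>
</body></html>"""

if __name__ == "__main__":
    body, findings = block_remote_content(SAMPLE_MAIL)
    for tag, attr, url, bug in findings:
        print("blocked %s[%s] -> %s%s" % (tag, attr, url, "  (tracking-pixel shape)" if bug else ""))
    print(body)
```

Run on the sample, the filter reports four blocked references (the body background, the 1x1 pixel image, and the two CSS url() loads) and flags only the pixel as web-bug shaped; the cid: attachment reference is left untouched because it never leaves the message. The same approach applies to any HTML rendered from untrusted input, and the findings list gives the client something concrete to show the user before offering to load remote content.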