Sampled Traffic Analysis by Internet-Exchange-Level Adversaries
Mike Perry
mikeperry at fscked.org
Wed May 30 09:46:20 UTC 2007
Thus spake Paul Syverson (syverson at itd.nrl.navy.mil):
> Anyway, the main reason I'm writing is that my objection was not just
> that the GPA was too strong but that it was too weak. Thinking you
> could have an adversary powerful enough to monitor all the links
> necessary to watch your whole large network but not able to do any
> active traffic shaping at all anywhere seems obviously nuts. This is
> one reason why padding on an open low-latency (lossless) network is
> problematic: an adversary with any active capability at all can induce
> a timing channel easily.
Actually, I'm going to disagree slightly because I don't feel like
sleeping yet :). It would take far less resources to passively tap the
traffic and filter out say Tor IPs and do analysis on just that data
offline. Trying to actively do that filter in-path PLUS arbitrarily
delay (ie queue in memory) that traffic in real time, all without
signficantly affecting pass-through traffic seems like it would be a
lot more expensive.
Also, not to mention there is a limited number of bits that can be
reliably encoded in this manner, and the purturbations of padding that
shares the same TLS connection will lower this effectiveness. The
adversary needs enough bits to get through to be able to track all the
parties it is interested in. If padding is in place, it will have to
spend considerable effort in redundancy to make sure that the
timestamp remains present in the exit stream.. Which again means more
queueing and more expense.
Of course, it also means more expense on the part of the anonymity
network in wasted bandwidth.. If padding slows down the network to the
point where users start to leave, other, more dangerous effects take
over.
Finally, going on what has been disclosed so far in the EFF v AT&T case,
it would seem that global adversary-style mass surveilance is in fact
ocurring passively, out of path. At least the illegal domestic stuff,
anyways. I suppose it's anyone's guess what they do when it's less
blatantly illegal.. Maybe Echelon is the reason my bbc is so slow! :)
--
Mike Perry
Mad Computer Scientist
fscked.org evil labs
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <http://lists.torproject.org/pipermail/tor-talk/attachments/20070530/c9e08493/attachment.pgp>
More information about the tor-talk
mailing list