draft-iab-privsec-confidentiality-threat-02.txt   draft-iab-privsec-confidentiality-threat-03.txt 
Network Working Group R. Barnes Network Working Group R. Barnes
Internet-Draft Internet-Draft
Intended status: Informational B. Schneier Intended status: Informational B. Schneier
Expires: August 10, 2015 Expires: August 24, 2015
C. Jennings C. Jennings
T. Hardie T. Hardie
B. Trammell B. Trammell
C. Huitema C. Huitema
D. Borkmann D. Borkmann
February 06, 2015 February 20, 2015
Confidentiality in the Face of Pervasive Surveillance: A Threat Model Confidentiality in the Face of Pervasive Surveillance: A Threat Model
and Problem Statement and Problem Statement
draft-iab-privsec-confidentiality-threat-02 draft-iab-privsec-confidentiality-threat-03
Abstract Abstract
Documents published in 2013 revealed several classes of pervasive Documents published since initial revelations in 2013 have revealed
surveillance attack on Internet communications. In this document we several classes of pervasive surveillance attack on Internet
develop a threat model that describes these pervasive attacks. We communications. In this document we develop a threat model that
start by assuming a completely passive attacker with an interest in describes these pervasive attacks. We start by assuming an attacker
undetected, indiscriminate eavesdropping, then expand the threat with an interest in undetected, indiscriminate eavesdropping, then
model with a set of verified attacks that have been published. Based expand the threat model with a set of verified attacks that have been
on this threat model, we discuss the techniques that can be employed published.
in Internet protocol design to increase the protocols robustness to
pervasive surveillance.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on August 10, 2015.
This Internet-Draft will expire on August 24, 2015.
Copyright Notice Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
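Review bot: The -03 abstract now ends at "have been published." and no longer says anything about the "Problem Statement" half of the title, because the sentence beginning "Based on this threat model, we discuss the techniques ..." is removed without a replacement. If the protocol-design discussion has moved out of this draft, say in one sentence what the problem statement covers. The abstract also drops "completely passive" and leaves a bare "an attacker"; naming the new term ("a flow access attacker") here would match the body.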
skipping to change at page 2, line 41 skipping to change at page 2, line 40
To ensure that the Internet can be trusted by users, it is necessary To ensure that the Internet can be trusted by users, it is necessary
for the Internet technical community to address the vulnerabilities for the Internet technical community to address the vulnerabilities
exploited in these attacks [RFC7258]. The goal of this document is exploited in these attacks [RFC7258]. The goal of this document is
to describe more precisely the threats posed by these pervasive to describe more precisely the threats posed by these pervasive
attacks, and based on those threats, lay out the problems that need attacks, and based on those threats, lay out the problems that need
to be solved in order to secure the Internet in the face of those to be solved in order to secure the Internet in the face of those
threats. threats.
The remainder of this document is structured as follows. In The remainder of this document is structured as follows. In
Section 3, we describe an idealized passive attacker, one which could Section 3, we describe an idealized flow access attacker, one which
completely undetectably compromise communications at Internet scale. could completely undetectably compromise communications at Internet
In Section 4, we provide a brief summary of some attacks that have scale. In Section 4, we provide a brief summary of some attacks that
been disclosed, and use these to expand the assumed capabilities of have been disclosed, and use these to expand the assumed capabilities
our idealized attacker. Section 5 describes a threat model based on of our idealized attacker. Note that we do not attempt to describe
these attacks, focusing on classes of attack that have not been a all possible attacks, but focus on those which result in undetected
focus of Internet engineering to date. eavesdropping. Section 5 describes a threat model based on these
attacks, focusing on classes of attack that have not been a focus of
Internet engineering to date.
2. Terminology 2. Terminology
This document makes extensive use of standard security and privacy This document makes extensive use of standard security and privacy
terminology; see [RFC4949] and [RFC6973]. Terms used from [RFC6973] terminology; see [RFC4949] and [RFC6973]. Terms used from [RFC6973]
include Eavesdropper, Observer, Initiator, Intermediary, Recipient, include Eavesdropper, Observer, Initiator, Intermediary, Recipient,
Attack (in a privacy context), Correlation, Fingerprint, Traffic Attack (in a privacy context), Correlation, Fingerprint, Traffic
Analysis, and Identifiability (and related terms). In addition, we Analysis, and Identifiability (and related terms). In addition, we
use a few terms that are specific to the attacks discussed here: use a few terms that are specific to the attacks discussed here:
Passive Attack: In this document, the term passive attack is used Flow Access Attack: An eavesdropping attack in which the packets
with respect to the traffic stream: a passive attack does not in a traffic stream between two endpoints are eavesdropped upon,
modify the packets in the traffic stream between two endpoints, but in which the attacker does not modify the packets in the
modify the treatment of packets in the traffic stream (e.g. delay, traffic stream between two endpoints, modify the treatment of
routing), or add or remove packets in the traffic stream. Passive packets in the traffic stream (e.g. delay, routing), or add or
attacks are undetectable from the endpoints. remove packets in the traffic stream. Flow access attacks are
undetectable from the endpoints.
Active Attack: In constrast to a passive attack, and active attack Flow Modification Attack: An attack which includes both
may modify a traffic stream, at the cost of possible detection at eavesdropping (as in a flow access attack) as well as
the endpoints. modification, addition, or removal of packets in a traffic stream,
or modification of treatment of packets in the traffic stream.
Flow modification attacks provide more capabilities to the
attacker at the cost of possible detection at the endpoints.
Pervasive Attack: An attack on Internet communications that makes Pervasive Attack: An attack on Internet communications that makes
use of access at a large number of points in the network, or use of access at a large number of points in the network, or
otherwise provides the attacker with access to a large amount of otherwise provides the attacker with access to a large amount of
Internet traffic; see [RFC7258] Internet traffic; see [RFC7258]
Observation: Information collected directly from communications by Observation: Information collected directly from communications by
an eavesdropper or observer. For example, the knowledge that an eavesdropper or observer. For example, the knowledge that
<alice@example.com> sent a message to <bob@example.com> via SMTP <alice@example.com> sent a message to <bob@example.com> via SMTP
taken from the headers of an observed SMTP message would be an taken from the headers of an observed SMTP message would be an
observation. observation.
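Review bot: The new "Flow Access Attack" entry defines the term with itself ("An eavesdropping attack in which the packets ... are eavesdropped upon"); something like "An attack in which the attacker reads the packets in a traffic stream between two endpoints but does not modify ..." would carry the same meaning. In the "Flow Modification Attack" entry, "includes both eavesdropping ... as well as modification" should be "both ... and". Since the -02 entries used "passive" and "active", a sentence relating the new terms to those words would help readers. The added roadmap note says the focus is on attacks "which result in undetected eavesdropping", while flow modification is defined as carrying "possible detection at the endpoints"; it is worth stating how the two fit together.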
skipping to change at page 4, line 13 skipping to change at page 4, line 18
the attacker has exploited some technology used by the entity. the attacker has exploited some technology used by the entity.
Key Exfiltration: The transmission of keying material for an Key Exfiltration: The transmission of keying material for an
encrypted communication from a collaborator, deliberately or encrypted communication from a collaborator, deliberately or
unwittingly, to an attacker unwittingly, to an attacker
Content Exfiltration: The transmission of the content of a Content Exfiltration: The transmission of the content of a
communication from a collaborator, deliberately or unwittingly, to communication from a collaborator, deliberately or unwittingly, to
an attacker an attacker
3. An Idealized Pervasive Passive Attacker 3. An Idealized Pervasive Flow Access Attacker
In considering the threat posed by pervasive surveillance, we begin In considering the threat posed by pervasive surveillance, we begin
by defining an idealized pervasive passive attacker. While this by defining an idealized pervasive flow access attacker. While this
attacker is less capable than those which we now know to have attacker is less capable than those which we now know to have
compromised the Internet from press reports, as elaborated in compromised the Internet from press reports, as elaborated in
Section 4, it does set a lower bound on the capabilities of an Section 4, it does set a lower bound on the capabilities of an
attacker interested in indiscriminate passive surveillance while attacker interested in indiscriminate passive surveillance while
interested in remaining undetectable. We note that, prior to the interested in remaining undetectable. We note that, prior to the
Snowden revelations in 2013, the assumptions of attacker capability Snowden revelations in 2013, the assumptions of attacker capability
presented here would be considered on the border of paranoia outside presented here would be considered on the border of paranoia outside
the network security community. the network security community.
Our idealized attacker is an indiscriminate eavesdropper on an Our idealized attacker is an indiscriminate eavesdropper on an
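Review bot: The rename in the section title and first sentence stops short of the rest of the paragraph: "an attacker interested in indiscriminate passive surveillance" is unchanged in -03, so the paragraph now uses "flow access" and "passive" for the same attacker with no definition of "passive" left in Section 2. Either carry the rename through this sentence or keep a definition of "passive" in the terminology.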
skipping to change at page 6, line 31 skipping to change at page 6, line 36
networking data with information available from direct observation of networking data with information available from direct observation of
network traffic allows the creation of a much richer picture of an network traffic allows the creation of a much richer picture of an
individual's activities than either alone. individual's activities than either alone.
We note with some alarm that there is little that can be done at We note with some alarm that there is little that can be done at
protocol design time to limit such correlation by the attacker, and protocol design time to limit such correlation by the attacker, and
that the existence of such data sources in many cases greatly that the existence of such data sources in many cases greatly
complicates the problem of protecting privacy by hardening protocols complicates the problem of protecting privacy by hardening protocols
alone. alone.
3.3. An illustration of an ideal passive attack 3.3. An illustration of an ideal flow access attack
To illustrate how capable the idealized attacker is even given its To illustrate how capable the idealized attacker is even given its
limitations, we explore the non-anonymity of encrypted IP traffic in limitations, we explore the non-anonymity of encrypted IP traffic in
this section. Here we examine in detail some inference techniques this section. Here we examine in detail some inference techniques
for associating a set of addresses with an individual, in order to for associating a set of addresses with an individual, in order to
illustrate the difficulty of defending communications against our illustrate the difficulty of defending communications against our
idealized attacker. Here, the basic problem is that information idealized attacker. Here, the basic problem is that information
radiated even from protocols which have no obvious connection with radiated even from protocols which have no obvious connection with
personal data can be correlated with other information which can personal data can be correlated with other information which can
paint a very rich behavioral picture, that only takes one unprotected paint a very rich behavioral picture, that only takes one unprotected
skipping to change at page 11, line 10 skipping to change at page 11, line 13
email, chat, VoIP). email, chat, VoIP).
o Use of implants (covert modifications or malware) to undermine o Use of implants (covert modifications or malware) to undermine
security and anonymity features [dec2][TOR1][TOR2]. For example: security and anonymity features [dec2][TOR1][TOR2]. For example:
* NSA appears to use the QUANTUM man-in-the-middle system to * NSA appears to use the QUANTUM man-in-the-middle system to
direct users to a FOXACID server, which delivers an implant to direct users to a FOXACID server, which delivers an implant to
compromise the browser of a user of the Tor anonymous compromise the browser of a user of the Tor anonymous
communications network. communications network.
* Implants are apparently available for Cisco, Juniper, Huawei,
Dell, and HP network elements, provided by the NSA Advanced
Network Technology group [spiegel1]
* Compromised hosts at botnet scale, using tools by the NSA's
Remote Operations Center [spiegel3]
* The BULLRUN program mentioned above includes the addition of * The BULLRUN program mentioned above includes the addition of
covert modifications to software as one means to undermine covert modifications to software as one means to undermine
encryption. encryption.
* There is also some suspicion that NSA modifications to the * There is also some suspicion that NSA modifications to the
DUAL_EC_DRBG random number generator were made to ensure that DUAL_EC_DRBG random number generator were made to ensure that
keys generated using that generator could be predicted by NSA. keys generated using that generator could be predicted by NSA.
These suspicions have been reinforced by reports that RSA These suspicions have been reinforced by reports that RSA
Security was paid roughly $10M to make DUAL_EC_DRBG the default Security was paid roughly $10M to make DUAL_EC_DRBG the default
in their products. in their products.
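Review bot: The second added bullet, "Compromised hosts at botnet scale, using tools by the NSA's Remote Operations Center [spiegel3]", is a noun phrase with no verb, unlike the sibling bullets, and does not say how it illustrates "Use of implants". Suggest a full sentence that states what the cited report describes, with the same hedging the first added bullet uses ("apparently"). Both added bullets also lack the terminal period the other bullets have.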
skipping to change at page 12, line 35 skipping to change at page 12, line 47
| Active | Manipulate / inject data in transit | | Active | Manipulate / inject data in transit |
| | | | | |
| Static key exfiltration | Obtain key material once / rarely | | Static key exfiltration | Obtain key material once / rarely |
| | | | | |
| Dynamic key exfiltration | Obtain per-session key material | | Dynamic key exfiltration | Obtain per-session key material |
| | | | | |
| Content exfiltration | Access data at rest | | Content exfiltration | Access data at rest |
+--------------------------+-------------------------------------+ +--------------------------+-------------------------------------+
Security analyses of Internet protocols commonly consider two classes Security analyses of Internet protocols commonly consider two classes
of attacker: Passive attackers, who can simply listen in on of attacker: flow access attackers, who can simply listen in on
communications as they transit the network, and active attackers, who communications as they transit the network, and flow modification
can modify or delete packets in addition to simply collecting them. attackers, who can modify or delete packets in addition to simply
collecting them.
In the context of pervasive passive surveillance, these attacks take In the context of pervasive passive surveillance, these attacks take
on an even greater significance. In the past, these attackers were on an even greater significance. In the past, these attackers were
often assumed to operate near the edge of the network, where attacks often assumed to operate near the edge of the network, where attacks
can be simpler. For example, in some LANs, it is simple for any node can be simpler. For example, in some LANs, it is simple for any node
to engage in passive listening to other nodes' traffic or inject to engage in passive listening to other nodes' traffic or inject
packets to accomplish active attacks. However, as we now know, both packets to accomplish flow modification attacks. However, as we now
passive and active attacks are undertaken by pervasive attackers know, both passive and flow modification attacks are undertaken by
closer to the core of the network, greatly expanding the scope and pervasive attackers closer to the core of the network, greatly
capability of the attacker. expanding the scope and capability of the attacker.
Eavesdropping and observation at a larger scale make passive Eavesdropping and observation at a larger scale make passive
inference attacks easier to carry out: a passive attacker with access inference attacks easier to carry out: a flow access attacker with
to a large portion of the Internet can analyze collected traffic to access to a large portion of the Internet can analyze collected
create a much more detailed view of individual behavior than an traffic to create a much more detailed view of individual behavior
attacker that collects at a single point. Even the usual claim that than an attacker that collects at a single point. Even the usual
encryption defeats passive attackers is weakened, since a pervasive claim that encryption defeats flow access attackers is weakened,
passive attacker can infer relationships from correlations over large since a pervasive flow access attacker can infer relationships from
numbers of sessions, e.g., pairing encrypted sessions with correlations over large numbers of sessions, e.g., pairing encrypted
unencrypted sessions from the same host, or performing traffic sessions with unencrypted sessions from the same host, or performing
fingerprinting between known and unknown encrypted sessions. Reports traffic fingerprinting between known and unknown encrypted sessions.
on the NSA XKEYSCORE system would indicate it is an example of such Reports on the NSA XKEYSCORE system would indicate it is an example
an attacker. of such an attacker.
A pervasive active attacker likewise has capabilities beyond those of A pervasive flow modification attacker likewise has capabilities
a localized active attacker. Active attacks are often limited by beyond those of a localized flow modification attacker. flow
network topology, for example by a requirement that the attacker be modification attacks are often limited by network topology, for
able to see a targeted session as well as inject packets into it. A example by a requirement that the attacker be able to see a targeted
pervasive active attacker with access at multiple points within the session as well as inject packets into it. A pervasive flow
core of the Internet is able to overcome these topological modification attacker with access at multiple points within the core
limitations and perform attacks over a much broader scope. Being of the Internet is able to overcome these topological limitations and
positioned in the core of the network rather than the edge can also perform attacks over a much broader scope. Being positioned in the
enable a pervasive active attacker to reroute targeted traffic, core of the network rather than the edge can also enable a pervasive
amplifying the ability to perform both eavesdropping and traffic flow modification attacker to reroute targeted traffic, amplifying
injection. Pervasive active attackers can also benefit from the ability to perform both eavesdropping and traffic injection.
pervasive passive collection to identify vulnerable hosts. Pervasive flow modification attackers can also benefit from pervasive
passive collection to identify vulnerable hosts.
While not directly related to pervasiveness, attackers that are in a While not directly related to pervasiveness, attackers that are in a
position to mount a pervasive active attack are also often in a position to mount a pervasive flow modification attack are also often
position to subvert authentication, a traditional protection against in a position to subvert authentication, a traditional protection
such attacks. Authentication in the Internet is often achieved via against such attacks. Authentication in the Internet is often
trusted third party authorities such as the Certificate Authorities achieved via trusted third party authorities such as the Certificate
(CAs) that provide web sites with authentication credentials. An Authorities (CAs) that provide web sites with authentication
attacker with sufficient resources may also be able to induce an credentials. An attacker with sufficient resources may also be able
authority to grant credentials for an identity of the attacker's to induce an authority to grant credentials for an identity of the
choosing. If the parties to a communication will trust multiple attacker's choosing. If the parties to a communication will trust
authorities to certify a specific identity, this attack may be multiple authorities to certify a specific identity, this attack may
mounted by suborning any one of the authorities (the proverbial be mounted by suborning any one of the authorities (the proverbial
"weakest link"). Subversion of authorities in this way can allow an "weakest link"). Subversion of authorities in this way can allow an
active attack to succeed in spite of an authentication check. flow modification attack to succeed in spite of an authentication
check.
Beyond these three classes (observation, inference, and active), Beyond these three classes (observation, inference, and active),
reports on the BULLRUN effort to defeat encryption and the PRISM reports on the BULLRUN effort to defeat encryption and the PRISM
effort to obtain data from service providers suggest three more effort to obtain data from service providers suggest three more
classes of attack: classes of attack:
o Static key exfiltration o Static key exfiltration
o Dynamic key exfiltration o Dynamic key exfiltration
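Review bot: The rename is applied to the prose but not to the table or the summary sentence, so this section mixes two vocabularies. The table row still reads "Active | Manipulate / inject data in transit", the closing sentence still lists "three classes (observation, inference, and active)", and "pervasive passive surveillance", "both passive and flow modification attacks", "passive inference attacks" and "pervasive passive collection" all remain. Pick one set of terms, or say explicitly that "passive" is kept for collection and inference. The substitution also left a lower-case sentence start ("flow modification attacks are often limited by network topology") and "can allow an flow modification attack", which needs "a".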
skipping to change at page 15, line 39 skipping to change at page 16, line 7
Each of the attack types discussed in the previous section entails Each of the attack types discussed in the previous section entails
certain costs and risks. These costs differ by attack, and can be certain costs and risks. These costs differ by attack, and can be
helpful in guiding response to pervasive attack. helpful in guiding response to pervasive attack.
Depending on the attack, the attacker may be exposed to several types Depending on the attack, the attacker may be exposed to several types
of risk, ranging from simply losing access to arrest or prosecution. of risk, ranging from simply losing access to arrest or prosecution.
In order for any of these negative consequences to occur, however, In order for any of these negative consequences to occur, however,
the attacker must first be discovered and identified. So the primary the attacker must first be discovered and identified. So the primary
risk we focus on here is the risk of discovery and attribution. risk we focus on here is the risk of discovery and attribution.
A passive attack is the simplest to mount in some ways. The base A flow access attack is the simplest to mount in some ways. The base
requirement is that the attacker obtain physical access to a requirement is that the attacker obtain physical access to a
communications medium and extract communications from it. For communications medium and extract communications from it. For
example, the attacker might tap a fiber-optic cable, acquire a mirror example, the attacker might tap a fiber-optic cable, acquire a mirror
port on a switch, or listen to a wireless signal. The need for these port on a switch, or listen to a wireless signal. The need for these
taps to have physical access or proximity to a link exposes the taps to have physical access or proximity to a link exposes the
attacker to the risk that the taps will be discovered. For example, attacker to the risk that the taps will be discovered. For example,
a fiber tap or mirror port might be discovered by network operators a fiber tap or mirror port might be discovered by network operators
noticing increased attenuation in the fiber or a change in switch noticing increased attenuation in the fiber or a change in switch
configuration. Of course, passive attacks may be accomplished with configuration. Of course, flow access attacks may be accomplished
the cooperation of the network operator, in which case there is a with the cooperation of the network operator, in which case there is
risk that the attacker's interactions with the network operator will a risk that the attacker's interactions with the network operator
be exposed. will be exposed.
In many ways, the costs and risks for an active attack are similar to In many ways, the costs and risks for an flow modification attack are
those for a passive attack, with a few additions. An active attacker similar to those for a flow access attack, with a few additions. An
requires more robust network access than a passive attacker, since flow modification attacker requires more robust network access than a
for example they will often need to transmit data as well as flow access attacker, since for example they will often need to
receiving it. In the wireless example above, the attacker would need transmit data as well as receiving it. In the wireless example
to act as an transmitter as well as receiver, greatly increasing the above, the attacker would need to act as an transmitter as well as
probability the attacker will be discovered (e.g., using direction- receiver, greatly increasing the probability the attacker will be
finding technology). Active attacks are also much more observable at discovered (e.g., using direction-finding technology). flow
higher layers of the network. For example, an active attacker that modification attacks are also much more observable at higher layers
of the network. For example, an flow modification attacker that
attempts to use a mis-issued certificate could be detected via attempts to use a mis-issued certificate could be detected via
Certificate Transparency [RFC6962]. Certificate Transparency [RFC6962].
In terms of raw implementation complexity, passive attacks require In terms of raw implementation complexity, flow access attacks
only enough processing to extract information from the network and require only enough processing to extract information from the
store it. Active attacks, by contrast, often depend on winning race network and store it. flow modification attacks, by contrast, often
conditions to inject pakets into active connections. So active depend on winning race conditions to inject pakets into active
attacks in the core of the network require processing hardware to connections. So flow modification attacks in the core of the network
that can operate at line speed (roughly 100Gbps to 1Tbps in the core) require processing hardware to that can operate at line speed
to identify opportunities for attack and insert attack traffic in a (roughly 100Gbps to 1Tbps in the core) to identify opportunities for
high-volume traffic. attack and insert attack traffic in a high-volume traffic. Key
Key exfiltration attacks rely on passive attack for access to exfiltration attacks rely on flow access attack for access to
encrypted data, with the collaborator providing keys to decrypt the encrypted data, with the collaborator providing keys to decrypt the
data. So the attacker undertakes the cost and risk of a passive data. So the attacker undertakes the cost and risk of a flow access
attack, as well as additional risk of discovery via the interactions attack, as well as additional risk of discovery via the interactions
that the attacker has with the collaborator. that the attacker has with the collaborator.
In this sense, static exfiltration has a lower risk profile than In this sense, static exfiltration has a lower risk profile than
dynamic. In the static case, the attacker need only interact with dynamic. In the static case, the attacker need only interact with
the collaborator a small number of times, possibly only once, say to the collaborator a small number of times, possibly only once, say to
exchange a private key. In the dynamic case, the attacker must have exchange a private key. In the dynamic case, the attacker must have
continuing interactions with the collaborator. As noted above these continuing interactions with the collaborator. As noted above these
interactions may real, such as in-person meetings, or virtual, such interactions may real, such as in-person meetings, or virtual, such
as software modifications that render keys available to the attacker. as software modifications that render keys available to the attacker.
Both of these types of interactions introduce a risk that they will Both of these types of interactions introduce a risk that they will
be discovered, e.g., by employees of the collaborator organization be discovered, e.g., by employees of the collaborator organization
noticing suspicious meetings or suspicious code changes. noticing suspicious meetings or suspicious code changes.
Content exfiltration has a similar risk profile to dynamic key Content exfiltration has a similar risk profile to dynamic key
exfiltration. In a content exfiltration attack, the attacker saves exfiltration. In a content exfiltration attack, the attacker saves
the cost and risk of conducting a passive attack. The risk of the cost and risk of conducting a flow access attack. The risk of
discovery through interactions with the collaborator, however, is discovery through interactions with the collaborator, however, is
still present, and may be higher. The content of a communication is still present, and may be higher. The content of a communication is
obviously larger than the key used to encrypt it, often by several obviously larger than the key used to encrypt it, often by several
orders of magnitude. So in the content exfiltration case, the orders of magnitude. So in the content exfiltration case, the
interactions between the collaborator and the attacker need to be interactions between the collaborator and the attacker need to be
much higher-bandwidth than in the key exfiltration cases, with a much higher-bandwidth than in the key exfiltration cases, with a
corresponding increase in the risk that this high-bandwidth channel corresponding increase in the risk that this high-bandwidth channel
will be discovered. will be discovered.
It should also be noted that in these latter three exfiltration It should also be noted that in these latter three exfiltration
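Review bot: The paragraph break before "Key exfiltration attacks rely on ..." is lost in -03: the sentence now runs on from "... insert attack traffic in a high-volume traffic. Key", which merges the implementation-complexity paragraph with the start of the exfiltration discussion. Restore the break. The search-and-replace also left "an flow modification attack", "An flow modification attacker" and "an flow modification attacker" (all need "a"), and lower-case sentence starts at "flow modification attacks are also much more observable" and "flow modification attacks, by contrast". While touching these lines, the carried-over "pakets", "hardware to that can operate" and "interactions may real" could be fixed too.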
skipping to change at page 19, line 31 skipping to change at page 20, line 5
secure", 2013, secure", 2013,
<http://www.theguardian.com/world/2013/sep/05/ <http://www.theguardian.com/world/2013/sep/05/
nsa-how-to-remain-secure-surveillance>. nsa-how-to-remain-secure-surveillance>.
[snowden] Technology Review, "NSA Leak Leaves Crypto-Math Intact but [snowden] Technology Review, "NSA Leak Leaves Crypto-Math Intact but
Highlights Known Workarounds", 2013, Highlights Known Workarounds", 2013,
<http://www.technologyreview.com/news/519171/nsa-leak- <http://www.technologyreview.com/news/519171/nsa-leak-
leaves-crypto-math-intact-but-highlights-known- leaves-crypto-math-intact-but-highlights-known-
workarounds/>. workarounds/>.
[spiegel1]
C Stocker, ., "NSA's Secret Toolbox: Unit Offers Spy
Gadgets for Every Need", December 2013,
<http://www.spiegel.de/international/world/nsa-secret-
toolbox-ant-unit-offers-spy-gadgets-for-every-need-
a-941006.html>.
[spiegel3]
H Schmundt, ., "The Digital Arms Race: NSA Preps America
for Future Battle", January 2014,
<http://www.spiegel.de/international/world/new-snowden-
docs-indicate-scope-of-nsa-preparations-for-cyber-battle-
a-1013409.html>.
[key-recovery] [key-recovery]
Golle, P., "The Design and Implementation of Protocol- Golle, P., "The Design and Implementation of Protocol-
Based Hidden Key Recovery", 2003, Based Hidden Key Recovery", 2003,
<http://crypto.stanford.edu/~pgolle/papers/escrow.pdf>. <http://crypto.stanford.edu/~pgolle/papers/escrow.pdf>.
[RFC1035] Mockapetris, P., "Domain names - implementation and [RFC1035] Mockapetris, P., "Domain names - implementation and
specification", STD 13, RFC 1035, November 1987. specification", STD 13, RFC 1035, November 1987.
[RFC1918] Rekhter, Y., Moskowitz, R., Karrenberg, D., Groot, G., and [RFC1918] Rekhter, Y., Moskowitz, R., Karrenberg, D., Groot, G., and
E. Lear, "Address Allocation for Private Internets", BCP E. Lear, "Address Allocation for Private Internets", BCP
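Review bot: The two added references have malformed author fields, "C Stocker, ., " and "H Schmundt, ., ", where the neighbouring entries use the "Golle, P.," form; they should read "Stocker, C.," and "Schmundt, H.,". They are also inserted between [snowden] and [key-recovery], so check that the placement matches whatever ordering the reference list is meant to follow.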
 End of changes. 26 change blocks. 
99 lines changed or deleted 129 lines changed or added

This html diff was produced by rfcdiff 1.42. The latest version is available from http://tools.ietf.org/tools/rfcdiff/