draft-iab-privsec-confidentiality-threat-04.txt   draft-iab-privsec-confidentiality-threat-05.txt 
Network Working Group R. Barnes Network Working Group R. Barnes
Internet-Draft Internet-Draft
Intended status: Informational B. Schneier Intended status: Informational B. Schneier
Expires: September 12, 2015 Expires: October 31, 2015
C. Jennings C. Jennings
T. Hardie T. Hardie
B. Trammell B. Trammell
C. Huitema C. Huitema
D. Borkmann D. Borkmann
April 29, 2015
March 11, 2015
Confidentiality in the Face of Pervasive Surveillance: A Threat Model Confidentiality in the Face of Pervasive Surveillance: A Threat Model
and Problem Statement and Problem Statement
draft-iab-privsec-confidentiality-threat-04 draft-iab-privsec-confidentiality-threat-05
Abstract Abstract
Documents published since initial revelations in 2013 have revealed Since the initial revelations of pervasive surveillance in 2013,
several classes of pervasive surveillance attack on Internet several classes of attacks on Internet communications have been
communications. In this document we develop a threat model that discovered. In this document we develop a threat model that
describes these pervasive attacks. We start by assuming an attacker describes these attacks on Internet confidentiality. We assume an
with an interest in undetected, indiscriminate eavesdropping, then attacker that is interested in undetected, indiscriminate
expand the threat model with a set of verified attacks that have been eavesdropping. The threat model is based on published, verified
published. attacks.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 12, 2015. This Internet-Draft will expire on October 31, 2015.
Copyright Notice Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
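Review bot: The rewritten abstract drops the two-step structure that the -04 wording stated ("We start by assuming an attacker ... then expand the threat model with a set of verified attacks"), yet the body still follows it: Section 3 defines the idealized passive attacker and Section 4 covers reported attacks. Suggest keeping one clause that says the idealized attacker is the starting point and that the model is then broadened using published, verified attacks, so the abstract still matches the document's outline.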
skipping to change at page 3, line 23 skipping to change at page 3, line 23
document. Note especially that "passive" and "active" below do not document. Note especially that "passive" and "active" below do not
refer to the effort used to mount the attack; a "passive attack" is refer to the effort used to mount the attack; a "passive attack" is
any attack that accesses a flow but does not modify it, while an any attack that accesses a flow but does not modify it, while an
"active attack" is any attack that modifies a flow. Some passive "active attack" is any attack that modifies a flow. Some passive
attacks involve active interception and modifications of devices, attacks involve active interception and modifications of devices,
rather than simple access to the medium. The introduced terms are: rather than simple access to the medium. The introduced terms are:
Pervasive Attack: An attack on Internet communications that makes Pervasive Attack: An attack on Internet communications that makes
use of access at a large number of points in the network, or use of access at a large number of points in the network, or
otherwise provides the attacker with access to a large amount of otherwise provides the attacker with access to a large amount of
Internet traffic; see [RFC7258] Internet traffic; see [RFC7258].
Passive Pervasive Attack: An eavesdropping attack undertaken by a Passive Pervasive Attack: An eavesdropping attack undertaken by a
pervasive attacker, in which the packets in a traffic stream pervasive attacker, in which the packets in a traffic stream
between two endpoints are eavesdropped upon, but in which the between two endpoints are intercepted, but in which the attacker
attacker does not modify the packets in the traffic stream between does not modify the packets in the traffic stream between two
two endpoints, modify the treatment of packets in the traffic endpoints, modify the treatment of packets in the traffic stream
stream (e.g. delay, routing), or add or remove packets in the (e.g. delay, routing), or add or remove packets in the traffic
traffic stream. Passive pervasive attacks are undetectable from stream. Passive pervasive attacks are undetectable from the
the endpoints. Equivalent to passive wiretapping as defined in endpoints. Equivalent to passive wiretapping as defined in
[RFC4949]; we use an alternate term here since the methods [RFC4949]; we use an alternate term here since the methods
employed are wider than those implied by the word "wiretapping", employed are wider than those implied by the word "wiretapping",
including the active compromise of intermediate systems. including the active compromise of intermediate systems.
Active Pervasive Attack: An attack undertaken by a pervasive Active Pervasive Attack: An attack undertaken by a pervasive
attacker, which in addition to the elements of a passive pervasive attacker, which in addition to the elements of a passive pervasive
attack, also includes modification, addition, or removal of attack, also includes modification, addition, or removal of
packets in a traffic stream, or modification of treatment of packets in a traffic stream, or modification of treatment of
packets in the traffic stream. Active pervasive attacks provide packets in the traffic stream. Active pervasive attacks provide
more capabilities to the attacker at the cost of possible more capabilities to the attacker at the risk of possible
detection at the endpoints. Equivalent to active wiretapping as detection at the endpoints. Equivalent to active wiretapping as
defined in [RFC4949]. defined in [RFC4949].
Observation: Information collected directly from communications by Observation: Information collected directly from communications by
an eavesdropper or observer. For example, the knowledge that an eavesdropper or observer. For example, the knowledge that
<alice@example.com> sent a message to <bob@example.com> via SMTP <alice@example.com> sent a message to <bob@example.com> via SMTP
taken from the headers of an observed SMTP message would be an taken from the headers of an observed SMTP message would be an
observation. observation.
Inference: Information extracted from analysis of information Inference: Information extracted from analysis of information
skipping to change at page 4, line 22 skipping to change at page 4, line 22
Collaborator: An entity that is a legitimate participant in a Collaborator: An entity that is a legitimate participant in a
communication, but who deliberately provides information about communication, but who deliberately provides information about
that interaction to an attacker. that interaction to an attacker.
Unwitting Collaborator: An entity that is a legitimate participant Unwitting Collaborator: An entity that is a legitimate participant
in a communication, and who is the source of information obtained in a communication, and who is the source of information obtained
by the attacker without the entity's consent or intention, because by the attacker without the entity's consent or intention, because
the attacker has exploited some technology used by the entity. the attacker has exploited some technology used by the entity.
Key Exfiltration: The transmission of keying material for an Key Exfiltration: The transmission of cryptographic keying material
encrypted communication from a collaborator, deliberately or for an encrypted communication from a collaborator, deliberately
unwittingly, to an attacker or unwittingly, to an attacker.
Content Exfiltration: The transmission of the content of a Content Exfiltration: The transmission of the content of a
communication from a collaborator, deliberately or unwittingly, to communication from a collaborator, deliberately or unwittingly, to
an attacker an attacker
3. An Idealized Passive Pervasive Attacker 3. An Idealized Passive Pervasive Attacker
In considering the threat posed by pervasive surveillance, we begin In considering the threat posed by pervasive surveillance, we begin
by defining an idealized passive pervasive attacker. While this by defining an idealized passive pervasive attacker. While this
attacker is less capable than those which we now know to have attacker is less capable than those which we now know to have
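Review bot: The Key Exfiltration entry now ends with a period ("to an attacker."), but the Content Exfiltration entry directly below it still ends "an attacker" with no terminator in -05. Suggest adding the period there too so the terminology list is punctuated consistently, as was already done for the Pervasive Attack entry earlier in this revision.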
skipping to change at page 5, line 7 skipping to change at page 5, line 7
o can observe every packet of all communications at any hop in any o can observe every packet of all communications at any hop in any
network path between an initiator and a recipient; network path between an initiator and a recipient;
o can observe data at rest in any intermediate system between the o can observe data at rest in any intermediate system between the
endpoints controlled by the initiator and recipient; and endpoints controlled by the initiator and recipient; and
o can share information with other such attackers; but o can share information with other such attackers; but
o takes no other action with respect to these communications (i.e., o takes no other action with respect to these communications (i.e.,
blocking, modification, injection, etc.). blocking, modification, injection, etc.).
The techniques available to our ideal attacker are direct observation The techniques available to our ideal attacker are direct
and inference. Direct observation involves taking information observation and inference. Direct observation involves taking
directly from eavesdropped communications - e.g., URLs identifying information directly from eavesdropped communications, such as
content or email addresses identifying individuals from application- URLs identifying content or email addresses identifying
layer headers. Inference, on the other hand, involves analyzing individuals from application- layer headers. Inference, on the
eavesdropped information to derive new information from it; e.g., other hand, involves analyzing observed information to derive new
searching for application or behavioral fingerprints in observed information, such as searching for application or behavioral
traffic to derive information about the observed individual from fingerprints in observed traffic to derive information about the
them, in absence of directly-observed sources of the same observed individual. The use of encryption is generally
information. The use of encryption to protect confidentiality is sufficient to provide confidentiality by preventing direct
generally enough to prevent direct observation of unencrypted observation of content, assuming of course, uncompromised
content, assuming uncompromised encryption implementations and key encryption implementations and cryptographic keying material.
material. However, it provides less complete protection against However, encryption provides less complete protection against
inference, especially inference based only on unprotected portions of inference, especially inferences based only on plaintext portions
communications (e.g. IP and TCP headers for TLS [RFC5246]). of communications, such as IP and TCP headers for TLS-protected
traffic [RFC5246]).
3.1. Information subject to direct observation 3.1. Information subject to direct observation
Protocols which do not encrypt their payload make the entire content Protocols which do not encrypt their payload make the entire content
of the communication available to the idealized attacker along their of the communication available to the idealized attacker along their
path. Following the advice in [RFC3365], most such protocols have a path. Following the advice in [RFC3365], most such protocols have a
secure variant which encrypts payload for confidentiality, and these secure variant which encrypts payload for confidentiality, and these
secure variants are seeing ever-wider deployment. A noteworthy secure variants are seeing ever-wider deployment. A noteworthy
exception is DNS [RFC1035], as DNSSEC [RFC4033] does not have exception is DNS [RFC1035], as DNSSEC [RFC4033] does not have
confidentiality as a requirement. confidentiality as a requirement.
This implies that, in the absence of changes to the protocol as This implies that, in the absence of changes to the protocol as
presently under development in the IETF's DNS Private Exchange presently under development in the IETF's DNS Private Exchange
(DPRIVE) working group [I-D.ietf-dprive-problem-statement], all DNS (DPRIVE) working group [I-D.ietf-dprive-problem-statement], all DNS
queries and answers generated by the activities of any protocol are queries and answers generated by the activities of any protocol are
available to the attacker. available to the attacker.
Protocols which imply the storage of some data at rest in When store-and-forward protocols are used, (e.g. SMTP [RFC5321])
intermediaries (e.g. SMTP [RFC5321]) leave this data subject to intermediaries leave this data subject to observation by an attacker
observation by an attacker that has compromised these intermediaries, that has compromised these intermediaries, unless the data is
unless the data is encrypted end-to-end by the application layer encrypted end-to-end by the application layer protocol, or the
protocol, or the implementation uses an encrypted store for this implementation uses an encrypted store for this data.
data.
3.2. Information useful for inference 3.2. Information useful for inference
Inference is information extracted from later analysis of an observed Inference is information extracted from later analysis of an observed
or eavesdropped communication, and/or correlation of observed or or eavesdropped communication, and/or correlation of observed or
eavesdropped information with information available from other eavesdropped information with information available from other
sources. Indeed, most useful inference performed by the attacker sources. Indeed, most useful inference performed by the attacker
falls under the rubric of correlation. The simplest example of this falls under the rubric of correlation. The simplest example of this
is the observation of DNS queries and answers from and to a source is the observation of DNS queries and answers from and to a source
and correlating those with IP addresses with which that source and correlating those with IP addresses with which that source
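Review bot: In the rewritten Section 3.1 paragraph, "When store-and-forward protocols are used, (e.g. SMTP [RFC5321]) intermediaries leave this data subject to observation" leaves "this data" without an antecedent, because the -04 phrase "storage of some data at rest in intermediaries" was removed, and the comma before the parenthesis is misplaced. Suggest naming the data explicitly, for example "data stored at rest in intermediaries". Two smaller defects in the rewritten Section 3 paragraph above: "application- layer headers" carries a stray space from re-wrapping, and "traffic [RFC5246])." ends with an unmatched closing parenthesis now that the "(e.g." opener has been replaced by "such as".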
skipping to change at page 6, line 18 skipping to change at page 6, line 18
available from encrypted application payloads (e.g., the Host: available from encrypted application payloads (e.g., the Host:
HTTP/1.1 request header when HTTP is used with TLS). HTTP/1.1 request header when HTTP is used with TLS).
Protocols which encrypt their payload using an application- or Protocols which encrypt their payload using an application- or
transport-layer encryption scheme (e.g. TLS) still expose all the transport-layer encryption scheme (e.g. TLS) still expose all the
information in their network and transport layer headers to the information in their network and transport layer headers to the
attacker, including source and destination addresses and ports. attacker, including source and destination addresses and ports.
IPsec ESP[RFC4303] further encrypts the transport-layer headers, but IPsec ESP[RFC4303] further encrypts the transport-layer headers, but
still leaves IP address information unencrypted; in tunnel mode, still leaves IP address information unencrypted; in tunnel mode,
these addresses correspond to the tunnel endpoints. Features of the these addresses correspond to the tunnel endpoints. Features of the
cryptographic protocols themselves, e.g. the TLS session identifier, security protocols themselves, e.g. the TLS session identifier, may
may leak information that can be used for correlation and inference. leak information that can be used for correlation and inference.
While this information is much less semantically rich than the While this information is much less semantically rich than the
application payload, it can still be useful for the inferring an application payload, it can still be useful for the inferring an
individual's activities. individual's activities.
Inference can also leverage information obtained from sources other Inference can also leverage information obtained from sources other
than direct traffic observation. Geolocation databases, for example, than direct traffic observation. Geolocation databases, for example,
have been developed map IP addresses to a location, in order to have been developed that map IP addresses to a location, in order to
provide location-aware services such as targeted advertising. This provide location-aware services such as targeted advertising. This
location information is often of sufficient resolution that it can be location information is often of sufficient resolution that it can be
used to draw further inferences toward identifying or profiling an used to draw further inferences toward identifying or profiling an
individual. individual.
Social media provide another source of more or less publicly Social media provide another source of more or less publicly
accessible information. This information can be extremely accessible information. This information can be extremely
semantically rich, including information about an individual's semantically rich, including information about an individual's
location, associations with other individuals and groups, and location, associations with other individuals and groups, and
activities. Further, this information is generally contributed and activities. Further, this information is generally contributed and
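Review bot: The sentence "it can still be useful for the inferring an individual's activities" is unchanged in -05 and still has a stray "the"; since the neighbouring sentence was fixed in this revision ("have been developed that map"), this one should be corrected at the same time to "useful for inferring". "IPsec ESP[RFC4303]" is also still missing the space before the citation. On the substantive change, replacing "cryptographic protocols" with "security protocols" is fine, but the example given (the TLS session identifier) is the only one; if the broader term is intended, a second example from a non-TLS protocol would justify it.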
skipping to change at page 10, line 5 skipping to change at page 10, line 5
with an individual to various public services (e.g. websites, mail with an individual to various public services (e.g. websites, mail
servers, game servers), and exploit patterns in the observed traffic servers, game servers), and exploit patterns in the observed traffic
to correlate this address with other addresses that show similar to correlate this address with other addresses that show similar
patterns. For example, any two addresses that show connections to patterns. For example, any two addresses that show connections to
the same IMAP or webmail services, the same set of favorite websites, the same IMAP or webmail services, the same set of favorite websites,
and game servers at similar times of day may be associated with the and game servers at similar times of day may be associated with the
same individual. Correlated addresses can then be tied to an same individual. Correlated addresses can then be tied to an
individual through one of the techniques above, walking the "network individual through one of the techniques above, walking the "network
graph" to expand the set of attributable traffic. graph" to expand the set of attributable traffic.
3.3.7. Tracking of MAC Addresses 3.3.7. Tracking of Link Layer Identifiers
Moving back down the stack, technologies like Ethernet or Wi-Fi use Moving back down the stack, technologies like Ethernet or Wi-Fi use
MAC Addresses to identify link-level destinations. MAC Addresses MAC Addresses to identify link-level destinations. MAC Addresses
assigned according to IEEE-802 standards are unique to the device. assigned according to IEEE-802 standards are globally-unique
If the link is publicly accessible, an attacker can track it. For identifiers for the device. If the link is publicly accessible, an
example, the attacker can track the wireless traffic at public Wi-Fi attacker can eavesdrop and perform tracking. For example, the
attacker can track the wireless traffic at publicly accessible Wi-Fi
networks. Simple devices can monitor the traffic, and reveal which networks. Simple devices can monitor the traffic, and reveal which
MAC Addresses are present. If the network does not use some form of MAC Addresses are present. Also, devices do not need to be connected
Wi-Fi encryption, or if the attacker can access the decrypted to a network to expose link-layer identifiers. Active service
traffic, the analysis will also provide the correlation between MAC discovery always discloses the MAC address of the user, and sometimes
the SSIDs of previously visited networks. For instance, certain
techniques such as the use of "hidden SSIDs" require the mobile
device to broadcast the network identifier together with the device
identifier. This combination can further expose the user to
inference attacks, as more information can be derived from the
combination of MAC address, SSID being probed, time and current
location. For example, a user actively probing for a semi-unique
SSID on a flight out of a certain city can imply that the user is no
longer at the physical location of the corresponding AP. Given that
large-scale databases of the MAC addresses of wireless access points
for geolocation purposes have been known to exist for some time, the
attacker could easily build a database linking link-layer
identifiers, time and device or user identities, and use it to track
the movement of devices and of their owners. On the other hand, if
the network does not use some form of Wi-Fi encryption, or if the
attacker can access the decrypted traffic, the analysis will also
provide the correlation between link-layer identifiers such as MAC
Addresses and IP addresses. Additional monitoring using techniques Addresses and IP addresses. Additional monitoring using techniques
exposed in the previous sections will reveal the correlation between exposed in the previous sections will reveal the correlation between
MAC Addresses, IP Addresses, and user identity. MAC addresses, IP addresses, and user identity. For instance,
similarly to the use of web cookies, MAC addresses provide identity
Given that large-scale databases of the MAC addresses of wireless information that can be used to associate a user to different IP
access points for geolocation purposes have been known to exist for addresses.
some time, the attacker could easily build a database linking MAC
Addresses and device or user identities, and use it to track the
movement of devices and of their owners.
4. Reported Instances of Large-Scale Attacks 4. Reported Instances of Large-Scale Attacks
The situation in reality is more bleak than that suggested by an The situation in reality is more bleak than that suggested by an
analysis of our idealized attacker. Through revelations of sensitive analysis of our idealized attacker. Through revelations of sensitive
documents in several media outlets, the Internet community has been documents in several media outlets, the Internet community has been
made aware of several intelligence activities conducted by US and UK made aware of several intelligence activities conducted by US and UK
national intelligence agencies, particularly the US National Security national intelligence agencies, particularly the US National Security
Agency (NSA) and the UK Government Communications Headquarters Agency (NSA) and the UK Government Communications Headquarters
(GCHQ). These documents have revealed methods that these agencies (GCHQ). These documents have revealed methods that these agencies
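Review bot: In the expanded 3.3.7 text, "Active service discovery always discloses the MAC address of the user" attributes the identifier to the user, while the same paragraph defines MAC addresses as "globally-unique identifiers for the device"; suggest "the MAC address of the device" and leave the link to the user as the inference the section goes on to describe. The section title now says "Link Layer Identifiers", but the body mixes "MAC Addresses", "MAC addresses" and "link-layer identifiers"; pick one capitalization and hyphenation and use it in the title as well. The merged paragraph also now covers probing and SSID disclosure, geolocation databases, and MAC-to-IP correlation in one block; splitting it at "On the other hand" would keep the paragraph break that -04 had between these topics.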
skipping to change at page 11, line 20 skipping to change at page 11, line 34
portable devices such as smartphones. portable devices such as smartphones.
However, the capabilities described by these reports go beyond those However, the capabilities described by these reports go beyond those
of our idealized attacker. They include the compromise of of our idealized attacker. They include the compromise of
cryptographic protocols, including decryption of TLS-protected cryptographic protocols, including decryption of TLS-protected
Internet sessions [dec1][dec2][dec3]. For example, the NSA BULLRUN Internet sessions [dec1][dec2][dec3]. For example, the NSA BULLRUN
project worked to undermine encryption through multiple approaches, project worked to undermine encryption through multiple approaches,
including covert modifications to cryptographic software on end including covert modifications to cryptographic software on end
systems. systems.
They also include the direct compromise of intermediate systems and Reported capabilities include the direct compromise of intermediate
arrangements with service providers for bulk data and metadata access systems and arrangements with service providers for bulk data and
[dir1][dir2][dir3], bypassing the need to capture traffic on the metadata access [dir1][dir2][dir3], bypassing the need to capture
wire. For example, the NSA PRISM program provides the agency with traffic on the wire. For example, the NSA PRISM program provides the
access to many types of user data (e.g., email, chat, VoIP). agency with access to many types of user data (e.g., email, chat,
VoIP).
The reported capabilities also include elements of active pervasive The reported capabilities also include elements of active pervasive
attack, including: attack, including:
o Insertion of devices as a man-in-the-middle of Internet o Insertion of devices as a man-in-the-middle of Internet
transactions [TOR1][TOR2]. For example, NSA's QUANTUM system transactions [TOR1][TOR2]. For example, NSA's QUANTUM system
appears to use several different techniques to hijack HTTP appears to use several different techniques to hijack HTTP
connections, ranging from DNS response injection to HTTP 302 connections, ranging from DNS response injection to HTTP 302
redirects. redirects.
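Review bot: With "They also include" changed to "Reported capabilities include", the PRISM paragraph no longer reads as a continuation of the preceding one ("They include the compromise of cryptographic protocols"), while the paragraph after it still opens "The reported capabilities also include". Suggest "The reported capabilities also include" in both places, or restructuring the three paragraphs as one list, so the reader can tell these are successive items in the same enumeration.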
skipping to change at page 12, line 38 skipping to change at page 13, line 5
high degree of pervasiveness with regard to the Internet in China. high degree of pervasiveness with regard to the Internet in China.
5. Threat Model 5. Threat Model
Given these disclosures, we must consider a broader threat model. Given these disclosures, we must consider a broader threat model.
Pervasive surveillance aims to collect information across a large Pervasive surveillance aims to collect information across a large
number of Internet communications, analyzing the collected number of Internet communications, analyzing the collected
communications to identify information of interest within individual communications to identify information of interest within individual
communications, or inferring information from correlated communications, or inferring information from correlated
communications. his analysis sometimes benefits from decryption of communications. This analysis sometimes benefits from decryption of
encrypted communications and deanonymization of anonymized encrypted communications and deanonymization of anonymized
communications. As a result, these attackers desire both access to communications. As a result, these attackers desire both access to
the bulk of Internet traffic and to the keying material required to the bulk of Internet traffic and to the keying material required to
decrypt any traffic that has been encrypted. Even if keys are not decrypt any traffic that has been encrypted. Even if keys are not
available, note that the presence of a communication and the fact available, note that the presence of a communication and the fact
that it is encrypted may both be inputs to an analysis, even if the that it is encrypted may both be inputs to an analysis, even if the
attacker cannot decrypt the communication. attacker cannot decrypt the communication.
The attacks listed above highlight new avenues both for access to The attacks listed above highlight new avenues both for access to
traffic and for access to relevant encryption keys. They further traffic and for access to relevant encryption keys. They further
skipping to change at page 14, line 6 skipping to change at page 14, line 21
than an attacker that collects at a single point. Even the usual than an attacker that collects at a single point. Even the usual
claim that encryption defeats passive pervasive attackers is claim that encryption defeats passive pervasive attackers is
weakened, since a pervasive flow access attacker can infer weakened, since a pervasive flow access attacker can infer
relationships from correlations over large numbers of sessions, e.g., relationships from correlations over large numbers of sessions, e.g.,
pairing encrypted sessions with unencrypted sessions from the same pairing encrypted sessions with unencrypted sessions from the same
host, or performing traffic fingerprinting between known and unknown host, or performing traffic fingerprinting between known and unknown
encrypted sessions. Reports on the NSA XKEYSCORE system would encrypted sessions. Reports on the NSA XKEYSCORE system would
indicate it is an example of such an attacker. indicate it is an example of such an attacker.
An active pervasive attacker likewise has capabilities beyond those An active pervasive attacker likewise has capabilities beyond those
of a localized active attacker. flow modification attacks are often of a localized active attacker. Flow modification attacks are often
limited by network topology, for example by a requirement that the limited by network topology, for example by a requirement that the
attacker be able to see a targeted session as well as inject packets attacker be able to see a targeted session as well as inject packets
into it. A pervasive flow modification attacker with access at into it. A pervasive flow modification attacker with access at
multiple points within the core of the Internet is able to overcome multiple points within the core of the Internet is able to overcome
these topological limitations and perform attacks over a much broader these topological limitations and perform attacks over a much broader
scope. Being positioned in the core of the network rather than the scope. Being positioned in the core of the network rather than the
edge can also enable an active pervasive attacker to reroute targeted edge can also enable an active pervasive attacker to reroute targeted
traffic, amplifying the ability to perform both eavesdropping and traffic, amplifying the ability to perform both eavesdropping and
traffic injection. Active pervasive attackers can also benefit from traffic injection. Active pervasive attackers can also benefit from
passive pervasive collection to identify vulnerable hosts. passive pervasive collection to identify vulnerable hosts.
skipping to change at page 15, line 20 skipping to change at page 15, line 37
frequent communications with the attacker; the transfer of keying frequent communications with the attacker; the transfer of keying
material may be virtual. For example, if an endpoint were modified material may be virtual. For example, if an endpoint were modified
in such a way that the attacker could predict the state of its in such a way that the attacker could predict the state of its
psuedorandom number generator, then the attacker would be able to psuedorandom number generator, then the attacker would be able to
derive per-session keys even without per-session communications. derive per-session keys even without per-session communications.
Finally, content exfiltration is the attack in which the collaborator Finally, content exfiltration is the attack in which the collaborator
simply provides the attacker with the desired data or metadata. simply provides the attacker with the desired data or metadata.
Unlike the key exfiltration cases, this attack does not require the Unlike the key exfiltration cases, this attack does not require the
attacker to capture the desired data as it flows through the network. attacker to capture the desired data as it flows through the network.
The risk is to data at rest as opposed to data in transit. This The exfiltration is of data at rest, rather than data in transit.
increases the scope of data that the attacker can obtain, since the This increases the scope of data that the attacker can obtain, since
attacker can access historical data - the attacker does not have to the attacker can access historical data - the attacker does not have
be listening at the time the communication happens. to be listening at the time the communication happens.
Exfiltration attacks can be accomplished via attacks against one of Exfiltration attacks can be accomplished via attacks against one of
the parties to a communication, i.e., by the attacker stealing the the parties to a communication, i.e., by the attacker stealing the
keys or content rather than the party providing them willingly. In keys or content rather than the party providing them willingly. In
these cases, the party may not be aware that they are collaborating, these cases, the party may not be aware that they are collaborating,
at least at a human level. Rather, the subverted technical assets at least at a human level. Rather, the subverted technical assets
are "collaborating" with the attacker (by providing keys/content) are "collaborating" with the attacker (by providing keys/content)
without their owner's knowledge or consent. without their owner's knowledge or consent.
Any party that has access to encryption keys or unencrypted data can Any party that has access to encryption keys or unencrypted data can
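Review bot: the context line "psuedorandom number generator" is still misspelled in -05, although this revision rewords the paragraph directly below it; correct it to "pseudorandom" in the same pass. In the reworded text, "This increases the scope of data" now follows "The exfiltration is of data at rest", which leaves "This" without a clear antecedent; naming the subject (for instance "Access to data at rest increases the scope ...") would read better. The spaced hyphen in "historical data - the attacker" would also be clearer as a semicolon.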
skipping to change at page 17, line 14 skipping to change at page 17, line 27
receiver, greatly increasing the probability the attacker will be receiver, greatly increasing the probability the attacker will be
discovered (e.g., using direction-finding technology). Active discovered (e.g., using direction-finding technology). Active
attacks are also much more observable at higher layers of the attacks are also much more observable at higher layers of the
network. For example, an active attacker that attempts to use a mis- network. For example, an active attacker that attempts to use a mis-
issued certificate could be detected via Certificate Transparency issued certificate could be detected via Certificate Transparency
[RFC6962]. [RFC6962].
In terms of raw implementation complexity, passive pervasive attacks In terms of raw implementation complexity, passive pervasive attacks
require only enough processing to extract information from the require only enough processing to extract information from the
network and store it. Active pervasive attacks, by contrast, often network and store it. Active pervasive attacks, by contrast, often
depend on winning race conditions to inject pakets into active depend on winning race conditions to inject packets into active
connections. So active pervasive attacks in the core of the network connections. So active pervasive attacks in the core of the network
require processing hardware to that can operate at line speed require processing hardware to that can operate at line speed
(roughly 100Gbps to 1Tbps in the core) to identify opportunities for (roughly 100Gbps to 1Tbps in the core) to identify opportunities for
attack and insert attack traffic in a high-volume traffic. Key attack and insert attack traffic in a high-volume traffic. Key
exfiltration attacks rely on passive pervasive attack for access to exfiltration attacks rely on passive pervasive attack for access to
encrypted data, with the collaborator providing keys to decrypt the encrypted data, with the collaborator providing keys to decrypt the
data. So the attacker undertakes the cost and risk of a passive data. So the attacker undertakes the cost and risk of a passive
pervasive attack, as well as additional risk of discovery via the pervasive attack, as well as additional risk of discovery via the
interactions that the attacker has with the collaborator. interactions that the attacker has with the collaborator.
Some active attacks are more expensive than others. For example,
active man-in-the-middle (MITM) attacks require access to the entire
network session and path in order to intercept and potentially
modify, as well as drop, legitimate packets in favor of the
attacker's packets. A similar but weaker form of attack, called an
active man-on-the-side (MOTS), does not require access to the entire
session and only part of the path. In an active MOTS attack, the
attacker need only be able to inject or modify traffic on the network
element the attacker has access to. While this may not allow for
full control of a communication session (as in an MITM attack), the
attacker can perform a number of powerful attacks, including but not
limited to: injecting packets that could terminate the session (e.g.,
TCP RST packets), sending a fake DNS reply to redirect ensuing TCP
connections to an address of the attacker's choice (i.e., winning a
"DNS response race"), and mounting an HTTP Redirect attack by
observing a TCP/HTTP connection to a target address and injecting a
TCP data packet containing an HTTP redirect. For example, the system
dubbed by researchers as China's "Great Cannon" [great-cannon] can
operate in ful MITM mode to accomplish very complex attacks that can
modify content in transit while the well-known Great Firewall of
China is a MOTS system that focuses on blocking access to certain
kinds of traffic and destinations via TCP RST packet injection.
In this sense, static exfiltration has a lower risk profile than In this sense, static exfiltration has a lower risk profile than
dynamic. In the static case, the attacker need only interact with dynamic. In the static case, the attacker need only interact with
the collaborator a small number of times, possibly only once, say to the collaborator a small number of times, possibly only once, say to
exchange a private key. In the dynamic case, the attacker must have exchange a private key. In the dynamic case, the attacker must have
continuing interactions with the collaborator. As noted above these continuing interactions with the collaborator. As noted above these
interactions may real, such as in-person meetings, or virtual, such interactions may be real, such as in-person meetings, or virtual,
as software modifications that render keys available to the attacker. such as software modifications that render keys available to the
Both of these types of interactions introduce a risk that they will attacker. Both of these types of interactions introduce a risk that
be discovered, e.g., by employees of the collaborator organization they will be discovered, e.g., by employees of the collaborator
noticing suspicious meetings or suspicious code changes. organization noticing suspicious meetings or suspicious code changes.
Content exfiltration has a similar risk profile to dynamic key Content exfiltration has a similar risk profile to dynamic key
exfiltration. In a content exfiltration attack, the attacker saves exfiltration. In a content exfiltration attack, the attacker saves
the cost and risk of conducting a passive pervasive attack. The risk the cost and risk of conducting a passive pervasive attack. The risk
of discovery through interactions with the collaborator, however, is of discovery through interactions with the collaborator, however, is
still present, and may be higher. The content of a communication is still present, and may be higher. The content of a communication is
obviously larger than the key used to encrypt it, often by several obviously larger than the key used to encrypt it, often by several
orders of magnitude. So in the content exfiltration case, the orders of magnitude. So in the content exfiltration case, the
interactions between the collaborator and the attacker need to be interactions between the collaborator and the attacker need to be
much higher-bandwidth than in the key exfiltration cases, with a much higher-bandwidth than in the key exfiltration cases, with a
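Review bot: the new MITM/MOTS paragraph is inserted between the sentence ending "interactions that the attacker has with the collaborator" and "In this sense, static exfiltration has a lower risk profile than dynamic", so "In this sense" now appears to refer to the Great Firewall example instead of the discovery risk from collaborator interactions. Place the new paragraph where the key exfiltration sentence and "In this sense" stay adjacent, for example before "Key exfiltration attacks rely on". Within the added text, "ful MITM mode" should be "full"; "does not require access to the entire session and only part of the path" should state directly that MOTS needs only part of the path; and saying the MOTS attacker can "inject or modify traffic" blurs the distinction from MITM drawn one sentence earlier. The unchanged "require processing hardware to that can operate" and "in a high-volume traffic" were left uncorrected even though "pakets" was fixed in the same paragraph.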
skipping to change at page 20, line 50 skipping to change at page 21, line 35
for Future Battle", January 2014, for Future Battle", January 2014,
<http://www.spiegel.de/international/world/new-snowden- <http://www.spiegel.de/international/world/new-snowden-
docs-indicate-scope-of-nsa-preparations-for-cyber-battle- docs-indicate-scope-of-nsa-preparations-for-cyber-battle-
a-1013409.html>. a-1013409.html>.
[key-recovery] [key-recovery]
Golle, P., "The Design and Implementation of Protocol- Golle, P., "The Design and Implementation of Protocol-
Based Hidden Key Recovery", 2003, Based Hidden Key Recovery", 2003,
<http://crypto.stanford.edu/~pgolle/papers/escrow.pdf>. <http://crypto.stanford.edu/~pgolle/papers/escrow.pdf>.
[great-cannon]
Paxson, V., "China's Great Cannon", 2015,
<https://citizenlab.org/2015/04/chinas-great-cannon/>.
[RFC1035] Mockapetris, P., "Domain names - implementation and [RFC1035] Mockapetris, P., "Domain names - implementation and
specification", STD 13, RFC 1035, November 1987. specification", STD 13, RFC 1035, November 1987.
[RFC1918] Rekhter, Y., Moskowitz, R., Karrenberg, D., Groot, G., and [RFC1918] Rekhter, Y., Moskowitz, R., Karrenberg, D., Groot, G., and
E. Lear, "Address Allocation for Private Internets", BCP E. Lear, "Address Allocation for Private Internets", BCP
5, RFC 1918, February 1996. 5, RFC 1918, February 1996.
[RFC1939] Myers, J. and M. Rose, "Post Office Protocol - Version 3", [RFC1939] Myers, J. and M. Rose, "Post Office Protocol - Version 3",
STD 53, RFC 1939, May 1996. STD 53, RFC 1939, May 1996.
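Review bot: the added [great-cannon] entry gives only a year ("2015"), while the neighbouring entries carry a month ("January 2014", "November 1987"); add the month for consistency. The entry also names a single author, whereas the body text it supports says the system was "dubbed by researchers", so confirm the author list against the cited page. It is placed after [key-recovery]; if the informative references are kept in alphabetical order it belongs before that entry.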
skipping to change at page 22, line 36 skipping to change at page 23, line 25
[RFC7011] Claise, B., Trammell, B., and P. Aitken, "Specification of [RFC7011] Claise, B., Trammell, B., and P. Aitken, "Specification of
the IP Flow Information Export (IPFIX) Protocol for the the IP Flow Information Export (IPFIX) Protocol for the
Exchange of Flow Information", STD 77, RFC 7011, September Exchange of Flow Information", STD 77, RFC 7011, September
2013. 2013.
[RFC7258] Farrell, S. and H. Tschofenig, "Pervasive Monitoring Is an [RFC7258] Farrell, S. and H. Tschofenig, "Pervasive Monitoring Is an
Attack", BCP 188, RFC 7258, May 2014. Attack", BCP 188, RFC 7258, May 2014.
[I-D.ietf-dprive-problem-statement] [I-D.ietf-dprive-problem-statement]
Bortzmeyer, S., "DNS privacy considerations", draft-ietf- Bortzmeyer, S., "DNS privacy considerations", draft-ietf-
dprive-problem-statement-03 (work in progress), March dprive-problem-statement-02 (work in progress), February
2015. 2015.
Authors' Addresses Authors' Addresses
Richard Barnes Richard Barnes
Email: rlb@ipv.sx Email: rlb@ipv.sx
Bruce Schneier Bruce Schneier
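Review bot: the [I-D.ietf-dprive-problem-statement] reference moves backwards in this revision, from "dprive-problem-statement-03 (work in progress), March 2015" in -04 to "dprive-problem-statement-02 (work in progress), February 2015" in -05. A later revision of this draft should not cite an older revision of its reference; this looks like stale reference data picked up when -05 was built, and the -03 citation should be restored.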
skipping to change at page 23, line 15 skipping to change at page 24, line 4
Email: fluffy@cisco.com Email: fluffy@cisco.com
Ted Hardie Ted Hardie
Email: ted.ietf@gmail.com Email: ted.ietf@gmail.com
Brian Trammell Brian Trammell
Email: ietf@trammell.ch Email: ietf@trammell.ch
Christian Huitema Christian Huitema
Email: huitema@huitema.net Email: huitema@huitema.net
Daniel Borkmann Daniel Borkmann
Email: dborkman@redhat.com Email: dborkman@iogearbox.net
 End of changes. 29 change blocks. 
81 lines changed or deleted 122 lines changed or added
