IETF Logo Mail Archive

Re: Privacy holes (was: Re: Getting to consensus on packet number encryption)

Kazuho Oku <kazuhooku@gmail.com> Fri, 13 April 2018 00:32 UTC

Return-Path: <kazuhooku@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B4DD4127876 for <quic@ietfa.amsl.com>; Thu, 12 Apr 2018 17:32:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FfbMvBhOwgSS for <quic@ietfa.amsl.com>; Thu, 12 Apr 2018 17:32:31 -0700 (PDT)
Received: from mail-pl0-x22b.google.com (mail-pl0-x22b.google.com [IPv6:2607:f8b0:400e:c01::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1753A126D3F for <quic@ietf.org>; Thu, 12 Apr 2018 17:32:30 -0700 (PDT)
Received: by mail-pl0-x22b.google.com with SMTP id 59-v6so5020400plc.13 for <quic@ietf.org>; Thu, 12 Apr 2018 17:32:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=dDxlPvMPp1tT1oWmmeNc5lVL76h/WRa+idpt+SNKLz8=; b=p3WacuAobU/JJTSoL33JgAPMfvHbwiNsSskvNoj+YW9EcDwNgu+RolVZWgEjDceqff O+fKm05R0MBnm4Arg2GQG/hZmyTUspxsWDOaTiDut2L5U46MsFap502t5i4CSa/zoCWa c5CZ4W1jaAdk8b0t/oZqKSiKWnoFc5RnbmLnOganJDsiSsW5//0Z9Ld5yjejfkyklJmt uNKxUX7gjv5MnUFpAoz6vwtwDOB0Cv1CSXFoyAPbOsC4m4Q6xX3VymFMAbnhOFfr2pdZ iNkAE070AfUVFeGyAUii0780JlTljdQDREuqmK+2T87knfR6lMPQtDrUsrBUs7xFvu2b JM+A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=dDxlPvMPp1tT1oWmmeNc5lVL76h/WRa+idpt+SNKLz8=; b=PA5ZTEj9Zkmy6fL2nW3LyS9B4qSliwV7VPEV4AwPTXgvXR0NYDjA7dCnS7RpyNkMOe 44Z48fOi3VKIegDXTqqPTl5DXr46PhFVhC47SsxNO0uQTwuSphJtSF2onTDNILd/vE1M eAFIhOHB+J2uGGtUIQwF0uFLEATw070jHD9GWxGVdTEpK1PBzz+y39pxy09t4deJld9B Qf00FYjK1zKR48GKV1U3ae/uCqAYUgPn5pjje1zBrp4GeHcJr0CtJklXWE0sVgPK7P2e HLJR+UURV96K+iHHTirAtZaHh87maLRyJ3gIlzpQwI9PPM5Ta7VhJPtWPE65Iqg6npv3 VTFg==
X-Gm-Message-State: ALQs6tBB9e5yCJV2LxzfZR8mA1iNJ9Xxj0nSSXxbhYCZlDnLQQgrJWjO 0tFkxK6bHtJxXXBI1RVUBo+1RhlOkh+PzYGcjyTA3874
X-Google-Smtp-Source: AIpwx4+dsb++6KX1iYJqefxTYjJlEzxGHVK2kdJCX68U3miLIbIwkijZUkyA8TKKjJZCeoZOLvNonmxF65VXUbnrjqw=
X-Received: by 2002:a17:902:102c:: with SMTP id b41-v6mr3154874pla.39.1523579550455; Thu, 12 Apr 2018 17:32:30 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.100.145.130 with HTTP; Thu, 12 Apr 2018 17:32:29 -0700 (PDT)
In-Reply-To: <CAKcm_gNW7QsWKfa6x_6ua+63RPtTtxfhYTF9LAODyNw8CjVojA@mail.gmail.com>
References: <7fd34142-2e14-e383-1f65-bc3ca657576c@huitema.net> <BBB8D1DE-25F8-4F3D-B274-C317848DE872@akamai.com> <CAN1APdd=47b2eXkvMg+Q_+P254xo4vo-Tu-YQu6XoUGMByO_eQ@mail.gmail.com> <CAKcm_gMpz4MpdmrHLtC8MvTf5uO9LjD915jM-i2LfpKY384O2w@mail.gmail.com> <HE1PR0702MB3611A67E764EE1C7D1644FAD84AD0@HE1PR0702MB3611.eurprd07.prod.outlook.com> <d8e35569-e939-4064-9ec4-2cccfba2f341@huitema.net> <CACpbDccqKoF-Y1poHMN2cLOK9GOuvtMTPsF-QEen3b30kUo9bg@mail.gmail.com> <CAKcm_gNffwpraF-H2LQBF33vUhYFx0bi_UXJ3N14k4Xj4NmWUw@mail.gmail.com> <40C1F6FE-2B2C-469F-8F98-66329703ED50@mnot.net> <21C36B57-6AE2-40EF-9549-7196D7FA9B45@tik.ee.ethz.ch> <B176FC07-887D-4135-B01E-FE8B4986A5EE@mnot.net> <CAKcm_gOCeocLyrYpOS7Ud332xdz3xHSH0psPN8T6BGRjoL9ptQ@mail.gmail.com> <CY4PR21MB0630FA0EDD343396AD414641B6A40@CY4PR21MB0630.namprd21.prod.outlook.com> <CAN1APde13JTzCvKFFvMd183Fka6QGD1kGBjsa9fcoLrYeA2hsA@mail.gmail.com> <CY4PR21MB0630C0FD4FBECBFEC3C863BBB6A40@CY4PR21MB0630.namprd21.prod.outlook.com> <B0F49097-F77A-4831-B68B-4266AA880A86@tik.ee.ethz.ch> <759C5BE4-DE4C-4A82-929C-B03234B88A37@huitema.net> <CY4PR21MB063098C907E732B0384B2824B6BE0@CY4PR21MB0630.namprd21.prod.outlook.com> <DM5PR2101MB0901E6C75EDCFDA209714D89B3BE0@DM5PR2101MB0901.namprd21.prod.outlook.com> <CY4PR21MB0630A6C5D63C175F390CC650B6BD0@CY4PR21MB0630.namprd21.prod.outlook.com> <CAKcm_gNW7QsWKfa6x_6ua+63RPtTtxfhYTF9LAODyNw8CjVojA@mail.gmail.com>
From: Kazuho Oku <kazuhooku@gmail.com>
Date: Fri, 13 Apr 2018 09:32:29 +0900
Message-ID: <CANatvzz2-o9VBRb-b_hGMoDTaSVpZkyEKXpgULZOJhHF5+xv2w@mail.gmail.com>
Subject: Re: Privacy holes (was: Re: Getting to consensus on packet number encryption)
To: Ian Swett <ianswett=40google.com@dmarc.ietf.org>
Cc: Praveen Balasubramanian <pravb=40microsoft.com@dmarc.ietf.org>, IETF QUIC WG <quic@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/1GIvpQvILtr7iveD5bhhh9BsEdE>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Apr 2018 00:32:32 -0000

2018-04-13 8:36 GMT+09:00 Ian Swett <ianswett=40google.com@dmarc.ietf.org>:
> Yes, for a powerful adversary, this seems fairly tractable..
>
> Making connection migration look like a new connection would likely help a
> lot.

I am not sure if that is the right path.

We have three ways in which a new set of 5-tuple starts getting used.

* new connection
* voluntary migration
* involuntary migration (i.e. NAT rebinding)

For the involuntary migration case, the first packet will always be a
short header packet.

If we make voluntary migration look like a new connection, the chance
of involuntary migration getting blocked by a middlebox becomes higher
(as we have seen gateways blocking the TLS 1.3 records, or the '07'
case).

Therefore, my preference goes to making all the three cases
indistinguishable (which is ideal but hard), or keeping voluntary and
non-voluntary migration look the same (as we do now) at the same time
making sure that the middlebox developers understand migration happens
[1].

[1] https://www.ietf.org/mail-archive/web/quic/current/msg03820.html

> On Wed, Apr 11, 2018 at 3:18 PM Praveen Balasubramanian
> <pravb=40microsoft.com@dmarc.ietf.org> wrote:
>>
>> Going back to Christian's original question on privacy holes, there is an
>> attack for linking IP addresses in the voluntary migration case.
>>
>> Let's consider the parking lot problem or in general case losing one
>> network and roaming to another network. This is the primary use case for
>> connection migration. In this case all active QUIC connections that can
>> migrate, will do so. When these connections migrate they can change the CID,
>> the local port number and packet numbers. However do notice that only the
>> local 2-tuple changes for each connection, the server's 2-tuple remains the
>> same.
>>
>> Let's assume a powerful adversary can collect a network sniff of all this
>> traffic and builds a massive dataset. The adversary can then run a machine
>> learning algorithm to identify time instants where a bunch of connections
>> change their local 2-tuple at near the same time instant but continue going
>> to the same server side 2-tuples. This will allow the adversary to link two
>> IP addresses. The more times the user roams between networks back and forth
>> the richer the correlation. The more open connections to different servers,
>> the richer the correlation. Geolocation information can minimize the number
>> of addresses the adversary needs to correlate.
>>
>> The fundamental problem seems to be that the substrate is UDP/IP and it is
>> in the clear and allows linkability.
>>
>> -----Original Message-----
>> From: QUIC [mailto:quic-bounces@ietf.org] On Behalf Of Christian Huitema
>> Sent: Thursday, April 5, 2018 8:34 AM
>> To: Mirja Kühlewind <mirja.kuehlewind@tik.ee.ethz.ch>
>> Cc: quic@ietf.org
>> Subject: Privacy holes (was: Re: Getting to consensus on packet number
>> encryption)
>>
>>
>>
>> > On Apr 5, 2018, at 2:26 AM, Mirja Kühlewind
>> > <mirja.kuehlewind@tik.ee..ethz.ch> wrote:
>> > ...
>> > Timing doesn’t help here either because you still have the same
>> > destination IP, both port numbers and the fact that a migrated connection
>> > does not have a handshake. If we want to address the linkability problem, we
>> > would need to do much more, probably baring more hits on performance.
>>
>> Mirja,
>>
>> You rightly point out that the connection ID and the Packet Number are not
>> the only elements that provide linkability. There is also of course the UDP
>> source port. That one is not much of an issue for servers, but it is an
>> issue for clients. We are not spelling that out in the draft. We should,
>> because clients can trivially close that hole when doing migration.
>>
>> I am not sure that the absence of negotiation divulges much data. It marks
>> the path as originating from a migration, but it does not tell from where.
>> But there might be an ossification issue. We will get that ossification if
>> we train middleboxes to believe that connection always start with an
>> observable negotiation. So maybe we should explore ways to grease that.
>>
>> Any other privacy hole that we should fix?
>>
>> -- Christian Huitema



-- 
Kazuho Oku

v2.23.0 | Report a Bug | By Email