rfc7624v2.txt   rfc7624.txt 
Internet Architecture Board (IAB) R. Barnes Internet Architecture Board (IAB) R. Barnes
Request for Comments: 7622 Request for Comments: 7624 B. Schneier
Category: Informational B. Schneier Category: Informational C. Jennings
ISSN: 2070-1721 ISSN: 2070-1721 T. Hardie
C. Jennings
T. Hardie
B. Trammell B. Trammell
C. Huitema C. Huitema
D. Borkmann D. Borkmann
August 2015 August 2015
Confidentiality in the Face of Pervasive Surveillance: Confidentiality in the Face of Pervasive Surveillance:
A Threat Model and Problem Statement A Threat Model and Problem Statement
Abstract Abstract
Since the initial revelations of pervasive surveillance in 2013, Since the initial revelations of pervasive surveillance in 2013,
several classes of attacks on Internet communications have been several classes of attacks on Internet communications have been
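Review bot: the "Request for Comments" line changes the number from 7622 to 7624, and both filenames at the top of the diff already say rfc7624, so the old header disagreed with its own file. Please check that every other place the number is written out (the visible one is the rfc-editor info URL in the status text) is corrected in the same revision, so that the header and the URL cannot drift apart again.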
skipping to change at page 1, line 45 skipping to change at page 1, line 39
This document is a product of the Internet Architecture Board (IAB) This document is a product of the Internet Architecture Board (IAB)
and represents information that the IAB has deemed valuable to and represents information that the IAB has deemed valuable to
provide for permanent record. It represents the consensus of the provide for permanent record. It represents the consensus of the
Internet Architecture Board (IAB). Documents approved for Internet Architecture Board (IAB). Documents approved for
publication by the IAB are not a candidate for any level of Internet publication by the IAB are not a candidate for any level of Internet
Standard; see Section 2 of RFC 5741. Standard; see Section 2 of RFC 5741.
Information about the current status of this document, any errata, Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc7622. http://www.rfc-editor.org/info/rfc7624.
Copyright Notice Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. to this document.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. An Idealized Passive Pervasive Attacker . . . . . . . . . . . 5 3. An Idealized Passive Pervasive Attacker . . . . . . . . . . . 5
3.1. Information Subject to Direct Observation . . . . . . . . 5 3.1. Information Subject to Direct Observation . . . . . . . . 6
3.2. Information Useful for Inference . . . . . . . . . . . . 6 3.2. Information Useful for Inference . . . . . . . . . . . . 6
3.3. An Illustration of an Ideal Passive Pervasive Attack . . 7 3.3. An Illustration of an Ideal Passive Pervasive Attack . . 7
3.3.1. Analysis of IP Headers . . . . . . . . . . . . . . . 7 3.3.1. Analysis of IP Headers . . . . . . . . . . . . . . . 7
3.3.2. Correlation of IP Addresses to User Identities . . . 8 3.3.2. Correlation of IP Addresses to User Identities . . . 8
3.3.3. Monitoring Messaging Clients for IP Address 3.3.3. Monitoring Messaging Clients for IP Address
Correlation . . . . . . . . . . . . . . . . . . . . . 8 Correlation . . . . . . . . . . . . . . . . . . . . . 9
3.3.4. Retrieving IP Addresses from Mail Headers . . . . . . 9 3.3.4. Retrieving IP Addresses from Mail Headers . . . . . . 9
3.3.5. Tracking Address Usage with Web Cookies . . . . . . . 9 3.3.5. Tracking Address Usage with Web Cookies . . . . . . . 10
3.3.6. Graph-Based Approaches to Address Correlation . . . . 10 3.3.6. Graph-Based Approaches to Address Correlation . . . . 10
3.3.7. Tracking of Link-Layer Identifiers . . . . . . . . . 10 3.3.7. Tracking of Link-Layer Identifiers . . . . . . . . . 10
4. Reported Instances of Large-Scale Attacks . . . . . . . . . . 11 4. Reported Instances of Large-Scale Attacks . . . . . . . . . . 11
5. Threat Model . . . . . . . . . . . . . . . . . . . . . . . . 13 5. Threat Model . . . . . . . . . . . . . . . . . . . . . . . . 13
5.1. Attacker Capabilities . . . . . . . . . . . . . . . . . . 13 5.1. Attacker Capabilities . . . . . . . . . . . . . . . . . . 14
5.2. Attacker Costs . . . . . . . . . . . . . . . . . . . . . 16 5.2. Attacker Costs . . . . . . . . . . . . . . . . . . . . . 17
6. Security Considerations . . . . . . . . . . . . . . . . . . . 19 6. Security Considerations . . . . . . . . . . . . . . . . . . . 19
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 19 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 20
7.1. Normative References . . . . . . . . . . . . . . . . . . 20 7.1. Normative References . . . . . . . . . . . . . . . . . . 20
7.2. Informative References . . . . . . . . . . . . . . . . . 20 7.2. Informative References . . . . . . . . . . . . . . . . . 20
IAB Members at the Time of Approval . . . . . . . . . . . . . . . 23 IAB Members at the Time of Approval . . . . . . . . . . . . . . . 23
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 23 Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 24
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 24 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 24
1. Introduction 1. Introduction
Starting in June 2013, documents released to the press by Edward Starting in June 2013, documents released to the press by Edward
Snowden have revealed several operations undertaken by intelligence Snowden have revealed several operations undertaken by intelligence
agencies to exploit Internet communications for intelligence agencies to exploit Internet communications for intelligence
purposes. These attacks were largely based on protocol purposes. These attacks were largely based on protocol
vulnerabilities that were already known to exist. The attacks were vulnerabilities that were already known to exist. The attacks were
nonetheless striking in their pervasive nature, in terms of both the nonetheless striking in their pervasive nature, in terms of both the
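Review bot: the info URL in the status paragraph moves from rfc7622 to rfc7624, which matches the corrected header, but the table of contents in this hunk also changes page numbers on several entries (for example Introduction 2 to 3, Section 3.1 5 to 6, Section 5.2 16 to 17). Those numbers should come from regenerating the contents against the final pagination, not from hand edits, so please confirm how they were produced.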
skipping to change at page 10, line 43 skipping to change at page 11, line 10
visited networks. For instance, certain techniques such as the use visited networks. For instance, certain techniques such as the use
of "hidden SSIDs" require the mobile device to broadcast the network of "hidden SSIDs" require the mobile device to broadcast the network
identifier together with the device identifier. This combination can identifier together with the device identifier. This combination can
further expose the user to inference attacks, as more information can further expose the user to inference attacks, as more information can
be derived from the combination of MAC address, SSID being probed, be derived from the combination of MAC address, SSID being probed,
time, and current location. For example, a user actively probing for time, and current location. For example, a user actively probing for
a semi-unique SSID on a flight out of a certain city can imply that a semi-unique SSID on a flight out of a certain city can imply that
the user is no longer at the physical location of the corresponding the user is no longer at the physical location of the corresponding
AP. Given that large-scale databases of the MAC addresses of AP. Given that large-scale databases of the MAC addresses of
wireless access points for geolocation purposes have been known to wireless access points for geolocation purposes have been known to
exist for some time, the attacker could easily build a a database exist for some time, the attacker could easily build a database that
that maps link-layer identifiers and time with device or user maps link-layer identifiers and time with device or user identities,
identities, and use it to track the movement of devices and of their and use it to track the movement of devices and of their owners. On
owners. On the other hand, if the network does not use some form of the other hand, if the network does not use some form of Wi-Fi
Wi-Fi encryption, or if the attacker can access the decrypted encryption, or if the attacker can access the decrypted traffic, the
traffic, the analysis will also provide the correlation between link- analysis will also provide the correlation between link- layer
layer identifiers such as MAC addresses and IP addresses. Additional identifiers such as MAC addresses and IP addresses. Additional
monitoring using techniques exposed in the previous sections will monitoring using techniques exposed in the previous sections will
reveal the correlation between MAC addresses, IP addresses, and user reveal the correlation between MAC addresses, IP addresses, and user
identity. For instance, similarly to the use of web cookies, MAC identity. For instance, similarly to the use of web cookies, MAC
addresses provide identity information that can be used to associate addresses provide identity information that can be used to associate
a user to different IP addresses. a user to different IP addresses.
4. Reported Instances of Large-Scale Attacks 4. Reported Instances of Large-Scale Attacks
The situation in reality is more bleak than that suggested by an The situation in reality is more bleak than that suggested by an
analysis of our idealized attacker. Through revelations of sensitive analysis of our idealized attacker. Through revelations of sensitive
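Review bot: in the reflowed paragraph the new side reads "the correlation between link- layer identifiers", with a space after the hyphen, where the old side only broke "link-layer" across a line end. If that space is in the new file and not just an effect of this side-by-side rendering, join it back to "link-layer", matching "Tracking of Link-Layer Identifiers" in the table of contents. The removal of the doubled "a a database" in the same paragraph is fine.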
skipping to change at page 12, line 31 skipping to change at page 12, line 46
o Use of implants on end systems to undermine security and anonymity o Use of implants on end systems to undermine security and anonymity
features [dec2] [TOR1] [TOR2]. For example, QUANTUM is used to features [dec2] [TOR1] [TOR2]. For example, QUANTUM is used to
direct users to a FOXACID server, which in turn delivers an direct users to a FOXACID server, which in turn delivers an
implant to compromise browsers of Tor users. implant to compromise browsers of Tor users.
o Use of implants on network elements from many major equipment o Use of implants on network elements from many major equipment
providers, including Cisco, Juniper, Huawei, Dell, and HP, as providers, including Cisco, Juniper, Huawei, Dell, and HP, as
provided by the NSA's Advanced Network Technology group provided by the NSA's Advanced Network Technology group
[spiegel1]. [spiegel1].
o Use of botnet-scale collections of compromised hosts [spiegel3]. o Use of botnet-scale collections of compromised hosts [spiegel2].
The scale of the compromise extends beyond the network to include The scale of the compromise extends beyond the network to include
subversion of the technical standards process itself. For example, subversion of the technical standards process itself. For example,
there is suspicion that NSA modifications to the DUAL_EC_DRBG random there is suspicion that NSA modifications to the DUAL_EC_DRBG random
number generator (RNG) were made to ensure that keys generated using number generator (RNG) were made to ensure that keys generated using
that generator could be predicted by NSA. This RNG was made part of that generator could be predicted by NSA. This RNG was made part of
NIST's SP 800-90A, for which NIST acknowledges the NSA's assistance. NIST's SP 800-90A, for which NIST acknowledges the NSA's assistance.
There have also been reports that the NSA paid RSA Security for a There have also been reports that the NSA paid RSA Security for a
related contract with the result that the curve became the default in related contract with the result that the curve became the default in
the RSA BSAFE product line. the RSA BSAFE product line.
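Review bot: the citation on the "botnet-scale collections of compromised hosts" bullet is renamed from [spiegel3] to [spiegel2], and a citation tag only resolves if the reference list carries the same tag. The matching rename does appear in the Informative References later in this diff, but the unchanged sections skipped between hunks are not shown, so please search the whole document for any remaining [spiegel3].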
skipping to change at page 18, line 15 skipping to change at page 18, line 17
attacks are also much more observable at higher layers of the attacks are also much more observable at higher layers of the
network. For example, an active attacker that attempts to use a mis- network. For example, an active attacker that attempts to use a mis-
issued certificate could be detected via Certificate Transparency issued certificate could be detected via Certificate Transparency
[RFC6962]. [RFC6962].
In terms of raw implementation complexity, passive pervasive attacks In terms of raw implementation complexity, passive pervasive attacks
require only enough processing to extract information from the require only enough processing to extract information from the
network and store it. Active pervasive attacks, by contrast, often network and store it. Active pervasive attacks, by contrast, often
depend on winning race conditions to inject packets into active depend on winning race conditions to inject packets into active
connections. So, active pervasive attacks in the core of the network connections. So, active pervasive attacks in the core of the network
require processing hardware to that can operate at line speed require processing hardware that can operate at line speed (roughly
(roughly 100 Gbps to 1 Tbps in the core) to identify opportunities 100 Gbps to 1 Tbps in the core) to identify opportunities for attack
for attack and insert attack traffic in high-volume traffic. Key and insert attack traffic in high-volume traffic. Key exfiltration
exfiltration attacks rely on passive pervasive attack for access to attacks rely on passive pervasive attack for access to encrypted
encrypted data, with the collaborator providing keys to decrypt the data, with the collaborator providing keys to decrypt the data. So,
data. So, the attacker undertakes the cost and risk of a passive the attacker undertakes the cost and risk of a passive pervasive
pervasive attack, as well as additional risk of discovery via the attack, as well as additional risk of discovery via the interactions
interactions that the attacker has with the collaborator. that the attacker has with the collaborator.
Some active attacks are more expensive than others. For example, Some active attacks are more expensive than others. For example,
active man-in-the-middle (MITM) attacks require access to one or more active man-in-the-middle (MITM) attacks require access to one or more
points on a communication's network path that allow visibility of the points on a communication's network path that allow visibility of the
entire session and the ability to modify or drop legitimate packets entire session and the ability to modify or drop legitimate packets
in favor of the attacker's packets. A similar but weaker form of in favor of the attacker's packets. A similar but weaker form of
attack, called an active man-on-the-side (MOTS), requires access to attack, called an active man-on-the-side (MOTS), requires access to
only part of the session. In an active MOTS attack, the attacker only part of the session. In an active MOTS attack, the attacker
need only be able to inject or modify traffic on the network element need only be able to inject or modify traffic on the network element
the attacker has access to. While this may not allow for full the attacker has access to. While this may not allow for full
skipping to change at page 20, line 4 skipping to change at page 20, line 6
systems. The main difference is that the risk in this case is of systems. The main difference is that the risk in this case is of
automated discovery (e.g., by intrusion detection systems) rather automated discovery (e.g., by intrusion detection systems) rather
than discovery by humans. than discovery by humans.
6. Security Considerations 6. Security Considerations
This document describes a threat model for pervasive surveillance This document describes a threat model for pervasive surveillance
attacks. Mitigations are to be given in a future document. attacks. Mitigations are to be given in a future document.
7. References 7. References
7.1. Normative References 7.1. Normative References
[RFC6973] Cooper, A., Tschofenig, H., Aboba, B., Peterson, J., [RFC6973] Cooper, A., Tschofenig, H., Aboba, B., Peterson, J.,
Morris, J., Hansen, M., and R. Smith, "Privacy Morris, J., Hansen, M., and R. Smith, "Privacy
Considerations for Internet Protocols", RFC 6973, DOI Considerations for Internet Protocols", RFC 6973,
10.17487/RFC6973, July 2013, DOI 10.17487/RFC6973, July 2013,
<http://www.rfc-editor.org/info/rfc6973>. <http://www.rfc-editor.org/info/rfc6973>.
7.2. Informative References 7.2. Informative References
[dec1] Perlroth, N., Larson, J., and S. Shane, "N.S.A. Able to [dec1] Perlroth, N., Larson, J., and S. Shane, "N.S.A. Able to
Foil Basic Safeguards of Privacy on Web", The New York Foil Basic Safeguards of Privacy on Web", The New York
Times, September 2013, Times, September 2013,
<http://www.nytimes.com/2013/09/06/us/ <http://www.nytimes.com/2013/09/06/us/
nsa-foils-much-internet-encryption.html>. nsa-foils-much-internet-encryption.html>.
skipping to change at page 22, line 6 skipping to change at page 22, line 6
STD 53, RFC 1939, DOI 10.17487/RFC1939, May 1996, STD 53, RFC 1939, DOI 10.17487/RFC1939, May 1996,
<http://www.rfc-editor.org/info/rfc1939>. <http://www.rfc-editor.org/info/rfc1939>.
[RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, [RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston,
A., Peterson, J., Sparks, R., Handley, M., and E. A., Peterson, J., Sparks, R., Handley, M., and E.
Schooler, "SIP: Session Initiation Protocol", RFC 3261, Schooler, "SIP: Session Initiation Protocol", RFC 3261,
DOI 10.17487/RFC3261, June 2002, DOI 10.17487/RFC3261, June 2002,
<http://www.rfc-editor.org/info/rfc3261>. <http://www.rfc-editor.org/info/rfc3261>.
[RFC3365] Schiller, J., "Strong Security Requirements for Internet [RFC3365] Schiller, J., "Strong Security Requirements for Internet
Engineering Task Force Standard Protocols", BCP 61, RFC Engineering Task Force Standard Protocols", BCP 61,
3365, DOI 10.17487/RFC3365, August 2002, RFC 3365, DOI 10.17487/RFC3365, August 2002,
<http://www.rfc-editor.org/info/rfc3365>. <http://www.rfc-editor.org/info/rfc3365>.
[RFC3501] Crispin, M., "INTERNET MESSAGE ACCESS PROTOCOL - VERSION [RFC3501] Crispin, M., "INTERNET MESSAGE ACCESS PROTOCOL - VERSION
4rev1", RFC 3501, DOI 10.17487/RFC3501, March 2003, 4rev1", RFC 3501, DOI 10.17487/RFC3501, March 2003,
<http://www.rfc-editor.org/info/rfc3501>. <http://www.rfc-editor.org/info/rfc3501>.
[RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "DNS Security Introduction and Requirements", RFC Rose, "DNS Security Introduction and Requirements",
4033, DOI 10.17487/RFC4033, March 2005, RFC 4033, DOI 10.17487/RFC4033, March 2005,
<http://www.rfc-editor.org/info/rfc4033>. <http://www.rfc-editor.org/info/rfc4033>.
[RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)", RFC [RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)",
4303, DOI 10.17487/RFC4303, December 2005, RFC 4303, DOI 10.17487/RFC4303, December 2005,
<http://www.rfc-editor.org/info/rfc4303>. <http://www.rfc-editor.org/info/rfc4303>.
[RFC4949] Shirey, R., "Internet Security Glossary, Version 2", FYI [RFC4949] Shirey, R., "Internet Security Glossary, Version 2",
36, RFC 4949, DOI 10.17487/RFC4949, August 2007, FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007,
<http://www.rfc-editor.org/info/rfc4949>. <http://www.rfc-editor.org/info/rfc4949>.
[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.2", RFC 5246, DOI 10.17487/ (TLS) Protocol Version 1.2", RFC 5246,
RFC5246, August 2008, DOI 10.17487/RFC5246, August 2008,
<http://www.rfc-editor.org/info/rfc5246>. <http://www.rfc-editor.org/info/rfc5246>.
[RFC5321] Klensin, J., "Simple Mail Transfer Protocol", RFC 5321, [RFC5321] Klensin, J., "Simple Mail Transfer Protocol", RFC 5321,
DOI 10.17487/RFC5321, October 2008, DOI 10.17487/RFC5321, October 2008,
<http://www.rfc-editor.org/info/rfc5321>. <http://www.rfc-editor.org/info/rfc5321>.
[RFC6962] Laurie, B., Langley, A., and E. Kasper, "Certificate [RFC6962] Laurie, B., Langley, A., and E. Kasper, "Certificate
Transparency", RFC 6962, DOI 10.17487/RFC6962, June 2013, Transparency", RFC 6962, DOI 10.17487/RFC6962, June 2013,
<http://www.rfc-editor.org/info/rfc6962>. <http://www.rfc-editor.org/info/rfc6962>.
[RFC7011] Claise, B., Ed., Trammell, B., Ed., and P. Aitken, [RFC7011] Claise, B., Ed., Trammell, B., Ed., and P. Aitken,
"Specification of the IP Flow Information Export (IPFIX) "Specification of the IP Flow Information Export (IPFIX)
Protocol for the Exchange of Flow Information", STD 77, Protocol for the Exchange of Flow Information", STD 77,
RFC 7011, DOI 10.17487/RFC7011, September 2013, RFC 7011, DOI 10.17487/RFC7011, September 2013,
<http://www.rfc-editor.org/info/rfc7011>. <http://www.rfc-editor.org/info/rfc7011>.
[RFC7258] Farrell, S. and H. Tschofenig, "Pervasive Monitoring Is an [RFC7258] Farrell, S. and H. Tschofenig, "Pervasive Monitoring Is an
Attack", BCP 188, RFC 7258, DOI 10.17487/RFC7258, May Attack", BCP 188, RFC 7258, DOI 10.17487/RFC7258, May
2014, <http://www.rfc-editor.org/info/rfc7258>. 2014, <http://www.rfc-editor.org/info/rfc7258>.
[spiegel1] [spiegel1] Appelbaum, J., Horchert, J., Reissmann, O., Rosenbach, M.,
Appelbaum, J., Horchert, J., Reissmann, O., Rosenbach, M.,
Schindler, J., and C. Stocker, "NSA's Secret Toolbox: Unit Schindler, J., and C. Stocker, "NSA's Secret Toolbox: Unit
Offers Spy Gadgets for Every Need", Spiegel Online, Offers Spy Gadgets for Every Need", Spiegel Online,
December 2013, <http://www.spiegel.de/international/world/ December 2013, <http://www.spiegel.de/international/world/
nsa-secret-toolbox-ant-unit-offers-spy-gadgets-for-every- nsa-secret-toolbox-ant-unit-offers-spy-gadgets-for-every-
need-a-941006.html>. need-a-941006.html>.
[spiegel3] [spiegel2] Appelbaum, J., Gibson, A., Guarnieri, C., Muller-Maguhn,
Appelbaum, J., Gibson, A., Guarnieri, C., Muller-Maguhn,
A., Poitras, L., Rosenbach, M., Schmundt, H., and M. A., Poitras, L., Rosenbach, M., Schmundt, H., and M.
Sontheimer, "The Digital Arms Race: NSA Preps America for Sontheimer, "The Digital Arms Race: NSA Preps America for
Future Battle", Spiegel Online, January 2015, Future Battle", Spiegel Online, January 2015,
<http://www.spiegel.de/international/world/new-snowden- <http://www.spiegel.de/international/world/new-snowden-
docs-indicate-scope-of-nsa-preparations-for-cyber-battle- docs-indicate-scope-of-nsa-preparations-for-cyber-battle-
a-1013409.html>. a-1013409.html>.
[TOR1] Schneier, B., "How the NSA Attacks Tor/Firefox Users With [TOR1] Schneier, B., "How the NSA Attacks Tor/Firefox Users With
QUANTUM and FOXACID", Schneier on Security, October 2013, QUANTUM and FOXACID", Schneier on Security, October 2013,
<https://www.schneier.com/blog/archives/2013/10/ <https://www.schneier.com/blog/archives/2013/10/
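Review bot: the reference reflow keeps series numbers and DOIs on one line (for example "RFC 3365" and "DOI 10.17487/RFC5246" are no longer split), but the two Spiegel URLs still wrap immediately after a hyphen ("...for-every-" / "need-a-941006.html" and "...cyber-battle-" / "a-1013409.html"). A reader cannot tell from the text whether that hyphen belongs to the URL or marks the break, so consider breaking those URLs after a "/" where the line length allows. The [spiegel3] to [spiegel2] label rename here is consistent with the in-text citation change in Section 4.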
 End of changes. 23 change blocks. 
50 lines changed or deleted 43 lines changed or added
