[Cryptography] traffic analysis -> let's write an RFC?

John Denker jsd at av8n.com
Thu Jan 29 14:35:19 EST 2015 

On 01/29/2015 04:03 AM, Ben Laurie wrote:
> Clearly the idea was you design your network so that you do own the link.
> Which brings me back to my question (even Google cannot afford that much
> network, I suspect).

1) Owning the physical link is unnecessary and irrelevant.
 In the question, let's replace the concept of physical
 "link" with /virtual circuit/.  Assume the carrier who
 owns the physical link is untrustworthy.  You can still
 buy a virtual circuit with X amount of bandwidth for a 
 finite price.  You can fill that bandwidth with traffic 
 -- cover traffic or otherwise -- and secure the traffic
 using crypto.

2) It may help to distinguish "traffic analysis" from 
 "traffic engineering".  Imagine a cat-and-mouse game,
 where the mice are trying to communicate, and the cats
 are attacking by means of traffic analysis.  The mice
 need to do traffic engineering, so as to maximize the
 amount of traffic they can move, maximize the security,
 and minimize the cost.

 Traffic engineering starts from the observation that
 peak demand is eeeenormously larger than average demand.
 Therefore there is /traffic gain/ to be had by sharing.
 Under "some" favorable conditions, this can be done
 while still defending against traffic analysis.

 Here is a scenario.  This does not solve all the world's
 problems, but it has some value.  If nothing else, it
 proves we should not give up.

 Suppose there exist cheap links and expensive links,
 e.g. local versus transatlantic.  Suppose you have
 a group of N friends whom you trust.  The group is
 connected by cheap links.  All traffic is secured
 by crypto.  Each member of the group puts X amount
 of steady traffic on the expensive link, for a total 
 of N*X.  When you have a burst of traffic that
 exceeds X, you distribute it (cheaply!) to your
 friends, and ask them to forward it.

        _______
       |       |
       |   A   |                _________
       |_______|---------------|         |
          +   +           -----| carrier |---(ocean)---
          +   +_______   |   --|_________|
          +   |       |  |  |
          +   |   B   |--   |
          +   |_______|     |
          +    +            |
        __+____+            |
       |       |            |
       |   C   |------------
       |_______|
  
  "++" = cheap link
  "--" = expensive link

 In this scenario, you can achieve traffic gain in
 proportion to the number of people you can trust.
 Increasing N increases your peak bandwidth, at the
 cost of a proportional increase in attack surface.

 One must also analyze this from the cats' point of
 view.  Assume the cats' goal is to spy on /everybody/.
 Suppose M of the N sites can be compromised, meaning
 that the cat can now tell the difference between null
 and non-null traffic at that site.  It then becomes 
 a statistic problem to figure out where the non-null
 traffic originated.  As a function of M:
  -- how good are the statistics?
  -- what is the direct cost?
  -- what are the indirect costs, such as the chance
   that some mouse will notice that he's been pwned?

This is obviously just the sketch of an outline, but
it shows there are some things that can be done,
without requiring us to redesign all protocols from
layer 1 upward.

More information about the cryptography mailing list