[Cryptography] BBC to deploy detection vans to snoop on internet users

ianG iang at iang.org
Sat Aug 20 02:04:07 EDT 2016


On 8/08/2016 18:29 pm, Jerry Leichter wrote:

> The claim that detectors could work on packet length and timing does bring up a point I've mentioned before:  We define security for cipher algorithms, and often for modes and even protocols, in a way that completely ignores leakage of message length and timing - assuming that it doesn't really matter very much (if you use a block cipher the length is only known mod 16 or maybe somewhat more, who cares) or, in the case of timing, that this is simply outside the domain of analysis.

In other words, we define what we can fix, then we re-work the threat 
model to ignore that which we can't fix.  Then we teach the users that 
this is their problem, their fault, they've been socially engineered.

> And yet we keep seeing attacks (or even proposals for attacks) that look at exactly this "metadata" that we leave unencrypted.  We've seen such things as recovery of encrypted compressed speech based entirely on the sequence of packet lengths; discovery of web pages being read over an HTTPS connection based, again, on the sequence of lengths of messages; a bunch of attacks that make the attacked element an oracle for the "have you seen this string in the data you encrypted recently?" by checking the length of responses.

Right.  There is this incredible bias in cryptology to even ignore 
actual results that breach our shared acceptable threat model.  This I 
posted last year and it disappeared without a trace ... which was really 
odd - the authors claim to have actually recovered encrypted 
conversation from so-called metadata in VoIP.


-------- Forwarded Message --------
Subject: [Cryptography] attacks on packet length may be surprisingly 
good: Hookt on fon-iks
Date: Sat, 24 Oct 2015 18:52:21 +0100

Phonotactic Reconstruction of Encrypted VoIP Conversations: Hookt on fon-iks

Abstract—
In this work, we unveil new privacy threats against Voice-over-IP (VoIP) 
communications. Although prior work has shown that the interaction of 
variable bit-rate codecs and length-preserving stream ciphers leaks 
information, we show that the threat is more serious than previously 
thought. In particular, we derive *approximate transcripts* of encrypted 
VoIP conversations by segmenting an observed packet stream into 
subsequences representing individual phonemes and classifying those 
subsequences by the phonemes they encode. Drawing on insights from the 
computational linguistics and speech recognition communities, we apply 
novel techniques for unmasking parts of the conversation. We believe our 
ability to do so underscores the importance of designing secure (yet 
efficient) ways to protect the confidentiality of VoIP conversations.

http://wwwx.cs.unc.edu/~kzsnow/uploads/8/8/6/2/8862319/foniks-oak11.pdf



> It's time to take this stuff seriously.


Hell yeah!

> Widely used encryption algorithms and modes guarantee "semantic security" where the semantics is defined by the bits being transmitted.  Blocking, message lengths, and delays between blocks or messages are not considered.  In this situation, it's important that senders avoid coupling sensitive semantics to stuff "outside the semantic envelope".  In particular, compression of data before encryption is a disaster, as it inherently leaks information about the bit-level semantics in the lengths of the messages.  Any non-uniformity in message sizes or sending rates that's tied to the underlying bits similarly moves information from the protected domain to the (deliberately) unprotected one.
>
> If we broaden the definition of "semantic security" to include "the attacker gains no (or a defined, limited amount of) information about message lengths and timings" - can we define cryptosystems that inherently provide such security?  Or do we need to fall back to the old definitions of security that required the sender to follow some rules about message formation?  (For example, not so long ago, ciphers were not secure against known-plaintext attacks, so the rule was that information sent through such a system was *never* released in its original form.  So announcements would be sent to overseas embassies - and then paraphrased before being delivered.)
>                                                         -- Jerry

There was a company called Zero Knowledge Systems back in around 1999 
that bombed.  One of the reasons it bombed was because it insisted that 
its message streams would be 128kbps continuous.  At the time that was a 
non-starter.  But now, we need to re-evaluate such techniques.

For my part I'd say we should be obfuscating, not eliminating. 
Bandwidth and so forth is still an issue.  But this becomes an open 
research topic, I suspect.

iang
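As an added illustration of the point being argued (this is not code from the thread or from the paper, and the per-phoneme frame sizes are constructed toy numbers, not any real codec's output): a length-preserving cipher leaves the frame-size pattern of a variable-bit-rate codec on the wire, a passive observer who knows the profiles can read it back, and padding trades that leakage against bandwidth.

```python
# Toy model of length leakage under a length-preserving cipher and what
# padding policies do to it. Profiles below are constructed, not real codec data.
import random

# Constructed: each phoneme class emits a characteristic run of frame sizes (bytes)
# from a variable-bit-rate codec. With a stream cipher, len(ct) == len(pt),
# so exactly these sizes are what an eavesdropper sees.
PHONEME_PROFILES = {
    "a": [40, 44, 46, 44],
    "s": [20, 18, 22, 20],
    "k": [12, 38, 40, 30],
}

def pad_to_multiple(frames, unit):
    # Round each frame up to a multiple of `unit` bytes; coarse length still leaks.
    return [((f + unit - 1) // unit) * unit for f in frames]

def pad_constant(frames, size):
    # Zero-Knowledge-Systems style: every frame on the wire has the same size.
    return [size] * len(frames)

def observe(phoneme, rng, padding):
    # Small jitter models natural codec variation; only lengths reach the wire.
    frames = [f + rng.randint(-2, 2) for f in PHONEME_PROFILES[phoneme]]
    return padding(frames)

def classify(lengths, padding):
    # Passive observer: nearest known profile (Kerckhoffs: the padding rule is public,
    # so the reference profiles are padded the same way).
    def dist(a, b):
        return sum(abs(x - y) for x, y in zip(a, b))
    return min(PHONEME_PROFILES,
               key=lambda p: dist(lengths, padding(PHONEME_PROFILES[p])))

def attack_accuracy(padding, trials=300, seed=1):
    # Fraction of observed phoneme runs the length-only observer labels correctly.
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        truth = rng.choice(sorted(PHONEME_PROFILES))
        hits += classify(observe(truth, rng, padding), padding) == truth
    return hits / trials

def overhead(padding):
    # Bytes sent under the padding policy relative to the raw codec output.
    raw = sum(sum(p) for p in PHONEME_PROFILES.values())
    padded = sum(sum(padding(p)) for p in PHONEME_PROFILES.values())
    return padded / raw

if __name__ == "__main__":
    for name, pol in [("none", lambda f: f),
                      ("round to 32", lambda f: pad_to_multiple(f, 32)),
                      ("constant 64", lambda f: pad_constant(f, 64))]:
        print(f"{name:12s} accuracy={attack_accuracy(pol):.2f} overhead={overhead(pol):.2f}x")
```

With these profiles the unpadded and the round-to-32 streams are read back perfectly, while constant-size frames drop the observer to guessing at roughly twice the bandwidth; in real deployments the accuracy/overhead curve has to be measured against the actual codec.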
