[Cryptography] Really good ideas, harsh reality, tailored covertraffic

Peter Fairbrother peter at tsto.co.uk
Thu Sep 3 17:38:08 EDT 2020 

On 03/09/2020 20:36, Dan McDonald wrote:
> On Thu, Sep 03, 2020 at 10:00:16AM -0400, Paul Wouters wrote:
>> https://tools.ietf.org/html/draft-ietf-ipsecme-iptfs-01
>>
>>     This document describes a mechanism to enhance IPsec traffic flow
>>     security by adding traffic flow confidentiality to encrypted IP
>>     encapsulated traffic.  Traffic flow confidentiality is provided by
>>     obscuring the size and frequency of IP traffic using a fixed-sized,
>>     constant-send-rate IPsec tunnel.  The solution allows for congestion
>>     control as well.

Haven't read it in detail, IETF draft language gives me a headache, but 
it looks a bit like the US-USSR hotline - when it wasn't in use random 
traffic was sent so an observer couldn't tell whether the traffic was 
random-looking-encrypted-real or just random. The rate of traffic 
was/is? constant.

> It looks like an attempt to reduce bandwidth waste.  

If (it is not clear) you are referring to tailored covertraffic, that is 
more effective in reducing total traffic.

To reduce total traffic the tailoring is done in such a way that the 
covertraffic has a rate distribution and/or other characteristics 
similar to the real traffic - so instead of just the real traffic 
looking suspicious, all the traffic looks suspicious.

However it is not (necessarily) done at a constant rate.

There are some caveats and notes - the only way to be 100% sure that 
traffic is concealed is to use a constant rate. However if 100% 
confidentiality is not required then tailored covertraffic can reduce 
traffic costs.

In the original application, a steganographic filing system, you can 
under duress (eg a warrant) give up some real traffic, and an observer 
can't say you haven't given up all the real traffic.

Probably doesn't work if the duress is torture, but against "beyond 
reasonable doubt" it should work.

One thing I worry about,
> if IP packets can span multiple tunnel IP packets, won't end-to-end
> performance suffer under even mild drop rates?

This can be overcome by splitting the traffic into m-of-n blocks, where 
the real traffic is split into n blocks using a block erasure code, and 
any m (<n) blocks can reconstruct the original.

Not perfect, you still need a resend mechanism, but it takes more than 
one dropout for a resend to be required. You can also tailor it to the 
dropout rate by changing n.


Peter Fairbrother

More information about the cryptography mailing list