Performance Analysis of Real Traffic Carried with Encrypted Cover Flows - PowerPoint PPT Presentation

1 / 23

About This Presentation

Title:

Performance Analysis of Real Traffic Carried with Encrypted Cover Flows

Description:

Performance Analysis of Real Traffic Carried with Encrypted Cover Flows – PowerPoint PPT presentation

Number of Views:47

Avg rating:3.0/5.0

Slides: 24

Provided by: csU70

Category:

more less

Transcript and Presenter's Notes

Title: Performance Analysis of Real Traffic Carried with Encrypted Cover Flows

1
Performance Analysis of Real Traffic Carried with
Encrypted Cover Flows
4 June 2008

Nabil Schear
David M. Nicol
University of Illinois at Urbana-Champaign
Department of Computer Science
Information Trust Institute

2
Network Session Encryption

SSL, IPsec widespread use
Provide strong confidentiality through encryption
I depend on SSL dailyso probably do you!
But, session encryption does not mask packet
sizes and timing
For performance reasons
Privacy can be breached by traffic analysis
attacks

3
Traffic Analysis Example Attack
Port 443 Small message Request!
Attackers Vantage Point
On-line Bank
GET /request? myacccount. Transfer.html HTTP/1.1
Encrypt
29874ABA.XM.FJ DFALAPDJFA.MF 2304AODJHFA0U _at_)(KJ
FAKDJA
29874ABA.XM.FJ DFALAPDJFA.MF 2304AODJHFA0U _at_)(KJ
FAKDJA
Decrypt
Your Computer
29874ABA.XM.FJ DFALAPDJFA.MF 2304AODJHFA0U _at_)(KJ
FAKDJA 29874ABA.XM.FJ DFALAPDJFA.MF 23(KJFAKDJ
A 29874ABA.XM.FJ DFALAPDJFA.MF 2304AODJHFA0U _at_)(
KJFAKDJA
Encrypt
Requested money Transfer for the Amount of
3000 Do you wish to Accept?
Decrypt
Your Transfer Request Page
29874ABA.XM.FJ DFALAPDJFA.MF 2304AODJHFA0U _at_)(KJ
FAKDJA 29874ABA.XM.FJ DFALAPDJFA.MF 23(KJFAKDJ
A 29874ABA.XM.FJ DFALAPDJFA.MF 2304AODJHFA0U _at_)(
KJFAKDJA
Response of length 14328 bytes Fund Transfer Page!
4
Traffic Analysis Example Attack
Port 443 Small message Request!
Attackers Vantage Point
On-line Bank
GET /request? myacccount. Transfer.html HTTP/1.1
Encrypt
29874ABA.XM.FJ DFALAPDJFA.MF 2304AODJHFA0U _at_)(KJ
FAKDJA
29874ABA.XM.FJ DFALAPDJFA.MF 2304AODJHFA0U _at_)(KJ
FAKDJA
Decrypt
Your Computer
29874ABA.XM.FJ DFALAPDJFA.MF 2304AODJHFA0U _at_)(KJ
FAKDJA 29874ABA.XM.FJ DFALAPDJFA.MF 23(KJFAKDJ
A 29874ABA.XM.FJ DFALAPDJFA.MF 2304AODJHFA0U _at_)(
KJFAKDJA
Encrypt
Requested money Transfer for the Amount of
3000 Do you wish to Accept?
Decrypt
Your Transfer Request Page
29874ABA.XM.FJ DFALAPDJFA.MF 2304AODJHFA0U _at_)(KJ
FAKDJA 29874ABA.XM.FJ DFALAPDJFA.MF 23(KJFAKDJ
A 29874ABA.XM.FJ DFALAPDJFA.MF 2304AODJHFA0U _at_)(
KJFAKDJA

Attacker saw no content
BUT still knows what you did

Response of length 14328 bytes Fund Transfer Page!
5
Our Approach Mimicry

Tunneling over independent cover traffic
Independent packet size and timing
Attacker cant tell which packets have data and
which are cover because of encryption
Use model to generate plausible cover traffic
Who needs this?
Spies, dissidents, whistle blowers, privacy
advocates

6
Performance Analysis

Explore the properties of our technique with
simulation and analytic modeling
Questions
Impact on user experience delay and throughput?
Overhead over standard transmission?
Is this feasible with disparate traffic patterns?
Can we assess these impacts by using data-driven
models of tunnel-free network behavior, and
analytic models of tunneling?

7
Outline

Simulation
Results
Analytic Model
Evaluating delay and model validation
Slowdown
Stability
Future work and conclusions

8
Simulation Design

Use Flows model the system with request/response
pairs (TCP)
Cover traffic runs continuously with delay
between flows
Real traffic starts some time into simulation
Consumes as much space in cover messages as is
available
May have to wait for multiple cover sessions

9
SSFNet Implementation

Measured native https data suggests 4 traffic
classes
Request
Text
Graphics
Heavy
Built SSFNet model of real over cover flows based
on real prototype implementation
Request size (both flows) sampled same
distribution
Separate traffic type distribution assigned
cover, real

server
10
Results

Notable trends
Real text decreases with cover intensity
Others increase with cover intensity
Throughput degradation runs 65 - 85

11
Analytic Model

Using what we learned from simulation, what can
we discover with a model?
Validation
Compare against simulation data
Slowdown
Ratio of time to deliver tunneled real traffic
vs. native real traffic delivery
Stability
Whether cover traffic keep up with real traffic

12
Modeling Cover Sessions

Simplify imagine only response sessions
Cover traffic behavior in time is on-off renewal

13
Modeling Cover Sessions

Simplify imagine only response sessions
Cover traffic behavior in time is on-off renewal

14
Modeling Cover Sessions

Simplify imagine only response sessions
Cover traffic behavior in time is on-off renewal

on
on
off
on
off
off
time
15
Modeling Cover Sessions

Simplify imagine only response sessions
Cover traffic behavior in time is on-off renewal

on
on
off
on
off
off
time
Random on time is scaled geometric,
mean Renewal theory gives us Prstate is on
Eon / (EonEoff)
16
Modeling Real Sessions

Real sessions model users
Assume think time then interaction
Wait for interaction to complete

real session
off
off
time
17
Modeling Real Sessions
on
on
real session
time
cover session
Multiple Components to the on time 1. time
spent tunneling 2. real traffic arrives between
cover sessions 3. real traffic overruns cover
session Both 2 and 3 have to wait for new
session
18
Validation

Predictions of model validated against data
gathered from simulator
Values of estimated from
data
Important to understand that per kilobyte
transfer costs depend on session
lengths, background traffic---and are independent
of tunneling
Can be obtained from
Network trace data
Detailed network simulation
Key thing is that these parameters dont depend
on tunnelingbut can be used to explain tunneling

19
Validation Results