new ranonymize() tool
Peter Van Epp
vanepp at sfu.ca
Thu Oct 10 16:16:28 EDT 2002
Without (yet) having looked at Carter's new tool here are some thoughts
on this subject from a discussion some months ago about putting Argus up
locally and being able to release the traffic traces for network researchers.
Note in this case we want to keep at least destination port numbers to allow
researchers to determine what kind of traffic it was and keep the time
syncronization (possibly offset by a constant amount to obscure it slightly).
A later look over the CAIDA web site indicates they don't have a solution
either, the anomymiser they use is fairly simple and doesn't appear to address
the issues raised below.
A fly in the anonymous ointment. Unfortunatly I thought about the
issue of anonymizing trace data on the way back to the hill. It is essentially
cryptography (we want to encryt the data but not decrypt it) which is
unfortunatly trivially subject to a chosen plaintext attack which will defeat
the encryption (and thus the anonymity).
If we postulate the following users: I (innocent victem) A (scumbag
attacker) and sites AS (attacker's site) IS (innocent victem's site) P1 (porno
site 1) and p2 (porno site 2) then look at the possibilities in anonymized
trace data we find a problem. Assume we have anonymized both IP addresses by
random translation and shifted time by a fixed amount to try and defeat traffic
pattern analysis as we discussed this morning. Unfortunatly since we are on a
public network, if we assume the attacker can identify the victem and determine
the IP address the victem is using then our entire scheme can be defeated as
follows:
A pings (logging the current time on machine AS) the victem's machine IS,
P1, and P2. He may need to ping in an unusual pattern to make the pattern
stand out in that anonymized logfile. Now the attacker obtains the anonymized
trace file for the time period described above. By sorting all the data by
source and dest IP address he can pick out the ping pattern that he initiated
above. He knows his IP address (and now what his IP address has translated in
to in the anonymous trace, no net gain here). Unfortunatly by the first ping
made by his machine (who's anonymous ID he now knows) he has identified the
anonymized IP address of the victem's machine IS. The next 2 pings give him
the anonymized IP addresses of porn sites p1 and p2. Now a search of the trace
file for anonymized IS for connections to anonymized p1 and p2 will tell the
attacker if the victem IP address has accessed the porn sites which is what we
are trying to prevent. On the way by (given the time stamps in our trace file
and the real time from his local log) he has also extracted the fixed time
offset we used and can trivially convert the trace file back to real time.
I'm not sure thats deadly, but it does make the time shift idea not really
useful for defeating traffic analysis attacks.
This may make an interesting problem for a grad student interested in
crypto since there may be a solution (although I have a sneaking suspicion
because of the uncontrolled nature of the public net there isn't ...). We
should also ask the CIADA folks how they deal with this problem in their traces
(or if indeed they have thought of this issue, although I hope they have). We
do need to make the risk clear to the bosses that have to approve this being
done. I'm pretty sure Worth was assuming that I meant that the data would be
anonymous (which I just demonstrated it isn't) when he said he thought he
could get permission to release our traces. In the end all it may mean is that
we have to restrict distribution of trace files more than we would like (i.e.
researchers in I2 and elsewhere may not be deemed safe enough ...).
Happy paranoia day :-)
Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada
More information about the argus
mailing list