metadata protection considerations for tls present and
play

Metadata Protection Considerations for TLS Present and Future Bryan - PowerPoint PPT Presentation

Feb 23, 2023 •163 likes •612 views

Metadata Protection Considerations for TLS Present and Future Bryan Ford Swiss Federal Institute of Technology (EPFL) Lausanne, Switzerland TRON Workshop February 21, 2016 Outline T h r e a t M o d e l s : W h o i s t h e A t t a c k e

  1. Metadata Protection Considerations for TLS Present and Future Bryan Ford Swiss Federal Institute of Technology (EPFL) Lausanne, Switzerland TRON Workshop – February 21, 2016

  2. Outline ● T h r e a t M o d e l s : W h o i s t h e A t t a c k e r ? ● The Many Levels of Metadata Leakage ● Potential Countermeasures for TLS – P a d d i n g a n d R e c o r d B o u n d a r y H i d i n g – Encryption of Handshaking Metadata – Padding considerations for TLS implementations ● Conclusion

  3. Threat Models Philosophy: A v o i d S e c u r i t y N i h i l i s m Must consider both “strong” and “weak” attackers ● Yes we should do what we can against the strong, all-seeing attacker ● But weaker, more limited attackers are probably far more numerous on the real Internet Just because protection measure X doesn't stop all-powerful attacker doesn't mean X is useless!

  4. Particular Threat Models of Interest ● Passive Eavesdropper (EVE): can monitor traffic but not inject packets. Ex: router taps ● Man-On-The-Side (MOTS): can monitor and inject but not block packets. Ex: WiFi snooper ● Man-In-The-Middle (MITM): can monitor, inject, and block legit packets. Ex: router ● Man-On-The-Inside (MOTI): can exert some control over c o n t e n t of encrypted traffic. Ex: via malicious JavaScript (CRIME attack)

  5. What Does the Attacker Want? Many possible objectives, e.g., ● What website(s) or page(s) is this user visiting? – Bank? How many digits in balance? ● What user(s) are visiting this site? – Are these TLS flows from same or different users? ● What software, version(s) are endpoints using? – Pinpoint a version with a known bug we can exploit ● Tor de-anonymization via end-to-end correlation – Is flow X “going in” same as flow Y “going out”?

  6. Outline ● Threat Models: Who is the Attacker? ● The Many Levels of Metadata Leakage ● Potential Countermeasures for TLS – Padding and Record Boundary Hiding – Encryption of Handshaking Metadata – Padding considerations for TLS implementations ● Conclusion

  7. Sample of Relevant Background Website fingerprinting: e.g., ● Dyer et al, “Peek-a-Boo, I Still See You: Why Efficient Traffic Analysis Countermeasures Fail”, IEEE Security/Privacy 2012 ● Cai et al, “Touching from a distance: Website fingerprinting attacks and defenses”, CCS '12 ● Wang et al, “Effective attacks and provable defenses for website fingerprinting”, Sec '14 (and many others)

  8. Many Levels of Metadata Leakage Leakage Level Who Can Mitigate? ● Net activity bursts ● TLS impl, application ● Directional patterns ● TLS implementation ● TLS nego metadata ● TLS spec , impl ● TLS record metadata ● TLS spec , impl ● TCP metadata ● TLS impl, TCP stack ● Endpoints (IP, etc) ● WiFi, Proxy, VPN, Tor

  9. Network Activity Bursts Coarse-grained, macroscopic views of flows based on amount, timing of transmitted bytes ● Easy, efficient for eavesdropper to measure ● But results likely to be noisy, error-prone Web browsing over TLS: (click) (load) (idle) (click) (load) (idle) Audio stream over TLS: Video stream TLS:

  10. Directional flow & timing patterns Attacker can use fine-grain upstream/downstream patterns within each burst of activity ● Much richer, more detailed, less error (click) (load) (idle) (click) (load) (idle) (GET .html) (GET logo.png) (GET foo.jpg) (GET bar.js) (.html) (logo.png) (foo.jpg) (bar.js)

  11. Exposed TLS Negotiation Metadata Attacker can learn a lot just from the unencrypted negotiation metadata at beginning of TLS session ● Cyphersuites & groups supported, selected ● Server Name Indication (SNI) ● Reused “ephemeral” keys (link sessions) Even “innocent” variation (e.g., ordering of fields) helps attacker fingerprint TLS impls, versions ● Useful for selective blocking, focusing attacks unencrypted unencrypted ClientHello Cert, Finished Record ServerHello, Cert, … Record Record

  12. Exposed TLS Record Metadata Unencrypted 5-byte headers “give away” exact lengths, boundaries of each TLS record 5-byte 5-byte IV Encrypted Payload MAC IV Encrypted Payload MAC header header Application write() boundaries often translate to readily-visible TLS record boundaries How important is this leak? ● Depends on how application protocol uses TLS

  13. Example: HTTP/1.1 vs HTTP/2.0 HTTP/1.1 without pipelining or fixed-rate padding: ● Individual HTTP request size/pattern visible either via TLS records or via TCP-level bursts GET GET GET logo.png foo.js(1) foo.js(2) bar.jpg HTTP/2.0 with pipelining & multi-streaming: ● Concurrent bursts could obscure individual requests... ● Except that TLS record metadata still reveals them GET GET GET logo.png foo.js(1) bar.jpg foo.js(2)

  14. TCP Segment Metadata TCP segment boundaries may reveal TLS records ● If TLS write() translates to immediate TCP push TLS ... TCP ... MTU <MTU <MTU MTU <MTU But also may not , as kernel forms MTU-len segs: ● Flow is congestion-limited, TX buffer nonempty ● If TCP_CORK or MSG_MORE options used TLS ... TCP ... MTU MTU MTU MTU MTU

  15. IP and Lower-Level Metadata IP addresses, MAC addresses, HW fingerprints Can be (partially) addressed via: ● WiFi encryption (if attacker isn’t on same net) ● MAC address randomization ● HTTP proxies ● Corporate VPNs ● Tor Not TLS’s problem, or for TLS to solve.

  16. Outline ● Threat Models: Who is the Attacker? ● The Many Levels of Metadata Leakage ● Potential Countermeasures for TLS – Padding and Record Boundary Hiding – Encryption of Handshaking Metadata – Padding considerations for TLS implementations ● Conclusion

  17. Measures for TLS Implementations Many countermeasures could be implemented without affecting basic TLS protocol spec ● Padding traffic to fixed-rate or maximum-rate ● Padding activity bursts until next idle period ● TCP segment MTU-size normalization Recommendation: develop, standardize separate, follow-on “best practices” document for traffic analysis protection in TLS implementations

  18. Example Padding Policies 1. Pad to fixed-rate or congestion-limited rate ● Effective but probably too costly for most users ● May be practical client↔proxy or client↔VPN, but not client↔all-domains-a-page-depends-on (click) (load) (idle) (click) (load) (idle)

  19. Example Padding Policies 2. Pad traffic only during “activity bursts” ● Costs probably more tolerable to many users ● But total size/length metrics can still leak info (click) (load) (idle) (click) (load) (idle) (GET .html) (GET logo.png) (GET foo.jpg) (GET bar.js) (.html) (logo.png) (foo.jpg) (bar.js)

  20. Example Padding Policies 3. No special/costly padding measures ● Many users won’t know or care enough to “pay” almost anything for padding ● Many TLS implementations won’t implement Can we still get some traffic analysis protection at low/no cost? (Repeat: avoid security nihilism!)

  21. Example Padding Policies Can we still get some traffic analysis protection at low/no cost? (Repeat: avoid security nihilism!) Yes: HTTP/2.0 will help, if TLS doesn’t undermine ● Traffic analysis gets a lot harder/noisier if hard to distinguish individal requests/replies GET GET GET logo.png foo.js(1) bar.jpg foo.js(2)

  22. Measures for TLS Specification Two relevant potential countermeasures ● Hide record boundaries ● Hide handshake metadata Ideal: “ encrypt everything” ● All parts of stream look uniformly random to any eavesdropper without relevant keys Too ambitious for TLS 1.3, but baby steps...

  23. Outline ● Threat Models: Who is the Attacker? ● The Many Levels of Metadata Leakage ● Potential Countermeasures for TLS – P a d d i n g a n d R e c o r d B o u n d a r y H i d i n g – Encryption of Handshaking Metadata – Padding considerations for TLS implementations ● Conclusion

  24. Hiding TLS Record Boundaries? Feasible for TLS to hide its record boundaries? ● Leave nothing unencrypted after handshake Main challenge: how receiver finds record length? ● Normally the only “important” part of header ● Need to separately/specially encrypt length? Simpler alternative approach described in TLS mail list messages Dec 1 and Dec 12

  25. TLS Record Format Evolution TLS 1.2 Record 5-byte IV Encrypted Record Payload MAC header Encrypted Content Type (1B) TLS 1.3 Record (Current) 5-byte header Nonce AEAD-Encrypted Record Payload Padding MAC Encrypted Next Record Content Length (1-2B) Type (1B) TLS 1.3 Record (Proposed) header optional Nonce AEAD-Encrypted Record Payload Padding MAC

  26. Optional Headers in TLS 1.3 Proposed header rules: ● First record always has usual 5-byte header ● If Next Record Length field == 0, following record also has usual 5-byte header ● If Next Record Length field != 0, following record has indicated length, no header Upshot: sender gets to omit next record’s header, but must decide next record’s length in advance

  27. Design Advantages ● Minimal new receiver logic (1 state variable) ● Sender logic optional (can just set NextRec = 0) ● Sender logic trivial using fixed-length records ● Replace N L-byte records w/ N × L-byte record – Reduce per-record compute, bandwidth costs ● Can disable if middleboxes really want headers ● Can save 3-4 bytes per record, FWIW

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

DUNE Data Model Meeting: Metadata Metadata Needs And Considerations Steven Timm The following

DUNE Data Model Meeting: Metadata Metadata Needs And Considerations Steven Timm The following

DUNE Data Model Meeting: Metadata Metadata Needs And Considerations Steven Timm The following are design concerns for whatever new metadata system is written or adopted. They are written from the point of view of data management operations and

166 views • 4 slides
Considerations for Patent Protection of IT and Telecommunications Inventions Global IP Convention

Considerations for Patent Protection of IT and Telecommunications Inventions Global IP Convention

Considerations for Patent Protection of IT and Telecommunications Inventions Global IP Convention 2011 Susan Perng Pan span@sughrue.com April 28-30, 2011 Reasons for patenting market protection i4i v. Microsoft (93 USPQ2d 1943, Fed. Cir.

612 views • 24 slides
Geodemographics in a digital age: Ethical and data protection considerations CGG Seminar 2 nd

Geodemographics in a digital age: Ethical and data protection considerations CGG Seminar 2 nd

Geodemographics in a digital age: Ethical and data protection considerations CGG Seminar 2 nd May 2017 Dr. Michelle Goddard Director of Policy &amp; Standards Complicated matrix of ethical and legal data protection requirements ePrivacy

103 views • 6 slides
MPRESS MPRESS and the role of and the role of MetaData in Math in Math- -Net Net MetaData y

MPRESS MPRESS and the role of and the role of MetaData in Math in Math- -Net Net MetaData y

MPRESS MPRESS and the role of and the role of MetaData in Math in Math- -Net Net MetaData y Roland Schwnzl y roland@mathematik.uni-osnabrueck.de Content Content y MPRESS - history/present y Organizational Structure of Math-Net y Services

355 views • 32 slides
m e t a d a t a how much of a difference does metadata really make to your bottom line?

m e t a d a t a how much of a difference does metadata really make to your bottom line?

it might be the giant in the room, but it doesnt ha ve t o be scary l e t s t a l k a b o u t What is metadata? What differentiates great metadata from merely good? Do you really need to worry about it? As a publisher, m

253 views • 6 slides
Planning and Asset Protection Considerations Best Practices for Structure, Implementation and

Planning and Asset Protection Considerations Best Practices for Structure, Implementation and

Presenting a 90-Minute Encore Presentation of the Teleconference with Live, Interactive Q&amp;A Captive Insurance Companies: Business, Estate Planning and Asset Protection Considerations Best Practices for Structure, Implementation and Choice of

731 views • 69 slides
Why are human rights considerations fundamental to social protection responses to COVID-19? Photo

Why are human rights considerations fundamental to social protection responses to COVID-19? Photo

Welcome to the webinar Why are human rights considerations fundamental to social protection responses to COVID-19? Photo by Ursula Spaulding on Unsplash Social protection responses to #COVID19 This joint effort is inspired by colleagues and

790 views • 51 slides
From SDTM to displays, through ADaM &amp; Analyses Results Metadata, a flight on board METADATA

From SDTM to displays, through ADaM &amp; Analyses Results Metadata, a flight on board METADATA

From SDTM to displays, through ADaM &amp; Analyses Results Metadata, a flight on board METADATA Airlines Omar SEFIANI - Stphane BOUGET, Boehringer Ingelheim DH13, PhUSE Barcelona 2016, October, 12 th Outline Background Metadata Driven

683 views • 19 slides
Metadata In ArcGIS 10.0 Jason Cupp Whats New In ArcGIS 10.0 New Metadata Editor for

Metadata In ArcGIS 10.0 Jason Cupp Whats New In ArcGIS 10.0 New Metadata Editor for

Esri International User Conference | San Diego, CA Technical Workshops | 2011-07-12 Metadata In ArcGIS 10.0 Jason Cupp Whats New In ArcGIS 10.0 New Metadata Editor for Multiple Standards New Tools and Workflows Metadata Editor

332 views • 22 slides
UNSD metadata template / SDMX Metadata Structure Definition Elena De Jess, UNSD Standardized

UNSD metadata template / SDMX Metadata Structure Definition Elena De Jess, UNSD Standardized

UNSD metadata template / SDMX Metadata Structure Definition Elena De Jess, UNSD Standardized metadata improves usability and comparability Metadata (and data) that follow specific standardized patterns: are easier for users to interpret

991 views • 19 slides
Captive Insurance Companies: Business, Estate Planning and Asset Protection Considerations Best

Captive Insurance Companies: Business, Estate Planning and Asset Protection Considerations Best

Presenting a live 90-minute webinar with interactive Q&amp;A Captive Insurance Companies: Business, Estate Planning and Asset Protection Considerations Best Practices for Structure, Implementation and Choice of Domicile Through Industry-Specific

704 views • 69 slides
Considerations for the Hybrid Use of Trade Secret and Patent Protection of Green Technology 26 th

Considerations for the Hybrid Use of Trade Secret and Patent Protection of Green Technology 26 th

Considerations for the Hybrid Use of Trade Secret and Patent Protection of Green Technology 26 th Annual Intellectual Property Law Conference American Bar Association Section of Intellectual Property Law Susan Perng Pan span@sughrue.com April

640 views • 24 slides
Closing the Protection Gap Issues and Initiatives Joaquim Levy Closing the Protection Gap

Closing the Protection Gap Issues and Initiatives Joaquim Levy Closing the Protection Gap

Closing the Protection Gap Issues and Initiatives Joaquim Levy Closing the Protection Gap Be mindful of the future despite the blissful ignorance of the present. Today is the good old times of tomorrow. Karl Valentin (German

561 views • 14 slides
Expanding Metadata Reuse with an Islandora Metadata Extraction Utility Serhiy Polyakov and

Expanding Metadata Reuse with an Islandora Metadata Extraction Utility Serhiy Polyakov and

Expanding Metadata Reuse with an Islandora Metadata Extraction Utility Serhiy Polyakov and William E. Moen University of North Texas International conference Open Repositories 2013 Charlottetown, Prince Edward Island, Canada Paper presented at

474 views • 25 slides
Fair Lending Considerations Outlook Live Webinar August 6, 2013 Consumer Financial Protection

Fair Lending Considerations Outlook Live Webinar August 6, 2013 Consumer Financial Protection

Indirect Auto Lending Fair Lending Considerations Outlook Live Webinar August 6, 2013 Consumer Financial Protection Bureau Federal Reserve Board U.S. Department of Justice Visit us at www.consumercomplianceoutlook.org 1 Overview

424 views • 30 slides
The Practice of Metadata The hows and whys of metadata at USGS U.S. Department of the

The Practice of Metadata The hows and whys of metadata at USGS U.S. Department of the

The Practice of Metadata The hows and whys of metadata at USGS U.S. Department of the Interior U.S. Geological Survey Presenter Viv Hutchison USGS Core Science Systems / Core Science Analytics and Synthesis (CSAS) Program Denver,

639 views • 44 slides
Is Isle le of Man Tourism In Industry ry Day 2019 Travel tr trends for th the over 50s

Is Isle le of Man Tourism In Industry ry Day 2019 Travel tr trends for th the over 50s

Is Isle le of Man Tourism In Industry ry Day 2019 Travel tr trends for th the over 50s What is is Sil ilver Travel Advisor? Website, 150,000 newsletters, 100,000 members independent magazine, + 43,000 reviews, tips, and Silver

643 views • 39 slides
Safe Harbor 401(k) Plans With Robert M. Kaplan, CFP, CPC, QPA, APA AGENDA The Basics

Safe Harbor 401(k) Plans With Robert M. Kaplan, CFP, CPC, QPA, APA AGENDA The Basics

7/17/2014 Safe Harbor 401(k) Plans With Robert M. Kaplan, CFP, CPC, QPA, APA AGENDA The Basics Getting Started Documentation and Disclosure Creative Plan Design The QACA Watch outs Distribution Issues Its Over

722 views • 29 slides
Fatigue Tensile/Lap shear TG &amp; Fibre volume Compression Microsection

Fatigue Tensile/Lap shear TG &amp; Fibre volume Compression Microsection

Fatigue Tensile/Lap shear TG &amp; Fibre volume Compression Microsection Analysis In-Plane shear &amp; V-Notch shear Inter-laminar shear &amp; Flexure Environmental testing Specimen Preparation Bearing testing

585 views • 19 slides
Compressive sensing principles and iterative sparse recovery for inverse and ill-posed problems

Compressive sensing principles and iterative sparse recovery for inverse and ill-posed problems

Compressive sensing principles and iterative sparse recovery for inverse and ill-posed problems Evelyn Herrholz Gerd Teschke November 9, 2010 Abstract In this paper we shall be concerned with compressive sampling strategies and sparse

417 views • 30 slides
1 2 In the 2009 MUTCD, FYA was formally approved as the recommended configuration for

1 2 In the 2009 MUTCD, FYA was formally approved as the recommended configuration for

1 2 In the 2009 MUTCD, FYA was formally approved as the recommended configuration for protected/permissive and permissive left turn displays. Per Section 4D.13, circular green indications for permissive left turns should not be located over or in

572 views • 27 slides
The changing world of work Developing enterprise skills in young people The New Work Order

The changing world of work Developing enterprise skills in young people The New Work Order

The changing world of work Developing enterprise skills in young people The New Work Order Foundation for Young Australians Our young people today More than likely to report doing acts of kindness than their parents 62% 4.3m feel

604 views • 31 slides
Refmecting on the First Year of Refmecting on the First Year of Implementation of an

Refmecting on the First Year of Refmecting on the First Year of Implementation of an

Refmecting on the First Year of Refmecting on the First Year of Implementation of an Institution-wide Implementation of an Institution-wide First- Year Academy Initiative First- Year Academy Initiative Highlights and Challenges

642 views • 28 slides
DRIVER BEHAVIOR IN THE PRESENCE OF PEDESTRIANS AT SIGNALIZED INTERSECTIONS OPERATING THE FLASHING

DRIVER BEHAVIOR IN THE PRESENCE OF PEDESTRIANS AT SIGNALIZED INTERSECTIONS OPERATING THE FLASHING

DRIVER BEHAVIOR IN THE PRESENCE OF PEDESTRIANS AT SIGNALIZED INTERSECTIONS OPERATING THE FLASHING YELLOW ARROW Oregon ITE Technical Workshop Portland, Oregon February 4, 2013 Presenters: David Hurwitz, Assistant Professor, OSU Chris Monsere,

769 views • 25 slides

More recommend