Confidentiality in the Face of Pervasive Surveillance: A Threat Model and Problem Statement
RFC 7624
Internet Architecture Board (IAB)                              R. Barnes
Request for Comments: 7624                                   B. Schneier
Category: Informational                                      C. Jennings
ISSN: 2070-1721                                                T. Hardie
                                                             B. Trammell
                                                              C. Huitema
                                                             D. Borkmann
                                                             August 2015
Abstract
Since the initial revelations of pervasive surveillance in 2013,
several classes of attacks on Internet communications have been
discovered. In this document, we develop a threat model that
describes these attacks on Internet confidentiality. We assume an
attacker that is interested in undetected, indiscriminate
eavesdropping. The threat model is based on published, verified
attacks.
Status of This Memo
This document is not an Internet Standards Track specification; it is
published for informational purposes.
This document is a product of the Internet Architecture Board (IAB)
and represents information that the IAB has deemed valuable to
provide for permanent record. It represents the consensus of the
Internet Architecture Board (IAB). Documents approved for
publication by the IAB are not a candidate for any level of Internet
Standard; see Section 2 of RFC 5741.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc7624.
Barnes, et al. Informational [Page 1]
RFC 7624 Confidentiality Threat Model August 2015
Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document.
Table of Contents
1. Introduction
2. Terminology
3. An Idealized Passive Pervasive Attacker
  3.1. Information Subject to Direct Observation
  3.2. Information Useful for Inference
  3.3. An Illustration of an Ideal Passive Pervasive Attack
    3.3.1. Analysis of IP Headers
    3.3.2. Correlation of IP Addresses to User Identities
    3.3.3. Monitoring Messaging Clients for IP Address Correlation
    3.3.4. Retrieving IP Addresses from Mail Headers
    3.3.5. Tracking Address Usage with Web Cookies
    3.3.6. Graph-Based Approaches to Address Correlation
    3.3.7. Tracking of Link-Layer Identifiers
4. Reported Instances of Large-Scale Attacks
5. Threat Model
  5.1. Attacker Capabilities
  5.2. Attacker Costs
6. Security Considerations
7. References
  7.1. Normative References
  7.2. Informative References
IAB Members at the Time of Approval
Acknowledgements
Authors' Addresses
1. Introduction
Starting in June 2013, documents released to the press by Edward
Snowden have revealed several operations undertaken by intelligence
agencies to exploit Internet communications for intelligence
purposes. These attacks were largely based on protocol
vulnerabilities that were already known to exist. The attacks were
nonetheless striking in their pervasive nature, in terms of both the
volume of Internet traffic targeted and the diversity of attack
techniques employed.
To ensure that the Internet can be trusted by users, it is necessary