Confidentiality in the Face of Pervasive Surveillance: A Threat Model and Problem Statement
RFC 7624
Document Type RFC - Informational (August 2015; No errata)
Last updated 2015-08-20
Stream IAB
Formats plain text html pdf htmlized bibtex
Stream IAB state Published RFC
Consensus Boilerplate Unknown
RFC Editor Note (None)
Email authors IPR References Referenced by Nits 
Internet Architecture Board (IAB)                              R. Barnes
Request for Comments: 7624                                   B. Schneier
Category: Informational                                      C. Jennings
ISSN: 2070-1721                                                T. Hardie
                                                             B. Trammell
                                                              C. Huitema
                                                             D. Borkmann
                                                             August 2015

         Confidentiality in the Face of Pervasive Surveillance:
                  A Threat Model and Problem Statement

Abstract

   Since the initial revelations of pervasive surveillance in 2013,
   several classes of attacks on Internet communications have been
   discovered.  In this document, we develop a threat model that
   describes these attacks on Internet confidentiality.  We assume an
   attacker that is interested in undetected, indiscriminate
   eavesdropping.  The threat model is based on published, verified
   attacks.

Status of This Memo

   This document is not an Internet Standards Track specification; it is
   published for informational purposes.

   This document is a product of the Internet Architecture Board (IAB)
   and represents information that the IAB has deemed valuable to
   provide for permanent record.  It represents the consensus of the
   Internet Architecture Board (IAB).  Documents approved for
   publication by the IAB are not a candidate for any level of Internet
   Standard; see Section 2 of RFC 5741.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   http://www.rfc-editor.org/info/rfc7624.

Barnes, et al.                Informational                     [Page 1]
RFC 7624              Confidentiality Threat Model           August 2015

Copyright Notice

   Copyright (c) 2015 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   3
   3.  An Idealized Passive Pervasive Attacker . . . . . . . . . . .   5
     3.1.  Information Subject to Direct Observation . . . . . . . .   6
     3.2.  Information Useful for Inference  . . . . . . . . . . . .   6
     3.3.  An Illustration of an Ideal Passive Pervasive Attack  . .   7
       3.3.1.  Analysis of IP Headers  . . . . . . . . . . . . . . .   7
       3.3.2.  Correlation of IP Addresses to User Identities  . . .   8
       3.3.3.  Monitoring Messaging Clients for IP Address
               Correlation . . . . . . . . . . . . . . . . . . . . .   9
       3.3.4.  Retrieving IP Addresses from Mail Headers . . . . . .   9
       3.3.5.  Tracking Address Usage with Web Cookies . . . . . . .  10
       3.3.6.  Graph-Based Approaches to Address Correlation . . . .  10
       3.3.7.  Tracking of Link-Layer Identifiers  . . . . . . . . .  10
   4.  Reported Instances of Large-Scale Attacks . . . . . . . . . .  11
   5.  Threat Model  . . . . . . . . . . . . . . . . . . . . . . . .  13
     5.1.  Attacker Capabilities . . . . . . . . . . . . . . . . . .  14
     5.2.  Attacker Costs  . . . . . . . . . . . . . . . . . . . . .  17
   6.  Security Considerations . . . . . . . . . . . . . . . . . . .  19
   7.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  20
     7.1.  Normative References  . . . . . . . . . . . . . . . . . .  20
     7.2.  Informative References  . . . . . . . . . . . . . . . . .  20
   IAB Members at the Time of Approval . . . . . . . . . . . . . . .  23
   Acknowledgements  . . . . . . . . . . . . . . . . . . . . . . . .  24
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  24

Barnes, et al.                Informational                     [Page 2]
RFC 7624              Confidentiality Threat Model           August 2015

1.  Introduction

   Starting in June 2013, documents released to the press by Edward
   Snowden have revealed several operations undertaken by intelligence
   agencies to exploit Internet communications for intelligence
   purposes.  These attacks were largely based on protocol
   vulnerabilities that were already known to exist.  The attacks were
   nonetheless striking in their pervasive nature, in terms of both the
   volume of Internet traffic targeted and the diversity of attack
   techniques employed.

   To ensure that the Internet can be trusted by users, it is necessary
Show full document text
RFC Editor IASA & IETF LLC IETF Trust IRTF IETF IESG IAB IANA Privacy Statement IETF Tools