Traffic analysis can help warn of terrorist attacks, but it can also be used to crack encryption, so we need to act now.
Mention traffic analysis and most people will probably think of those poor souls sat on the side of the road with clipboards and Day-Glo jackets, but in the communications security world, traffic analysis is an art in its own right.
Where communications interception normally aims for the gold standard of decrypted messages, in the real world it's often not possible to break the encryption. This means you're left with a large collection of apparently unintelligible data. But there is still information to be gained by looking at who talks to whom, and how these communications correlate with other events. For example, we often hear of “increased chatter” prior to terrorist attacks, or you might see a leap in communications between two businesses prior to a merger or major deal.
Although many histories of traffic analysis put the start point at the First World War, it goes back much further, to the days when there was a direct correlation between communications and foot traffic. This “physical” traffic analysis is still relevant today. Although stories of the relationship between the Pentagon's alert status and the volume of late-night pizza sales in Washington are probably apocryphal, it is likely that a long-range camera pointed at the Pentagon's car park would yield some idea of how busy things are.
This is just one example of non-technical traffic analysis. The study of social networks, determining the existence and structure of hidden organisations by looking at their communications, is equally valuable. Following the 9/11 attacks, analysis of the communications of the known perpetrators revealed a far wider network (see http://tinyurl.com/5bd5hf for example). Unfortunately, due to the famous “six degrees of separation” issue, such analysis can be subject to false positives, so must be interpreted with care.
Recent developments in traffic analysis have even managed to put a few chinks in the cryptographic armour surrounding internet communications. Although encryption is supposed to deny the adversary any useful information, clever analysis of the characteristics of encrypted web traffic can reveal a surprising amount.
One early example was an attack on SSH logins (http://tinyurl.com/5b4ykp). Interactive input sent via SSH, such as passwords, is sent one character at a time. There is a surprisingly close relationship between the timings of keystrokes and their location on the keyboard, and careful analysis can be used to make it much easier to get at the unencrypted data.
More recently, similar attacks have been mounted against encrypted voice communications using VoIP. Statistical analysis of the length of VoIP packets can reveal the speakers' language with an accuracy of more than 80 per cent, which is astounding.
The same techniques make it possible to deduce which protocols are in use in encrypted traffic. This is of particular interest to ISPs, who are under increasing pressure to stop or at least monitor the use of certain application protocols. Many of the peer-to-peer file sharing applications now make use of encryption to hide their traffic and prevent their connection speed being throttled. This sort of analysis may weaken such protection.
The normal military solution to traffic analysis, padding messages to ensure a constant stream of traffic regardless of the “real” communication, is not practical for the web in general. ISPs depend on people not using all their bandwidth simultaneously. If padding traffic becomes the norm, the internet will grind to a halt.
Fortunately, the clever introduction of a relatively small amount of padding, effectively “blurring” the packets, can make analysis much harder and return us to the “good old days” when the nature of encrypted traffic remained hidden. Recent measures to capture and store traffic data across the EU for “counterterrorism” will no doubt encourage the development of such protection.
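The trade-off between leakage and bandwidth described above can be put into numbers. The following is an added example, not part of the original column: it pads two sets of constructed packet lengths to a block size and reports how distinguishable the two traffic classes remain against the extra bytes sent. The sample lengths, the block sizes and the use of total variation distance as the leakage measure are assumptions made for illustration, and only packet length is modelled, not timing.

```python
from collections import Counter
from fractions import Fraction

# Constructed ciphertext lengths (bytes) for two traffic classes, standing in
# for e.g. variable-bit-rate voice frames from two different sources.
CLASS_A = [23, 25, 31, 33, 38, 41, 41, 44, 52, 57]
CLASS_B = [29, 36, 43, 46, 49, 53, 58, 60, 62, 63]


def pad_to_block(length, block):
    """Round a packet length up to the next multiple of `block` bytes."""
    return -(-length // block) * block


def tv_distance(a, b):
    """Total variation distance between two empirical length distributions.

    0 means a packet's length tells an observer nothing about its class;
    1 means a single observed length is enough to identify the class.
    """
    ca, cb = Counter(a), Counter(b)
    return sum(abs(Fraction(ca[x], len(a)) - Fraction(cb[x], len(b)))
               for x in set(ca) | set(cb)) / 2


def evaluate(block):
    """Return (leakage, bandwidth overhead) with every packet padded to `block`."""
    pa = [pad_to_block(n, block) for n in CLASS_A]
    pb = [pad_to_block(n, block) for n in CLASS_B]
    raw = sum(CLASS_A) + sum(CLASS_B)
    return tv_distance(pa, pb), Fraction(sum(pa) + sum(pb) - raw, raw)


if __name__ == "__main__":
    # block=1 is no padding; block=64 makes every packet the same size.
    for block in (1, 16, 64):
        leak, cost = evaluate(block)
        print(f"block={block:3d}  leakage={float(leak):.2f}  "
              f"overhead={float(cost):.1%}")
```

On this sample, padding to 16-byte blocks cuts the leakage from 1.0 to 0.4 for about 16 per cent more traffic, while making every packet identical removes the leak entirely at roughly 45 per cent overhead.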
Traffic analysis serves as a timely reminder that encryption should be considered as a single layer of protection, not an impenetrable shield.
Nick Barron is a security consultant. He can be contacted at firstname.lastname@example.org