On Fingerprinting Attacks and Length-Hiding Encryption

  • Conference paper
Topics in Cryptology – CT-RSA 2022 (CT-RSA 2022)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 13161)

Abstract

It is well known that the length of an encrypted message alone may reveal sensitive information about the encrypted data. Fingerprinting attacks enable an adversary to determine which web pages a user has visited, and even the language and phrases spoken in voice-over-IP conversations.

Prior research has established the general view that a length-hiding padding long enough to improve security significantly incurs an infeasibly large bandwidth overhead. We argue that this view is a consequence of the security models chosen in prior work, which are based on the classical indistinguishability of two messages, and that this does not reflect the attacker model of typical fingerprinting attacks well.

Therefore we propose a new perspective on length-hiding encryption, which aims to capture security against fingerprinting attacks more accurately. This makes it possible to concretely quantify the security provided by length-hiding padding against fingerprinting attacks, depending on the real message distribution of an application. We find that for many real-world applications (such as webservers with static content, DNS requests, Google search terms, or Wikipedia page visits) and their specific message distributions, even length-hiding padding with a relatively small bandwidth overhead of only 2–5% can already significantly improve security against fingerprinting attacks. This gives rise to a new perspective on length-hiding encryption, which helps to understand how and under what conditions length-hiding encryption can be used to improve security.

Supported by the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation programme, grant agreement 802823. We thank Hans-Jörg Bauer and Michael Simon, ZIM of University of Wuppertal, for their assistance with determining a real-world DNS host name distribution and the anonymous reviewers of CT-RSA 2022 for helpful comments.

Notes

  1. https://www.ssllabs.com/ssl-pulse/.

  2. We also considered basing this analysis on other web sites, such as Wikipedia and a user who accesses a certain Wikipedia page. However, the IACR ePrint server also enables us to easily consider a natural extension to more complex access patterns, see below.

  3. In practice the TLS protocol would be used for these three connections, where different keys are used for sending and receiving data, but we view these keys as a single symmetric key.

  4. We use this server since URLs from the IACR ePrint archive are particularly easy to parse and analyse.

  5. To make our calculation more realistic, we assume the ciphertext is split across TLS fragments with a maximum payload of \(2^{14}\) bytes per fragment, where each fragment needs an additional 22 bytes for the fragment header. The lengths of all the TLS headers are also added to the ciphertext length.

  6. As we will discuss below, we aim to extend OpenSSL to allow for length-hiding padding beyond the TLS fragment boundary, by appending further TLS fragments if necessary.

  7. For example, if we have only two messages with lengths 12 and 17, a block length of 10 would perfectly hide everything (both pad to 20), while a block length of 15 would not (they pad to 15 and 30).
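The following Python script is an added example and is not code from the paper or its evaluation tooling. It ties notes 5 and 7 to the abstract's claim that the security gained from padding depends on the application's message distribution: it pads each message of a distribution to a block multiple (note 7), charges the TLS fragment overhead of note 5 (2^14 payload bytes and 22 header bytes per fragment), and then computes both the bandwidth overhead and the success probability of an adversary who sees only the wire length and names the most probable message of that length. That Bayes-optimal success metric is a standard length-only fingerprinting measure used here as a stand-in for the paper's own definition, and the six-file static-site distribution is constructed for illustration, not data from the paper.

```python
"""Quantifying a length-only fingerprinting adversary against block padding.

Added example; this is not code from the paper. It assumes the TLS
fragment model of note 5 (at most 2**14 payload bytes per fragment, plus
22 bytes per fragment for the fragment header) and the block-padding
scheme of note 7 (pad every plaintext to the next multiple of a block
length). The success metric is the standard Bayes-optimal guess: the
adversary sees only the wire length and names the most probable message
with that length. The message distribution below is constructed for
illustration and is not data from the paper.
"""
from collections import defaultdict
from math import ceil

MAX_FRAGMENT_PAYLOAD = 2 ** 14  # note 5: maximum payload per TLS fragment
FRAGMENT_OVERHEAD = 22          # note 5: extra bytes per fragment (header)

# Constructed sample: a static web server, path -> (response length in
# bytes, probability that a request targets this path).
SAMPLE_DIST = {
    "/index.html": (2048, 0.40),
    "/about.html": (2101, 0.15),
    "/team.html":  (2210, 0.10),
    "/news.html":  (3900, 0.20),
    "/paper.pdf":  (40210, 0.10),
    "/logo.png":   (40300, 0.05),
}


def block_pad_length(msg_len: int, block: int) -> int:
    """Plaintext length after padding up to the next multiple of block (note 7).

    block=1 means no padding at all.
    """
    if block < 1 or msg_len < 0:
        raise ValueError("block must be >= 1 and msg_len >= 0")
    return ceil(msg_len / block) * block


def wire_length(padded_len: int) -> int:
    """Bytes on the wire once padded_len bytes are split into TLS fragments (note 5).

    Every fragment, including the last partial one, carries FRAGMENT_OVERHEAD
    extra bytes, so crossing a 2**14 boundary costs another 22 bytes.
    """
    fragments = max(1, ceil(padded_len / MAX_FRAGMENT_PAYLOAD))
    return padded_len + fragments * FRAGMENT_OVERHEAD


def fingerprint_success(dist: dict, block: int) -> float:
    """Probability that a length-only adversary identifies the message.

    Messages whose padded wire lengths coincide fall into one bucket; the
    adversary's best guess for a bucket is its most probable member, so the
    overall success probability is the sum of the per-bucket maxima.
    With block=1 and pairwise distinct lengths this is 1.0.
    """
    buckets = defaultdict(list)
    for length, prob in dist.values():
        buckets[wire_length(block_pad_length(length, block))].append(prob)
    return sum(max(probs) for probs in buckets.values())


def bandwidth_overhead(dist: dict, block: int) -> float:
    """Relative increase in expected wire bytes caused by the padding."""
    unpadded = sum(p * wire_length(l) for l, p in dist.values())
    padded = sum(p * wire_length(block_pad_length(l, block)) for l, p in dist.values())
    return padded / unpadded - 1.0


def evaluate(dist: dict, blocks) -> list:
    """Return (block, adversary success, overhead) for each candidate block length."""
    return [(b, fingerprint_success(dist, b), bandwidth_overhead(dist, b)) for b in blocks]


if __name__ == "__main__":
    print(f"{'block':>6} {'success':>8} {'overhead':>9}")
    for block, success, overhead in evaluate(SAMPLE_DIST, [1, 256, 1024, 4096]):
        print(f"{block:>6} {success:>8.2f} {overhead:>8.1%}")
```

On the constructed distribution, no padding leaves the adversary with success probability 1.0, 256-byte blocks cut it to 0.85 for about 1.3% extra bandwidth, and 4096-byte blocks to 0.5 for about 18%. The point is the one the abstract makes: the right block length is a property of the distribution (here the two large files and the three ~2 KB pages are what merge), so the same script run on a real server's response sizes gives a concrete trade-off rather than a worst-case bound. It models a single response length only; an adversary who also sees packet counts, directions or timing, or who observes a sequence of requests as in note 2, needs a correspondingly richer model.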


Author information

Correspondence to Kai Gellert, Tibor Jager, Lin Lyu or Tom Neuschulten.

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

Cite this paper

Gellert, K., Jager, T., Lyu, L., Neuschulten, T. (2022). On Fingerprinting Attacks and Length-Hiding Encryption. In: Galbraith, S.D. (ed.) Topics in Cryptology – CT-RSA 2022. CT-RSA 2022. Lecture Notes in Computer Science, vol 13161. Springer, Cham. https://doi.org/10.1007/978-3-030-95312-6_15


  • DOI: https://doi.org/10.1007/978-3-030-95312-6_15

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-95311-9

  • Online ISBN: 978-3-030-95312-6