Thanks for the explanation. I am focusing on your third example to check
whether I correctly understood.
The goal of the adversary is to anonymize the communication, e.g.
matching client and destination. It does so by "volunteering" a number
of guards and exits. If a communication is routed through a Guard and an
Exit controlled by the attacker (E_a and G_a), the two will collaborate.
They could obviously collaborate and try to match timings of packets,
but it is much easier to alter the end-to-end exchange between client and
destination, somehow inserting a mark at one end that can be recovered
at the other end. I assume that we have an onion setup, and that this
setup prevents G_a and M from actually seeing the packets sent and
received by the client -- but of course E_a can see them. E_a and G_a
have to find a signal that will alter the volume and timing of packets
between client and server.
With QUIC, you believe that this can be achieved by inserting a bogus
packet, which will be relayed to the other end but will be discarded
because it does not pass decryption. Intermediaries like M cannot detect
this. That packet is inserted by E_a as if it came from the destination,
at a time when the destination would normally be silent. The "absence of
the expected silence" is the signal.
3) malicious guard and exit
Client-----G_a-----M-----E_a-----Destination
In that scenario, the adversary can abuse QUIC's robustness to derive a
perfect traffic confirmation technique, as discussed above.
My current guess is that we cannot have a QUIC connection over a whole
circuit, or over a set of MASQUE proxies, that resists such an adversary
without impractical changes in the QUIC protocol. Some research would be
needed to know what combination of layers and protocols (and extensions;
e.g., datagrams) would be safe to use. I *think* QUIC on stream would be,
as long as it behaves like the TLS1.3 record layer.
The key issue there is that anybody can inject a packet and that QUIC
will drop it. With TCP, packet injection is likely to break the
connection. Breaking the connection matches one of the goals of the
adversary, as they know which connection was broken by the injection.
But breaking the connection can be observed.
The timing attack relies on the adversaries guessing that the
communication should remain silent for a particular time interval. The
first defense may be to break that guess. Either end of the QUIC
connection could also inject their own set of bogus QUIC packets at
random times. Would that be efficient?
-- Christian Huitema
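The property the message turns on, that a packet injected by a third party is silently dropped by a QUIC endpoint while the same injection against TCP breaks the connection in an observable way, modelled as an added example that is not part of the thread. The code is a toy: `protect`, `QuicLikeReceiver` and `TcpLikeReceiver` are constructed names, and a truncated HMAC-SHA256 tag stands in for QUIC's real AEAD packet protection; only the discard-without-response behaviour is meant to be faithful.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field

# Toy packet protection, constructed for this example:
#   packet = nonce(12) || ciphertext || tag(16)
# The tag is HMAC-SHA256 over nonce||ciphertext, truncated. Real QUIC uses an
# AEAD (e.g. AES-GCM); the property shown is the same: a packet that fails
# authentication is discarded and nothing is sent back on the wire.
KEY = secrets.token_bytes(32)  # shared only by the two legitimate endpoints
NONCE_LEN = 12
TAG_LEN = 16


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Counter-mode keystream built from SHA-256 (toy construction, not a real cipher).
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def protect(key: bytes, payload: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(payload, _keystream(key, nonce, len(payload))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag


@dataclass
class QuicLikeReceiver:
    """Accepts only packets that authenticate; everything else is dropped silently."""
    key: bytes
    delivered: list = field(default_factory=list)
    dropped: int = 0
    alive: bool = True

    def receive(self, packet: bytes):
        if len(packet) < NONCE_LEN + TAG_LEN:
            self.dropped += 1
            return None
        nonce, ct, tag = packet[:NONCE_LEN], packet[NONCE_LEN:-TAG_LEN], packet[-TAG_LEN:]
        expect = hmac.new(self.key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expect):
            self.dropped += 1  # silent: no error is sent, the connection is unaffected
            return None
        pt = bytes(a ^ b for a, b in zip(ct, _keystream(self.key, nonce, len(ct))))
        self.delivered.append(pt)
        return pt


@dataclass
class TcpLikeReceiver:
    """Cleartext transport: an in-window RST from anyone aborts the connection."""
    next_seq: int = 0
    window: int = 1000
    delivered: list = field(default_factory=list)
    alive: bool = True

    def receive(self, seq: int, payload: bytes, rst: bool = False):
        if not self.alive:
            return None
        if not (self.next_seq <= seq < self.next_seq + self.window):
            return None  # out of window: ignored
        if rst:
            self.alive = False  # observable break: the endpoint stops talking
            return None
        self.delivered.append(payload)
        self.next_seq = seq + len(payload)
        return payload


def run_scenario() -> dict:
    # Legitimate endpoint sends one protected packet; a third party then injects
    # (a) random bytes of plausible size and (b) a bit-flipped copy of the real packet.
    q = QuicLikeReceiver(KEY)
    legit = protect(KEY, b"GET /index.html")
    q.receive(legit)
    q.receive(os.urandom(len(legit)))           # (a) no key: fails authentication
    tampered = bytearray(legit)
    tampered[NONCE_LEN + 3] ^= 0x01             # (b) flip one ciphertext bit
    q.receive(bytes(tampered))

    # Same injection against the TCP-like model: an in-window RST tears it down.
    t = TcpLikeReceiver()
    t.receive(0, b"GET /index.html")
    t.receive(t.next_seq + 10, b"", rst=True)

    return {
        "quic_delivered": list(q.delivered),
        "quic_dropped": q.dropped,
        "quic_alive": q.alive,
        "tcp_delivered": list(t.delivered),
        "tcp_alive": t.alive,
    }


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

In the QUIC-like model both injected packets are counted and discarded with no change visible to the peer or to the connection state, which is exactly why the injection is "robust" and why the only trace of it is the extra packet on the wire; in the TCP-like model the injection ends the connection, which either side can notice.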