[tor-talk] End-to-end correlation for fun and profit

Maxim Kammerer mk at dee.su
Wed Aug 22 06:48:19 UTC 2012


On Wed, Aug 22, 2012 at 8:51 AM, Andreas Krey <a.krey at gmx.de> wrote:
> Buying software for a) will probably show up in public records, and b)
> may be hindered by the paranoia of the participating LEAs. Even the software
> needed to get all the intercepted data in one place could be nightmarish.

I don't think that buying the software would be that difficult. For a
big project, LE could outsource it to one of those shady companies
selling exploits, or (more likely) to a government contractor with
security clearance. For something smaller, a hungry grad student
should do, after making them sign an NDA, or, in case of a really
arrogant LE, some national secrecy act. Writing the service as
something innocent in accounting is probably par for the course.

Closer to the topic, I think that traffic correlation can be performed
in a distributed fashion, if you know the target IPs to watch for
(which can be gathered beforehand locally on exit nodes, and
aggregated and analyzed afterwards). Exit nodes that see packets
to/from target hosts aggregate their exact timestamps for a few
seconds, and then send the chunks to all other nodes (so yes, you
can't correlate too much traffic). All other (guard) nodes then try to
locally correlate the received packets with their own traffic, and
aggregate successes for later reports. In this fashion, each node
needs to keep perhaps a minute of timestamped traffic. It is also
possible to play with traffic / disk space / success probability
tradeoffs: send chunks to rotating sets of nodes, increase recorded
traffic window (to be able to send old chunks to nodes that didn't see
traffic to a given IP yet), etc.

-- 
Maxim Kammerer
Liberté Linux: http://dee.su/liberte
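Added illustration, not part of the post above: a toy simulation of the guard-side step of the scheme Maxim describes (exit node records timestamps of packets to a watched target, sends a chunk to guards, each guard scores its own flows against the chunk over a latency scan). All traffic here is constructed synthetic data; the tolerance, latency scan range, and flow generator are assumptions made for the simulation. It also shows the runner-up score, which is where the "you can't correlate too much traffic" caveat comes from.

```python
import random
from bisect import bisect_left

def make_flows(n_flows, n_pkts, seed=1):
    """Constructed guard-side traffic: n_flows client flows of n_pkts packets each (seconds)."""
    rng = random.Random(seed)
    flows = {}
    for i in range(n_flows):
        t, times = rng.uniform(0, 5), []
        for _ in range(n_pkts):
            t += rng.expovariate(2.0)   # bursty inter-packet gaps, mean 0.5 s
            times.append(t)
        flows[f"client{i}"] = times
    return flows

def exit_chunk(flow_times, latency, jitter, seed=2):
    """What the exit node records for one flow's packets: delayed by circuit latency plus jitter."""
    rng = random.Random(seed)
    return sorted(t + latency + rng.gauss(0, jitter) for t in flow_times)

def has_near(sorted_times, t, tol):
    """True if some timestamp in sorted_times lies within +/- tol of t."""
    i = bisect_left(sorted_times, t - tol)
    return i < len(sorted_times) and sorted_times[i] <= t + tol

def match_score(local_times, chunk, tol, max_latency):
    """Best fraction of chunk timestamps explained by local packets, scanning the unknown latency."""
    local, best = sorted(local_times), 0.0
    for k in range(int(max_latency / tol) + 1):
        shift = k * tol
        hits = sum(has_near(local, t - shift, tol) for t in chunk)
        best = max(best, hits / len(chunk))
    return best

def correlate(guard_flows, chunk, tol=0.05, max_latency=2.0):
    """Guard-side matching: score every locally held flow against the received exit chunk."""
    scores = {fid: match_score(ts, chunk, tol, max_latency) for fid, ts in guard_flows.items()}
    return max(scores, key=scores.get), scores

def runner_up(scores, best_id):
    """Highest score among the other flows: the ambiguity a guard must tolerate."""
    return max(s for fid, s in scores.items() if fid != best_id)

if __name__ == "__main__":
    flows = make_flows(n_flows=5, n_pkts=20)
    chunk = exit_chunk(flows["client3"], latency=0.3, jitter=0.01)
    best, scores = correlate(flows, chunk)
    print(best, scores[best], runner_up(scores, best))
```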
