Internet Architecture Board (IAB)                              R. Barnes
Request for Comments: 7624                                   B. Schneier
Category: Informational                                      C. Jennings
ISSN: 2070-1721                                                T. Hardie
                                                             B. Trammell
                                                              C. Huitema
                                                             D. Borkmann
                                                             August 2015
        

Confidentiality in the Face of Pervasive Surveillance: A Threat Model and Problem Statement

Abstract

Since the initial revelations of pervasive surveillance in 2013, several classes of attacks on Internet communications have been discovered. In this document, we develop a threat model that describes these attacks on Internet confidentiality. We assume an attacker that is interested in undetected, indiscriminate eavesdropping. The threat model is based on published, verified attacks.

Status of This Memo

This document is not an Internet Standards Track specification; it is published for informational purposes.

This document is a product of the Internet Architecture Board (IAB) and represents information that the IAB has deemed valuable to provide for permanent record. It represents the consensus of the Internet Architecture Board (IAB). Documents approved for publication by the IAB are not a candidate for any level of Internet Standard; see Section 2 of RFC 5741.

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc7624.

Copyright Notice

Copyright (c) 2015 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.

Table of Contents

   1.  Introduction
   2.  Terminology
   3.  An Idealized Passive Pervasive Attacker
     3.1.  Information Subject to Direct Observation
     3.2.  Information Useful for Inference
     3.3.  An Illustration of an Ideal Passive Pervasive Attack
       3.3.1.  Analysis of IP Headers
       3.3.2.  Correlation of IP Addresses to User Identities
       3.3.3.  Monitoring Messaging Clients for IP Address Correlation
       3.3.4.  Retrieving IP Addresses from Mail Headers
       3.3.5.  Tracking Address Usage with Web Cookies
       3.3.6.  Graph-Based Approaches to Address Correlation
       3.3.7.  Tracking of Link-Layer Identifiers
   4.  Reported Instances of Large-Scale Attacks
   5.  Threat Model
     5.1.  Attacker Capabilities
     5.2.  Attacker Costs
   6.  Security Considerations
   7.  References
     7.1.  Normative References
     7.2.  Informative References
   IAB Members at the Time of Approval
   Acknowledgements
   Authors' Addresses
        
1. Introduction

Starting in June 2013, documents released to the press by Edward Snowden have revealed several operations undertaken by intelligence agencies to exploit Internet communications for intelligence purposes. These attacks were largely based on protocol vulnerabilities that were already known to exist. The attacks were nonetheless striking in their pervasive nature, in terms of both the volume of Internet traffic targeted and the diversity of attack techniques employed.

To ensure that the Internet can be trusted by users, it is necessary for the Internet technical community to address the vulnerabilities exploited in these attacks [RFC7258]. The goal of this document is to describe more precisely the threats posed by these pervasive attacks, and based on those threats, lay out the problems that need to be solved in order to secure the Internet in the face of those threats.

The remainder of this document is structured as follows. In Section 3, we describe an idealized passive pervasive attacker, one which could completely undetectably compromise communications at Internet scale. In Section 4, we provide a brief summary of some attacks that have been disclosed, and use these to expand the assumed capabilities of our idealized attacker. Note that we do not attempt to describe all possible attacks, but focus on those that result in undetected eavesdropping. Section 5 describes a threat model based on these attacks, focusing on classes of attack that have not been a focus of Internet engineering to date.

2. Terminology

This document makes extensive use of standard security and privacy terminology; see [RFC4949] and [RFC6973]. Terms used from [RFC6973] include Eavesdropper, Observer, Initiator, Intermediary, Recipient, Attack (in a privacy context), Correlation, Fingerprint, Traffic Analysis, and Identifiability (and related terms). In addition, we use a few terms that are specific to the attacks discussed in this document. Note especially that "passive" and "active" below do not refer to the effort used to mount the attack; a "passive attack" is any attack that accesses a flow but does not modify it, while an "active attack" is any attack that modifies a flow. Some passive attacks involve active interception and modifications of devices, rather than simple access to the medium. The introduced terms are:

Pervasive Attack: An attack on Internet communications that makes use of access at a large number of points in the network, or otherwise provides the attacker with access to a large amount of Internet traffic; see [RFC7258].

Passive Pervasive Attack: An eavesdropping attack undertaken by a pervasive attacker, in which the packets in a traffic stream between two endpoints are intercepted, but in which the attacker does not modify the packets in the traffic stream between two endpoints, modify the treatment of packets in the traffic stream (e.g., delay, routing), or add or remove packets in the traffic stream. Passive pervasive attacks are undetectable from the endpoints. Equivalent to passive wiretapping as defined in [RFC4949]; we use an alternate term here since the methods employed are wider than those implied by the word "wiretapping", including the active compromise of intermediate systems.

Active Pervasive Attack: An attack that is undertaken by a pervasive attacker and, in addition to the elements of a passive pervasive attack, also includes modification, addition, or removal of packets in a traffic stream, or modification of treatment of packets in the traffic stream. Active pervasive attacks provide more capabilities to the attacker at the risk of possible detection at the endpoints. Equivalent to active wiretapping as defined in [RFC4949].

Observation: Information collected directly from communications by an eavesdropper or observer. For example, the knowledge that <alice@example.com> sent a message to <bob@example.com> via SMTP taken from the headers of an observed SMTP message would be an observation.

Inference: Information derived from analysis of information collected directly from communications by an eavesdropper or observer. For example, the knowledge that a given web page was accessed by a given IP address, by comparing the size in octets of measured network flow records to fingerprints derived from known sizes of linked resources on the web servers involved, would be an inference.

Collaborator: An entity that is a legitimate participant in a communication, and provides information about that communication to an attacker. Collaborators may either deliberately or unwittingly cooperate with the attacker, in the latter case because the attacker has subverted the collaborator through technical, social, or other means.

Key Exfiltration: The transmission of cryptographic keying material for an encrypted communication from a collaborator, deliberately or unwittingly, to an attacker.

Content Exfiltration: The transmission of the content of a communication from a collaborator, deliberately or unwittingly, to an attacker.

3. An Idealized Passive Pervasive Attacker

In considering the threat posed by pervasive surveillance, we begin by defining an idealized passive pervasive attacker. While this attacker is less capable than those that we now know to have compromised the Internet from press reports, as elaborated in Section 4, it does set a lower bound on the capabilities of an attacker interested in indiscriminate passive surveillance while interested in remaining undetectable. We note that, prior to the Snowden revelations in 2013, the assumptions of attacker capability presented here would be considered on the border of paranoia outside the network security community.

Our idealized attacker is an indiscriminate eavesdropper that is on an Internet-attached computer network and:

o can observe every packet of all communications at any hop in any network path between an initiator and a recipient;

o can observe data at rest in any intermediate system between the endpoints controlled by the initiator and recipient; and

o can share information with other such attackers; but

o takes no other action with respect to these communications (i.e., blocking, modification, injection, etc.).

The techniques available to our ideal attacker are direct observation and inference. Direct observation involves taking information directly from eavesdropped communications, such as URLs identifying content or email addresses identifying individuals from application-layer headers. Inference, on the other hand, involves analyzing observed information to derive new information, such as searching for application or behavioral fingerprints in observed traffic to derive information about the observed individual. The use of encryption is generally sufficient to provide confidentiality by preventing direct observation of content, assuming of course, uncompromised encryption implementations and cryptographic keying material. However, encryption provides less complete protection against inference, especially inferences based only on plaintext portions of communications, such as IP and TCP headers for TLS-protected traffic [RFC5246].

3.1. Information Subject to Direct Observation

Protocols that do not encrypt their payload make the entire content of the communication available to the idealized attacker along their path. Following the advice in [RFC3365], most such protocols have a secure variant that encrypts the payload for confidentiality, and these secure variants are seeing ever-wider deployment. A noteworthy exception is DNS [RFC1035], as DNSSEC [RFC4033] does not have confidentiality as a requirement.

This implies that, in the absence of changes to the protocol as presently under development in the IETF's DNS Private Exchange (DPRIVE) working group [DPRIVE], all DNS queries and answers generated by the activities of any protocol are available to the attacker.

When store-and-forward protocols are used (e.g., SMTP [RFC5321]), intermediaries leave this data subject to observation by an attacker that has compromised these intermediaries, unless the data is encrypted end-to-end by the application-layer protocol or the implementation uses an encrypted store for this data.

3.2. Information Useful for Inference

Inference is information extracted from later analysis of an observed or eavesdropped communication, and/or correlation of observed or eavesdropped information with information available from other sources. Indeed, most useful inference performed by the attacker falls under the rubric of correlation. The simplest example of this is the observation of DNS queries and answers from and to a source and correlating those with IP addresses with which that source communicates. This can give access to information otherwise not available from encrypted application payloads (e.g., the "Host:" HTTP/1.1 request header when HTTP is used with TLS).

Protocols that encrypt their payload using an application- or transport-layer encryption scheme (e.g., TLS) still expose all the information in their network- and transport-layer headers to the attacker, including source and destination addresses and ports. IPsec Encapsulating Security Payload (ESP) [RFC4303] further encrypts the transport-layer headers but still leaves IP address information unencrypted; in tunnel mode, these addresses correspond to the tunnel endpoints. Features of the security protocols themselves, e.g., the TLS session identifier, may leak information that can be used for correlation and inference. While this information is much less semantically rich than the application payload, it can still be useful for inferring an individual's activities.
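The following added example (not part of the RFC text) measures this exposure on a capture of one's own network: it joins cleartext DNS answers to five-tuple flow records and reports how many encrypted flows can be given a host name without touching the payload. The record layouts, function names and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict, namedtuple

# Hypothetical record layouts: one observed DNS answer, one five-tuple flow record.
DnsAnswer = namedtuple("DnsAnswer", "ts client qname address ttl")
Flow = namedtuple("Flow", "ts src dst proto sport dport octets")

# Constructed sample data using documentation address ranges.
DNS_LOG = [
    DnsAnswer(100.0, "198.51.100.7", "mail.example.org", "192.0.2.10", 300),
    DnsAnswer(101.5, "198.51.100.7", "www.example.net", "192.0.2.20", 60),
    DnsAnswer(102.0, "198.51.100.8", "www.example.net", "192.0.2.20", 60),
]
FLOWS = [
    Flow(100.2, "198.51.100.7", "192.0.2.10", 6, 50001, 993, 18400),  # IMAP over TLS
    Flow(101.6, "198.51.100.7", "192.0.2.20", 6, 50002, 443, 52100),  # HTTPS
    Flow(400.0, "198.51.100.7", "192.0.2.20", 6, 50003, 443, 900),    # answer TTL expired
    Flow(102.1, "198.51.100.8", "192.0.2.30", 6, 50004, 443, 7000),   # no matching answer
]


def label_flows(dns_answers, flows):
    """Attach to each flow the names its source resolved to the flow's destination.

    An answer only labels flows that start while the answer is still within
    its TTL, which keeps stale mappings from being counted as exposure.
    """
    seen = defaultdict(list)  # (client, address) -> [(valid_from, valid_until, qname)]
    for a in dns_answers:
        seen[(a.client, a.address)].append((a.ts, a.ts + a.ttl, a.qname))
    labelled = []
    for f in flows:
        names = sorted({q for start, end, q in seen.get((f.src, f.dst), ())
                        if start <= f.ts <= end})
        labelled.append((f, names))
    return labelled


def exposure_ratio(dns_answers, flows):
    """Fraction of flows that can be named from headers plus cleartext DNS alone."""
    if not flows:
        return 0.0
    named = sum(1 for _, names in label_flows(dns_answers, flows) if names)
    return named / len(flows)


if __name__ == "__main__":
    for flow, names in label_flows(DNS_LOG, FLOWS):
        print(flow.src, "->", flow.dst, flow.dport, names or "unnamed")
    print("with cleartext DNS:", exposure_ratio(DNS_LOG, FLOWS))
    # With encrypted DNS transport the observer has no answers to join against,
    # although the addresses and ports in the flow records remain visible.
    print("without DNS visibility:", exposure_ratio([], FLOWS))
```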

Inference can also leverage information obtained from sources other than direct traffic observation. Geolocation databases, for example, have been developed that map IP addresses to a location, in order to provide location-aware services such as targeted advertising. This location information is often of sufficient resolution that it can be used to draw further inferences toward identifying or profiling an individual.

Social media provide another source of more or less publicly accessible information. This information can be extremely semantically rich, including information about an individual's location, associations with other individuals and groups, and activities. Further, this information is generally contributed and curated voluntarily by the individuals themselves: it represents information that the individuals are not necessarily interested in protecting for privacy reasons. However, correlation of this social networking data with information available from direct observation of network traffic allows the creation of a much richer picture of an individual's activities than either alone.

We note with some alarm that there is little that can be done at protocol design time to limit such correlation by the attacker, and that the existence of such data sources in many cases greatly complicates the problem of protecting privacy by hardening protocols alone.

3.3. An Illustration of an Ideal Passive Pervasive Attack

To illustrate how capable the idealized attacker is even given its limitations, we explore the non-anonymity of encrypted IP traffic in this section. Here, we examine in detail some inference techniques for associating a set of addresses with an individual, in order to illustrate the difficulty of defending communications against our idealized attacker. Here, the basic problem is that information radiated even from protocols that have no obvious connection with personal data can be correlated with other information that can paint a very rich behavioral picture; it only takes one unprotected link in the chain to associate with an identity.

3.3.1. Analysis of IP Headers

Internet traffic can be monitored by tapping Internet links or by installing monitoring tools in Internet routers. Of course, a single link or a single router only provides access to a fraction of the global Internet traffic. However, monitoring a number of high-capacity links or a set of routers placed at strategic locations provides access to a good sampling of Internet traffic.

Tools like the IP Flow Information Export (IPFIX) Protocol [RFC7011] allow administrators to acquire statistics about sequences of packets with some common properties that pass through a network device. The most common set of properties used in flow measurement is the "five-tuple" of source and destination addresses, protocol type, and source and destination ports. These statistics are commonly used for network engineering but could certainly be used for other purposes.

Let's assume for a moment that IP addresses can be correlated to specific services or specific users. Analysis of the sequences of packets will quickly reveal which users use what services, and also which users engage in peer-to-peer connections with other users. Analysis of traffic variations over time can be used to detect increased activity by particular users or, in the case of peer-to-peer connections, increased activity within groups of users.

3.3.2. Correlation of IP Addresses to User Identities

The correlation of IP addresses with specific users can be done in various ways. For example, tools like reverse DNS lookup can be used to retrieve the DNS names of servers. Since the addresses of servers tend to be quite stable and since servers are relatively less numerous than users, an attacker could easily maintain its own copy of the DNS for well-known or popular servers to accelerate such lookups.

On the other hand, the reverse lookup of IP addresses of users is generally less informative. For example, a lookup of the address currently used by one author's home network returns a name of the form "c-192-000-002-033.hsd1.wa.comcast.net". This particular type of reverse DNS lookup generally reveals only coarse-grained location or provider information, equivalent to that available from geolocation databases.

In many jurisdictions, Internet Service Providers (ISPs) are required to provide identification on a case-by-case basis of the "owner" of a specific IP address for law enforcement purposes. This is a reasonably expedient process for targeted investigations, but pervasive surveillance requires something more efficient. This provides an incentive for the attacker to secure the cooperation of the ISP in order to automate this correlation.

3.3.3. Monitoring Messaging Clients for IP Address Correlation

Even if the ISP does not cooperate, user identity can often be obtained via inference. POP3 [RFC1939] and IMAP [RFC3501] are used to retrieve mail from mail servers, while a variant of SMTP is used to submit messages through mail servers. IMAP connections originate from the client, and typically start with an authentication exchange in which the client proves its identity by answering a password challenge. The same holds for the SIP protocol [RFC3261] and many instant messaging services operating over the Internet using proprietary protocols.

The username is directly observable if any of these protocols operate in cleartext; the username can then be directly associated with the source address.

3.3.4. Retrieving IP Addresses from Mail Headers

SMTP [RFC5321] requires that each successive SMTP relay adds a "Received" header to the mail headers. The purpose of these headers is to enable audit of mail transmission, and perhaps to distinguish between regular mail and spam. Here is an extract from the headers of a message recently received from the perpass mailing list:

   Received: from 192-000-002-044.zone13.example.org (HELO
   ?192.168.1.100?) (xxx.xxx.xxx.xxx) by lvps192-000-002-219.example.net
   with ESMTPSA (DHE-RSA-AES256-SHA encrypted, authenticated); 27 Oct
   2013 21:47:14 +0100 Message-ID: <526D7BD2.7070908@example.org> Date:
   Sun, 27 Oct 2013 20:47:14 +0000 From: Some One <some.one@example.org>
        

This is the first "Received" header attached to the message by the first SMTP relay; for privacy reasons, the field values have been anonymized. We learn here that the message was submitted by "Some One" on October 27, from a host behind a NAT (192.168.1.100) [RFC1918] that used the IP address 192.0.2.44. The information remained in the message and is accessible by all recipients of the perpass mailing list, or indeed by any attacker that sees at least one copy of the message.

An attacker that can observe sufficient email traffic can regularly update the mapping between public IP addresses and individual email identities. Even if the SMTP traffic was encrypted on submission and relaying, the attacker can still receive a copy of public mailing lists like perpass.
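As an added example (not part of the RFC text), a mail operator can audit what the first "Received" header of outgoing list mail discloses about the submitting client, and see what the header looks like with the client clause removed. The function names are hypothetical, and the input is the anonymized extract above, unfolded into header lines.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed input: the anonymized extract quoted in this section.
SAMPLE = (
    "Received: from 192-000-002-044.zone13.example.org (HELO\n"
    " ?192.168.1.100?) (xxx.xxx.xxx.xxx) by lvps192-000-002-219.example.net\n"
    " with ESMTPSA (DHE-RSA-AES256-SHA encrypted, authenticated); 27 Oct\n"
    " 2013 21:47:14 +0100\n"
    "Message-ID: <526D7BD2.7070908@example.org>\n"
    "Date: Sun, 27 Oct 2013 20:47:14 +0000\n"
    "From: Some One <some.one@example.org>\n"
    "\n"
    "body\n"
)

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DOTTED = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
# Addresses embedded in provider host names, e.g. 192-000-002-044.
DASHED = re.compile(r"(?<![\d-])(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})(?![\d-])")


def _addresses(from_clause):
    """Return the valid IPv4 addresses written in a 'from' clause, in order."""
    candidates = [m.split(".") for m in DOTTED.findall(from_clause)]
    candidates += [list(m) for m in DASHED.findall(from_clause)]
    result = []
    for octets in candidates:
        try:
            # int() strips zero padding; out-of-range octets raise ValueError.
            addr = ipaddress.ip_address(".".join(str(int(o)) for o in octets))
        except ValueError:
            continue
        if addr not in result:
            result.append(addr)
    return result


def audit_first_hop(raw_message):
    """Report what the oldest Received header ties to the From identity."""
    msg = message_from_string(raw_message)
    hops = msg.get_all("Received", [])
    if not hops:
        return None
    # Relays prepend their header, so the last one listed is the first hop.
    first = " ".join(hops[-1].split())
    from_clause = first.partition(" by ")[0]
    host = re.match(r"from\s+(\S+)", from_clause)
    addrs = _addresses(from_clause)
    internal = [str(a) for a in addrs if any(a in net for net in RFC1918)]
    return {
        "identity": parseaddr(msg.get("From", ""))[1],
        "client_host": host.group(1) if host else None,
        "internal_addrs": internal,
        "external_addrs": [str(a) for a in addrs if str(a) not in internal],
        "seen_at": first.rpartition(";")[2].strip(),
    }


def redact_first_hop(received_value):
    """Drop the client clause from a Received value, keeping relay and time."""
    value = " ".join(received_value.split())
    return re.sub(r"^from .*? by ", "from [redacted] by ", value, count=1)


if __name__ == "__main__":
    print(audit_first_hop(SAMPLE))
```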

3.3.5. Tracking Address Usage with Web Cookies

Many web sites only encrypt a small fraction of their transactions. A popular pattern is to use HTTPS for the login information, and then use a "cookie" to associate following cleartext transactions with the user's identity. Cookies are also used by various advertisement services to quickly identify the users and serve them with "personalized" advertisements. Such cookies are particularly useful if the advertisement services want to keep tracking the user across multiple sessions that may use different IP addresses.

As cookies are sent in cleartext, an attacker can build a database that associates cookies to IP addresses for non-HTTPS traffic. If the IP address is already identified, the cookie can be linked to the user identity. After that, if the same cookie appears on a new IP address, the new IP address can be immediately associated with the predetermined identity.

3.3.6. Graph-Based Approaches to Address Correlation

An attacker can track traffic from an IP address not yet associated with an individual to various public services (e.g., web sites, mail servers, game servers) and exploit patterns in the observed traffic to correlate this address with other addresses that show similar patterns. For example, any two addresses that show connections to the same IMAP or webmail services, the same set of favorite web sites, and game servers at similar times of day may be associated with the same individual. Correlated addresses can then be tied to an individual through one of the techniques above, walking the "network graph" to expand the set of attributable traffic.

3.3.7. Tracking of Link-Layer Identifiers

Moving back down the stack, technologies like Ethernet or Wi-Fi use MAC (Media Access Control) addresses to identify link-level destinations. MAC addresses assigned according to IEEE 802 standards are globally unique identifiers for the device. If the link is publicly accessible, an attacker can eavesdrop and perform tracking. For example, the attacker can track the wireless traffic at publicly accessible Wi-Fi networks. Simple devices can monitor the traffic and reveal which MAC addresses are present. Also, devices do not need to be connected to a network to expose link-layer identifiers. Active service discovery always discloses the MAC address of the user, and sometimes the Service Set Identifiers (SSIDs) of previously visited networks. For instance, certain techniques such as the use of "hidden SSIDs" require the mobile device to broadcast the network identifier together with the device identifier. This combination can further expose the user to inference attacks, as more information can be derived from the combination of MAC address, SSID being probed, time, and current location. For example, a user actively probing for a semi-unique SSID on a flight out of a certain city can imply that the user is no longer at the physical location of the corresponding AP. Given that large-scale databases of the MAC addresses of wireless access points for geolocation purposes have been known to exist for some time, the attacker could easily build a database that maps link-layer identifiers and time with device or user identities, and use it to track the movement of devices and of their owners. On the other hand, if the network does not use some form of Wi-Fi encryption, or if the attacker can access the decrypted traffic, the analysis will also provide the correlation between link-layer identifiers such as MAC addresses and IP addresses. Additional monitoring using techniques exposed in the previous sections will reveal the correlation between MAC addresses, IP addresses, and user identity. For instance, similarly to the use of web cookies, MAC addresses provide identity information that can be used to associate a user to different IP addresses.
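The exposure described above can be measured on one's own devices. The following is an added example, not part of the RFC: an audit over probe-request metadata that reports which devices send a globally unique (universally administered) MAC address and which name specific SSIDs. The record layout, the sample values, and the "high/medium/low" labels are assumptions made for illustration; the universal/local bit test follows IEEE 802 addressing.

```python
import re
from collections import defaultdict

# Constructed sample records: (unix_time, source MAC, probed SSID; "" = wildcard probe).
# 00:00:5e:00:53:xx is the MAC range reserved for documentation.
PROBES = [
    (1000, "00:00:5e:00:53:10", ""),
    (1005, "00-00-5E-00-53-10", "HomeNet-4F2A"),
    (1010, "da:a1:19:00:00:01", ""),
    (1600, "00:00:5e:00:53:10", "CorpGuest"),
    (1700, "5e:9b:44:aa:bb:cc", ""),
    (1800, "da:a1:19:00:00:01", "Cafe-Hidden"),
]

_MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")


def normalize_mac(mac):
    """Lower-case, colon-separated form; raises ValueError on malformed input."""
    norm = mac.strip().lower().replace("-", ":")
    if not _MAC_RE.match(norm):
        raise ValueError(f"not a MAC address: {mac!r}")
    return norm


def is_globally_unique(mac):
    """True when the universal/local bit (0x02 of the first octet) is clear,
    meaning the address was assigned to the hardware and does not change."""
    return int(normalize_mac(mac)[:2], 16) & 0x02 == 0


def audit(probes):
    """Summarise, per source MAC, what a passive listener would learn."""
    seen = defaultdict(lambda: {"ssids": set(), "sightings": 0})
    for _ts, mac, ssid in probes:
        entry = seen[normalize_mac(mac)]
        entry["sightings"] += 1
        if ssid:  # a directed probe names a previously used network
            entry["ssids"].add(ssid)

    report = {}
    for mac, entry in seen.items():
        stable = is_globally_unique(mac)
        named = sorted(entry["ssids"])
        if stable and named:
            exposure = "high"      # stable identifier plus network history
        elif stable or named:
            exposure = "medium"    # one of the two still leaks
        else:
            exposure = "low"       # locally administered MAC, wildcard probes only
        report[mac] = {
            "globally_unique": stable,
            "ssids": named,
            "sightings": entry["sightings"],
            "exposure": exposure,
        }
    return report


if __name__ == "__main__":
    for mac, row in sorted(audit(PROBES).items()):
        print(mac, row)
```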

4. Reported Instances of Large-Scale Attacks

The situation in reality is more bleak than that suggested by an analysis of our idealized attacker. Through revelations of sensitive documents in several media outlets, the Internet community has been made aware of several intelligence activities conducted by US and UK national intelligence agencies, particularly the US National Security Agency (NSA) and the UK Government Communications Headquarters (GCHQ). These documents have revealed methods that these agencies use to attack Internet applications and obtain sensitive user information. There is little reason to suppose that only the US or UK governments are involved in these sorts of activities; the examples are just ones that were disclosed. We note that these reports are primarily useful as an illustration of the types of capabilities fielded by pervasive attackers as of the date of the Snowden leaks in 2013.

First, they confirm the deployment of large-scale passive collection of Internet traffic, which confirms the existence of pervasive passive attackers with at least the capabilities of our idealized attacker. For example, as described in [pass1], [pass2], [pass3], and [pass4]:

o NSA's XKEYSCORE system accesses data from multiple access points and searches for "selectors" such as email addresses, at the scale of tens of terabytes of data per day.

o GCHQ's Tempora system appears to have access to around 1,500 major cables passing through the UK.

o NSA's MUSCULAR program has tapped cables between data centers belonging to major service providers.

o Several programs appear to perform wide-scale collection of cookies in web traffic and location data from location-aware portable devices such as smartphones.

However, the capabilities described by these reports go beyond those of our idealized attacker. They include the compromise of cryptographic protocols, including decryption of TLS-protected Internet sessions [dec1] [dec2] [dec3]. For example, the NSA BULLRUN project worked to undermine encryption through multiple approaches, including covert modifications to cryptographic software on end systems.

Reported capabilities include the direct compromise of intermediate systems and arrangements with service providers for bulk data and metadata access [dir1] [dir2] [dir3], bypassing the need to capture traffic on the wire. For example, the NSA PRISM program provides the agency with access to many types of user data (e.g., email, chat, VoIP).

The reported capabilities also include elements of active pervasive attack, including:

o Insertion of devices as a man-in-the-middle of Internet transactions [TOR1] [TOR2]. For example, NSA's QUANTUM system appears to use several different techniques to hijack HTTP connections, ranging from DNS response injection to HTTP 302 redirects.

o Use of implants on end systems to undermine security and anonymity features [dec2] [TOR1] [TOR2]. For example, QUANTUM is used to direct users to a FOXACID server, which in turn delivers an implant to compromise browsers of Tor users.

o Use of implants on network elements from many major equipment providers, including Cisco, Juniper, Huawei, Dell, and HP, as provided by the NSA's Advanced Network Technology group [spiegel1].

o Use of botnet-scale collections of compromised hosts [spiegel2].

The scale of the compromise extends beyond the network to include subversion of the technical standards process itself. For example, there is suspicion that NSA modifications to the DUAL_EC_DRBG random number generator (RNG) were made to ensure that keys generated using that generator could be predicted by NSA. This RNG was made part of NIST's SP 800-90A, for which NIST acknowledges the NSA's assistance. There have also been reports that the NSA paid RSA Security for a related contract with the result that the curve became the default in the RSA BSAFE product line.

We use the term "pervasive attack" [RFC7258] to collectively describe these operations. The term "pervasive" is used because the attacks are designed to indiscriminately gather as much data as possible and to apply selective analysis on targets after the fact. This means that all, or nearly all, Internet communications are targets for these attacks. To achieve this scale, the attacks are physically pervasive; they affect a large number of Internet communications. They are pervasive in content, consuming and exploiting any information revealed by the protocol. And they are pervasive in technology, exploiting many different vulnerabilities in many different protocols.

Again, it's important to note that, although the attacks mentioned above were executed by the NSA and GCHQ, there are many other organizations that can mount pervasive surveillance attacks. Because of the resources required to achieve pervasive scale, these attacks are most commonly undertaken by nation-state actors. For example, the Chinese Internet filtering system known as the "Great Firewall of China" uses several techniques that are similar to the QUANTUM program and that have a high degree of pervasiveness with regard to the Internet in China. Therefore, legal restrictions in any one jurisdiction on pervasive monitoring activities cannot eliminate the risk of pervasive attack to the Internet as a whole.

5. Threat Model

Given these disclosures, we must consider a broader threat model.

Pervasive surveillance aims to collect information across a large number of Internet communications, analyzing the collected communications to identify information of interest within individual communications, or inferring information from correlated communications. This analysis sometimes benefits from decryption of encrypted communications and deanonymization of anonymized communications. As a result, these attackers desire both access to the bulk of Internet traffic and to the keying material required to decrypt any traffic that has been encrypted. Even if keys are not available, note that the presence of a communication and the fact that it is encrypted may both be inputs to an analysis, even if the attacker cannot decrypt the communication.

The attacks listed above highlight new avenues both for access to traffic and for access to relevant encryption keys. They further indicate that the scale of surveillance is sufficient to provide a general capability to cross-correlate communications, a threat not previously thought to be relevant at the scale of the Internet.

5.1. Attacker Capabilities
    +--------------------------+-------------------------------------+
    | Attack Class             | Capability                          |
    +--------------------------+-------------------------------------+
    | Passive observation      | Directly capture data in transit    |
    |                          |                                     |
    | Passive inference        | Infer from reduced/encrypted data   |
    |                          |                                     |
    | Active                   | Manipulate / inject data in transit |
    |                          |                                     |
    | Static key exfiltration  | Obtain key material once / rarely   |
    |                          |                                     |
    | Dynamic key exfiltration | Obtain per-session key material     |
    |                          |                                     |
    | Content exfiltration     | Access data at rest                 |
    +--------------------------+-------------------------------------+
        
Security analyses of Internet protocols commonly consider two classes of attacker: passive pervasive attackers, who can simply listen in on communications as they transit the network, and active pervasive attackers, who can modify or delete packets in addition to simply collecting them.

In the context of pervasive passive surveillance, these attacks take on an even greater significance. In the past, these attackers were often assumed to operate near the edge of the network, where attacks can be simpler. For example, in some LANs, it is simple for any node to engage in passive listening to other nodes' traffic or inject packets to accomplish active pervasive attacks. However, as we now know, both passive and active pervasive attacks are undertaken by pervasive attackers closer to the core of the network, greatly expanding the scope and capability of the attacker.

Eavesdropping and observation at a larger scale make passive inference attacks easier to carry out: a passive pervasive attacker with access to a large portion of the Internet can analyze collected traffic to create a much more detailed view of individual behavior than an attacker that collects at a single point. Even the usual claim that encryption defeats passive pervasive attackers is weakened, since a pervasive flow access attacker can infer relationships from correlations over large numbers of sessions, e.g., pairing encrypted sessions with unencrypted sessions from the same host, or performing traffic fingerprinting between known and unknown encrypted sessions. Reports on the NSA XKEYSCORE system would indicate it is an example of such an attacker.

An active pervasive attacker likewise has capabilities beyond those of a localized active attacker. Flow modification attacks are often limited by network topology, for example, by a requirement that the attacker be able to see a targeted session as well as inject packets into it. A pervasive flow modification attacker with access at multiple points within the core of the Internet is able to overcome these topological limitations and perform attacks over a much broader scope. Being positioned in the core of the network rather than the edge can also enable an active pervasive attacker to reroute targeted traffic, amplifying the ability to perform both eavesdropping and traffic injection. Active pervasive attackers can also benefit from passive pervasive collection to identify vulnerable hosts.

While not directly related to pervasiveness, attackers that are in a position to mount an active pervasive attack are also often in a position to subvert authentication, a traditional protection against such attacks. Authentication in the Internet is often achieved via trusted third-party authorities such as the Certificate Authorities (CAs) that provide web sites with authentication credentials. An attacker with sufficient resources may also be able to induce an authority to grant credentials for an identity of the attacker's choosing. If the parties to a communication will trust multiple authorities to certify a specific identity, this attack may be mounted by suborning any one of the authorities (the proverbial "weakest link"). Subversion of authorities in this way can allow an active attack to succeed in spite of an authentication check.

Beyond these three classes (observation, inference, and active), reports on the BULLRUN effort to defeat encryption and the PRISM effort to obtain data from service providers suggest three more classes of attack:

o Static key exfiltration

o Dynamic key exfiltration

o Content exfiltration

These attacks all rely on a collaborator providing the attacker with some information, either keys or data. These attacks have not traditionally been considered in scope for the Security Considerations sections of IETF protocols, as they occur outside the protocol.

The term "key exfiltration" refers to the transfer of keying material for an encrypted communication from the collaborator to the attacker. By "static", we mean that the transfer of keys happens once or rarely and that the transferred key is typically long-lived. For example, this case would cover a web site operator that provides the private key corresponding to its HTTPS certificate to an intelligence agency.

"Dynamic" key exfiltration, by contrast, refers to attacks in which the collaborator delivers keying material to the attacker frequently, e.g., on a per-session basis. This does not necessarily imply frequent communications with the attacker; the transfer of keying material may be virtual. For example, if an endpoint were modified in such a way that the attacker could predict the state of its pseudorandom number generator, then the attacker would be able to derive per-session keys even without per-session communications.

Finally, content exfiltration is the attack in which the collaborator simply provides the attacker with the desired data or metadata. Unlike the key exfiltration cases, this attack does not require the attacker to capture the desired data as it flows through the network. The exfiltration is of data at rest, rather than data in transit. This increases the scope of data that the attacker can obtain, since the attacker can access historical data -- the attacker does not have to be listening at the time the communication happens.

Exfiltration attacks can be accomplished via attacks against one of the parties to a communication, i.e., by the attacker stealing the keys or content rather than the party providing them willingly. In these cases, the party may not be aware, at least at a human level, that they are collaborating. Rather, the subverted technical assets are "collaborating" with the attacker (by providing keys/content) without their owner's knowledge or consent.

Any party that has access to encryption keys or unencrypted data can be a collaborator. While collaborators are typically the endpoints of a communication (with encryption securing the links), intermediaries in an unencrypted communication can also facilitate content exfiltration attacks as collaborators by providing the attacker access to those communications. For example, documents describing the NSA PRISM program claim that NSA is able to access user data directly from servers, where it is stored unencrypted. In these cases, the operator of the server would be a collaborator, if an unwitting one. By contrast, in the NSA MUSCULAR program, a set of collaborators enabled attackers to access the cables connecting data centers used by service providers such as Google and Yahoo. Because communications among these data centers were not encrypted, the collaboration by an intermediate entity allowed the NSA to collect unencrypted user data.

5.2. Attacker Costs
     +--------------------------+-----------------------------------+
     | Attack Class             | Cost / Risk to Attacker           |
     +--------------------------+-----------------------------------+
     | Passive observation      | Passive data access               |
     |                          |                                   |
     | Passive inference        | Passive data access + processing  |
     |                          |                                   |
     | Active                   | Active data access + processing   |
     |                          |                                   |
     | Static key exfiltration  | One-time interaction              |
     |                          |                                   |
     | Dynamic key exfiltration | Ongoing interaction / code change |
     |                          |                                   |
     | Content exfiltration     | Ongoing, bulk interaction         |
     +--------------------------+-----------------------------------+
        
Each of the attack types discussed in the previous section entails certain costs and risks. These costs differ by attack and can be helpful in guiding response to pervasive attack.

Depending on the attack, the attacker may be exposed to several types of risk, ranging from simply losing access to arrest or prosecution. In order for any of these negative consequences to occur, however, the attacker must first be discovered and identified. So, the primary risk we focus on here is the risk of discovery and attribution.

A passive pervasive attack is the simplest to mount in some ways. The base requirement is that the attacker obtain physical access to a communications medium and extract communications from it. For example, the attacker might tap a fiber-optic cable, acquire a mirror port on a switch, or listen to a wireless signal. The need for these taps to have physical access or proximity to a link exposes the attacker to the risk that the taps will be discovered. For example, a fiber tap or mirror port might be discovered by network operators noticing increased attenuation in the fiber or a change in switch configuration. Of course, passive pervasive attacks may be accomplished with the cooperation of the network operator, in which case there is a risk that the attacker's interactions with the network operator will be exposed.

In many ways, the costs and risks for an active pervasive attack are similar to those for a passive pervasive attack, with a few additions. An active attacker requires more robust network access than a passive attacker, since, for example, they will often need to transmit data as well as receive it. In the wireless example above, the attacker would need to act as a transmitter as well as a receiver, greatly increasing the probability the attacker will be discovered (e.g., using direction-finding technology). Active attacks are also much more observable at higher layers of the network. For example, an active attacker that attempts to use a mis-issued certificate could be detected via Certificate Transparency [RFC6962].

In terms of raw implementation complexity, passive pervasive attacks require only enough processing to extract information from the network and store it. Active pervasive attacks, by contrast, often depend on winning race conditions to inject packets into active connections. So, active pervasive attacks in the core of the network require processing hardware that can operate at line speed (roughly 100 Gbps to 1 Tbps in the core) to identify opportunities for attack and insert attack traffic in high-volume traffic. Key exfiltration attacks rely on passive pervasive attack for access to encrypted data, with the collaborator providing keys to decrypt the data. So, the attacker undertakes the cost and risk of a passive pervasive attack, as well as additional risk of discovery via the interactions that the attacker has with the collaborator.

Some active attacks are more expensive than others. For example, active man-in-the-middle (MITM) attacks require access to one or more points on a communication's network path that allow visibility of the entire session and the ability to modify or drop legitimate packets in favor of the attacker's packets. A similar but weaker form of attack, called an active man-on-the-side (MOTS), requires access to only part of the session. In an active MOTS attack, the attacker need only be able to inject or modify traffic on the network element the attacker has access to. While this may not allow for full control of a communication session (as in an MITM attack), the attacker can perform a number of powerful attacks, including but not limited to: injecting packets that could terminate the session (e.g., TCP RST packets), sending a fake DNS reply to redirect ensuing TCP connections to an address of the attacker's choice (i.e., winning a "DNS response race"), and mounting an HTTP redirect attack by observing a TCP/HTTP connection to a target address and injecting a TCP data packet containing an HTTP redirect. For example, the system dubbed by researchers as China's "Great Cannon" [great-cannon] can operate in full MITM mode to accomplish very complex attacks that can modify content in transit, while the well-known Great Firewall of China is a MOTS system that focuses on blocking access to certain kinds of traffic and destinations via TCP RST packet injection.
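The observability of man-on-the-side injection can be turned into a detection check. The following is an added example, not part of the RFC: because a MOTS attacker can inject but cannot drop packets, the legitimate DNS reply still arrives after the forged one, so two replies to the same query with conflicting answers mark a "DNS response race". The record layout, the 2-second window, the use of IP TTL as a supporting hint, and all sample values are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsResponse:
    ts: float            # arrival time at the client, seconds
    server: str          # resolver address the reply claims to come from
    client_port: int     # UDP port the query was sent from
    txid: int            # DNS transaction ID
    qname: str           # question name
    answers: frozenset   # A-record addresses in the reply
    ip_ttl: int          # IP TTL seen on arrival (hop-distance hint)


# Constructed capture: one race, one harmless retransmission, one txid reuse.
SAMPLE_RESPONSES = [
    DnsResponse(10.000, "192.0.2.53", 40001, 0x1A2B, "example.com",
                frozenset({"203.0.113.66"}), 61),
    DnsResponse(10.018, "192.0.2.53", 40001, 0x1A2B, "Example.COM.",
                frozenset({"198.51.100.7"}), 52),
    DnsResponse(20.000, "192.0.2.53", 40002, 0x2222, "static.example.net",
                frozenset({"198.51.100.20"}), 52),
    DnsResponse(20.300, "192.0.2.53", 40002, 0x2222, "static.example.net",
                frozenset({"198.51.100.20"}), 52),
    DnsResponse(40.000, "192.0.2.53", 40003, 0x4444, "example.org",
                frozenset({"198.51.100.30"}), 52),
    DnsResponse(45.500, "192.0.2.53", 40003, 0x4444, "example.org",
                frozenset({"198.51.100.31"}), 52),
]


def find_response_races(responses, window=2.0):
    """Return one finding per query that received conflicting replies
    within `window` seconds of the first reply."""
    groups = defaultdict(list)
    for r in responses:
        qname = r.qname.lower().rstrip(".")   # DNS names are case-insensitive
        groups[(r.server, r.client_port, r.txid, qname)].append(r)

    findings = []
    for (server, port, txid, qname), rs in groups.items():
        rs.sort(key=lambda r: r.ts)
        first = rs[0]
        for later in rs[1:]:
            if later.ts - first.ts > window:
                break                          # too late to be the same exchange
            if later.answers != first.answers:
                findings.append({
                    "qname": qname,
                    "txid": txid,
                    "first_answers": sorted(first.answers),
                    "later_answers": sorted(later.answers),
                    "gap_seconds": round(later.ts - first.ts, 3),
                    # Differing TTLs suggest the replies started at different
                    # hop distances; supporting evidence only.
                    "ip_ttl_differs": first.ip_ttl != later.ip_ttl,
                })
                break
    return findings


if __name__ == "__main__":
    for finding in find_response_races(SAMPLE_RESPONSES):
        print(finding)
```

The check says only that two conflicting replies were seen; which one was forged has to be settled separately, for example by re-querying over an authenticated channel.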

In this sense, static exfiltration has a lower risk profile than dynamic. In the static case, the attacker need only interact with the collaborator a small number of times, possibly only once -- say, to exchange a private key. In the dynamic case, the attacker must have continuing interactions with the collaborator. As noted above, these interactions may be real, such as in-person meetings, or virtual, such as software modifications that render keys available to the attacker. Both of these types of interactions introduce a risk that they will be discovered, e.g., by employees of the collaborator organization noticing suspicious meetings or suspicious code changes.

Content exfiltration has a similar risk profile to dynamic key exfiltration. In a content exfiltration attack, the attacker saves the cost and risk of conducting a passive pervasive attack. The risk of discovery through interactions with the collaborator, however, is still present, and may be higher. The content of a communication is obviously larger than the key used to encrypt it, often by several orders of magnitude. So, in the content exfiltration case, the interactions between the collaborator and the attacker need to be much higher bandwidth than in the key exfiltration cases, with a corresponding increase in the risk that this high-bandwidth channel will be discovered.

It should also be noted that in these latter three exfiltration cases, the collaborator also undertakes a risk that his collaboration with the attacker will be discovered. Thus, the attacker may have to incur additional cost in order to convince the collaborator to participate in the attack. Likewise, the scope of these attacks is limited to cases where the attacker can convince a collaborator to participate. If the attacker is a national government, for example, it may be able to compel participation within its borders, but have a much more difficult time recruiting foreign collaborators.

As noted above, the collaborator in an exfiltration attack can be unwitting; the attacker can steal keys or data to enable the attack. In some ways, the risks of this approach are similar to the case of an active collaborator. In the static case, the attacker needs to steal information from the collaborator once; in the dynamic case, the attacker needs continued presence inside the collaborators' systems. The main difference is that the risk in this case is of automated discovery (e.g., by intrusion detection systems) rather than discovery by humans.

6. Security Considerations

This document describes a threat model for pervasive surveillance attacks. Mitigations are to be given in a future document.

7. References
7.1. Normative References

[RFC6973] Cooper, A., Tschofenig, H., Aboba, B., Peterson, J., Morris, J., Hansen, M., and R. Smith, "Privacy Considerations for Internet Protocols", RFC 6973, DOI 10.17487/RFC6973, July 2013, <http://www.rfc-editor.org/info/rfc6973>.

7.2. Informative References

[dec1] Perlroth, N., Larson, J., and S. Shane, "N.S.A. Able to Foil Basic Safeguards of Privacy on Web", The New York Times, September 2013, <http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html>.

[dec2] The Guardian, "Project Bullrun -- classification guide to the NSA's decryption program", September 2013, <http://www.theguardian.com/world/interactive/2013/sep/05/nsa-project-bullrun-classification-guide>.

[dec3] Ball, J., Borger, J., and G. Greenwald, "Revealed: how US and UK spy agencies defeat internet privacy and security", The Guardian, September 2013, <http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security>.

[dir1] Greenwald, G., "NSA collecting phone records of millions of Verizon customers daily", The Guardian, June 2013, <http://www.theguardian.com/world/2013/jun/06/nsa-phone-records-verizon-court-order>.

[dir2] Greenwald, G. and E. MacAskill, "NSA Prism program taps in to user data of Apple, Google and others", The Guardian, June 2013, <http://www.theguardian.com/world/2013/jun/06/us-tech-giants-nsa-data>.

[dir3] The Guardian, "Sigint -- how the NSA collaborates with technology companies", September 2013, <http://www.theguardian.com/world/interactive/2013/sep/05/sigint-nsa-collaborates-technology-companies>.

[DPRIVE] Bortzmeyer, S., "DNS privacy considerations", Work in Progress, draft-ietf-dprive-problem-statement-06, June 2015.

[great-cannon] Marczak, B., Weaver, N., Dalek, J., Ensafi, R., Fifield, D., McKune, S., Rey, A., Scott-Railton, J., Deibert, R., and V. Paxson, "China's Great Cannon", The Citizen Lab, University of Toronto, 2015, <https://citizenlab.org/2015/04/chinas-great-cannon/>.

[pass1] Greenwald, G. and S. Ackerman, "How the NSA is still harvesting your online data", The Guardian, June 2013, <http://www.theguardian.com/world/2013/jun/27/nsa-online-metadata-collection>.

[pass2] Ball, J., "NSA's Prism surveillance program: how it works and what it can do", The Guardian, June 2013, <http://www.theguardian.com/world/2013/jun/08/nsa-prism-server-collection-facebook-google>.

[pass3] Greenwald, G., "XKeyscore: NSA tool collects 'nearly everything a user does on the internet'", The Guardian, July 2013, <http://www.theguardian.com/world/2013/jul/31/nsa-top-secret-program-online-data>.

[pass4] MacAskill, E., Borger, J., Hopkins, N., Davies, N., and J. Ball, "How does GCHQ's internet surveillance work?", The Guardian, June 2013, <http://www.theguardian.com/uk/2013/jun/21/how-does-gchq-internet-surveillance-work>.

[RFC1035] Mockapetris, P., "Domain names - implementation and specification", STD 13, RFC 1035, DOI 10.17487/RFC1035, November 1987, <http://www.rfc-editor.org/info/rfc1035>.

[RFC1918] Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G., and E. Lear, "Address Allocation for Private Internets", BCP 5, RFC 1918, DOI 10.17487/RFC1918, February 1996, <http://www.rfc-editor.org/info/rfc1918>.

[RFC1939] Myers, J. and M. Rose, "Post Office Protocol - Version 3", STD 53, RFC 1939, DOI 10.17487/RFC1939, May 1996, <http://www.rfc-editor.org/info/rfc1939>.

[RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A., Peterson, J., Sparks, R., Handley, M., and E. Schooler, "SIP: Session Initiation Protocol", RFC 3261, DOI 10.17487/RFC3261, June 2002, <http://www.rfc-editor.org/info/rfc3261>.

[RFC3365] Schiller, J., "Strong Security Requirements for Internet Engineering Task Force Standard Protocols", BCP 61, RFC 3365, DOI 10.17487/RFC3365, August 2002, <http://www.rfc-editor.org/info/rfc3365>.

[RFC3501] Crispin, M., "INTERNET MESSAGE ACCESS PROTOCOL - VERSION 4rev1", RFC 3501, DOI 10.17487/RFC3501, March 2003, <http://www.rfc-editor.org/info/rfc3501>.

[RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, "DNS Security Introduction and Requirements", RFC 4033, DOI 10.17487/RFC4033, March 2005, <http://www.rfc-editor.org/info/rfc4033>.

[RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)", RFC 4303, DOI 10.17487/RFC4303, December 2005, <http://www.rfc-editor.org/info/rfc4303>.

[RFC4949] Shirey, R., "Internet Security Glossary, Version 2", FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007, <http://www.rfc-editor.org/info/rfc4949>.

[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.2", RFC 5246, DOI 10.17487/RFC5246, August 2008, <http://www.rfc-editor.org/info/rfc5246>.

[RFC5321] Klensin, J., "Simple Mail Transfer Protocol", RFC 5321, DOI 10.17487/RFC5321, October 2008, <http://www.rfc-editor.org/info/rfc5321>.

[RFC6962] Laurie, B., Langley, A., and E. Kasper, "Certificate Transparency", RFC 6962, DOI 10.17487/RFC6962, June 2013, <http://www.rfc-editor.org/info/rfc6962>.

[RFC7011] Claise, B., Ed., Trammell, B., Ed., and P. Aitken, "Specification of the IP Flow Information Export (IPFIX) Protocol for the Exchange of Flow Information", STD 77, RFC 7011, DOI 10.17487/RFC7011, September 2013, <http://www.rfc-editor.org/info/rfc7011>.

[RFC7258] Farrell, S. and H. Tschofenig, "Pervasive Monitoring Is an Attack", BCP 188, RFC 7258, DOI 10.17487/RFC7258, May 2014, <http://www.rfc-editor.org/info/rfc7258>.

[spiegel1] Appelbaum, J., Horchert, J., Reissmann, O., Rosenbach, M., Schindler, J., and C. Stocker, "NSA's Secret Toolbox: Unit Offers Spy Gadgets for Every Need", Spiegel Online, December 2013, <http://www.spiegel.de/international/world/nsa-secret-toolbox-ant-unit-offers-spy-gadgets-for-every-need-a-941006.html>.

[spiegel2] Appelbaum, J., Gibson, A., Guarnieri, C., Muller-Maguhn, A., Poitras, L., Rosenbach, M., Schmundt, H., and M. Sontheimer, "The Digital Arms Race: NSA Preps America for Future Battle", Spiegel Online, January 2015, <http://www.spiegel.de/international/world/new-snowden-docs-indicate-scope-of-nsa-preparations-for-cyber-battle-a-1013409.html>.

[TOR1] Schneier, B., "How the NSA Attacks Tor/Firefox Users With QUANTUM and FOXACID", Schneier on Security, October 2013, <https://www.schneier.com/blog/archives/2013/10/how_the_nsa_att.html>.

[TOR2] The Guardian, "'Tor Stinks' presentation -- read the full document", October 2013, <http://www.theguardian.com/world/interactive/2013/oct/04/tor-stinks-nsa-presentation-document>.

IAB Members at the Time of Approval

   Jari Arkko (IETF Chair)
   Mary Barnes
   Marc Blanchet
   Ralph Droms
   Ted Hardie
   Joe Hildebrand
   Russ Housley
   Erik Nordmark
   Robert Sparks
   Andrew Sullivan
   Dave Thaler
   Brian Trammell
   Suzanne Woolf

Acknowledgements

Thanks to Dave Thaler for the list of attacks and taxonomy; to Security Area Directors Stephen Farrell, Sean Turner, and Kathleen Moriarty for starting and managing the IETF's discussion on pervasive attack; and to Stephan Neuhaus, Mark Townsley, Chris Inacio, Evangelos Halepilidis, Bjoern Hoehrmann, Aziz Mohaisen, Russ Housley, Joe Hall, Andrew Sullivan, the IEEE 802 Privacy Executive Committee SG, and the IAB Privacy and Security Program for their input.

Authors' Addresses

Richard Barnes

   Email: rlb@ipv.sx

Bruce Schneier

   Email: schneier@schneier.com

Cullen Jennings

   Email: fluffy@cisco.com

Ted Hardie

   Email: ted.ietf@gmail.com

Brian Trammell

   Email: ietf@trammell.ch

Christian Huitema

   Email: huitema@huitema.net

Daniel Borkmann

   Email: dborkman@iogearbox.net