[rssac-caucus] FOR REVIEW: Harmonizing the Anonymization of Queries to the Root

Paul Hoffman paul.hoffman at icann.org
Thu Feb 22 18:58:44 UTC 2018


On Feb 22, 2018, at 3:51 AM, John Bond <john.bond at icann.org> wrote:
> 
> Hi Paul, 
> 
> Thanks for the response
> 
>> 
>>>> 3.3 ipcrypt
>>> The one-to-one mapping also means it is susceptible to a known-plaintext attack, but to what severity is unknown; however, the lack of prefix preservation would likely make any attack harder [than Cryptopan attacks].
>> 
>> A known-plaintext attack returns the key used, or allows the attacker some other way of de-anonymizing other addresses. That is not possible in the methods other than Cryptopan. However, if I can inject a query using a known source address to a particular root using an identifiable QNAME, I can find the result in the anonymized PCAP. What is important is that an attacker cannot use this to then determine the random key that was used.
> I don't believe that someone needs to send a specifically crafted DNS query to reveal the true addresses. I suspect many researchers, some of whom are on this list, can already identify popular resolvers by looking at their DNS traffic signatures. Further, I believe that comparing an anonymised DITL with one from a previous year that had not been anonymised would allow one to start correlating traffic patterns. Further, statistical frequency analysis would likely reverse mappings as well. These attacks fundamentally rely on statistics and pattern correlation; therefore, as the dataset grows it becomes easier to reverse the anonymisation.

These are all very good points. To be clear, they are not "known plaintext attacks" in the cryptographic sense, but they are ways to deanonymize addresses. I believe that none of them can be prevented, even by using 0.0.0.0 for every source address.

> We should also consider the attack you suggest where a user can poison the dataset by injecting unique qname queries that identify individual users. I believe this is very similar to how Geoff's ad network research works but also how many ad networks work.

It is not. He doesn't look at root traffic (as far as I can remember). Instead, he uses per-user query names and looks in his logs.

>>>> 4 ASN and recommendation 3
>>> I'm strongly opposed to this as it would make de-anonymising the information and the known-text attacks mentioned above much simpler to execute.
>> 
>> Are you suggesting that we remove the recommendation (which Geoff Huston made) or simply make it clear that it is optional?
> I personally think it should be removed. At the very least this would allow a researcher to reverse the IP addresses of most/all ISP and public resolver infrastructure.

I'll start a new thread on this.

--Paul
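Added example, not from this thread or either author: a Python comparison of what a single revealed (real address, anonymised address) pair, such as one found via an identifiable QNAME, tells an analyst about other addresses under a prefix-preserving mapping versus a non-prefix-preserving one-to-one mapping. Both constructions are toy stand-ins for the schemes discussed (a Crypto-PAn-style bit-wise mapping and a keyed Feistel permutation), not Crypto-PAn or ipcrypt themselves, and the key is constructed.

```python
import hashlib
import hmac
import ipaddress

KEY = b"constructed-demo-key"  # constructed for this example only, not a real key


def _prf(key, data, nbytes=4):
    """Keyed pseudo-random function (HMAC-SHA256 truncated to nbytes)."""
    return hmac.new(key, data, hashlib.sha256).digest()[:nbytes]


def prefix_preserving(ip, key=KEY):
    """Crypto-PAn-style toy: output bit i depends only on input bits 0..i-1 and
    the key, so two inputs sharing an n-bit prefix share an n-bit output prefix."""
    x = int(ipaddress.IPv4Address(ip))
    out = 0
    for i in range(32):
        seen = x >> (32 - i)  # the i high-order bits already processed
        mask = _prf(key, bytes([i]) + seen.to_bytes(4, "big"))[0] & 1
        out = (out << 1) | (((x >> (31 - i)) & 1) ^ mask)
    return str(ipaddress.IPv4Address(out))


def non_prefix_preserving(ip, key=KEY, rounds=4):
    """Keyed 32-bit Feistel permutation: still one-to-one (a given real address
    always maps to the same output), but neighbouring inputs scatter across the
    whole output space. A stand-in for ipcrypt, not ipcrypt's own construction."""
    x = int(ipaddress.IPv4Address(ip))
    left, right = x >> 16, x & 0xFFFF
    for rnd in range(rounds):
        f = int.from_bytes(_prf(key, bytes([rnd]) + right.to_bytes(2, "big"), 2), "big")
        left, right = right, left ^ f
    return str(ipaddress.IPv4Address((left << 16) | right))


def common_prefix_bits(a, b):
    """Number of leading bits two IPv4 addresses share."""
    diff = int(ipaddress.IPv4Address(a)) ^ int(ipaddress.IPv4Address(b))
    return 32 - diff.bit_length()


def preserved_prefix_bits(anonymise, known_real, other_real):
    """How many anonymised bits of `other_real` an analyst can infer from one
    revealed pair for `known_real`: the output prefix they have in common."""
    return common_prefix_bits(anonymise(known_real), anonymise(other_real))


if __name__ == "__main__":
    known, other = "192.0.2.10", "192.0.2.200"  # constructed sample addresses
    print("real addresses share", common_prefix_bits(known, other), "bits")
    print("prefix-preserving reveals", preserved_prefix_bits(prefix_preserving, known, other), "bits")
    print("non-prefix-preserving reveals", preserved_prefix_bits(non_prefix_preserving, known, other), "bits")
```

Under the prefix-preserving mapping, one revealed pair fixes the anonymised /24 of every address in that resolver operator's block; under the one-to-one permutation it fixes only that single address, which is the distinction the messages above draw between the two schemes.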