Traffic analysis

Traffic analysis is the process of intercepting and examining messages in order to deduce information from patterns in communication. It can be performed even when the messages are encrypted and cannot be decrypted. In general, the greater the number of messages observed, or even intercepted and stored, the more that can be inferred from the traffic. Traffic analysis can be performed in the context of military intelligence or counter-intelligence, and is a concern in computer security.

In military intelligence

In a military context, traffic analysis is usually performed by a signals intelligence agency, and can be a source of information about the intentions and actions of the enemy. Examples patterns include:

• Frequent communications — can denote planning
• Rapid, short, communications — can denote negotiations
• A lack of communication — can indicate a lack of activity, or completion of a finalized plan
• Frequent communication to specific stations from a central station — can highlight the chain of command
• Who talks to whom — can indicate which stations are 'in charge' and which aren't, which further implies something about the personnel associated with each station
• Who talks when — can indicate which stations are active in connection with events, which implies something about the information being passed and perhaps something about the personnel/access of those associated with some stations
• Who changes from station to station, or medium to medium — can indicate movement, fear of interception

In computer security

Traffic analysis is also a concern in computer security. An attacker can gain important information by monitoring, for example, the frequency and timing of network packets. For example, a timing attack on the SSH protocol used timing information to deduce information about passwords (Song et al, 2001). For interactive sessions, SSH transmits a message after each key stroke. The timings between messages can be studied using Hidden Markov Models, and the authors estimate that it can be used to recover the password fifty times faster than a brute force attack.

Remailer systems can also be attacked via traffic analysis. If a message is observed going to a remailing server, and an identical length (if now anonymized) message is observed leaving that server shortly thereafter, a traffic analyst may be able (automatically) to pierce the anonymity of that sender by connecting the sender with the ultimate receiver. Several variations in remailer operation have been developed which can make such analysis much less informative.

Countermeasures

It is difficult to completely eliminate traffic analysis: "It is extremely hard to hide information such as the size or the timing of the messages. The known solutions require Alice to send a continuous stream of messages at the maximum bandwidth she will ever use...This might be acceptable for military applications, but it is not acceptable for most civilian applications." (Ferguson and Schneier, 2003).

The usefulness of traffic analysis can be reduced if traffic is faked or if traffic cannot be intercepted.

Both occurred in the period before the attack on Pearl Harbor.

• During the planning and rehearsal for the attack, very little interceptable traffic was generated. The ships, units, and commands involved were all in Japan and in touch by phone, courier, or even signal lamp. None of that traffic was interceptable, and so could not be analyzed.
• The espionage effort against Pearl Harbor before December didn't send an unusual number of messages; Japanese vessels regularly called in Hawaii and messages could be (and were) carried aboard by consular personnel. At least one such vessel carried some Japanese Navy Intelligence officers. Such messages cannot be analyzed. The consulate had every opportunity to hide intelligence reports to Tokyo in routine traffic from a busy consulate (see steganography). If undetected, this traffic cannot be analyzed either. A famous example, probably concealing something other than the surface content, was the intercepted phone conversation about flowers shortly before the 7th.
• The Japanese Navy played radio games to block traffic analysis (see Examples, below) with the attack force after it sailed in late November.
• Though not strictly related to traffic analysis limitations, it might be noted that those messages from the Hawaiian consulate (including some from Ensign Yoshikawa on Oahu) which were intercepted and decrypted didn't include clear evidence, or even mention, of a planned attack. They were evaluated as the usual intelligence every consulate routinely picked up and sent home. The only exception, a message sent on the 6th, was not decrypted until after the 7th.

Examples

• British analysts in WWI noticed that the call sign of German Vice Admiral Reinhard Scheer, commander of a nearby fleet, had been transferred to a different land-based station. A British Admiralty official dismissed the importance of the transfer, being ignorant of Scheer's practice of leaving his sign to a land station and taking a new one upon leaving harbor, and disregarding analysts attempts to make the point. The German fleet sortied, and the British were late in meeting them at the Battle of Jutland. Had traffic analysis been taken more seriously, the British might have done better than a 'draw'.

• In early WWII, the aircraft carrier HMS Glorious was evacuating pilots and planes from Norway. Traffic analysis produced indications that Scharnhorst and Gneisenau were moving into the North Sea, but the Admiralty dismissed the report as unproven. Glorious' Captain did not keep sufficient lookout, and Glorious was both surprised by them and sunk. Harry Hinsley, the young Bletchley Park liaison to the Admiralty, later said that his reports from the traffic analysts were taken much more seriously thereafter.

• Admiral Nagumo's Pearl Harbor Attack Force sailed under radio silence, with its radios physically locked down, and left its radio operators in Japan to simulate ordinary traffic for the benefit of listeners, as, in those days, an operator's 'fist' was individually recognizable. There was a famous exchange on December 2, 1941, five days before the Pearl Harbor attack, between Admiral Husband Kimmel, Pacific Fleet Commander, and his Intelligence Officer, Captain Edwin Layton. Kimmel remarked on the absence of information about Japanese aircraft carriers, and Layton explained that he didn't know where most of them were. Kimmel then asked whether they might be rounding Diamond Head! Layton replied that he didn't think so. Pearl Harbor was hit five days later.

See also

• SIGINT
• Anonymous remailer

References

• Ferguson, Niels, Schneier, Bruce. Practical Cryptography, 2003. p114. ISBN 0471223573.
• Dawn Xiaodong Song, David Wagner and Xuqing Tian, Timing Analysis of Keystrokes and Timing Attacks on SSH, 10th USENIX Security Symposium, 2001.