.comment-link {margin-left:.6em;}


Newsbyteblog: the blog of newsbyte regarding all things IT, free speech, copyright and patents and other things deemed interesting.

Monday, May 23, 2005

Fingerprinting in Cyberspace

Since I'm all for open debate, I want to assure those that have commented, that I will try to respond in a not too far future.:-)

But first, I want to talk about something that cought my eye not long ago.

In the eternal cat&mouse game of those trying to make computers or communication safe, secure and anonymous, and those that try to break it, the latter have just got a considerable powerful tool.

It seems that a student by the name of Tadayoshi Kohno of the university of California has developed a way to identify a computer, regardless whether it is NATted or behind a firewall, and regardless what IP that computer uses or shows.

While at first the usual reaction would be disbelief, it seems he actually has a working way of doing exactly what he claims. However, it should be noted, that what he discribes in his paper as 'unique identification' is, in the context used, NOT about the geographical position of the computer. Thus, it is not knowing where, exactly, the computer is, it is rather knowing which (among the many) computer it is. Some might think: "so, what, that is not much more information than can be gathered from the IP of a machine", but this is not competely true.

His system, basically, works with the so-called 'Clock-skew' and goes way beyond what is possible with server-fingering or portscans and the like. Rather, it is a remote way of doing forensic research, using forensic techniques. His particular technique is based on how the TCP protocol works when used on the internet. Tcp tries to make use of the Net as efficiently as possible (for its protocol), but this is not an easy task, because it has to 'guess' how many bytes can be send to a random receiver - but this is, obviously, also dependent on the load of the network. The way it does that, is by starting slow and then going faster and faster, untill it goes wrong; then it takes a step back. Another way it does that is by using rfc 1332, which consists of two parts, one of which is a time-stamp. It is exactly that time-stamp that is the weak spot used in the method of Yoshi.

When one sends a tcp-packet, this packet receives a timestamp, after which the receiver, when the request is acknowledged, resends the original timestamp. That way, the sender can easily determine the time it took for it to arrive at the receiver, and how long it took to get back (RTT). This system is used to determine how fast data can be transmitted, and is a normal practise of the internet-workings. However, the timestamps are based on the clock of the computer who sends it, and there is where the problem lies: *every* clock in *every* computer around the world has a deviance. This is called the clock-skew, and even when it is a minute difference, it is still detectable, and what's more, the exact aumount of time it deviates turns out to be as telling as a fingerprint, and thus one can identify the sender (at least his computer).

This has big implications, because, wherever one uses his laptop/PC when connecting to the Net, even when doing so in Japan and the next day in the USA, BOTH times it is recognised as being exactly the same computer. It also means that, whether you are behind a firewall or NAT, it STILL sends the timestamps with the ICP-packets, and thus, your computer can STILL be uniquely identified. Which can have enormous consequences for systems that rely on anonimity, because, when requesting something, even if it is routed through another computer, it is still possible to identify the exact computer that requested whatever it was that it requested. At least for a system relying on 'reasonable deniability', such as Freenet, this is a great potential threat: obviously, if your computer can be uniquely identified as the one that requested something, you have *no* deniability left whatsoever.


Anonymous Anonymous said...

Ok, but you could use something on the low level to alter the timestamp, couldn't you? Basically spoofing the timestamp. Just a thought. Your views?

4:10 AM  
Anonymous nextgens said...

No, you can't as it relies on the low level IP stack of your OS...

It can be interresting to fingerpring idle computers but I don't think "loaded" ones are vulnerable.

Moreover, as freenet is using the CPU intensivly, I don't think a node could be fingerprinted this way... and even, in freenet topology, there is a NEW connection between each pear : no routing/nating is done. So basicaly, you can fingerprint only peers you are connected with ;)

6:36 PM  

Post a Comment

<< Home