Randomness of Encrypted Network Traffic
Category: Network security
Location: Zurich/Thun/Lausanne
Contact:
Martin Burkhart, Bernhard Tellenbach
Background
Application activity in networks is often monitored for network management and security purposes. While the increasing use of network traffic encryption, e.g. using TLS, benefits confidentiality, it complicates the classification of application traffic in the network. In theory, a good encryption algorithm should produce ciphertexts that look random and hence make all applications look similar on the network layer. Yet some researchers claim that the randomness of widespread ciphers is not as good as expected (1,2). They identified differences due to the use of different cipher algorithms (e.g., AES-GCM, AES-CBC, ChaCha20, ARC4, 3DES), key lengths and library versions. Since applications use different cipher configurations, the researchers claim, this makes them detectable even in encrypted traffic.
Goal of the project
The goal of this thesis is to confirm or refute the claim of suboptimal randomness in encrypted network traffic. Statistical tests used by NIST to scrutinize random number generators (3) should be used to analyze the randomness of various ciphers and quantum random sources (4). In a test setup, traffic from real applications should be captured and analyzed. Differences between lab setups and real network conditions should be explored: How do platform environments (e.g., encryption services on Android) and modern protocols such as HTTP/3 influence results? What is the impact of the application protocol that is encrypted (e.g., video streaming versus small infrequent messages)? Could this be used to detect different VPN solutions?
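As an added illustration (not part of the project description and not code from the supervisors), the sketch below implements two tests from the NIST SP 800-22 suite, the frequency (monobit) test and the runs test, over the bits of a payload. It assumes SP 800-22 is the suite meant by reference (3); the function names, the sample payloads and the SHA-256 counter stream standing in for ciphertext are constructed for the example.

```python
import hashlib
import math

ALPHA = 0.01  # significance level suggested in NIST SP 800-22


def bits_of(payload: bytes) -> list:
    """Expand bytes into a list of bits, most significant bit first."""
    return [(byte >> shift) & 1 for byte in payload for shift in range(7, -1, -1)]


def monobit_p(bits) -> float:
    """Frequency test: are ones and zeros about equally frequent?"""
    s_n = sum(2 * b - 1 for b in bits)  # +1 per one, -1 per zero
    return math.erfc(abs(s_n) / math.sqrt(len(bits)) / math.sqrt(2))


def runs_p(bits) -> float:
    """Runs test: does the sequence switch between 0 and 1 at a plausible rate?"""
    n = len(bits)
    pi = sum(bits) / n
    if abs(pi - 0.5) >= 2 / math.sqrt(n):  # prerequisite: frequency must be sane
        return 0.0
    v_obs = 1 + sum(a != b for a, b in zip(bits, bits[1:]))  # number of runs
    return math.erfc(abs(v_obs - 2 * n * pi * (1 - pi))
                     / (2 * math.sqrt(2 * n) * pi * (1 - pi)))


def assess(payload: bytes) -> dict:
    """Return both p-values; a value below ALPHA rejects 'looks random'."""
    bits = bits_of(payload)
    result = {"monobit": monobit_p(bits), "runs": runs_p(bits)}
    result["looks_random"] = min(result.values()) >= ALPHA
    return result


def stand_in_ciphertext(n_bytes: int) -> bytes:
    """Constructed sample: SHA-256 in counter mode, NOT a real cipher capture."""
    blocks = (hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(n_bytes // 32 + 1))
    return b"".join(blocks)[:n_bytes]


if __name__ == "__main__":
    samples = {  # all constructed for this example
        "plaintext HTTP": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n" * 40,
        "alternating bits": b"\x55" * 2048,
        "stand-in ciphertext": stand_in_ciphertext(2048),
    }
    for name, payload in samples.items():
        print(name, assess(payload))
```

The alternating-bit payload shows why a single test is not enough: it is perfectly balanced and passes the frequency test, yet the runs test rejects it. SP 800-22 recommends at least 100 bits per sequence for both tests, so very short payloads should be concatenated per flow before testing.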
Tasks
- Literature review on the state of the art in encrypted traffic analysis.
- Read up on statistical randomness testing.
- Measure randomness of widely used ciphers.
- Perform experiments with real network traffic to see if results hold in practice. A traffic analyzing pipeline developed in previous theses can be used as a starting point.
- Review the randomness claims made in literature.
Requirements
- Knowledge of networks and internet protocols (HTTPS, TLS, TCP)
- Strong interest in network security and monitoring
- Experience with network traffic analysis is a plus
- Experience with efficient processing of big data is a plus
- Willingness to learn the additional skills
Supervision
- Martin Burkhart
- Bernhard Tellenbach