Side channel attack against encrypted tunnels (OpenVPN, SSH, HTTPS,..)

[OpenSourcerer 1359]

Security researchers have developed an application called pacumen to analyze encrypted traffic. With the information provided by it an attacker can find out if a certain (specified) application is communicating behind an encrypted connection. This analysis technique is called a side channel attack.

 

In pacumen, you create a classifier (detection rules for the application you'd like to uncover in the traffic) and a pcap file with sniffed traffic (preferably covering hours of length). It then starts analyzing it and calculates a value, representing the similarity of the analyzed traffic with the specified rules.

For example: The researchers tried to uncover usage of Skype inside an SSH tunnel and were quite successful. The same thing can be done with any other protocol, let's say, to see if some user is using Facebook over HTTPS. Or identifying BitTorrent inside OpenVPN.

China and Iran could theoretically use it to uncover OpenVPN over SSH/SSL.

 

Countermeasures are padding of all packets and/or sending contant dummy packets. Note that both of them would lower performance of tunnels drastically.