1 Introduction

Data in transit, or network traffic, can be eavesdropped on and potentially leak sensitive information. This information can be in the form of the payload (the message being transmitted), headers (which contain information about the sender and receiver), or metadata (protocol information about the packet). To prevent information leakage, various technologies exist that encrypt the payload and headers, such as MACsec, IPsec, and TLS. However, it is more challenging to protect metadata, as it involves hiding more than just the contents of the packet. Techniques to hide metadata include obfuscating packet sizes, timing, and path, but these methods often come with trade-offs, such as increased latency or decreased network performance. Therefore, it is essential to consider data security in transit and implement appropriate measures to prevent unauthorized access and information leaks.

2 Analysis

2.1 Definition

Data in transit (i.e., network traffic) is susceptible to eavesdropping and can leak information through the following channels:

  • Payload: The packet payload contains the message transmitted (e.g., parts of a website or email).

  • Headers: The packet headers contain the information required to deliver the packet to the correct destination and to let the receiving application parse it correctly. Packet headers, therefore, contain information about the sender and receiver of a packet (e.g., their IP and MAC addresses) as well as information about the user application and protocol.

  • Metadata: In network traffic, metadata is normally understood as the protocol information, including the packet headers. Here, however, the term refers to information that is not contained in the packet itself but can be observed when recording it (e.g., the packet size or the time at which it was received). If a packet is observed at multiple locations, this reveals additional information (e.g., the path the packet takes through the network).

For an eavesdropper, extracting information from unprotected headers and payloads is easy. Nevertheless, even if headers and payloads are protected (i.e., encrypted), several so-called traffic-analysis attacks can infer sensitive information based on traffic metadata.

For each of these information channels, there exist technologies to prevent the leakage:

Protecting Payload and Headers

The usual approach to protecting the payload and packet headers is to encrypt them. To do so, various protocols exist that encrypt data on different layers (not only the payload but also some headers). Widely used protocols include MACsec, IPsec, and TLS, which are explained in more detail below.

  • MACsec (Medium Access Control security) [1]: Operates on the link layer and encrypts packets between (layer 2) switches. MACsec encrypts the entire packet, including all headers except the source and destination addresses in the link layer (i.e., the source and destination MAC address). MACsec is typically used to protect individual links in a local area network (LAN) or wide area network (WAN) against eavesdropping.

  • IPsec (Internet Protocol Security) [2]: Operates on the network layer and can be used in two modes: transport mode and tunnel mode. In transport mode, IPsec encrypts the payload of the IP layer (i.e., the headers of the transport-layer protocol and packet payloads). In tunnel mode, IPsec creates a tunnel from the sender to a destination and encrypts the IP header and its payload. To do so, it encapsulates the original IP packet within a new IP packet whose destination address is the tunnel’s endpoint, thereby revealing the IP addresses of both ends of the tunnel. IPsec is typically used to create tunnels between locations connected over an untrusted network (e.g., the Internet). For more information about tunnels and so-called Virtual Private Networks (VPNs), see Chap. 26.

  • TLS (Transport Layer Security) [3]: Operates on the transport layer and encrypts only its payload. Therefore, it does not hide other packet headers such as the source and destination IP addresses. TLS is used for many applications, but its most well-known use case is web browsing over HTTPS.

Protecting Metadata

Hiding packet metadata is more difficult than hiding packet contents because it involves more than just encrypting the traffic. Completely hiding metadata is often impossible because packets need to be sent at some point. Several options exist:

  • Obfuscating packet sizes: Obfuscating the size of packets or flows can be achieved by adding padding to the original contents of a packet or by splitting one packet into multiple fragments. For example, IPsec and TLS allow adding a random amount of padding to each packet before encrypting it to conceal its real size. However, it has been shown that this padding is too little to prevent traffic-analysis attacks [4].

  • Obfuscating packet timing: Obfuscating the timing of packets can be achieved by delaying the sending time of a packet. However, this inevitably leads to an increase in latency and, therefore, a decrease in network performance. Therefore, systems to hide the timing mainly exist as prototypes presented in research papers (e.g., [4,5,6]), and are rarely used in practice.

  • Obfuscating packet paths: Obfuscating the path of packets can be achieved by re-encrypting the packet multiple times while it crosses the network. The most well-known technique to do this is onion routing and its implementation in the Tor network. However, re-encrypting packets alone is not enough; packet timings and sizes need to be concealed, too, in order to prevent correlation attacks such as the ones discussed in [7].

Reliably preventing traffic analysis attacks based on metadata requires making the traffic that crosses the network independent of the actual production traffic in terms of packet size, timing, and contents. This can be achieved by reshaping and encrypting production traffic such that it is sent at a fixed rate, and the encryption makes packets indistinguishable from each other.

Unfortunately, preventing traffic analysis attacks typically adds large amounts of overhead in terms of additional delays, packet padding, and cover traffic and, therefore, often comes at the cost of throughput decrease or latency increase.
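As an added illustration of the trade-off described above (this is example code, not part of the original report), the following Python simulation pads packets to fixed-size cells and re-emits them at a constant rate, inserting dummy cells when no production traffic is queued. The packet trace, cell size, and sending interval are constructed values chosen for the example; the returned figures make the padding overhead and added delay explicit.

```python
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class Packet:
    t: float   # arrival time in milliseconds
    size: int  # payload length in bytes

# Constructed sample trace (not captured traffic): a small bursty, web-like exchange.
PRODUCTION: List[Packet] = [Packet(0.0, 120), Packet(0.5, 1400), Packet(0.6, 1400),
                            Packet(1.0, 90), Packet(7.0, 1400), Packet(7.1, 300)]

def pad_to_cell(size: int, cell: int = 1400) -> int:
    """Round a packet size up to a multiple of the cell size, so an observer
    only learns a coarse size bucket instead of the exact length."""
    return -(-size // cell) * cell

def shape_constant_rate(packets: List[Packet], cell: int = 1400, interval: float = 1.0,
                        tail: float = 4.0) -> Tuple[List[Tuple[float, str]], float, int, int]:
    """Re-emit the trace as fixed-size cells, one every `interval` ms.
    A cell carries queued production bytes when available and dummy (cover)
    bytes otherwise, so the wire shows a constant stream regardless of load.
    Returns (cells, max_delay_ms, bytes_on_wire, useful_bytes)."""
    queue: List[List[float]] = []   # [arrival_time, remaining_bytes] per queued packet
    cells: List[Tuple[float, str]] = []
    idx, t, useful, max_delay = 0, 0.0, 0, 0.0
    horizon = packets[-1].t + tail  # keep sending cover traffic for a while after the last packet
    while t <= horizon or queue or idx < len(packets):
        while idx < len(packets) and packets[idx].t <= t:   # admit packets that have arrived by now
            queue.append([packets[idx].t, packets[idx].size])
            idx += 1
        room = cell
        while queue and room > 0:                          # fill the cell from the head of the queue
            take = min(int(queue[0][1]), room)
            room -= take
            useful += take
            queue[0][1] -= take
            if queue[0][1] == 0:                           # packet fully sent: record its queueing delay
                max_delay = max(max_delay, t - queue[0][0])
                queue.pop(0)
        cells.append((t, "data" if room < cell else "dummy"))
        t += interval
    return cells, max_delay, len(cells) * cell, useful
```

With the constructed trace, 4710 useful bytes become 16800 bytes on the wire and the slowest packet waits 2 ms, which is the overhead the paragraph above refers to.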

2.2 Trends

The percentage of encrypted network traffic has risen continuously in recent years, and we expect this trend to continue in the coming years.

A major driving factor for this is that the “Let’s Encrypt” certification authority [8] allows everyone to obtain TLS certificates for free. This led to a rapid increase in the websites reachable over encrypted connections, i.e., over HTTPS. In addition, website operators are further incentivized to deploy TLS because it leads to a better ranking in the Google search results [9].

In addition, QUIC, a new transport-layer protocol, was standardized in 2021 [10]. In contrast to TCP and UDP, QUIC is encrypted by default and provides better performance and reliability than TCP and UDP. Google initially introduced it and supports it in its products, but other platforms and services now support it as well.

TLS and QUIC are increasingly used to encrypt traffic that was traditionally not encrypted. For example, DNS queries are now sent over encrypted channels.

3 Consequences for Switzerland

Popular websites and services in Switzerland enforce encrypted connections, which leads to most web traffic in Switzerland being encrypted. In addition, the major Swiss web hosting providers support TLS encryption for their customers’ websites free of charge and with an easy setup, further increasing the percentage of encrypted traffic.

On the other hand, measures to protect metadata are not widespread in Switzerland, leaving network traffic vulnerable to traffic-analysis attacks. However, these attacks currently exist primarily as research prototypes.

3.1 Implementation Possibilities: Make or Buy

Buy: The widely available secure transport protocols and their implementations in popular libraries should be used for encryption.

Make: For sensitive environments, the benefits of metadata protection schemes outweigh their potential costs (e.g., additional overhead). Unfortunately, there is no widespread solution here, and it would be necessary to develop a new solution for Switzerland’s use case (e.g., based on research projects from Swiss universities [5, 6, 11, 12]).

4 Conclusion

Unprotected traffic allows an eavesdropper to learn sensitive information about ongoing communication. To mitigate this, there exist many communication protocols that encrypt traffic on different layers. These protocols (MACsec, IPsec, and TLS) are widely used today and achieve good security for network traffic. However, even if traffic is encrypted, it leaks information through its metadata. Preventing this is more challenging, leads to more communication overhead, and is rarely done today.