Communications - May 2011

with sufficient risk and/or value at stake will check such signatures, associate them with higher-level transactions, and log them for enough time to cover their risk. Building such a capability is straightforward using conventional digital signatures and some form of public-key infrastructure, albeit with some performance cost—and one significant drawback: complete lack of privacy.

Privacy requirements. The approach we’ve just described would allow anyone receiving such a packet to attribute its physical origin. There is also a history of vigorous opposition to such capabilities. For example, in early 1999, Intel Corporation announced that new generations of its popular Pentium microprocessors would include a new feature—the Processor Serial Number (PSN)—a per-processor unique identifier intended as a building block for future security applications. Even though this feature was completely passive, public-interest groups quickly identified potential risks to privacy stemming from an available globally unique identifier. In April 2000, Intel abandoned plans to include PSN in future versions of its microprocessors.

We thus posit another critical requirement for a practical forensics tool:

Privacy. To balance the need for forensic attribution against the public’s interest in privacy, packet signatures must be non-identifying, in a strong sense, to an unprivileged observer. Moreover, the signatures must not serve as an identifier (even an opaque one). As such, distinct packets sent from the same source must carry different signatures. Internet users should have at least the same expectation of anonymity they have today, except for authorized investigations.

A strawman solution to this problem is to digitally sign each packet using a per-source key that is in turn escrowed with a trusted third party. Indeed, the ill-fated Clipper chip used such an approach. If a single third party is not widely trusted (likely, given past experience), then the scheme may accommodate multiple third parties responsible for different sets of machines and/or a secret sharing approach in which multiple third parties collaborate to gener-

unlike physical
evidence (such as
fingerprints and
Dna), digital objects
are, prima facie,
not unique.

ate the keying material to validate the origin of a signature; for example, in the U.S., both the Department of Justice and the American Civil Liberties Union might be required to agree an investigation is warranted. However, this approach also involves a critical vulnerability. Since, by design, a normal observer cannot extract information from a packet signature, nothing prevents adversaries from incorrectly signing their packets, or random “signatures.” Any attempt at post-hoc authentication is useless. Thus, to be practical, our attribution architecture is motivated by a final requirement:

Attributability. To enforce the attribution property, any observer on the network must be empowered to verify a packet signature—to prove that the packet could be attributed if necessary, though the process of performing the proof must not reveal any information about the physical originator itself. This requirement has a natural fate-sharing property, since choosing to verify a packet is made by the recipient with a future interest in having an attribution capability.

Remaining challenges. As important as our design goals are, so, too, are our non-goals—what we do not attempt to accomplish. For one, our work is not designed to address IP-address spoofing. While there is operational value in preventing spoofing or allowing easier filtering of DDoS attacks, the virtual nature of IP addresses makes them inherently ill-suited for forensic purposes. More significant, our work is limited to attributing the physical machine that sent a particular packet and not necessarily the complete causal chain of events leading to the packet being generated. This distinction is common to most kinds of forensic investigations (such as unraveling offshore shell accounts in forensic accounting or insider communication in securities fraud investigations) but can manifest easily in the Internet context; for example, an attack might be laundered through one or more intermediate nodes, either as part of a legitimate anonymizing overlay network (such as Tor) or via proxies installed on compromised hosts, botnets, or other intermediaries.