Length Hiding VPN to Mitigate Compression Side-Channel and Traffic Analysis Attacks


Published Date

2017-12

Type

Thesis or Dissertation

Abstract

Internet traffic is more voluminous than ever before in history. Data transmission over a network involves a trade-off between efficiency and security. On the one hand, compressing data can increase efficiency if it leads to fewer bytes being sent, but this makes the traffic susceptible to compression side-channel attacks. On the other hand, choosing not to compress makes the traffic immune to such attacks but fails to maximize efficiency. CRIME and BREACH are two compression side-channel attacks. These attacks exploit the property of dictionary compression, where an increase in redundancy in data leads to better compression. In addition to these, there are indirect attacks that can identify user behavior even though the traffic is encrypted. These attacks, known as traffic analysis (TA) attacks, identify user behavior based on traffic properties such as bandwidth, packet sizes, inter-packet arrival time and total time for data transfer. The aforementioned attacks deter, or may deter, applications from using compression for data being transferred over the network. Although disabling compression is the safer option, it decreases the efficiency of data transfer, with effects more pronounced in low-bandwidth networks. In this work, we try to improve the security-efficiency trade-off in the implementation of a VPN. To boost efficiency, we compress within the VPN so that the data might be available sooner at either end. Following compression, we use a padding scheme for traffic to hide user behavior, which attempts to maintain a fixed throughput irrespective of the compressibility of the data being sent or whether the user is active or idle. The VPN was tested using various data sets: 100 MB each of Google, Facebook and YouTube data, which represent different degrees of compressibility of data (from most to least compressible). With compression enabled, Google, Facebook and YouTube data transferred in 39%, 70.6% and 94.4%, respectively, of the time it took to send them with compression disabled, while maintaining a consistent throughput of approximately 6.3 megabits/second. These results clearly show that even with a fixed throughput, data transmission is more efficient with compression enabled. The changes made in order to mitigate TA attacks led to improvement in overall traffic characteristics by hiding more information than before, but they still reveal some information.
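The compress-then-pad idea described in the abstract can be illustrated as follows. This is an added example, not code from the thesis: the frame size, the two-byte length header, the one-frame-per-tick model and all function names are assumptions, and encryption of the frames is left out.

```python
import hashlib
import struct
import zlib

FRAME_SIZE = 1024                  # assumed fixed on-wire frame size in bytes
HEADER = struct.Struct("!H")       # assumed header: count of real bytes in frame
CAPACITY = FRAME_SIZE - HEADER.size

def to_frames(data: bytes, compress: bool) -> list:
    """Optionally compress, then cut into equal-size, zero-padded frames.
    A real tunnel would encrypt each frame so padding is indistinguishable."""
    body = zlib.compress(data) if compress else data
    frames = []
    for off in range(0, len(body), CAPACITY):
        chunk = body[off:off + CAPACITY]
        frames.append(HEADER.pack(len(chunk)) + chunk.ljust(CAPACITY, b"\0"))
    return frames

def idle_frame() -> bytes:
    """Cover frame for an idle tick: same size, zero real bytes."""
    return HEADER.pack(0) + bytes(CAPACITY)

def from_frames(frames, compressed: bool) -> bytes:
    """Strip padding using the header, drop idle frames, then decompress."""
    body = b"".join(f[HEADER.size:HEADER.size + HEADER.unpack_from(f)[0]]
                    for f in frames)
    return zlib.decompress(body) if compressed else body

def ticks_needed(data: bytes, compress: bool) -> int:
    """One frame leaves per tick, so frame count stands in for transfer time."""
    return len(to_frames(data, compress))

# Constructed sample inputs: highly redundant markup vs. hash output
# (hash output stands in for already-compressed media).
REDUNDANT = b"<div class='result'>search result</div>\n" * 1500
INCOMPRESSIBLE = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                          for i in range(1875))

if __name__ == "__main__":
    for name, data in (("redundant", REDUNDANT), ("incompressible", INCOMPRESSIBLE)):
        print(name, "ticks without compression:", ticks_needed(data, False),
              "with:", ticks_needed(data, True))
```

Every frame on the wire has the same size, so compressibility no longer shows up as packet length; it shows up only as how many ticks the transfer occupies, which is the residual signal a fixed-rate sender with idle cover frames is meant to mask.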

Description

University of Minnesota M.S. thesis. December 2017. Major: Computer Science. Advisor: Peter Peterson. 1 computer file (PDF); vii, 58 pages.

Suggested citation

Gupta, Ankit Anand. (2017). Length Hiding VPN to Mitigate Compression Side-Channel and Traffic Analysis Attacks. Retrieved from the University Digital Conservancy, https://hdl.handle.net/11299/194657.
