Infranet Cir cumv enting eb Censorship and Sur eillanc - PDF document

Infranet:CircumventingWebCensorshipandSurveillanceNickFeamster,MagdalenaBalazinska,GregHarfst,HariBalakrishnan,DavidKargerMITLaboratoryforComputerSciencefeamster,mbalazin,gch,hari,karger
@lcs.mit.eduhttp://nms.lcs.mit.edu/projects/infranetAbstractAnincreasingnumberofcountriesandcompaniesrou-tinelyblockormonitoraccesstopartsoftheInternet.Tocounteractthesemeasures,weproposeInfranet,asys-temthatenablesclientstosurreptitiouslyretrievesensitivecontentviacooperatingWebserversdistributedacrosstheglobalInternet.TheseInfranetserversprovideclientsac-cesstocensoredsiteswhilecontinuingtohostnormalun-censoredcontent.Infranetusesatunnelprotocolthatpro-videsacovertcommunicationchannelbetweenitsclientsandservers,modulatedoverstandardHTTPtransactionsthatresembleinnocuousWebbrowsing.Intheupstreamdirection,InfranetclientssendcovertmessagestoInfranetserversbyassociatingmeaningtothesequenceofHTTPrequestsbeingmade.Inthedownstreamdirection,Infranetserversreturncontentbyhidingcensoreddatainuncen-soredimagesusingsteganographictechniques.Wedescribethedesign,aprototypeimplementation,securityproperties,andperformanceofInfranet.OursecurityanalysisshowsthatInfranetcansuccessfullycircumventseveralsophisti-catedcensoringtechniques.1IntroductionTheWorldWideWebisaprimefacilitatoroffreespeech;manypeoplerelyonittovoicetheirviewsandtogainaccesstoinformationthattraditionalpublishingvenuesmaybeloathtopublish.However,overthepastfewyears,manycountries,politicalregimes,andcorporationshaveat-temptedtomonitorandoftenrestrictaccesstoportionsoftheWebbyclientswhousenetworkstheycontrol.Manyoftheseattemptshavebeensuccessful,andtheuseoftheWebasafree-owingmediumforinformationexchangeisbeingseverelycompromised.SeveralcountrieslterInternetcontentattheirborders,fearfulofalternatepoliticalviewsorexternalinuences.Forexample,Chinaforbidsaccesstomanynewssitesthathavebeencriticalofthecountry'sdomesticpolicies.SaudiArabiaiscurrentlysolicitingcontentltervendorstohelpblockaccesstositesthatthegovernmentdeemsinappro-priateforpoliticalorreligiousreasons[10].Germanycen-sorsallNazi-relatedmaterial.Australia'slawsbanpornog-raphy.Inaddition,Internetcensorshiprepeatedlythreat-enstocrosspoliticalboundaries.Forexample,theU.S.SupremeCourtrecentlyrejectedFrance'srequesttocensorNazi-relatedmaterialonYahoo'ssite[12].Censorshipandsurveillancealsoextendintofreeenterprise,withseveralcompaniesintheU.S.reportedlyblockingaccesstositesthatarenotrelatedtoconductingbusiness.Inadditiontoblockingsites,manycompaniesroutinelymonitortheirem-ployees'Websurnghabits.Thispaperfocusesonthechallengingtechnicalprob-lemsofcircumventingWebcensorshipandlargelyignoresthemanyrelatedpolitical,legal,andpolicyissues.Inpar-ticular,weinvestigatehowtoleverageWebcommunicationwithaccessibleserversinordertosurreptitiouslyretrievecensoredcontent,whilesimultaneouslymaintainingplausi-bledeniabilityagainstreceivingthatcontent.Tothisend,wedevelopacovertcommunicationtunnelthatsecurelyhidestheexchangeofcensoredcontentinnormal,innocu-ousWebtransactions.Oursystem,calledInfranet,consistsofrequestersandresponderscommunicatingoverthiscoverttunnel.Are-quester,runningonauser'scomputer,rstusesthetunneltorequestcensoredcontent.Uponreceivingtherequest,theresponder,astandardpublicWebserverrunningInfranetsoftware,retrievesthesoughtcontentfromtheWebandre-turnsittotherequesterviathetunnel.1ThecoverttunnelprotocolbetweenanInfranetrequesterandrespondermustbedifculttodetectandblock.Morespecically,acensorshouldnotbeabletodetectthataWebserverisanInfranetresponderorthataclientisanIn-1Weusetheterms“requester”and“responder”ratherthanthemoretraditional“client”and“server”toavoidconfusionwithWebclients(“browsers”)andWebservers.Wealsoconsideredanumberoftermslike“proxy”,“gateway”,“front-end”,etc.,butrejectedthemforsimilarreasons. franetrequester.NothingintheirHTTPtransactionsoughttoarousesuspicion.TheInfranettunnelprotocolusesnoveltechniquesforcovertupstreamcommunication.Itmodulatescovertmes-sagesonstandardHTTPrequestsforuncensoredcon-tentusingacondentiallynegotiatedfunctionwhichmapsURLstomessagefragmentsthatcomposerequestsforcen-soredcontent.Fordownstreamcommunication,thetunnelprotocolleveragesexistingdatahidingtechniques,suchassteganography.Whilesteganographyprovideslittledefenseagainstcertainattacks,wearecondentthattheideaswepresentcanbeusedinconjunctionwithotherdatahidingtechniques.Themainchallengeinthedesignofthetunnelprotocolisensuringcovertnesswhileprovidingalevelofperformancesuitableforinteractivebrowsing.Furthermore,thetunnelprotocolmustdefendagainstacensorcapableofpassiveat-tacksbasedonloggingalltransactionsandpackets,activeattacksthatmodifymessagesortransactions,andimper-sonationattackswheretheadversarypretendstobealegit-imateInfranetrequesterorresponder.Oursecurityanaly-sisindicatesthatInfranetcansuccessfullycircumventsev-eralsophisticatedcensoringtechniques,includingvariousactiveandpassiveattacks.Oursystemhandlesalmostallofthesethreatswhileachievingreasonableperformance.Thisisachievedbytakingadvantageoftheasymmetricband-widthrequirementsofWebtransactions,whichrequiresig-nicantlylessupstreambandwidththandownstreamband-width.Toassessthefeasibilityofourdesign,weimplementedanInfranetprototypeandconductedaseriesoftestsusingclient-sideWebtracestoevaluatetheperformanceofoursystem.OurexperimentalevaluationshowsthatInfranetprovidesacceptablebandwidthforcovertWebbrowsing.Ourrange-mappingalgorithmforupstreamcommunicationallowsarequestertoinnocuouslytransmitahiddenrequestinanumberofvisibleHTTPrequeststhatisproportionaltothebinaryentropyofthehiddenrequestdistribution.FortwotypicalWebsitesrunningInfranetresponders,wendthatarequesterusingrange-mappingcanmodulate50%ofallrequestsforhiddencontentin6visibleHTTPrequestsorfewerand90%ofallhiddenrequestsin10visibleHTTPre-questsorfewer.UsingtypicalWebimages,ourimplemen-tationofdownstreamhidingtransmitsapproximately1kBofhiddendatapervisibleHTTPresponse.2RelatedWorkManyexistingsystemsseektocircumventcensorshipandsurveillanceofInternettrafc.Anonymizer.comprovidesanonymousWebsessionsbyrequiringuserstomakeWebrequeststhroughaproxythatanonymizesuser-specicinformation,suchastheuser'sIPaddress[2].ThecompanyalsoprovidesaproductthatencryptsHTTPre-queststoprotectuserprivacy;ZeroKnowledgeprovidesasimilarproduct[24].SquidisacachingWebproxythatcanbeusedasananonymizingproxy[21].Theprimaryshortcomingoftheseschemesisthatawell-knownproxyissubjecttobeingblockedbyacensor.Additionally,theuseofanencryptedtunnelbetweenauserandtheanonymizingproxy(e.g.,portforwardingoverssh)engenderssuspicion.Becausecensoringorganizationsareactivelydiscover-ingandblockinganonymizingproxies,SafeWebhaspro-posedaproductcalledTriangleBoy,apeer-to-peerappli-cationthatvolunteersrunontheirpersonalmachinesandthatforwardsclients'WebrequeststoSafeWeb'sanonymiz-ingproxy[19,27].SafeWebrecentlyformedanalliancewiththeVoiceofAmerica[28],whosemissionistoen-ableChineseInternetuserstogainaccesstocensoredsites.However,TriangleBoyhasseveraldrawbacks.First,theencryptedconnectiontoamachinerunningTriangleBoyissuspiciousandcanbetriviallyblockedsinceSSLhandshak-ingisunencrypted.Second,SafeWeb'sdependenceonanencryptedchannelforcondentialitymakesitsusceptibletotrafcanalysis,sinceWebsitengerprintingcanexposetheWebsitesthatauserrequests,eveniftherequestitselfisen-crypted[7].Third,SafeWebisvulnerabletoseveralattacksthatallowanadversarytodiscovertheidentityofaSafeWebuser,aswellaseveryWebsitevisitedbythatuser[11].PeekabootyalsoattemptstocircumventcensoringrewallsbysendingSSL-encryptedrequestsforcensoredcontenttoathirdparty,butitsrelianceonSSLalsomakesitsuscepti-bletotrafcanalysisandblockingattacks[26].Varioussystemshaveattemptedtoprotectanonymityforuserswhopublishandretrievecensoredcontent.InCrowds,usersjoinalarge,geographicallydiversegroupwhosememberscooperateinissuingrequests,thusmak-ingitdifculttoassociaterequestswiththeoriginatinguser[18].Onionroutingalsoseparatesrequestsfromtheuserswhomakethem[25].Publius[30],Tangler[29],andFreeHaven[4]focusonprotectingtheanonymityofpub-lishersofcensoredcontentandthecontentitself.Freenetprovidesanonymouscontentstorageandretrieval[3].Infranetaimstoovercomecensorshipandsurveillance,butalsoprovidesplausibledeniabilityforusers.InadditiontoestablishingasecurechannelbetweenusersandInfranetresponders,oursystemcreatesacovertchannelwithinHTTP,i.e.,acommunicationchannelthattransmitsinfor-mationinamannernotenvisionedbytheoriginaldesignofHTTP[9].Incontrastwithtechniquesthatattempttoover-comecensorshipusingacondentialchannel(e.g.,usingSSL,whichistrivialtodetectandblock)[19,23,24,26],ourapproachissignicantlyhardertodetectorblock.Tobeeffectiveagainstblocking,aschemeforcircumventingcensorshipmustbecovertaswellassecure. Infranet\rRequester\rInfranet\rResponder\rUser\rWeb\rBrowser\rOrigin\rWeb\rServer\rCommunication Tunnel\rCensor\rVisible HTTP\rReq/\rHidden msg\rStandard\rHTTP\rVisible HTTP\rResp/\rHidden content\rVisible HTTP\rResp/\rHidden content\rVisible HTTP\rReq/\rHidden msg\rUser Machine\rFigure1.Infranetsystemarchitecture.3SystemArchitectureThissectionpresentsInfranet'sdesignconsiderationsandsystemarchitectureandgivesanoverviewofthesys-tem'scommunicationprotocols.3.1TerminologyFigure1showsthesystemarchitectureofInfranetandintroducesrelevantterminology.UserssurfWebcontentasusualviaaWebbrowser.Toretrievecensoredcontent,thebrowserusesasoftwareentitythatrunsonthesamehost,calledtheInfranetrequester,asitslocalproxy.TheIn-franetrequesterknowsaboutoneormoreInfranetrespon-ders,whichareWebserversintheglobalInternetthatim-plementadditionalInfranetfunctionality.TheideaisfortheWebbrowsertorequestcensoredcontentviatheIn-franetrequester,whichinturnsendsamessagetoanIn-franetresponder.TheresponderretrievesthiscontentfromtheappropriateoriginWebserverandreturnsittothere-quester,whichdeliverstherequestedcontenttothebrowser.Therequesterandrespondercommunicatewitheachotherusingacoverttunnel.Technically,Infranetinvolvesthreedistinctfunctions—issuingahiddenrequest,decodingthehiddenrequest,andservingtherequestedcontent.Werstdescribeasystemwherebytheresponderperformsthelattertwofunctions.WedescribeadesignenhancementinSec-tion8wherebyanuntrustedforwardercanforwardhiddenrequestsandservehiddencontent,therebymakingitmoredifcultforacensortoblockaccesstothesystem.ThecensorshowninFigure1mighthaveawiderangeofcapabilities.Ataminimum,thecensorcanblockspecicIPaddresses(e.g.,ofcensoredsitesandsuspectedInfranetresponders).Morebroadly,thecensormighthavethecapa-bilitytoanalyzelogsofallobservedWebtrafc,oreventomodifythetrafcitself.Thelong-termsuccessofInfranetdependsonthewidespreaddeploymentofInfranetrespondersintheInter-net.OnewayofachievingthismightbetobundlerespondersoftwarewithstandardWebserversoftware(e.g.,Apache).Hopefully,asignicantnumberofpeoplewillrunInfranetrespondersduetoaltruismorbecausetheybelieveinfreespeech.3.2DesignGoalsWedesignedInfranettomeetanumberofgoals.Or-deredbypriority,thegoalsare:1.DeniabilityforanyInfranetrequester.ItshouldbecomputationallyintractabletoconrmthatanyindividualisintentionallydownloadinginformationviaInfranet,ortodeterminewhatthatinformationmightbe.2.Statisticaldeniabilityfortherequester.EvenifitisimpossibletoconrmthataclientisusingInfranet,anad-versarymightnoticestatisticalanomaliesinbrowsingpat-ternsthatsuggestaclientisusingInfranet.Ideally,anIn-franetuser'sbrowsingpatternsshouldbestatisticallyindis-tinguishablefromthoseofnormalWebusers.3.Respondercovertness.SinceanadversarywilllikelyblockallknownInfranetresponders,itmustbedifculttodetectthataWebserverisrunningInfranetsimplybywatchingitsbehavior.Ofcourse,anyrequesterusingtheserverwillknowthattheserverisanInfranetresponder;however,thisknowledgeshouldonlyarisefrompossessionofasecretthatremainsunavailabletothecensor.Ifthecen-sorchoosesnottoblockaccesstotheresponderbutrathertowatchclientsconnectingtoitforsuspiciousactivities,de-niabilityshouldnotbecompromised.TherespondermustassumethatallclientsareInfranetrequesters.ThisensuresthatInfranetrequesterscannotbedistinguishedfrominno-centusersbasedontheresponder'sbehavior.4.Communicationrobustness.TheInfranetchannelshouldberobustinthepresenceofcensorshipactivitiesde-signedtointerferewithInfranetcommunication.Notethatitisimpossibletobeinnitelyrobust,becauseacensorwhoblocksallInternetaccesswillsuccessfullypreventInfranetcommunication.Thus,weassumethecensorpermitssomecommunicationwithnon-censoredsites. AnytechniquethatpreventsasitefrombeingusedasanInfranetrespondershouldmakethatsitefundamentallyun-usablebynon-Infranetclients.Asanexampleofaschemethatisnotrobust,considerusingSSLasourInfranetchan-nel.Whilethisprovidesfullrequesterandresponderde-niabilityandcovertness(sincemanyWebserversrunSSLforinnocentreasons),itisquiteplausibleforacensortoblockallSSLaccesstotheInternet,sincevastamountsofinformationremainaccessiblethroughnon-encryptedcon-nections.Thus,acensorcanblockSSL-InfranetwithoutcompletelyrestrictingInternetaccess.Inasimilarvein,ifthecensorhasconcludedthatapar-ticularsiteisanInfranetresponder,weshouldensurethattheironlyoptionforblockingInfranetaccessistoblockallaccesstothesuspectedsite.Hopefully,thiswillmakethecensormorereluctanttoblocksites,whichwillallowmoreInfranetresponderstoremainaccessible.5.Performance.WeseektomaximizetheperformanceofInfranetcommunication,subjecttoourotherobjectives.3.3OverviewArequestermustbeabletobothjoinanduseInfranetwithoutarousingsuspicion.TojoinInfranet,ausermustobtaintheInfranetrequestersoftware,plustheIPaddressandpublickeyofatleastoneInfranetresponder.UsersmustbeabletoobtainInfranetrequestersoftwarewithoutrevealingthattheyaredoingso.InformationaboutInfranetrespondersmustbeavailabletolegitimateusers,butshouldnotfallintothehandsofanadversarywhocouldthencon-gureasimpleIP-basedlteringproxy.Onewaytodis-tributesoftwareisout-of-bandviaaCD-ROMoroppydisk.UserscansharecopiesofthesoftwareandlearnaboutInfranetrespondersdirectlyfromoneanother.Thedesignandimplementationofagoodtunnelproto-colbetweenanInfranetrequesterandresponderisthecrit-icaldeterminantofInfranet'sviability.Therestofthissec-tiongivesanoverviewoftheprotocol,andSection4de-scribestheprotocolindetail.Wedenethetunnelprotocolbetweentherequesterandresponderintermsofthreeabstractionlayers:1.Messageexchange.Thislayerofabstractionspecieshigh-levelnotionsofinformationthatrequesterandre-spondercommunicatetoeachother.2.Symbolconstruction.Anycommunicationsystemmustspecifyanunderlyingalphabetofsymbolsthataretransmitted.Thislayerofabstractionspeciesthealphabetsforbothdirectionsofcommunication.Theprimarydesignconstraintiscovertness.3.Modulation.Thelowestlayerofabstractionspeci-esthemappingbetweensymbolsinthealphabetandmessagefragments.Themaindesigngoalisreason-ablecommunicationbandwidth,withoutcompromis-ingcovertness. \n\r  \r\n \n\r \r  \r\n
=0;
=0; "!"#%$'&)(+*-,/.10+2354-687"9":%;'G H"I-J@KML-N/O+P1QR5S-T8UWVX+Y5Z@[B\+Z@]_^`a\rbdcefFigure2.Top­mostlayerofabstractionincommunicationtunnel.Thetop-mostlayerofabstractionistheexchangeofmes-sagesbetweentherequesterandresponder.Therequestersendsrequestsforcontenttotheresponder,hiddeninvis-ibleHTTPtrafc.Theresponderanswerswithrequestedcontent,hiddeninvisibleHTTPresponses,afterobtainingitfromtheoriginserver.AsshowninFigure2,messagesarehiddenwithahidingfunctiongihMSGjCOVERjSECRETk,whereMSGisthemessagetobehidden,COVERisthevisi-bletrafcmediuminwhichMSGishidden,andSECRETen-suresthatonlytherequesterandrespondercanrevealMSG.Designingthehidingfunctionginvolvesdeningasetofsymbolsthatmapontomessagefragments.Thesetofallsymbolsusedtotransmitmessagefragmentsiscalledanalphabet.Sinceanorderedsequenceoffragmentsformsamessage,anorderedsequenceofsymbols,alongwiththehidingfunction,alsorepresentamessage.Bothupstreamanddownstreamcommunicationrequireasetofsymbolsfortransmittingmessages.Thelowestabstractionlayerismodulation,whichspeci-esthemappingbetweenmessagefragmentsandsymbols.Wediscussseveralwaystomodulatemessagesintheup-streamanddownstreamdirectionsinSections4.2and4.3.3.3.1UpstreamCommunicationInourdesign,thecovermediumforupstreamcommunica-tion,COVERl-m,issequencesofHTTPrequests(notethatwhichlinkisselectedonthepagecontainsinformationandcanthereforebeusedforcommunication).ThealphabetisthesetofURLsontheresponder'sWebsite.Otherpossiblealphabetsexist,suchasvariouseldsintheHTTPandTCPheaders.WechoosetousethesetofURLsasouralphabetbecauseitismoredifcultforthetransmissionofmessagestobedetected,itisimmunetomaliciouseldmodicationsbyacensor,anditprovidesreasonablebandwidth.CarefulmeteringoftheorderandtimingofthecoverHTTPcommunicationmakesitdif-cultforthecensortodistinguishInfranet-relatedtrafcfromregularWebbrowsing.Upstreammodulationcorresponds nopqrsot"uv tswxt"ysut"qnopqrsotsuv tsysz{)o|tsq}d~~@€ƒ‚s„†…‚s‡Wˆ‰Š‹ŠŒdŽŽ'd‘†’W“s”†•’‘†–—•†˜‘†™›šœ†ž1Ÿ ¡£¢¤¦¥§d¨©sª«¬­¯®°s±"²"³M´µ¶)··¹¸»º)¼s½»¾"¿›À)Á"ÂsÃÅĹÆ-ÇÈÇɦÊË\rÌÍ"ÎÏBÐÒÑ5ÓÔÓÕÖ¦×)Ø؛ٻÚ)Û"Ü"ÝßÞ"à›á)âsã"äæåDçèsé"ê ëìíî"ïð'ñò\róôõõö÷+ø@ù)úú›ûýü)þ"ÿ

\n\r

! "#%$&'')(+*,
-/.
0)123
457698:;&#x=000;@?ACBD
EFHGIJKL)MKLONQPRR)S+TU
VWXY)Z[
\
]^Q_`
abcdfemnmopgpqrpsetvuqgpuoyzxogpu|f}k{k~e€ehj‚wgetvuwqgpuyzxgpuƒlqoik„pg…exeikgƒlqoik„pg…eik‚uoike‡ˆj‰Šj‹ŒjŽv‘Šj’ˆj“”•––—˜™—š•›™š—œžŸšœš—Figure3.Messagesexchangedduringthetunnelsetupandsteadystatecommunicationphases.Messageex­changesaredrivenbyacommonstatemachineshownontheleft.IntheoptionalInitializeModulationFunc­tionstate,therespondersendsaninitialmodulationfunction ¢¡)£¤¡totherequester.tomappingasequenceofoneormoreURLretrievals,visi-bletoacensor,toasurreptitiousrequestforacensoredWebobject.3.3.2DownstreamCommunicationThecovermediuminthedownstreamdirection,COVER¦9§©¨£,isprovidedbyJPEGimages(withinHTTPresponsestreams).Theresponderusesthehighfrequencycomponentsofimagesasitsalphabetforsendingmessagestotherequester.Thistechniqueprovidesgoodbandwidthandhidingproperties.Downstreammodulationconsistsofmappingasequenceofhigh-frequencyimagecomponentstothecensoredwebobject,suchasHTMLorMIME-encodedcontent.4TunnelProtocolTheInfranettunnelprotocolisdividedintothreemaincomponents:tunnelsetup,upstreamcommunication,anddownstreamcommunication.Tunnelsetupallowsbothpartiestoagreeoncommunicationparameters.Upstreamcommunicationconsistsofmessagetransmissionsfromre-questertoresponder.Downstreamcommunicationconsistsofmessagetransmissionsintheoppositedirection.BoththerequesterandresponderoperateaccordingtothenitestatemachineshownintheleftcolumnofFigure3.Therstfourstatesconstitutetunnelsetup.Thelasttwocomposesteadystatecommunication,wheretherequestertransmitshiddenURLsandtheresponderanswerswiththecorrespondingcontent.Wenowexplorevariousdesignalternativesanddescribethemechanismsusedforeachpartoftheprotocol.4.1TunnelSetupAnInfranetrequesterandresponderestablishatunnelbyagreeingonparameterstothehidingfunctionsgl-mandgª¦9§¨£.Therequesterandresponderexchangethesepa-rameterssecurely,therebyensuringcondentialityduringfuturemessageexchanges.Figure3showsthemessagesinvolvedinestablishingthetunnel.CommunicationwithanInfranetresponderbeginswitharequestforanHTMLpageservedbytheresponder.Thisrstrequestinitiatesthefollowingtunnelsetupproto-col:1.SetUserIDTherequestersendsanimplicitHELLOmessagetotheresponderbyrequestinganHTMLdocument,suchasindex.html.Toidentifysubsequentmessagetransmissionsfromtherequester,therespondercreatesauniqueuserIDfortherequester.ThisuserIDcouldbeexplicitlysetviaaWebcookie.However,forgreaterdefenseagainsttampering,theuserIDshouldbesetimplicitly.Asex-plainedlater,therespondermodiesthevisibleURLsonitsWebsiteforeachrequester.SuchmodicationissufcienttoidentifyrequestersbasedonwhichURLsarerequested.2.ExchangeKeyToensurecondentiality,therequesterusesaresponder-specicmodulationfunction ¢¡)£¤¡¥tosendasharedsecret,SKEY,encryptedwiththepublickeyoftheresponder.TheresponderrecoversSKEYusingitsprivatekey.3.UpdateModulationFunctionTheresponderrstselectsarequester-specicmodu-lationfunction ¢¥l£¤£¬«Q­.Next,theresponderhidesthefunctioninanHTTPresponsestreamwiththesharedsecretSKEY.Therequesterrecovers ®¥l£¤£¬«­fromtheHTTPre-sponsestreamusingSKEY. Thus,thetunnelsetupconsistsoftheexchangeoftwosecrets:asecretkeySKEY,andasecretmodulationfunc-tion ¥l£¬£¬«Q­.SKEYensuresthatonlytherequesterisca-pableofdecodingthemessageshiddeninHTTPresponsestreams. ¥l£¬£¬«Q­allowstherequestertohidemessagesinHTTPrequeststreams.Thesecrecyof ¥l£¤£¬«Q­providescondentialityforupstreammessagesbyensuringthatitishardforacensortouncoverthesurreptitiousrequests,evenifarequesterisdiscovered.InorderfortherequestertoinitiatethetransmissionofSKEY,encryptedwiththeInfranetresponder'spublickey,therequestermusthaveawayofsendingamessagetotheresponder.Thetransmissionisdoneusinganinitialmodu-lationfunction, ¯¡£¤¡¥.Thisinitialfunctionmaybeawell-knownfunction.Alternatively,therespondermaysendaninitialmodulationfunction, ¡)£¤¡¥totherequester.Topro-tectrespondercovertness,thisinitialfunctionshouldbehid-denusingaresponder-specickeyIKEY.TherequestermaylearnIKEYwiththeIPaddressandpublickeyoftherespon-der.Thismethod,whichrequirestheadditionalInitializeModulationFunctionstate,hastheadvantageofallowingresponderstoperiodicallychangemodulationschemes,butsuffersthedisadvantageofrequiringmoreHTTPmessageexchangestoestablishatunnel.Withthetunnelestablished,therequesterandrespon-derentertheTransmitRequeststate.Inthisstate,there-questeruses ®¥l£¤£¬«­tohidearequestforcontentinaseriesofHTTPrequestssenttotheInfranetresponder.Whenthecovertrequestcompletes,therequesterandresponderentertheTransmitResponsestate,atwhichpointtheresponderfetchestherequestedcontentandhidesitinanHTTPre-sponsestreamusingSKEY.Whenthetransmissioniscom-plete,therequesterandresponderbothre-entertheTrans­mitRequeststate.4.2UpstreamCommunicationAtthemostfundamentallevel,arequestersendsames-sageupstreambysendingtheresponderavisibleHTTPre-questthatcontainsadditionalhiddeninformation.Figure4showsthedecompositionoftheupstreamhidingfunctiongl-mBhMSGjHTTPREQUESTSTREAMj ¢°k,whereMSGisthetransmittedinformation(e.g.,requestforhiddencon-tent),HTTPREQUESTSTREAMisthecovermedium,and ¢°isamodulationfunctionthathidesthemessageinavis-ibleHTTPrequeststream.Thespecicmappingfrommes-sagefragmentstovisibleHTTPrequestsdependsonthepa-rameter±.Tosendahiddenmessage,arequesterdividesitintomultiplefragments,eachofwhichtranslatestoavisi-bleHTTPrequest.Theresponderapplies ³²´°tothere-quester'sHTTPrequeststoextractthemessagefragmentsandreassemblesthemtorecoverthehiddenmessage.Therearemanypossiblechoicesfortheupstreammod-µ¶)·¸¹v¶)ºf»¼jº¾½Q¿)ºfÀf»ºv¸µ¶·)¸¹v¶º»¼jºÀvÁÂöQÄ)ºv¸ÅÆÆÇÉÈÊËjÌÊjÍ
ÎÏ!ÐQÑjÒ¾ÓÔÕÃÖ֏×ÙØÃÚÛ
ÜÝjÞÛÚßjàvá)âfãÃäå%æçñòójôjõ©ö÷ùøújûkü
 \n\r !#"$&%'()+**-,.+/01230/&#x=00;46587:9; \rCDFEGHIJLKMN8O:PQ&RSTUVW XY\rZ[\B]^^^Figure4.SequenceofHTTPrequestsandresponsesin­volvedinasingleupstreammessagetransmission.Bothpartiesmustknowthesecretmodulationfunction ¢°.ulationfunction ¢°.Eachoptionfor ¢°presentsadiffer-entdesigntradeoffbetweencovertnessandupstreamband-width.Therearemanymodulationfunctionsthatpro-videdeniabilityforanInfranetrequester—certaintypesofbasicmappingschemes,whenimplementedcorrectly,candoso.WedescribetwosuchexamplesinSec-tions4.2.1and4.2.2.Toprovidestatisticaldeniability,how-ever,requestsshouldfollowtypicalbrowsingpatternsmoreclosely.Toachievethis,weproposetherange-mappingschemeinSection4.2.3.4.2.1ImplicitMappingOneofthesimplest ¢°modulateseachbitofahiddenmes-sageasaseparateHTTPrequest.Whilethisapproachpro-videsextremelylimitedbandwidth,itoffersahighlevelofcovertness—onanygivenpagetherequestermayclickonanyoneofhalfofthelinkstospecifythenextfragment.Forexample,onecanspecifythatanyeven-numberedlinkonthepagecorrespondstoa0,whileanyodd-numberedlinkcorrespondstoa1.Ageneralizationofthisschemeusesthefunction_a`cbedgf,where_isspeciedbythe_thlinkonthelastrequestedpageandfisatmostequaltothetotalnumberoflinksonthatpage.Thismechanismmaybelesscovert,butsendshjih fßkbitsofinformationpervisibleHTTPrequest.4.2.2Dictionary-basedSchemesAnInfranetrespondercansendtherequesterastaticordy-namiccodebookthatmapsvisibleHTTPrequeststomes- sagefragments.WhileastaticmappingbetweenvisibleHTTPrequestsandURLsissimpletoimplement,there-sultingvisibleHTTPrequeststreamsmayresultinstrangebrowsingbehavior.Tocreateadynamicmapping,there-sponderusesimagesembeddedineachrequestedpagetosendupdatestothemodulationfunctionastheupstreamtransmissionprogresses.Therespondermayalsouseitslogofhiddenrequeststoprovidemostprobablecomple-tionstoanongoingmessagetransmission.Transmissionofak-bithiddenmessageusingadictionary-basedscheme,whereeachdictionaryentrycontainslbitsrequiresk+mlvisibleHTTPrequests.Thestructureofthedictionarydeterminesboththecovertnessandbandwidthofthemodulatedrequest.There-fore,thedictionarymightberepresentedasadirectedgraph,basedonthestructureoftheInfranetresponder'sWebsite.Topreservecondentialityintheeventthatacommunicationtunnelisrevealed,thedictionaryshouldbeknownonlytotherequesterandtheresponder.4.2.3Range-mappingTherequesterandrespondercommunicateviaachannelwithfargreaterbandwidthfromtherespondertothere-questerthanviceversa.BecausetheresponderservesmanyInfranetusers'requestsforhiddencontent,itcanmaintainthefrequencydistributionofhiddenmessages,n.Are-questerwantstosendamessage,URL,fromthedistributionn.ThiscommunicationmodelisessentiallytheasymmetriccommunicationmodelpresentedbyAdlerandMaggs[1].Weleveragetheirworktoproduceaniterativemodula-tionfunctionbasedonrange-mappingofthedistributionoflexicographicallyorderedURLs,n.Ineachround,there-spondersendstherequesterasetooftupleshp¡jq¡k,wherep¡isastringinthedomainofnandq¡isthevisibleHTTPrequestthatcommunicatesp¡.p¡iscalledasplit-string.Itspeciestherangeofstringsinnthatarelexicograph-icallysmallerthanitselfandlexicographicallylargerthantheprecedingsplit-stringino.Theclientdetermineswhichlexicographicintervalcontainsthehiddenmessageandre-spondswiththesplit-stringthatidentiesthatinterval.WhilethefocusoftheAdler-Maggsprotocolistoen-ablecommunicationoveranasymmetricchannel,wearealsoconcernedwithmaintainingcovertnessandstatisticaldeniability.Inparticular,weaimtoensurethatateachstep,theprobabilitythatanInfranetrequesterselectsaparticularlinkisequaltotheprobabilitythataninnocentbrowserse-lectsthatlink.Wethereforeincludelinktraversalprobabil-ityinformationasaparametertothealgorithmforchoos-ingsplit-strings.Weextracttheseprobabilitiesfromtheserver'saccesslog.Priortocommunicatingwiththerequester,therespondercomputesthefollowinginformationof-PROCEDUREMODULATE(URL,r)ss6teuwvuyx{zwz|yu~}{~€yvvuy}zy}‚6vƒz„j}{z…\rƒ†y‡‰ˆ…‹Šyr6Œss6vu&Žƒx{Šw‡w…:€‚6|yƒx{€wvvv€w…j‡wuy…Žz|y€w†URL ‘’“8”–•—™˜&š›œ
ž Ÿž¢¡rŒandž¤£¥žŽ¦¨§and©wª¡rs.t.ž«¦{§¬ª¬#ž­ss6®¯uw°y±wuy}{zwz|yu¯‚e€w‡yu~x{Šy…‹…juw}‚eŠw†y²yƒ†w‡³zŠ~z|yu‰}{uwvuyx{zuw²´}z…\rƒ†y‡¦µ›œrµ¶w·¸j¹Ÿr6Œ+·¸j¹«º‘’“8”y•—™˜&š­send¦Figure5.Pseudocodeforamodulationfunctionusingrange­mapping.ine:n,thecumulativefrequencydistributionforhiddenrequests;and»,thelink-traversalproba-bilities.Specically,»isthesetofprobabilities¼¡¾½¿Àhnextrequestisforpage¼½ÂÁcurrentpageis¼¡kforallpages¼¡and¼½in_,thesetofallpagesontheresponder'sWebsite.Ineachround,thesetocontainsÃtuples,whereÃisthenumberofpagesqforwhichÀhÄqÁqcurrentkÆÅÈÇ,i.e.,thenumberofpossibilitiesfortherequester'snextvisibleHTTPrequest,giventhecurrentpageqcurrent.Thesetu-plesspecifyÃconsecutiveprobabilityintervalswithinn.ThesizeofeachprobabilityintervalÉËÊ¡isproportionaltotheconditionalprobabilityÀhÄqÁqcurrentk.Byassigningprobabilityintervalsaccordingtothenext-hopprobabilitiesforHTTPrequestsonaWebsite,range-mappingprovidesstatisticaldeniabilityfortherequesterbymakingitmorelikelythattherequesterwilltakeapaththroughthesitethatwouldbetakenbyaninnocuousWebclient.2ThesumofallÃintervalsisequaltoÌ,thesizeoftheprobabilityintervalforthepreviousiteration,orto1fortherstiteration.PseudocodeforthemodulationfunctionisshowninFig-ure5.Ineachiteration,therequesterreceivesoandselectsthesplitstringpthatspeciestherangeinwhichitsmes-sageURLlies.ItthensendsthecorrespondingvisibleHTTPrequestq.Figure6showspseudocodeforthedemodulationfunc-tion.Theresponderinterpretstherequestqcurrentasarangespecication,boundedabovebythecorrespondingsplit-stringpcurrentandbelowbysplit-stringinowhichprecedespcurrentlexicographically.Giventhisnewrange,theresponderupdatestheboundsfortherange,Í-΁Ï
ÐjÑBiÂÒ³ÓÔandÍÎ
ρÐjÑBiÒ³Õ
Ö(lines12-13),andgeneratesanewsplit-stringsetoforthatrange(asshowninlines5-9andFig-ure7).ArequestercanusethisschemetomodulatethehiddenmessageURLevenifitisnotinthedomainofn.There-2Wepresenttherange-mappingmodelbasedonone-hopconditionalprobabilities.Itshouldbenotedthatalthoughthisapproachprovidestheappropriatedistributiononlinkprobabilitiesateachstep,itisnotguaran-teedtoproperlydistributemorecomplexquantitiessuchastheprobabilityofanentiresequenceoflinkchoices. PROCEDUREDEMODULATE(×¢ØٙØÚcurrentØÛ&ÜÝ-Þ¾ßµà—™áâØ&Û&ÜÝ-Þ:ßÂà—™˜&š)ss™ã´|yuw†´z|wu´…:€y†w‡yu‰…juw€yx{|wuy}Fäuw…jŠ¨å+…juyz±y…†‰z|yu‰}{z…\rƒ†y‡~ˆŠw±y†w²1if(Û&ÜÝ-Þ¾ßµà—™áâæÛ&ÜÝ-Þ¾ßµà—™˜&š)2returnÛ&ÜÝ-Þ¾ßµà—™áâelsess6篊y™‚e±wzu‰zŠyz€yv…:€y†w‡yu~ˆŠw…èz|yƒ}éƒzuy…:€yzƒŠy†3êëÈÙìÛ&ÜÝ-Þ¾ßµà—™˜&šyí¯îÙìÛ&ÜÝ-Þ¾ßµà—™áâwíss6ï†yƒzƒ€yvƒäu‰vŠµð«uw…ÂñwŠy±y†w²‰Šyˆyò…j}{z+}{±yñw„jƒ†wzuy…ó€yv4ô—™áâëõÙìÛ&ÜÝ-Þ¾ßµà—™áâíss6öèŠy…è€wvv{Š‚6uy†yv}{uy…óuy²¯‚6€y‡yuw}ڃ†´÷#åeð«|yuy…‹usse÷øƒ}éz|yu~}{uwzyŠyˆ+€yvv ‚e€y‡wuy}éŠy†‰z|yuLã³uyñ‰}{ƒzu5ù6Úûú÷sseteuwzyz|wu~±-‚y‚6uy…ŽñyŠw±y†y²~Šyˆ+z|wu´}{±wñy„‹ƒ†yzuw…óĀwv ‚e…‹Š‚6Šy…ÄzƒŠy†w€yvssezŠ‰z|wu‚6…jŠwñy€yñwƒvƒz#Šyˆy…‹uy°w±yuy}zƒ†y‡¯‚e€w‡yuÚ6ôLëÈê#ü¨×¤ìÚÂýÚcurrentíþô—™áâsseÿyŽz…‹€wx{zyz|wu‰}{z…\rƒ†w‡´€wzyz|wu~ñwŠy±w†y²y€w…Šwˆyz|wu´}±yñy„‹ƒ†yzuw…óĀwvss
¨|yƒ}Fƒ}z|wu´} ‚evƒz„‹}{z…\rƒ†w‡~ˆŠy…Žz|wu´}±yñy„‹ƒ†yzuw…óĀwv7´ëõÙ¨ìôíssete€Âóu´z|wu‚6€yƒ…ŽˆŠy…~uy²³ñ&}‚6vƒz„j}{z…\rƒ†y‡€y†w²¯‚e€y‡wuÚ8ë\n Žì\ryØÚí…ju‚6€y…‹u~zŠ´x{Šw‚6±yzu‰}{±wñy}{uw°y±wuy†yz+}{±wñy„jƒ†wzuy…ó€yv9ô—™áâëôss6teuy†w²´z|wu‰}{uyzwŠyˆy€wvv‚e€wƒ…j}FzŠ~z|yu‰…juw°y±wuy}{zuw…10sendss6®¯uyxuyƒ:óu~†wuÂð…juy°w±yuw}{z11receiveÚcurrentss‚e²w€yzu‰ƒ†wzuy…ó€yv{‡wƒ:óÄuw†‰z|yu~}{uyvuwx{zuw²~} ‚evƒz„‹}{z…\rƒ†w‡12Û&ÜÝ-Þ¾ßµà—™˜&šëŒý¶ æÚcurrent13Û&ÜÝ-Þ¾ßµà—™áâë!"ŒýŒ#þ%$æÛ&ÜÝ-Þ¾ßµà—™˜&š if'&æ)((otherwisess6ö±w…Äz|yuw…è…juy²w±yx{u‰ƒ†wzuy…ó€yv14returnDEMODULATEì×¢Ø+*#ØÚcurrentØÛ&ÜÝ-Þ¾ßµà—™áâØÛ&ÜÝ-Þ¾ßÂà—™˜&šíFigure6.Pseudocodeforademodulationfunctionusingrange­mapping.questerandrespondercanperformrange-mappinguntiltherangebecomestwoconsecutiveURLsinn.TheprexthatthesetwoURLssharebecomestheprex¼ofthehiddenmessage.Atthispoint,therequesterandrespondermaycontinuetherange-mappingalgorithmoverthesetofallstringsthathave¼asaprex.Sincetherequester'smessagemaybeofarbitrarylength,theremustexistanexplicitwaytostopthesearch.Oneso-lutionistoaddatuple,\r- .qend/too,where-indicatesthattherequesterisnishedsendingtherequest.Whenallsplit-stringsshareacommonprexequaltothehiddenmessage,therequestertransmitsqend.Range-mappingissimilartoarithmeticcoding,whichdividesthesizeofeachintervalinthespaceofbinarystringsaccordingtotheprobabilityofeachsymbolbeingtransmit-ted.Thebinaryentropy,01,Än/,istheexpectednumberofstring\r2min\rstring\r2max\rs\r21\rs\r22\rLexicographically\rordered strings\rv\r3min\rv\r31\rv\r2\rv\rmax\r...\r4...\rd \r5* P(r\r1\r|r\r6current\r)\r7d\r5d\r5 * P(r\r2\r|r\r6current\r)\r7C\r80\r91\r:Figure7.Oneiterationoftherange­mappingdemodulationfunction.Theinitialinterval;n, ÍÎ
ρÐjÑBiÒ³ÓÔ/.-n, ÍÎ
ρЋÑiÒ³Õ
Ö/=isdividedintoÃsub­intervalsaccordingtoprobabilitiesofrequestinganypageontheresponder'sWebsitegiventhecurrentpageqcurrent.Therespondergeneratesthesplit­stringsp´throughp�?thatcorrespondtosub­intervalboundariesandreturnsthemtotherequester.bitsrequiredtomodulateamessageinn.Arithmeticcodingofabinarystringrequires0@,n/
ACBtransmissions,assum-ingDbitpersymbol[31].Inourmodel,eachpagehasÃlinks.Therefore,eachvisibleHTTPrequesttransmitshji,Ã/bits,andtheexpectednumberofrequestsrequiredtomod-ulateahiddenrequestisE?FGIHKJLM�NA@B.4.3DownstreamCommunicationFigure8showsthedecompositionofthedownstreamhidingfunctionOª¦9§¨£.TherequesterreceivesahiddenmessagefromtheresponderbymakingaseriesofHTTPre-questsforimages.TheresponderappliesPtotherequestedimagesandsendstheresultingimagestotherequester.TherequestercanthenapplytheinversemodulationfunctionP²´torecoverthehiddenmessagefragment.Toensureinnocuousbrowsingpatterns,therequestershouldrequestanHTMLpageandsubsequentlyrequesttheembeddedim-agesfromthatpage(asopposedtomakingHTTPrequestsforimagesoutoftheblue).ForthemodulationfunctionP,weusetheoutguessutility[16],whichmodiesthehighfrequencycomponentsofanimageaccordingtoboththemessagebeingtransmit-tedandasecretkey.Modulationtakesplaceintwostages—ndingredundantbitsintheimage(i.e.,theleastsignicantbitsofDCTcoefcientsinthecaseofJPEG),andembed-dingthemessageinsomesubsetoftheseredundantbits.Therststageisstraightforward.Thesecondstageuses QRTSIUVRIWYXZ[WY\"]TWY^\rXWUQRISTUV_RTWYXZ\rW\r^_`Ia#RIbcW_Ud"eecfhg"i[j\rki[lnmopq_rstvuwx"yy=zh{"|\r}n~\r[€}|‚„ƒ…_†Y‡=ˆK‰Š‹ŒŽIY#‘’“•”=–Y—™˜›šnœ[Ÿž ¡¢c£\r¤+¥‚¦§¨[©ªT« ¬­¯®°c±\r²+³´µ¶¸·¹º¼»½¿¾[À+Á‚ÂÃÄÅ[ÆYÇIÈ ÉʯËÌ͙ΛÏnÐ[ÑhÒÓ"ÔÔcÕhÖ"×\rØ[Ù×\rÚÛÜÝÞ_ßYà=á#ânãä"åå=æhç"è\rénê[ë\rìéè[íîï_ðYñ=òKóôõööö÷ø¼ùúYûýü›þnÿ

\n \r

 !"$#%'&)(*+
,- ./01
23465&#x;000;78\n9:Figure8.DownstreamcommunicationalsoconsistsofasequenceofHTTPrequestsandresponses.Therespon­derhidesmessagesthatitsendstotherequesterintheHTTPresponses.Oneefcientdownstreamcommuni­cationmechanismusessteganographytohidedown­streammessagesinrequestedimages.thesharedsecretSKEYasaseedtoapseudorandomnum-bergeneratorthatdetermineswhichsubsetofthesebitswillcontainthemessage.Therefore,withoutknowingthesecretkey,anadversarycannotdeterminewhichbitsholdinfor-mation.Previousworkdescribesthisprocessingreaterde-tail[17].Steganographyisdesignedtohideamessageinacoverimage,wheretheadversarydoesnothaveaccesstotheorig-inalcoverandthuscannotdetectthepresenceofahiddenmessage.However,becauseaWebservertypicallyservesthesamecontenttomanydifferentusers(andeventothesameusermultipletimes),anadversarycandetecttheuseofsteganographysimplybynoticingthatthesamerequestedURLcorrespondstodifferentcontenteverytimeitisre-quested.Onesolutiontothisproblemistorequirethattheresponderneverservethesamelenametwiceforlesthatembedhiddeninformation.Forthisreason,awebcamservesasanexcellentmodefortransmittinghiddenmes-sagesdownstream,becausethelenamesandimagesthatawebcamservesregularlychangebysmallamounts.WediscussthisprobleminmoredetailinSection5.Topro-tectInfranetrequesters,Infranetrespondersembedcontentineveryimage,regardlessofwhethertheWebclientisanInfranetrequester.Therearemanyotherpossiblemodulationfunctionsforhidingdownstreammessages.OnepossibilityistoembedmessagesinHTTPresponseheadersorHTMLpages.How-ever,thisdoesnotprovidethedownstreambandwidththatisnecessarytodelivermessagestotherequesterinareason-ableamountoftime.Anotheralternativeistoembedmes-sagefragmentsinimagesusinghiddenwatermarks.Bothwatermarkingandsteganographyconcealhiddencontent;additionally,watermarksarerobusttomodicationbyanadversary.Pastworkhasinvestigatedwatermarkingtech-niquesforcompressedvideo[6].Afeasibledownstreammodulationfunctionmightusedownloadedorstreamingaudioorvideoclipstohidemessages.Notethatourdownstreammodulationschemedoesnotfundamentallydependontheuseofsteganography.Infact,itmaymakemoresensetouseadatahidingtechniquethatanadversarycannotmodifyorremovewithoutaffectingthevisiblyreturnedcontent.Forexample,ifaresponderuseslow-orderbitsofthebrightnessvaluesofanimagetoem-beddata,thecensorwillhavemoredifcultyremovingthecovertdatawithoutaffectingthevisiblecharacteristicsoftherequestedimage.Sinceweassumethatthecensordoesnotwanttoaffecttheexperienceofnormalusers,thistypeofdownstreamcommunicationmightbemoreappropriate.5SecurityAnalysisInthissection,wediscussInfranet'sabilitytohandleavarietyofattacksfromadeterminedadversarialcensor.Weareconcernedwithmaintainingdeniabilityandcovertnessinthefaceoftheseattacks,i.e.,makingithardforthecen-sortodetectrequestersandresponders.Inaddition,Infranetshouldprovidecondentiality,sothatevenifacensordis-coversanInfranetrequesterorresponder,itcannotrecoveranyofthemessagesexchanged.TheadversaryhasaccesstoalltrafcpassingbetweenitsnetworkandtheglobalInternet,especiallyallvisibleHTTPrequestsandresponses.Furthermore,theadversarycanactivelymodifyanytrafcthatpassesthroughit,aslongasthesemodicationsdonotaffectthecorrectnessoftheHTTPtransactionsthemselves.5.1DiscoveryAttacksAcensormightattempttodiscoverInfranetrequestersorrespondersbyjoiningInfranetasarequesterorarespon-der.TojoinInfranetasarequester,aparticipantmustdis-covertheIPaddressandpublickeyofaresponder.Oncetheclientjoins,allinformationexchangedwitharesponderisspecictothatrequester.Thus,byjoiningthenetworkasarequester,thecensorgainsnoadditionalinformationotherthanthatwhichmustalreadyhavebeenobtainedout-of-band.Alternatively,acensormightsetupanInfranetrespon-derinthehopethatsomeunluckyrequestersmightcon-tactit.BydeterminingwhichWebclients'visibleHTTPrequestsdemodulatetosensibleInfranetmessages,acen- HTTPRequestsHTTPResponsesNoTargetSuspiciousHTTPrequestheadersSuspiciousresponseheadersorcontentOneTargetHTTPrequestpatternsContentpatterns(e.g.,sameURL,differentimage)MultipleTargetsLinkrequestsacrossInfranetrequestersCommonpatternsinHTTPresponses(e.g.,forcommonlyrequestedforbiddenURLs)Table1.AtaxonomyofpassiveattacksonInfranet.Ifthecensorhastheabilitytotargetsuspectedusers,attacksinvolvemoresophisticatedanalysisofvisibleHTTPtrafc.sorcandistinguishinnocentWebclientsfromInfranetre-questers.Currently,werelyoneachrequestertrustingthelegitimacyofanyresponderitcontacts.Section8describesapossibledefenseagainstthisattackbyallowingforun-trustedforwarders.AcensormightmountapassiveattackinanattempttodiscoveranInfranetcommunicationtunnel.Becausethistypeofattackoftenrequirescarefultrafcanalysis,passiveattacksonInfranetaremuchmoredifculttomountthanactiveattacksbasedonlteringortamperingwithvisibleHTTPtrafc.Thetypesofattacksthatanadversarycanperformdependontheamountofstateithas,aswellaswhetherornotitistargetingoneormoreusers.Table1showsataxonomyofpassiveattacksthatacen-sorcanperformonInfranet.Potentialattacksbecomemoreseriousastheadversarytargetsmoreusers.WeakattacksinvolvedetectinganomaliesinHTTPheadersorcontent.Strongerattacksrequiremorecomplexanalysis,suchascorrelationofusers'browsingpatterns.Ifacensorobservesalltrafcthatpassesthroughitwithouttargetingusers,itcouldattempttouncoveranIn-franettunnelbydetectingsuspiciousHTTPrequestandre-sponseheaders,suchasarequestheaderwithastrangeDatevalueorgarbageintheresponseheader.Infranetdefendsagainsttheseattacksbyavoidingsuspiciousmod-icationstotheHTTPheadersandbyhidingdownstreamcontentwithsteganography.Additionally,byrequiringthatInfranetrespondersalwaysserveuniqueURLswhencon-tentchanges,Infranetguardsagainstadiscoveryattackonaresponder,wherebyacensornoticesthatslightlydifferentcontentisbeingservedfromthesameURLeachtimeitisrequested.AcensorwhotargetsasuspectedInfranetrequestercanmountstrongerattacks.AcensorcanobserveaWebuser'sbrowsingpatternsanddeterminewhetherthesepatternslooksuspicious.Sincethemodulationfunctiondeterminesthebrowsingpattern,afunctionthatselectssubsequentre-questsbasedonthestructureoftheresponder'sWebsitemighthelp,butdoesnotalwaysreectactualuserbehavior.Somepagesmightberarelyrequested,whileothersmightalwaysberequestedinsequence.Thus,itisbesttobasemodulationfunctionsoninformationfromrealaccesslogs.WhilegeneratingvisibleHTTPrequestsautomaticallyrequirestheleastworkonthepartoftheuser,thisisnottheonlyalternative.Aparticularlycautioususermightfearthatanyrequestsequencegeneratedbythesystemislikelytolook“strange”andthusarousesuspicion.Toovercomethis,thesystemcouldgivetheuseracertaindegreeofcon-troloverwhichvisiblerequestsaretransmitted.Oneex-ampleisfortherequestertoconrmeachURLwiththeuserbeforesendingit.IftheuserndstheURLstrange,hecanforcetherequestertosendadifferentURLthatcom-municatesthesamemessagefragment.Theseoverridesin-troducenoiseintotherequester'ssequence.However,therequestercanencodethemessagewithanerrorcorrectingcodethatallowsforsuchnoise.AnothersolutionwouldbetoensurethatmultipleURLsmaptoeachmessagefragmenttherequesterwantstosendtogivetheuserachoiceofwhichspecicvisibleURLtorequest.Weconjecturethatwithsufcientredundancy,auserwillfrequentlybeabletondaplausibleURLthatsendsthedesiredmessagefragment.Bytargetingmultipleusers,acensormaylearnaboutmanyInfranetusersasaresultofdiscoveringoneInfranetuser.Alternatively,acensorcouldbecomeanInfranetre-questerandcompareitsbehavioragainstothersuspectedusers.Wedefendagainstthesetypesofattacksbyusingrequester-specicsharedsecrets.5.2DisruptiveAttacksBecausealltrafcbetweenanInfranetrequesterandre-sponderpassesthroughthecensor,thecensorcandisruptInfranettunnelsbyperformingactiveattacksonHTTPtraf-c,suchasltering,transactiontampering,andsessiontampering.5.2.1FilteringAcensormayblockaccesstovariouspartsoftheInternetbasedonIPaddressorprexblock,DNSname,orport number.Additionally,censorscanblockaccesstocontentbylteringoutWebpagesthatcontaincertainkeywords.Forinstance,SaudiArabiaisreportedlytryingtoacquiresuchlteringsoftware[10].Infranet'ssuccessagainstlteringattacksdependsonthepervasivenessofInfranetrespondersthroughouttheWeb.BecauseInfranetrespondersarediscoveredout-of-band,acensorcannotrapidlylearnaboutInfranetrespondersbycrawlingtheWebwithanautomatedscript.Whileacen-sorcouldconceivablylearnaboutrespondersout-of-bandandsystematicallyblockaccesstothesemachines,theout-of-bandmechanismmakesitmoredifcultforacensortoblockaccesstoallInfranetresponders.Thewiderthede-ploymentofrespondersonWebserversaroundtheworld,themorelikelyitisthatInfranetwillsucceed.Notethatbecausetheadversarymayltertrafcbasedoncontentandportnumber,itisrelativelyeasyforthead-versarytoblockSSLbylteringSSLhandshakemessages.Thus,InfranetprovidesfarbetterdefenseagainstlteringthanasystemthatsimplyreliesonSSL.5.2.2TransactionTamperingAcensormayattempttodisruptInfranettunnelcommuni-cationbymodifyingHTTPrequestsandresponsesinwaysthatdonotaffectHTTPprotocolconformance.Forexam-ple,theadversarymaychangeeldsinHTTPrequestorresponseheaders(e.g.,changingthevalueoftheDate:eld),reordereldswithinheaders,orevenremoveoraddelds.Infranetisresistanttotheseattacksbecausethetun-nelprotocoldoesnotrelyonmodicationstotheHTTPheader.AsdescribedinSection4.1,theInfranetrequestermustpresentauniqueuseridentierwitheachHTTPrequestinordertoberecognizedacrossmultipleHTTPtransactions.ArequestercouldsenditsuserIDinaWebcookiewitheachHTTPrequest.However,ifthecensorremovescookies,wesuggestmaintainingclientstatebyembeddingtheuserID(orsometokenthatisaderivativeoftheuserID)ineachURLrequestedbytheclient.Ofcourse,topreservetherequester'sdeniability,therespondermustrewriteallembeddedlinkstoincludethisclienttoken.Thecensormaymodifythereturnedcontentitself.Forexample,itmightinsertorremoveembeddedlinksonare-questedWebpageoripbitsinrequestedimages.Linkinsertionanddeletiondoesnotaffecttunnelcommunica-tionsthatuseacodebookbecausetheclientsendsmes-sagesupstreamaccordingtothiscodebook.AttacksonimagecontentcoulddisruptthecorrectInfranetcommuni-cation.Traditionalrobustwatermarkingtechniquesdefendagainstsuchattacks.Infranetdetectsandblockssuchdis-ruptionsbyembeddingthenameoftheservedURLineachresponse.5.2.3SessionTamperingAnadversarymightattempttodisrupttunnelcommunica-tionbyinterferingwithsequencesofHTTPrequests.Acensorcouldservearequester'svisibleHTTPrequestfromitsowncacheratherthanforwardingthisrequesttotheIn-franetresponder.Topreventsuchanattack,theInfranetre-questermustensurethatitsHTTPrequestsareneverservedfromacache.OnewaytodothisistoalwaysrequestuniqueURLs.Weconsiderthisrequirementfairlyreason-able:manysitesthatservedynamiccontent(e.g.,CGI-basedpages,webcams,etc.)constantlychangetheirURLs.AnotheroptionistousethePragma:no-cachedi-rective,althoughacensoringproxywilllikelyignorethis.Alternatively,acensormightinsert,remove,orreorderHTTPrequestsandresponses.IfacensoraltersHTTPre-questpatterns,theInfranetrespondermightseeerrorsinthereceivedmessage.However,InfranetrespondersincludethenameoftheservedURLineachresponsestream,thusen-ablingtherequestertodetectsessioncorruptionandrestartthetransmission.Inthecaseofrange-mapping,upstreamtransmissionerrorswillbereectedinthesplit-stringsre-turnedbytheresponder.Therequestercanalsodefendagainsttheseattackswitherrorcorrectiontechniquesthatrecoverfromtheinsertion,deletion,andtranspositionofbits[20].6ImplementationOurimplementationofInfranetconsistsoftwocompo-nents:theInfranetrequesterandtheInfranetresponder.TherequesterfunctionsasaWebproxyandisresponsibleformodulatingaWebbrowser'srequestforhiddencontentasasequenceofvisibleHTTPrequeststotheInfranetrespon-der.TheresponderfunctionsasaWebserverextensionandisresponsiblefordemodulatingtherequester'smessagesanddeliveringrequestedcontent.Therequesterandrespon-derutilizeacommonlibrary,libinfranet,thatimple-mentscommonfunctionality,suchasmodulation,hiding,andcryptography.Inthissection,wediscussourimplemen-tationoftheInfranetrequesterandresponder,aswellasthecommonfunctionalityimplementedinlibinfranet.6.1RequesterWeimplementedtheInfranetrequesterasanasyn-chronousWebproxyinabout2,000linesofC++.Weusedlibtclfortheasynchronousevent-drivenfunctionality.TherequestersendsvisibleHTTPrequeststoanInfranetresponder,basedonaninitialURLattheresponder,there-sponder'spublickey,andoptionallyaninitialkeyIKEY.TherequesterqueuesHTTPrequestsfromtheuser'sbrowserandmodulatesthemsequentially.Iftherequester Fragment OffsetMessage Length102345678901023456789102345678912013VersionTypeZEmptyFragment LengthFigure9.Responderheaderformat.knowsaboutmorethanoneresponder,itcanservicere-questsinparallelbyusingmultipleresponders.Inourimplementation,visibleHTTPrequestsfromtherequesteraregeneratedentirelyautomatically.AsdiscussedinSection5.1,wecouldalsoallowtheusertoparticipateinlinkselectiontoprovideincreasedcovertness.6.2ResponderWeimplementedtheInfranetresponderasanApachemodule,modinfranetinabout2,000linesofC++,whichweintegratedwithApache1.3.22runningonLinux2.4.2.TheApacherequestcycleconsistsofmanyphases,includingURItranslation,content-handling,andauthoriza-tion[22].Ourmodinfranetmoduleaugmentsthecon-tenthandlerphaseoftheApacherequestloop.Therespon-derprocessesrequestsasitnormallywouldbutalsointer-pretsthemasmodulatedhiddenmessages.AnInfranetrespondermustmaintainstateforarequesteracrossmultipleHTTPtransactions.Thecurrentimplemen-tationoftheresponderusesWebcookiestomaintainclientstatebecausethismechanismwassimpletoimplement;inthefuture,weplantoimplementtheURLrewritingmech-anismoutlinedinSection5becauseofitsstrongerdefenseagainstpassivediscoveryattacks.TheresponderusestheREQUESTERTOKENcookie,whichcontainsauniqueiden-tier,toassociateHTTPrequeststoaparticularrequester.Foreachrequester,therespondermaintainsper-requesterstate,includingwhichFSMstatetherequesterisin,themodulationfunctiontherequesterisusing,thesharedse-cretSKEY,andmessagefragmentsforpendingmessages.Figure9showstheheaderthattheresponderprependstoeachmessagefragment.VersionisaD-biteldthatspecieswhichversionoftheInfranettunnelprotocoltheresponderisrunning.Typespeciesthetypeofmessagethatthepay-loadcorrespondsto(e.g.,modulationfunctionupdate,re-questedhiddencontent,etc.).ZisaD-biteldthatindicateswhethertherequestedcontentinthepayloadiscompressedwithgzip(thisisthecaseforHTMLlesbutnotimages).FragmentLengthreferstothelengthofthemessagefrag-mentinthepayloadinbytes,andFragmentOffsetspeci-estheoffsetinbyteswherethisfragmentshouldbeplacedforreassemblyofthemessage.MessageLengthspeciesthetotallengthofthemessageinbytes.Becauseupstreambandwidthisscarceandtransmittingaheadermightcre-aterecognizablemodulationpatterns,therequesterdoesnotprependaheadertoitsmessages.6.3SteganographyandCompressionUponreceivingarequest,theresponderdetermineswhetheritcanembedhiddencontentintheresponse.Cur-rently,modinfranetonlyembedsdatainJPEGimages.Iftheresponderdeterminesthatitiscapableofhidinginfor-mationintherequesteddata,itusesoutguesstoembedthehiddeninformationusingSKEY.Toreducetheamountofdatathattherespondermustsendtotherequester,therespondercompressesHTMLleswithgzip[5]beforeembeddingthemintoimages.6.4CryptographyTheInfranetrequestergeneratesthe160-bitsharedse-cretSKEYusing/dev/random.SKEYisencryptedus-ingtheRSApublickeyencryptionimplementationintheOpenSSLlibrary[15].Thisciphertextis128bytes,whichimposesalargecommunicationoverhead.However,be-causetheciphertextisafunctionofthelengthofthere-quester'spublickey,itisdifculttomakethisciphertextshorter.Oneoptiontoamelioratethiswouldbetouseanimplementationofellipticcurvecryptography[13].7PerformanceEvaluationInthissection,weexamineInfranet'sperformance.Weevaluatetheoverheadofthetunnelsetupoperationandtheperformanceofupstreamanddownstreamcommuni-cation.Finally,weestimatetheoverheadimposedbymodinfranetonnormalWebserveroperations.AllofourperformancetestswererunusingApache1.3.22withmodinfranetona1.8GHzPentium4with1GBofRAM.Forallperformancetests,werananInfranetrequesterandaPerlscriptthatemulatesauser'sbrowserfromthesamemachine.7.1TunnelSetupTunnelsetupconsistsoftwooperations:upstreamtrans-missionofSKEYencryptedwiththeresponder'spublic-key,anddownstreamtransmissionofEGFHII'JK.Inourimplemen-tation,SKEYis160bitslongandthecorrespondingcipher-textis128bytes,proportionaltothelengthoftherespon-der'spublickey.TransmissionofEGFHII'JKisequivalenttoasingledocumenttransmission.Thetransmissionofanini-tialmodulationfunction,ifoneisused,requiresoneaddi-tionaldownstreamtransmission. 00.10.20.30.40.50.60.70.80.91012345678910Fraction of all hidden URLsNumber of requests to transmit hidden URLIgnoring traversal probabilities (mean: 5.9)Using traversal probabilities (mean: 6.4)Figure10.NumberofvisibleHTTPrequestsrequiredtomodulatehiddenURLswithandwithoutlinktraversalprobabilitiesforrange­mapping,assuming8linksperpage(LNMPO).TheexpectednumberofvisibleHTTPrequestsrequiredtomodulateamessageisindependentofwhetherthelinktraversalprobabilitiesareused.7.2UpstreamCommunicationAnimportantmeasureofupstreamcommunicationper-formanceishowmanyHTTPrequestsarerequiredtomod-ulateatypicalmessage.Wefocusourevaluationontherange-mappingschemedescribedinSection4.2.Weevaluatedtheperformanceofrange-mappingusingaWebproxytracecontaining174,100uniqueURLsfromthePaloAltoIRCache[8]proxyonJanuary27,2002.3WhenweweightURLsaccordingtopopularity,themostpopular10%ofURLsaccountforroughly90%ofthevisibleHTTPtrafc.Thisissignicant,sincemodulatingthemostpopu-lar10%ofURLsrequiresasmallnumberofvisibleHTTPrequests.Arequestercanachievestatisticaldeniabilitybypattern-ingsequencesofHTTPrequestsafterthoseofinnocuousWebclients.AsdescribedinSection4.2.3,thisisdonebyassigningsplit-stringrangesinQaccordingtothepairwiselinktraversalprobabilitiesR.Toevaluatetheeffectofus-ingthedistributionR,wemodulated1,740requestsfromQ,bothusingandignoringR,assuming8outgoinglinksperpage.Figure10showsthatassigningrangesbasedonlinktraversalprobabilitiesdoesnotaffecttheexpectednumberofvisibleHTTPrequestsrequiredtomodulateahiddenre-quest.Thisfollowsdirectlyfrompropertiesofarithmeticcodes[31].Inbothcases,overhalfofhiddenmessages3ThesetracesweremadeavailablebyNationalScienceFoundationgrantsNCR-9616602andNCR-9521745,andtheNationalLaboratoryforAppliedNetworkResearch.051015201248163264128Number of requestsNumber of possible next requests at each page90th percentile50th percentileFigure11.Themedianand90thpercentileofnumberofrequeststomodulateamessageisverysmallevenforsmallnumbersofoutgoinglinks(L)oneachpage.required4visibleHTTPrequests,andnomorethan10requestswereneededforanymessage.Therefore,usingtraversalprobabilitiestodeterminethesizeofrangesinQprovidesstatisticaldeniabilitywithouthurtingperformance.SettinglinktraversalprobabilitiestoDS'L,weevaluatedtheeffectofthenumberoflinksonapage,L,onupstreamcommunicationperformance.Figure11showsthat90%ofmessagesfromQcanbemodulatedin10visibleHTTPre-questsorfewer,evenforLassmallas4.Inthetraceweusedforourexperiments,thebinaryen-tropyofthefrequencydistributionofrequestedURLsis16.5bits.Therefore,theexpectednumberofrequestsre-quiredtotransmitaURLfromQisETUWVXLM�NAB.Theem-piricalresultsshowninFigure11agreewiththisanalyticalresult.Toevaluatetheperformanceofrange-mappingonrealsites,wemodulatedhiddenrequestswhilevaryingLandYaccordingtothebrowsingpatternsobservedonarealWebsite.WeanalyzedtheWebaccesslogsfornms.lcs.mit.eduandpdos.lcs.mit.edutogeneratevaluesforLandYforeachpageonthesesites.WethenobservedthenumberofvisibleHTTPrequestsrequiredtotransmit1,740messagesfromQ.Resultsfromthisexperimentareshowninthetablebelow.ThenumberofrequestsrequiredtomodulateahiddenmessageisslightlyhigherthaninFig-ure11,sinceLvariesforarealWebsite.SITEZavgMEDIAN90%nms.lcs.mit.edu[\$"(pdos.lcs.mit.edu$^]_\ 5101520253035404550556001000020000300004000050000600007000080000Number of requests to retrieve data`Size of requested data (bytes)Figure12.Numberofrequestsrequiredtoretrievedataofvarioussizes.EachvisibleHTTPrequestcontainsapproximately1kBofahiddenmessage.7.3DownstreamCommunicationFigure12showsthenumberofHTTPrequeststhatanInfranetrequestermustmaketoretrievehiddenmessagesofvarioussizes.EachvisibleHTTPresponsecontainsap-proximately1kBofahiddenmessage.TheamountofdatathatcanbeembeddedinonevisibleHTTPresponsedependsontwofactors—thecompressionratioofthemes-sageandtheamountofdatathatcanbesteganographicallyembeddedintoasingleimage.Thus,dependingonthere-questeddocumentandtheimagesusedtoembedthehiddenresponse,thenumberofvisibleHTTPrequestsrequiredtosendagivenamountofhiddendatamayvary.Wemicrobenchmarkedthemainoperationsinvolvedincontentpreparation.First,weranamicrobenchmarkofoutguessinanattempttodeterminetherateatwhichitcanembeddataintoimages.Ourmeasurementsindicatethatoutguessembedsdataintoanimageatarateof20kB/sec,andthatthetimethatoutguesstakestoembeddataisproportionaltothesizeofthecoverimage.Wealsoranmicrobenchmarksongziptodetermineitscomputationalrequirements,aswellasthecompressionra-tiositachievesontypicalHTMLles.Wefetchedthein-dex.htmlpagefrom100popularWebsitesthatwese-lectedfromNielsenNetratings[14]andIRCache[8];themedianlesizefortheseleswas10kB.gzipcompressedtheseHTMLlestoasmuchas12%oftheiroriginalsize;intheworstcase,gzipcompressedtheHTMLleto90%ofitsoriginalsize.Inallcases,compressionofanHTMLlenevertookmorethanBamilliseconds.1010010001000000.10.20.30.40.50.60.70.80.91Bandwidth (kB/s)Percentage of RequestsNo InfranetInfranetFigure13.TheoverheadofrunningInfranetonWebserverperformance.Fordiskboundworkloads,anIn­franetresponderperformscomparablytoanunmodiedApacheserver.7.4ServerOverheadToensureplausibledeniabilityforInfranetrequesters,Infranetrespondersalwaysembedrandomorrequesteddatainthecontenttheyserve.BecausetherespondermustmakenodistinctionbetweenInfranetrequestersandnormalWebclients,anInfranet-enabledWebserverincursadditionaloverheadinservingdatatoallclients.Therefore,todeterminetheperformanceimplicationsofrunninganInfranetresponder,wesubmittedanidenticalsequenceofrequeststoanInfranet-enabledApacheserverandanordinaryApacheserver.TherequesttracecontainsasequenceofvisibleHTTPrequeststhatweregeneratedbyusinganInfranetrequestertomodulatetherequestsinthesetof100popularWebsites.Figure13showstheadditionaloverheadofrunningIn-franet.Becausetheservermustembedeveryimagewithdata,regardlessofwhetheritisservinganInfranetrequestornot,runningInfranetincursanoticeableperformancepenalty.16%ofallrequestsservedonanInfranetresponderachieved300kB/sorless,and89%ofrequestsweretrans-ferredat1MB/sorless.Incontrast,62%ofrequestsonanormalApacheserverweredeliveredat1MB/sorgreater.Nevertheless,fordiskboundworkloads,anInfranetrespon-derperformscomparablytoaregularApacheserver.Band-widthachievedbyInfranetneverdropsbelow32%ofthatachievedbyanApacheserverrunningwithoutInfranet,andiswithin90%ofApachewithoutInfranetfor25%ofre-quests.Ourcurrentimplementationhasnotbeenoptimized,andwebelievewecanreducethisoverhead.Onewaytodosomightbetopre-fetchorcachecommonlyrequestedcen-soredcontent.Theoverheadofrunningoutguesscould Infranet\rRequester\rInfranet\rForwarder\rInfranet\rResponder\rCensor\rURL\rURL\rHidden\rcontent\rbHidden\rcontent\rb(UID, Link\rcnumber)\r(UID,\rcEncrypted\rcontent)\rbFigure14.Animprovedarchitectureseparatesthefor­wardinganddecodingofhiddenmessagesinbothdi­rections.Thisallowsapotentiallyuntrustedforwardertoservicerequestsandservehiddencontent.TheUIDservestodemultiplexrequesters.bereducedbypre-computingtheleast-signicantbitsoftheDCTforeachimageonthesite.8EnhancementsTothispoint,wehaveassumedthatInfranetrequestersoftwarecanbedistributedonaphysicalmedium,suchasaCD-ROM.However,thisdistributionmechanismisslow,providesevidenceforculpability,andismucheasierforop-pressivegovernmentstocontrolthanelectronicdistribution.Thus,afutureenhancementwouldallowclientstodown-loadtheInfranetrequestersoftwareoverInfranetitself,es-sentiallybootstrappingtheInfranetrequester.ThearchitecturewepresentedinSection3doesnotpro-tectagainstanimpersonationattackwherebyacensores-tablishesanInfranetresponderanddiscoversrequestersbyidentifyingtheWebclientsthatsendmeaningfulInfranetrequests.Figure14showsanimprovedsystemarchitec-ture,wherearequesterforwardsvisibleHTTPrequeststoatrustedresponderthroughapotentiallyuntrustedforwarder,suchthatonlytherespondercanrecoverthehiddenrequest.Respondersfetchandencryptrequestedcontentandreturnittotherequesterthroughaforwarder,whichhidestheencryptedcontentinimages.Thisschemeprovidessev-eralimprovements.First,blockingaccesstoInfranetbe-comesmoredifcult,becausearequestercancontactanyforwarder,trustedoruntrusted,togainaccess.Second,thecensorcanbecomeaforwarder,butitismuchmoredifcultforthecensortobecomeatrustedresponder.Inthecurrenttunnelcommunicationprotocol,anIn-franetrequesterandrespondertaketurnstransmittingmes-sages.ItisconceivablethataschemecouldbedevisedwherebytheHTTPrequestsusedtofetchtherequestedcon-tentcouldalsobeusedtotransmitthenexthiddenmessage,thusinterleavingtheretrievalofhiddeninformationwiththetransmissionofthenexthiddenmessage.Sincetherearemanyconceivablewaysofperformingmodulationandhiding,itislikelythattherewillbemanydifferentversionsofthetunnelcommunicationprotocol.Tunnelsetupshouldbeamendedtoincludeversionagree-ment,suchthatifsomeparticularaspectofthetunnelproto-colinagivenversionisfoundtobeinsecure,therequesterandrespondercaneasilyadapttorunadifferentversion.9ConclusionInfranetenablesuserstocircumventWebcensorshipandsurveillancebyestablishingcovertchannelswithaccessibleWebservers.Infranetrequesterscomposesecretmessagesusingsequencesofrequeststhatarehardforacensortodetect,andInfranetresponderscovertlyembeddataintheopenlyreturnedcontent.Theresultingtrafcresemblesthetrafcgeneratedbynormalbrowsing.Hence,Infranetpro-videsbothaccesstosensitivecontentandplausibledenia-bilityforusers.Infranetusesatunnelprotocolthatprovidesacovertcommunicationchannelbetweenrequestersandresponders,modulatedoverstandardHTTPtransactions.Intheup-streamdirection,InfranetrequesterssendcovertmessagestoInfranetrespondersbyassociatingadditionalsemanticstotheHTTPrequestsbeingmade.Inthedownstreamdi-rection,Infranetrespondersreturncontentbyhidingcen-soreddatainuncensoredimagesusingsteganographictech-niques.Whiledownstreamcondentialityisachievedusingasessionkey,upstreamcondentialityisachievedbycon-dentiallyexchangingamodulationfunction.Ourupstreamanddownstreamprotocolssolvetwoin-dependentproblems,andeachcanbetackledseparately.AlthoughourprotocolisoptimizedfordownloadingWebpages,itactuallyprovidesachannelforarbitrarytwo-waycommunication;forexample,Infranetcouldbeusedtocarryoutaremoteloginsession.OursecurityanalysisshowedthatInfranetcansuc-cessfullycircumventseveralsophisticatedcensoringtech-niques,rangingfromactiveattackstopassiveattackstoim-personation.OurperformanceanalysisshowedthatInfranetprovidesacceptablebandwidthforcovertWebbrowsing.Therange-mappingalgorithmforupstreamcommunicationallowstherequestertoinnocuouslytransmitahiddenre-questinanumberofvisibleHTTPrequeststhatispropor-tionaltothebinaryentropyofthehiddenrequestdistribu-tion.WebelievethatthewidespreaddeploymentofInfranetrespondersbundledwithWebserversoftwarehasthepo-tentialtoovercomevariousincreasinglyprevalentformsofcensorshipandsurveillanceontheWeb.AcknowledgmentsWethankSameerAjmaniandDaveAndersenforsev-eralhelpfuldiscussions,andFrankDabek,KevinFu,KyleJamieson,JaeyeonJung,DavidMartin,andRobertMorrisforusefulcommentsondraftsofthispaper. References[1]M.AdlerandB.Maggs.Protocolsforasymmetriccommunicationchannels.InProceedingsof39thIEEESymposiumonFoundationsofComputerScience(FOCS),PaloAlto,CA,1998.[2]Anonymizer.http://www.anonymizer.com/.[3]I.Clarke,O.Sandbert,B.Wiley,andT.Hong.Freenet:Adistributedanonymousinformationstorageandretrievalsystem.InProceedingsoftheWorkshoponDesignIssuesinAnonymityandUnobservability,Berkeley,CA,July2000.[4]R.Dingledine,M.Freedman,andD.Molnar.TheFreeHavenProject:Distributedanonymousstorageservice.InProceedingsoftheWorkshoponDesignIssuesinAnonymityandUnobservability,Berkeley,CA,July2000.[5]gzip.http://www.gzip.org/.[6]F.HartungandB.Girod.Digitalwatermarkingofrawandcom-pressedvideo.InProc.EuropeanEOS/SPIESymposiumonAd-vancedImagingandNetworkTechnologies,pages205–213,Berlin,Germany,October1996.[7]A.Hintz.Fingerprintingwebsitesusingtrafcanalysis.InWorkshoponPrivacyEnhancingTechnologies,SanFrancisco,CA,April2002.[8]IRCache.http://www.ircache.net/.[9]B.W.Lampson.Anoteontheconnementproblem.Communica-tionsoftheACM,16(10):613–615,October1973.[10]J.Lee.CompaniescompetetoprovideSaudiInternetveil,Novem-ber19,2001.http://www.nytimes.com/2001/11/19/technology/19SAUD.html.[11]D.MartinandA.Schulman.DeanonymizingusersoftheSafeWebanonymizingservice.InProc.11thUSENIXSecuritySymposium,SanFrancisco,CA,August2002.[12]P.Meller.EuropemovingtowardbanonInternethatespeech,November10,2001.http://www.nytimes.com/2001/11/10/technology/10CYBE.html.[13]A.J.Menezes.EllipticCurvePublicKeyCryptosystems.KluwerAcademicPublishers,Boston,MA,1993.[14]NielsenNetratings'Top25.http://pm.netratings.com/nnpm/owa/NRpublicreports.toppropertiesweekly,November25,2001.[15]OpenSSL.http://www.openssl.org/.[16]Outguess.http://www.outguess.org/.[17]N.Provos.Defendingagainststatisticalsteganalysis.InProc.10thUSENIXSecuritySymposium,Washington,D.C.,August2001.[18]M.ReiterandA.Rubin.Crowds:Anonymityforwebtrans-actions.ACMTransactionsonInformationandSystemSecurity(TISSEC),1:66–92,November1998.http://www.research.att.com/projects/crowds/.[19]SafeWeb.http://www.safeweb.com/.[20]L.J.SchulmanandD.Zuckerman.Asymptoticallygoodcodescor-rectinginsertions,deletions,andtranspositions.InSymposiumonDiscreteAlgorithms,pages669–674,1997.[21]SquidWebProxyCache.http://www.squid-cache.org/.[22]L.Steinetal.WritingApacheModuleswithPerlandC:TheApacheAPIandmodperl.O'ReillyandAssociates,Sebastopol,CA,March1999.[23]Stunnel—universalSSLwrapper.http://www.stunnel.org/.[24]Zero-KnowledgeSystems.FreedomWebSecure.http://www.freedom.net/products/websecure/.[25]P.Syverson,M.Reed,andD.Goldschlag.Onionroutingaccesscongurations.InDARPAInformationSurvivabilityConferenceandExposition,pages34–40,HiltonHeadIsland,SC,January2000.http://www.onion-router.net.[26]TheCultoftheDeadCow(cDc).Peekabooty.http://www-peek-a-booty.org.[27]TriangleBoy.http://fugu.safeweb.com/sjws/solutions/triangle_boy.html.[28]VoiceofAmerica.http://www.voa.gov/.[29]M.WaldmanandD.Mazieres.Tangler:Acensorship-resistantpub-lishingsystembasedondocumententanglements.InProceedingsofthe8thACMConferenceonComputerandCommunicationsSecu-rity,Philadelphia,PA,November2001.[30]M.Waldman,A.Rubin,andL.Cranor.Publius:Arobust,tamper-evident,censorship-resistant,webpublishingsystem.InProc.9thUSENIXSecuritySymposium,pages59–72,Denver,CO,August2000.[31]I.H.Witten,R.M.Neal,andJ.G.Cleary.Arithmeticcodingfordatacompression.CommunicationsoftheACM,30(6):520–540,Febru-ary1987.