Delivery-Date: Tue, 04 Aug 2015 11:00:03 -0400
Return-Path: <tor-talk-bounces@lists.torproject.org>
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on moria.seul.org
X-Spam-Level: 
X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_MED,
	T_RP_MATCHES_RCVD autolearn=ham version=3.3.1
X-Original-To: archiver@seul.org
Delivered-To: archiver@seul.org
Received: from eugeni.torproject.org (eugeni.torproject.org [38.229.72.13])
	(using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by khazad-dum.seul.org (Postfix) with ESMTPS id 115301E0189;
	Tue,  4 Aug 2015 11:00:01 -0400 (EDT)
Received: from eugeni.torproject.org (localhost [127.0.0.1])
	by eugeni.torproject.org (Postfix) with ESMTP id 2E57532F43;
	Tue,  4 Aug 2015 14:59:56 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by eugeni.torproject.org (Postfix) with ESMTP id ABF0B32384
 for <tor-talk@lists.torproject.org>; Tue,  4 Aug 2015 14:59:52 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at 
Received: from eugeni.torproject.org ([127.0.0.1])
 by localhost (eugeni.torproject.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id mopL3R911it7 for <tor-talk@lists.torproject.org>;
 Tue,  4 Aug 2015 14:59:52 +0000 (UTC)
Received: from emea01-db3-obe.outbound.protection.outlook.com
 (mail-db3on0112.outbound.protection.outlook.com [157.55.234.112])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits))
 (Client CN "mail.protection.outlook.com",
 Issuer "MSIT Machine Auth CA 2" (not verified))
 by eugeni.torproject.org (Postfix) with ESMTPS id 52D8B2139C
 for <tor-talk@lists.torproject.org>; Tue,  4 Aug 2015 14:59:52 +0000 (UTC)
X-Greylist: delayed 942 seconds by postgrey-1.34 at eugeni;
 Tue, 04 Aug 2015 14:59:52 UTC
Received: from HE1PR01MB0780.eurprd01.prod.exchangelabs.com (10.162.22.147) by
 HE1PR01MB0779.eurprd01.prod.exchangelabs.com (10.162.22.146) with
 Microsoft
 SMTP Server (TLS) id 15.1.225.19; Tue, 4 Aug 2015 14:44:05 +0000
Received: from HE1PR01MB0780.eurprd01.prod.exchangelabs.com ([10.162.22.147])
 by HE1PR01MB0780.eurprd01.prod.exchangelabs.com ([10.162.22.147])
 with mapi id 15.01.0225.018; Tue, 4 Aug 2015 14:44:05 +0000
From: "Murdoch, Steven" <s.murdoch@ucl.ac.uk>
To: "tor-talk@lists.torproject.org" <tor-talk@lists.torproject.org>, "Patrick
 Schleizer" <patrick-mailinglists@whonix.org>
Thread-Topic: [tor-talk] Can TCP Sequence Numbers leak System Clock?
Thread-Index: AQHQxvntgw46sQMtd0OCf55x9e49u537+jEA
Date: Tue, 4 Aug 2015 14:44:05 +0000
Message-ID: <2C16B561-ADEA-476F-A745-4FBD23E31E0C@live.ucl.ac.uk>
References: <55B3BE1F.6000902@whonix.org>
In-Reply-To: <55B3BE1F.6000902@whonix.org>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: spf=none (sender IP is )
 smtp.mailfrom=s.murdoch@ucl.ac.uk; 
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: [62.254.144.133]
x-microsoft-exchange-diagnostics: 1; HE1PR01MB0779;
 5:wTMqnpZWopNruUt112lRhfj5iZjctBNgZ9ZCWdGiHs8vEZ7l3JFEJ0j9WWnrPgtTPHVVLg4LNzgsBx1QzD0ZryOaG4u3x9DKyTIvuCwkxkjFddblkAAf3eiRS0GRexszwrkOj5fS91j8ChVu6lkLoQ==;
 24:Q1u2aa26VTJp1uUbz+7TKHWeo1bsDN/2BzFaRDTZwA7OP5lSBqd1aLi0O/grKOftyQAEajqU8mc/Ccv7R7VnQjrRSC+AfWVGmva3qf1N/lo=;
 20:2F0BKBSSABY5r1Y1c6tnYrUpfCFP69Z89UNxQrUHp53qJqCpPXj8w9DRK3fR8D9TrvIrSO1F7U6xkNOjADtvvw==
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:HE1PR01MB0779;
x-ucllive-sclrule: HASRUN
x-microsoft-antispam-prvs: <HE1PR01MB077916DCAC9B183471CE5962AB760@HE1PR01MB0779.eurprd01.prod.exchangelabs.com>
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0;
 RULEID:(601004)(5005006)(3002001); SRVR:HE1PR01MB0779; BCL:0; PCL:0; RULEID:;
 SRVR:HE1PR01MB0779; 
x-forefront-prvs: 0658BAF71F
x-forefront-antispam-report: SFV:NSPM;
 SFS:(10019020)(6009001)(24454002)(199003)(189002)(50986999)(82746002)(189998001)(74482002)(2501003)(97736004)(2656002)(5001960100002)(46102003)(87936001)(64706001)(81156007)(5002640100001)(4001540100001)(76176999)(66066001)(54356999)(5001830100001)(5001770100001)(101416001)(33656002)(5001860100001)(2950100001)(106356001)(40100003)(86362001)(2900100001)(19580405001)(19580395003)(122556002)(77156002)(62966003)(83716003)(105586002)(68736005)(102836002)(92566002)(77096005)(106116001)(15975445007)(104396002);
 DIR:OUT; SFP:1102; SCL:1; SRVR:HE1PR01MB0779;
 H:HE1PR01MB0780.eurprd01.prod.exchangelabs.com; FPR:; SPF:None;
 PTR:InfoNoRecords; A:1; MX:1; LANG:en; 
received-spf: None (protection.outlook.com: ucl.ac.uk does not designate
 permitted sender hosts)
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-ID: <99599502436DC243B893FF9FD01C2770@eurprd01.prod.exchangelabs.com>
MIME-Version: 1.0
X-OriginatorOrg: ucl.ac.uk
X-MS-Exchange-CrossTenant-originalarrivaltime: 04 Aug 2015 14:44:05.4926 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 1faf88fe-a998-4c5b-93c9-210a11d9a5c2
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR01MB0779
Cc: The Tails public development discussion list <tails-dev@boum.org>,
 Whonix-devel <whonix-devel@whonix.org>
Subject: Re: [tor-talk] Can TCP Sequence Numbers leak System Clock?
X-BeenThere: tor-talk@lists.torproject.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: tor-talk@lists.torproject.org
List-Id: "all discussion about theory, design,
 and development of Onion Routing" <tor-talk.lists.torproject.org>
List-Unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, 
 <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
List-Archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-Post: <mailto:tor-talk@lists.torproject.org>
List-Help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-Subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, 
 <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: tor-talk-bounces@lists.torproject.org
Sender: "tor-talk" <tor-talk-bounces@lists.torproject.org>

On 25 Jul 2015, at 17:49, Patrick Schleizer <patrick-mailinglists@whonix.org> wrote:
> On the other hand, I've read the claim "The kernel embeds the system
> time in microseconds in TCP connections.", but I haven't found the code
> in question to confirm, that this is so. Any idea?

The code is here:
  http://lxr.free-electrons.com/source/net/core/secure_seq.c

In particular the seq_scale(u32 seq) function introduces the timestamp.

So if you see two initial sequence numbers for TCP streams between the same source/destination port/IP then you can work out the time difference (in units of 64 ns) according to the clock of the other end point.

Best wishes,
Steven
 
 

-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

