Delivery-Date: Sat, 25 Jul 2015 12:49:56 -0400
Return-Path: <tor-talk-bounces@lists.torproject.org>
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on moria.seul.org
X-Spam-Level: 
X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_MED,
	T_RP_MATCHES_RCVD,UNPARSEABLE_RELAY autolearn=ham version=3.3.1
X-Original-To: archiver@seul.org
Delivered-To: archiver@seul.org
Received: from eugeni.torproject.org (eugeni.torproject.org [38.229.72.13])
	(using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by khazad-dum.seul.org (Postfix) with ESMTPS id D42151E06C6;
	Sat, 25 Jul 2015 12:49:53 -0400 (EDT)
Received: from eugeni.torproject.org (localhost [127.0.0.1])
	by eugeni.torproject.org (Postfix) with ESMTP id 0CA97367AF;
	Sat, 25 Jul 2015 16:49:48 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by eugeni.torproject.org (Postfix) with ESMTP id 5E41636786
 for <tor-talk@lists.torproject.org>; Sat, 25 Jul 2015 16:49:45 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at 
Received: from eugeni.torproject.org ([127.0.0.1])
 by localhost (eugeni.torproject.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id M9yEbbANhTib for <tor-talk@lists.torproject.org>;
 Sat, 25 Jul 2015 16:49:45 +0000 (UTC)
Received: from mx1.riseup.net (mx1.riseup.net [198.252.153.129])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "*.riseup.net",
 Issuer "COMODO RSA Domain Validation Secure Server CA" (not verified))
 by eugeni.torproject.org (Postfix) with ESMTPS id 3AB6F36737
 for <tor-talk@lists.torproject.org>; Sat, 25 Jul 2015 16:49:42 +0000 (UTC)
Received: from cotinga.riseup.net (unknown [10.0.1.161])
 (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits))
 (Client CN "*.riseup.net",
 Issuer "COMODO RSA Domain Validation Secure Server CA" (verified OK))
 by mx1.riseup.net (Postfix) with ESMTPS id 2EAB041E67;
 Sat, 25 Jul 2015 16:49:39 +0000 (UTC)
Received: from [127.0.0.1] (localhost [127.0.0.1])
 (Authenticated sender: adrelanos) with ESMTPSA id B79EA1C0365
Message-ID: <55B3BE1F.6000902@whonix.org>
Date: Sat, 25 Jul 2015 16:49:35 +0000
From: Patrick Schleizer <patrick-mailinglists@whonix.org>
MIME-Version: 1.0
To: tor-talk@lists.torproject.org, szander@swin.edu.au, 
 s.murdoch@ucl.ac.uk
X-Virus-Scanned: clamav-milter 0.98.7 at mx1
X-Virus-Status: Clean
Cc: The Tails public development discussion list <tails-dev@boum.org>,
 Whonix-devel <whonix-devel@whonix.org>
Subject: [tor-talk] Can TCP Sequence Numbers leak System Clock?
X-BeenThere: tor-talk@lists.torproject.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: tor-talk@lists.torproject.org
List-Id: "all discussion about theory, design,
 and development of Onion Routing" <tor-talk.lists.torproject.org>
List-Unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, 
 <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
List-Archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-Post: <mailto:tor-talk@lists.torproject.org>
List-Help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-Subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, 
 <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: tor-talk-bounces@lists.torproject.org
Sender: "tor-talk" <tor-talk-bounces@lists.torproject.org>

Hi!

Is it possible to derive and/or estimate the system clock by observing
TCP sequence numbers?

Jacob Appelbaum [1]:
> In the Linux kernel, TCP Sequence numbers embed the system clock and
then hash it. Yet another way to leak the system clock to the network.

As I understand the paper 'An Improved Clock-skew Measurement Technique
for Revealing Hidden Services' [2] (6/23 = pdf page 3), it implies that
TCP sequence numbers can leak the system clock.

> Some clocks can be queried remotely:
> Clock: TCP sequence numbers
> Firewall: Cannot be blocked
> Other: Linux specific, very difficult to use

Is this the case or does that paper mean something else?

On the other hand, I've read the claim "The kernel embeds the system
time in microseconds in TCP connections.", but I haven't found the code
in question to confirm, that this is so. Any idea?

Was also recently raised on Tor's issue tracker. [3]

More resources: [4] [5]

Cheers,
Patrick

[1] https://twitter.com/ioerror/status/509159304323416064
[2] http://caia.swin.edu.au/talks/CAIA-TALK-080728A.pdf
[3] https://trac.torproject.org/projects/tor/ticket/16659
[4] http://lxr.free-electrons.com/source/net/ipv4/tcp_ipv4.c
[5]
http://stackoverflow.com/questions/12231623/initial-sequence-number-generation-in-linux-tcp-stack/12232126#12232126
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

