research-article

Recent Trends on Privacy-Preserving Technologies under Standardization at the IETF

Published: 19 July 2023

Abstract

End-users are concerned about protecting the privacy of the sensitive personal data generated while they use information systems. This extends both to the data they actively provide, including personal identification in exchange for products and services, and to related metadata, such as unnecessary access to their location. This is where privacy-preserving technologies come into play, and the Internet Engineering Task Force (IETF) plays a major role in incorporating such technologies at the fundamental level. Thus, this paper offers an overview of the privacy-preserving mechanisms for layer 3 (i.e., IP) and above that are currently under standardization at the IETF. This includes encrypted DNS at layer 5, classified as DNS-over-TLS (DoT), DNS-over-HTTPS (DoH), and DNS-over-QUIC (DoQ), where underlying technologies like QUIC belong to layer 4. Following that, we discuss the Privacy Pass protocol and its application in generating Private Access Tokens and Passkeys to replace passwords for authentication at the application layer (i.e., end-user devices). Lastly, to protect user privacy at the IP level, Private Relays and MASQUE are discussed. The aim is to make designers, implementers, and users of the Internet aware of privacy-related design choices.


Published in

ACM SIGCOMM Computer Communication Review, Volume 53, Issue 2
April 2023
45 pages
ISSN: 0146-4833
DOI: 10.1145/3610381

Copyright © 2023 Copyright is held by the owner/author(s)

Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

Publisher

Association for Computing Machinery, New York, NY, United States
