Traffic analysis is a means of gleaning useful information from a message without knowledge of the content of the message itself. Various bits of information about the sender, receiver, mode, frequency, timing, and length of the message in question are used in traffic analysis.

Because traffic analysis does not rely on knowledge of the actual content of a given message, it is especially useful for getting around the obstacle posed by encrypted communication.


An example of traffic analysis used on a simple encrypted conversation:

Alice, a human rights activist regularly under surveillance by the totalitarian regime which grips her country, encrypts a message containing an account of a human rights violation to Bob, a newspaper reporter, and sends it to Bob via email.

If Alice has never sent an encrypted message before, then it can be inferred that this message is important. If the message was sent soon after Alice was seen to have witnessed the human rights violation in question, then it can be inferred that the message concerns this particular human rights violation.

Without even trying to crack the encryption, traffic analysis has been successfully applied to infer meaning from the frequency and timing of Alice's message.

The totalitarian regime now has probable cause to arrest Alice and use Rubber-Hose cryptanalysis to find out the content of the message or otherwise compromise the communication channel.


Traffic analysis becomes even more useful as a means of circumventing the various safeguards offered by primitive anonymous remailers.

An example of traffic analysis used on a simple anonymous remailer communication:

Alice wants to contact Bob again to report another human rights violation. She has learned from her past run-in with the totalitarian regime and has now decided to send her encrypted message via an anonymous remailer. Thus, even if it is obvious that Alice has sent a message, the totalitarian regime will not know its destination, and even if it is obvious that Bob has received a message, the regime won't know who sent it. However, by carefully monitoring all of the messages going through every remailer, it is possible to apply traffic analysis to find out that Alice sent an encrypted message to Bob.

First, one could note the size of the message. If the message is unusually sized, perhaps very large or very small in relation to other messages, then that size anomaly could be used to infer the origin and destination, so that if Bob receives the largest message going through the remailer and Alice had sent the largest message, then it can be inferred that Alice sent a message to Bob.

A stream of very small messages might artificially be sent through the remailer by the totalitarian regime itself to flush out Alice's message (it will stand out by size and by the simple fact that hers will be the only one that isn't theirs).

Yet another piece of information can be gleaned from a message going through a chain of usually idle remailers. If Alice sent a message into a remailer chain and Bob receives it without other messages going through the idle chain, then it must be Alice's message to Bob. Once it has been established that this is Alice's encrypted message to Bob, Alice is no better off than in the first example.


Mixmaster remailers were invented to address these and other weaknesses of the simple Cypherpunk remailers. The most notable traffic-analysis-resisting feature of Mixmasters is that they split all messages into small, equal-sized chunks. Thus every message going through a Mixmaster looks like every other message as far as traffic analysis is concerned. Some other tricks Mixmasters use to thwart traffic analysis include injecting spurious data into the communication stream and sending out packets at random intervals and in random order. These techniques make the flushing-out technique described above ineffective.

There are many other, simpler, uses for traffic analysis. For example, an employer only needs to know that you've been surfing pr0n in order to be displeased without having to see the content of the web sites him/herself. Also, encryption is completely illegal in some countries and Alice, our poor human rights activist, will be thrown in jail or worse for just sending an encrypted message whether to Bob or a remailer chain. This is where Steganography becomes useful.
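An added illustration, not part of sgoldgaber's writeup: a toy model of the size-based analysis and the "flushing out" flood described above, run against a simple forwarding remailer and then against a Mixmaster-style one that pads everything into equal-sized chunks, adds cover chunks and releases the batch in random order. The names, message sizes, chunk size and the observer's size-matching rule are all constructed for the demonstration.

```python
"""Added example, not part of the original writeups: a toy model of size-based
traffic analysis against a simple remailer, and of the Mixmaster defences
(equal-sized chunks, dummy traffic, random release order). All names, sizes
and the chunk size are constructed for the demonstration."""
import random

# Constructed traffic through one remailer: (sender, recipient, bytes).
TRAFFIC = [
    ("alice", "bob", 48_000),   # Alice's report is far larger than the rest
    ("carol", "dave", 1_200),
    ("erin", "frank", 900),
    ("grace", "heidi", 1_500),
]
CHUNK = 10_240                  # constructed fixed chunk size


def cypherpunk_remailer(traffic, seed=0):
    """Simple remailer: strips the sender and forwards each message as-is.
    Returns what a passive observer of both links sees: inbound (sender, size)
    pairs and outbound (recipient, size) pairs, in delivery order."""
    inbound = [(s, size) for s, _, size in traffic]
    outbound = [(r, size) for _, r, size in traffic]
    random.Random(seed).shuffle(outbound)   # reordering alone changes nothing
    return inbound, outbound


def mixmaster_remailer(traffic, chunk=CHUNK, dummies=2, seed=0):
    """Mixmaster-style remailer: every message is split into chunks of exactly
    `chunk` bytes (the last one padded), `dummies` cover chunks are added, and
    the whole batch is released in random order."""
    rng = random.Random(seed)
    inbound, outbound = [], []
    for s, r, size in traffic:
        n = -(-size // chunk)                # ceil(size / chunk)
        inbound += [(s, chunk)] * n
        outbound += [(r, chunk)] * n
    outbound += [("cover", chunk)] * dummies   # spurious data, no real recipient
    rng.shuffle(inbound)
    rng.shuffle(outbound)
    return inbound, outbound


def candidate_senders(inbound, outbound):
    """The observer's inference from size alone: for each recipient, the set of
    senders whose submitted message had the same size as something delivered to
    that recipient. A singleton set means the link is exposed; a larger set is
    the recipient's anonymity set."""
    senders_by_size = {}
    for sender, size in inbound:
        senders_by_size.setdefault(size, set()).add(sender)
    candidates = {}
    for recipient, size in outbound:
        candidates.setdefault(recipient, set()).update(senders_by_size.get(size, set()))
    return candidates


def flooded(traffic, n=20):
    """The 'flushing out' trick from the writeup: the regime pushes many tiny
    messages of its own through the remailer so that anything it did not send
    stands out. With fixed-size chunks its own messages become indistinguishable
    from Alice's, so the flood only enlarges her anonymity set."""
    return traffic + [("regime", "regime", 64)] * n


if __name__ == "__main__":
    for name, remailer in [("cypherpunk", cypherpunk_remailer),
                           ("mixmaster", mixmaster_remailer)]:
        who = candidate_senders(*remailer(flooded(TRAFFIC)))
        print(f"{name}: bob's message could have come from {sorted(who['bob'])}")
```

The same model covers the idle-chain case: with the simple remailer the anonymity set for a lone message is whoever submitted in that window, which for an otherwise idle chain is one sender; the Mixmaster's batching and random release order mean a delivered chunk can only ever be tied to the whole batch. Note that the protection is still bounded by the batch: if Alice is the only real sender in it, padding alone does not save her, which is why Mixmasters also generate cover traffic.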

Here's a military viewpoint to add to sgoldgaber's excellent wu, as the world of signals intelligence (SIGINT) and electronic warfare (EW) is another important arena where traffic analysis (TA) is employed.

In a tactical environment, knowing as much about the enemy as possible is often the key to winning or losing. How an enemy uses their radios, how many and what kind of radios there are, and the order they are used can be combined with radio direction-finding (RDF) and other EW techniques to learn about the foe. For example, the act of communication itself tells the analyst about the organizational structure of the enemy. Who talks to whom and in what sequence tells the trained listener a great deal. Without even understanding what is being said, using RDF to determine the location of the radios and TA to plot the order and volume of communications will expose the command structure of the target group. If one has the ability to determine transmitter strength, the task is even easier, as vehicle-mounted radios are more powerful than carried devices, and radios powered from an external generator more powerful than those powered by a vehicle.

The number of radios is also an important piece of information on the battlefield. A cluster of radios usually designates either a command post, a group of vehicles, or a unit of elite troops, as even the equipment-heavy US has yet to outfit every single foot soldier with a radio. This information combined with RDF and TA will usually determine the type of unit, as movement direction and speed are also important puzzle pieces to be incorporated into the big picture. This tactic can be extended even further in some cases into considering the number of radios equipped with scramblers, as many forces do not have the money needed to outfit every radio-carrying unit with encrypted comms.
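An added illustration of the "who talks to whom and in what sequence" point, not part of the writeup above: given nothing but a log of which station transmitted to which station and when, a few lines of bookkeeping recover a plausible command tree. It is the same exercise a unit's own emission-control review would run over its intercepted call logs to see how much structure it is leaking. The call signs, timings and the reply-window rule are constructed for the example.

```python
"""Added example, not from the writeup: how much organisational structure a
purely metadata-based picture can recover from intercept logs. The net, call
signs and timings are constructed; the inference rules (who opens exchanges,
fan-out) are the ones the writeup describes in prose."""
from collections import Counter, defaultdict

# Constructed intercept log: (seconds, transmitting station, addressed station).
# Content is unknown; only direction-finding and timing are assumed available.
LOG = [
    (0, "K1", "S2"), (7, "S2", "K1"),
    (40, "K1", "S3"), (46, "S3", "K1"),
    (95, "K1", "S4"), (102, "S4", "K1"),
    (300, "S3", "T7"), (305, "T7", "S3"),
    (330, "S3", "T8"), (336, "T8", "S3"),
    (600, "K1", "S2"), (604, "S2", "K1"),
]


def openings(log, gap=60):
    """Transmissions that open an exchange rather than answer one: the
    addressed station has not itself transmitted within `gap` seconds
    (constructed reply window)."""
    last_tx = {}          # station -> time of its most recent transmission
    opened = []
    for t, src, dst in log:
        if dst not in last_tx or t - last_tx[dst] > gap:
            opened.append((src, dst))
        last_tx[src] = t
    return opened


def contacts(log):
    """Distinct stations each station exchanges traffic with (its fan-out)."""
    peers = defaultdict(set)
    for _, src, dst in log:
        peers[src].add(dst)
        peers[dst].add(src)
    return {k: sorted(v) for k, v in peers.items()}


def command_tree(log, gap=60):
    """Who appears to direct whom: a station's superior is the station that
    most often opens exchanges with it. Stations nobody opens to are roots."""
    openers = defaultdict(Counter)
    for src, dst in openings(log, gap):
        openers[dst][src] += 1
    return {dst: c.most_common(1)[0][0] for dst, c in openers.items()}


def rank_by_activity(log, gap=60):
    """Order stations by how many exchanges they open, then by how many
    distinct stations they talk to; the top entries are the likely net control."""
    opened = Counter(src for src, _ in openings(log, gap))
    peers = contacts(log)
    return sorted(peers, key=lambda s: (-opened[s], -len(peers[s]), s))


if __name__ == "__main__":
    print("likely net control:", rank_by_activity(LOG)[:2])
    for station, superior in sorted(command_tree(LOG).items()):
        print(f"  {station} reports to {superior}")
```

Every conclusion here rests on timing and addressing alone, which is the writeup's point: the defence is not stronger encryption but changing the pattern, for instance by having subordinates open exchanges on a schedule, or by padding the net with scheduled dummy calls so that who-opens-to-whom no longer mirrors the chain of command.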
