Title: Fielded Capability: End-to-End VPN SPIN 9 Design Review

Release Date: 2014-12-28

Description: This undated NSA presentation describes the Spin 9 system for decrypting VPN data: see the Der Spiegel story Prying Eyes: Inside the NSA’s War on Internet Security, 28 December 2014.

Document: The overall classification for this brief is:
TOPSECRET//COMINT//REL USA, AUS, CAN, GBR, NZL//20320108

SPIN 9 Design Review

TOP SECRET//COMINT//REL USA, AUS, CAN, GBR, NZL//20320108

VPN Spin 9 Fielded Capability Upgrade

(U) Current Fielded Capability
■ (TS//SI//REL) All current TURMOIL Virtual Private Network (VPN) capabilities
are fielded as Spin 6 Red Architecture software running on Red Architecture
hardware.
VPN Metadata VPN Decryption
Red Red
TEC No capability after Blue transition No capability after Blue transition
on 17-Sep on 17-Sep
YRS No capability No capability
SSO No capability No capability
MHS Live Red Red
MHS Dev No capability No capability

top FiFr.RFT//r;OMiMT//RFi I ira ai JR (ram (RRR M7i //?n3?mna

2

TOP SECRET//COMINT//REL USA, AUS, CAN, GBR, NZL//20320108

VPN Spin 9 Fielded Capability Upgrade

(U) Spin 9 Objectives

■ (S//SI//REL) The Spin 9 Objective for the TURBULENCE (TU) VPN Private
capability is to transition to the Blue Architecture.

■ (S//SI//REL) Spin 9 VPN will implement a redesign of the decryption flow that
reallocates some functionality between TURMOIL, the VPN Attack Orchestrator
(VAO), and the VPN Metrics service.

■ (U) Deliver all capabilities as deployable at the end of Spin 9.

TOP FiFr.RFT//r;OMIMT//RFI I IRA Al JR (RAM (RRR N7I//?n3?DinR

3

TOP SECRET//COMINT//REL USA, AUS, CAN, GBR, NZL//20320108

VPN Spin 9 Fielded Capability Upgrade

(U) Capabilities

■ (TS//SI//REL) The TU VPN capability will implement an operational capability to
detect and decrypt selected communications that are encrypted using IP security
(iPsec) algorithms and protocols. It will forward the unencrypted content to follow-
on processing systems.

■ (TS//SI//REL) The TU VPN capability will collect metadata about IPsec Internet
Key Exchange (IKE) events and forward the metadata to follow-on SIGINT
Development (SIGDEV) systems.

TOP FiFr.RFT//r;OMIMT//RFI I IRA Al JR (RAM (RRR N7I//?n3?DinR

4

TOP SECRET//COMINT//REL USA, AUS, CAN, GBR, NZL//20320108

VPN Spin 9 Fielded Capability Upgrade

(U//FOUO) Exploited Protocols

(TS//SI//REL) IPsec automatic key management protocols establish security
associations between communicants. A security association (SA) is a relationship
between a source and a destination that includes a session key and other
parameters. The VPN capability exploits the following key management protocols:

■ (U) ISAKMP - Internet Security Association and Key Management Protocol
(RFC2407, RFC2408) provides the authentication and key exchange framework.

■ (U) IKE - Internet Key Exchange (RFC2409) provides the authentication and
key exchange mechanisms.

TOP FiFr.RFT//r;OMIMT//RFI I IRA Al JR (RAM (RRR N7I//?n3?DinR

5

TOP SECRET//COMINT//REL USA, AUS, CAN, GBR, NZL//20320108

VPN Spin 9 Fielded Capability Upgrade

(U//FOUO) Exploited Protocols (continued)

(TS//SI//REL) IPsec security protocols provide integrity, confidentiality, and
authentication for higher layer IP protocols. IPsec security protocols use security
associations previously established either manually or by automatic key
management protocols (IKE). The VPN capability targets SA’s that are established
by IKE. The VPN capability exploits the following security protocol:

■ (U) ESP - Encapsulating Security Payload (RFC2406) provides traffic
confidentiality (via encryption) and optionally provides authentication and
integrity protection.

TOP SFr.RFT//mMINT//RFI USA Al JR HAM f,RR N7I //?n3?mna

6

TOP SECRET//COMINT//REL USA, AUS, CAN, GBR, NZL//20320108

VPN Spin 9 Fielded Capability Upgrade

(U) IPsec Operation (Alices Bob)

■ (U) An SA is identified by a 4-tuple , where
the SPI (Security Parameter Index) is chosen by DstIP for SA uniqueness.

■ (U) The Bi-directional ISAKMP SA is negotiated in Phasel and protects the ESP
key negotiations in Phase2.

■ (U) A Uni-directional ESP SA is negotiated in Phase2 and is used to protect the
user’s cleartext.

■ (U) Reverse communication (Bob ■=> Alice) requires a separate ESP SA and is
negotiated using the same ISAKMP SA as used for (Alice ■=> Bob).

TOP FiFr.RFT//r;OMIMT//RFI I IRA AI JR (RAM (RRR N71//?n.3?ninR

7

TOP SECRET//COMINT//REL USA, AUS, CAN, GBR, NZL//20320108

VPN Spin 9 Fielded Capability Upgrade

(U) IPsec Modes

IP Hdr: Src=A, Dst=B ESP Header Encrypted Data ESP Trailer

(U) Transport Mode

■ (U) Original IP Header is preserved

■ (U) ESP Header and Trailer encapsulate and encrypt remaining IP Packet

(U) Tunnel Mode

■ (U) Security Gateway at source encapsulates, encrypts, and adds new IP Header
to original packet,

■ (U) Security Gateway at destination recovers and forwards original packet.

■ (U) Identities of traffic source and destination is concealed

■ (U) Extra padding also may be added to hide packet size

TOP FiFr.RFT//r;OMIMT//RFI I IRA Al JR (RAM (RRR N71//?n.3?ninR

8

TOP SECRET//COMINT//REL USA, AUS, CAN, GBR, NZL//20320108

VPN Spin 9 Fielded Capability Upgrade

(S//SI//REL) TU VPN Products

X (TS//SI//REL) Bundled decrypt are the decrypted packets from an ESP Security
Association prior to any session or application processing.

■ (TS//SI//REL) Sessionized decrypted packets are the decrypted packets that
have been recursively processed by the TURMOIL Stage 1 sessionizer for
SIGDEV.

■ (S//SI//REL) Selected application sessions are the recursed TURMOIL
sessions that have been selected by KEYCARD strong selection and
subsequently processed by TURMOIL Stage 2 application processing.

■ (S//SI//REL) IPsec metadata are derived from IKE events for VPN SIGDEV.

■ (S//SI//REL) VPN metrics are produced by CES CA components for internal use.

TOP FiFr.RFT//r;OMIMT//RFI I IRA Al JR (RAM (RRR N7I//?n3?DinR

9

TOP SECRET//COMINT//REL USA, AUS, CAN, GBR, NZL//20320108

VPN Spin 9 Fielded Capability Upgrade

(S//SI//REL) TU VPN Product Dataflows

X (TS//SI//REL) Bundled decrypt are delivered directly to WEALTHYCLUSTER
2.0 (WC2.0) via TUBE from TURMOIL as packets for application processing that
is not available in TURMOIL.

■ (TS//SI//REL) Sessionized decrypted packets are delivered without selection
(full-take) to XKEYSCORE from TURMOIL for target SIGDEV.

■ (S//SI//REL) Selected application sessions are delivered to PRESSUREWAVE
via TUBE format conversion and EXOPUMP where data and metadata object are
created and inserted into PWV for legacy analytics and analysis tools.

■ (S//SI//REL) IPsec metadata are delivered to TOYGRIPPE via PWV where an
analytic converts IPsec metadata to TGIF format and pushes it to TOYGRIPPE.

■ (S//SI//REL) VPN metrics are delivered to CA Resources by the TURMOIL PIQ
blade via CES firewall.

Reference: VPN Spin 9 Dataflows

TOP SFP.RFT//rnMIMT//RFI I ISA AUS HAM (SRR N7I //?nS?mna

10

TOP SECRET//COMINT//REL USA, AUS, CAN, GBR, NZL//20320108

VPN Spin 9 Fielded Capability Upgrade

(S//SI//REL) TU VPN Product Retrieval Mechanisms

x (S//SI//REL) WC2.0

■ An analyst uses the AGILITY interface on WC2.0 to view selected traffic as
the intended recipient would see it.

■ (S//SI//REL) PRESSUREWAVE

■ The PRESSUREWAVE analytic and standing query pulls, reformats, and
pushes metadata objects to TOYGRIPPE.

■ (S//SI//REL) TOYGRIPPE

■ A SIGDEV analyst uses the TOYGRIPPE query interface to pull VPN
metadata.

TOP FiFr.RFT//r;OMIMT//RFI I IRA AI JR (RAM (RRR N71//?n.3?ninR

11

TOP SECRET//COMINT//REL USA, AUS, CAN, GBR, NZL//20320108

VPN Spin 9 Fielded Capability Upgrade

(U//FOUO) Selection Mechanisms

■ (S//SI//REL) Protocol Selection - Identify VPN traffic in IP traffic

■ IKE: version=4, 0x05
■ ESP: version=4, hdrl_en=5, nxtProtocol=50

■ (S//SI//REL) Session Selection - Identify session packets in VPN traffic

■ IKE: srclP, dstIP, srcPort, desPort, nxtProtocol (5-tuple)

■ ESP: srclP, dstIP, SPI

■ (TS//SI//REL) Target Selection - Identify, select, and task target in VPN sessions

■ KEYCARD performs target selection lookup with IP selectors

■ KEYCARD lookup result determines tasking disposition:

■ Not TRANSFORM (no action)

■ TRANSFORM (decrypt)

■ TRANSFORM+SURVEY (decrvot and send to XKEYSCORE)

■ TRANSFORM+FORWAR^deaBSttHmi send to WC2.0)

■ TRANSFORM+SURVEY+FORWARD (decrypt and send to XKEY !£ WC2.0)

TOP FlFr.RFT//r;OMIMT//RFI IJRA Al JR HAM <3RR W7I 7/20320108

12

TOP SECRET//COMINT//REL USA, AUS, CAN, GBR, NZL//20320108

VPN Spin 9 Fielded Capability Upgrade

(U) Design Constraints
(TS//SI//REL) Spin 9 VPN will use the following components:
Capability Component Function Developer
PIQ-Blade Extends the CES enclave to TURMOIL for decryption and other CA processing CES/ESO
VPN Identification X WC2.0 Receive bundled decrypt for application processing TU
and Decryption VPN Attack Orchestrator (VAO) Provides IKE / ESP matching functionality. It communicates with the PIQ-Blade and is located behind the CES Firewall. CES/SAO/ Txx
VPN Metadata TOYGRIPPE Receives VPN SOTF Metadata via PRESSUREWAVE CES/ESO

top FiFr.RFT//r;OMiMT//RFi I Ira Ai JR (ram (RRR M7i //?n3?mna

13

TOP SECRET//COMINT//REL USA, AUS, CAN, GBR, NZL//20320108

VPN Spin 9 Fielded Capability Upgrade

(U) Delivery Constraints

(TS//SI//REL) Spin 9 VPN will use the following delivery mechanisms:

Capability Product Format Mechanism
VPN XBundled decrypt for WC2.0 SOTF MAILORDER
Identification and Sessionized decrypted packets
Ctl 1 u Decryption from TURMOIL Data Store to XKEYSCORE SOTF Socket
VPN IKE setup metadata SOTF Socket via TUBE
VPN for PRESSUREWAVE and EXOPUMP
Metadata VPN IKE setup metadata for TGIF MAILORDER via
TOYGRIPPE VPN Analytic

TOP SFPRFT//PPIMINT//RFI I ISA AI IS PAM PRR N7I 7/20320108

14

TOP SECRET//COMINT//REL USA, AUS, CAN, GBR, NZL//20320108

VPN Spin 9 Fielded Capability Upgrade

(U) Management Constraints

■ (S//SI//REL) All VPN deployments must be approved by Chief CES.

TOP RFPRFT//POMINT//RFI I IRA Al JR PAM PRR N7I //?n3?DinR

15

TOP SECRET//COMINT//REL USA, AUS, CAN, GBR, NZL//20320108

VPN Spin 9 Fielded Capability Upgrade

(U) Second and Third Party Constraints

■ (TS//SI//REL) Spin 9 VPN identification and decryption capability will not deploy
to Third Party TU Sites.

■ (U//FOUO) Spin 9 VPN metadata capability will deploy to all TU sites.

TOP FiFr.RFT//r;OMIMT//RFI I IRA Al JR (RAM (RRR N7I//?n3?DinR

16

TOP SECRET//COMINT//REL USA, AUS, CAN, GBR, NZL//20320108

VPN Spin 9 Fielded Capability Upgrade

(U) What Spin 9 VPN will do

■ (S//SI//REL) Packet Detection

■ Detect IKE exchanges

■ Detect ESP packets

■ (S//SI//REL) IPsec Metadata Flow

■ Bundle all detected IKE with SRI and send to PWV

Reference: VPN Spin 9 Sequence Diagram

TOP FiFr.RFT//r:OMIMT//RFI I IRA AI JR (RAM (RRR N71//?n.3?ninR

17

TOP SECRET//COMINT//REL USA, AUS, CAN, GBR, NZL//20320108

VPN Spin 9 Fielded Capability Upgrade

(U) What Spin 9 VPN will do (continued)

■ (TS//SI//REL) ESP Decryption Flow

■ When IKE exchange is observed, lookup IP addresses in KEYCARD. If
tasked for collection, forward to VAO.

■ When ESP is observed, lookup IP addresses in KEYCARD. If tasked for
collection, request key from VAO.

■ If decrypt key is provided by VAO, decrypt ESP packet.

■ Send VPN decrypt metrics to CES VPN Metrics Service in CA Enclave.

■ Recurse decrypted packets to find identifiers tasked for TURMOL processing.

■ Send selected sessions to PWV via TUBE and EXOPUMP.

■ Sessionize all decrypted packets and pass to XKEYSCORE for SIGDEV.

x- Forward all decrypted packets to WC2.0 for additional application processing.

■ Process only Tunnel mode ESP packets.

TOP SFr.RFT//mMINT//RFI USA Al JR HAM f,RR N7I //?n3?mna

18

TOP SECRET//COMINT//REL USA, AUS, CAN, GBR, NZL//20320108

VPN Spin 9 Fielded Capability Upgrade

(U) What Spin 9 VPN will not do

■ (S//SI//REL) Will not process IPsec in other protocol implementations

■ Will not perform pattern-based IKE / ESP detection.

■ Will not process TCP/500, UDP/4500, or TCP/4500 implementations.

■ Will not process IKEv2 (RFC4306).

■ (S//SI//REL) Will not process non-IPsec based VPNs

■ TU VPN capability will only process IPsec based VPNs.

TOP FiFr.RFT//r;OMIMT//RFI I IRA AI JR (RAM (RRR N7I//?n3?DinR

19

TOP SECRET//COMINT//REL USA, AUS, CAN, GBR, NZL//20320108

VPN Spin 9 Fielded Capability Upgrade

(U) End-to-end test

■ (TS//SI//REL) IKE and ESP test packets must use coordinated security
associations

■ (S//SI//REL) Use both synthetic (lab generated) and live collect test data

■ (S//SI//REL) Live test data may only be processed through PIQ blade

■ (TS//SI//REL) Test data characterization must include:

■ 5-tuples (sourcelP, destinationIP, protocol, sourcePort, destinationPort)

■ Number of IKE packets

■ Number of ESP packets

■ Unencrypted ESP payload content

TOP FiFr.RFT//r;OMIMT//RFI I IRA Al JR (RAM (RRR N7I//?n3?DinR

20

TOP SECRET//COMINT//REL USA, AUS, CAN, GBR, NZL//20320108

VPN Spin 9 Fielded Capability Upgrade

(U) Test Scenarios

■(S//SI//REL) “Sunny Day” Scenarios. Single VPN with all IKE/ESP packets
available and VPN Match. Exercise KEYCARD tasking option combinations.

■ (TS//SI//REL) Transform - Decrypt to PRESSUREWAVE; IKE to TOYGRIPPE

■ (TS//SI//REL) Transform & Survey - Decrypt to PRESSUREWAVE &
XKEYSCORE; IKE to TOYGRIPPE

■ (TS//SI//REL) Transform & Forward - Decrypt to PRESSUREWAVE &

XWEALTHYCLUSTER 2.0; IKE to TOYGRIPPE

■ (TS//SI//REL) Transform & Survey & Forward - Decrypt to PRESSUREWAVE,
XKEYSCORE, XWEALTHYCLUSTER 2.0; IKE to TOYGRIPPE

■ (S//SI//REL) Not Transform - IKE to TOYGRIPPE

TOP SFP.RFT//rnMIMT//RFI I IRA Al JR (RAM GRR N7I 7/20320108

21

TOP SECRET//COMINT//REL USA, AUS, CAN, GBR, NZL//20320108

VPN Spin 9 Fielded Capability Upgrade

(U) Test Scenarios (continued)

■ (U) Failure Scenarios.

■ (TS//SI//REL) ESP Decryption fails because bad key is returned by VAO.

■ (S//SI//REL) VAO responds with no key recovered.

■ (S//SI//REL) VAO key response timeout.

■ (S//SI//REL) VAO key response received after response timeout.

■ (S//SI//REL) VAO response received after TDS hold time expires and ESP is
not available.

■ (S//SI//REL) Phase 1 and Phase 2 IKE is complete, but no ESP is collected.

■ (S//SI//REL) ESP is collected, but no IKE is collected.

TOP FiFr.RFT//r;OMIMT//RFI I IRA Al JR (RAM (RRR N7I//?n3?DinR

22

TOP SECRET//COMINT//REL USA, AUS, CAN, GBR, NZL//20320108

VPN Spin 9 Fielded Capability Upgrade

(U) Test Scenarios (continued)

■ (S//SI//REL) Miscellaneous Scenarios.

■ (S//SI//REL) Multiple, rapid (< 30 second) Phase 2 re-keys for same initiator/
responder pair.

■ (S//SI//REL) Two VPN sessions collected concurrently for same IP source.

■ (TS//SI//REL) Decryption flow can be disabled.

■ (S//SI//REL) IKE Metadata flow can be disabled.

TOP FiFr.RFT//r;OMIMT//RFI I IRA Al JR (RAM (RRR N7I//?n3?DinR

23

TOP SECRET//COMINT//REL USA, AUS, CAN, GBR, NZL//20320108

VPN Spin 9
Development & Integration Activities

Metadata Flow

Decryption Subflow: IKE & ESP Sessions to TDS Decryption FlOW

TDS (TML)

top SFnRFT//mMiNT//RFi I ira ai JR (ram (RRR M7i //?n3?mna ¡Bridge (TML)

TMI IÄT fTMl + APP1

24

TOP SECRET//COMINT//20320108

VPN SPIN 9 Dataflows

o

XKEYSCORE

Internet Key Exchange (IKE)

TUBE

_VPN7

T: Socket Connection
C: Sessionized Decrypted Packets
F: SOTF

_VPN5 _____ _______

T: Socket Connection
C: IKE Records
F: SOTF

VPNS

pa

T: Socket Connection
C: Selected Application Sessions*
F: SOTF

VPN9

T: MAILORDER

C: Selected Application Sessons*

F: SOTF

VPN8

T: MAILORDER
C: IKE Records
F: SOTF

4

t

EXOPUMP

Note

* Selected Application Sessions
are identified and selected from
the decrypted packets extracted
from the VPN tunnel and inserted
into the TURMOIL input stream.

~r

Encapsulating Security Payload (ESP)1

TURMOIL

KEYCARD

Interface Key

T = Transport
C = Content
F = Format

VPN1

T: Socket Connection
C: Selector Hit Query/Response
F: Binary

Dataflow Key

Selector Lookup

VPN Metrics

PIQ Blade Monitoring

ESP Key Request/Response

IKE Messages

Selected Application Sessions
IKE Records

Sessionized Decrypted Packets

VPN2
*T: Secure Socket (SSL)™
C: VPN Metrics
F: SOAP
CO
VPN 18 =
T: Secure Socket (SSL) -t—' C\3 (Ü
PIQ C: PIQ Blade Monitoring o £
Blade F: WebSA _i LL w
^ VPN 3 m i • m X co LU • • O
T: Secure Socket (SSL) LLI
C: ESP Key Requet/Response O
F: SOAP
VPN4
T: Secure Socket (SSL)

VPN Metrics

CES Watch

VAO

VPN11

"T: ITx (JMS)

C: Selected Appl Sessions*
F: XMUSOTF

_VPN10

T: ITx (JMS)

C: IKE Records

PRESSURE-

WAVE

F: SOAP

VPN12

T: ITx (JMS)

C: IKE Records
F: SOTF

METROTUBE

P

VPN Analytic

TOYGRIPPE

VPN13

T: MAILORDER
C: IKE Records
F: TGIF

TOP SECRET//COMINT//20320108

25

TOP SECRET//COMINT//20320108

VPN SPIN 9 Metadata Dataflows

o

Internet Key Exchange (IKE)

VPN8

T: MAILORDER
C: IKE Records
F: SOTF

L

EXOPUMP

TURMOIL

Interface Key

T = Transport
C = Content
F = Format

Dataflow Key

IKE Records

VPN10

T: ITx (JMS)

C: IKE Records
F: XML/SOTF

PRESSURE^

WAVE

METROTUBE

VPN12

T: ITx (JMS)

C: IKE Records
F: SOTF

VPN Analytic

TOYGRIPPE,

VPN13

T: MAILORDER
C: IKE Records
F: TGIF

TOP SECRET//COMINT//20320108

26

TOP SECRET//COMINT//20320108

VPN SPIN 9 Decrypt Dataflows

Internet Key Exchange (IKE)
Encapsulating Security Payload (ESP)1

XKEYSCORE

_VPN7

T: Socket Connection
C: Sessionized Decrypted Packets
F: SOTF

VPN6

1 T: Socket Connection

C: Selected Application Sessions’'
F: SOTF

VPN9

T: MAILORDER

C: Selected Application Sessons*

F: SOTF

Note

* Selected Application Sessions
are identified and selected from
the decrypted packets extracted
from the VPN tunnel and inserted
into the TURMOiL Input stream.

EXOPUMP

i

i

KEYCARD

£

Interface Key
T = Transport
C = Content
F = Format

VPN1

T: Socket Connection
C: Selector Hit Query/Response
F: Binary

Dataflow Key

Selector Lookup

VPN Metrics

PIQ Blade Monitoring

ESP Key Request/Response

IKE Messages

Selected Application Sessions
Sessionized Decrypted Packets

VPN2
"T: Secure Socket (SSL)
C: VPN Metrics
F: SOAP
CO
VPN18 5 0 -t—' CD =
T: Secure Socket (SSL) CD 5
PIQ C: PIQ Blade Monitoring CD o
Blade F: WebSA _j 2 u_ w
^ VPN3 •qM • a • im • X CO • LU o
T: Secure Socket (SSL) LU
C: ESP Key Requet/Response F: SOAP o
VPN4
T: Secure Socket (SSL)

VPN Metrics

CES Watch

F: SOAP

VPN11

T: ITx (JMS)

C: Selected Appl Sessions*
F: XML/SOTF

PRESSURE-

WAVE

TOP SECRET//COMINT//20320108

27

TOP SECRET//COMINT//20320108

TOP SECRET//COMINT//20320108

28

TOP SECRET//COMINT//REL USA, AUS, CAN, GBR, NZL//20320108

VPN Spin 9 Metadata Design Details

top FiFr.RFT//r;OMiMT//RFi i Ira ai jr (ram (RRR M7i //?n3?mna

29

TOP SECRET//COMINT//REL USA, AUS, CAN, GBR, NZL//20320108

VPN Spin 9 Decryption Design Details

top FiFr.RFT//r;OMiMT//RFi i Ira Ai jr (ram (RRR M7i //?n3?mna

30

TOP SECRET//COMINT//REL USA, AUS, CAN, GBR, NZL//20320108

VPN Spin 9 Interfaces

l/F Source Destination Content Format Schema / ICD Changes Transport
VPN1 TURMOIL KEYCARD Selector Query/Response Binary cns.xsd No Socket
VPN2 PIQ Blade CES VPN Metrics SOAP/HTTPS VPNMetrics.xsd Yes Socket (SSL)
VPN3 PIQ Blade CES VAO ESP Crypto-variable Request/Response SOAP/HTTPS VAOESP.xsd Yes Socket (SSL)
VPN4 PIQ Blade CES VAO IKE Message SOAP/HTTPS VAOIKE.xsd Yes Socket (SSL)
VPN5 TMLHome TUBE IKE Data/Metadata SOTF DataBundleOutput.xsd VPNDataBundle.xsd Yes Socket
VPN6 TML Home TUBE Selected Session, Decrypted & Recursively Processed SOTF TURMOIL/core VPNDecrypt.xsd Yes Socket
VPN 7 TMLHome XKEYSCORE Decrypted Session SOTF TURMOIL/core VPNDecrypt.xsd Yes Socket
VPN8 TUBE EXOPUMP IKE Data/Metadata SOTF DataBundleOutput.xsd VPNDataBundle.xsd Yes MAILORDER
VPN9 TUBE EXOPUMP Selected Session, Decrypted & Recursively Processed SOTF TURMOIL/core VPNDecrypt.xsd Yes MAILORDER
VPN 10 EXOPUMP PWV IKE Data/Metadata SOTF DataBundleOutput.xsd VPNDataBundle.xsd PWV Schema Yes ITx
VPN11 EXOPUMP PWV Selected Session, Decrypted & Recursively Processed SOTF TURMOIL/core VPNDecrypt.xsd PWV Schema Yes ITx
VPN12 PWV VPN Analytic IKE Data/Metadata SOTF DataBundleOutput.xsd VPNDataBundle.xsd PWV Schema Yes ITx
VPN13 VPN Analytic TOYGRIPPE IKE Data/Metadata TGIF TGIF ICD No MAILORDER
VPN 14 TML Home TEC WC2.0 Bundled Decrypt SOTF TURMOIL/core VPNDecrypt.xsd Yes MAILORDER

31

TOP RFr.RFT//r.DMIMT//RFI IJRA Al JR HAM GRR N7I //?n3?mnR

TOP SECRET//COMINT//REL USA, AUS, CAN, GBR, NZL//20320108

VPN Specific BME

Tag ID Type Value Context Description
vpnlD 900791 string xxxxxxxx-xxxx- xxxx-xxxx- xxxxxxxxxxxx • Recursed packets ■ XKEYSCORE session • WC2.0 decrypt 16-byte Universally Unique ID that associates IPsec packets in processing history
protocolNamespace 900667 string ‘ipsec/ike’ • PWV Metadata Identify IPsec as transport protocol layer
keyExchange 600533 string ‘IKE’ • PWV Metadata Flags IPsec IKE event
espspi 55002 uint32 xxxxxxxx ■ XKEYSCORE session • WC2.0 decrypt 4-byte SPI from ESP packet
nextProtocol 37007 uintS IPTUNNEL=4 ■ XKEYSCORE session • WC2.0 decrypt Identifies IP Tunnel in processing history
appID 114000 string ‘vpn/esp’ ■ XKEYSCORE session • WC2.0 decrypt Identifies VPN/ESP in XKEYSCORE Session
ikeCookie 900683 string 8 chars • PWV Metadata Destination cookie from IKE packet
ike Pay load 900682 string 68 chars • PWV Metadata Raw payload extracted from IKE packet
survey 900790 string ‘vpn/esp’ ■ XKEYSCORE session Identifies VPN/ESP in protocol history as weakly selected indicating session should not be forwarded to PRESSUREWAVE.
protocol 2001 String ‘vpn/esp’ • Recursed packets ■ XKEYSCORE session • WC2.0 decrypt Identifies VPN in processing history

TOP FiFr.RFT//r;OMIMT//RFI I IRA Al JR (RAM (RRR M7I 7/30320108

32

TOP SECRET//COMINT//REL USA, AUS, CAN, GBR, NZL//20320108

Questions?

top FiFr.RFT//r;OMiMT//RFi i ira ai jr (ram (RRR M7i //?n3?mna

33

TOP SECRET//COMINT//REL USA, AUS, CAN, GBR, NZL//20320108

Background

top FiFr.RFT//r;OMiMT//RFi i Ira Ai jr (ram (RRR M7i //?n3?mna

34

TOP SECRET//COMINT//REL USA, AUS, CAN, GBR, NZL//20320108

KEYCARD

(U) Inputs

• (U) Application ID: VPN

• (U//FOUO) Raw Selectors: IP addresses of sessions carrying the IKE exchange

• (U) Context: Packet IP addresses both source and destination (properly identified)
with realm derived from network universe

(U) Processing

• (S//SI//REL) Lookup raw selectors and report hit/no-hit results.

• (S//SI//REL) Return tasking for hits.

(U) Outputs

• (U//FOUO) Evaluated Selectors:

• Hit or No-Hit indicators

• Target match data if necessary

TOP FiFr.RFT//r;OMIMT//RFI I IRA Al JR (RAM (RRR N71//?n.3?ninR

35

TOP SECRET//COMINT//REL USA, AUS, CAN, GBR, NZL//20320108

TURMOIL VPN Metadata Processing

(U) Inputs

• (U) Raw packets

(U) Processing

• (S//SI//REL) Detect IKE exchanges at UDP source and destination ports 500

• (S//SI//REL) Extract IP addresses, responder cookie, message ID, ISAKMP
payload

• (S//SI//REL) Bundle all IKE detect messages with SRI

(U) Outputs

• (S//SI//REL) SOTF object containing metadata and IKE packets

TOP FiFr.RFT//r;OMIMT//RFI I IRA Al JR (RAM (RRR N7I//?n3?DinR

36

TOP SECRET//COMINT//REL USA, AUS, CAN, GBR, NZL//20320108

TURMOIL VPN Decrypt Processing

(U) Inputs

• (U) Raw packets

• (U) Selection results from KEYCARD

(U) Processing

• (S//SI//REL) Detect ESP packets and extract IP addresses and SPI

• (S//SI//REL) Match tasked IKE exchange packets with an ESP packet stream

• (S//SI//REL) Generate UUID and assign to VPNID for unique exchange ID

• (S//SI//REL) Send Crypto-variable Request to the CES VAO

• (TS//SI//REL) If the key is returned, decrypt the ESP packets

• (TS//SI//REL) Send decrypt metrics to the CES VPN Metrics service

• (TS//SI//REL) Recurse all decrypted packets from the VPN.

• (TS//SI//REL) Sessionize all decrypted packets, pass sessions to XKEYSCORE

X (TS//SI//REL) Forward all decrypted packets to a WC2.0 for application processing.

(U) Outputs

X (TS//SI//REL) Decrypted packets to a WC2.0

• (TS//SI//REL) Decrypt metrics to VAO

• (TS//SI//REL) Sessionized decrypted packets to XKEYSCORE

• (S//SI//REL) Selected application SOTF

TOP FiFr.RFT//r;OMIMT//RFI I IRA Al JR (RAM (RRR N71//?n.3?ninR

37

TOP SECRET//COMINT//REL USA, AUS, CAN, GBR, NZL//20320108

XKEYSCORE

(U) Inputs

• (S//SI//REL) Sessionized collect in SOTF format.

(U) Processing

• (S//SI//REL) Recovers and archives session content. Databases metadata for
query by analysts. XKEYSCORE can also perform keyword scanning and optionally
forward selected data back to PINWALE. Presence tips can also be sent to
TRAFFICTHIEF.

TOP FiFr.RFT//r;OMIMT//RFI I IRA Al JR (RAM (RRR N71//?n.3?ninR

38

TOP SECRET//COMINT//REL USA, AUS, CAN, GBR, NZL//20320108

TUBE (ID and Decryption)

(U) Inputs

• (U) SOTF objects.

(U) Processing

• (C//SI//REL) Defragments fragmented sessions, creating an SOTF object with the
complete session.

• (C//SI//REL) Examines the BME to determine if the session should go to PWV.

• (C//SI//REL) Creates a new SOTF object, placing the received or defragged
SOTF object into the data section. The BME of the newly created object contains
classification metadata*, as well as certain fields such as sessionID and
signalllpTime replicated from the BME of the original received SOTF object.

* NOTE: Classification metadata needs more discussion to determine appropriate
origination. TURMOIL may assume some responsibilities.

• (U) Determines appropriate routing (MAILORDER FDI) and forwards the new
SOTF object to EXOPUMP via MAILORDER.

• (U) Optionally (configurable) wrap multiple objects destined for EXOPUMP/PWV
into one MAILORDER file to reduce the number of individual files transmitted.

(U) Outputs

• (U) SOTF objects.

TOP SFr.RFT//mMINT//RFI USA Al JR HAM f,RR N7I //?n3?mnR

39

TOP SECRET//COMINT//REL USA, AUS, CAN, GBR, NZL//20320108

TUBE (Metadata)

(U) Inputs

• (U) SOTF objects.

(U) Processing

• (C//SI//REL) Examines the BME to determine if the session should go to PWV.

• (U) Determines appropriate routing (MAILORDER FDI) and forwards the new
SOTF object to EXOPUMP via MAILORDER.

• (U) Optionally (configurable) wrap multiple objects destined for EXOPUMP/PWV
into one MAILORDER file to reduce the number of individual files transmitted.

(U) Outputs

• (U) SOTF objects.

TOP FiFr.RFT//r;OMIMT//RFI I IRA Al JR (RAM (RRR N71//?n.3?ninR

40

EXOPUMP

TOP SECRET//COMINT//REL USA, AUS, CAN, GBR, NZL//20320108

(U) Inputs

• (U) SOTF object from TUBE via MAILORDER.

(U) Processing

• (U) Extracts metadata from SOTF records for PWV XML metadata.

• (U) Inserts SOTF objects and XML metadata into PWV.

(U) Outputs

• (U) PRESSUREWAVE metadata object.

TOP SFPRFT//POMINT//RFI I ISA AIJS PAM PRR N7I //?n3?mnfi

41

TOP SECRET//COMINT//REL USA, AUS, CAN, GBR, NZL//20320108

PRESSUREWAVE

(U) Inputs

• (S//SI//REL) VPN metadata including IKE payload objects with associated
metadata represented in XML.

• (U//FOUO) Selected application data objects with associated metadata
represented in xml.

(U) Processing

• (S//SI//REL) PWV hosts a persistent (or standing) query created by the VPN
analytic. When new metadata arrives that matches the query, the VPN analytic
is notified and pulls the associated metadata and IKE packets for further
processing.

• (U//FOUO) PWV serves as data store for TU analytics

(U) Outputs

• (S//SI//REL) The metadata and IKE packets are forwarded to VPN analytic via
ITx (JMS messaging service).

TOP FiFr.RFT//r;OMIMT//RFI I IRA Al JR (RAM (RRR N71//?n.3?ninR

42

TOP SECRET//COMINT//REL USA, AUS, CAN, GBR, NZL//20320108

VPN Analytic

(U) Inputs

• (S//SI//REL) Persistent query to detect VPN metadata/IKE packets in
PRESSUREWAVE

• (S//SI//REL) SOTF files containing IKE packets

(U) Processing

• (U//FOUO) Convert SOTF to TGIF records

(U) Outputs

• (S//SI//REL) MAILORDER files with TGIF records containing intercepted IKE
packets

TOP FiFr.RFT//r;OMIMT//RFI I IRA Al JR (RAM (RRR N71//?n.3?ninR

43

TOP SECRET//COMINT//REL USA, AUS, CAN, GBR, NZL//20320108

TOYGRIPPE

(U) Inputs

• (U//FOUO) TGIF (“The Grand Input Format”) records based on TML collected
metadata.

(U) Processing

• (U//FOUO) TOYGRIPPE 3.2 system accepts TGIF files sent by MAILORDER as
bundled “tar” files.

• (TS//SI//REL) TOYGRIPPE unbundles, validates, and stores the VPN metadata
from the TGIF files into a database for later access by Analysts primarily through a
web browser interface. TOYGRIPPE supports data processing and storage for
PPTP and IPSec VPN metadata records.

TOP FiFr.RFT//r;OMIMT//RFI I IRA Al JR (RAM (RRR N71//?n.3?ninR

44

TOP SECRET//COMINT//REL USA, AUS, CAN, GBR, NZL//20320108

VAO

(U) Inputs

• (S//SI//REL) IKE packets

• (S//SI//REL) ESP Crypto-variable (CV) Requests

(U) Processing

• (S//SI//REL) Generates ESP SA CV’s from IKE packets

• (S//SI//REL) Matches ESP SA CV requests with generated CV’s

• (S//SI//REL) Responds to ESP SA CV requests
(U) Outputs*

• (S//SI//REL) ESP Crypto-variable Response

* Note: VAO requests that multiple ESP packets also be sent for each session

TOP FiFr.RFT//r;OMIMT//RFI I IRA Al JR (RAM (RRR N71//?n.3?ninR

45

VPN Metrics

TOP SECRET//COMINT//REL USA, AUS, CAN, GBR, NZL//20320108

(U) Inputs

• (S//SI//REL) PIQ Blade VPN Processing Metrics

(U) Processing

• (S//SI//REL) Internal to CES/CA Enclave

top p;Fr.RFT//r;OMiMT//RFi iira aijr HAM nRR N7i //?n3?nina

46

TOP SECRET//COMINT//REL USA, AUS, CAN, GBR, NZL//20320108

WEALTHYCLUSTER 2.0

(U) Inputs

• (S//SI//REL) Bundled decrypted packets in SOTF format via MAILORDER.

(U) Processing

• (U) Signal identification

• (S//SI//REL) Protocol recognition, processing and sessionization

• (C//SI//REL) Application identification and processing

• (C//SI//REL) Link characterization aggregation

• (U//FOUO) Filtering, selection, and forwarding

• (U//FOUO) Strong selection

• (S//SI//REL) Persona session association

• (S//SI//REL) Session association

• (S//SI//REL) IP Decompression

• (S//SI//REL) Contact chaining

TOP FiFr.RFT//r;OMIMT//RFI I IRA Al JR (RAM (RRR N71//?n3?mnR

47


e-Highlighter

Click to send permalink to address bar, or right-click to copy permalink.

Un-highlight all Un-highlight selectionu Highlight selectionh