Title: TLS Trends: A roundtable discussion on current usage and future directions

Release Date: 2014-12-28

Description: This CSEC presentation from 2012 outlines the agency’s capabilities against SSL encryption at that point: see the Der Spiegel story Prying Eyes: Inside the NSA’s War on Internet Security, 28 December 2014.

Document: TOP SECRET//SI//REL TO CAN, AUS, GBR, NZL, USA

rs

TLS Trends:

A roundtable discussion on current
usage and future directions

Communications Security Establishment Canada (CSEC)



Safeguarding Canada’s security through information superiority
Préserver la sécurité du Canada par la supériorité de l’information

/H ll+l

Canada

TOP SECRET//SI//REL TO CAN, AUS, GBR, NZL, USA

1

■ ■ Communications Security

Establishment Canada

TOP SECRET//SI//REL TO CAN, AUS, GBR, NZL, USA

Centre de la sécurité

des télécommunications Canada



This presentation is up to

TOP SECRET//SI
//REL TO

CAN, AUS, GBR, NZL, USA

Safeguarding Canada’s security through information superiority
Préserver la sécurité du Canada par la supériorité de l’information

/H ll+l

Canada

TOP SECRET//SI//REL TO CAN, AUS, GBR, NZL, USA

2

■ ■ Communications Security

Establishment Canada

TOP SECRET//SI//REL TO CAN, AUS, GBR, NZL, USA

Centre de la sécurité

des télécommunications Canada

Outline

• Background

• Implementation

• Trend Report

• Success Stories

• Future Development

• Questions

Safeguarding Canada’s security through information superiority
Préserver la sécurité du Canada par la supériorité de l’information

/H ll+l

Canada

TOP SECRET//SI//REL TO CAN, AUS, GBR, NZL, USA

3

TOP SECRET//SI//REL TO CAN, AUS, GBR, NZL, USA

■ ■ Communications Security Centre de la sécurité

Establishment Canada des télécommunications Canada

Background

• Objectives:

- Identify capabilities in existing warranted SSL/TLS traffic

- Generate regular trend reports and analysis

- Identify abnormalities and technology changes

- Be proactive!

Safeguarding Canada’s security through information superiority
Préserver la sécurité du Canada par la supériorité de l’information

/O ll+l

Canada

TOP SECRET//SI//REL TO CAN, AUS, GBR, NZL, USA

4

TOP SECRET//SI//REL TO CAN, AUS, GBR, NZL, USA

l+l

Communications Security Centre de la sécurité
Establishment Canada des télécommunications Canada

Implementation - Warranted Collection

Safeguarding Canada’s security through information superiority
Préserver la sécurité du Canada par la supériorité de l’information

/H ll+l

Canada

TOP SECRET//SI//REL TO CAN, AUS, GBR, NZL, USA

5

TOP SECRET//SI//REL TO CAN, AUS, GBR, NZL, USA

■ ■ Communications Security Centre de la sécurité

Establishment Canada des télécommunications Canada

Implementation - Special Source

Safeguarding Canada’s security through information superiority
Préserver la sécurité du Canada par la supériorité de l’information

/H ll+l

Canada

TOP SECRET//SI//REL TO CAN, AUS, GBR, NZL, USA

6

TOP SECRET//SI//REL TO CAN, AUS, GBR, NZL, USA

l+l

Communications Security Centre de la sécurité

Establishment Canada des télécommunications Canada

Trend Report - Warranted Collection

• Inspired by GCHQ weekly TLS Trend Reports

• What we’re tracking:

- Amount of SSL/TLS traffic seen

- Cipher Suite Breakdown (RSA vs EC vs DH)

- SSL/TLS Version Breakdown

- Top Certificates seen by Common Name

- Top RSA Certificate Moduli seen

- Top DH Moduli seen

- Percentage of Resumed Session

- Session Ticket Usage, Elliptic Curve Usage

- RSA & DH Modulus Size Breakdown

- New DH moduli

- Top new RSA moduli

Safeguarding Canada’s security through information superiority
Préserver la sécurité du Canada par la supériorité de l’information

/H ll+l

Canada

TOP SECRET//SI//REL TO CAN, AUS, GBR, NZL, USA

7

1*1

TOP SECRET//SI//REL TO CAN, AUS, GBR, NZL, USA

Communications Security Centre de la sécurité
Establishment Canada des télécommunications Canada

RSA Key Size Trends
(warranted only)

Safeguarding Canada’s security through information superiority
Préserver la sécurité du Canada par la supériorité de l’information

1024-bit

-■-2048-bit

-^4096-bit

/n ii+i

Canada

TOP SECRET//SI//REL TO CAN, AUS, GBR, NZL, USA

8

1*1

Communications Security
Establishment Canada

TOP SECRET//SI//REL TO CAN, AUS, GBR, NZL, USA

Centre de la sécurité

des télécommunications Canada

DH Modulus Trends
(warranted only)

T— T— T— T— T— T— T— T— CN CNI CN eg
TJ- T- T— t— T- t—
>* c —! Q_ -t—' o O 1 > Ô ¡z 1 _Q l!_ «ri l!_
03 =3 “5 f “D =3 < O CO o z
nginx

-■-Apache - current

-^-Apache - older
versions

^Java

Safeguarding Canada’s security through information superiority
Préserver la sécurité du Canada par la supériorité de l’information

/H ll+l

Canada

TOP SECRET//SI//REL TO CAN, AUS, GBR, NZL, USA

9

1*1

Communications Security
Establishment Canada

TOP SECRET//SI//REL TO CAN, AUS, GBR, NZL, USA

Centre de la sécurité

des télécommunications Canada



Public Key Exchange Methods
(warranted only)

Safeguarding Canada’s security through information superiority
Préserver la sécurité du Canada par la supériorité de l’information

/H ll+l

Canada

TOP SECRET//SI//REL TO CAN, AUS, GBR, NZL, USA

10

1*1

Communications Security
Establishment Canada

TOP SECRET//SI//REL TO CAN, AUS, GBR, NZL, USA

Centre de la sécurité

des télécommunications Canada

Target Specific reporting
(warranted only)

• Intended to engage analysts in identifying traffic of
interest

- Show the known services their target is using

- Ask them to help identify unknown services

- Identify changes in their target’s use of TLS

Safeguarding Canada’s security through information superiority
Préserver la sécurité du Canada par la supériorité de l’information

/H ll+l

Canada

TOP SECRET//SI//REL TO CAN, AUS, GBR, NZL, USA

11

TOP SECRET//SI//REL TO CAN, AUS, GBR, NZL, USA

■ ■ Communications Security Centre de la sécurité

Establishment Canada des télécommunications Canada

Sample Report

Trends Report for Canuckistan in the month of April

Table 1. Types of TLS traffic in working hours (7am to 6pm) and out of hours

WHO 1 - + OUT_HOURS 1 IN_H0URS -|- 1 TOTAL
Google 1 1479 1 2782 1 4261
Hotmail/Live 1 455 1 934 1 1389
Advertising 1 401 1 139 1 540
Foreign government sites 1 338 1 97 1 435
Canuckistan Social Media 1 59 1 90 1 149
Facebook 1 38 1 82 1 120
Apple 1 12 1 2 1 14
Banking 1 5 1 4 1 9
Transportation sites 1 3 1 Q 1 3
Microsoft 1 1 1 Q 1 1

Safeguarding Canada’s security through information superiority
Préserver la sécurité du Canada par la supériorité de l’information

/H ll+l

Canada

TOP SECRET//SI//REL TO CAN, AUS, GBR, NZL, USA

12

TOP SECRET//SI//REL TO CAN, AUS, GBR, NZL, USA

■ ■ Communications Security Centre de la sécurité

Establishment Canada des télécommunications Canada

Sample Report (cont’d)

Table 2. Sites visited from the Canuckistan Social Media group

WHO 1 SITES . -|- 1 OUT . _HOURS 1 -|- _ IN_HOURS 1 . TOTAL
hockeytalk 1 login.hockeytalk.com 1 3 1 10 1 13
hockeytalk 1 chat.hockeytalk.com 1 31 1 44 1 75
hockeytalk 1 mail.hockeytalk.com 1 25 1 36 1 61

Comments:

We have noticed a large increase in chat activity on the hockeytalk sites. This is
likely due to the beginning of playoff season.

Safeguarding Canada’s security through information superiority
Préserver la sécurité du Canada par la supériorité de l’information

/H ll+l

Canada

TOP SECRET//SI//REL TO CAN, AUS, GBR, NZL, USA

13

TOP SECRET//SI//REL TO CAN, AUS, GBR, NZL, USA

■ ■ Communications Security Centre de la sécurité

Establishment Canada des télécommunications Canada

Success Stories

• Easily identified current capabilities in warranted traffic

• Verified certificate being phased out and identified
possible replacements

• Corroborated with GCHQ on discovering frequent
Google moduli changes

• Currently pushing new moduli for testing against
publicly known weaknesses (PHOENIX)

• Identified use of Elliptic Curve Certificates

Safeguarding Canada’s security through information superiority
Préserver la sécurité du Canada par la supériorité de l’information

/O ll+l

Canada

TOP SECRET//SI//REL TO CAN, AUS, GBR, NZL, USA

14

TOP SECRET//SI//REL TO CAN, AUS, GBR, NZL, USA

■ ■ Communications Security Centre de la sécurité

Establishment Canada des télécommunications Canada

Future Development

• Trends reports on Special Source collection

• New types of metadata added to database

• Collaboration with CSEC’s Data Mining team

• Improve efficiency, stability of solutions

Safeguarding Canada’s security through information superiority
Préserver la sécurité du Canada par la supériorité de l’information

/H ll+l

Canada

TOP SECRET//SI//REL TO CAN, AUS, GBR, NZL, USA

15

e-Highlighter

Click to send permalink to address bar, or right-click to copy permalink.

Un-highlight all Un-highlight selectionu Highlight selectionh