Title: TLS Trends at GCHQ

Release Date: 2014-12-28

Description: This undated GCHQ presentation explains the agency’s FLYING PIG database and its role in undermining SSL/TLS encryption: see the Der Spiegel story Prying Eyes: Inside the NSA’s War on Internet Security, 28 December 2014.

Document: TS//SI//REL

TLS trends at GCHQ


Source of data

Our TLS events come from our TLS app

- Runs on special source (approx. 200 x 10G) and Comsat data

- Produces unselected events: about 10 billion Server Hellos per week

Records details about the handshake: IPs, Hello messages, Certificate, Key Exchanges

Events stored for 6 months in our clouds


Trends Reports

We summarise these events to produce weekly trends reports, which record:

- Types of key exchange (RSA/DH/EC)

- "Top 40" TLS services in use, highlighting new services and changes in existing services

- Details about the crypt (e.g. DH moduli)

- "Watchlist" to keep an eye on widely-used services (Facebook, Gmail, Hotmail, etc)


Example: top 40 services

#1 Top Certificates seen by Common Name

Common Name | Modulus

*.facebook.com
a248.e.akamai.net
www.facebook.com
api.twitter.com
*.hotmail.com
urs.microsoft.com
*.channel.facebook.com
s-static.ak.fbcdn.net
m.facebook.com
*.data.toolbar.yahoo.com
login.yahoo.com
*.google.com
www.update.microsoft.com
s-static.ak.facebook.com
api.login.icq.net
imap.gmail.com
login.live.com
pop3.live.com
twitter.com
http.mws.mobile.live.com
*.ak.fbcdn.net
*.facebook.com
*.imap.mail.yahoo.com
*.itunes.apple.com
Trustedsourceserver_iMQA01
www.google.com


*.whatsapp.net
games.metaservices.microsoft.com
*.cityville.zynga.com
*.zynga.com
*.twitter.com
*.mail.ru
contacts.msn.com
*.s3.amazonaws.com
*.addons.mozilla.org
*.securestudies.com
sbOl.cysheiev.htit.prd.miyowa.net
*.castle.zynga.com
gs-loc.apple.com
*.calendar.yahoo.com

Modulus size | Valid from | Valid until | Issuer org | Position | % of Total | Raw count
(1024) | 13/01/10 | 11/04/13 | Digicert Inc | 1 (1) | 9.291 (10.205) | 968772690 (1127419008)
(1024) | 01/09/11 | 31/08/12 | GTE Corporation | 2 (2) | 7.695 (7.046) | 802295227 (778458790)
(1024) | 17/11/11 | 13/07/12 | Verisign Trust Network | 3 (3) | 5.096 (5.443) | 531368555 (601326037)
(2048) | 18/05/10 | 17/05/12 | Verisign, Inc. | 4 (4) | 4.440 (4.839) | 463021773 (534657717)
(2048) | 13/07/11 | 12/07/13 | | 5 (5) | 2.728 (2.624) | 284430903 (289947972)
(1024) | 16/05/11 | 15/05/12 | | 6 (6) | 2.656 (2.584) | 276995437 (285510909)
(1024) | 23/11/10 | 26/11/13 | Digicert Inc | 7 (7) | 2.242 (2.401) | 233793675 (265316019)
(1024) | 01/08/11 | 01/08/12 | Akamai Technologies Inc | 8 (10) | 2.180 (1.584) | 227382435 (175019929)
(1024) | 29/05/11 | 01/06/13 | Equifax | 9 (14) | 2.046 (1.520) | 213407210 (167941977)
(1024) | 24/06/10 | 25/08/13 | Equifax | 10 (11) | 1.737 (1.573) | 181117743 (173876822)
(1024) | 21/12/10 | 03/01/13 | DigiCert Inc | 11 (17) | 1.719 (1.409) | 179230294 (155713115)
(2048) | 02/06/11 | 02/08/13 | Entrust, Inc. | 12 (9) | 1.714 (1.753) | 178784944 (193662902)
(1024) | 08/03/12 | 08/03/13 | Google Inc | 13 (12) | 1.478 (1.542) | 154111639 (170445646)
(2048) | 19/04/11 | 18/04/13 | | 14 (15) | 1.296 (1.466) | 135141462 (161960265)
(1024) | 29/07/11 | 29/07/12 | Akamai Technologies Inc | 15 (18) | 1.252 (1.354) | 130543626 (149630545)
(2048) | 30/06/11 | 16/08/17 | Verisign, Inc. | 16 (35) * | 1.188 (0.478) | 123931507 (52863604)
(1024) | 18/11/11 | 18/11/12 | Google Inc | 17 (25) * | 1.160 (0.659) | 120963041 (72889992)
(2048) | 28/09/11 | 27/09/12 | Verisign, Inc. | 18 (21) | 1.094 (0.960) | 114138558 (106107395)
(2048) | 24/03/11 | 23/03/13 | | 19 (20) | 1.048 (1.024) | 109361276 (113150224)
(2048) | 07/07/11 | 27/07/12 | Verisign, Inc. | 20 (19) | 0.969 (1.128) | 101088158 (124647248)
(1024) | 12/08/10 | 30/09/14 | Verisign Trust Network | 21 (16) | 0.955 (1.450) | 99584853 (160275556)
(1024) | 13/01/12 | 13/01/13 | Akamai Technologies Inc | 22 (22) | 0.931 (0.907) | 97155933 (100210124)
(1024) | 14/07/11 | 13/07/12 | Verisign Trust Network | 23 (13) | 0.843 (1.525) | 87967311 (168474280)
(2048) | 11/05/11 | 15/05/13 | Digicert Inc | 24 (29) | 0.702 (0.584) | 73246541 (64522656)
(1024) | 23/06/09 | 22/06/14 | Verisign, Inc. | 25 (23) | 0.688 (0.739) | 71781445 (81745924)
(1024) | 18/02/10 | 01/01/38 | see | 26 (28) | 0.669 (0.614) | 69784882 (67857652)
(1024) | 26/10/11 | 30/09/13 | Thawte Consulting (Pty) Ltd. | 27 (24) | 0.665 (0.738) | 69403948 (81563480)
(2048) | 31/12/09 | 31/12/12 | GoDaddy.com, Inc. | 28 (27) | 0.627 (0.627) | 65465951 (69350595)
(2048) | 16/05/11 | 15/05/13 | | 29 (26) | 0.606 (0.630) | 63213853 (69606626)
(2048) | 29/06/11 | 28/06/12 | Verisign, Inc. | 30 (37) | 0.583 (0.451) | 50885889 (49891288)
(1024) | 01/09/11 | 30/12/13 | Digicert Inc | 31 03) | 0.569 (0.521) | 59409296 (57599432)
(2048) | 17/07/11 | 17/09/13 | GeoTrust, Inc. | 32 (30) | 0.554 (0.575) | 57778165 (63623577)
(2048) | 12/03/12 | 11/05/14 | Thawte, Inc. | 33 (42) | 0.530 (0.425) | 55267751 (46962081)
(2048) | 12/05/11 | 11/05/13 | | 34 (34) | 0.514 (0.506) | 53694286 (55968833)
(1024) | 15/12/10 | 18/12/13 | Digicert Inc | 35 (38) | 0.509 (0.450) | 53084116 (49720339)
(2048) | 27/12/10 | 29/12/12 | GeoTrust, Inc. | 36 (31) | 0.492 (0.550) | 51395280 (60762021)
(2048) | 02/03/12 | 19/03/13 | COMODO CA Limited | 37 (82) * | 0.470 (0.143) | 49056755 (15851007)
(2048) | 19/04/11 | 20/04/13 | The USERTRUST Network | 38 (39) | 0.444 (0.447) | 46338349 (49394988)
(1024) | 01/09/11 | 30/12/13 | Digicert Inc | 39 (44) | 0.438 (0.396) | 45721029 (43761752)
(2048) | 04/10/10 | 01/10/12 | Entrust, Inc. | 40 (43) | 0.419 (0.421) | 43766504 (46590125)
(2048) | 13/03/12 | 20/03/13 | Digicert Inc | 41 (63) * | 0.405 (0.205) | 42323610 (22677002)

Past % [column contents not recoverable from the scan]


Trends Reports: Findings

RSA:DH:EC ratio roughly constant (90:5:5)

- EC almost entirely Google (plus a bit of WhatsApp)

New certificates mostly use 2048-bit RSA keys

We've seen new services jump up the list:

- Summer 2011: Google's switch to Elliptic Curves

- Autumn 2011: Apple's iCloud service

- Spring 2012: Increase in mobile Facebook encryption
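
The same RSA/DH/EC breakdown can be computed by a defender over their own sensor logs, to see which services still negotiate key exchanges without forward secrecy. This is an added example, not part of the presentation; the host names and events are constructed, and it goes beyond the slide's three-way split by also separating ephemeral from static exchanges and TLS 1.3 suite names.

```python
from collections import Counter

# Constructed sample, not data from the slides: (server name, negotiated
# cipher suite) per Server Hello, as a passive sensor such as Zeek logs them.
SAMPLE_EVENTS = [
    ("mail.example.org", "TLS_RSA_WITH_RC4_128_SHA"),
    ("mail.example.org", "TLS_RSA_WITH_AES_128_CBC_SHA"),
    ("www.example.org", "TLS_ECDHE_RSA_WITH_RC4_128_SHA"),
    ("www.example.org", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"),
    ("vpn.example.org", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA"),
    ("api.example.org", "TLS_RSA_WITH_AES_256_CBC_SHA"),
    ("api.example.org", "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA"),
    ("new.example.org", "TLS_AES_128_GCM_SHA256"),
]


def key_exchange(suite):
    """Map an IANA cipher suite name to (family, forward_secret)."""
    if "_WITH_" not in suite:
        # TLS 1.3 names carry no key exchange; it is always ephemeral (EC)DHE.
        return ("TLS1.3", True)
    kx = suite.split("_WITH_")[0].split("_")[1:]  # e.g. ["ECDHE", "RSA"]
    if not kx or "anon" in kx:
        return ("OTHER", False)  # unauthenticated or malformed suite names
    if kx[0] in ("ECDHE", "ECDH"):
        return ("EC", kx[0] == "ECDHE")
    if kx[0] in ("DHE", "DH"):
        return ("DH", kx[0] == "DHE")
    if kx[0] == "RSA":
        return ("RSA", False)  # static RSA: the server key decrypts old captures
    return ("OTHER", False)  # PSK, SRP, KRB5, ...


def summarise(events):
    """Return (percentage per family, non-forward-secret event count per host)."""
    families, no_fs = Counter(), Counter()
    for host, suite in events:
        family, forward_secret = key_exchange(suite)
        families[family] += 1
        if not forward_secret:
            no_fs[host] += 1
    total = sum(families.values())
    ratio = {f: round(100 * n / total, 1) for f, n in families.items()}
    return ratio, dict(no_fs)


if __name__ == "__main__":
    ratio, exposed = summarise(SAMPLE_EVENTS)
    print("key exchange %:", ratio)
    print("hosts negotiating non-forward-secret suites:", exposed)
```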


TLS and targets

Trends reports not based on targeted data

How do we judge interest in TLS services, and get analysts involved? Two ways we've tried:

- Associate TLS events with targets, and inform the relevant analysts (TargeTLS)

- Put TLS data out there for analysts to search (FLYING PIG)


TargeTLS reports

BROAD OAK: GCHQ's repository of target info

We match TLS events against this:

- Is the server IP in BROAD OAK?

- Does the certificate's domain match a URL selector, or a number of email selectors?

Email the relevant POC to ask if the traffic is of interest

About 15% of the services we've identified in this way have been worth looking into further


FLYING PIG

TLS knowledge base. Summarises all TLS events to answer multiple questions, e.g.:

- What certificates are present on a given IP?

- Which client IPs access a given service?

- Which TDIs can be associated with a given service?


Example: search by domain

FLYING PIG

TLS/SSL Knowledge Base

Tabs: HRA Justification | Query FLYING PIG - general SSL toolkit | Query QUICK ANT - Tor events QFD

Query FLYING PIG

Prototype owner:

IP / network / certificate field: %mail.ru

Query as: ( ) Client IP ( ) Server IP ( ) Both
or: ( ) Network [e.g. 1.2.3.0/24]
or: (x) Server Certificate [e.g. %example.com (use % for wildcards)]

Server certificate fields to search within:
Subject common name [/]
Subject organisation name
Issuer common name [/]
Issuer organisation name
RSA modulus

Run Query!

[Certificate field search: %mail.ru]

All HTTP requests matching your query (?)

1 - 5 of 500 items

Server IP | Host name | First seen | Last seen | Count w/e 25th Nov | Count all time
.184.105 | swa.mail.ru | 2011-10-13 16:05:53.0 | 2011-11-25 21:11:59.0 | 6085663 | 42640739
.184.104 | swa.mail.ru | 2011-10-13 17:29:13.0 | 2011-11-25 21:11:55.0 | 6073183 | 36825411
.134.201 | fc.ef.d4.cf.bd.al.top.mail.ru | 2011-10-13 21:43:10.0 | 2011-11-25 21:10:49.0 | 4049743 | 19360920
.135.13 | top5.mail.ru | 2011-10-14 20:00:00.0 | 2011-11-25 21:12:05.0 | 3006868 | 14160963
.135.12 | top3.mail.ru | 2011-10-14 20:00:00.0 | 2011-11-25 21:10:43.0 | 2480950 | 12386999

All certificates matching your query (?)

Tip 1: Right click on a row to find all server IPs that serve that certificate!

Tip 2: Click on the disk icon in the title bar to download data in CSV format!

Tip 3: Double-click on a field to enable copy and paste!

Tip 4: Change displayed columns ('Basic' is default! 'Advanced' adds RSA Modulus and cipher suite distribution columns): Basic columns | Advanced columns

1 - 10 of 70 items

Columns: Full Certificate, First seen, Last seen, Count w/e 25th Nov, Count all time, Valid from, Valid to, Subject common name, Subject country, Subject org name, Issuer common name, Issuer country, Issuer org name, Self signed

308203CD30B2I 2011-09-22 13:17:32 2011-11-25 19:01:59 2952729 16638958 2011-01-31 00:00:00 2012-03-27 23:59:59 *.mail.ru ru llc mail.ru thawte ssl ca us thawte, Inc. N
308203613082C 2011-09-22 14:05:50 2011-11-25 18:50:32 249926 1085232 2010-01-21 00:00:00 2011-02-20 23:59:59 *.mail.ru ru llc mail.ru thawte premium server ca za thawte consulting cc N
303203 0330821 2011-10-07 20:29:55 2011-11-25 18:53:40 10059 30520 2011-09-25 00:00:00 2013-11-23 23:59:59 *.money.mail.ru ru llc mail.ru thawte ssl ca US thawte, Inc. N
303203 513 0 8 2 C 2011-09-23 17:01:53 2011-11-25 15:40:05 976 8517 2010-01-25 15:42:05 2012-01-27 18:12:59 mail.ru.is is mail.ru.is US equifax N
303202 C83082C 2011-08-22 03:14:21 2011-09-06 06:15:36 0 1482 2011-03-04 06:42:12 2012-03-03 06:42:12 mail.ru-sib.ru us mail.ru-sib.ru US Y
3082043B3082C 2011-10-17 14:09:52 2011-11-25 10:50:10 22 1236 2011-05-27 00:00:00 2012-07-25 23:59:59 mail.ru-com.ru mail.ru-com.ru thawte dv ssl ca US thawte, inc. N
308203 C 43082Í 2011-10-08 00:05:24 2011-11-25 17:04:02 301 1150 2010-02-13 14:19:06 2012-11-08 14:19:06 mxl.shogo-mail.ru ru shogo shogo.ru ru shogo N
308204153082C 2011-11-01 07:36:53 2011-11-25 14:26:29 246 693 2011-09-15 11:47:51 2012-09-14 11:47:51 limgs.mail.ru ru isp.cegedim.fr fr cegedim N
308202E430B2C 2011-10-14 18:20:34 2011-11-21 05:13:34 201 306 2011-10-05 08:07:34 2014-10-04 08:07:34 moder.foto.mail.ru ru mail.ru moder.foto.mail.ru ru mail.ru Y
308204153082C 2011-10-31 2011-11-25 99 259 2011-09-15 2012-09-14 auth.mail.ru ru isp.cegedim.fr fr cegedim N

Server IPs (?):

Tip 1: Right click on a server IP to explore it further!

1 - 25 of 500 items

IP | Cert count w/e 25th Nov | Cert count all time
177.1 | 333592 | 1052618
191.213 | 330212 | 1388617
184.16 | 308599 | 2496916
184.17 | 297282 | 2226133
134.15 | 294437 | 2395012
189.160 | 168414 | 659037
184.77 | 120533 | 560336
184.74 | 113555 | 515169
184.75 | 112574 | 538512
184.76 | 110325 | 690098
135.55 | 3779 | 6023
135.56 | 3740 | 7358
134.151 | 3564 | 8498
63.121 | 2532 | 4887
136.43 | 2523 | 9226
134.98 | 2360 | 9165
179.89 | 2227 | 7600
179.90 | 2051 | 7320
136.84 | 1981 | 8442


Example: search by server

FLYING PIG

TLS/SSL Knowledge Base

Tabs: HRA Justification | Query FLYING PIG - general SSL toolkit | Query QUICK ANT - Tor events QFD

Query FLYING PIG

Prototype owner:

IP / network / certificate field: ______.184.14

Query as: ( ) Client IP (x) Server IP ( ) Both
or: ( ) Network [e.g. 1.2.3.0/24]
or: ( ) Server Certificate [e.g. %example.com (use % for wildcards)]

Run Query!

[Certificate field search: %mail.ru]

Server IP-specific panels:
General IP info | SSL Server certificates seen on this IP
Top 10 SSL client geos | SSL Pattern of life
Top 10 SSL server ports | HTTP requests to this IP
Top 10 SSL case notations | Top 100 SSL clients
SSL Traffic stats

General IP info for server IP .184.14

Geolocation (?):
Country: RU
City: MOSCOW

WHOIS info (?):
Network: _____176.0/20, Network type: No results.
Company: Mail.Ru. Domain: mail.ru.

AS info (?):
Advertised by AS: 47764, Found within network: .76.0/20,
AS name: MAILRU-AS Limited liability company Mail

DNS (?):
No results

Tor node (?):
No matches

Top 10 SSL client geos (?)

Top 10 SSL server ports (?)

Top 10 SSL case notations (?)

SSL Traffic stats (?)

Overall | Paired (approximate)

For week ending 2011-12-23:

No. unique clients = 104317.

% client-server IPs with traffic seen in both directions =

Chart legend:
- Unique clients with client-s traffic only
- Unique clients with s traffic only
- Unique clients with bidirectional traffic

SSL Certificates seen on this IP (?)

Tip 1: Right click on a certificate to explore it further!

1 - 3 of 3 items

First seen on this IP | Last seen on this IP | Count w/e 25th Nov | Count all time | Valid from | Valid to | Subject common name | Issuer common name
2011-09-22 13:31:06 | 2011-11-25 19:01:47 | 357643 | 2359179 | 2011-01-31 00:00:00 | 2012-03-27 23:59:59 | *.mail.ru | thawte ssl ca
2011-08-08 12:23:45 | 2011-11-25 07:50:07 | 1441 | 1447304 | 2011-01-31 00:00:00 | 2012-03-27 23:59:59 | *.mail.ru | thawte ssl ca
2011-11-16 14:13:03 | 2011-11-16 14:13:03 | 0 | 1 | 2011-08-05 18:34:19 | 2014-08-05 18:34:19 | *.vkontakte.ru | go daddy secure certification authority

Average pattern of life for a client (seeded around SSL events to this server IP) (?)

Tip 1: Filter by min. % occurrences of event [value illegible] Apply filtering

1 - 8 of 233 items

Correlated event | Event IP | Event port | Percentage occurrences of event
GET request to top3.mail.ru | .135.12 | 80 | 28.1
GET request to top5.mail.ru | .135.13 | 80 | 15.1
GET request to do.cl.bf.al.top.mail.ru | .134.253 | 80 | 14.2
GET request to now.mail.ru | [illegible] | [illegible] | 13.?

HTTP requests to this IP (top 100) (?)

Tip 1: Right click on a server IP to explore it as an SSL server!

1 - 10 of 226 items

Server IP | Host name requested | First seen | Last seen | Count last week | Count all time
.134.14 | e.mail.ru | 2011-10-14 | 2011-11-25 | 1989215 | 13992636
.184.14 | m.mail.ru | 2011-10-14 | 2011-11-25 | 89268 | 664189
.134.14 | 1.184.14 | 2011-10-14 | 2011-11-25 | 17426 | 108536
.184.14 | auth.mail.ru | 2011-10-14 | 2011-11-25 | 11738 | 70020
[one further row illegible in the scan]


Contacts

TLS trends: Crypt Operations BULLRUN team

FLYING PIG: ICTR Network Exploitation
