Title: Turmoil VPN Processing

Release Date: 2014-12-28

Document Date: 2009-10-27

Description: This NSA presentation dated 27 October 2009 outlines the use of intercepted IPSec VPN data within the agency: see the Der Spiegel story Prying Eyes: Inside the NSA’s War on Internet Security, 28 December 2014.

Document: TURMOIL VPN PROCESSING

27 October 2009

The overall classification for this brief is:
[TOPSECRET//COMINT//REL TO USA, FVEY]

TOP SECRET//COMINT//REL TO USA FVEY

Agenda

• VPN Technology Overview

• Dataflows and Interfaces

• LPT Implementation

• Metrics

TOP SF
TOP SECRET//COMINT//REL TO USA FVEY

Overview - VPN Mission Opportunity

TOP FF
TOP SECRET//COMINT//REL TO USA FVEY

IKE-ISAKMP Protocol

UNCLASSIFIED

Internet Key Exchange (IKE - RFC 2409)
Internet Security Association and Key Management
Protocol (ISAKMP - RFC 2408)

0 1 2 3

01234567890123456789012345678901

Version

IHL

Type of Service

Identification

Tims lo Live

Protocoi = 17

Tola Length

Flags

Fragment Oftset

Header Checksum

Source Address

Destination Address

Source Port= 500

Length

Destination Port = 500

Checksum

Initiator Cookie

initiator Cookie

Responder Cookie

Responder Cookie

Next Payload

Mj Ver

Mn Ver

Exchange Type

Flags

Message ID

Length

Key Management Data

IP

Header

UDP

Header

IKE /

Y ISAKMP
Header

UNCLASSIFIED

TOP CF(~BFT//rnMINT//RFI TD I IRA FVFY

ESP Protocol

TOP SECRET//COMINT//REL TO USA FVEY

UNCLASSIFIED
f? Encapsulating Security Payload (ESP - RFC 2406)
0 1 2 3
01 2345678901 2345670901 2345678901
version IHL Type of Service Total Length
Identification Flags F ragm enl Offset , 'P Header
Time to Live Protocol = 50 Header Checksum
Source Address
Destination Address
Security Parameter Index (SPI) 1 ESP
Sequence Number J Header
Encrypted Data
J
UNCLASSIFIED

TOP FF
TOP SECRET//COMINT//REL TO USA FVEY

AH-ESP Protocol

UNCLASSIFIED

Authentication Header (AH - RFC 2402)
Encapsulating Security Payload (ESP - RFC 2406)

0 12 3

01234567890123456789012345678901

Version IHL Type of Service Total Length >
Identification Flag s Frag me nt Offset
Time to Live Protocol = 51 Header Checksum
Source Address
Destination Address
Next Header=5C Header Length Reserved >
Security Parameter Index (SPt)
Sequence Number
Integrity Check Value (ICV) ¡Variable length]
Security Parameter Index ($P|) }
Sequence Number
Encrypted Data

iP

Header

AH

Header

ESP

Header

UNCLASSIFIED

TOP FF(~RFT//rnMINT//RFI TD I IF!A FVFY

Overview

TOP SECRET//COMINT//REL TO USA FVEY

VPN IPsec Collection

oo:oa

Hours

*

L

r

Interna!

IP Addresses

(10.160.0.84 tc 10.131.27.ltd )

_______A__________

1 r

I dismal
IP Addresses

(10.16O.0.B41O 10,161.27.111 )

_____________A,

"Y

r

Interna
IP Addresses

(10.160.0.76 to 10.101.27 112 )

_______A________

1

Tunneled IP Sessions

Tunneled IP Sessions

IKE

Phase 2

Tunneled IP Sessions
AHÆSP

24:00

Hours

IKE

Phase

, p.',k,e. •>

V

vpn Tonnsi External ip Addresses ( 172.3.105.3 to 192,i6B.ioo.ee )

■ (TS//SI//REL) Collection requires dwell time to capture IKE associated with ESP

■ (TS//SI//REL) Collection requires link diversity to capture IKE associated with ESP

(S//SI//REL) There is no guarantee that IKE and ESP will use the same link.

■ (S//SI//REL) Collection requires multiple selectors to target external and tunneled sessions

(S//SI//REL) VPN Tunnel External IP Addresses - To Target Decryption
(S//SI//REL) Strong Selectors on Internal IP Links - To Target VPN Content

TOP FF(~BFT//rnMINT//RFI TD I IRA FVFY

TOP SECRET//COMINT//REL TO USA FVEY

Overview

Customer Needs

Customer

Functions

Needs

SIGINT Analyst
(TOPI)

•Target and Analyze Traffic
•Report SIGINT

•Target IDs, Target Links, Target Value
•Unencrypted Targeted Traffic

Network Analysis Center
(NAC)

•Identify target VPN’s

•Report VPN Target IDs and Links

Office of Target Pursuit
(OTP)

•Search and survey for VPN’s of interest
•Report VPN Traffic Intelligence Value

Systems Analysis Office
(SAO)

•Identify VPN Technologies
•Identify VPN Vulnerabilities
•Support VPN Exploitation

•VPN IKE and ESP Metadata

•VPN IKE and ESP Metadata
•VPN Encrypted Surveys
•VPN Unencrypted Surveys

•VPN IKE and ESP Metadata
•VPN Encrypted Surveys
•VPN Decryption Quality

TOP FF
TOP SECRET//COMINT//REL TO USA FVEY

Overview

VPN Products

f

Target Protocol

IP Security (IPsec)/

Internet Key Exchange (IKE) /

Internet Security Association Key Management Protocol (ISAKMP)

\

Products I Dataflows

I

t_____________

Target Protocol

IP Security (IPsec) /
Encapsulating Security Payload (ESP)

9_________________

6

Target Protocol

IP Security (IPsec)/
Authentication Header (AH) /
Encapsulating Security Payload (ESP)

*

*

i > ►
i » ►
TURBULENCE
VPN
i > ►
i » ►

VPN metadata with full-take IKE and sampled ESP
(Metadata Dataflow)

Selected application sessions recovered from
VPN sessions selected for decryption and re-injection
(Transform dataflow t

VPN sessions selected for decryption and survey
(Survey dataflow^

Encrypted VPN sessions selected for analysis
(Analyze Dataflow)

Encrypted VPN sessions selected for decryption
that fail to decrypt using VAO provided key
(TransformQA Dataflow!

*



IP Address Selector Actions

Transform

Transform & NcTransformQA
Transform & Survey
Transform & Survey & NoTransfomiQA
Analyze

Transform & Analyze
Transform & Analyze & NoTransformQA
Transform & Analyze & Survey
Transform & Analyze & NoTransformQA & Survey

____________________________________________________________________________________/

TOP RF
TOP SECRET//COMINT//REL TO USA FVEY

Overview

Needs and Products

Customer

Needs

Products

SIGINT Analyst
(TOPI)

•Target IDs, Target Links, Target Value -Transform Dataflow
•Unencrypted Targeted Traffic

Network Analysis Center -VPN IKE and ESP Metadata
(NAC)

Office of Target Pursuit -VPN IKE and ESP Metadata

(OTP)

•VPN Encrypted Surveys

•Metadata Dataflow - IKE Fulltake
•Metadata Dataflow - ESP Samples
•Metadata Dataflow - IKE Fulltake
•Metadata Dataflow - ESP Samples
•Analysis Dataflow

Systems Analysic Office
(SAO)

•VPN Unencrypted Surveys
•VPN IKE and ESP Metadata

•VPN Encrypted Surveys

•Survey Dataflow
•Metadata Dataflow - IKE Fulltake
•Metadata Dataflow - ESP Samples
•Analysis Dataflow

TOP FF
TOP SECRET//COMINT//REL TO USA FVEY

Dataflows and Interfaces - Metadata

(Classic)

■ (S//SI//REL) VPN IKE/ISAKMP Metadata in TOYGRIPPE is full-take

■ (S//SI//REL) VPN ESP Metadata Sessions in PRESSUREWAVE is sampled (l/16th)

■ (S//SI//REL) VPN AH/ESP Metadata Sessions in PRESSUREWAVE is sampled (l/16th)

TOP FF
TOP SECRET//COMINT//REL TO USA FVEY

Dataflows and Interfaces - IKE Metadata
_____________(New and Improved!)_____________________________________

SECRET//COMINT//REL TO USA, FVEY

Internet Key Exchange (IKE) / Internet Security Association Key Management Protocol (ISAKMP)

VS-IKE-MD2

T: MAILORDER |

C: P sec/IKE Metadata ,
F: ASDF

______ TUBE

VS-IKE-MD1

T Socket Connection
C: Psec/IKE Records
F: SOTF

TURMOIL

Interface Key
T - Transport
C = Content
F - Format



FALLOUT

VS-IKE-MP3

T: MAILORDER
C: IPsec/IKE Metadata
F: ASDF

TOYGRIPPE

■ (S//SI//REL) VPN IKE/ISAKMP Metadata in TOYGRIPPE is full-take

■ (S//SI//REL) VPN ESP Metadata Sessions in PRESSUREWAVE is sampled (l/16th)

■ (S//SI//REL) VPN AH/ESP Metadata Sessions in PRESSUREWAVE is sampled (l/16th)

TOP RF
TOP SECRET//COMINT//REL TO USA FVEY

Dataflows and Interfaces - ESP Metadata

TOP FF
TOP SECRET//COMINT//REL TO USA FVEY

Dataflows and Interfaces - Analyze

Internet Key Exchange (IKE) ! Internet Security Association Key Management Protocol (ISAKMP)

< • »

VPN6

T: Socket Connection

C: IKE & ESP Sessions selected for Analysis

TUBE

Encapsulating Security Payload (ESP)

J1-. SOTF

VPN1

T: Socket Connection
C1 Selector Hit Qcery/Response

■ TURMOIL ..............► KEYCARD

VPN9

T: MAILORDER

C: IKE & ESP Sessions Selected for Analysis
F: SOTF

EXOPUMP

VPN11

T: JTx (JMS)

Or IKE & ESP Sessions Selected tor Analysis
F: XMLiSOTF

PRESSURE-
WAVE

Interface Key
T “ Transport
C = Content
F = Format

■ (U//FOUO) KEYCARD IP Target Action must be ANALYZE

■ (U//FOUO) Full-take of IKE/ESP Sessions.

■ (U//FOUO) No Analytic at this time

TOP CF
TOP SECRET//COMINT//REL TO USA FVEY

Dataflows and Interfaces - Survey



◄-

TOP SECRET//COMIIMT//REL TO USA, FVEY

Internet Key Exchange (IKE) / Internet Security Association Key Management Protocol

Authentication Header (AH) / Encapsulating Security Payload (ESP)

VPN7

T: Socket Connection
C: Encrypted and Decrypted
Application Sessions
F: SQTF

XKEYSCORE

(ISAKIVP)^

VPN1

T: Socket Connection
C Selector H it Query/Response
F: Binary.................

VPN1B

T: Secure Socket (SSL)

C: PIQ Blade Management
F: WebSA

KEYCARD

Interface Key
T = Transport
C = Content
F _ Format

DOC/CES


VPN4 T: IT* 03 i (t3
C: IKE Messages a: £
F IH(SOAP) O (]> l_
_i LL
VPNS 5 to
T: ITx X LU
C: ESP Key Req/Res F: IH(SOAP) ír.) LU O o


VPN

Metrics

i— D o
Z "5
Z o 03 « O
o CD <
to o Cl < JZ c 1— O

Grid

Resource

Allocation

Manager

(GRAM)

HIPC

Resources

Cryptovariables

CORAL

REEF

■ (U//FOUO) KEYCARD IP Target Action must be TRANSFORM & SURVEY

■ (TS//SI//REL) Candidate Sessions for Decryption include BME:

vpnID = “08000000-0000-0000-0000-000000000001”

■ (TS//SI//REL) Decrypted Sessions include BME:

vpnID * “08000000-0000-0000-0000-000000000001”

TOP SF
TOP SECRET//COMINT//REL TO USA FVEY

Dataflows and Interfaces - Transform

◄-

TOP SECRET//CQMINT//REL TO USA, FVEY

internet Key Exchange (IKEU internet SecurityAssociation Key Management Protocol (ISAKMP1

TUBE

VPN6

T: Socket Connector
C Selected Application Sessions'
F SOTF

Note

* Selected Application Sessions
are identified and selected from
the decrypted packets extracted
Irom Ihe VPN tunnel and inserted
into the TURMOIL input stream

VPNS

T: MAILORDER

C: Selected Application Bessons’
Ft SOTF

EXOPUMP

VPN11

T: ITx (JMS)

C: Selected Appl Sessions’
F XMUSOTF

PRESSURE-
WAVE „

AutHentication Header (AH) / Encapsulating SecurityPayload [ESP),

VPN1

T Socket Connection
C: Selector Hit Query/Response
F: Binaiy

VPN18

T: Secure Socket (SSL)

C: PIQ Blade Management
F: WeOSA

KEYCARD

Interface Key
T = Transport
C s Content
F = Format

DOC/CES

VPN4

T: ITx (JMS)

C: IKE Messages
___F HfSQAP)_________

VPNS

T: ITx (JMS)

C: ESP Key Req/Res
F: IH(SOAP)

>1
CB
$

o 0 i_
—1 L_
2 (O
X LU
CO O
LU
o

Grid

Resource

Allocation

Manager

(GRAM)

H PC

Resources

Cryptovariables

CORAL

REEF

■ (TS//SI//REL) PIQ Blade provides PIQ-Services, PICARESQUE ECI Compartmented

■ (TS//SI//REL) Transform is Sanitization of Decrypt

■ (S//SI//REL) VPN AH/ESP Session Transform capability is not available in Spin 12

■ (U//FOUO) KEYCARD IP Target Action must be TRANSFORM

■ (TS//SI//REL) Decrypted sessions have BME vpnID t “08000000-0000-0000-0000-000000000001”

TOP FFFBFT//mMINT//RFI TD I IF A FVFY

TOP FF
TOP FF
TOP SECRET//COMINT//REL TO USA FVEY

Sample stats : 14-22 Oct 2009

System KeyRequests KeyResponses KeyNotRecovered Packets Decrypted
MHS_DEV 8076 0 0 0
MHS_LIVE 26501 12200 0 8041883
MHS_LPT 1725 0 0 0
SMK6 43087 4755 0 1413532

TOP FF
TOP SECRET//COMINT//REL TO USA FVEY

IKE Metadata Sequence

TOP SECRET//COMINT//REL TO FVEY

Stags Q

FSPr

IKE Packets

-0



Matched IKE packets

----------t>

AEG

Keyword

ppf ^ents

ASQF events

SOTF

A5DF

DFID AI ocator

IKE EvoniTcBME

IKE SMG

ASDF Recruiter

IKE Metadata



I

SRI & Application M/D

------------------->

I I

I

IKE Metadata Bundles

IKE Mdslata Sasetoh;

>' o

TUBE

ASDF Bundles

FALLOUT

TQVGRtPPE

ASDF Bundles

IKE ASDF Metadata

4>

TDP FF(~RFT//rnMINT//RFI TD I IF!A FVFY

e-Highlighter

Click to send permalink to address bar, or right-click to copy permalink.

Un-highlight all Un-highlight selectionu Highlight selectionh