Title: XKEYSCORE, Cipher Detection, and You!

Description: This presentation from NSA's Mathematics Research Group, dated 21 August 2008, provides an introduction to the XKeyScore system's data sources and fingerprinting capabilities. See the SVT article "FRA part of top-secret hacker project", 11 December 2013.

Document: xks-cipher-detection-and-you-p1-normal.gif:
TOP SECRET//COMINT//REL TO USA, FVEY

XKEYSCORE, Cipher Detection, and You!

Mathematics Research Group
21 August 2008

xks-cipher-detection-and-you-p2-normal.gif:

UNCLASSIFIED

The Protocol Stack

Application Layer (HTTP, FTP, etc.)

Transport Layer (TCP, UDP)

Network Layer (IPv4, IPv6)

Data Link Layer (PPP)

Physical Layer (Copper, Fiber)

xks-cipher-detection-and-you-p3-normal.gif:

TOP SECRET//COMINT//REL TO USA, FVEY

Data Sources

• FORNSAT (downlink)

• Overhead (uplink)

• Special Source

• Tailored Access

• F6

• FISA (limited)

• 3rd party

xks-cipher-detection-and-you-p4-normal.gif:

SECRET//COMINT//REL TO USA, FVEY

Front-end Processing

WEALTHYCLUSTER2 / TURMOIL

Demodulate * Demultiplex * Packetize * Sessionize

Decrypt?

xks-cipher-detection-and-you-p5-normal.gif:

SECRET//COMINT//REL TO USA, FVEY

What does XKEYSCORE do?

• Selection of tasked CADENCE/UTT terms.

• Send hits to PINWALE/PRESSUREWAVE.

• Tipping to TRAFFICTHIEF.

• Fingerprinting.

• SIGINT development using two rolling buffers:

• Metadata

• Content (data)

xks-cipher-detection-and-you-p6-normal.gif:

TOP SECRET//COMINT//REL TO USA, FVEY

Retrospective Searching

• All data are stored, not just hits.

• Queries are distributed to entire network of sites.

Metadata Buffer: ~30 days, searchable, MySQL database
Content Buffer: ~7 days, retrievable, archived on disk

xks-cipher-detection-and-you-p7-normal.gif:

TOP SECRET//COMINT//REL TO USA, FVEY

Fingerprinting

• Pattern matching against the data.

• Session is marked, but not sent to PINWALE.

• Fingerprint stored as metadata.

• Have to search for it.

• Rich set of patterns

• Strings have a minimum of three* anchors (fixed bytes).
[Exception: Two bytes at the beginning of a session]

• Regular expressions allowed (require non-optional string of three* bytes within regex)

• Context-dependent terms.

*XKS reserves the right to increase this to four.
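The anchor rule on this slide is a detection-engineering constraint: a pattern with too few fixed bytes cannot be matched cheaply at line rate. The following is an added example, not code from the slides, that applies the rule to a plain string or a regex by counting the longest non-optional run of literal bytes; it uses Python's own regex parser and assumes ASCII patterns (one character = one byte).

```python
"""Anchor-count check for fingerprint patterns as the slide states them:
a plain string needs >= 3 fixed bytes, a regex needs a non-optional run of
>= 3 literal bytes, and a two-byte string is allowed only at session start."""
try:                      # Python 3.11+ moved the parser module (assumption)
    from re import _parser as sre_parse
except ImportError:
    import sre_parse

MIN_ANCHORS = 3           # "XKS reserves the right to increase this to four"


def longest_literal_run(parsed):
    """Longest run of consecutive literal bytes in a parsed regex.
    A group is scored on its own; any other construct (., [...], a repeat
    that may match zero times, alternation) ends the current run."""
    best = run = 0
    for op, av in parsed:
        if op == sre_parse.LITERAL:
            run += 1
        elif op == sre_parse.SUBPATTERN:
            run = 0                       # av = (group, add, del, subpattern)
            best = max(best, longest_literal_run(av[-1]))
        else:
            run = 0
        best = max(best, run)
    return best


def anchor_ok(pattern, is_regex=False, at_session_start=False):
    """Return (ok, anchors): does the pattern satisfy the slide's rule?"""
    if is_regex:
        anchors = longest_literal_run(sre_parse.parse(pattern))
    else:
        anchors = len(pattern)
    if anchors >= MIN_ANCHORS:
        return True, anchors
    # Exception on the slide: two bytes suffice at the beginning of a session
    if at_session_start and not is_regex and anchors == 2:
        return True, anchors
    return False, anchors


if __name__ == "__main__":
    # Patterns taken from the slides; the last two are constructed weak ones
    for pat, rx, start in [("helix stronghold encrypted file", False, False),
                           ("-XYZ-.{0,30}mp[eg]", True, False),
                           ("mp[eg]", True, False), ("+O", False, True)]:
        print(pat, anchor_ok(pat, is_regex=rx, at_session_start=start))
```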

xks-cipher-detection-and-you-p8-normal.gif:

TOP SECRET//COMINT//REL TO USA, FVEY

Examples

• fingerprint('encryption/helixstronghold', 7.0) =
  'helix stronghold encrypted file';

• fingerprint('encryption/wharfrat', 3.0) =
  '\xd6\x56\x34\xb7\x80\x05\xfe\x8b'c and
  '\xaf\x52\x72\x60\xdd\xfe\x72\xc2'c and
  (port(443) or port(80));

• fingerprint('encryption/the_algorithm', 3.0) =
  /-XYZ-.{0,30}mp[eg]/;

xks-cipher-detection-and-you-p9-normal.gif:

TOP SECRET//COMINT//REL TO USA, FVEY

Syntax Features

• Case Sensitivity

fingerprint('certificate/digital_id') =
  '-BEGIN CERTIFICATE-'c;

• Full Boolean logic

• Grouping with parentheses

• Operators: and, or, not

• Variables

$udp = protocol('udp');
fingerprint('vpn/openvpn/x509/wera') =
  $udp and 'openvpn_wera'c;

xks-cipher-detection-and-you-p10-normal.gif:

TOP SECRET//COMINT//REL TO USA, FVEY

Available Functions

• port

• first

• hex

fingerprint('encryption/kryptel') =
  hex('E8E2454300040004635C4EE9A2F9D111A489E498F70C0B43404F4BFA50F2D111A4898E630458E285');

• pos

fingerprint('encryption/cipherpad') =
  pos('CPAD'c);

xks-cipher-detection-and-you-p11-normal.gif:

TOP SECRET//COMINT//REL TO USA, FVEY

• Distance (similar to pos, but for distance between tokens)

• Lpos

$pop_basic = lpos('+OK 'c) or '\nQUIT';

• First

appid('mail/smtp/...') = first('ehlo') and ;

• Last (similar to first)

• Follows (one token after another)

• Between (one token between two others)

• Order

xks-cipher-detection-and-you-p12-normal.gif:

TOP SECRET//COMINT//REL TO USA, FVEY

Other Features

• Fingerprint definitions updated hourly throughout the entire enterprise.

• Workflows

• Submit through user interface.

• Standing queries that run like cron jobs.

• Limited follow-on processing.

• User interface for fingerprint submission (coming soon).

• Currently done by XKS personnel.

xks-cipher-detection-and-you-p13-normal.gif:

TOP SECRET//COMINT//REL TO USA, FVEY

Plug-ins

• Full power of C++ for when pattern matching does not suffice.

• Usually limited to certain file types

• Huge JPEG volume from web surfing

• Current steg/encryption plugins that fingerprint sessions:

• PHOSPHORESSENCE library of steg detectors

• SHELLLOCK steg detection

• SEDENA indigenous encryption software

• Drawback: Must wait for site upgrade to deploy.

xks-cipher-detection-and-you-p14-normal.gif:

TOP SECRET//COMINT//REL TO USA, FVEY

Trade-off

• Fingerprints easily deployed, but limited to pattern matching.

• Plug-ins slow to deploy, but allow for complex testing.

• New compromise:

• Snippets of C++ code in fingerprint

• Deployed hourly like fingerprint with most of the flexibility of a full plug-in.

• Very complicated tests probably still need to be plug-ins.

• Currently stood up at only a few sites.

xks-cipher-detection-and-you-p15-normal.gif:

TOP SECRET//COMINT//REL TO USA, FVEY

Example

fingerprint('encryption/archive/rar') =
  '\x52\x61\x72\x21\x1a\x07\x00'c
  : C++ {{
    // anchor: the RAR signature "Rar!\x1a\x07\x00"
    const uint8_t *ptr =
      find_first("\x52\x61\x72\x21\x1a\x07\x00");
    if (ptr == NULL)
      return false;
    // the checks below read up to ptr[23]: need 24 bytes left in the session
    if (end() - ptr < 24)
      return false;
    // first file header flags, low byte: 0x04 = file data is encrypted
    if ((ptr[23] & 0x04) != 0x04)
      return false;
    // main archive header flags, low byte: 0x80 = headers are encrypted
    if ((ptr[10] & 0x80) != 0x80)
      return false;
    return true;
  }};
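The two magic offsets in the snippet come from the RAR 2.9/3.x header layout: a 7-byte marker block, a 13-byte main header whose flag word starts at offset 10, and the first file header whose flag word starts at offset 23. The following is an added example, not code from the slides, that performs the same test in Python over a session buffer; the header layout and flag names are my assumption, and the sample archive prefix is constructed, not captured.

```python
"""RAR encrypted-archive check from the slide, in Python.
Layout assumed (RAR 2.9/3.x):
  0..6   marker block  "Rar!\x1a\x07\x00"
  7..19  main header: CRC(2) type(1)=0x73 flags(2, little-endian) size(2) reserved(6)
  20..   first file header: CRC(2) type(1)=0x74 flags(2, little-endian) ...
so byte 10 is the low byte of the main-header flags and byte 23 the low
byte of the first file header's flags."""
import struct

RAR_SIG = b"Rar!\x1a\x07\x00"
MHD_PASSWORD = 0x80   # main header: archive headers are password protected
LHD_PASSWORD = 0x04   # file header: file data is encrypted


def rar_encrypted(session: bytes) -> bool:
    """True when the session carries a RAR signature followed by headers
    whose flags pass both of the slide's tests; same order of checks."""
    ptr = session.find(RAR_SIG)              # the slide's find_first()
    if ptr < 0:
        return False
    if len(session) - ptr < 24:              # bounds check before ptr[23]
        return False
    if session[ptr + 23] & LHD_PASSWORD != LHD_PASSWORD:
        return False
    if session[ptr + 10] & MHD_PASSWORD != MHD_PASSWORD:
        return False
    return True


def make_rar_prefix(main_flags: int, file_flags: int) -> bytes:
    """Constructed sample: the first 29 bytes of a RAR archive with the given
    header flag words; CRC fields are zero placeholders."""
    main_hdr = struct.pack("<HBHH", 0, 0x73, main_flags, 13) + b"\0" * 6
    file_hdr = struct.pack("<HBH", 0, 0x74, file_flags) + b"\0" * 4
    return RAR_SIG + main_hdr + file_hdr


if __name__ == "__main__":
    # constructed session: an HTTP response body carrying the archive
    body = b"HTTP/1.1 200 OK\r\n\r\n" + make_rar_prefix(0x0080, 0x0004)
    print(rar_encrypted(body), rar_encrypted(make_rar_prefix(0, 0)))
```

By the RAR 3 format, an archive with MHD_PASSWORD set carries an 8-byte salt after the main header and encrypts the file headers that follow, so the byte at offset 23 is ciphertext in such archives; the function reproduces the slide's test as written rather than correcting it.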

xks-cipher-detection-and-you-p16-normal.gif:

TOP SECRET//COMINT//REL TO USA, FVEY

Advanced Feature

• Follow-on check with anchorless regexes:

%dhcp_check = regex {{
  ^[\x01\x02][\x01- ]\x06.*c\x82Sc
}};

appid('netmanagement/dhcp/client_to_server', 3.0) =
  from_port(68) and to_port(67)
  : %dhcp_check;
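The point of the follow-on check is ordering: the cheap, anchored port predicate runs over every session, and the anchorless regex (which has no fixed bytes a fast matcher could key on) runs only on the few sessions that pass it. The following is an added example, not code from the slides, that evaluates the two stages in that order; the session is represented as a dictionary (my convention) and the DHCPDISCOVER payload is constructed from the BOOTP field layout.

```python
"""Two-stage appid check: port predicate first, anchorless regex second.
BOOTP/DHCP fixed header used for the constructed sample (236 bytes):
op(1) htype(1) hlen(1) hops(1) xid(4) secs(2) flags(2) ciaddr(4) yiaddr(4)
siaddr(4) giaddr(4) chaddr(16) sname(64) file(128), then the magic cookie
63 82 53 63 and options."""
import re
import struct

# The slide's %dhcp_check: op is BOOTREQUEST(1) or BOOTREPLY(2), a hardware
# type byte, hlen 6 (Ethernet), then the magic cookie somewhere later.
DHCP_CHECK = re.compile(rb"^[\x01\x02][\x01- ]\x06.*c\x82Sc", re.DOTALL)


def from_port(session: dict, port: int) -> bool:
    return session["src_port"] == port


def to_port(session: dict, port: int) -> bool:
    return session["dst_port"] == port


def dhcp_client_to_server(session: dict) -> bool:
    """appid('netmanagement/dhcp/client_to_server') as a function."""
    # stage 1: anchored, cheap; rejects almost every session
    if not (from_port(session, 68) and to_port(session, 67)):
        return False
    # stage 2: the expensive anchorless regex, only on surviving sessions
    return DHCP_CHECK.search(session["payload"]) is not None


def make_dhcp_discover(mac: bytes, xid: int = 0x3903F326) -> bytes:
    """Constructed DHCPDISCOVER: BOOTP header, cookie, option 53 = 1, end."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                      1, 1, 6, 0, xid, 0, 0x8000,
                      b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                      mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return hdr + b"\x63\x82\x53\x63" + b"\x35\x01\x01" + b"\xff"


if __name__ == "__main__":
    sess = {"src_port": 68, "dst_port": 67,
            "payload": make_dhcp_discover(b"\x00\x11\x22\x33\x44\x55")}
    print(dhcp_client_to_server(sess))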

xks-cipher-detection-and-you-p17-normal.gif:
TOP SECRET//COMINT//REL TO USA, FVEY

Releasability Issues

• Nearly all XKS personnel have PICARESQUE!

• Those that don't have PRIVAC.

• XKS distribution comes in two flavors

• 1st & 2nd party

• 3rd party

• No NOPORN capabilities permitted.

• Special dispensation from [redacted] for some capabilities to SMOKYSINK.

• Can keep PICARESQUE code running on R1's rednet if absolutely necessary.


Document Date: 2008-08-21

Release Date: 2013-12-11

Document Path: https://edwardsnowden.com/wp-content/uploads/2015/08/xks-cipher-detection-and-you-p1-normal.gif
https://edwardsnowden.com/wp-content/uploads/2015/08/xks-cipher-detection-and-you-p2-normal.gif
https://edwardsnowden.com/wp-content/uploads/2015/08/xks-cipher-detection-and-you-p3-normal.gif
https://edwardsnowden.com/wp-content/uploads/2015/08/xks-cipher-detection-and-you-p4-normal.gif
https://edwardsnowden.com/wp-content/uploads/2015/08/xks-cipher-detection-and-you-p5-normal.gif
https://edwardsnowden.com/wp-content/uploads/2015/08/xks-cipher-detection-and-you-p6-normal.gif
https://edwardsnowden.com/wp-content/uploads/2015/08/xks-cipher-detection-and-you-p7-normal.gif
https://edwardsnowden.com/wp-content/uploads/2015/08/xks-cipher-detection-and-you-p8-normal.gif
https://edwardsnowden.com/wp-content/uploads/2015/08/xks-cipher-detection-and-you-p9-normal.gif
https://edwardsnowden.com/wp-content/uploads/2015/08/xks-cipher-detection-and-you-p10-normal.gif
https://edwardsnowden.com/wp-content/uploads/2015/08/xks-cipher-detection-and-you-p11-normal.gif
https://edwardsnowden.com/wp-content/uploads/2015/08/xks-cipher-detection-and-you-p12-normal.gif
https://edwardsnowden.com/wp-content/uploads/2015/08/xks-cipher-detection-and-you-p13-normal.gif
https://edwardsnowden.com/wp-content/uploads/2015/08/xks-cipher-detection-and-you-p14-normal.gif
https://edwardsnowden.com/wp-content/uploads/2015/08/xks-cipher-detection-and-you-p15-normal.gif
https://edwardsnowden.com/wp-content/uploads/2015/08/xks-cipher-detection-and-you-p16-normal.gif
https://edwardsnowden.com/wp-content/uploads/2015/08/xks-cipher-detection-and-you-p17-normal.gif

Article Link: http://www.svt.se/ug/fra-part-of-top-secret-hacker-project
