TOP SECRET//COMINT//REL TO USA, FVEY

Cipher Detection, and You!
Mathematics Research Group
21 August 2008

The Protocol Stack
- Application Layer (HTTP, FTP, etc.)
- Transport Layer (TCP, UDP)
- Network Layer
- Data Link Layer
- Physical Layer (Copper, Fiber)

Data Sources
- FORNSAT (downlink)
- Overhead (uplink)
- Special Source
- Tailored Access
- F6
- FISA (limited)
- 3rd party

Front-end Processing
- TURMOIL

What does XKS do?
- Selection of tasked UTT terms. Send hits to PRESSUREWAVE.
- Tipping to TRAFFICTHIEF.
- Fingerprinting.
- SIGINT development using two rolling buffers: metadata and content (data).

Retrospective Searching
- Metadata buffer: 30 days. Content buffer: 7 days.
- Searchable / retrievable: data are stored, not just hits. Archived database on disk.
- Queries are distributed to the entire network of sites.

Fingerprinting
- Pattern matching against the data.
- Session is marked, but not sent to PINWALE.
- Fingerprint stored as metadata. Have to search for it.
- Rich set of patterns:
  - Strings have a minimum of three anchors (fixed bytes).
    Exception: two bytes at the beginning of a session.
  - Regular expressions allowed (require a non-optional string of three bytes within the regex).
  - Context-dependent terms.
  - Right reserved to raise this minimum to four.

Examples
(The definitions on this slide are only partly legible in the extraction; what survives:)
- (..., 7.0) ...
- (..., 3.0) ... and ... and (port(443) or port(80));
- 'helix stronghold file'

Syntax Features
- Case sensitivity:
    fingerprint('certificate/digital_id') = '-BEGIN CERTIFICATE-'
- Full Boolean logic: grouping with parentheses; operators: and, or, not.
- Variables:
    $udp
    $udp and 'openan_wera'c;
- Available functions:
  - port
  - pos:  pos('CPAD1'c) ... 4000;   (comparison operator lost in extraction)
  - distance (similar to pos, but for the distance between tokens)
  - first:  ... $pop_basic or first('ehlo') and ...
  - last (similar to first)
  - follows (one token after another)
  - between (one token between two others)
  - order

Other Features
- Fingerprint definitions updated hourly throughout the entire enterprise.
- Workflows:
  - Submit through user interface.
  - Standing queries that run like cron jobs.
  - Limited follow-on processing.
- User interface for fingerprint submission (coming soon). Currently done by XKS personnel.

Plug-ins
- Full power of the plug-in language for when pattern matching does not suffice.
- Usually limited to certain file types. Huge volume from web surfing.
- Current steg/... plug-ins that fingerprint sessions:
  - PHOSPHORESSENCE: library of steg detectors
  - Steg detection
  - SEDENA: indigenous software
- Drawback: must wait for a site upgrade to deploy.

Trade-off
- Fingerprints: easily deployed, but limited to pattern matching.
- Plug-ins: slow to deploy, but allow for complex testing.
- New compromise: snippets of code in a fingerprint.
  - Deployed hourly like a fingerprint, with most of the flexibility of a full plug-in.
  - Very complicated tests probably still need to be plug-ins.
  - Currently stood up at only a few sites.

Example
(Snippet as shown on the slide; the left-hand operands of the three comparisons did not survive extraction and are left as gaps.)
    const uint8_t *ptr ...;
    if (ptr == NULL) return false;
    if (... 64) return false;
    if (... 0x04) return false;
    if (... 0x80) return false;
    return true;

Advanced Feature
- Follow-on check with anchorless regexes:
    %dhcp_check regex ...
    (..., 3.0) from_port(68) and to_port(67) ... %dhcp_check;
  The port clause supplies the selection; the regex, which has no fixed three-byte string of its own, runs only on sessions that clause has already matched.

Releasability Issues
- Nearly all XKS personnel have PICARESQUE. Those that don't have PRIVAC.
- XKS distribution comes in two flavors: 1st & 2nd party; 3rd party.
  - No NOFORN capabilities permitted.
  - Special dispensation from ... for some capabilities to SMOKYSINK.
- Can keep PICARESQUE code running on R1 (rednet) if absolutely necessary.
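The fingerprint primitives named on the Fingerprinting and Syntax Features slides (port, first, pos, distance, follows, between) and the three-fixed-byte anchor rule, as an added C example. This is not XKS code and the slides say nothing about how the engine is built: the session struct with its from_port/to_port fields, the case-insensitive flag on string functions, the simplified regex scan and the SMTP sample bytes are all assumptions made for this example.

```c
/* Added example (not XKS code): a small model of the fingerprint primitives
 * named on the slides -- port, first, pos, distance, follows, between -- and
 * of the rule that a pattern needs three fixed bytes (two if it sits at the
 * start of the session). Session layout, ci flag and sample bytes are assumed. */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    const uint8_t *data;   /* reassembled session payload */
    size_t len;
    uint16_t from_port;    /* hypothetical session metadata */
    uint16_t to_port;
} session_t;

/* port(n): either endpoint used port n. */
static bool fp_port(const session_t *s, uint16_t n) {
    return s->from_port == n || s->to_port == n;
}

static bool bytes_eq(const uint8_t *p, const char *tok, size_t n, bool ci) {
    for (size_t k = 0; k < n; k++) {
        unsigned char a = p[k], b = (unsigned char)tok[k];
        if (ci ? tolower(a) != tolower(b) : a != b) return false;
    }
    return true;
}

/* pos(tok): byte offset of the first occurrence of tok, or -1. */
static long fp_pos(const session_t *s, const char *tok, bool ci) {
    size_t n = strlen(tok);
    if (n == 0 || n > s->len) return -1;
    for (size_t i = 0; i + n <= s->len; i++)
        if (bytes_eq(s->data + i, tok, n, ci)) return (long)i;
    return -1;
}

/* first(tok): tok is the very first thing in the session. */
static bool fp_first(const session_t *s, const char *tok, bool ci) {
    return fp_pos(s, tok, ci) == 0;
}

/* distance(a, b): bytes between the end of a and the start of b, or -1 when
 * either is missing or b does not come after a (first occurrences only). */
static long fp_distance(const session_t *s, const char *a, const char *b) {
    long pa = fp_pos(s, a, false), pb = fp_pos(s, b, false);
    if (pa < 0 || pb < 0) return -1;
    long end_a = pa + (long)strlen(a);
    return pb >= end_a ? pb - end_a : -1;
}

/* follows(a, b) and between(a, x, b), built on distance. */
static bool fp_follows(const session_t *s, const char *a, const char *b) {
    return fp_distance(s, a, b) >= 0;
}
static bool fp_between(const session_t *s, const char *a, const char *x, const char *b) {
    return fp_follows(s, a, x) && fp_follows(s, x, b);
}

/* Longest run of literal bytes that every match of the regex must contain.
 * Simplified: bracket classes and escapes are skipped, a literal directly
 * followed by ?, * or { counts as optional, optional groups like (abc)? are
 * not modelled. */
static size_t longest_fixed_run(const char *re) {
    size_t best = 0, run = 0;
    for (size_t i = 0; re[i]; i++) {
        char c = re[i];
        if (c == '[') {                              /* skip a bracket class */
            while (re[i] && re[i] != ']') i++;
            if (!re[i]) break;
            run = 0;
            continue;
        }
        if (c == '\\' && re[i + 1]) { i++; run = 0; continue; }
        char nx = re[i + 1];
        bool meta = strchr(".^$*+?(){}|", c) != NULL;
        bool optional = (nx == '?' || nx == '*' || nx == '{');
        if (meta || optional) run = 0;
        else if (++run > best) best = run;
    }
    return best;
}

/* Anchor rule from the slides: three fixed bytes, or two at session start. */
static bool anchor_ok(const char *pattern, bool at_session_start) {
    return longest_fixed_run(pattern) >= (at_session_start ? 2u : 3u);
}

/* Constructed sample session; the fingerprint evaluated below reads like
 * port(25) and first('ehlo') and follows('EHLO','STARTTLS'). */
static const char SMTP_SAMPLE[] = "EHLO mail.example.test\r\nSTARTTLS\r\n";

static bool demo_smtp_fingerprint(void) {
    session_t s = { (const uint8_t *)SMTP_SAMPLE, sizeof SMTP_SAMPLE - 1, 50000, 25 };
    return fp_port(&s, 25) && fp_first(&s, "ehlo", true)
        && fp_follows(&s, "EHLO", "STARTTLS")
        && fp_between(&s, "EHLO", "example", "STARTTLS");
}

static long demo_smtp_distance(void) {
    session_t s = { (const uint8_t *)SMTP_SAMPLE, sizeof SMTP_SAMPLE - 1, 50000, 25 };
    return fp_distance(&s, "EHLO", "STARTTLS");   /* 20 bytes of hostname and CRLF */
}

int main(void) {
    printf("smtp fingerprint: %s, distance %ld\n",
           demo_smtp_fingerprint() ? "match" : "no match", demo_smtp_distance());
    printf("anchor ok 'ab?cd': %d, '[0-9]+foo': %d\n",
           anchor_ok("ab?cd", false), anchor_ok("[0-9]+foo", false));
    return 0;
}
```

The anchor check is the part a fingerprint author trips over: 'ab?cd' has only two bytes that must appear (the 'b' is optional), so it fails the three-byte rule unless it is pinned to the start of the session, while '[0-9]+foo' passes on the strength of 'foo' alone.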
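The Advanced Feature slide's follow-on check (from_port(68) and to_port(67), then a regex) combined with the snippet style of the Example slide, as an added C example. It is not the slides' code: the %dhcp_check regex is not reproduced, and in its place the follow-on test inspects the DHCP message header (op, htype, hlen and the magic cookie at offset 236, as laid out in RFC 2131). The packet bytes are constructed for the example.

```c
/* Added example (not XKS code): a port clause followed by a code check, in
 * the style of the slides' snippet. The code check is a DHCP header test
 * written for this example; the slides' own %dhcp_check regex is not shown. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define DHCP_MIN_LEN 240u   /* fixed BOOTP header (236 bytes) + 4-byte magic cookie */

/* Port clause from the slide: from_port(68) and to_port(67). */
static bool dhcp_ports(uint16_t from_port, uint16_t to_port) {
    return from_port == 68 && to_port == 67;
}

/* Code clause: bail out on the first failing test, true only when all pass. */
static bool dhcp_check(const uint8_t *ptr, size_t len) {
    static const uint8_t cookie[4] = { 0x63, 0x82, 0x53, 0x63 };
    if (ptr == NULL) return false;
    if (len < DHCP_MIN_LEN) return false;
    if (ptr[0] != 1) return false;                        /* op: BOOTREQUEST */
    if (ptr[1] != 1) return false;                        /* htype: Ethernet */
    if (ptr[2] != 6) return false;                        /* hlen: 6-byte MAC */
    if (memcmp(ptr + 236, cookie, 4) != 0) return false;  /* DHCP magic cookie */
    return true;
}

/* The cheap port clause runs first; the byte test only sees what it passed. */
static bool dhcp_fingerprint(uint16_t from, uint16_t to, const uint8_t *ptr, size_t len) {
    return dhcp_ports(from, to) && dhcp_check(ptr, len);
}

/* Constructed BOOTREQUEST: zeroed header with op/htype/hlen/xid/chaddr set,
 * the magic cookie, a DHCPDISCOVER option (53, len 1, value 1) and the end
 * marker 0xff. Returns the packet length written. */
static size_t build_discover(uint8_t *buf, size_t cap) {
    static const uint8_t mac[6]  = { 0x02, 0x00, 0x00, 0x00, 0x00, 0x01 };
    static const uint8_t tail[8] = { 0x63, 0x82, 0x53, 0x63, 53, 1, 1, 0xff };
    if (cap < DHCP_MIN_LEN + 4) return 0;
    memset(buf, 0, DHCP_MIN_LEN + 4);
    buf[0] = 1; buf[1] = 1; buf[2] = 6;                          /* op, htype, hlen */
    buf[4] = 0xde; buf[5] = 0xad; buf[6] = 0xbe; buf[7] = 0xef;  /* xid */
    memcpy(buf + 28, mac, 6);                                    /* chaddr */
    memcpy(buf + 236, tail, 8);                                  /* cookie + options */
    return DHCP_MIN_LEN + 4;
}

static bool demo_dhcp_positive(void) {
    uint8_t pkt[300];
    size_t n = build_discover(pkt, sizeof pkt);
    return dhcp_fingerprint(68, 67, pkt, n);
}

/* Same bytes on the wrong ports: rejected by the port clause alone. */
static bool demo_dhcp_wrong_ports(void) {
    uint8_t pkt[300];
    size_t n = build_discover(pkt, sizeof pkt);
    return dhcp_fingerprint(12345, 80, pkt, n);
}

/* Right ports, truncated payload: the length test protects the cookie read. */
static bool demo_dhcp_truncated(void) {
    uint8_t pkt[300];
    build_discover(pkt, sizeof pkt);
    return dhcp_fingerprint(68, 67, pkt, 64);
}
```

The length check before the offset-236 read is the detail worth copying from the slide's snippet shape: a follow-on test runs on attacker-supplied bytes, so every fixed offset it touches has to be guarded by an explicit bound first.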