IKE. Internet Key Exchange (IKE) is the main key establishment protocol used for IPsec VPNs. There are two versions, IKEv1 and IKEv2, which differ in message structure but are conceptually similar. For the sake of brevity, we will use IKEv1 terminology.

Each IKE session begins with a Phase 1 handshake, in which the client and server select a Diffie-Hellman group from a small set of standardized parameters and perform a key exchange to establish a shared secret. The shared secret is combined with other cleartext values transmitted by each side, such as nonces and cookies, to derive a value called SKEYID. IKE provides several authentication mechanisms, including symmetric pre-shared keys (PSK); when IKEv1 is authenticated with a PSK, this value is incorporated into the derivation of SKEYID.

The resulting SKEYID is used to encrypt and authenticate a Phase 2 handshake. Phase 2 establishes the parameters and key material, KEYMAT, for a cryptographic transport protocol used to protect subsequent traffic, such as Encapsulating Security Payload (ESP) or Authenticated Header (AH). In some circumstances, this phase includes an additional round of Diffie-Hellman. Ultimately, KEYMAT is derived from SKEYID, additional nonces, and the result of the optional Phase 2 Diffie-Hellman exchange.

NSA's VPN exploitation process. The documents published by Der Spiegel describe a system named TURMOIL that is used to collect and decrypt VPN traffic. The evidence indicates that this decryption is performed using passive eavesdropping and does not require message injection or man-in-the-middle attacks on IPsec or IKE. Figure 4, an excerpt from one of the documents, illustrates the flow of information through the TURMOIL system.

The initial phases of the attack involve collecting IKE and ESP payloads and determining whether the traffic matches any tasked selector. If so, TURMOIL transmits the complete IKE handshake and may transmit a small amount of ESP ciphertext to NSA's Cryptanalysis and Exploitation Services (CES) [56,65] via a secure tunnel. Within CES, a specialized VPN Attack Orchestrator (VAO) system manages a collection of high-performance grid computing resources located at NSA Headquarters and in a data center at Oak Ridge National Laboratory, which perform the computation required to generate the ESP session key [61,62,67]. VAO also maintains a database, CORALREEF, that stores cryptographic values, including a set of known PSKs and the resulting "recovered" ESP session keys [60,61,67].

The ESP traffic itself is buffered for up to 15 minutes, until CES can respond with the recovered ESP keys if they were generated correctly. Once keys have been returned, the ESP traffic is decrypted via hardware accelerators or in software [68,69]. From this point, decrypted VPN traffic is reinjected into TURMOIL processing infrastructure and passed to other systems for storage and analysis. The documents indicate that NSA is recovering ESP keys at large scale, with a target of 100,000 per hour.
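The IKEv1 derivation described above, written out as an added example (not code from the paper or from any IKE implementation), following the RFC 2409 formulas for PSK authentication with HMAC-SHA1 assumed as the negotiated prf. All nonces, cookies, SPI and Diffie-Hellman results are constructed stand-ins; the point it makes is which inputs to KEYMAT are secret and which travel in cleartext, and why a Phase 2 (PFS) exchange changes the outcome.

```python
import hashlib
import hmac

# Constructed sample handshake values (not real traffic). Only PSK and the
# Diffie-Hellman results are secret; everything else is visible on the wire.
PSK = b"example-pre-shared-key"
NI_B, NR_B = b"I" * 16, b"R" * 16        # initiator / responder nonces (cleartext)
CKY_I, CKY_R = b"\x01" * 8, b"\x02" * 8  # ISAKMP cookies (cleartext)
SPI = b"\xde\xad\xbe\xef"                # ESP SPI from the Phase 2 exchange (cleartext)
PROTO_ESP = b"\x03"                      # protocol identifier used in KEYMAT
GXY = b"\x5a" * 128                      # stand-in for the Phase 1 g^xy (secret)
GQM_XY = b"\x7b" * 128                   # stand-in for an optional Phase 2 g(qm)^xy


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf is the negotiated HMAC; HMAC-SHA1 is assumed here."""
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid_psk(psk: bytes, ni_b: bytes, nr_b: bytes) -> bytes:
    """RFC 2409 s.5.4: with PSK authentication, SKEYID = prf(PSK, Ni_b | Nr_b)."""
    return prf(psk, ni_b + nr_b)


def skeyid_d(skeyid: bytes, gxy: bytes, cky_i: bytes, cky_r: bytes) -> bytes:
    """RFC 2409 s.5: SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0).
    This is where the Phase 1 Diffie-Hellman secret enters the key hierarchy."""
    return prf(skeyid, gxy + cky_i + cky_r + b"\x00")


def keymat(skeyid_d_: bytes, spi: bytes, ni_b: bytes, nr_b: bytes,
           gqm_xy: bytes = b"") -> bytes:
    """RFC 2409 s.5.5: KEYMAT = prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b).
    g(qm)^xy is present only when Phase 2 negotiated PFS."""
    return prf(skeyid_d_, gqm_xy + PROTO_ESP + spi + ni_b + nr_b)


def esp_key(gxy: bytes, gqm_xy: bytes = b"") -> bytes:
    """Full chain from handshake values to the ESP session key (20 bytes here)."""
    sk_d = skeyid_d(skeyid_psk(PSK, NI_B, NR_B), gxy, CKY_I, CKY_R)
    return keymat(sk_d, SPI, NI_B, NR_B, gqm_xy)


def observer_matches_peers(obs_gxy: bytes, obs_gqm_xy: bytes = b"",
                           peers_gqm_xy: bytes = b"") -> bool:
    """Does a party holding the PSK and the cleartext values, plus the DH
    results it believes are correct, reproduce the peers' ESP key?"""
    return esp_key(obs_gxy, obs_gqm_xy) == esp_key(GXY, peers_gqm_xy)
```

With a known PSK, the Phase 1 Diffie-Hellman result is the only thing standing between the captured handshake and KEYMAT; when Phase 2 adds its own exchange, that second secret must be recovered as well.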