Ephemeral Diffie Hellman support – NOT !

You may be aware of the SSL/TLS decryption features of Unsniff (see the article here on how to do it).

This past weekend we received an email asking whether there were plans for Unsniff to support decryption of TLS using the DHE-RSA-AES256-SHA cipher suite. We also find this same question repeated on many security forums. I thought this deserved a blog entry.

The letters “DHE” in a cipher suite name mean that Diffie-Hellman Ephemeral mode is being used for key exchange. Contrast this with plain or static “DH” (for example DH_RSA_WITH_DES_CBC_SHA). Unsniff might support static DH, because in that mode the Diffie-Hellman parameters can be found in the server certificate.

Unsniff has no plans to support ephemeral DH because it is impossible.

Why?

Ephemeral DH is used to provide Perfect Forward Secrecy to a TLS connection. This means that even if you have obtained the server private key via admin help, theft, or court order – you cannot decrypt past captured traffic. The server key is of no use because it is only used to sign the DH parameters in the “Server Key Exchange” message in TLS; the session keys are derived from the ephemeral DH private values, which are generated fresh for each connection and never leave the two endpoints. To decrypt DH-ephemeral in the way Unsniff (and other tools like Wireshark) decrypt RSA key exchange would be akin to breaking DH. That is not possible.

Is there really no way?

I think there is only one way. If you can change the source code of the server (Apache, etc.) to write out the per-session DH parameters (including the server's ephemeral secret) to a log file, we may be able to use that to compute the master secret and therefore decrypt the TLS session.
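The following is an added illustration for this post, not Unsniff code and not a real TLS group. It simulates both static DH (the server reuses one long-term exponent, whose public value would sit in the certificate) and ephemeral DH (a fresh exponent per handshake), and shows which private value a decrypting tool needs in each case. The group (p = 2^127 - 1, g = 3), the HMAC stand-in for the TLS PRF, and the `server_log_entry` field representing what a patched server could log are all assumptions made for readability.

```python
"""Why a captured DHE handshake cannot be decrypted with the server's long-term
key, and why a per-session log of the server's ephemeral exponent would change
that. Constructed example; the group below is a toy, not a TLS group."""
import hashlib
import hmac
import secrets

# Constructed toy group: 2**127 - 1 is prime and g = 3 is a generator of a
# large subgroup. Real TLS DHE groups are 2048 bits or more.
P = 2**127 - 1
G = 3


def dh_keypair(p=P, g=G):
    """Pick a private exponent and return (private, public = g^private mod p)."""
    priv = secrets.randbelow(p - 2) + 1          # 1 <= priv <= p - 2
    return priv, pow(g, priv, p)


def dh_shared(peer_pub, priv, p=P):
    """Both endpoints reach the same value: (g^b)^a == (g^a)^b mod p."""
    return pow(peer_pub, priv, p)


def master_secret(premaster, client_random, server_random):
    """Stand-in for the TLS PRF (assumption for the example): key the HMAC with
    the premaster and mix in both randoms, as the real PRF does."""
    return hmac.new(premaster.to_bytes(16, "big"),
                    client_random + server_random, hashlib.sha256).digest()


def run_handshake(static_server_priv=None):
    """Simulate one handshake. With static_server_priv the server behaves like
    static DH (same exponent every session, public value in the certificate);
    without it the server behaves like DHE and draws a fresh exponent.
    The RSA signing key only authenticates (p, g, server_pub) and never enters
    the key derivation, so it is not modelled at all."""
    client_random = secrets.token_bytes(32)
    server_random = secrets.token_bytes(32)
    if static_server_priv is None:
        server_priv, server_pub = dh_keypair()       # ephemeral, per session
    else:
        server_priv, server_pub = static_server_priv, pow(G, static_server_priv, P)
    client_priv, client_pub = dh_keypair()           # ClientKeyExchange value

    # Everything a passive sniffer sees: public values only.
    wire = {"p": P, "g": G, "server_pub": server_pub, "client_pub": client_pub,
            "client_random": client_random, "server_random": server_random}
    return {
        "wire": wire,
        "server_master": master_secret(dh_shared(client_pub, server_priv),
                                       client_random, server_random),
        "client_master": master_secret(dh_shared(server_pub, client_priv),
                                       client_random, server_random),
        # What a patched server could write to its per-session log file.
        "server_log_entry": {"client_random": client_random, "server_priv": server_priv},
    }


def recover_master(wire, server_priv):
    """Redo the server's half of the computation from a capture plus the
    server's private exponent for that session (long-term for static DH,
    the logged ephemeral value for DHE)."""
    pms = dh_shared(wire["client_pub"], server_priv, wire["p"])
    return master_secret(pms, wire["client_random"], wire["server_random"])


if __name__ == "__main__":
    lt_priv, _ = dh_keypair()
    s1, s2 = run_handshake(lt_priv), run_handshake(lt_priv)
    print("static DH: one long-term key opens every session:",
          recover_master(s1["wire"], lt_priv) == s1["server_master"]
          and recover_master(s2["wire"], lt_priv) == s2["server_master"])
    e1, e2 = run_handshake(), run_handshake()
    k1 = e1["server_log_entry"]["server_priv"]
    print("DHE: logged exponent opens its own session:",
          recover_master(e1["wire"], k1) == e1["server_master"])
    print("DHE: the same exponent opens a different session:",
          recover_master(e2["wire"], k1) == e2["server_master"])
```

The capture (`wire`) never contains a private exponent, and deriving one from the public values is the discrete logarithm problem, which is the "breaking DH" the post refers to. In the static case a single long-term key decrypts every past session; in the ephemeral case each session needs its own logged exponent, which is exactly the forward secrecy property.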

 

Two days at Proto


Proto.in is an event that is loosely modelled on the DEMO conference. The idea is to showcase product companies from India. Out of hundreds, 30 companies were shortlisted and asked to demo their stuff. The event was organized by an energetic bunch of people led by Vijay Anand.

We were given 8 minutes (compared to 6 minutes at DEMO) to showcase our product. The ground rule was no slides or PPT presentations (we can all rock the slideshow routine, can't we?). Unfortunately, the 8-minute rule as well as the “no-slides” rule was followed by just a handful of companies.

I (netscript aka Vivek) was first on stage and demoed Unsniff Network Analyzer. I emphasised the extensibility aspect of Unsniff. I showed them the Ruby IAX VoIP analysis script written by our buddy Tim Vincent. I also touched on the advantages of the visual breakout.

It was really cool meeting some interesting folks. First, Sujai Karampuri from Sloka Telecom: they are developing a low-cost WiMAX base station as well as a CPE node. I will explore with them the possibility of a tie-up to support a radio module in the 3.5G range for Unsniff.

I met Gokul, who runs an excellent blog focussed on VoIP, IMS, etc. at http://tggokul.wordpress.com/ . He provided amazing live blog coverage of the event (and I find it hard to blog once a week!). He has written about our talk here. I must sheepishly admit that I had not met him before this event, even though Unleash works so much with VoIP and has great plans for IMS. We plan to meet soon.

The main organizer, Vijay Anand, is involved in a group called Tenet. They seem to be involved in a lot of networking research. Unleash plans to work with them going forward. I see a great opportunity here to get support for new protocols and tools via access to that group.

There were a few VCs there too. My “skeptico-meter” for VCs is off the dial at this point. Nevertheless, it was interesting to meet and talk to them. It would be nice if they clearly articulated their long term vision and their ability to put up with long gestation products.

Overall, a couple of very interesting days.

[tags] startups, india, proto, proto.in, entrepreneurship [/tags]

SNMPv3 Chicken and Egg

SNMPv3 suffers from a unique chicken-and-egg problem. To configure SNMPv3 users you need to use SNMPv3. So how does the initial user get configured?


The initial users are configured via CLI or via standard factory settings. The cable industry has successfully adopted Diffie-Hellman to help configure the initial users. However, this method is part of the DOCSIS (cable) standard, not SNMPv3.

Once the initial user is up and running, we can let SNMPv3 take over the user and key management functions. 

Unbrowse SNMP is under heavy development to help with SNMPv3 user management for small and medium scale networks. The idea is:

  • Manage USM users like you would Unix users
  • Automatically prevent users from changing other users' passwords, deleting themselves, or elevating their rights
  • Hide the gory details of Contexts, Groups and TreeFamilies
  • Tools to automatically propagate changes through the network
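As an added illustration of the two pieces behind the list above (this is example code written for this post, not Unbrowse SNMP's implementation): the RFC 3414 password-to-key localisation, which is why every agent in the network needs its own key material when a password changes, and a small policy guard over a USM user table that enforces the bootstrap-then-SNMPv3 rule and the restrictions in the bullets. The group names `ReadOnly`/`ReadWrite`/`Admin`, the rule that only an `Admin` may act on other users, and the engine IDs are assumptions made for the example; the key derivation itself follows RFC 3414 section A.2 and is checked against the RFC's own `maplesyrup` test vector.

```python
"""USM key localisation (RFC 3414 A.2) plus a policy guard over a USM user
table. Constructed example; group names and the Admin rule are assumptions."""
import hashlib

# Assumed VACM-style groups, ordered by rights so "elevation" is comparable.
GROUP_RANK = {"ReadOnly": 0, "ReadWrite": 1, "Admin": 2}


def password_to_key(password: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    """RFC 3414 A.2: stretch the password to 1 MiB and hash it (Ku), then
    localise to one agent as hash(Ku || engineID || Ku) (Kul). Because Kul
    depends on the engine ID, every agent gets a different key for the same
    password, so a password change must be propagated agent by agent."""
    stretched = (password * (1048576 // len(password) + 1))[:1048576]
    ku = hashlib.new(algo, stretched).digest()
    return hashlib.new(algo, ku + engine_id + ku).digest()


def localized_keys(password: bytes, engine_ids) -> dict:
    """Keys a propagation tool would have to push, one per agent engine ID."""
    return {eid: password_to_key(password, eid) for eid in engine_ids}


class UsmUserTable:
    """Models one agent's usmUserTable with the policy from the post."""

    def __init__(self, engine_id: bytes):
        self.engine_id = engine_id
        self.users = {}      # name -> {"group": str, "auth_key": bytes}

    def bootstrap(self, name, password, group="Admin"):
        """The chicken-and-egg step: the first user comes from CLI or factory
        settings, with no SNMPv3 requester to authorise the change."""
        if self.users:
            raise PermissionError("table already populated; use SNMPv3 from here on")
        self.users[name] = {"group": group,
                            "auth_key": password_to_key(password, self.engine_id)}

    def _rank(self, name):
        return GROUP_RANK[self.users[name]["group"]]

    def _require_admin(self, requester):
        if requester not in self.users:
            raise PermissionError(f"{requester}: unknown USM user")
        if self.users[requester]["group"] != "Admin":
            raise PermissionError(f"{requester}: only Admin may manage other users")

    def create_user(self, requester, name, password, group):
        self._require_admin(requester)
        if GROUP_RANK[group] > self._rank(requester):
            raise PermissionError("cannot grant rights above your own")
        if name in self.users:
            raise ValueError(f"{name} already exists")
        self.users[name] = {"group": group,
                            "auth_key": password_to_key(password, self.engine_id)}

    def change_password(self, requester, target, new_password):
        """Users may change only their own password; Admin may reset others."""
        if requester not in self.users or target not in self.users:
            raise PermissionError("unknown USM user")
        if requester != target and self.users[requester]["group"] != "Admin":
            raise PermissionError(f"{requester} may not change {target}'s password")
        self.users[target]["auth_key"] = password_to_key(new_password, self.engine_id)

    def delete_user(self, requester, target):
        self._require_admin(requester)
        if requester == target:
            raise PermissionError("a user may not delete itself")
        if target not in self.users:
            raise ValueError(f"{target} does not exist")
        del self.users[target]

    def set_group(self, requester, target, group):
        """No elevation: neither self-elevation nor granting above own rank."""
        self._require_admin(requester)
        if GROUP_RANK[group] > self._rank(requester):
            raise PermissionError("cannot grant rights above your own")
        self.users[target]["group"] = group


def is_denied(action, *args) -> bool:
    """Demo helper: True if the table refuses the action."""
    try:
        action(*args)
    except PermissionError:
        return True
    return False
```

The table is the agent-side view; a management tool that "propagates changes through the network" has to run `localized_keys` over every agent's engine ID and push each `Kul` separately, which is the part the tool is meant to hide from the operator.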

We have beta builds available for anyone who would like to give it a spin. Please contact us via email for access to the beta.

 

[tags] snmpv3, USM, VACM [/tags]