[Oisf-users] Decrypt ssl sessions
Shane Anglin
Shane.Anglin at knology.com
Mon Nov 21 17:47:17 UTC 2011
In regards to outbound web SSL traffic:
For performance reasons, it is best to have a hardware SSL accelerator to do the MITM decrypting and encrypting... I am unaware of an open source project using a GPU for this (would like to hear if there is one though), but it should be feasible enough as some password cracker apps can use GPU computational power. There are approaches to doing the SSL interception with inline versus side-band (where data is duplicated to another path for investigation). What factors into much of this is if you need to make it transparent to the user or not. The only way to do this transparently is to have all the private keys for all the traffic being generated and load those onto the SSL interception device... depends on your environment, your access to your client's private key stores, internal policies & procedures, and whether you trust the SSL interception device with that critical data. Non-transparently, you could employ a proxy and force the users to go through it, but you then have to publish an SSL cert for the proxy and convince the users to trust that cert or forever receive SSL warnings... again, depends on the environment you are supporting and what policies you can enforce. Proxy-wise, the commercial ones I have used allow you to pass the traffic off to another device for investigation via PCAP, etc.
Overall, if you want to decrypt the SSL sessions, you need the private keys (a big can of worms) or the ability to intercept the sessions to decrypt and encrypt to destination (a proxy and user acceptance and maintenance).
Regards,
Shane Anglin GSEC, GCIH, GPEN
Knology Broadband, Inc.
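As an added example (not code from the thread or from any of its participants), a small Python parser that reads a TLS 1.2 ServerHello record and reports which of the two approaches above applies to that session: with a static RSA key exchange the server's private key alone lets a side-band device decrypt, while (EC)DHE suites negotiate ephemeral keys, so only the inline interception path works. The cipher-suite table is a deliberately short subset of the IANA registry and the ServerHello bytes are constructed for the example.

```python
import struct

# Subset of IANA cipher suite IDs -> (name, key exchange). Two families are
# enough for the check: static RSA vs ephemeral (EC)DHE. (Assumed subset.)
CIPHER_SUITES = {
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", "RSA"),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", "RSA"),
    0x009C: ("TLS_RSA_WITH_AES_128_GCM_SHA256", "RSA"),
    0x0033: ("TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "DHE"),
    0xC013: ("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "ECDHE"),
    0xC02F: ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "ECDHE"),
}

def parse_server_hello(record: bytes):
    """Parse one TLS record carrying a ServerHello; return (version, suite_id)."""
    if len(record) < 5 or record[0] != 0x16:          # content type 22 = handshake
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x02:              # handshake type 2 = ServerHello
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    version = struct.unpack("!H", hs[0:2])[0]
    pos = 2 + 32                                       # skip server_random
    sid_len = hs[pos]
    pos += 1 + sid_len                                 # skip session_id
    suite = struct.unpack("!H", hs[pos:pos + 2])[0]
    return version, suite

def decrypt_strategy(record: bytes) -> str:
    """Say which approach from the thread can decrypt the session this hello opens."""
    _, suite = parse_server_hello(record)
    name, kx = CIPHER_SUITES.get(suite, ("unknown", "unknown"))
    if kx == "RSA":
        return f"{name}: server private key suffices (side-band decryption possible)"
    if kx in ("DHE", "ECDHE"):
        return f"{name}: ephemeral keys; needs inline interception (proxy) to decrypt"
    return f"suite 0x{suite:04x}: unknown key exchange"

def build_server_hello(suite: int) -> bytes:
    """Construct a minimal TLS 1.2 ServerHello record (sample input, no extensions)."""
    hs_body = b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    handshake = b"\x02" + len(hs_body).to_bytes(3, "big") + hs_body
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake
```

Feed `decrypt_strategy` the first server-side handshake record of a captured session to decide whether a key-escrow deployment would have any chance of decrypting it.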
-----Original Message-----
From: oisf-users-bounces at openinfosecfoundation.org [mailto:oisf-users-bounces at openinfosecfoundation.org] On Behalf Of Martin Holste
Sent: Monday, November 21, 2011 10:12 AM
To: Robert Vineyard
Cc: oisf-users at openinfosecfoundation.org
Subject: Re: [Oisf-users] Decrypt ssl sessions
Sounds like a great masters thesis for someone...
On Mon, Nov 21, 2011 at 8:49 AM, Robert Vineyard <robert.vineyard at oit.gatech.edu> wrote:
> On 11/21/2011 9:33 AM, carlopmart wrote:
>> Maybe it is off-topic, but afaik suricata doesn't decrypt ssl
>> sessions, correct?? But does some open source tool exist that can do it
>> and pass traffic to suricata to analyze it??
>
> I don't think it's off-topic at all, and in fact is a feature that
> would give Suricata a competitive advantage over many other IDS
> systems - including Snort.
>
> We've observed attackers utilizing encryption to mask their
> activities, often sending malicious traffic over legitimate HTTPS or
> SSH channels. This technique is generally successful in allowing them
> to bypass traditional signature-based IDS setups.
>
> There are some commercially-available products that either include SSL
> decryption or offer it as an add-on, including one from Sourcefire.
>
> I think a good first start if there's enough interest in pursuing this
> type of functionality would be real-time decryption of private
> key-escrowed legitimate traffic. A number of application-layer "next generation"
> firewalls can do this with minimal additional overhead, particularly
> considering some of the crypto-acceleration features built in to
> recent CPUs from Intel and others - never mind the ongoing Suricata CUDA development.
> GPUs could be leveraged for SSL decryption as well...
>
> Unfortunately I don't really have much in the way of development
> resources to offer here, but I may be able to provide testing
> facilities in our high-traffic university environment where such a
> feature would be heavily utilized.
>
> --
> Robert Vineyard, CISSP, RHCE
> Senior Information Security Engineer
> Georgia Tech Office of Information Technology
> 404.385.6900 (office/cell) / 404.894.9548 (fax)
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>