Computer Science Department, Rhodes University
b.irwin@ru.ac.za
Rhodes University, Box 94, Grahamstown 6140, South Africa

ABSTRACT

In the interests of maintaining end-to-end security, increasing volumes of information are being encrypted while in transit. Many organisations and users will make use of secure encrypted protocols for information interchange when given the option. The very security that is provided by these transport protocols, such as IPSEC, HTTPS and SSH, also works against the security monitoring of an organisation's traffic: intrusion detection systems are no longer easily able to inspect the payload of encrypted protocols. Similarly, these protocols can be difficult for security and network administrators to debug, validate and analyse. This paper discusses the need for a means by which a trusted third party can unpack encrypted data traversing a network, and proposes an architecture that would enable this through the extraction and sharing of the appropriate encipherment tokens, based on the assumption that an organisation has legitimate access to one side of a communication entering or exiting its network. This problem also has particular relevance to honeynet research and to investigators trying to perform real-time monitoring of an intruder who is making use of such a protected protocol. A proof-of-concept implementation of the proposed architecture is also discussed.

KEY WORDS

Encrypted Traffic, Intrusion Detection, Traffic Analysis, Cryptography, Traffic Decryption