Decrypting live SSH traffic in virtual environments

Abstract: Decrypting and inspecting encrypted malicious communications may assist crime detection and prevention. Access to client or server memory enables the discovery of artefacts required for decrypting secure communications. This paper develops the MemDecrypt framework to investigate the discovery of encrypted artefacts in memory and applies the methodology to decrypting the secure communications of virtual machines. For Secure Shell, used inter alia for secure remote server management, file transfer, and tunnelling, MemDecrypt experiments rapidly yield AES-encrypted details for a live secure file transfer, including remote user credentials, the transmitted file name, and file contents. Thus, MemDecrypt discovers cryptographic artefacts and quickly decrypts live malicious SSH communications, including the detection and interception of the exfiltration of confidential data.
