[Cryptography] GHCQ Penetration of Belgacom

Jerry Leichter leichter at lrw.com
Sun Dec 28 16:57:39 EST 2014

On Dec 28, 2014, at 8:46 AM, dan at geer.org wrote:
>> Of course, we can't know if lower-abstraction-level exploits are
>> being mounted today - but are so well hidden that we never detect
>> them.  But the existence of state-of-the-art attack mechanisms
>> like Stuxnet and Darkhotel - none of which go deeper than the OS
>> - argues that if lower-level attacks are being mounted, they are
>> being mounted by the most sophisticated parties in extremely unusual
>> and specialized circumstances.
> So, what should one assume w.r.t. infrastructure, e.g., should some
> level of the military-industrial complex plan as if all the biggest
> Cisco backbone routers contain an intentionally placed sensitivity
> to a kill packet?  What would such a plan involve if not alternatives
> to the Internet?
Imagine that, in fact, every router did come with such a "kill packet".  Could you use them to build a secure network?  In principle, I believe the answer may be yes.

What you need to do is prevent anyone on the outside from controlling the actual bits in the packets as seen by the "important" routers.  This requires encrypting the entire packet at the boundary of the "core" with a key that an attacker has no access to.  It's tempting to think you can leave bits that have the property that normal traffic sets all possible combinations, so a vulnerable combination would quickly become obvious - but that falls to an attack that looks at, say, three specific bit combinations received within some short period of time.

In effect, you need the network to be oblivious to the traffic it's transmitting.  For user data, this is no big deal (unless you want to do DPI, of course).  The hard part is the routing and other control information.  In one sense, this is trivial:  The binding of meaning to particular addresses is arbitrary, and if you uniformly applied a permutation to all the addresses (and similarly things like network protocol values) to every component of the protected core, nothing would change.  (Well, all kinds of assumptions about network *ranges* would change - but between the exhaustion of the IPv4 space and the much larger IPv6 space this is being lost to a large degree anyway.)  Of course, any fixed permutation would have to be assumed to "leak" eventually, so you'd need a way to change permutations.  The easiest way is to let all packets that were already in the network just die a natural death when the permutation changes; but you can do better if you need to (with the equivalent of double buffering).

Of course, this moves the locus of attacks to the edge routers which have to be relied on to apply the permutation.  I suppose you can have layers of them, sourced from different vendors in different countries, to make it much harder to get any attack combinations through.

But ... it's a deep and difficult question, and practical as opposed to "in principle" answers are much more difficult to find.
> One might as well ask why we bother tracking incoming asteroids...
Expected cost is probability times cost per incident.  An incoming asteroid may be unlikely, but it can have huge cost.

Of course, knowing of the possibility doesn't do you much good if you have no defense....
                                                        -- Jerry

> --dan
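
Added example, not part of the original message: a sketch of the address permutation with changeable epochs and "double buffering" described above, as an edge router might apply it. The Feistel construction over HMAC-SHA256, the 32-bit IPv4-sized addresses, the per-packet epoch tag and the Edge class are all assumptions made for illustration, not a vetted design.

```python
import hashlib
import hmac
import ipaddress

ROUNDS = 4  # assumption: small balanced Feistel, illustrative rather than vetted

def _f(key: bytes, rnd: int, half: int) -> int:
    """Round function: 16 bits of HMAC-SHA256 over (round number, half)."""
    msg = bytes([rnd]) + half.to_bytes(2, "big")
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:2], "big")

def permute(key: bytes, addr: int) -> int:
    """Keyed bijection on 32-bit addresses (outside address -> core address)."""
    left, right = addr >> 16, addr & 0xFFFF
    for rnd in range(ROUNDS):
        left, right = right, left ^ _f(key, rnd, right)
    return (left << 16) | right

def unpermute(key: bytes, addr: int) -> int:
    """Inverse of permute(): run the rounds backwards."""
    left, right = addr >> 16, addr & 0xFFFF
    for rnd in reversed(range(ROUNDS)):
        left, right = right ^ _f(key, rnd, left), left
    return (left << 16) | right

class Edge:
    """Hypothetical edge router holding the secret the core never sees."""
    def __init__(self, master: bytes):
        self.master, self.epoch = master, 0

    def _key(self, epoch: int) -> bytes:
        return hmac.new(self.master, b"epoch" + epoch.to_bytes(8, "big"), hashlib.sha256).digest()

    def rotate(self) -> None:
        self.epoch += 1  # new permutation for all newly admitted packets

    def ingress(self, dst: int):
        return self.epoch, permute(self._key(self.epoch), dst)

    def egress(self, tag: int, core_addr: int):
        # Double buffering: honour the current and the previous epoch only.
        if tag < 0 or tag not in (self.epoch, self.epoch - 1):
            return None  # older packets die a natural death
        return unpermute(self._key(tag), core_addr)

if __name__ == "__main__":
    edge = Edge(b"constructed-demo-master-key")  # constructed sample key
    tag, core = edge.ingress(int(ipaddress.IPv4Address("192.0.2.17")))
    print(tag, ipaddress.IPv4Address(core), ipaddress.IPv4Address(edge.egress(tag, core)))
```

Core routers would hold forwarding tables already expressed in permuted addresses for each live epoch, so only the edge ever needs the key.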
