16 November 2000
Wiretapping the internet
Charles J. Antonelli, Asst. Director, Center for Information Technology Integration, The University of Michigan, Ann Arbor

Project Goals
+ Long-term storage of every network packet
+ Cryptographically secured
+ Evidentiary purposes
+ Rapid response to intrusion incidents
+ Commodity
+ Completeness
+ Permanency
+ Security
+ Intrusion detection filters and sniffers [current offerings]
+ Many commercial products
+ Designed for triage
+ Not secure, not archival, not continuous

Prototype Architecture
[slide diagram, flattened in these notes: a Collector feeding an MFS, an Archiver writing to CD/Tape/Punchcards, with drives attached on either side]

Cryptographic Organization
[slide showing the key hierarchy; each item is listed with, after the arrow, the key that protects it]
+ translation table symmetric key -> Regents' public key
+ volume master symmetric key -> Regents' public key
+ translation tables -> translation table key
+ translated header | packet payload ... -> payload key

Problem Space
+ The problem space is broad

Systems Engineering
+ CPU clock
+ Transfer rate, latency, size
+ System bus, memory bus, I/O controller, memory, disk drive, tape drive
+ Crypto software, hardware speed
+ Volume management and retrieval
+ Parallelism
+ Round-robin, packet content

What do you do with all the data? A terabyte is about a broom closet of tapes. [really?] You're always going to be behind the curve in the storage game. Parallelism is necessary: several vaults watching the network and storing data while keeping up with it. How long the data is kept determines how useful it is and is governed by what the goals of the vault are.

Cryptographic Organization
+ Approach is sound
+ DES is weak
+ Rijndael
+ 3DES
+ DESX
+ Crypto hardware

Terabyte Storage Technologies
+ Leverage Moore's law
+ Start small
+ mammoth2 w/ autoloader
+ 12 MB/s (9.6 MB/s), 60 GB/tape, 7 tapes
+ 10 mbps: 2 or 3 tapes/day, every day
+ Design large ...

Legal and Regulatory Issues
+ Carrier-transport / ECPA
+ Student information / FERPA
+ Privacy / First amendment
+ Human subject guidelines
+ Ownership / copyright
+ Right to know / FOIA
+ Discovery / evidence
+ Search and seizure / Fourth amendment
+ Civil liability
[most of this goes away when you change the scope from public institution to private]

Evidence Handling
+ Rules for evidence gathering
+ Scene "frozen"
+ Continuity of evidence
+ Authenticated volume contents
+ Second factor might prove useful
+ Auditable procedures
+ Open source
[the contents of the vault are being signed; run two vaults in parallel or gather digests]

Any questions? Visit http://www.citi.umich.edu/ for more info.
[much applause from the gallery]
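As an added illustration (not from the talk or from CITI's own vault code) of two items above, the translated headers in the cryptographic organization and the authenticated volume contents under evidence handling: a keyed translation table pseudonymises addresses, a hash chain links the stored records in order, and a keyed tag over the chain head stands in for the signature a vault would attach. Keys, addresses and payloads are constructed for the example, and bulk encryption of the records under the payload key is left out.

```python
import hashlib
import hmac

# Constructed sample capture: (src, dst, payload) stands in for a packet.
PACKETS = [
    ("10.0.0.5", "10.0.0.9", b"GET / HTTP/1.0\r\n"),
    ("10.0.0.9", "10.0.0.5", b"HTTP/1.0 200 OK\r\n"),
    ("10.0.0.7", "10.0.0.9", b"SSH-2.0-client\r\n"),
]

# Constructed keys. A real vault would seal these under an authority's
# public key (the "Regents' public key" on the slide), not keep them in clear.
TRANSLATION_KEY = b"translation-table-key (constructed)"
VOLUME_KEY = b"volume-master-key (constructed)"

CHAIN_SEED = b"\x00" * 32  # starting value of the per-volume hash chain


def translate(addr, key, table):
    """Map an address to a keyed pseudonym and remember the mapping.
    Only a holder of the key (and the table) can map it back later."""
    if addr not in table:
        table[addr] = hmac.new(key, addr.encode(), hashlib.sha256).hexdigest()[:16]
    return table[addr]


def build_volume(packets, translation_key, volume_key):
    """Translate headers, chain the record digests, tag the chain head."""
    table, records, chain = {}, [], CHAIN_SEED
    for src, dst, payload in packets:
        header = translate(src, translation_key, table) + ">" \
            + translate(dst, translation_key, table)
        record = header.encode() + b"|" + payload
        chain = hashlib.sha256(chain + record).digest()  # links to prior record
        records.append(record)
    tag = hmac.new(volume_key, chain, hashlib.sha256).hexdigest()
    # The table is returned in clear here for inspection; the slide has it
    # encrypted under the translation table key before it leaves the vault.
    return {"records": records, "table": table, "tag": tag}


def verify_volume(volume, volume_key):
    """True only if no record was altered, dropped, added or reordered."""
    chain = CHAIN_SEED
    for record in volume["records"]:
        chain = hashlib.sha256(chain + record).digest()
    expected = hmac.new(volume_key, chain, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, volume["tag"])
```

Running two vaults side by side, as the notes suggest, amounts to comparing the two chain tags: equal tags mean both captured the same records in the same order.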