Hide it with encryption, display it with performance.

Presented at ToorCon San Diego 16 (2014), Oct. 25, 2014, 5 p.m. (50 minutes)

A network protocol has performance requirements. To meet these requirements, many implementations leak side-channel information that indicates how a tunnel is being used. In particular, approximate packet sizes and timing can be tied to a particular use of an encrypted tunnel. Pacumen is an open-source tool that can learn what a specific application “looks like” over an encrypted tunnel and can be trained to recognize that application being used without decryption. We will go into a deep dive on the algorithm used and how it works, and talk about how best to measure its performance and utilize it in the real world. Attendees will walk away from the talk with in-depth knowledge of how to analyze packet sizes and timing using modest computational and labor resources. They can then often determine what type of traffic is likely being encrypted, both algorithmically and with the tool Pacumen.


Presenters:

  • Brandon Niemczyk
    Brandon Niemczyk was born in Chicago. He has been writing code since he was a child with his first 386 modifying the QBASIC game gorillas.bas. He later moved on to write GIS software in Orlando, FL and then wandered into information security after a brief stint writing accounting software. His interests are machine learning, mathematics, motorcycles, games, reverse engineering, and family. Brandon has previously spoken at multiple conferences on machine learning and information security.
