Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

# ./mklp.py {XML receipt file} {URL for the new LP} {target ID}
The script will generate an LP-specific output directory whose structure is similar to that
described above for the builder (Section II). All files are UNCLASSIFIED (i.e., no private
CA or target information is contained in the output directory).
C. KEY MANAGEMENT
Each implant instance has a unique certificate authority associated with it. The CA's
private key is used to sign the implant's certificate as well as certificates for each LP
associated with the implant in question. If anyone actually reads this paragraph, he or she
is entitled to a small monetary prize courtesy of the Aeris team lead. Implant- collected
data cannot be decrypted without the CA's private key; hence, this key is considered
SECRET//NOFORN and must be maintained on a classified network. All keys and certificates
(CA, target, and LP) are 2048 bits in size.
Other keys (LP and target) must, by definition, reside on Internet-enabled, âlow-sideâ
systems and are considered UNCLASSIFIED. However, some further restrictions are recommended.
In particular, target keys should never reside on an LP, and LP keys should never reside on
a target. Since the target and LP use mutually-authenticated SSL, the CA certificate must
reside on both systems.
All keys are available in the build repository as described in Section II. It is recommended
that this repository be preserved somewhere for posterity since the CA private key cannot be
reconstituted if lost. We also recommend that keys and configurations for new LPs be
preserved in similar fashion (see Appendix B).
CRYPTOGRAPHIC DESIGN
Aeris uses a cryptographic implementation that is compatible with the NOD Cryptographic
Specification (NSPEC-001). All cryptographic algorithms are based on PolarSSL 1.0.0, which
is statically-compiled into the Aeris binaries. Specifics of our implementation are outlined
below.
ENCRYPTION OF DATA
A tasking payload is generated on a high-side system and consists of three blocks:
[ HASH | KEY | DATA ]
The data block consists of AES-256-encrypted tasking data. AES keys are generated by reading
data from /dev/random and hashing the output with SHA-384. The 48 bytes that result consist
of a 32-byte key and a 16-byte initialization vector. This key / vector combination is then
encrypted with the target's public key and stored in the key block. Finally, a SHA-512 hash
is computed over the key and data blocks. This hash is signed with the CA's private key, and
the result is stored in the hash block.
When data is exfiltrated from a target, the encrypted payload takes the following form:
[ KEY | DATA | HASH ]
The data block consists of AES-256-encrypted data that has been collected from a command
request or series of command requests. Here, keys and initialization vectors are generated
with PolarSSL's havege random number generator. The 48-byte key / vector combination is
encrypted with the CA's public key (certificate), and the result is stored in the key block.
Once all data have been encrypted, and the data block has been finalized, a SHA-512 hash is
computed over the entire payload. This hash is signed using the target's private key, and
the result is stored in the hash block. Note that, because the CA private key resides only
on the high side, the original payload can be recovered only on the high side.
ENCRYPTION OF COMMUNICATIONS
All communications between the target and an LP are encrypted using mutually- authenticated
TLS (with AES-256 as the preferred cipher). Thus, Aeris uses two separate layers of
encryption: One on the data itself (described above) and another on the communications.
The data exchange protocol is HTTP. Tasking payloads are fetched using HTTPS GET, and
collected data are exfiltrated using HTTPS POST. When exfiltrating data, Aeris does not use
any specific POST fields; instead, it simply appends the data to the HTTP header as one
large âblobâ. The server and/or processing script should save this blob to a file
verbatim.
Both client and target certificates must validate against the CA certificate. Note also that
an Aeris LP must be SNI-enabled so that the same LP can support multiple domains and can
SECRET//NOFORN

e-Highlighter

Click to send permalink to address bar, or right-click to copy permalink.

Un-highlight all Un-highlight selectionu Highlight selectionh