Encrypting any application with TCPCrypt

May 28th, 2012

For work, I have been looking into TCPCrypt. I had never heard of it before but knew exactly what it did by its name. After exploring it for a little bit, it is extremely handy, easy to deploy, and has little impact on your system. Here is how it works.

Once you install TCPCrypt, you set up iptables to forward specific traffic to TCPCrypt. If the other host is using TCPCrypt as well, the two hosts exchange encryption keys and start encrypting the payload of all the traffic on that session.

Hosts identify another TCPCrypt host by adding or looking for a 2-byte TCP option that TCPCrypt sets in the SYN. The TCP option it sets is

0x45 0x02

The 0x45 indicates it is a TCPCrypt host and the 0x02 is the total length of the TCPCrypt option (in this case 2 bytes). When the server sees the TCPCrypt option in the SYN, it responds with a standard SYN ACK that, just like the original SYN, carries some additional TCP options. It will send back something like this

0x45 0x07 0x41 0x05 0x02 0x04 0x04

The second byte in the SYN ACK option is, as always, the length of the option. The 0x41 shows that the option lists the encryption algorithms the host supports, and the bytes after it are codes for those algorithms.

At this point, the TCP session deviates from the standard 3-way handshake and turns into a 4-way handshake by exchanging INIT1 (0x45 0x03 0x06) and INIT2 (0x45 0x03 0x07) messages that contain keys and a couple of further bits needed. Once this is done, we should be good to start encrypting.
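The option bytes described above can be checked in a capture with a small decoder. This is an added example, not code from the original post or from the TCPCrypt project; it follows only the byte layout given in this post, and the function names, the "type" labels and the sample option fields are assumptions made for illustration.

```python
# Added example: decode the tcpcrypt TCP option using only the layout in this post.
CRYPT_KIND = 0x45      # option kind the post says marks a TCPCrypt host
SUBOPT_ALGOS = 0x41    # post: sub-option announcing supported algorithms
SUBOPT_INIT = {0x06: "INIT1", 0x07: "INIT2"}  # post: 0x45 0x03 0x06 / 0x07

def iter_tcp_options(raw):
    """Yield (kind, body) for each TLV option in a raw TCP options field."""
    i = 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:          # End of Option List
            return
        if kind == 1:          # NOP padding is a single byte with no length
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated option header at offset %d" % i)
        length = raw[i + 1]    # length covers the kind and length bytes too
        if length < 2 or i + length > len(raw):
            raise ValueError("bad option length %d at offset %d" % (length, i))
        yield kind, raw[i + 2:i + length]
        i += length

def classify_tcpcrypt(raw):
    """Return a dict describing the tcpcrypt option, or None if it is absent.
    The "type" labels are this example's own names, not protocol terms."""
    for kind, body in iter_tcp_options(raw):
        if kind != CRYPT_KIND:
            continue
        if not body:                       # bare 0x45 0x02, as in the SYN
            return {"type": "MARKER"}
        if body[0] == SUBOPT_ALGOS:        # 0x41 followed by algorithm codes
            return {"type": "ALGOS", "codes": list(body[1:])}
        return {"type": SUBOPT_INIT.get(body[0], "UNKNOWN"), "subopt": body[0]}
    return None

# Constructed sample option fields (the MSS and NOP bytes are made up).
SAMPLES = {
    "SYN": bytes.fromhex("020405b401014502"),
    "SYN ACK": bytes.fromhex("45074105020404"),
    "INIT1": bytes.fromhex("450306"),
    "no tcpcrypt": bytes.fromhex("020405b4"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify_tcpcrypt(raw))
```

A `None` result for the peer's SYN ACK means the other host did not answer with the option, so that session should not be assumed to be encrypted.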

Now, to actually route traffic through TCPCrypt, you need to set up some iptables rules. The following rules send any traffic across port 23 (Telnet) to TCPCrypt.

iptables -I INPUT -p tcp --sport 23 -j NFQUEUE --queue-num 666
iptables -I INPUT -p tcp --dport 23 -j NFQUEUE --queue-num 666
iptables -I OUTPUT -p tcp --sport 23 -j NFQUEUE --queue-num 666
iptables -I OUTPUT -p tcp --dport 23 -j NFQUEUE --queue-num 666

And just like that… once TCPCrypt is running, all Telnet traffic to hosts that also run TCPCrypt will be encrypted with hardly any effort and without any knowledge of the actual Telnet daemon itself. This works with any application: you just need to swap out the port numbers in the iptables rules and you are good to go.

Link to the PCAP of TCPCrypt
Link to the IETF Standards Draft
