# Official LSV Web Site

# Net-Entropy

An entropy checker for ciphered network connections
- Check that statistical entropy property of ciphered data seems correct
- Detect attacks on cryptographic software that create low entropy network traffic (e.g. a shellcode)
- Reports low entropy alarms via syslog
- Configurable entropy threshold
- Configurable verification method (cumulative / packet entropy, server side, client side, or cumulative client+server)
- Very small resources requirment, can run on routers, ids hosts, etc... (< 1% CPU on 100 Mbps Ethernet, < 5 Mo RAM)
- Can verify various kind of cryptocraphic layers: SSH, all SSL secured protocols, IPSec/ESP (in future version)
- Net-Entropy requires
libpcap for network frame capture,
Libnet and
libnids for IP defragmentation and TCP stream assembly

See

http://juju.sh/net-entropy/ for updates and downloads.

## Sample figures:

The principle of functioning of Net-Entropy relies on the randomness property
of cryptographic algorithms.
A perfectly random infinite Byte string have
a statistical entropy that tends to 8 bits per Byte.
The figure 1 shows the average estimated statistical entropy computed from
small size random messages.

Figure 1: Average statistical entropy estimated from small random messages
The perfect case shown in the figure 1 is not quitely exact in real
world cryptographic applications. This is essentially due to
cryptographic protocols, which insert plain text messages for
connection setup and key establishment. These messages insert a bias in the
Byte distribution of the whole exchanged data, so which decrease the entropy.
The figure 2 shows the entropy of a HTTPS connection (HTTP secured with SSL/

TLS).
The key establishment explains the initial low entropy, and the slower growth,
once the content data are ciphered.

Figure 2: Statistical entropy for a HTTPS connection
The figure 3 shows the entropy of a HTTPS connection attacked with an
exploitation of an

OpenSSL flaw (

BugTraq ID 5363). Data generated by
the attack reduces the connection entropy.

Figure 3: Statistical entropy for an Apache/SSL attack connection
For additional information, the figure 4 shows the entropy of a connection of
plain text protocols such as

HTTP,

SMTP and

TELNET.

Figure 4: Statistical entropy plain data (http, smtp, telnet)