* ephemeral key extraction
@ 2018-02-28 20:11 Jason A. Donenfeld
2018-03-02 13:56 ` Jason A. Donenfeld
0 siblings, 1 reply; 2+ messages in thread
From: Jason A. Donenfeld @ 2018-02-28 20:11 UTC (permalink / raw)
To: WireGuard mailing list
Hi list,
WireGuard does not provide a userspace interface for getting transport
data session keys, or ephemeral handshake keys. This is by design. No
backdoors!
However, Peter (CC'd) wants to write a Wireshark dissector, so we've
made a little kprobe-based utility to extract just the minimal amount
of cryptographic information from the kernel upon a certain event, and
then this information can be combined with information gathered over
the wire from packets in order to derive every secret used by the
system and decrypt all packets.
We first determine struct offsets using offset-finder [1]. This
exploit-trick is first compiled using the kernel toolchain, and then
compiled again using the normal toolchain, and then the two object
files are linked together [2] and the result prints the struct
offsets. Fortunately these will be stable offsets because they're not
dependent on kernel config values or weird types. Next we install
kprobes on one particular function using extract-handshakes.sh [3],
which then starts dumping output from that probe and writing it to
standard out in base64 format.
>From quick tests, this all is quite reliable.
For a few days, I'll run a simple netcat server on demo.wireguard.com.
Try typing `nc demo.wireguard.com 58812` and then connecting to the
demo box like usual. Basically, it's every cryptographer's girlfriend
Eve's wildest fantasy. All of the key compromises all of the time!
Code lives here:
https://git.zx2c4.com/WireGuard/tree/contrib/examples/extract-handshakes
Enjoy!
Jason
[1] https://git.zx2c4.com/WireGuard/tree/contrib/examples/extract-handshakes/offset-finder.c
[2] https://git.zx2c4.com/WireGuard/tree/contrib/examples/extract-handshakes/Makefile
[3] https://git.zx2c4.com/WireGuard/tree/contrib/examples/extract-handshakes/extract-handshakes.sh
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: ephemeral key extraction
2018-02-28 20:11 ephemeral key extraction Jason A. Donenfeld
@ 2018-03-02 13:56 ` Jason A. Donenfeld
0 siblings, 0 replies; 2+ messages in thread
From: Jason A. Donenfeld @ 2018-03-02 13:56 UTC (permalink / raw)
To: WireGuard mailing list
On Wed, Feb 28, 2018 at 9:11 PM, Jason A. Donenfeld <Jason@zx2c4.com> wrote:
> For a few days, I'll run a simple netcat server on demo.wireguard.com.
> Try typing `nc demo.wireguard.com 58812` and then connecting to the
> demo box like usual. Basically, it's every cryptographer's girlfriend
> Eve's wildest fantasy. All of the key compromises all of the time!
By popular demand, for a limited time only, coming to a key compromise
situation near you, with no strings attached, in full bitstream
quality, now avid Eves can get a live pcap in addition to the stream
of ephemeral keys above:
Try running `nc demo.wireguard.com 37281`, and piping it to wireshark.
Happy decrypting!
Jason
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2018-03-02 13:47 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-02-28 20:11 ephemeral key extraction Jason A. Donenfeld
2018-03-02 13:56 ` Jason A. Donenfeld
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.