* [WireGuard] Session Key Extraction & Request for Dissector
@ 2016-08-24 22:40 Jason A. Donenfeld
From: Jason A. Donenfeld @ 2016-08-24 22:40 UTC (permalink / raw)
  To: WireGuard mailing list

Hi folks,

WireGuard symmetric encryption keys are ephemeral, changing quite
frequently to ensure perfect forward secrecy. However, some folks
would like to be able to decrypt WireGuard packets inside of tcpdump
or WireGuard. I didn't want to compromise the integrity of the
ephemeral nature of the session keys by exposing them directly to
userspace, in any direct way at all, so instead I wrote a quick tool
that uses /dev/kmem to extract the session keys:

https://git.zx2c4.com/WireGuard/tree/contrib/examples/extract-keys

    # cd contrib/examples/extract-keys
    # make
    # ./extract-keys wg0
    0x57b56068 tMT...a1rQ= xvQ...KmY=
    0x01662508 LbM...osTs= 4VA...OYI=

The first value is the index, which should match against the index in
the transport packet. Then, the first key is the key used for sending,
and the second key is the key used for receiving. The ciphertext will
decrypt with standard ChaCha20Poly1305, and if you take a look at
wireguard.io/protocol/ you'll see that the nonce is prepended.

In my testing, this method turns out to be quite reliable.

I'm wondering: would anybody be interested in writing a Wireshark
dissector for WireGuard packets? You can use the extract-keys/ code as
a jumping-off point.

Thanks,
Jason


* Re: [WireGuard] Session Key Extraction & Request for Dissector
From: Jason A. Donenfeld @ 2016-08-24 22:51 UTC (permalink / raw)
  To: WireGuard mailing list

On Thu, Aug 25, 2016 at 12:40 AM, Jason A. Donenfeld <Jason@zx2c4.com> wrote:
> The first value is the index, which should...

Small improvement:

    # ./extract-keys wg0
    0xe25d9516 IHHXzJVLOm2fw6J4dGsVDNUH4l6plYw70b0IozmH8KQ=
    0xd29e7538 D7ZiiRXaVA+UXNT3FBoAiKCu+3eSrp/fHCz0KisxaVk=
    0x90c99abb EI33BYVaI0rziFUxvLBsVM8z6glhW7tLWR7+MTAe43s=
    0x9540a866 yAjjnONW6TGrZm/tdrg7KIAZ2ipxn/YqWSba4lh377U=

The first field is the index. The second field is the key. If you see
a packet with the index, decrypt it with the key. Plain and simple.
This actually amounts to printing out:

    REMOTE_KEY_ID SENDING_KEY
    LOCAL_KEY_ID RECEIVING_KEY

But from the point of view of a dissector it doesn't really matter.
See a packet, match the index, decrypt the payload.
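The decrypt path a dissector would implement for the "see a packet, match the index, decrypt the payload" rule above, as an added example that is not part of this thread or of the WireGuard tree: it parses the 16-byte transport header (type, receiver index, 64-bit counter), looks the index up in a table built from extract-keys output, and opens the payload with ChaCha20Poly1305 using the counter as the nonce. It assumes the `cryptography` Python package, little-endian wire fields, and a constructed key and packet in the demo rather than a real capture.

```python
import base64
import struct

MESSAGE_TRANSPORT = 4
HEADER_LEN = 16   # type(1) + reserved(3) + receiver_index(4) + counter(8), all little-endian
TAG_LEN = 16      # Poly1305 tag appended to the ciphertext


def parse_key_table(extract_keys_output: str) -> dict:
    """Turn 'extract-keys wg0' output ('0x<index> <base64 key>' per line) into {index: key}."""
    table = {}
    for line in extract_keys_output.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0].startswith("0x"):
            table[int(fields[0], 16)] = base64.b64decode(fields[1])
    return table


def parse_transport(packet: bytes) -> tuple:
    """Split a transport data message into (receiver_index, counter, ciphertext+tag)."""
    if len(packet) < HEADER_LEN + TAG_LEN:
        raise ValueError("too short for a WireGuard transport message")
    msg_type, receiver_index, counter = struct.unpack_from("<B3xIQ", packet, 0)
    if msg_type != MESSAGE_TRANSPORT:
        raise ValueError(f"not a transport message (type {msg_type})")
    return receiver_index, counter, packet[HEADER_LEN:]


def transport_nonce(counter: int) -> bytes:
    """96-bit AEAD nonce: 32 zero bits followed by the 64-bit little-endian counter."""
    return b"\x00" * 4 + struct.pack("<Q", counter)


def decrypt_transport(packet: bytes, key_table: dict) -> bytes:
    """Match the receiver index against the key table and open the payload."""
    from cryptography.hazmat.primitives.ciphers.aead import ChaCha20Poly1305  # assumed: pip install cryptography
    receiver_index, counter, ciphertext = parse_transport(packet)
    key = key_table.get(receiver_index)
    if key is None:
        raise KeyError(f"no session key for index {receiver_index:#010x}")
    # Transport messages carry no associated data; a bad tag raises InvalidTag.
    return ChaCha20Poly1305(key).decrypt(transport_nonce(counter), ciphertext, None)


if __name__ == "__main__":
    # Constructed demo, not a real capture: a throwaway key published under index 0x90c99abb.
    from cryptography.hazmat.primitives.ciphers.aead import ChaCha20Poly1305
    key = bytes(range(32))
    table = parse_key_table("0x90c99abb " + base64.b64encode(key).decode() + "\n")
    plaintext = b"\x45\x00\x00\x1c" + b"\x00" * 24          # minimal IPv4 header as the inner packet
    body = ChaCha20Poly1305(key).encrypt(transport_nonce(7), plaintext, None)
    packet = struct.pack("<B3xIQ", MESSAGE_TRANSPORT, 0x90c99abb, 7) + body
    assert decrypt_transport(packet, table) == plaintext
    print("decrypted", len(plaintext), "bytes for index 0x90c99abb")
```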

