From: "Jason A. Donenfeld" <Jason@zx2c4.com>
To: WireGuard mailing list <wireguard@lists.zx2c4.com>
Subject: ephemeral key extraction
Date: Wed, 28 Feb 2018 21:11:41 +0100 [thread overview]
Message-ID: <CAHmME9pPRCTf1MyN9RgPKPYZ2Wscnvrgqq9b1gWhMg5ovTu9Xg@mail.gmail.com> (raw)
Hi list,
WireGuard does not provide a userspace interface for getting transport
data session keys, or ephemeral handshake keys. This is by design. No
backdoors!
However, Peter (CC'd) wants to write a Wireshark dissector, so we've
made a little kprobe-based utility to extract just the minimal amount
of cryptographic information from the kernel upon a certain event, and
then this information can be combined with information gathered over
the wire from packets in order to derive every secret used by the
system and decrypt all packets.
We first determine struct offsets using offset-finder [1]. This
exploit-trick is first compiled using the kernel toolchain, and then
compiled again using the normal toolchain, and then the two object
files are linked together [2] and the result prints the struct
offsets. Fortunately these will be stable offsets because they're not
dependent on kernel config values or weird types. Next we install
kprobes on one particular function using extract-handshakes.sh [3],
which then starts dumping output from that probe and writing it to
standard out in base64 format.
>From quick tests, this all is quite reliable.
For a few days, I'll run a simple netcat server on demo.wireguard.com.
Try typing `nc demo.wireguard.com 58812` and then connecting to the
demo box like usual. Basically, it's every cryptographer's girlfriend
Eve's wildest fantasy. All of the key compromises all of the time!
Code lives here:
https://git.zx2c4.com/WireGuard/tree/contrib/examples/extract-handshakes
Enjoy!
Jason
[1] https://git.zx2c4.com/WireGuard/tree/contrib/examples/extract-handshakes/offset-finder.c
[2] https://git.zx2c4.com/WireGuard/tree/contrib/examples/extract-handshakes/Makefile
[3] https://git.zx2c4.com/WireGuard/tree/contrib/examples/extract-handshakes/extract-handshakes.sh
next reply other threads:[~2018-02-28 20:03 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-02-28 20:11 Jason A. Donenfeld [this message]
2018-03-02 13:56 ` Jason A. Donenfeld
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAHmME9pPRCTf1MyN9RgPKPYZ2Wscnvrgqq9b1gWhMg5ovTu9Xg@mail.gmail.com \
--to=jason@zx2c4.com \
--cc=wireguard@lists.zx2c4.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).