ANNOUNCEMENT: Live Wireshark University & Allegro Packets online APAC Wireshark Training Session
July 17th, 2024 | 10:00am-11:55am SGT (UTC+8) | Online
Wireshark logo

Wireshark-dev: [Wireshark-dev] Support for TLS1.2 decryption using derived keys

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: webpentest <webpentest@xxxxxxxxx>
Date: Thu, 30 Apr 2020 10:37:49 +0300
Hello list,

I'm currently working on implementing a SSLKEYLOGFILE-like functions for
TLS connections that use Windows SChannel APIs (e.g. IE/Edge, as well as
other windows apps such as RDP client). SChannel does not expose its
keys, though some research was done on recovering them (see [1] and [2]).


I won't describe here the inner workings of schannel and key isolation
in Windows, but the bottom line is as follows:

1. The master key is only available to the lsass.exe process and
accessing it thus requires elevated privileges. Furthermore, there might
be additional restrictions that prevent event admins from accessing the
memory of lsass.

2. The derived keys, however, are available to the actual process that
uses schannel. Notably, I can extract the client and server write keys
and IV's, as well as the client random (see section 6.1 of RFC 5246,
page 17).


This means that it is possible to decrypt schannel traffic without the
need for elevated privilege, by extracting and using those derived keys,
but wireshark currently lacks the ability to ingest these values from a
keylog file. Currently it can use derived keys for decryption only for
TLS1.3 connections (see [3]).

I've thrown together a quick and dirty implementation of using derived
keys to decrypt TLS1.2 (see [4]) and verified that it works: with the
keys that I extracted I was able to decrypt successfully the RDP
connection that I made from a windows client.

So, now my question is as follows:

1. Considering the limited use-case for this functionality (using
derived keys to decrypt TLS1.2), does it have a chance of being merged
into upstream?

2. If yes, is there a person familiar with wireshark's tls dissector,
who is willing to advise me on what is the best way to implement these
changes? I'm ready to spend time on reimplementing the patch, but I'll
need someone for guidance and review.


Regards,

George Noseevich.


[1]
https://www.blackhat.com/docs/us-16/materials/us-16-Kambic-Cunning-With-CNG-Soliciting-Secrets-From-SChannel.pdf

[2]
https://osqa-ask.wireshark.org/questions/61698/decrypting-website-accessed-through-internet-explorer


[3] https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12779#c17

[4]
https://github.com/ngo/wireshark/commit/1d86cc67fac2bff5a3ceb392e469b0d443cd9d22
Wireshark logo footer

© Wireshark Foundation · Privacy Policy

Facebook·Mastodon·Twitter·YouTube