ephemeral key extraction

Jason A. Donenfeld Jason at zx2c4.com
Wed Feb 28 21:11:41 CET 2018


Hi list,

WireGuard does not provide a userspace interface for getting transport
data session keys, or ephemeral handshake keys. This is by design. No
backdoors!

However, Peter (CC'd) wants to write a Wireshark dissector, so we've
made a little kprobe-based utility to extract just the minimal amount
of cryptographic information from the kernel upon a certain event, and
then this information can be combined with information gathered over
the wire from packets in order to derive every secret used by the
system and decrypt all packets.

We first determine struct offsets using offset-finder [1]. This
exploit-trick is first compiled using the kernel toolchain, and then
compiled again using the normal toolchain, and then the two object
files are linked together [2] and the result prints the struct
offsets. Fortunately these will be stable offsets because they're not
dependent on kernel config values or weird types. Next we install
kprobes on one particular function using extract-handshakes.sh [3],
which then starts dumping output from that probe and writing it to
standard out in base64 format.

>From quick tests, this all is quite reliable.

For a few days, I'll run a simple netcat server on demo.wireguard.com.
Try typing `nc demo.wireguard.com 58812` and then connecting to the
demo box like usual. Basically, it's every cryptographer's girlfriend
Eve's wildest fantasy. All of the key compromises all of the time!

Code lives here:
https://git.zx2c4.com/WireGuard/tree/contrib/examples/extract-handshakes

Enjoy!
Jason


[1] https://git.zx2c4.com/WireGuard/tree/contrib/examples/extract-handshakes/offset-finder.c
[2] https://git.zx2c4.com/WireGuard/tree/contrib/examples/extract-handshakes/Makefile
[3] https://git.zx2c4.com/WireGuard/tree/contrib/examples/extract-handshakes/extract-handshakes.sh


More information about the WireGuard mailing list