Use a NSS Key Log file to decrypt a TLS session (secdev#3374)

* Use a NSS Key Log file to decrypt a TLS session

* Decrypting TLS 1.2 using a known master secret

* Test TLS 1.2 decryption using a NSS Key Log

Author: guedou

doc/notebooks/tls/notebook3_tls_compromised.ipynb

@@ -4,15 +4,17 @@
    "cell_type": "markdown",
    "metadata": {},
    "source": [
-    "# The lack of PFS: a danger to privacy"
+    "# The lack of PFS: a danger to privacy\n",
+    "\n",
+    "With TLS 1.2 and earlier, some cipher suites do not provide Perfect Forward Secrecy. Without this property, an attacker compromising the server private key can easily decrypt TLS traffic.\n",
+    "\n",
+    "In the following example, Scapy is used to decrypt a comunication made without PFS using the ciphersuite `TLS_RSA_WITH_AES_128_CBC_SHA`, giving the server private key stored in `raw_data/pki/srv_key.pem`."
    ]
   },
   {
    "cell_type": "code",
    "execution_count": null,
-   "metadata": {
-    "collapsed": true
-   },
+   "metadata": {},
    "outputs": [],
    "source": [
     "from scapy.all import *\n",
@@ -22,9 +24,7 @@
   {
    "cell_type": "code",
    "execution_count": null,
-   "metadata": {
-    "collapsed": false
-   },
+   "metadata": {},
    "outputs": [],
    "source": [
     "record1_str = open('raw_data/tls_session_compromised/01_cli.raw', 'rb').read()\n",
@@ -36,7 +36,6 @@
    "cell_type": "code",
    "execution_count": null,
    "metadata": {
-    "collapsed": false,
     "scrolled": true
    },
    "outputs": [],
@@ -49,23 +48,19 @@
   {
    "cell_type": "code",
    "execution_count": null,
-   "metadata": {
-    "collapsed": true
-   },
+   "metadata": {},
    "outputs": [],
    "source": [
-    "# Suppose we possess the private key of the server\n",
-    "# Try registering it to the session\n",
-    "#key = PrivKey('raw_data/pki/srv_key.pem')\n",
-    "#record2.tls_session.server_rsa_key = key"
+    "# Supposing that the private key of the server was stolen,\n",
+    "# the traffic can be decoded by registering it to the Scapy TLS session\n",
+    "key = PrivKey('raw_data/pki/srv_key.pem')\n",
+    "record2.tls_session.server_rsa_key = key"
    ]
   },
   {
    "cell_type": "code",
    "execution_count": null,
-   "metadata": {
-    "collapsed": false
-   },
+   "metadata": {},
    "outputs": [],
    "source": [
     "record3_str = open('raw_data/tls_session_compromised/03_cli.raw', 'rb').read()\n",
@@ -76,9 +71,7 @@
   {
    "cell_type": "code",
    "execution_count": null,
-   "metadata": {
-    "collapsed": false
-   },
+   "metadata": {},
    "outputs": [],
    "source": [
     "record4_str = open('raw_data/tls_session_compromised/04_srv.raw', 'rb').read()\n",
@@ -89,34 +82,163 @@
   {
    "cell_type": "code",
    "execution_count": null,
-   "metadata": {
-    "collapsed": false
-   },
+   "metadata": {},
    "outputs": [],
    "source": [
+    "# This is the first TLS Record containing user data. If decryption works,\n",
+    "# you should see the string \"To boldly go where no man has gone before...\" in plaintext.\n",
     "record5_str = open('raw_data/tls_session_compromised/05_cli.raw', 'rb').read()\n",
     "record5 = TLS(record5_str, tls_session=record4.tls_session.mirror())\n",
     "record5.show()"
    ]
+  },
+  {
+   "cell_type": "markdown",
+   "metadata": {},
+   "source": [
+    "# Decrypting TLS Traffic Protected with PFS\n",
+    "\n",
+    "When PFS is in action, the only way to break TLS 1.2 is to possess decryption keys. They can be retrieved by dumping the process memory, or making the TLS library to write then into a [NSS Key Log](https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Key_Log_Format) (as allowed by OpenSSL, Chrome or Firefox).\n",
+    "\n",
+    "The data used in the following examples was retrieved the following commands:\n",
+    "```\n",
+    "cd doc/notebooks/tls/raw_data/\n",
+    "\n",
+    "# Start a TLS 1.12 Server using the s_server\n",
+    "sudo openssl s_server -accept localhost:443 -cert pki/srv_cert.pem -key pki/srv_key.pem -WWW -tls1_2\n",
+    "\n",
+    "# Sniff the network and write packets to a file\n",
+    "sudo tcpdump -i lo -w tls_nss_example.pcap port 443\n",
+    "\n",
+    "# Connect to the server using s_client and retrieve the secrets.txt file\n",
+    "openssl s_client -connect localhost:443 -keylogfile tls_nss_example.keys.txt\n",
+    "```\n",
+    "\n",
+    "## Decrypt a PCAP files\n",
+    "\n",
+    "Scapy can parse NSS Key logs, and use the cryptographic material to decrypt TLS traffic from a pcap file."
+   ]
+  },
+  {
+   "cell_type": "code",
+   "execution_count": null,
+   "metadata": {},
+   "outputs": [],
+   "source": [
+    "load_layer(\"tls\")\n",
+    "\n",
+    "conf.tls_session_enable = True\n",
+    "conf.tls_nss_filename = \"raw_data/tls_nss_example.keys.txt\"\n",
+    "\n",
+    "packets = rdpcap(\"raw_data/tls_nss_example.pcap\")"
+   ]
+  },
+  {
+   "cell_type": "code",
+   "execution_count": null,
+   "metadata": {},
+   "outputs": [],
+   "source": [
+    "# Display the HTTP GET query\n",
+    "packets[11][TLS].show()"
+   ]
+  },
+  {
+   "cell_type": "code",
+   "execution_count": null,
+   "metadata": {},
+   "outputs": [],
+   "source": [
+    "# Display the answer containing the secret\n",
+    "packets[13][TLS].show()"
+   ]
+  },
+  {
+   "cell_type": "markdown",
+   "metadata": {},
+   "source": [
+    "## Decrypt Manually\n",
+    "\n",
+    "Internally, the `conf.tls_session_enable` parameter makes Scapy follows TCP records, such as Client Hello or Server Hello, and updates `tlsSession` objects.\n",
+    "\n",
+    "Scapy inner behavior is illustrated by the following example."
+   ]
+  },
+  {
+   "cell_type": "code",
+   "execution_count": null,
+   "metadata": {},
+   "outputs": [],
+   "source": [
+    "# Read packets from a pcap\n",
+    "load_layer(\"tls\")\n",
+    "\n",
+    "packets = rdpcap(\"raw_data/tls_nss_example.pcap\")\n",
+    "\n",
+    "# Load the keys from a NSS Key Log\n",
+    "nss_keys = load_nss_keys(\"raw_data/tls_nss_example.keys.txt\")"
+   ]
+  },
+  {
+   "cell_type": "code",
+   "execution_count": null,
+   "metadata": {},
+   "outputs": [],
+   "source": [
+    "# Parse the Client Hello message from its raw bytes. This configures a new tlsSession object\n",
+    "client_hello = TLS(raw(packets[3][TLS]))\n",
+    "\n",
+    "# Parse the Server Hello message, using the mirrored client_hello tlsSession object\n",
+    "server_hello = TLS(raw(packets[5][TLS]), tls_session=client_hello.tls_session.mirror())\n",
+    "\n",
+    "# Configure the TLS master secret retrieved from the NSS Key Log\n",
+    "server_hello.tls_session.master_secret = nss_keys[\"CLIENT_RANDOM\"][\"Secret\"]\n",
+    "\n",
+    "# Parse remaining TLS messages\n",
+    "client_finished = TLS(raw(packets[7][TLS]), tls_session=server_hello.tls_session.mirror())\n",
+    "server_finished = TLS(raw(packets[9][TLS]), tls_session=client_finished.tls_session.mirror())"
+   ]
+  },
+  {
+   "cell_type": "code",
+   "execution_count": null,
+   "metadata": {},
+   "outputs": [],
+   "source": [
+    "# Display the HTTP GET query\n",
+    "http_query = TLS(raw(packets[11][TLS]), tls_session=server_finished.tls_session.mirror())\n",
+    "http_query.show()"
+   ]
+  },
+  {
+   "cell_type": "code",
+   "execution_count": null,
+   "metadata": {},
+   "outputs": [],
+   "source": [
+    "# Display the answer containing the secret\n",
+    "http_response = TLS(raw(packets[13][TLS]), tls_session=http_query.tls_session.mirror())\n",
+    "http_response.show()"
+   ]
   }
  ],
  "metadata": {
   "kernelspec": {
-   "display_name": "Python 2",
+   "display_name": "Python 3 (ipykernel)",
    "language": "python",
-   "name": "python2"
+   "name": "python3"
   },
   "language_info": {
    "codemirror_mode": {
     "name": "ipython",
-    "version": 2
+    "version": 3
    },
    "file_extension": ".py",
    "mimetype": "text/x-python",
    "name": "python",
    "nbconvert_exporter": "python",
-   "pygments_lexer": "ipython2",
-   "version": "2.7.13"
+   "pygments_lexer": "ipython3",
+   "version": "3.9.1"
   }
  },
  "nbformat": 4,

doc/notebooks/tls/raw_data/tls_nss_example.keys.txt

@@ -0,0 +1,2 @@
+# SSL/TLS secrets log file, generated by OpenSSL
+CLIENT_RANDOM c43c799f04ad31e397ee4fe14c8819a19bf5951bbc545cada407c6c7589e60ab b599798159244555ddd10d80b5552a37d327fd6e661f3520194c28ef6e8bb0af6e3fb4d4f9945a61e83a41f2345fa27a

doc/notebooks/tls/raw_data/tls_nss_example.pcap

@@ -8,6 +8,7 @@
 TLS session handler.
 """
 
+import binascii
 import socket
 import struct
 
@@ -24,6 +25,53 @@
 from scapy.layers.tls.crypto.hkdf import TLS13_HKDF
 from scapy.layers.tls.crypto.prf import PRF
 
+# Typing imports
+from scapy.compat import Dict
+
+
+def load_nss_keys(filename):
+    # type: (str) -> Dict[str, bytes]
+    """
+    Parses a NSS Keys log and returns unpacked keys in a dictionary.
+    """
+    keys = {}
+    try:
+        fd = open(filename)
+    except FileNotFoundError:
+        warning("Cannot open NSS Key Log: %s", filename)
+        return {}
+    else:
+        with open(filename) as fd:
+            for line in fd:
+                if line.startswith("#"):
+                    continue
+                data = line.strip().split(" ")
+                if len(data) != 3 or data[0] != data[0].upper():
+                    warning("Invalid NSS Key Log Entry: %s", line.strip())
+                    return {}
+
+                try:
+                    client_random = binascii.unhexlify(data[1])
+                except binascii.Error:
+                    warning("Invalid ClientRandom: %s", data[1])
+                    return {}
+
+                try:
+                    secret = binascii.unhexlify(data[2])
+                except binascii.Error:
+                    warning("Invalid Secret: %s", data[2])
+                    return {}
+
+                # Warn that a duplicated entry was detected. The latest one
+                # will be kept in the resulting dictionary.
+                if data[0] in keys:
+                    warning("Duplicated entry for %s !", data[0])
+
+                keys[data[0]] = {"ClientRandom": client_random,
+                                 "Secret": secret}
+        return keys
+
+
 # Note the following import may happen inside connState.__init__()
 # in order to avoid to avoid cyclical dependencies.
 # from scapy.layers.tls.crypto.suites import TLS_NULL_WITH_NULL_NULL
@@ -366,6 +414,10 @@ def __init__(self,
         self.server_rsa_key = None
         # self.server_ecdsa_key = None
 
+        # A dictionary containing keys extracted from a NSS Keys Log using
+        # the load_nss_keys() function.
+        self.nss_keys = None
+
         # Back in the dreadful EXPORT days, US servers were forbidden to use
         # RSA keys longer than 512 bits for RSAkx. When their usual RSA key
         # was longer than this, they had to create a new key and send it via
@@ -546,7 +598,14 @@ def compute_master_secret(self):
             log_runtime.debug("TLS: master secret: %s", repr_hex(ms))
 
     def compute_ms_and_derive_keys(self):
-        self.compute_master_secret()
+        # Load the master secret from an NSS Key dictionary
+        if self.nss_keys and self.nss_keys.get("CLIENT_RANDOM", False) and \
+           self.nss_keys["CLIENT_RANDOM"].get("Secret", False):
+            self.master_secret = self.nss_keys["CLIENT_RANDOM"]["Secret"]
+
+        if not self.master_secret:
+            self.compute_master_secret()
+
         self.prcs.derive_keys(client_random=self.client_random,
                               server_random=self.server_random,
                               master_secret=self.master_secret)
@@ -894,15 +953,25 @@ def __init__(self, _pkt="", post_transform=None, _internal=0,
                 self.tls_session.ipdst = tcp.underlayer.dst
             except AttributeError:
                 pass
+
+            # Load a NSS Key Log file
+            if conf.tls_nss_filename is not None:
+                if conf.tls_nss_keys is None:
+                    conf.tls_nss_keys = load_nss_keys(conf.tls_nss_filename)
+
             if conf.tls_session_enable:
                 if newses:
                     s = conf.tls_sessions.find(self.tls_session)
                     if s:
+                        if conf.tls_nss_keys is not None:
+                            s.nss_keys = conf.tls_nss_keys
                         if s.dport == self.tls_session.dport:
                             self.tls_session = s
                         else:
                             self.tls_session = s.mirror()
                     else:
+                        if conf.tls_nss_keys is not None:
+                            self.tls_session.nss_keys = conf.tls_nss_keys
                         conf.tls_sessions.add(self.tls_session)
             if self.tls_session.connection_end == "server":
                 srk = conf.tls_sessions.server_rsa_key
@@ -1110,3 +1179,7 @@ def toPacketList(self):
 conf.tls_sessions = _tls_sessions()
 conf.tls_session_enable = False
 conf.tls_verbose = False
+# Filename containing NSS Keys Log
+conf.tls_nss_filename = None
+# Dictionary containing parsed NSS Keys
+conf.tls_nss_keys = None

scapy/layers/tls/session.py

@@ -1565,3 +1565,16 @@ assert [type(x) for x in pkt.msg] == [TLSServerHello, TLSCertificate, TLSCertifi
 # see test/tls/tests_tls_netaccess.uts
 
 
+###############################################################################
+####################### Decrypt packets from a pcap ##########################
+###############################################################################
+
+bck_conf = conf
+conf.tls_session_enable = True
+conf.tls_nss_filename = scapy_path("doc/notebooks/tls/raw_data/tls_nss_example.keys.txt")
+
+packets = rdpcap(scapy_path("doc/notebooks/tls/raw_data/tls_nss_example.pcap"))
+assert b"GET /secret.txt HTTP/1.0\n" in packets[11].msg[0].data
+assert b"z2|gxarIKOxt,G1d>.Q2MzGY[k@" in packets[13].msg[0].data
+
+conf = bck_conf