| HN Mirror

Y	Hacker News new \| ask \| show \| jobs

by gnomewascool 1060 days ago

> with keys that are in memory on the same system

I'm not sure that actually holds — the encryption keys are in memory, but the decryption keys don't necessarily have to be.

The pre-encrypted payloads definitely are in memory at some point; however snatching them probably involves larger-scale reverse-engineering.

1 comments

heinrich5991 1060 days ago

If they're using standard TLS, the actual data encryption is symmetric, so the encryption keys are the decryption keys and must be in memory during the encryption process.

link

jborean93 1060 days ago

If it is TLS you can get the keys used in the session from lsass’ memory. I’ve even written a tool to do so in PowerShell https://gist.github.com/jborean93/6c1f1b3130f2675f1618da5663.... This will generate a log file that contains the keys needed for Wireshark to decrypt TLS traffic.

link

pieter_mj 1060 days ago

My claim is it's not standard TLS or there's an additional layer (external encryption key) because an actual decryption of telemetry traffic has never been demonstrated.

link