Extraction of TLS Master Secret Key in Windows

Hyoseok Lee Hyoung-kee Choi

College of Software College of Software
Sungkyunkwan University Sungkyunkwan University
Suwon, Republic of Korea Suwon, Republic of Korea
hslee@hit.skku.edu meosery@skku.edu

Abstract— Most programs related to security communicate with file as the file our tool creates when we set the environment
servers through encrypted channels, and sensitive data that are variable in Windows OS. We can then analyze the decrypted
transmitted should be encrypted using a suitable protocol. protocol by giving the key log file to Wireshark. Our tool can
Transport Layer Security (TLS) is a protocol that encrypts data decrypt every TLS client process in Windows OS, and it could
by exchanging key materials in a secure way. Protocol analyzers be a useful tool in network protocol analysis to reduce
in turn decrypt packets to see the raw protocols in plain text. unnecessary overhead.
Decryption is not a minor job, and most programs will not provide
users with decrypted data. Section II provides the background information to
understand the TLS Key Extractor. Section III describes how we
Here, we create a tool that can extract TLS session key information extract the key information from specific process. Section IV
in order to decrypt TLS packets. It extracts data by hooking TLS describes the strength against other tools. Section V concludes
functions in Windows DLL files. DLL injection is then used for the paper.
API hooking, and extracted data is used as input in a network
protocol analyzer, such as Wireshark. Our tools can be considered II. BACKGROUND
a Swiss army knife for the analysis of protocols that are encrypted
in a TLS session. A. TLS Handshake for generating key
When creating a TLS session, both the client and server
Keywords— TLS, Decryption, API hook, DLL injection exchange encryption keys without a leak of the key information.
TLS defines the handshake protocol to exchange the key
I. INTRODUCTION information in a secure way [1]. Fig. 1 depicts the generation of
It is not difficult to create a secure channel for data the session key in the TLS handshake. A client sends the
communication ever since the Transport Layer Security (TLS) Client_Hello packet that contains Client_Random. The Server
protocol was developed. Software developers can easily also sends a Server_Hello packet that contains Server_Random
implement TLS sessions by importing open source libraries, and the server’s certificate (server’s public key). These random
such as OpenSSL and CommonCrypto. As privacy issues come numbers are generated by client and server processes, and it
to the fore, data transmission with TLS has become very literally contains random bytes. After exchanging the first two
common in software development. TLS is a very secure and is packets, the Client process generates another random number
easy to use during software development. However, it can be a called the pre-master secret. The TLS session key is generated
vexing obstacle when analyzing the network protocol. with Client_Hello, Server_Hello and Pre-Master_Secret (PMS).
Unless the client sends PMS to the server, the server is not able
In other words, TLS is just a form of encryption to be to generate the TLS session key, which is also known as
overcome in the analysis of a network protocol, so the very first Master_Secret (MS). During the TLS handshake procedure,
task in network protocol analysis is to decrypt the TLS Session. every packet is sent in plain text. If the client process sends a
Unfortunately, TLS session decryption is not trivial. Despite the PMS in plain text, the Master Secret could be disclosed to an
fact that the program using the TLS channel has keys to decrypt attacker who eavesdrops the packets. To prevent session key
the TLS session, most program developers do not provide users disclosure, the client encrypts the PMS with the server’s public
with the TLS decryption keys. Several tools can decrypt TLS key from the server’s certificate. The client and server can then
sessions, but these existing tools cannot be used for decryption exchange their Master Secret securely since the server is the only
in a specific environment, the outputs for protocol analysis is not one that can decrypt the encrypted PMS data properly. Our tool
user friendly. will extract Client_Random and Master Secret from the client
For example, a tool creates a text file that contains decrypted process to decrypt the TLS session.
data, and this data cannot be analyzed using a protocol analysis B. Dynamic-Link Library(DLL)
tool such as Wireshark, Message analyzer. For this reason, we
implement the “TLS Key Extractor”. It extracts key bytes from In Windows OS, common libraries are shared by many
a specific process in the Windows OS by using a hooking-related programs for memory efficiency. Microsoft implements a shared
function. It generates a TLS session key log file for decrypting.
Since many researchers are already aware that Google Chrome
supports decryption functions for https, it creates the same log

978-1-5090-1325-8/16/$31.00 ©2016 IEEE 667 ICTC 2016

 Fig. 1. Procedure of generating Master Secret in TLS Handshake process

library with Dynamic-Link Library (DLL) files. DLL files also

contain executable code and frequently used functions. The Fig. 2. How to inject DLL file into remote process
main feature of a DLL files is to provide programs with
implemented functions. For example, programmers do not need LoadLibrary() and executing DLLMain(), which is implemented
to implement a pop-up messagebox. Instead, a programmer just in the injected DLL. For the second phases, as DLLMain() is
imports windows.h and calls a pre-implemented MessageBox() executed, the API hook is set to the target API. The Key
function from User32.dll. Providing DLL files to programmers Extractor could log the TLS session key information to then
results in a convenient development environment. decrypt data.
This is also useful for the operating system. The Windows III. IMPLEMENTATION
system is able to control programs in its policy. Most
programmers are likely to use pre-implemented System DLL Before we present the structure of the TLS Key Extractor,
files such as User32.dll and Schannel.dll that are provided by we clarify the goal of this paper. We should extract the proper
Microsoft. Since Microsoft only could modify these DLL files, Master Secret data for various environments to provide a
programs developed with the system DLL files will behave network protocol analyzer with a convenient decryption solution
following Microsoft’s policies. DLL files have another feature for TLS sessions. We will define the methods that are regarded
in that they can be loaded or unloaded during runtime. This as typical to decrypt the TLS sessions and the environments that
results in the system making more efficient use of memory the network protocol analyzer is likely to encounter. Depending
resources since programs can load DLL files when needed. Also, on the environment, some methods can decrypt the TLS session
unnecessary DLL files can be unloaded for memory efficiency. and others cannot decrypt TLS. As a result, we decided we
Our tool takes advantage of these two features of DLL files. would extract key data to ensure reliable TLS decryption. We
present the function that generates the TLS key materials and the
C. API Hooking process that generates the key materials in Windows OS.
API Hooking refers to a technique used to intercept or A. Defined methods and Environments
manipulate data between the function caller and the function
callee. If the API hook is set to function foo, we can execute In general, there are three methods that can be used to
some code before executing function foo or after executing decrypt TLS sessions. First, a web proxy, such as Fiddler,
function foo. There are several ways to accomplish API hooking, provides a TLS decrypt function only for https by using a Man-
and our tool adopts DLL injection. A process in the Windows in-the-Middle attack. It could be useful only when the protocol
system is able to load the DLL file into memory space during analyzer is conducting an experiment on https. Since it only
runtime. When a new DLL file is loaded into the process focuses on the specific situation, it is not reliable when
memory, DLLMain() which is implemented in the DLL, is decrypting a TLS session. The second and third methods use the
executed first. While DLLMain() is executed, some code is decrypt function in Wireshark. The difference between the
modified to take control of the execution flow in the target second and third methods is that data is extracted for decrypting.
functions. However, we need to make the target process load the The second method feeds the private key of the server’s
DLL we have made for API hooking. certificate to Wireshark. The server’s private key only exists in
the server machine, and in this, we should be able to take control
We adopt the method introduced in “Windows via C/C++” of the server machine. The last method is to provide the
by Jeffrey Richter [2]. A process can create a remote thread into Client_Random and Master Secret. To obtain Client_Random
another process by calling CreateRemoteThread(). Through the and Master Secret, we should be able to take control of either the
remote thread generated by CreateRemoteThread(), we can client machine or the server machine.
inject the DLL into the other process. In conclusion, the DLL
injection for API hooking needs two phases. Fig. 2 present the This can provide a more flexible way to decrypt the TLS
whole view of the API hooking process. In the first phase, the session. In summary, some methods are available and some
Key Extractor creates a remote thread into the target process by method are not, depending on the environment. If the protocol
calling CreateRemoteThread(). The remote thread that is analyzer is able to gain control of both the client machine and
generated loads the DLL into the target Process by calling

668
 Fig. 4. Instructions at the start address of SPNcryptDeriveKey()
Fig. 3. Procedure of generating TLS credentials in Windows OS
going to destination port 443, which is regarded as the
the server machine, all three methods would be available for well-known TLS port in the pcap file format. The
TLS decryption. If the protocol analyzer is able to gain control captured packets are not decrypted yet.
of only the client machine, such as when analyzing a cloud
 Injecting DLL file into lsass.exe: Our tool creates a
service, it would be impossible to feed the private key of the
remote thread by calling the CreateRemoteThread()
server’s certificate. Regardless of the environment, extracting
function. It needs administrative permission due to the
Client_Random and Master Secret from the client process is
fact that lsass.exe is a system process in Windows OS.
possible. Since we do not consider the environment that the
Once the remote thread is created at lsass.exe, the thread
analyzer loses control of both the server and client machine,
loads the DLL that we have made for the API hook with
extracting Client_Random and Master Secret is the most reliable
LoadLibrary(). When the DLL is loaded, the DLLMain()
method to decrypt the TLS session.
function is executed. Setting the API hook is
B. TLS in Windows OS implemented in DLLMain(), and it uses the technique
We decide to elicit Client_Random and Master_Secret to called hot fix. Microsoft implements their system DLL
develop a reliable decryption solution for TLS. To obtain files with an API hook in mind. In x86 systems, most of
Client_Random and Master Secret from the client process, we the functions in the system DLL files start with
should know how these data are generated. We conduct research meaningless instructions that are seven bytes long. Fig.
on DLL files related to the TLS Session to unveil the TLS 4 is the starting point of SPNcryptDeriveKey(). Calling
system in Windows OS. Microsoft implements its own version the address of SPNcryptDeriveKey() points to the “mov
of the TLS protocol with schannel.dll and ncrypt.dll. We can see edi, edi” instructions that are just two meaningless bytes.
the names of the implemented functions in the DLL files by This is the space for a short jump instruction that goes
using the Debugging tools. The NcryptDeriveKey() function in to the first NOP. Five NOPs are five bytes long and are
ncrypt.dll takes the Master Secret as an argument to generate a for the far jump instruction. The far jump instruction is
derivation key that is used for the actual data encryption. able to jump to any address in user space. That is, it can
NcryptDeriveKey() is the point for the API hook. The client jump to the injected DLL file for the API hook. In
process, such as Internet Explorer, Powershell for Azure has summary, functions start with meaningless instructions
both schannel.dll and ncrypt.dll. The client process is expected as the space for the short jump and far jump instructions.
to generate the Master Secret and the derivation key with We could set the API hook by changing the “mov edi,
NcryptDeriveKey(). However, this is not true. In Windows OS, edi” instructions into the short jump instruction that
the lsass.exe process takes charge of security matters. While the jumps to the first NOP and changing five NOPs into the
TLS handshake is in process, the TLS client process requests far jump instruction that jumps to the function in the
each data related to generating Master Secrets to lsass.exe, and injected DLL. This procedure is implemented in the
then info is relayed to the TLS server process. Fig. 3 shows the DLLMain() function of the Injected DLL, and it is
procedure used to generate the Master Secret in view of the TLS executed by loading the injected DLL.
client machine. The target process for DLL injection should be  DLL file for API hook: The DLL file is created for
lsass.exe instead of the TLS client process. hooking NcryptDeriveKey() to extract Master Secret
C. The Structure of TLS Key Extractor and SslGenerateMasterKey() to extract Client_Random.
DLLMain() is composed of instructions for setting the
Our tool is composed of three part for ease of use: capturing API hook instructions depicted in Fig. 5. As we
packets in the pcap file, injecting the DLL file, DLL file itself concluded the hook point in Section III,
for the API hook. NcryptDeriveKey() is the hook point for extracting
 Capturing packets in the pcap file: Once the TLS Key Master_Secret. However, NcryptDeriveKey() does not
Extractor is activated by user, it will capture packets support the Hot fix. It starts without the meaningless 7

669
 a time-consuming job. Fortunately, the Windows OS provides
users with a debugging interface that Windbg can attach to the
system processes [3]. Windbg is the debugger that Microsoft
implements to debug in Windows OS using kernel debugging.
We can verify any memory value and registers through kernel
debugging, and this reduces the analysis time for DLL files.
IV. CONTRIBUTIONS
Since program developers do not provide users with
functions to decrypt TLS sessions, decrypting TLS is a not trivial
job for protocol researchers. Our tool supports researchers in
decrypting TLS sessions via user-friendly output. We mainly
target processes that use DLL files, such as schannel.dll and
ncrypt.dll in Windows OS (32bit). Our tool extracts
Client_Random and Master_Secret from lsass.exe, not from the
target process. It can be used as a TLS decryption tool for
Fig. 5. Instructions at the start address of SPNcryptDeriveKey after API network protocol researchers in Windows OS. The main
hook is set contributions of this study are the following.
A. User-Friendly output
bytes-long instruction for the jump instructions.
NcryptDeriveKey() calls the SPNcryptDeriveKey() A decrypting tool called Netripper was presented at
function that actually derives the encryption keys from DEFCON 23 in 2015 [4]. It is very similar to our tool in terms
Master Secret. NcryptDeriveKey() in ncrypt.dll is the of the DLL Injection for the API hook. Netripper sets the API
wrapper function of SPNcryptDeriveKey(). hook into SslDecryptPacket() in the client process because it
NcryptDeriveKey() delivers the Master_Secret as fifth concentrates on decrypting data. The authors of Netripper state
argument of SPNcryptDeriveKey(), and it starts with a that it is a tool for post-exploitation. When an attacker
meaningless instruction for the hot fix. sucessfully exploits the target, Netripper allows the attacker to
SPNcryptDeriveKey() is the actual hooking point to be able to see the decrypted data in the target machine. Due to
obtain the Master_Secret. The DLLMain() function sets decrypted data being provided in the text file, it cannot be
the API hook in SPNcryptDeriveKey(). When the analyzed using Wireshark. However, our tool provides a more
SPNcryptDeriveKey() is called, the control flow goes to user-friendly output for protocol analysis. Since we utilize the
the injected DLL function before SPNcryptDeriveKey(). decrypt function of Wireshark by providing Master_Secret and
The injected DLL function creates a file to save the Client_Random, users are able to obtain the decrypted pcap file
Master Secrets and write the content of the fifth for the protocol analysis. In addition, it extracts the Master key
argument of SPNcryptDeriveKey() as the Master secret. and Client_Random from lsass.exe which is a system process in
Windows OS. Extracting the key is the best scenario for the
The instructions in the injected DLL file control the network analyzer, and it can be used not only to decrypt data but
execution flow on SPNcryptDeriveKey() after the API hook is also to encrypt data for various types of research with protocol
set by injecting the DLL into lsass.exe. Since reading a buffer analysis.
and logging into file are added into the normal flow, it would not
affect the functional behavior of NcryptDeriveKey(). Once B. Scalability & Simpleness
SPNcryptDeriveKey() is called in NcryptDeriveKey(), the Since security credentials are generated by lsass.exe, every
control flow goes to the starting point of the TLS client in Windows OS interacts with lsass.exe. Our tool
SPNcryptDeriveKey() function. Originally, the first instruction injects DLL into lsass.exe, which is a system process in
was “mov edi, edi”, but it is changed into the short jump Windows OS, and we could obtain Master_Secret and
instruction that jumps to five NOPs. The destination for the short Client_Random for all TLS clients. It can also extract
jump is also changed into the far jump instruction that jumps to Master_Secret simultaneously with a single DLL injection, even
the function in the injected DLL. Control flow goes to the though many TLS clients are activated at the same time. It also
Injected DLL before SPNcryptDeriveKey() is executed. After has a simple structure to understand the system. Injecting or
the injected DLL logs the Master Secret to a file, it calls ejecting the DLL is a normal operation that happens in runtime.
SPNcryptDeriveKey()+2 as the “push ebp” instruction and We do not need to implement an additional method to reduce the
finishes the rest of code. If it calls SPNcryptDeriveKey() without injecting delay. Injecting DLLs does not take long time or
plus two, control flow goes to the injected DLL again and again. require much in terms of resources, so it does not affect any
We need to conduct a dynamic analysis, such as debugging, processes in the system. This is the reason why our tool is a
to select the hooking function and fix the bugs existing in our reliable decrypting solution for TLS.
tool. Since lsass.exe is a system process, it is impossible to attach C. Lsass.exe
the process to a general debugger in user space. If we attach the
At the beginning of this study, we expected for TLS
system process to the debugger, the system is stopped entirely.
credentials to be created in each TLS process. We tried to trigger
The only way to repair the system is to restart the system.
the breakpoint at various functions related to the generation of
Analyzing the DLL files for API hooking without debugging is
TLS credentials in the client process. However, we could not

670
trigger the breakpoints because lsass.exe generates the security ACKNOWLEDGEMENT
credentials for TLS session. The fact that lsass.exe creates This research was supported by Next-Generation
security credentials can be useful to investigate the Windows Information Computing Development Program through the
system. It executes a security policy in Windows OS as well as National Research Foundation of Korea(NRF) funded by the
generates security credentials. Lsass.exe can be a decisive Ministry of Science, ICT & Future Planning (No. NRF-
process for researchers who analyze the security of Windows 2014M3C4A7030648)
systems.
REFERENCES
V. CONCLUSION
We present a decryption tool for a TLS session in Windows [1] W. Stalling , “Cryptography and network security”,fifth edition, pp. 513–
OS (32bit). We show that lsass.exe generates TLS security 530
credentials, such as Client_Random and Master_Secret. We [2] J. Richter and C. Nasarre, “Windows via C/C++”,fifth edition, pp. 605–
demonstrate how to extract information to decrypt TLS sessions. 639
We use the API hook to extract data from lsass.exe. We conclude [3] A. Borges, “Configuring kernel debugging on Windows 7 with VMWare
that extracting Client_Random and Master_Secret from virtual machine”, versoin A, 2014
lsass.exe is the most efficient way by comparing various [4] I. Popescu, “NetRipper”, DEFCON 23, 2014
environments that the protocol analyzer is likely to encounter.

671