Cunning With CNG: Soliciting Secrets From Schannel

by Jake Kambic
Sept. 15, 2017 1 comment belen_caty Encryption & Authentication cng

This talk looks at how Schannel leverages Microsoft's CryptoAPI-NG (CNG) to cache the master keys, session keys, private and ephemeral keys, and session tickets used in TLS/SSL connections. It discusses the underlying data structures, and how to extract both the keys and other useful information that provides forensic context about connection. This information is then leveraged to decrypt a session that uses ephemeral key exchanges. Information in the cache lives for at least 10 hours by default on modern configurations, storing up to 20,000 entries for client and server each. This makes it forensically relevant in cases where other evidence of the connection may have dissipated.

Steven Ulm 5 months, 4 weeks ago

Technical but very specific. I am glad you uploaded your BlackHat presentation here! :)