Class Central is learner-supported. When you buy through links on our site, we may earn an affiliate commission.

YouTube

Cunning With CNG - Soliciting Secrets From Schannel

Black Hat via YouTube

Overview

Explore the inner workings of Microsoft's Secure Channel (Schannel) SSL/TLS library in this 47-minute Black Hat conference talk. Delve into how Schannel utilizes CryptoAPI-NG (CNG) to cache various keys and session tickets for TLS/SSL connections. Examine the underlying data structures and learn techniques to extract keys and forensically relevant information about connections. Discover how to decrypt sessions using ephemeral key exchanges and understand the cache's longevity and capacity. Gain insights into Schannel's preferred cipher suites, key isolation mechanisms, and the role of the Norypt SSL Provider. Explore the decryption of persistent keys using DPAPI and session tickets, while also considering the inherent metadata TLS provides and the limitations of Schannel caching.

Syllabus

Intro
Black Hat Sound Bytes
Disclaimer
The infamous TLS Handshake
Perfect Forward Secrecy
Schannel & CNG
Schannel Prefered Cipher Suites
Microsoft's TLS/SSL Docs
Schannel Ops
CNG Key Isolation
Background Summary
What are we trying to accomplish?
The keys? What do they get us?
Session Keys
The Norypt SSL Provider (ncryptsslp.dll)
Pre-Master Secret (PMS)
Master Secret Mapped to Unique Identifier
Ephemeral & Persistent Private keys
9 Ephemeral Private Key
1 Persistent Private key
7 Decrypting Persistent Key - DPAPI
Session Ticket key
Decrypting Session Tickets
Inherent Metadata TLS Provides
Schannel Caching Parameters
This is your Schannel Cache (x64)
Limitations

Taught by

Black Hat

Reviews

Start your review of Cunning With CNG - Soliciting Secrets From Schannel

Never Stop Learning.

Get personalized course recommendations, track subjects and courses with reminders, and more.

Someone learning on their laptop while sitting on the floor.