Capturing QUIC Keys #41

Open
SinghSek opened this issue Jan 23, 2025 · 2 comments

Comments

@SinghSek

Hello! I posted a similar question on my previous issue, but have not been able to figure it out and was advised to make a separate post. I have successfully captured TLS keys using FriTap, but my ultimate goal is to decrypt QUIC packets. In wireshark, under QUIC Protocols, I noticed one of the fields is QUIC Ports, and was wondering if there is a way to capture what ports are used when running the FriTap Command.

Additionally, I've read that QUIC may have its own keys on top of TLS, and would like to ask if anyone has had luck decrypting QUIC (maybe capturing the QUIC keys) using this tool.

Any advice is greatly appreciated!

@SinghSek (Author)

For more context, I am trying to capture packets from the Android Messages app to analyze RCS packets, which from what I can tell using a Pixel 9 device, use either UDP or QUIC.

@monkeywave (Collaborator)

Hi @SinghSek

thank you for your detailed question and for providing additional context—it’s much appreciated :-)

QUIC and TLS Keys

QUIC derives its encryption keys from the secrets negotiated during the TLS 1.3 handshake. These derived keys are used to secure QUIC traffic (cf. Using Transport Layer Security (TLS) to Secure QUIC). The good news is that Wireshark doesn’t require the derived QUIC keys directly—it can compute them using the TLS secrets (e.g., keys.log) captured by friTap. See Wireshark source file.

However, there are some considerations:

  1. QUIC Ports:

    • Wireshark uses the QUIC port information to associate decrypted packets with the correct streams.
    • friTap doesn’t explicitly log the ports in use, but you can identify the ports by analyzing the packet capture (e.g., log.pcap) generated by friTap. Filter for UDP traffic in Wireshark to see the source and destination ports being used.
  2. Decrypting QUIC:

    • Ensure that Wireshark is configured correctly:
      • Set the SSLKEYLOGFILE environment variable to point to the keys.log file generated by friTap.
    • Once the correct TLS secrets are applied, Wireshark should be able to decrypt the QUIC packets as long as the packets and keys match.

In recent versions of friTap, including 1.2.8.5, we’ve introduced some minor improvements that might help with your use case. There was also a bug in previous versions that could have affected key extraction in certain scenarios. I recommend updating to the latest version and trying again. You can update friTap using:

pip install friTap --upgrade

RCS Packets and friTap

Since you’re analyzing RCS packets from the Android Messages app on a Pixel 9 device:

  • Protocol Insight: RCS typically uses QUIC or UDP for communication, as you noted. Capturing and decrypting QUIC packets with friTap should work as long as the keys are correctly extracted and applied.
  • If friTap does not detect and log the necessary keys, this could indicate that additional hooks are required for specific libraries or functions used by the Messages app. In that case I would suggest running BoringSecretHunter against all modules being loaded.

All the best

Daniel
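The two technical points in the reply above (Wireshark needs only the TLS 1.3 secrets from keys.log, and QUIC derives its packet-protection keys from those secrets) can be checked offline. The script below is an added example and is not part of friTap, BoringSecretHunter or Wireshark: it parses an NSS-format key log such as the one friTap writes, reports which TLS sessions carry the four secrets Wireshark's QUIC dissector needs for handshake and 1-RTT decryption, and implements the HKDF-Expand-Label derivation of the QUIC "key", "iv" and "hp" values from a secret (RFC 9001 section 5), verified against the RFC 9001 Appendix A.1 Initial-packet vectors. The keys.log content is a constructed sample with placeholder values; the key length of 16 bytes and SHA-256 correspond to TLS_AES_128_GCM_SHA256 and are an assumption here, since the key log does not record the cipher suite (Wireshark takes it from the captured handshake).

```python
"""Check a keys.log for the TLS 1.3 secrets Wireshark needs to decrypt QUIC and
show how QUIC packet-protection keys are derived from a TLS secret (RFC 9001).
Added example; not friTap or Wireshark code."""
import hmac
import struct
from collections import defaultdict

# NSS key-log labels a TLS 1.3 session must provide before Wireshark's QUIC
# dissector can decrypt Handshake and 1-RTT packets (0-RTT additionally needs
# CLIENT_EARLY_TRAFFIC_SECRET, which is not checked here).
REQUIRED_LABELS = {
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0",
}

# Constructed sample of a keys.log (placeholder hex, not real secrets):
# session aa11 is complete, session bb22 stopped after the handshake secrets.
SAMPLE_KEYLOG = """\
# keys.log (constructed sample)
CLIENT_HANDSHAKE_TRAFFIC_SECRET aa11 0101
SERVER_HANDSHAKE_TRAFFIC_SECRET aa11 0202
CLIENT_TRAFFIC_SECRET_0 aa11 0303
SERVER_TRAFFIC_SECRET_0 aa11 0404
EXPORTER_SECRET aa11 0505
CLIENT_HANDSHAKE_TRAFFIC_SECRET bb22 0606
SERVER_HANDSHAKE_TRAFFIC_SECRET bb22 0707
this line is malformed and must be skipped
"""


def parse_keylog(text):
    """Group key-log lines by client_random -> {label: secret_hex}.
    Comment lines and lines without exactly three fields are skipped."""
    sessions = defaultdict(dict)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            continue
        label, client_random, secret = parts
        sessions[client_random][label] = secret
    return dict(sessions)


def quic_ready_sessions(sessions):
    """Return {client_random: set of missing labels}; an empty set means
    Wireshark has everything it needs for that session's 1-RTT packets."""
    return {cr: REQUIRED_LABELS - set(labels) for cr, labels in sessions.items()}


def hkdf_extract(salt, ikm, hash_name="sha256"):
    return hmac.new(salt, ikm, hash_name).digest()


def hkdf_expand(prk, info, length, hash_name="sha256"):
    """RFC 5869 HKDF-Expand: T(i) = HMAC(PRK, T(i-1) | info | i)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        out += block
        counter += 1
    return out[:length]


def hkdf_expand_label(secret, label, context, length, hash_name="sha256"):
    """TLS 1.3 HKDF-Expand-Label (RFC 8446 s7.1), reused by QUIC (RFC 9001 s5.1).
    HkdfLabel = uint16 length | opaque "tls13 " + label | opaque context."""
    full_label = b"tls13 " + label
    hkdf_label = (struct.pack(">H", length)
                  + bytes([len(full_label)]) + full_label
                  + bytes([len(context)]) + context)
    return hkdf_expand(secret, hkdf_label, length, hash_name)


def quic_packet_protection_keys(secret, key_len=16, hash_name="sha256"):
    """AEAD key, IV and header-protection key for one direction (RFC 9001 s5.1).
    key_len=16 and SHA-256 assume TLS_AES_128_GCM_SHA256."""
    return {
        "key": hkdf_expand_label(secret, b"quic key", b"", key_len, hash_name),
        "iv": hkdf_expand_label(secret, b"quic iv", b"", 12, hash_name),
        "hp": hkdf_expand_label(secret, b"quic hp", b"", key_len, hash_name),
    }


# QUIC v1 Initial salt (RFC 9001 s5.2); Initial keys need no TLS secret at all.
INITIAL_SALT_V1 = bytes.fromhex("38762cf7f55934b34d179ae6a4c80cadccbb7f0a")


def quic_initial_secrets(dcid):
    """Client and server Initial secrets derived from the Destination CID."""
    initial_secret = hkdf_extract(INITIAL_SALT_V1, dcid)
    return {
        "client": hkdf_expand_label(initial_secret, b"client in", b"", 32),
        "server": hkdf_expand_label(initial_secret, b"server in", b"", 32),
    }


if __name__ == "__main__":
    for cr, missing in quic_ready_sessions(parse_keylog(SAMPLE_KEYLOG)).items():
        print(cr, "ready" if not missing else "missing " + ", ".join(sorted(missing)))
    # RFC 9001 Appendix A.1: client Initial keys for DCID 8394c8f03e515708
    client = quic_initial_secrets(bytes.fromhex("8394c8f03e515708"))["client"]
    for name, value in quic_packet_protection_keys(client).items():
        print(name, value.hex())
```

To apply the same check to a real capture, run the script against the keys.log friTap produced and then let Wireshark do the derivation itself: `tshark -r log.pcap -o tls.keylog_file:keys.log -Y quic` decodes what it can, while `tshark -r log.pcap -Y udp -T fields -e udp.srcport -e udp.dstport` lists the UDP ports to enter under the QUIC Ports preference if the traffic is not auto-detected. A session that the script reports as missing its `*_TRAFFIC_SECRET_0` lines will decrypt only up to the handshake, which is the symptom the reply attributes to missing hooks.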
