How would you know a certificate/private key if you extracted it from RAM? Or would you?
Yes. Most private keys have an easily identifiable format.
If it's, say, an RSA private key generated with openssl, it has a specific format, e.g., it will always start with the same three bytes depending on key size:
30 82 01 (for 768 bit key or MIIB in base64)
30 82 02 (for 1024 bit key or MIIC in base64),
30 82 04 (for 2048 bit key or MIIE in base64),
30 82 09 (for 4096 bit key or MIIJ in base64).
There are some other types of formats that the private key can be stored in as well.
You can test this yourself with openssl using the command `openssl genrsa 1024` (1024 means a 1024 bit key) to see the key in its base64 representation.
For more documentation on the format see this StackOverflow answer: Where can I find some documentation on the format of an RSA public key?
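As an added example (not part of either answer, and not code from the openssl or Volatility projects), the script below reproduces why those three leading bytes are what they are, and shows the kind of scan the key-finder tools in the other answer perform. It builds a PKCS#1 RSAPrivateKey DER structure whose nine integers have the widths a real key of the given size would have (constructed random integers, not a usable key), checks the `30 82 xx` prefix and its base64 form, and then searches a constructed byte buffer standing in for a memory dump. The names `fake_rsa_private_key_der`, `find_rsa_private_keys`, `pem_prefix` and `demo` are this example's own.

```python
import base64
import random


def der_len(n: int) -> bytes:
    """DER length: one byte below 128, otherwise 0x80|count followed by the big-endian length."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_int(value: int) -> bytes:
    """DER INTEGER. A leading 0x00 keeps a high-bit value positive, which is why a
    1024-bit modulus occupies 129 content bytes and needs a long-form (0x81) length."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + der_len(len(body)) + body


def fake_rsa_private_key_der(bits: int, seed: int = 1) -> bytes:
    """Constructed stand-in for a PKCS#1 RSAPrivateKey (the 'BEGIN RSA PRIVATE KEY' body).
    The integers are random and unrelated, so this is NOT a key; it only reproduces the
    encoding: SEQUENCE { version 0, n, e, d, p, q, d mod (p-1), d mod (q-1), q^-1 mod p }."""
    rng = random.Random(seed)

    def full(b: int) -> int:          # random integer of exactly b bits (high bit set)
        return rng.getrandbits(b) | (1 << (b - 1))

    fields = [0, full(bits), 65537, full(bits)] + [full(bits // 2) for _ in range(5)]
    body = b"".join(der_int(f) for f in fields)
    # Total content is a few hundred to a few thousand bytes, so the outer SEQUENCE
    # always uses a two-byte length: 30 82 hh ll. The high byte hh is what the answer lists.
    return b"\x30" + der_len(len(body)) + body


def pem_prefix(der: bytes) -> str:
    """First four base64 characters of the PEM body = encoding of the first three DER bytes."""
    return base64.b64encode(der[:3]).decode()


def _read_len(buf: bytes, pos: int):
    """Decode a DER length at buf[pos]; returns (length, index of first content byte)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    nbytes = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + nbytes], "big"), pos + 1 + nbytes


def find_rsa_private_keys(buf: bytes):
    """Scan a buffer for PKCS#1 RSAPrivateKey structures: 30 82 hh ll, then INTEGER
    version 0 (02 01 00), then a modulus INTEGER of at least 64 bytes that fits inside
    the outer SEQUENCE. Returns (offset, modulus_bits, der_bytes) for each candidate.
    Public keys and PKCS#8 wrappers also start with 30 82 but fail the field checks."""
    hits = []
    i = buf.find(b"\x30\x82")
    while i != -1:
        try:
            total, pos = _read_len(buf, i + 1)
            end = pos + total
            if end <= len(buf) and buf[pos:pos + 3] == b"\x02\x01\x00" and buf[pos + 3] == 0x02:
                mod_len, mod_pos = _read_len(buf, pos + 4)
                if mod_len >= 64 and mod_pos + mod_len <= end:
                    modulus = int.from_bytes(buf[mod_pos:mod_pos + mod_len], "big")
                    hits.append((i, modulus.bit_length(), buf[i:end]))
        except IndexError:
            pass                      # candidate header ran off the end of the buffer
        i = buf.find(b"\x30\x82", i + 1)
    return hits


def demo():
    """Bury a constructed 1024-bit key at offset 300 of a deterministic filler buffer
    (constructed stand-in for a RAM dump; it contains no 30 82 of its own) and scan."""
    filler = bytes((i * 7 + 3) & 0xFF for i in range(500))
    key = fake_rsa_private_key_der(1024)
    dump = filler[:300] + key + filler[300:]
    return find_rsa_private_keys(dump)


if __name__ == "__main__":
    for bits in (768, 1024, 2048, 4096):
        der = fake_rsa_private_key_der(bits)
        print(f"{bits:5d}-bit: {der[:3].hex(' ')}  base64 {pem_prefix(der)}")
    for off, mod_bits, blob in demo():
        print(f"candidate at offset {off}: {mod_bits}-bit modulus, {len(blob)} bytes")
```

Two caveats for anyone applying this to a real dump. The third byte depends on the total encoded length, so a key whose private exponent happens to be a byte shorter than the modulus can land on the other side of a 256-byte boundary; match on the full structure (version, modulus) rather than on the prefix alone, as the scanner does. And OpenSSL 3.x `genrsa` writes PKCS#8 (`BEGIN PRIVATE KEY`) unless given `-traditional`; that wrapper starts with `30 82 .. .. 02 01 00` too, but its next element is the AlgorithmIdentifier SEQUENCE rather than the modulus INTEGER, so it is rejected while the RSAPrivateKey embedded in its OCTET STRING is still found at its own offset. A DER scan only finds serialized copies of a key that happen to be in memory; the live key object in a process heap is a different in-memory layout.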
As an addendum to dr jimbob's answer:
There are utilities that look for these patterns and try to extract keys that way.
Disclaimer: I have not tried any of these utilities. This post is just a nicer version of the links posted by user "void-star" on HN. (See below.)
- Whitepapers about the general idea:
  - Adi Shamir and Nicko van Someren, 1998-09-22, Playing hide and seek with stored keys
  - Tobias Klein, 2006, SslKeyFinder
- Implementations:
  - Yara ruleset that looks for the pattern: https://github.com/SpiderLabs/yara-ruby/blob/master/samples/sslkeyfinder
  - Again Yara rules, but this time embedded in Python and usable as the "dumpcerts" plugin for the "Volatility" toolkit: dumpcerts.py. (And "Volatility", according to the Kali package description, seems to be a general framework for extracting all sorts of payloads from RAM dumps.)
Further reading
- Thread on Hacker News: 2014, Stealing unencrypted SSH-agent keys from memory
- And especially this answer by user "void-star"