WireGuard - public-private key pair vs session keys

OpenSource Ghost

I want to dump my VPN app and just use the official WireGuard for Windows program, but what bothers me is that WireGuard for Windows vividly displays the public and private key pair in its UI without any asterisks or attempts to hide it. Such a key pair would not be enough to compromise or intercept a WireGuard connection, would it? From what I understand, the session keys are the ones responsible for encrypting WireGuard traffic, and such keys are rotated and not visible in the WireGuard UI.

Edit: If anyone with NordVPN wants to get their WireGuard keys, then you can do it with either MacOS or Ubuntu. On MacOS you can get your keys via KeyChain Access and on Ubuntu you can do the same if you follow this guide - NordVPN WireGuard Details Extraction .
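Added example (not from the thread and not WireGuard's own code): a stripped-down model of the Noise_IK key schedule WireGuard uses, to show where the static key pair from the UI actually enters the picture and where the session keys come from. It assumes Go's standard crypto/ecdh for X25519 and substitutes HMAC-SHA256 for WireGuard's BLAKE2s-based HKDF; the MAC1/MAC2 fields, timestamp, cookie mechanism and optional preshared key are left out. The protocol-name string used as the initial chaining key is taken from the real protocol, everything else is this illustration's own structure.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Peer holds the long-lived static X25519 key (the pair the WireGuard UI shows)
// and one per-handshake ephemeral key (never shown, discarded after the handshake).
// This model does exactly one handshake per Peer.
type Peer struct {
	Static    *ecdh.PrivateKey
	Ephemeral *ecdh.PrivateKey
}

func genKey() *ecdh.PrivateKey {
	k, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func NewPeer() *Peer { return &Peer{Static: genKey(), Ephemeral: genKey()} }

func dh(priv *ecdh.PrivateKey, pub *ecdh.PublicKey) []byte {
	s, err := priv.ECDH(pub)
	if err != nil {
		panic(err)
	}
	return s
}

// kdf: assumption for this example, HMAC-SHA256 stands in for BLAKE2s HKDF.
func kdf(key, input []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(input)
	return m.Sum(nil)
}

// chain folds DH outputs into a chaining key, Noise-style, starting from the
// hashed protocol name. Structure, not the hash choice, is the point here.
func chain(terms ...[]byte) []byte {
	ck := sha256.Sum256([]byte("Noise_IKpsk2_25519_ChaChaPoly_BLAKE2s"))
	c := ck[:]
	for _, t := range terms {
		c = kdf(c, t)
	}
	return c
}

// SessionKeys are the directional transport keys; only these encrypt traffic.
type SessionKeys struct{ Send, Recv []byte }

func split(ck []byte, initiator bool) SessionKeys {
	k1, k2 := kdf(ck, []byte{1}), kdf(ck, []byte{2})
	if initiator {
		return SessionKeys{Send: k1, Recv: k2}
	}
	return SessionKeys{Send: k2, Recv: k1}
}

// KeySchedule runs the four DH mixes of Noise_IK (es, ss, ee, se) from one side.
// The static keys appear only in es, ss and se; ee needs an ephemeral private key.
func KeySchedule(static, eph *ecdh.PrivateKey, peerStatic, peerEph *ecdh.PublicKey, initiator bool) SessionKeys {
	if initiator {
		return split(chain(dh(eph, peerStatic), dh(static, peerStatic), dh(eph, peerEph), dh(static, peerEph)), true)
	}
	return split(chain(dh(static, peerEph), dh(static, peerStatic), dh(eph, peerEph), dh(eph, peerStatic)), false)
}

// Handshake: honest initiator and responder derive matching transport keys.
func Handshake(i, r *Peer) (SessionKeys, SessionKeys) {
	ki := KeySchedule(i.Static, i.Ephemeral, r.Static.PublicKey(), r.Ephemeral.PublicKey(), true)
	kr := KeySchedule(r.Static, r.Ephemeral, i.Static.PublicKey(), i.Ephemeral.PublicKey(), false)
	return ki, kr
}

func KeysMatch(a, b SessionKeys) bool {
	return bytes.Equal(a.Send, b.Recv) && bytes.Equal(a.Recv, b.Send)
}

// PassiveRecovery models someone who recorded the handshake (so knows both
// ephemeral public keys) and later obtains BOTH static private keys. That yields
// es, ss and se but not ee, so the schedule is attempted with ee missing.
func PassiveRecovery(iStatic, rStatic *ecdh.PrivateKey, iEph, rEph *ecdh.PublicKey) SessionKeys {
	es := dh(rStatic, iEph)
	ss := dh(iStatic, rStatic.PublicKey())
	se := dh(iStatic, rEph)
	return split(chain(es, ss, se), true) // ee = DH(ei, er) is unavailable
}

// Impersonate models an attacker holding only the responder's static private key
// (e.g. read off the UI or a config file). A fresh ephemeral key is enough to
// complete the handshake as the responder; the initiator cannot tell the difference.
func Impersonate(i *Peer, stolenStatic *ecdh.PrivateKey) (SessionKeys, SessionKeys) {
	a := &Peer{Static: stolenStatic, Ephemeral: genKey()}
	ki := KeySchedule(i.Static, i.Ephemeral, a.Static.PublicKey(), a.Ephemeral.PublicKey(), true)
	ka := KeySchedule(a.Static, a.Ephemeral, i.Static.PublicKey(), i.Ephemeral.PublicKey(), false)
	return ki, ka
}

func main() {
	i, r := NewPeer(), NewPeer()
	ki, kr := Handshake(i, r)
	fmt.Println("honest peers agree:", KeysMatch(ki, kr), hex.EncodeToString(ki.Send[:8]))
	rec := PassiveRecovery(i.Static, r.Static, i.Ephemeral.PublicKey(), r.Ephemeral.PublicKey())
	fmt.Println("statics + recording recover session keys:", KeysMatch(rec, kr))
	ki2, ka := Impersonate(i, r.Static)
	fmt.Println("stolen static key completes handshake as responder:", KeysMatch(ki2, ka))
}
```

The two attacker functions separate the two things the static pair can and cannot do: recorded sessions stay sealed without the ephemeral private halves (the ee term), while a live attacker holding one side's static private key can run a new handshake as that side. Knowing which of those applies is what decides whether a key displayed on screen matters in a given threat model.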
I want to dump my VPN app and just use the official WireGuard for Windows program, but what bothers me is that WireGuard for Windows vividly displays the public and private key pair in its UI without any asterisks or attempts to hide it. Such a key pair would not be enough to compromise or intercept a WireGuard connection, would it? From what I understand, the session keys are the ones responsible for encrypting WireGuard traffic, and such keys are rotated and not visible in the WireGuard UI.
It would make it easier -- instead of having to guess two keys, you only need to guess the session key.

Edit: Of course that assumes you were somehow able to scrape the screen in the first place, which is a bit problematic.
 
Hiding cleartext of passwords exists for a very good reason... The vast majority of login systems use it by default. SSH even takes it further and does not even display asterisks to hide the number of symbols of passwords.

I can't actually extract my keys. My VPN provider does not allow that. They hide them.
 
Hiding cleartext of passwords exists for a very good reason... The vast majority of login systems use it by default. SSH even takes it further and does not even display asterisks to hide the number of symbols of passwords.

I can't actually extract my keys. My VPN provider does not allow that. They hide them.
But fwiw, keyloggers can still do their job, right?
 
But fwiw, keyloggers can still do their job, right?
Anything saved in the browser for that logged-in person, right? Since the underlying OS (Windows at least), and how that all works to save creds and data in browsers... makes it all wide open to an infostealer.
 
Hiding cleartext of passwords exists for a very good reason...
Yes, that reason is called shoulder surfing. For anything beyond that it is pointless, and there are valid reasons for those keys to be visible at least some of the time. A key logger would parse keystrokes and a screen scraper would capture anything that ever appears in the frame buffer in most circumstances. If either of those is present on the system you're using to access the config, then any additional mechanism is just pissing into the wind.
 
Sometimes shoulder surfing is part of the threat model. SSH, OpenVPN, most reputable websites, and even the Windows OS take that into consideration. There is no reason for the official WireGuard application not to do the same. Home surveillance cameras with thermal imaging and LIDARs are relatively cheap today and can see far more than a typical person expects...

FYI, NordVPN uses HTTPS to provide the user with keys and then does the same to rotate them. I think doing so with a bloated app written in C++ taking up 500 MB of RAM defeats WireGuard's "small attack surface" quality. Then again, hiding key retrieval and rotation via HTTPS while hiding the keys from users does work well when shoulder surfing is part of the threat model. If anyone with NordVPN wants to get their WireGuard keys, then you can do it with either MacOS or Ubuntu. On MacOS you can get your keys via KeyChain Access and on Ubuntu you can do the same if you follow this guide - NordVPN WireGuard Key Extraction Guide .