Without going deeper in the cryptographic process, Wireshark can decrypt the SSL communication using the Master Key exchanged during the handshake. Steps two and three are limited to PSK and RSA key-exchange algorithms, which also require keys from the remote server (hard to capture in the context of vulnerability scanning). Step one is mostly an internal Wireshark process and only possible if a previous session with the correct key material has been cached. Finally, you can provide a key log file that contains a list of Master Keys and/or Pre-Master Keys (used to calculate the Master Key - the same way explained above).If successful, it uses the decrypted Pre-Master Key to calculate the Master Key. Wireshark will try to decrypt the encrypted Pre-Master Key, which is retrieved from the Client Key Exchange handshake message. If the key exchange algorithm is RSA, you can provide the server Private Key (in PEM format) that was used for encryption during the key exchange step.Wireshark will use it to calculate the Master Key. If the key exchange algorithm is PSK, you can setup the path to the clear text Pre-Shared Key that was used during the key exchange.If so, it retrieves the Master Key from the cached session. First, Wireshark checks whether any cached session matches the Session ID or the Session Ticket from the Server Hello handshake message.Here is a high level explanation of how Wireshark can retrieve this key: All it needs is the Master Key used in encrypting the data. Wireshark is one of the more famous packet analyzers out there, and it's capable of decrypting SSL/TLS communications. Instead, it's about how to retrieve key material for decryption. Please note that the topic of this post is not methods for breaking crypto-systems. I will focus on Ruby and the binding for OpenSSL. In this blog post, I will explain how to decrypt SSL/TLS communications to allow for the analysis of that traffic with Wireshark. Our team, responsible for the Trustwave network vulnerability scanning system, regularly encounters this situation - especially when scanning systems we don't control (mostly those of customers). However, this process can be tricky when the communication is encrypted. A common method is capturing the traffic using a packet analyzer tool such as tcpdump or Wireshark. Debugging a program that communicates with a remote endpoint usually involves analyzing the network communications.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |