From the Client I am logging all the master secret key for all the sessions.Using that key how to generate the .key file and is that be possible to decrypt the DHE messages in wireshark using Master secret key? Wireshark will be able to understand the way of decrypting DHE? This question is marked "community wiki". asked 07 May '13, 21:28  Kalai |
One Answer:
While it is not possible to create the private key of the server from the master keys, you will be able to decrypt the sessions in the tracefile that correspond to the logged master keys. You will need to put the master keys in a file as follows (from the source code): So for example: You then point to the file in the SSL protocol preferences by using the "(Pre-)Master-secret log filename" setting. answered 07 May '13, 22:34  SYN-bit ♦♦ edited 07 May '13, 22:37 showing 5 of 13 show 8 more comments |
Hi.Thanks for the reply.Do I need Encrypted PMS and PMS keys? If so What are those keys? As Master secret is used to encrypt and decrypt the messages in DHE, only master secret and session Id's are not enough like in your example?
And also I used %02x format to print Master secret. Should I have to use the same format for session Id's also?
You will only need the SessionID/Master Secret combinations. The other format is for the export that Chrome/Firefox can make when compiled with a debug option.
Yes, the sessionID should also be in hexformat.
I provided the log file in Edit>preference>pre-master key log file tab (RSA Session-ID:9835348 Master-Key:EC6B8B3131B3842CCFB47308B73B31BB9F870E43B1FA26098064B2C724FA14E910D8F509676BA37D74F15AA6351EDBC0) But nothing is happening ... The ssl debug file is showing the following:
dissect_ssl enter frame #1 (first time) ssl_session_init: initializing ptr 056610A4 size 588 conversation = 05660E64, ssl_session = 056610A4 record: offset = 0, reported_length_remaining = 437 dissect_ssl3_record found version 0x0301(TLS 1.0) -> state 0x10 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 432, ssl state 0x10 association_find: TCP port 9970 found 00000000 packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder decrypt_ssl3_record: no decoder available association_find: TCP port 9970 found 00000000 association_find: TCP port 3456 found 00000000 association_find: TCP port 0 found 00000000What could be the issue?
The SSL SessionID is usually a 32 octet value. It's best to take it from the ServerHello:
The value listed by wireshark is truncated, but can be capied by rightclick -> copy -> bytes -> hex stream. This will result in:
Hi in the server hello the session ID length is 0, and also am getting the following lines in the debug file checking keylog line: RSA Session-ID:9E7D348s3 line does not match encrypted pre-master secret line does not match checking keylog line: Master-Key:530BAAC26D6D57CE75B1DF8284EA57291882F46BD337DC72171BFBC3201F8B263B0E98607C1F4F673E39052AC70FC23F line does not match
Is that the problem with the session-ID?
OK, if there is no session id, you will need to revert to the first method of logging the first 8 octets of the encrypted Pre-Mastersecret together with the Pre-Mastersecret. Both in hex notation.
This will need to look like this:
Hi my keylog file is looking like this:
Still I am getting,
Are you able to post the tracefile on www.cloudshark.org? If you are worried about the application data, only the SSL handshake is needed.
I have added the file in the link: http://cloudshark.org/captures/4161807df249 RSA Session-ID:8C8C348 Master-Key:3FB3843CDD2DC0FB7AD4C81B75A19C4434AEA0A5B977EB562BB2B099A180B0884CBFC380A03FA767AF01032601703C6B PreMaster key-C80D3BC9FD3654BC95A3E68124B747C6B581FD06EC427AEFAD871104F5C42DCFBBF237067FAABF11266A0D76B049CBC3CB68DFC3659736DABEE5CA092B5D05831498F6354EDE3A0CD65DFDA7701C1F4600834FFDE9AA9B5848437255F4391A78E779084ADD5D5F5FEA8E05E8E97F02BC5613C1B73082AF6EB3A0B52BDACBEBC8
I am having access to the client completely.Any other workaround which will decrypt the application data in wireshark?
I was looking at your trace and made a trace myself, but I need to look into the source code to see if it is a simple fix to be able to decrypt SSL sessions for which the key has been exchanged by DH. It does not seem to do that now, even though I believe that logging the (pre-)master secret would be enough to go on (as long as it can be indexed in some way to identify the session).
Unfortunately, I do not have the time at the moment to dive some deeper. So for now I'm afraid there is no decryption possible for DH sessions, not even with the session keys logged.
Hi The decryption of DHE session is working when I used CLIENT_RANDOM <hex clientrandom=""> <hex masterkey="">. When I used capital letters for hex it was not working and its working fine when I use small letters.Thanks for your help...