This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Decrypt packets (key encrypted with Blowfish)

0

I want to decrypt a few packets that a program on my computer is sending/receiving.
It uses Blowfish to encrypt the packets and I have the key which is necessary to decrypt it again.

Now, how can I set up Wireshark to use this key to decrypt incoming Blowfish packets?
And in case this isn't possible, do you know some application that would allow me to do that?

asked 06 May '14, 07:51


sookx
accept rate: 0%

a few packets that a program on my computer is sending/receiving. It uses Blowfish to encrypt the packets

What is the protocol used to send the packets?

(06 May '14, 10:07) Kurt Knochner ♦

Are you using a 128-bit key?

Bruce Schneier of Counterpane Systems developed the Blowfish cipher algorithm. RFC 2451 shows that Blowfish uses key sizes from 40 to 448 bits. The default size is 128 bits. We will only accept key sizes of 128 bits, because libgcrypt only accepts this key size. Have a look at http://www.schneier.com for more information. BLOWFISH-CBC uses an IV of 8 octets.

http://wiki.wireshark.org/ESP_Preferences

(06 May '14, 10:11) DDay

@Kurt Knochner It uses UDP.
@DDay Yes, it uses a 128-bit key.

(07 May '14, 01:20) sookx

If you have UDP packets with encrypted user data you would have to write your own dissector registering for a UDP port and do the decryption there.

(07 May '14, 01:53) Anders ♦

@Kurt Knochner It uses UDP.

Well, yes. Thanks.

But what I meant is this: what encryption protocol (or scheme) is being used, like HTTPS, IPSEC, OpenVPN, etc.

You can't just decrypt UDP without knowing the protocol being used, especially if you want Wireshark to do the decryption.

(07 May '14, 11:54) Kurt Knochner ♦

@Kurt Knochner As far as I know it uses a custom binary protocol and every packet is encrypted with Blowfish. So I guess that you could basically just run the decryption algorithm on the contents of a packet.

(07 May '14, 17:27) sookx

One Answer:

1

As far as I know it uses a custom binary protocol and every packet is encrypted with Blowfish.

Well, if it's a custom binary protocol, you won't be able to do anything unless you know the protocol. I don't mean UDP, I mean the way the data is encoded in the UDP frame.

So I guess that you could basically just run the decryption algorithm on the contents of a packet.

No, you can't, because without any knowledge about the parameters for encryption, you can't decrypt the data. What you need is:

  • key size (128, 256, 512 bit)
  • key derivation function (how do they create the crypto key from the pass phrase)
  • is the key salted: yes/no
  • Blowfish block size
  • padding methods
  • is each frame encrypted for itself, or do they encrypt a larger block of data and then send chunks in single UDP frames
  • etc.
  • etc.

Without that information, there is no way to decrypt the data, other than a brute force of all possible combinations, which is a totally pointless operation unless you are working for the NSA ;-).

So, if you want to decrypt those frames, you will need (at least):

  • all of the things mentioned above
  • somebody who writes a Wireshark dissector that takes all the information and does the actual decryption. You can use the https dissector as an example.

Regards
Kurt

answered 09 May '14, 08:51


Kurt Knochner ♦
accept rate: 15%

edited 09 May '14, 11:56
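As an added illustration of the checklist in the answer above (this is example code written for this archive page, not code from the thread or from Wireshark), the script below decrypts captured UDP payloads only once every parameter has been pinned down. It assumes a hypothetical frame layout chosen for the example: an 8-byte IV in the clear, followed by ciphertext padded with PKCS#7 to Blowfish's 8-byte block, a raw 128-bit key (no passphrase derivation or salt), CBC mode, and each datagram encrypted on its own. The Blowfish primitive comes from the third-party `cryptography` package; the sample key, IV and datagrams are constructed, not captured from any real program.

```python
"""Added example (not from the thread): decrypting Blowfish-CBC UDP payloads
once every parameter from the answer's checklist is known.

Assumed (hypothetical) frame layout, chosen for the example:
  [8-byte IV][ciphertext, PKCS#7-padded to the 8-byte block size]
with a raw 128-bit key, CBC mode, and each datagram encrypted on its own.
Uses the third-party 'cryptography' package for the Blowfish primitive."""
import os
from typing import Iterable, List, Optional

from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, modes
try:
    # cryptography >= 43 keeps legacy ciphers such as Blowfish here
    from cryptography.hazmat.decrepit.ciphers.algorithms import Blowfish
except ImportError:
    # older releases expose it alongside the current algorithms
    from cryptography.hazmat.primitives.ciphers.algorithms import Blowfish

BLOCK_BITS = 64               # Blowfish block size is fixed at 64 bits
BLOCK_LEN = BLOCK_BITS // 8   # 8 bytes
IV_LEN = BLOCK_LEN            # CBC IV is one block (RFC 2451: 8 octets)
KEY_LEN = 16                  # 128-bit key, as confirmed in the comments


def _check_key(key: bytes) -> None:
    if len(key) != KEY_LEN:
        raise ValueError(f"expected a {KEY_LEN * 8}-bit key, got {len(key) * 8} bits")


def encrypt_frame(key: bytes, plaintext: bytes, iv: Optional[bytes] = None) -> bytes:
    """Build one datagram under the assumed layout (used here to create sample data)."""
    _check_key(key)
    iv = os.urandom(IV_LEN) if iv is None else iv
    if len(iv) != IV_LEN:
        raise ValueError("IV must be exactly one block")
    padder = padding.PKCS7(BLOCK_BITS).padder()
    padded = padder.update(plaintext) + padder.finalize()
    enc = Cipher(Blowfish(key), modes.CBC(iv)).encryptor()
    return iv + enc.update(padded) + enc.finalize()


def decrypt_frame(key: bytes, datagram: bytes) -> bytes:
    """Recover the plaintext of one datagram.

    Raises ValueError when the frame cannot have been produced under the
    assumed parameters (wrong key length, not block aligned, bad padding)."""
    _check_key(key)
    if len(datagram) < IV_LEN + BLOCK_LEN:
        raise ValueError("datagram too short to hold an IV and one block")
    iv, body = datagram[:IV_LEN], datagram[IV_LEN:]
    if len(body) % BLOCK_LEN:
        raise ValueError("ciphertext length is not a multiple of the block size")
    dec = Cipher(Blowfish(key), modes.CBC(iv)).decryptor()
    padded = dec.update(body) + dec.finalize()
    unpadder = padding.PKCS7(BLOCK_BITS).unpadder()
    return unpadder.update(padded) + unpadder.finalize()


def decrypt_capture(key: bytes, datagrams: Iterable[bytes]) -> List[Optional[bytes]]:
    """Decrypt a sequence of captured UDP payloads; None marks a frame that
    failed the framing or padding checks.

    A padding check passing is not proof the parameters were right: a wrong
    key still yields valid-looking PKCS#7 roughly one time in 256, so a real
    dissector should also validate the decrypted protocol structure."""
    out: List[Optional[bytes]] = []
    for d in datagrams:
        try:
            out.append(decrypt_frame(key, d))
        except ValueError:
            out.append(None)
    return out


# Constructed sample data (not captured from any real program).
# A fixed IV is used only so the sample is reproducible.
SAMPLE_KEY = b"0123456789abcdef"       # 16 bytes = 128 bits
SAMPLE_IV = b"\x01\x02\x03\x04\x05\x06\x07\x08"
SAMPLE_PLAINTEXTS = [b"hello", b"a longer message spanning blocks"]
SAMPLE_DATAGRAMS = [encrypt_frame(SAMPLE_KEY, p, SAMPLE_IV) for p in SAMPLE_PLAINTEXTS]
SAMPLE_DATAGRAMS.append(b"\x00" * 13)  # malformed: too short and not block aligned

if __name__ == "__main__":
    for i, pt in enumerate(decrypt_capture(SAMPLE_KEY, SAMPLE_DATAGRAMS)):
        print(i, "undecryptable under assumed parameters" if pt is None else pt)
```

Each of the checklist items maps onto a concrete decision in the code (key length, IV handling, block alignment, padding scheme, per-datagram encryption); change any one of them and the same bytes no longer decrypt, which is the point the answer makes. Feeding real captured payloads in (for example exported from Wireshark) would require first confirming that the program's framing actually matches these assumptions.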