This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireshark Decryption


In almost every blog I read about SSL decryption with Wireshark, I found the following limitation:

Wireshark won't be able to decrypt SSL traffic if Diffie-Hellman Ephemeral (DHE) or RSA Ephemeral is negotiated between the two communication parties.

It seems that even Wireshark's SSL wiki supports that. I'm curious and would like to know why Wireshark has such a limitation?

Thank you!

asked 21 Oct '14, 03:27


flora
accept rate: 100%

edited 10 Nov '14, 10:05


One Answer:


I'm curious and would like to know why Wireshark has such a limitation?

That's not a 'limitation' of Wireshark (in the sense that the developers are not able to implement it), it's the way the Diffie-Hellman algorithm works.

If you are using an SSL/TLS handshake without DH, the session key gets encrypted with the public (RSA) key of the server (more or less!!). So, if you have access to the private key of the server, you will be able to decrypt the session key and thus decrypt the whole SSL/TLS session.

With Diffie-Hellman, the session key will never be transmitted (it's being calculated on both sides), so you won't be able to intercept it and use it for decryption of the session. That's what Diffie-Hellman was developed for: securely establishing a base crypto key that both parties can use, but nobody else. I recommend the book "Applied Cryptography" if you are interested in all the details.

Having said that, there is no technical way to decrypt an SSL/TLS session where DH was used, unless one of the parties (client or server) discloses the session key (not the DH key!!).

Regards
Kurt

answered 21 Oct '14, 04:31


Kurt Knochner ♦
accept rate: 15%

edited 21 Oct '14, 06:45
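The answer above can be made concrete with a small model of what a passive capture contains in each case. The following is an added example written for this archive page; it is not code from the question, the answer, or the Wireshark project. It uses toy parameters constructed for the demo (a 127-bit Mersenne prime as the DH modulus, two small primes for textbook RSA, a hash-based keystream as the record cipher); none of these are real TLS groups, keys or ciphers, and the "key log" line only borrows the `CLIENT_RANDOM <hex> <hex>` shape of the NSS key-log format Wireshark reads, with our toy record key standing in for a TLS master secret. The point it shows: with RSA key exchange the server's private key recovers the premaster secret from the captured handshake; with ephemeral DH the same private key recovers nothing, and only a secret exported by one endpoint (what SSLKEYLOGFILE provides) lets the observer decrypt.

```python
import hashlib
import hmac
import secrets

# Toy parameters, constructed for this example only (not real TLS groups or keys).
DH_P = (1 << 127) - 1            # Mersenne prime; a demo modulus, not a TLS group
DH_G = 5
RSA_P, RSA_Q = 1000003, 1000033  # small primes for textbook RSA (toy)
RSA_N = RSA_P * RSA_Q
RSA_E = 65537
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))  # the server's long-term private key


def derive_session_key(shared_secret: int) -> bytes:
    """Stand-in for the TLS PRF: the record key is a hash of the (pre)master secret."""
    return hashlib.sha256(shared_secret.to_bytes(32, "big")).digest()


def xor_records(key: bytes, data: bytes) -> bytes:
    """Toy record protection: HMAC-derived keystream XORed over the data.
    XOR is symmetric, so the same function encrypts and decrypts."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def rsa_handshake():
    """RSA key exchange: the client chooses the premaster secret and sends it
    encrypted under the server's public key, so that ciphertext is on the wire."""
    client_random = secrets.token_bytes(32)          # sent in the clear in ClientHello
    premaster = secrets.randbelow(RSA_N - 2) + 2
    wire = {"client_random": client_random,
            "encrypted_premaster": pow(premaster, RSA_E, RSA_N)}
    server_premaster = pow(wire["encrypted_premaster"], RSA_D, RSA_N)
    assert server_premaster == premaster             # server recovers the same secret
    return wire, derive_session_key(premaster)


def dhe_handshake():
    """Ephemeral DH: each side keeps a private exponent; only g^a and g^b cross
    the wire, and the shared secret is computed on both sides, never transmitted."""
    client_random = secrets.token_bytes(32)
    a = secrets.randbelow(DH_P - 2) + 2
    b = secrets.randbelow(DH_P - 2) + 2
    wire = {"client_random": client_random, "p": DH_P, "g": DH_G,
            "client_public": pow(DH_G, a, DH_P), "server_public": pow(DH_G, b, DH_P)}
    shared_client = pow(wire["server_public"], a, DH_P)
    shared_server = pow(wire["client_public"], b, DH_P)
    assert shared_client == shared_server
    return wire, derive_session_key(shared_client)


def observer_decrypt_with_server_key(wire, server_private_d, record):
    """What the capture plus the server's RSA private key yields. This only works
    when the handshake actually carried an RSA-encrypted premaster secret."""
    if "encrypted_premaster" not in wire:
        return None  # DHE: nothing on the wire was encrypted to the RSA key
    premaster = pow(wire["encrypted_premaster"], server_private_d, RSA_N)
    return xor_records(derive_session_key(premaster), record)


def export_keylog_line(wire, session_key):
    """One endpoint discloses its secret, keyed by client_random, in the
    CLIENT_RANDOM <hex> <hex> shape of the NSS key log (toy secret here)."""
    return f"CLIENT_RANDOM {wire['client_random'].hex()} {session_key.hex()}"


def observer_decrypt_with_keylog(keylog_text, wire, record):
    """Match the capture's client_random against the key log, then decrypt."""
    for line in keylog_text.splitlines():
        parts = line.split()
        if (len(parts) == 3 and parts[0] == "CLIENT_RANDOM"
                and bytes.fromhex(parts[1]) == wire["client_random"]):
            return xor_records(bytes.fromhex(parts[2]), record)
    return None


if __name__ == "__main__":
    wire, key = rsa_handshake()
    rec = xor_records(key, b"GET / HTTP/1.1")
    print("RSA + server key:", observer_decrypt_with_server_key(wire, RSA_D, rec))
    wire, key = dhe_handshake()
    rec = xor_records(key, b"GET / HTTP/1.1")
    print("DHE + server key:", observer_decrypt_with_server_key(wire, RSA_D, rec))
    print("DHE + key log   :", observer_decrypt_with_keylog(export_keylog_line(wire, key), wire, rec))
```

The DHE capture holds `p`, `g` and the two public values, which is exactly what a packet capture shows; the private exponents exist only in the endpoints' memory, so the only route to decryption is an endpoint exporting its secret, which is what a key log file gives Wireshark.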