This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Trying to decrypt messages to and from my chat client


Hello all,

I'm trying to decrypt traffic that is going from and coming into my chat client (tldr I want to forward it, unencrypted). I see from wireshark that it is using a TLSv1.1 style handshake to set up the encryption. I don't fully understand the process of what's going on here.

The overall question is, if the chat client can encode and decode information going to and coming from the server, why can't I? I would think this should be as easy as finding the RSA key file stored on my local machine.

asked 14 Mar '15, 17:03

Annomaly
accept rate: 0%

edited 14 Mar '15, 17:27

Jim Aragon


One Answer:


In an RSA handshake, the client uses the public key in the certificate from the server to encrypt the premaster secret. The server is able to use its private key to decrypt the encrypted premaster secret. Then both client and server are able to use the premaster secret to create a session key for the encryption/decryption of the data stream.

Wireshark also uses the private key from the server to decrypt the premaster secret (which is sent by the client in the ClientKeyExchange handshake message). But as said, it is stored on the server, not the client.

answered 15 Mar '15, 12:15

SYN-bit ♦♦
accept rate: 20%

Interesting. As far as I can tell the data is encrypted. To me that simply means: No text visible in any of the packets, I can't string.search(msg).

I can, however, view the premaster secret. I assume the private key is sent encrypted and is session-based; however, there must be a way to capture this. After all, I'm trying to "decrypt" my own messages.

The struggles of a novice.

(16 Mar '15, 05:40) Annomaly
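The RSA key exchange described in the answer, as an added example (not code from the original post or from Wireshark): the client encrypts the premaster secret under the server's public key, only the holder of the server's private key can recover it, and both sides then expand it into a session key. The RSA modulus here is built from two small constructed primes and the key-expansion step uses the TLS 1.2 P_SHA256 construction rather than the TLS 1.1 MD5/SHA-1 mix, purely to keep the example short; the names are this example's own.

```python
import hashlib
import hmac
import os

# Toy RSA key pair standing in for the key in the server's certificate.
# Constructed parameters: two Mersenne primes, far too small for real use.
P, Q = (1 << 61) - 1, (1 << 89) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent (needs Python 3.8+)
PUBLIC_KEY, PRIVATE_KEY = (N, E), (N, D)

def client_key_exchange(premaster, public_key):
    """Client side: encrypt the premaster secret under the server's public key.
    This integer is what appears in the ClientKeyExchange message on the wire."""
    n, e = public_key
    m = int.from_bytes(premaster, "big")
    assert m < n, "premaster too long for this toy modulus"
    return pow(m, e, n)

def server_decrypt(ciphertext, private_key, length):
    """Server side (or Wireshark, when given the server key): recover the premaster."""
    n, d = private_key
    return pow(ciphertext, d, n).to_bytes(length, "big")

def prf(secret, label, seed, nbytes):
    """P_SHA256 from the TLS 1.2 PRF (RFC 5246 section 5)."""
    out, a = b"", label + seed
    while len(out) < nbytes:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + label + seed, hashlib.sha256).digest()
    return out[:nbytes]

def session_key(premaster, client_random, server_random):
    """Both endpoints: premaster -> master secret -> key block (32 bytes shown)."""
    master = prf(premaster, b"master secret", client_random + server_random, 48)
    return prf(master, b"key expansion", server_random + client_random, 32)

def passive_observer(ciphertext, client_random, server_random,
                     server_private_key=None, length=16):
    """What a capture yields: the session key only if the server's private key is supplied."""
    if server_private_key is None:
        return None                          # public key + ciphertext is not enough
    premaster = server_decrypt(ciphertext, server_private_key, length)
    return session_key(premaster, client_random, server_random)

if __name__ == "__main__":
    pm, cr, sr = os.urandom(16), os.urandom(32), os.urandom(32)
    ct = client_key_exchange(pm, PUBLIC_KEY)
    print("without server key:", passive_observer(ct, cr, sr))
    print("with server key   :", passive_observer(ct, cr, sr, PRIVATE_KEY).hex())
```

The observer path models the answer's point: the client holds only the server's public key, so material stored on the client cannot turn the captured ClientKeyExchange back into the premaster secret.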