This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I have a PCAP that includes SSL traffic that I would like to decrypt in order to retrieve a flag. I was able to find the server certificate which I exported into a .der file. I am able to convert from .der to .pem and am able to view the .pem which resembles a public key. If I attempt to use this to decrypt the traffic it does not. So I believe that I need to move to another step but am unable to find that step. I believe the next step involves using the random bytes value from the handshake within the SSL section of the server hello packet. I just do not know how to perform this task. I am hoping someone can shed some light.

asked 29 Sep '16, 10:46

jdpadro's gravatar image

jdpadro
6223
accept rate: 0%

Check that: (1) RSA private keys can only decrypt sessions which use RSA for key exchange, (EC)DHE cipher suites do not qualify. (2) does the private key really match the server certificate? Furthermore, you cannot just pick random bytes from the handshake and calculate the (pre-)master secret, for that you would need more data (which is RSA-encrypted in the case of a RSA key exchange, or the private DH exponents which you are unlikely to have in possession).

(29 Sep '16, 11:05) Lekensteyn
Be the first one to answer this question!
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×165
×56
×11

question asked: 29 Sep '16, 10:46

question was seen: 1,681 times

last updated: 29 Sep '16, 11:05

p​o​w​e​r​e​d by O​S​Q​A