Saturday, September 15, 2018

No Private Key, No Problem. How to Decrypt SSL/TLS traffic with Session Keys.

The purpose of the paper is to provide a guide on how to decrypt SSL/TLS traffic without a private key.

There are many times when IT admins need to utilize a packet inspection such as Wireshark. When the application data is encrypted however, troubleshooting application data becomes more of a challenge. The easiest way to decrypt data is to use the private key for the corresponding public key. Wireshark provides another means for decrypting data as well by using the pre-master secret. I will not dive into the intricacies of why this can be used to decrypt data because that part of cryptology is an entirely separate topic. For an in-depth explanation see http://www.moserware.com/2009/06/first-few-milliseconds-of-https.html. Now let’s dive in.

Step 1.

The first thing you will need to do is configure an environment variable (Windows 7). Right click on My Computer –> Properties –> Advanced System Settings. In the Advanced Tab click Environment Variables.

wiresharkdecrypt_01  

Step 2.

Under the System variables, click New. You will add the System variable SSLKEYLOGFILE. Create a path from the variable ending with premaster.txt. See the image below for more details.

wiresharkdecrypt_02

Step 3.

Once this is set, we will point Wireshark to the premaster file by navigating to Edit –> Preferences –> Protocols –>SSL(Pre)-Master-Secret log filename. Click browse and select the premaster.txt file we created earlier. You will need to generate some encrypted traffic via Firefox or Chrome before the file will show up. Internet Explorer will not work for decrypting data using this method.

  wiresharkdecrypt_03

Step 4.

Any new network traces taken through Wireshark while navigating SSL/TLS encrypted sites that leverage a premaster secret and RSA will now be decrypted. A trace can also be taken from a NetScaler appliance, and then decrypted for a specific client utilizing the SSLKEYLOGFILE Environment Variable. For information on sharing a trace without distributing a private key, please see http://support.citrix.com/article/CTX135889.

wiresharkdecrypt_04

I’d like to give special credit to the author of the article below for inspiring this article.

http://www.root9.net/2012/11/ssl-decryption-with-wireshark-private.html

Happy Decrypting!

BC

1 comment: