Ask Your Question
1

How to decrypt TLS 1.3 PSK sent by Zabbix?

asked 2020-02-20 16:25:15 +0000

Markku gravatar image

updated 2020-02-20 16:53:33 +0000

Hi, I'm trying to decrypt TLS 1.3 traffic, generated by Zabbix. This is configured with pre-shared key as described in the documentation in https://www.zabbix.com/documentation/... .

I have configured Wireshark 3.2.1 (or tshark 3.2.1) to use the configured TLS PSK. I'm not able to see the traffic unencrypted however. What am I missing here?

The example capture file is in https://my.syncplicity.com/share/daz6.... The PSK is "dac86d7afb589557e876f16b59b8b5b4". PSK Identity is "psk" in Zabbix but I don't think that's relevant for TLS decryption in Wireshark. (It is shown plaintext in frame 4 in tls.handshake.extensions.psk.identity.identity anyway)

For example:

tshark -r zabbix-tls-agent.pcap -Y "frame.number==28" -V -O tls -o tls.psk:dac86d7afb589557e876f16b59b8b5b4

Frame 28: 90 bytes on wire (720 bits), 90 bytes captured (720 bits)
Ethernet II, Src: VMware_fa:68:50 (00:0c:29:fa:68:50), Dst: VMware_3e:95:31 (00:0c:29:3e:95:31)
Internet Protocol Version 4, Src: 192.168.7.10, Dst: 192.168.7.12
Transmission Control Protocol, Src Port: 60130, Dst Port: 10050, Seq: 433, Ack: 407, Len: 24
Transport Layer Security
    TLSv1.3 Record Layer: Application Data Protocol: Application Data
        Opaque Type: Application Data (23)
        Version: TLS 1.2 (0x0303)
        Length: 19
        Encrypted Application Data: 6e493a8a471ddd55eb82d095f02d88e037db62

What puzzles me as well is the output of "tshark -G userprefs":

# Pre-Shared-Key as HEX string. Should be 0 to 16 bytes.
# A string
#tls.psk:

Where is that 16-byte limit coming from?

Update: TLS debug file (-o tls.debug_file:debug.txt) says:

dissect_ssl enter frame #4 (first time)
packet_from_server: is from server - FALSE
  conversation = 000002F97BB5FA40, ssl_session = 000002F97BB605E0
  record: offset = 0, reported_length_remaining = 312
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 307, ssl state 0x00
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 303 bytes
Calculating hash with offset 5 307
ssl_dissect_hnd_hello_common found CLIENT RANDOM -> state 0x01

dissect_ssl enter frame #6 (first time)
packet_from_server: is from server - TRUE
  conversation = 000002F97BB5FA40, ssl_session = 000002F97BB605E0
  record: offset = 0, reported_length_remaining = 258
ssl_try_set_version found version 0x0303 -> state 0x91
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 161, ssl state 0x91
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 157 bytes
ssl_try_set_version found version 0x0304 -> state 0x91
ssl_dissect_hnd_hello_common found SERVER RANDOM -> state 0x93
ssl_set_cipher found CIPHER 0x1303 TLS_CHACHA20_POLY1305_SHA256 -> state 0x97
ssl_load_keyfile dtls/tls.keylog_file is not configured!
tls13_load_secret transitioning to new key, old state 0x97
tls13_load_secret Cannot find CLIENT_HANDSHAKE_TRAFFIC_SECRET, decryption impossible
tls13_load_secret transitioning to new key, old state 0x97
tls13_load_secret Cannot find SERVER_HANDSHAKE_TRAFFIC_SECRET, decryption impossible
  record: offset = 166, reported_length_remaining = 92
dissect_ssl3_record: content_type 20 Change Cipher Spec
  record: offset = 172, reported_length_remaining = 86
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 23, ssl state 0x97
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
  record: offset = 200, reported_length_remaining = 58
dissect_ssl3_record: content_type 23 Application ...
(more)
edit retag flag offensive close merge delete

Comments

TLS 1.3 doesn't require a PSK cipher (TLS_CHACHA20_POLY1305_SHA256 in this pcap). The pre-shared key is used to transfer the session keys which Wireshark needs to decrypt.

"If you plan to use pre-shared keys (PSK) consider using GnuTLS or mbed TLS libraries in Zabbix components using PSKs."
GnuTLS supports SSLKEYLOGFILE to get session keys:
https://gnutls.org/manual/html_node/D...

Sharkfest presentation on using secrets to decrypt TLS:
https://sharkfestasia.wireshark.org/a...

Chuckc gravatar imageChuckc ( 2020-02-21 06:19:38 +0000 )edit

Page 34 shows the various keys:
https://owasp.org/www-chapter-london/...

Chuckc gravatar imageChuckc ( 2020-02-21 06:32:09 +0000 )edit

Thanks Chuck for the information. I hoped that the PSK option in Wireshark/tshark would enable the decrypt. So I take it that since Zabbix pre-packaged components are built with openssl (which doesn't support saving the session keys), there is no way to decrypt the data, without distributing custom-built executables.

Any insight if the PSK option in Wireshark/tshark is useful in earlier TLS versions?

Markku gravatar imageMarkku ( 2020-02-21 15:16:51 +0000 )edit

Yes. There are test pcaps here:
https://code.wireshark.org/review/git...
Just ran test with tls12-aes128ccm.pcap using PSK ca19e028a8a372ad2d325f950fcaceed.
This is the test case (https://code.wireshark.org/review/git...):

def test_tls12_psk_aes128ccm(self, cmd_tshark, capture_file):
    '''TLS 1.2 with PSK, AES-128-CCM'''
    self.assertRun((cmd_tshark,
            '-r', capture_file('tls12-aes128ccm.pcap'),
            '-o', 'tls.psk:ca19e028a8a372ad2d325f950fcaceed',
            '-q',
            '-z', 'follow,tls,ascii,0',
        ))
    self.assertTrue(self.grepOutput('http://www.gnu.org/software/gnutls')
Chuckc gravatar imageChuckc ( 2020-02-21 15:45:47 +0000 )edit
add a comment

1 Answer

Sort by ยป oldest newest most voted
1

answered 2020-02-22 00:14:26 +0000

Lekensteyn gravatar image

In TLS 1.2 and before, the PSK can be used with PSK cipher suites such as TLS_PSK_WITH_AES_128_CCM to decrypt sessions in Wireshark.

In TLS 1.3, whether decryption is possible depends on the psk_key_exchange_modes extension:

  • If it is psk_dhe_ke, then the PSK itself is no longer sufficient to decrypt the application traffic. In this case, an ephemeral Diffie-Hellman key exchange will be performed which requires additional secrets to allow Wireshark to decrypt the sessions.
  • If it is psk_ke, then the PSK should be sufficient to decrypt the session.

Your trace clearly advertises the former, psk_dhe_ke:

Transport Layer Security
    TLSv1.3 Record Layer: Handshake Protocol: Client Hello
    ...
            Extension: psk_key_exchange_modes (len=2)
                Type: psk_key_exchange_modes (45)
                Length: 2
                PSK Key Exchange Modes Length: 1
                PSK Key Exchange Mode: PSK with (EC)DHE key establishment (psk_dhe_ke) (1)

So you have to resort to techniques to extract the session secret. Since OpenSSL appears to be in use, have a look at this post. It describes how to use a LD_PRELOAD libsslkeylog.so library to extract the required secrets. If you want to skip the technical details, you can also just check the walkthrough linked on top of that post.

Note: in theory TLS 1.3 with psk_ke should allow decryption, but I have not verified that not considered that in the implementation. It might not be supported yet. In that case, feel free to open a bug with a capture file and PSK and ping me (and/or submit a patch).

edit flag offensive delete link more

Comments

Thank you Peter for a succinct answer and extra info on grabbing OpenSSL keys. :-)

Chuckc gravatar imageChuckc ( 2020-02-22 00:38:20 +0000 )edit

Well yes, what can I say, thanks a lot to both of you Peter and Chuck for these!

I just tried the Peter's instructions on Zabbix server on Debian Buster, worked brilliantly.

I guess I have to try adding TLS decrypt support in my Zabbix dissectors in https://github.com/markkuleinio/wires... some day :-D

Markku

Markku gravatar imageMarkku ( 2020-02-22 09:52:45 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2020-02-20 16:25:15 +0000

Seen: 3,541 times

Last updated: Feb 22 '20

Related questions

Accessing decrypted TLS data in Lua dissector

What is the best way to add protocols for TLS PSK decoding?

How to get TLSv1.2 to decode

How to verify what protocol was used in an encrypted file transfer?

SSL/TLS Handshake Immediately Fails

Can't capture TLS certificate

How can I extract parameters from pcap

Does Wireshark support TLS 1.3?

How can I decode TLS that uses DH?

Can Wireshark decode a LDAPs conversation?

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2