Ask Your Question
1

How to decrypt TLS 1.3 PSK sent by Zabbix?

asked 2020-02-20 16:25:15 +0000

Markku gravatar image

updated 2020-02-20 16:53:33 +0000

Hi, I'm trying to decrypt TLS 1.3 traffic, generated by Zabbix. This is configured with pre-shared key as described in the documentation in https://www.zabbix.com/documentation/... .

I have configured Wireshark 3.2.1 (or tshark 3.2.1) to use the configured TLS PSK. I'm not able to see the traffic unencrypted however. What am I missing here?

The example capture file is in https://my.syncplicity.com/share/daz6.... The PSK is "dac86d7afb589557e876f16b59b8b5b4". PSK Identity is "psk" in Zabbix but I don't think that's relevant for TLS decryption in Wireshark. (It is shown plaintext in frame 4 in tls.handshake.extensions.psk.identity.identity anyway)

For example:

tshark -r zabbix-tls-agent.pcap -Y "frame.number==28" -V -O tls -o tls.psk:dac86d7afb589557e876f16b59b8b5b4

Frame 28: 90 bytes on wire (720 bits), 90 bytes captured (720 bits)
Ethernet II, Src: VMware_fa:68:50 (00:0c:29:fa:68:50), Dst: VMware_3e:95:31 (00:0c:29:3e:95:31)
Internet Protocol Version 4, Src: 192.168.7.10, Dst: 192.168.7.12
Transmission Control Protocol, Src Port: 60130, Dst Port: 10050, Seq: 433, Ack: 407, Len: 24
Transport Layer Security
    TLSv1.3 Record Layer: Application Data Protocol: Application Data
        Opaque Type: Application Data (23)
        Version: TLS 1.2 (0x0303)
        Length: 19
        Encrypted Application Data: 6e493a8a471ddd55eb82d095f02d88e037db62

What puzzles me as well is the output of "tshark -G userprefs":

# Pre-Shared-Key as HEX string. Should be 0 to 16 bytes.
# A string
#tls.psk:

Where is that 16-byte limit coming from?

Update: TLS debug file (-o tls.debug_file:debug.txt) says:

dissect_ssl enter frame #4 (first time)
packet_from_server: is from server - FALSE
  conversation = 000002F97BB5FA40, ssl_session = 000002F97BB605E0
  record: offset = 0, reported_length_remaining = 312
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 307, ssl state 0x00
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 303 bytes
Calculating hash with offset 5 307
ssl_dissect_hnd_hello_common found CLIENT RANDOM -> state 0x01

dissect_ssl enter frame #6 (first time)
packet_from_server: is from server - TRUE
  conversation = 000002F97BB5FA40, ssl_session = 000002F97BB605E0
  record: offset = 0, reported_length_remaining = 258
ssl_try_set_version found version 0x0303 -> state 0x91
dissect_ssl3_record: content_type 22 Handshake
decrypt_ssl3_record: app_data len 161, ssl state 0x91
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 157 bytes
ssl_try_set_version found version 0x0304 -> state 0x91
ssl_dissect_hnd_hello_common found SERVER RANDOM -> state 0x93
ssl_set_cipher found CIPHER 0x1303 TLS_CHACHA20_POLY1305_SHA256 -> state 0x97
ssl_load_keyfile dtls/tls.keylog_file is not configured!
tls13_load_secret transitioning to new key, old state 0x97
tls13_load_secret Cannot find CLIENT_HANDSHAKE_TRAFFIC_SECRET, decryption impossible
tls13_load_secret transitioning to new key, old state 0x97
tls13_load_secret Cannot find SERVER_HANDSHAKE_TRAFFIC_SECRET, decryption impossible
  record: offset = 166, reported_length_remaining = 92
dissect_ssl3_record: content_type 20 Change Cipher Spec
  record: offset = 172, reported_length_remaining = 86
dissect_ssl3_record: content_type 23 Application Data
decrypt_ssl3_record: app_data len 23, ssl state 0x97
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
  record: offset = 200, reported_length_remaining = 58
dissect_ssl3_record: content_type 23 Application ...
(more)
edit retag flag offensive close merge delete

Comments

TLS 1.3 doesn't require a PSK cipher (TLS_CHACHA20_POLY1305_SHA256 in this pcap). The pre-shared key is used to transfer the session keys which Wireshark needs to decrypt.

"If you plan to use pre-shared keys (PSK) consider using GnuTLS or mbed TLS libraries in Zabbix components using PSKs."
GnuTLS supports SSLKEYLOGFILE to get session keys:
https://gnutls.org/manual/html_node/D...

Sharkfest presentation on using secrets to decrypt TLS:
https://sharkfestasia.wireshark.org/a...

Chuckc gravatar imageChuckc ( 2020-02-21 06:19:38 +0000 )edit

Page 34 shows the various keys:
https://owasp.org/www-chapter-london/...

Chuckc gravatar imageChuckc ( 2020-02-21 06:32:09 +0000 )edit

Thanks Chuck for the information. I hoped that the PSK option in Wireshark/tshark would enable the decrypt. So I take it that since Zabbix pre-packaged components are built with openssl (which doesn't support saving the session keys), there is no way to decrypt the data, without distributing custom-built executables.

Any insight if the PSK option in Wireshark/tshark is useful in earlier TLS versions?

Markku gravatar imageMarkku ( 2020-02-21 15:16:51 +0000 )edit

Yes. There are test pcaps here:
https://code.wireshark.org/review/git...
Just ran test with tls12-aes128ccm.pcap using PSK ca19e028a8a372ad2d325f950fcaceed.
This is the test case (https://code.wireshark.org/review/git...):

def test_tls12_psk_aes128ccm(self, cmd_tshark, capture_file):
    '''TLS 1.2 with PSK, AES-128-CCM'''
    self.assertRun((cmd_tshark,
            '-r', capture_file('tls12-aes128ccm.pcap'),
            '-o', 'tls.psk:ca19e028a8a372ad2d325f950fcaceed',
            '-q',
            '-z', 'follow,tls,ascii,0',
        ))
    self.assertTrue(self.grepOutput('http://www.gnu.org/software/gnutls')
Chuckc gravatar imageChuckc ( 2020-02-21 15:45:47 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted
1

answered 2020-02-22 00:14:26 +0000

Lekensteyn gravatar image

In TLS 1.2 and before, the PSK can be used with PSK cipher suites such as TLS_PSK_WITH_AES_128_CCM to decrypt sessions in Wireshark.

In TLS 1.3, whether decryption is possible depends on the psk_key_exchange_modes extension:

  • If it is psk_dhe_ke, then the PSK itself is no longer sufficient to decrypt the application traffic. In this case, an ephemeral Diffie-Hellman key exchange will be performed which requires additional secrets to allow Wireshark to decrypt the sessions.
  • If it is psk_ke, then the PSK should be sufficient to decrypt the session.

Your trace clearly advertises the former, psk_dhe_ke:

Transport Layer Security
    TLSv1.3 Record Layer: Handshake Protocol: Client Hello
    ...
            Extension: psk_key_exchange_modes (len=2)
                Type: psk_key_exchange_modes (45)
                Length: 2
                PSK Key Exchange Modes Length: 1
                PSK Key Exchange Mode: PSK with (EC)DHE key establishment (psk_dhe_ke) (1)

So you have to resort to techniques to extract the session secret. Since OpenSSL appears to be in use, have a look at this post. It describes how to use a LD_PRELOAD libsslkeylog.so library to extract the required secrets. If you want to skip the technical details, you can also just check the walkthrough linked on top of that post.

Note: in theory TLS 1.3 with psk_ke should allow decryption, but I have not verified that not considered that in the implementation. It might not be supported yet. In that case, feel free to open a bug with a capture file and PSK and ping me (and/or submit a patch).

edit flag offensive delete link more

Comments

Thank you Peter for a succinct answer and extra info on grabbing OpenSSL keys. :-)

Chuckc gravatar imageChuckc ( 2020-02-22 00:38:20 +0000 )edit

Well yes, what can I say, thanks a lot to both of you Peter and Chuck for these!

I just tried the Peter's instructions on Zabbix server on Debian Buster, worked brilliantly.

I guess I have to try adding TLS decrypt support in my Zabbix dissectors in https://github.com/markkuleinio/wires... some day :-D

Markku

Markku gravatar imageMarkku ( 2020-02-22 09:52:45 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2020-02-20 16:25:15 +0000

Seen: 692 times

Last updated: Feb 22