
TLS RSA Key Extraction (Help/Hint Wanted)

asked 2020-08-04 10:42:29 +0000 by CWatson

updated 2020-08-04 14:15:20 +0000 by grahamb

Hi all,

Hope you are all safe!!

I need some help with an exercise I have if anyone can help?

The task is, given a PCAP file, I believe I need to extract a private key from within the PCAP, and then re-apply said key to the same PCAP file via Wireshark's preferences > SSL > etc... to decrypt the traffic.

I am pretty certain I have found the Private Key, and have extracted and saved it to a text file.

"-----BEGIN PRIVATE KEY----- MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAg....etc..etc..."

I then try to reapply the key in the aforementioned preferences, but it doesn't work.

I have been trying this for about 2 weeks now, and have probably watched half of youtube and read 2 dozen articles of the on-the-line content on the webznet. I have also now started to doubt myself and think I need to use PreMasters etc.. which I have also located.

Could someone please point me in the right direction? Please don't give the answer. A document or youtube, or anything I can use to move forwards would be great.

Thanks. C.



If you've read this much already you should know that it comes down to the details. Of these you provide little, so it's then hard to point to 'the right article'. For starters, what did you learn about the TLS connection so far?

Jaap (2020-08-04 11:01:07 +0000)

So I know that during a TLS connection being established there is a handshake and things go on, but most importantly they exchange keys. I believe it is these keys that I need to identify, and extract, which again I have done so I think, identifying the "Server Hello, Certificate" packet in the PCAP. (I was going to upload a screenshot but the system won't let me until I have 60 points so I put it here instead :)

I then need to tell Wireshark to use this key to decrypt any encrypted traffic within the PCAP file, thus revealing the SSL traffic in plain text.

I am stuck at knowing that I have the right pieces or not. Once I know I have the right pieces, I can probably move on from there.

Thanks. C.

CWatson (2020-08-04 11:19:14 +0000)

1 Answer

answered 2020-08-04 11:13:42 +0000 by grahamb

As you haven't mentioned it yet, the Wireshark Wiki page on TLS has info about the keying material required to decrypt and the type of TLS encryption each keying material can be used with.



Ok thanks to grahamb for pointing out a silly mistake and having read and watched everything EXCEPT the Wireshark manual itself. d'oh!

Hint to anyone else doing this in the future:

So basically I was ALMOST there! You don't need to fill in all the boxes when applying the RSA Key in the preferences. Just the file containing the extracted key, and the IP address of the box. Job done!

Exercise completed!

CWatson (2020-08-04 14:01:53 +0000)
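A few checks that answer the "do I have the right pieces?" question from the thread, plus the tshark equivalent of the GUI RSA keys list entry, as an added example (not code from the thread or from the Wireshark project). It assumes constructed names: capture.pcap, server.key (the PEM block saved from the capture), server IP 10.0.0.5, and tshark on PATH.

```shell
#!/bin/sh
# Added example, not code from the thread or the Wireshark project.
# Assumed inputs: capture.pcap, server.key (the PEM block saved from the
# capture) and the server IP 10.0.0.5; tshark on PATH.

# Classify a PEM key file by its header. Wireshark accepts an unencrypted
# PKCS#8 ("PRIVATE KEY") or PKCS#1 ("RSA PRIVATE KEY") file; a
# certificate or an encrypted key in the RSA keys list decrypts nothing.
pem_key_kind() {
  hdr=$(grep -- '-----BEGIN' "$1" 2>/dev/null | head -n 1)
  case "$hdr" in
    *"BEGIN ENCRYPTED PRIVATE KEY"*) echo encrypted ;;
    *"BEGIN RSA PRIVATE KEY"*)
      # PKCS#1 files mark encryption with a Proc-Type header instead
      if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then echo encrypted
      else echo pkcs1; fi ;;
    *"BEGIN PRIVATE KEY"*) echo pkcs8 ;;
    *"BEGIN CERTIFICATE"*) echo certificate ;;
    *) echo unknown ;;
  esac
}

# An RSA private key only unlocks sessions that used static RSA key
# exchange. (EC)DHE suites and TLS 1.3 need a (pre-)master secret log
# instead. Input: IANA suite name, e.g. TLS_RSA_WITH_AES_128_CBC_SHA.
rsa_key_can_decrypt_suite() {
  case "$1" in
    TLS_RSA_WITH_*) return 0 ;;
    *) return 1 ;;
  esac
}

# Command-line equivalent of the GUI "RSA keys list" entry. As the thread
# notes, the key file and server IP are what matter; 443/http are the
# usual port and protocol for an HTTPS capture (assumed here).
tshark_decrypt() {   # $1 = pcap, $2 = server IP, $3 = PEM key file
  kind=$(pem_key_kind "$3")
  case "$kind" in
    pkcs1|pkcs8) ;;
    *) echo "refusing: $3 is '$kind', not an unencrypted RSA key" >&2
       return 1 ;;
  esac
  tshark -r "$1" -o "tls.keys_list:$2,443,http,$3" \
    -Y http.request -T fields -e ip.src -e http.host -e http.request.uri
}

# Usage (not run here): tshark_decrypt capture.pcap 10.0.0.5 server.key
```

If tshark prints nothing, check the ServerHello cipher suite first: a DHE/ECDHE suite means the private key is the wrong keying material for that capture.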

It's an area that has changed a bit recently and so a lot of third party tutorials and examples are out of date.

grahamb (2020-08-04 14:14:41 +0000)

Thanks. Once I get enough points to do so, I will upvote.

CWatson (2020-08-04 14:43:43 +0000)

No need, accepting the answer is what we like folks to do here and you've done that so job done.

grahamb (2020-08-04 14:52:20 +0000)


Seen: 3,716 times

Last updated: Aug 04 '20