Ask Your Question
0

Decrypt DTLS packet

asked 2021-08-09 05:40:02 +0000

won gravatar image

Hi, I'm trying to decrypt DTLS packet, also used some other PSK's, but it doesn't work at all. Do you have any references for decrypting DTLS packet with version 3.4.7? I'm telling that i'm using the latest version of Wireshark.

edit retag flag offensive close merge delete

Comments

A PSK only works when using RSA ciphers, which are becoming less often used. Can you share a capture, or at least the output of the TLS debug log?

grahamb gravatar imagegrahamb ( 2021-08-09 07:36:54 +0000 )edit

This is the part of captured file that I've done.(Not sure the image shows well.) (+ I don't know how to upload the image file.) I've checked to "Edit -> Preferences -> Protocol -> DTLS", but it requires PSK to decrypt.link text

won gravatar imagewon ( 2021-08-09 08:01:45 +0000 )edit

An image of a capture doesn't really help, as noted above we need either the capture, or the TLS debug log (see the TLS dissector preferences).

Captures, logs, images etc. should be uploaded to an external public share and then a link to the item posted back here. Your image isn't publicly shared.

grahamb gravatar imagegrahamb ( 2021-08-09 08:59:12 +0000 )edit

1 Answer

Sort by » oldest newest most voted
0

answered 2021-08-09 18:06:28 +0000

Jaap gravatar image

updated 2021-08-09 19:36:09 +0000

Here's a working scenario on a Linux box,

Start Wireshark, set DTLS preferences Pre-Shared Key to 0102030405060708090a0b0c0d0e0f, and start the capture on the loopback interface.

As a server run this in a Linux console

$ PSK=0102030405060708090a0b0c0d0e0f
$ openssl s_server -dtls -psk $PSK -cipher PSK-AES128-CBC-SHA -nocert -accept 23000

As a client run this in another Linux console

$ PSK=0102030405060708090a0b0c0d0e0f
$ openssl s_client -psk $PSK -dtls -connect 127.0.0.1:23000

Type something in the client console and press enter, it should show up on the server console, and in Wireshark the DTLS packets should show this same data in an Application Data packet.

edit flag offensive delete link more

Comments

You might want to BOLD the first step to "Start Wireshark" capture before the dtls handshake.

Not sure if the original question was really for "decrypt DTLS packet" or a full dtls session.

Chuckc gravatar imageChuckc ( 2021-08-09 18:37:30 +0000 )edit

@Chuckc done, and, I don't know either but having an example is always a good start.

Jaap gravatar imageJaap ( 2021-08-09 19:37:30 +0000 )edit

@Jaap - yes, I tend to learn the hard way and it was useful to see that the startup is needed for decode.
Added it to the DTLS Wiki page

Chuckc gravatar imageChuckc ( 2021-08-09 19:51:20 +0000 )edit

So should I have to install openssl on Linux? Actually I tried once, I'm a little bit curious that should I have to write PSK = 0102030405060708090a0b0c0d0e0f on Linux console;it didn't worked.

won gravatar imagewon ( 2021-08-11 04:09:54 +0000 )edit

@won You asked about decrypting DTLS with Wireshark, and mentioned the use of PSK's. So I created a working example of creating such network traffic, capture and dissection of the DTLS packets and decryption of the payload.

This example uses the openssl command line program features to setup the server and client for the DTLS connection. It may be possible to do the same with other programs, this is just an example.

In the example the PSK is setup in an environment variable in the opened Bash-like shell. Other shell types may have different ways of setting environment variables. Copying the line after the '$' prompt should work fine.

Jaap gravatar imageJaap ( 2021-08-11 09:45:08 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

Stats

Asked: 2021-08-09 05:40:02 +0000

Seen: 4,609 times

Last updated: Aug 09 '21