Ask Your Question
0

Decrypting TLS traffic using RSA pre-master secret

asked 2018-04-24 19:37:55 +0000

Wayne gravatar image

updated 2018-04-24 19:39:31 +0000

Hello,

I'm currently working on an exploit for the robot attack, which gives me the decrypted RSA pre-master secret. Now I would like to use Wireshark to decrypt the traffic. I know about the possibility to import the SSLKEYLOG file but I'm not sure about the format. I tried "RSA (first 8 hex-encoded bytes of encrypted pre-master secret) (decrypted hex-encoded pre-master secret)", which didn't work.

Does anyone know the correct format? Thanks in advance!

Cheers, Wayne

edit retag flag offensive close merge delete
add a comment

2 Answers

Sort by ยป oldest newest most voted
0

answered 2018-04-28 10:25:04 +0000

Wayne gravatar image

updated 2018-04-29 08:07:13 +0000

Ok, I found the solution. I had to read RFC 5246 to realize that the actual pre-master secret are only the last 48 bytes of the pre-master data. The rest is just padding and some format restrictions.

The correct format therefore is:

RSA "first 8 bytes of encrypted premaster-secret in hex" "the last 48 bytes of the decrypted pre-master data in hex"

edit flag offensive delete link more
add a comment
0

answered 2018-04-25 19:53:47 +0000

Uli gravatar image

According to epan/dissectors/packet-ssl-utils.c:

/* The format of the file is a series of records with one of the following formats:
 *   - "RSA xxxx yyyy"
 *     Where xxxx are the first 8 bytes of the encrypted pre-master secret (hex-encoded)
 *     Where yyyy is the cleartext pre-master secret (hex-encoded)
 *     (this is the original format introduced with bug 4349)
 *
 *   - "RSA Session-ID:xxxx Master-Key:yyyy"
 *     Where xxxx is the SSL session ID (hex-encoded)
 *     Where yyyy is the cleartext master secret (hex-encoded)
 *     (added to support openssl s_client Master-Key output)
 *     This is somewhat is a misnomer because there's nothing RSA specific
 *     about this.
 *
 *   - "PMS_CLIENT_RANDOM xxxx yyyy"
 *     Where xxxx is the client_random from the ClientHello (hex-encoded)
 *     Where yyyy is the cleartext pre-master secret (hex-encoded)
 *     (This format allows SSL connections to be decrypted, if a user can
 *     capture the PMS but could not recover the MS for a specific session
 *     with a SSL Server.)
 *
 *   - "CLIENT_RANDOM xxxx yyyy"
 *     Where xxxx is the client_random from the ClientHello (hex-encoded)
 *     Where yyyy is the cleartext master secret (hex-encoded)
 *     (This format allows non-RSA SSL connections to be decrypted, i.e.
 *     ECDHE-RSA.)
 *
 *   - "CLIENT_EARLY_TRAFFIC_SECRET xxxx yyyy"
 *   - "CLIENT_HANDSHAKE_TRAFFIC_SECRET xxxx yyyy"
 *   - "SERVER_HANDSHAKE_TRAFFIC_SECRET xxxx yyyy"
 *   - "CLIENT_TRAFFIC_SECRET_0 xxxx yyyy"
 *   - "SERVER_TRAFFIC_SECRET_0 xxxx yyyy"
 *   - "EARLY_EXPORTER_SECRET xxxx yyyy"
 *   - "EXPORTER_SECRET xxxx yyyy"
 *     Where xxxx is the client_random from the ClientHello (hex-encoded)
 *     Where yyyy is the secret (hex-encoded) derived from the early,
 *     handshake or master secrets. (This format is introduced with TLS 1.3
 *     and supported by BoringSSL, OpenSSL, etc. See bug 12779.)
 */
edit flag offensive delete link more

Comments

Hi Uli! Thanks for your response! I've already tried the first format in your list and it's not working. Here is an example:

Encrypted pre-master secret: 1cc8de6a9aa34399c6d165fc295c420a7e6d91ac4f17713c31e48cfc59f940d3e44703b13f9692ceb34099b880f8bb9cfbdb3fcf67458b3b8d3dee6261c454f3c13a0682e90df2d619b2ed79cfbdce097e7d7318c538b0c4fe06be9aad223405814dff28d0d4c78ecfd52bd501efcdc4442fec258d05470f0c501846ca61020732304ae27e65636cca27d7309fded4a57e3d2f6c869864209a44310cbbea811ef5b2fe9186c41b4522effa7c1119d260b6160292d550af775935f3b045e28fe6c2ca3280b8598348a2e08f6442c239a168d9f1f4391ac8ad87a3fe7ec2a6ad0d902922a6fc49ef71986309c2ceaeb28150ddb8e63006bc07d0ed7e3150bb4a79

Decrypted pre-master secret: 2fb0bbc881fdb1f8a527d072c8a0b1b0e661f77637baec62ad863554c0c4ed33420b332506dd2cb4cad406adfcd9351a03e1eefba36400659b325589c4d0b6a7e459e39a6ef32a81d986d29afc33050440e1cc31f1e26cd47b57e20667a42c2e003e747234e8d7e4e03201212c19f04954fc7cb43e2458bebe9da312de0170638cf84770b365e13ded24b2c986d2d22030221610a35d0d505b8c3916fb81c7f8cc273b57534bf3580ed21ad6788990a52ca7e13c5b926ff876c9f5d6fd7d9b0adbd860507638f19c497344dfb1e0003010438e382e3a62ab92a174254bd57c0672470b2c27f3ffc4e37305a1247aa4284458b5383afc17558fe247b0acb92

sslkeylog file: RSA 1cc8de6a9aa34399 2fb0bbc881fdb1f8a527d072c8a0b1b0e661f77637baec62ad863554c0c4ed33420b332506dd2cb4cad406adfcd9351a03e1eefba36400659b325589c4d0b6a7e459e39a6ef32a81d986d29afc33050440e1cc31f1e26cd47b57e20667a42c2e003e747234e8d7e4e03201212c19f04954fc7cb43e2458bebe9da312de0170638cf84770b365e13ded24b2c986d2d22030221610a35d0d505b8c3916fb81c7f8cc273b57534bf3580ed21ad6788990a52ca7e13c5b926ff876c9f5d6fd7d9b0adbd860507638f19c497344dfb1e0003010438e382e3a62ab92a174254bd57c0672470b2c27f3ffc4e37305a1247aa4284458b5383afc17558fe247b0acb92

If I import this sslkeylog file, Wireshark doesn't decrypt the traffic that follows the handshake. Where is my mistake?

Wayne gravatar imageWayne ( 2018-04-27 08:12:09 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2018-04-24 19:37:55 +0000

Seen: 4,804 times

Last updated: Apr 29 '18