
Decrypting TLS traffic using RSA pre-master secret

asked 2018-04-24 19:37:55 +0000

Wayne

updated 2018-04-24 19:39:31 +0000


I'm currently working on an exploit for the ROBOT attack, which gives me the decrypted RSA pre-master secret. Now I would like to use Wireshark to decrypt the traffic. I know about the possibility to import the SSLKEYLOG file, but I'm not sure about the format. I tried "RSA (first 8 hex-encoded bytes of encrypted pre-master secret) (decrypted hex-encoded pre-master secret)", which didn't work.

Does anyone know the correct format? Thanks in advance!

Cheers, Wayne


2 Answers


answered 2018-04-28 10:25:04 +0000

Wayne

updated 2018-04-29 08:07:13 +0000

OK, I found the solution. I had to read RFC 5246 to realize that the actual pre-master secret is only the last 48 bytes of the pre-master data. The rest is just padding and some format restrictions.

The correct format therefore is:

RSA "first 8 bytes of encrypted premaster-secret in hex" "the last 48 bytes of the decrypted pre-master data in hex"

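The record format from the answer above, as an added example that is not part of the original post and is not Wireshark code: it strips the PKCS#1 v1.5 padding from the decrypted block, checks that exactly 48 bytes remain, and formats the "RSA" key log line. The function names and the sample bytes are constructed for illustration.

```python
"""Build a Wireshark key log "RSA" record from a decrypted ClientKeyExchange block."""

PMS_LEN = 48  # RFC 5246 section 7.4.7.1: 2-byte client_version + 46 random bytes


def extract_pms(decrypted: bytes, modulus_len: int) -> bytes:
    """Strip EME-PKCS1-v1_5 padding (00 02 PS 00 M) and return the 48-byte M."""
    # A decryption done as big-integer math drops the leading 0x00; restore it.
    block = decrypted.rjust(modulus_len, b"\x00")
    if len(block) != modulus_len or block[:2] != b"\x00\x02":
        raise ValueError("not a PKCS#1 v1.5 type 2 block")
    sep = block.find(b"\x00", 2)  # PS is non-zero, so the first zero ends it
    if sep < 10:  # covers "not found" (-1) and a PS shorter than 8 bytes
        raise ValueError("padding string missing or shorter than 8 bytes")
    pms = block[sep + 1:]
    if len(pms) != PMS_LEN:
        raise ValueError(f"payload is {len(pms)} bytes, expected {PMS_LEN}")
    return pms


def keylog_line(encrypted_pms: bytes, decrypted: bytes) -> str:
    """Format 'RSA <first 8 ciphertext bytes> <48-byte pre-master secret>'."""
    # The RSA ciphertext is exactly as long as the modulus.
    pms = extract_pms(decrypted, len(encrypted_pms))
    return f"RSA {encrypted_pms[:8].hex()} {pms.hex()}"


# Constructed sample data (not from a real capture, not real RSA output).
SAMPLE_PMS = b"\x03\x03" + bytes(range(1, 47))
SAMPLE_BLOCK = b"\x00\x02" + b"\xaa" * 205 + b"\x00" + SAMPLE_PMS
SAMPLE_CIPHERTEXT = bytes.fromhex("0123456789abcdef") + bytes(248)

if __name__ == "__main__":
    print(keylog_line(SAMPLE_CIPHERTEXT, SAMPLE_BLOCK))
```

A key log line whose second field is longer than 96 hex characters still contains padding, which is the mistake described in the comment further down.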

answered 2018-04-25 19:53:47 +0000

Uli

According to epan/dissectors/packet-ssl-utils.c:

/* The format of the file is a series of records with one of the following formats:
 *   - "RSA xxxx yyyy"
 *     Where xxxx are the first 8 bytes of the encrypted pre-master secret (hex-encoded)
 *     Where yyyy is the cleartext pre-master secret (hex-encoded)
 *     (this is the original format introduced with bug 4349)
 *   - "RSA Session-ID:xxxx Master-Key:yyyy"
 *     Where xxxx is the SSL session ID (hex-encoded)
 *     Where yyyy is the cleartext master secret (hex-encoded)
 *     (added to support openssl s_client Master-Key output)
 *     This is somewhat is a misnomer because there's nothing RSA specific
 *     about this.
 *   - "PMS_CLIENT_RANDOM xxxx yyyy"
 *     Where xxxx is the client_random from the ClientHello (hex-encoded)
 *     Where yyyy is the cleartext pre-master secret (hex-encoded)
 *     (This format allows SSL connections to be decrypted, if a user can
 *     capture the PMS but could not recover the MS for a specific session
 *     with a SSL Server.)
 *   - "CLIENT_RANDOM xxxx yyyy"
 *     Where xxxx is the client_random from the ClientHello (hex-encoded)
 *     Where yyyy is the cleartext master secret (hex-encoded)
 *     (This format allows non-RSA SSL connections to be decrypted, i.e.
 *     ECDHE-RSA.)
 *   - "CLIENT_TRAFFIC_SECRET_0 xxxx yyyy"
 *   - "SERVER_TRAFFIC_SECRET_0 xxxx yyyy"
 *   - "EARLY_EXPORTER_SECRET xxxx yyyy"
 *   - "EXPORTER_SECRET xxxx yyyy"
 *     Where xxxx is the client_random from the ClientHello (hex-encoded)
 *     Where yyyy is the secret (hex-encoded) derived from the early,
 *     handshake or master secrets. (This format is introduced with TLS 1.3
 *     and supported by BoringSSL, OpenSSL, etc. See bug 12779.)


Hi Uli! Thanks for your response! I've already tried the first format in your list and it's not working. Here is an example:

Encrypted pre-master secret: 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

Decrypted pre-master secret: 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

sslkeylog file: RSA 1cc8de6a9aa34399 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

If I import this sslkeylog file, Wireshark doesn't decrypt the traffic that follows the handshake. Where is my mistake?

Wayne (2018-04-27 08:12:09 +0000)
