Ask Your Question
0

How to decrypt WebRTC with Diffie-Hellman?

asked 2019-05-29 11:51:55 +0000

majgab8852 gravatar image

I originally asked this question on another forum, but was redirected here, maybe someone here can help me. Here is the original question, so that no need for me to retype it:

https://security.stackexchange.com/qu...

Please take a look, the currently one and only answer from 'blabla_trace' suggested I try my luck here as well.

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
0

answered 2019-05-29 22:02:03 +0000

SYN-bit gravatar image

I see no problem with the decryption:

$ tshark -o tls.keylog_file:ssl-keys.log -r wireshark.pcapng -Y "tls.record.content_type in {20..22}" -T fields -e tcp.stream -e frame.number -e _ws.col.Info | sort -n
11  63  Client Hello
11  65  Server Hello, Change Cipher Spec, Encrypted Extensions, Finished
11  66  Change Cipher Spec, Finished
11  70  SETTINGS[0], WINDOW_UPDATE[0]
18  111 Client Hello
18  172 Server Hello, Certificate, Server Hello Done
18  182 Alert (Level: Fatal, Description: Certificate Unknown)
19  112 Client Hello
19  151 Server Hello, Certificate, Server Hello Done
19  162 Alert (Level: Fatal, Description: Certificate Unknown)
20  116 Client Hello
20  194 Server Hello, Certificate, Server Hello Done
20  209 Alert (Level: Fatal, Description: Certificate Unknown)
21  210 Client Hello
21  273 Server Hello, Certificate, Server Hello Done
21  276 Client Key Exchange, Change Cipher Spec, Finished
21  298 Change Cipher Spec
21  374 Finished
22  219 Client Hello
22  259 Server Hello, Certificate, Server Hello Done
22  260 Client Key Exchange, Change Cipher Spec, Finished
22  313 Change Cipher Spec
22  373 Finished
23  224 Client Hello
23  292 Server Hello, Certificate, Server Hello Done
23  294 Client Key Exchange, Change Cipher Spec, Finished
23  349 Change Cipher Spec
23  380 Finished
24  1923    Client Hello
24  1925    Server Hello
24  1926    Alert (Level: Fatal, Description: Certificate Unknown)
24  1930    Change Cipher Spec, Finished
25  1942    Client Hello
25  1947    Server Hello
25  2059    Change Cipher Spec, Finished
25  2060    Change Cipher Spec, Finished
25  4955    Alert (Level: Warning, Description: Close Notify)
34  2378    Client Hello
34  2381    Server Hello
34  2382    Alert (Level: Fatal, Description: Certificate Unknown)
34  2384    Change Cipher Spec, Finished
35  2389    Client Hello
35  2392    Server Hello
35  2398    Change Cipher Spec, Finished
35  2399    Change Cipher Spec, Finished
35  4936    Alert (Level: Warning, Description: Close Notify)
36  3053    Encrypted Alert
$

All TLS sessions that have a TLS handshake are decrypted, as can be seen by the "finished" handshake message at the end of each TLS handshake.

However, traffic on port 8443 is not automatically dissected as HTTP once it is decrypted. You need to add 8443 to the "SSL/TLS Ports" list in the HTTP protocol preferences.

edit flag offensive delete link more

Comments

After adding 8443 to HTTPS list, I am now able to decrypt HTTPS traffic between my laptop and the application server hosting the webpage which is used to launch WebRTC calls. So for TCP, it's all fine. I'm still not sure about UDP though. The logs you mention say it decrypts everything it can, but it seems it is unable to decrypt all. For my new capture, I can see this:

ssl_generate_pre_master_secret: found SSL_HND_CLIENT_KEY_EXCHG, state 97
ssl_restore_master_key can't find pre-master secret by Unencrypted pre-master secret
ssl_restore_master_key can't find pre-master secret by Encrypted pre-master secret
dissect_ssl3_handshake can't generate pre master secret

ssl_finalize_decryption state = 0x97
ssl_restore_master_key can't restore master secret using an empty Session ID
ssl_restore_master_key can't find master secret by Client Random

ssl_finalize_decryption state = 0x17
ssl_restore_master_key can't find master secret by Session ID
ssl_restore_master_key can't find master secret by Client Random

And ...(more)

majgab8852 gravatar imagemajgab8852 ( 2019-05-30 13:55:30 +0000 )edit

Do I understand your SE post correctly that you would like to decrypt the RTP session on UDP port 16004? The DTLS client-hello has a random value that is not listed in your ssl-keys.log file. Is the WebRTC played with a plugin in Chrome? If so, it might not support the SSLKEYLOGFILE variable to log pre-master secrets to.

You will need to fix the logging of the pre-master secret for the DTLS sessions of the WebRTC player first before Wireshark is able to decrypt anything for this session.

SYN-bit gravatar imageSYN-bit ( 2019-05-30 14:36:58 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2019-05-29 11:51:55 +0000

Seen: 2,194 times

Last updated: May 29 '19