I am trying to view the encrypted key during the SSL key exchange process. But I am not able to view the encrypted keys. Surely it must be possible to view the keys in their encrypted form, but how?
asked 19 Apr '12, 23:45
If all is well, you should see a "ClientKeyExchange" SSL handshake message. If you are using a DH cipher, you should also see a "ServerKeyExchange" SSL handshake message.
If you don't see those, you might not have the right protocol preferences. First of all, check in the TCP protocol preferences that you have "Allow subdissector to reassemble TCP streams" enabled. Then check in the SSL protocol preferences if all reassembly options are enabled.
BTW, I assume you are seeing your SSL conversations dissected as SSL...
answered 20 Apr '12, 03:50
Unlike the simple PKI-based encryption process which uses a symmetric key which is transmitted along with the document, encrypted with the recipient's public key, SSL/TLS encryption uses a more complicated process.
Instead of one participant making up a symmetric key and sending it in encrypted form in a packet, the handshake process will implement an algorithm by which the two ends agree on a "master secret" which is then used by both ends to independently construct the same symmetric session key. Parts of the pre-master secret are sent encrypted, but never the entire symmetric key. The exact details will vary depending on whether SSLv2, SSLv3 or TLS is used and will also vary based on the encryption suite which client and server agree upon.
Wireshark can calculate the same symmetric key if it sees both sides of the handshake and knows the private key of the server certificate.
answered 20 Apr '12, 01:19
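The derivation described in the answer above, written out for one concrete case as an added example (not part of the original answers). It assumes the TLS 1.2 PRF with SHA-256 from RFC 5246 and the key sizes of TLS_RSA_WITH_AES_128_CBC_SHA; the random values and pre-master secret are constructed, not taken from a capture.

```python
import hashlib
import hmac


def p_hash(secret, seed, length):
    """P_SHA256 data expansion (RFC 5246, section 5)."""
    out, a = b"", seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()  # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret, label, seed, length):
    return p_hash(secret, label + seed, length)


def master_secret(pre_master, client_random, server_random):
    # 48 bytes, computed locally by each end; it is never sent on the wire.
    return prf(pre_master, b"master secret", client_random + server_random, 48)


def session_keys(master, client_random, server_random):
    # Sizes for TLS_RSA_WITH_AES_128_CBC_SHA under TLS 1.2 (assumed suite):
    # two 20-byte MAC keys and two 16-byte AES keys, no fixed IV.
    sizes = [("client_mac", 20), ("server_mac", 20),
             ("client_key", 16), ("server_key", 16)]
    # Note the seed order is reversed here: server_random comes first.
    block = prf(master, b"key expansion", server_random + client_random,
                sum(n for _, n in sizes))
    keys, pos = {}, 0
    for name, n in sizes:
        keys[name] = block[pos:pos + n]
        pos += n
    return keys


# Constructed sample values (not from a real capture).
CLIENT_RANDOM = bytes(range(32))        # visible in ClientHello
SERVER_RANDOM = bytes(range(32, 64))    # visible in ServerHello
PRE_MASTER = b"\x03\x03" + bytes(range(100, 146))  # version + 46 bytes

if __name__ == "__main__":
    # The client generated PRE_MASTER; the server recovers the same bytes by
    # RSA-decrypting ClientKeyExchange. Each side then derives keys on its own.
    client = session_keys(master_secret(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM),
                          CLIENT_RANDOM, SERVER_RANDOM)
    server = session_keys(master_secret(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM),
                          CLIENT_RANDOM, SERVER_RANDOM)
    print("both ends derived identical keys:", client == server)
```

Only the two random values and the RSA-encrypted pre-master secret appear in the capture; everything returned by `session_keys` exists only in memory at each end.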