This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to find the symmetric key generated by the browser

0

Hi folks,

During an HTTPS connection, our browser will encrypt the randomly generated number with the public key of a website to have an encrypted communication. I just want to know: is there any method to find out the randomly generated number of our browser using Wireshark? I would also like to know: can we sniff an HTTPS connection to see the payload? I heard there are some tools available on the market to find what data is sent via HTTPS.

Regards, Bluebird

asked 07 Jun '12, 22:19

bluebird77


4 Answers:

1

> I just want to know is there any method to find out the randomly generated number of our browser using wireshark.
> I would also like to know can we sniff https connection to see the payload?

No, Wireshark can't "find" the key for you (e.g. by searching the computer memory).

However, you can decrypt an SSL session if you give Wireshark the private key of the webserver (only possible if you have access to that key!). By sniffing the SSL handshake, Wireshark is able to extract the session key. See here:

http://wiki.wireshark.org/SSL

Follow the instructions and you will be able to decrypt an SSL connection.

> I heard there are some tools available in market to find what data is sent via HTTPS.

Those are most certainly plugins for a browser that are able to capture data in the browser before it gets encrypted. Like these:

http://www.httpwatch.com/
http://www.iewatch.com/

My preferred tool for web debugging is a proxy that is able to do SSL "decryption".

http://www.fiddler2.com/fiddler2/

Fiddler is a good companion to Wireshark if you don't have access to the web server's private key and you need to "see" the decrypted communication (URLs, error messages, etc.).

Regards
Kurt

answered 08 Jun '12, 01:30

Kurt Knochner ♦

edited 08 Jun '12, 02:04

thanks Kurt.....

(13 Jun '12, 21:34) bluebird77

0

Should the question be about how to find the random number (32 bytes) which the client's browser sends to the web server, and which (along with the server's random number (32 bytes)) is employed to generate the session key (the length depends on the cipher suite, whose code is not encrypted within the handshake), then this random number (the server's random number as well) is sent in unencrypted form too.

answered 31 Jan '14, 12:59

Buktop

edited 31 Jan '14, 13:16

0

Actually, to be more precise, the HTTPS site visited gives the browser a certificate which has its public key in it (this can be seen in the certificate). The browser in return makes a pseudo-randomly generated symmetric key from mouse clicks and key presses and encrypts the public key with it. On the other side, the site, upon receiving the encrypted public key, uses its private key to decrypt it.

So here the question is about being able to read the symmetric key generated by the browser to encrypt the HTTPS public key.

answered 13 Jul '17, 19:24

nassim

You are trying to describe a key exchange based on an RSA cipher suite, but some details are misleading:

  1. The RSA public key encrypts a randomly generated premaster secret. Not the other way round. The server decrypts the encrypted premaster secret with its private RSA key and obtains the same premaster secret.
  2. This premaster secret is not generated from just mouse clicks and key presses. It is taken from a (pseudo)random number generator which could (but does not have to) incorporate things like mouse clicks.

If you provide the private RSA key file to Wireshark and such an RSA key exchange is in use, then Wireshark can decrypt packets on the fly. If a Diffie-Hellman key exchange is in use, then it becomes a different story.

(14 Jul '17, 07:45) Lekensteyn

0

If you use Chrome or Firefox as your browser, you can set an environment variable, "SSLKEYLOGFILE".

If that environment variable is set, the browsers will append to the file every time they create a new SSL session key. You can instruct Wireshark to import those keys and it will then decrypt any SSL sessions that match those keys.

This website gives a good description and "how to" do this.

https://jimshaver.net/2015/02/11/decrypting-tls-browser-traffic-with-wireshark-the-easy-way/

Of course, you can only set this up on a user PC (Windows or Linux) that you have control over and are able to set the variable then extract the keyfiles from.

The capture doesn't have to be taken on the PC though.

answered 31 Aug '17, 03:22

Philst

Or you can go direct to the Wireshark Wiki for information on how to decrypt a TLS\SSL session rather than a 2 year old blog post that will never be updated.

The Wiki page is here and the section discussing the Pre-Master Secret is here.

(31 Aug '17, 03:52) grahamb ♦

The Wiki page actually includes a link to the page I referenced. I just saved a step.

(31 Aug '17, 05:22) Philst
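
The SSLKEYLOGFILE answer and the earlier point that the 32-byte client random is sent unencrypted fit together: the key log is indexed by that cleartext random, which identifies the session but is not the key itself. The sketch below is an added example, not part of any post in this thread; the function names and all sample data are constructed for illustration, and it assumes the NSS key log line format `CLIENT_RANDOM <random hex> <secret hex>`.

```python
# Added example: NSS key log lookup keyed by the cleartext ClientHello random.
# All names and sample data here are constructed for illustration.

def parse_keylog(text):
    """Map client_random -> {label: secret} from NSS key log text."""
    keys = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[0].startswith("#"):
            continue  # blank line, comment, or malformed entry
        label, rand_hex, secret_hex = parts
        try:
            rand, secret = bytes.fromhex(rand_hex), bytes.fromhex(secret_hex)
        except ValueError:
            continue  # not hex
        if len(rand) == 32:  # skips entries whose index is not a client random
            keys.setdefault(rand, {})[label] = secret
    return keys

def client_random_from_record(record):
    """Return the 32-byte random of a cleartext ClientHello record, else None."""
    # 5-byte record header, 4-byte handshake header, 2-byte client_version
    if len(record) < 43 or record[0] != 0x16 or record[5] != 0x01:
        return None
    return record[11:43]

def secrets_for_record(record, keylog_text):
    """Secrets logged for the session this ClientHello opens ({} if none)."""
    rand = client_random_from_record(record)
    return parse_keylog(keylog_text).get(rand, {}) if rand else {}

def build_sample_client_hello(random32):
    """Constructed minimal TLS 1.2 ClientHello (one cipher suite, no extensions)."""
    body = b"\x03\x03" + random32 + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake

SAMPLE_RANDOM = bytes(range(32))
SAMPLE_KEYLOG = (
    "# constructed key log, not from a real session\n"
    f"CLIENT_RANDOM {SAMPLE_RANDOM.hex()} {'ab' * 48}\n"
    f"CLIENT_RANDOM {'ff' * 32} {'cd' * 48}\n"
)

if __name__ == "__main__":
    hello = build_sample_client_hello(SAMPLE_RANDOM)
    print(client_random_from_record(hello).hex())
    print(secrets_for_record(hello, SAMPLE_KEYLOG))
```

A capture whose ClientHello random has no matching line in the key log yields an empty result, which is why the log must come from the same client process that made the connection.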