Ask Your Question

Revision history [back]

click to hide/show revision 1
initial version

Unable decode RSA

Hi guys,

Facing challenge in decrypt SSL packet which is using RSA cipher suite. For the same key and configuration, i able to decrypt another packet that capture using the same pcap filter, but for this pcap that is failed.

Any idea?

Wireshark SSL debug log

Wireshark version: 3.2.1 (v3.2.1-0-gbf38a67724d0) GnuTLS version: 3.6.3 Libgcrypt version: 1.8.3

KeyID[20]: | 93 4b 08 74 34 79 60 3b 3a 7b 98 0f 8c 1a 9d 93 |.K.t4y`;:{......| | 4d 86 8f f7 |M... | ssl_init private key file D:/xxx/xxx/Security/UAT.key successfully loaded. ssl_init port '9100' filename 'D:/xxx/xxx/Security/UAT.key' password(only for p12 file) '' association_add tls.port port 9100 handle 0000027873340110

dissect_ssl enter frame #4 (already visited) packet_from_server: is from server - FALSE conversation = 0000027873C51A40, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 31 dissect_ssl3_record: content_type 21 Alert

dissect_ssl enter frame #9 (already visited) packet_from_server: is from server - FALSE conversation = 0000027873C53370, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 31 dissect_ssl3_record: content_type 21 Alert

dissect_ssl enter frame #11 (already visited) packet_from_server: is from server - FALSE conversation = 0000027873C54010, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 31 dissect_ssl3_record: content_type 21 Alert

dissect_ssl enter frame #12 (already visited) packet_from_server: is from server - FALSE conversation = 0000027873C54A60, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 31 dissect_ssl3_record: content_type 21 Alert

dissect_ssl enter frame #14 (already visited) packet_from_server: is from server - FALSE conversation = 0000027873C55700, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 31 dissect_ssl3_record: content_type 21 Alert

dissect_ssl enter frame #1 (first time) packet_from_server: is from server - TRUE conversation = 000002780102AA40, ssl_session = 000002780102B170 record: offset = 0, reported_length_remaining = 1436 ssl_try_set_version found version 0x0303 -> state 0x10 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 1431, ssl state 0x10 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available

dissect_ssl enter frame #21 (first time) packet_from_server: is from server - TRUE conversation = 000002780102F3A0, ssl_session = 000002780102FE60 record: offset = 0, reported_length_remaining = 137 ssl_try_set_version found version 0x0303 -> state 0x11 dissect_ssl3_record: content_type 22 Handshake decrypt_ssl3_record: app_data len 81, ssl state 0x11 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 2 offset 5 length 77 bytes ssl_try_set_version found version 0x0303 -> state 0x11 Calculating hash with offset 5 81 ssl_dissect_hnd_hello_common found SERVER RANDOM -> state 0x13 ssl_set_cipher found CIPHER 0x009C TLS_RSA_WITH_AES_128_GCM_SHA256 -> state 0x17 ssl_load_keyfile dtls/tls.keylog_file is not configured! tls13_load_secret TLS version 0x303 is not 1.3 tls13_load_secret TLS version 0x303 is not 1.3 record: offset = 86, reported_length_remaining = 51 dissect_ssl3_record: content_type 20 Change Cipher Spec decrypt_ssl3_record: app_data len 1, ssl state 0x17 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available ssl_dissect_change_cipher_spec Session resumption using Session ID ssl_load_keyfile dtls/tls.keylog_file is not configured! ssl_finalize_decryption state = 0x17 ssl_restore_master_key can't find master secret by Session ID ssl_restore_master_key can't restore master secret using an empty Session Ticket ssl_restore_master_key can't find master secret by Client Random Cannot find master secret packet_from_server: is from server - TRUE ssl_change_cipher SERVER record: offset = 92, reported_length_remaining = 45 dissect_ssl3_record: content_type 22 Handshake decrypt_ssl3_record: app_data len 40, ssl state 0x17 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available

dissect_ssl enter frame #23 (first time) packet_from_server: is from server - FALSE conversation = 000002780102F3A0, ssl_session = 000002780102FE60 record: offset = 0, reported_length_remaining = 51 dissect_ssl3_record: content_type 20 Change Cipher Spec decrypt_ssl3_record: app_data len 1, ssl state 0x17 packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder decrypt_ssl3_record: no decoder available ssl_load_keyfile dtls/tls.keylog_file is not configured! ssl_finalize_decryption state = 0x17 ssl_restore_master_key can't find master secret by Session ID ssl_restore_master_key can't find master secret by Client Random Cannot find master secret packet_from_server: is from server - FALSE ssl_change_cipher CLIENT record: offset = 6, reported_length_remaining = 45 dissect_ssl3_record: content_type 22 Handshake decrypt_ssl3_record: app_data len 40, ssl state 0x17 packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder decrypt_ssl3_record: no decoder available

Thanks.

Regards GuoHan

Unable decode RSA

Hi guys,

Facing challenge in decrypt SSL packet which is using RSA cipher suite. For the same key and configuration, i able to decrypt another packet that capture using the same pcap filter, but for this pcap that is failed.

Any idea?

Wireshark SSL debug log

Wireshark version: 3.2.1 (v3.2.1-0-gbf38a67724d0)
GnuTLS version:    3.6.3
Libgcrypt version: 1.8.3

1.8.3 KeyID[20]: | 93 4b 08 74 34 79 60 3b 3a 7b 98 0f 8c 1a 9d 93 |.K.t4y`;:{......| | 4d 86 8f f7 |M... | ssl_init private key file D:/xxx/xxx/Security/UAT.key successfully loaded. ssl_init port '9100' filename 'D:/xxx/xxx/Security/UAT.key' password(only for p12 file) '' association_add tls.port port 9100 handle 0000027873340110

0000027873340110 dissect_ssl enter frame #4 (already visited) packet_from_server: is from server - FALSE conversation = 0000027873C51A40, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 31 dissect_ssl3_record: content_type 21 Alert

Alert dissect_ssl enter frame #9 (already visited) packet_from_server: is from server - FALSE conversation = 0000027873C53370, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 31 dissect_ssl3_record: content_type 21 Alert

Alert dissect_ssl enter frame #11 (already visited) packet_from_server: is from server - FALSE conversation = 0000027873C54010, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 31 dissect_ssl3_record: content_type 21 Alert

Alert dissect_ssl enter frame #12 (already visited) packet_from_server: is from server - FALSE conversation = 0000027873C54A60, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 31 dissect_ssl3_record: content_type 21 Alert

Alert dissect_ssl enter frame #14 (already visited) packet_from_server: is from server - FALSE conversation = 0000027873C55700, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 31 dissect_ssl3_record: content_type 21 Alert

Alert dissect_ssl enter frame #1 (first time) packet_from_server: is from server - TRUE conversation = 000002780102AA40, ssl_session = 000002780102B170 record: offset = 0, reported_length_remaining = 1436 ssl_try_set_version found version 0x0303 -> state 0x10 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 1431, ssl state 0x10 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available

available dissect_ssl enter frame #21 (first time) packet_from_server: is from server - TRUE conversation = 000002780102F3A0, ssl_session = 000002780102FE60 record: offset = 0, reported_length_remaining = 137 ssl_try_set_version found version 0x0303 -> state 0x11 dissect_ssl3_record: content_type 22 Handshake decrypt_ssl3_record: app_data len 81, ssl state 0x11 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 2 offset 5 length 77 bytes ssl_try_set_version found version 0x0303 -> state 0x11 Calculating hash with offset 5 81 ssl_dissect_hnd_hello_common found SERVER RANDOM -> state 0x13 ssl_set_cipher found CIPHER 0x009C TLS_RSA_WITH_AES_128_GCM_SHA256 -> state 0x17 ssl_load_keyfile dtls/tls.keylog_file is not configured! tls13_load_secret TLS version 0x303 is not 1.3 tls13_load_secret TLS version 0x303 is not 1.3 record: offset = 86, reported_length_remaining = 51 dissect_ssl3_record: content_type 20 Change Cipher Spec decrypt_ssl3_record: app_data len 1, ssl state 0x17 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available ssl_dissect_change_cipher_spec Session resumption using Session ID ssl_load_keyfile dtls/tls.keylog_file is not configured! ssl_finalize_decryption state = 0x17 ssl_restore_master_key can't find master secret by Session ID ssl_restore_master_key can't restore master secret using an empty Session Ticket ssl_restore_master_key can't find master secret by Client Random Cannot find master secret packet_from_server: is from server - TRUE ssl_change_cipher SERVER record: offset = 92, reported_length_remaining = 45 dissect_ssl3_record: content_type 22 Handshake decrypt_ssl3_record: app_data len 40, ssl state 0x17 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available

available dissect_ssl enter frame #23 (first time) packet_from_server: is from server - FALSE conversation = 000002780102F3A0, ssl_session = 000002780102FE60 record: offset = 0, reported_length_remaining = 51 dissect_ssl3_record: content_type 20 Change Cipher Spec decrypt_ssl3_record: app_data len 1, ssl state 0x17 packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder decrypt_ssl3_record: no decoder available ssl_load_keyfile dtls/tls.keylog_file is not configured! ssl_finalize_decryption state = 0x17 ssl_restore_master_key can't find master secret by Session ID ssl_restore_master_key can't find master secret by Client Random Cannot find master secret packet_from_server: is from server - FALSE ssl_change_cipher CLIENT record: offset = 6, reported_length_remaining = 45 dissect_ssl3_record: content_type 22 Handshake decrypt_ssl3_record: app_data len 40, ssl state 0x17 packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder decrypt_ssl3_record: no decoder available

available

Thanks.

Regards GuoHan