
decrypt saved capture with private key


I am using Wireshark 64-bit, version 3.0.2. I am trying to decrypt an HTTPS capture file that is using port 8443 for HTTPS. I have the private key. I can't seem to get a straight answer on how this works despite multiple posts. First, there is no SSL, so I have selected TLS in the Protocols section of Preferences. Just below that is RSA Keys. I assume that is where I put the location of the key file (with .key extension). I also put in the following information in the TLS Decrypt under Protocols:

IP address: source IP listed in the capture
Port: 8443
Protocol: http
Key File: same private key located on desktop that I listed under RSA Keys.

Clicked OK, OK, but nothing happens. What did I miss?

notquitestr8t, asked 2019-07-16 15:44:58 +0000
grahamb, updated 2019-07-16 15:51:14 +0000


1 Answer


Firstly, the SSL dissector has been renamed to TLS, so everything else, e.g. preferences, has been adjusted accordingly.

Secondly, the configuration is slightly simpler now; if using a private RSA server key, only the RSA Keys entry is listed. The key file should be in PEM format, i.e. it should be text and contain "-----BEGIN RSA PRIVATE KEY-----", or a PKCS#12 store, i.e. a .pfx file.

Thirdly, a private RSA key can only be used to decrypt the traffic if the following are true:

  • The cipher suite selected by the server is not using (EC)DHE.
  • The protocol version is SSLv3 or (D)TLS 1.0-1.2. It does not work with TLS 1.3.
  • The private key matches the server certificate. It does not work with the client certificate, nor the Certificate Authority (CA) certificate.
  • The session has not been resumed. The handshake must include the ClientKeyExchange handshake message.

See the wiki TLS page for more info.

grahamb, answered 2019-07-16 16:03:46 +0000
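As an added illustration (not part of the answer, and not Wireshark's own code), the following Python parses a TLS ServerHello record and applies the answer's conditions: negotiated version (including the TLS 1.3 supported_versions extension), (EC)DHE versus static RSA key exchange, and session resumption via an echoed session ID. The ServerHello bytes are constructed in `build_server_hello` for the example; the cipher suite table is a small subset of the IANA registry.

```python
import struct

CIPHER_SUITES = {  # IANA codes (subset) -> (name, key-exchange method)
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", "RSA"),
    0x009C: ("TLS_RSA_WITH_AES_128_GCM_SHA256", "RSA"),
    0x009E: ("TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "DHE"),
    0xC02F: ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "ECDHE"),
    0xC030: ("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "ECDHE"),
    0x1301: ("TLS_AES_128_GCM_SHA256", "TLS1.3"),
}

def parse_server_hello(record):
    """Return (negotiated_version, session_id, cipher_suite) from a ServerHello record."""
    if record[0] != 0x16 or record[5] != 0x02:
        raise ValueError("not a ServerHello handshake record")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    version = struct.unpack("!H", body[:2])[0]
    sid_len = body[34]                              # after 2-byte version + 32-byte random
    session_id = body[35:35 + sid_len]
    pos = 35 + sid_len
    suite = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 3                                        # cipher suite + compression method
    if pos + 2 <= len(body):                        # optional extensions block
        pos, ext_end = pos + 2, pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            if etype == 0x002B:                     # supported_versions carries the real TLS 1.3 version
                version = struct.unpack("!H", body[pos + 4:pos + 6])[0]
            pos += 4 + elen
    return version, session_id, suite

def rsa_key_decryptable(record, client_session_id=b""):
    """Apply the answer's conditions; return (ok, list_of_blocking_reasons)."""
    version, session_id, suite = parse_server_hello(record)
    name, kex = CIPHER_SUITES.get(suite, ("unknown_suite_0x%04x" % suite, "unknown"))
    reasons = []
    if version >= 0x0304:
        reasons.append("TLS 1.3 negotiated: the server RSA key cannot decrypt")
    elif kex != "RSA":
        reasons.append("%s: key exchange is %s, not RSA" % (name, kex))
    if client_session_id and session_id == client_session_id:
        reasons.append("session resumed: no ClientKeyExchange to decrypt")
    return not reasons, reasons

def build_server_hello(version, suite, session_id=b"", ext=b""):  # constructed sample, not a capture
    body = struct.pack("!H", version) + bytes(32) + bytes([len(session_id)]) + session_id
    body += struct.pack("!HB", suite, 0) + (struct.pack("!H", len(ext)) + ext if ext else b"")
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 0x16, 0x0303, len(hs)) + hs
```

Run against the ServerHello of the real capture (Wireshark's "Export Packet Bytes" on the TLS record is one way to obtain it) to see which of the four conditions blocks decryption.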

Comments

Thank you very much for the clarification. Since this capture is using TLS 1.2 and all our cipher suites are TLS_DHE_RSA or TLS_ECDHE_RSA, then I guess I am SOL. At least I know why. Thanks again for the link and the information.

notquitestr8t (2019-07-16 16:26:14 +0000)
