To follow the decryption example from Wireshark: I downloaded the capture file but didn't see the key in the comments of that capture file:

On the Wireshark website, it says the SSL keys are in the comments, but I just didn't see them. Is there another way to view the comments? Can anyone try the linked file:

https://wiki.wireshark.org/uploads/__moin_import__/attachments/SampleCaptures/http2-16-ssl.pcapng

from https://wiki.wireshark.org/SampleCaptures

File: http2-16-ssl.pcapng (HTTP2 with ALPN h2-16 extension) (5.1 KB, from https://git.lekensteyn.nl/peter/wireshark-notes/commit/tls/http2-16-ssl.pcapng?id=a24c03ce96e383faf2a624bfabd5cc843e78ab2a, SSL keys in capture file comments)

I am doing this because I have used keytool to generate the key/cert and run a small HTTP/2 server with this cert/key:

keytool -genkey -alias undertow -storetype PKCS12 -keyalg RSA -keysize 2048 -keystore keystore.p12 -dname "CN=localhost, OU=localhost, O=localhost, L=Zhengzhou, ST=Henan, C=CN"

However, when capturing the packets using Wireshark, they are encrypted, but I really don't know how to use the cert to decrypt them. So I followed the example with SSL on the website, but the key is not showing up lol

  • Communication is symmetrically encrypted with a randomly generated key agreed upon during the handshake. Having access to the certificate won't help you in this case. – mr mcwolf Aug 18 '22 at 09:42
  • @mrmcwolf Ah, I forgot about that. The client uses the public key to encrypt a random key and sends it to the server, which they agree on. Then where can we get this symmetric key? But it still doesn't explain why the comment doesn't contain anything. It is an example file from Wireshark – Stan Aug 18 '22 at 09:50
  • You can't get it from anywhere (you need the server's private key), that's the point anyway. However, different clients (e.g. browsers) allow various debug options where they log the keys they generate. So you can take the key from the logs and use it to decrypt the traffic. – mr mcwolf Aug 18 '22 at 09:54
  • @mrmcwolf but I thought the random key is sent in the client hello and we can use the .p12 file to decrypt it. Isn't it? – Stan Aug 18 '22 at 09:56
  • @mrmcwolf doesn't keystore.p12 contain the private key already? – Stan Aug 18 '22 at 09:57
  • @mrmcwolf so can curl log the key? – Stan Aug 18 '22 at 09:59
  • When sending asymmetric encrypted data to the server, the client encrypts with the server's public key. An exception is made only for the "proof" that the client owns the private key of the certificate it uses. – mr mcwolf Aug 18 '22 at 10:01
  • @mrmcwolf yes, I own the key. The server runs locally and the key/cert were generated by myself – Stan Aug 18 '22 at 10:23
  • **DO NOT post images of code, data, error messages, etc.** - copy or type the text into the question. [ask] – Rob Aug 18 '22 at 14:02

1 Answer

I think I figured out the answer on my own: First, as @mrmcwolf pointed out, the key is generated by the client and then safely encrypted using the public key and sent to the server. Therefore we need to log this key, which is allowed for debugging purposes:

Steps:

First step:
Configure the keylog file for Wireshark. Here tlskey.log is just an empty file created by myself.

Second step
The second step is to just enable logging for your client, which can be the curl utility or a browser. I use curl and it is simple. We just need to put SSLKEYLOGFILE=[file location I set up in Wireshark] at the very beginning of the curl command I am going to run:

SSLKEYLOGFILE=[file location I set up in wireshark] curl --http2 -v -k -X POST https://localhost:8443/log/synk -H "Content-Type: application/json" -d '{"value":200}'

If you use a browser, you just need to export the env var in the terminal or shell: export SSLKEYLOGFILE=[path you set up in Wireshark]

Then we can view the decrypted data directly in Wireshark.

I am so happy I figured this out, so that I learned about how HTTP/2 encodes the body message and about Wireshark usage, and verified that the JSON is still being sent in ASCII rather than binary. I wish everyone can solve the challenges they encounter while learning.

-----------------Update----------------------------

I guess another way is to extract the private key from the PKCS12 file and then add it as an RSA key in Wireshark. I shouldn't have used the PKCS12 file directly in Wireshark.

KS Explorer in IntelliJ

Extract public/private key from PKCS12 file for later use in SSH-PK-Authentication

  • "I guess another way is to extract the private key from pkcs12 file and then add it as RSA key in wireshark." It is not the private key associated with the certificate that is used to encrypt all the TLS handshakes. A key is generated at random as part of the initial phases of the handshake. There are tons of resources online already explaining how to make decryption work in Wireshark. Example: https://www.trickster.dev/post/decrypting-your-own-https-traffic-with-wireshark/ and including on Wireshark's own website: https://wiki.wireshark.org/TLS – Patrick Mevzek Aug 18 '22 at 14:35
  • @PatrickMevzek You are right, but it depends on what handshake it is, RSA or ECDHE. Nowadays we don't use RSA. Traditionally in RSA, we use the public key to encrypt the random secret generated by the client. By using the private key, we can decrypt the secret, therefore using the secret to decrypt the messages further. – Stan Aug 18 '22 at 16:47
  • "You are right but it depends on what handshake it is." No, not with TLS 1.3 anymore, where ephemeral keys are mandatory, as it should be. – Patrick Mevzek Aug 18 '22 at 16:48