Score:1

Read ECDHE traffic with Wireshark or the like

us flag

There is some https traffic from a specific server (which I have the certificate and private key) that I need legitimately be able to read.

This traffic doesn’t come via browser so besides the ephemeral protocol being used using a pre-master secret key is not an option.

Is there any way it is possible to decrypt and analyze the traffic without downgrading the cypher suite to some deprecated RSA non ephemeral one?

Ideally using wireshark, but open to something else as well.

Vadym Fedyukovych avatar
in flag
So what kind of "legitimacy" it is?
Nacionarte avatar
us flag
Legitimacy meaning we have done tests with http and now https testing is needed so we need to be able to read the traffic. The other side ask for it and provided us the certificate and private key.
Score:2
ru flag

There's nothing that you can do from a purely passive point of view. The private information relating to the certificate does not directly provide any information about the ephemeral keys used in the ECDHE exchange. This is part of the promise of forward security that ephemeral schemes provide.

You can actively set up a man-in-the-middle gateway that intercepts all incoming requests and responds to the handshake as the server would (using the certificate and private keys). You can then set up your own connection with the server and relay information between client and server. The this would then provide you with access to all of the decrypted information.

Note that this advice is purely technical. There may be legal restrictions according to your jurisdiction and obviously you are beholden to your own ethical code as to whether this is appropriate handling of information.

Nacionarte avatar
us flag
Thanks for the information Daniel. Can you point me as to how to actively set up the Mitm gw? This is work, nothing ilegal here; it is just I’m the person assigned to accomplish this task. The client asked for this and it is already informed of the implications of a infrastructure of this kind.
Nacionarte avatar
us flag
Currently RTFM SSLsplit as my hopes of doing it with wireshark are done. Open to suggestions about the most simple way of accomplish this tasks.
Daniel S avatar
ru flag
A quick google threw up this website: https://mitmproxy.org I have no experience of this product nor this vendor.
fgrieu avatar
ng flag
Addition: an alternative to an active MitM attack is to instrument the software at one of the end to output something that should otherwise remain secret, therefore allowing decryption of a passive intercept. If interested in the DHE exchange, that can be the private ephemeral secret generated by that software. If interested only in later data, that can be the shared secret before or even after it goes thru the KDF.
Nacionarte avatar
us flag
Thanks fgrieu. It looks this the way will follow. Thankyou.
mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.