Wireshark-users: Re: [Wireshark-users] SSL decryption -- RSA Key format

From: "Baker, Brian" <brian@xxxxxxxxxxxxxxxxxxxxx>
Date: Tue, 7 Nov 2006 12:31:42 -0500

Hi Vijay,

I’m not using gnutls or libgcrypt – I’m just using the Win32 installer. Here is a snippet from the log file (with the actual HTTP payload removed).

Brian

ssl_init keys string 10.231.4.61,443,http,d:\GR\temp\grhealth.pem

ssl_init found host entry 10.231.4.61,443,http,d:\GR\temp\grhealth.pem

ssl_init addr 10.231.4.61 port 443 filename d:\GR\temp\grhealth.pem

ssl_get_version: 1.5.1

ssl_init private key file d:\GR\temp\grhealth.pem successfully loaded

association_add TCP port 443 protocol http handle 05CBDE40

association_find: TCP port 443 found 0750D888

ssl_association_remove removing TCP 443 - http handle 05CBDE40

association_add TCP port 443 protocol http handle 05CBDE40

association_find: TCP port 636 found 040C75F0

ssl_association_remove removing TCP 636 - ldap handle 05CBCC48

association_add TCP port 636 protocol ldap handle 05CBCC48

association_find: TCP port 993 found 040BFF08

ssl_association_remove removing TCP 993 - imap handle 05CCE588

association_add TCP port 993 protocol imap handle 05CCE588

association_find: TCP port 995 found 040BF5D8

ssl_association_remove removing TCP 995 - pop handle 05E318D0

association_add TCP port 995 protocol pop handle 05E318D0

dissect_ssl enter frame #4

ssl_session_init: initializing ptr 07A71A18 size 568

association_find: TCP port 2796 found 00000000

packet_from_server: is from server 0

dissect_ssl server 10.231.4.61:443

client random len: 16 padded to 32

dissect_ssl enter frame #6

dissect_ssl enter frame #7

dissect_ssl3_record: content_type 22

decrypt_ssl3_record: app_data len 2231 ssl state 11

decrypt_ssl3_record: no session key

dissect_ssl3_handshake iteration 1 type 2 offset 5 length 70 bytes, remaining 2236

dissect_ssl3_hnd_hello_common found random state 13

dissect_ssl3_hnd_srv_hello found cipher 4, state 17

dissect_ssl3_hnd_srv_hello not enough data to generate key (required 37)

dissect_ssl3_handshake iteration 0 type 11 offset 79 length 2149 bytes, remaining 2236

dissect_ssl3_handshake iteration 0 type 14 offset 2232 length 0 bytes, remaining 2236

dissect_ssl enter frame #10

dissect_ssl3_record: content_type 22

decrypt_ssl3_record: app_data len 132 ssl state 17

decrypt_ssl3_record: no session key

dissect_ssl3_handshake iteration 1 type 16 offset 5 length 128 bytes, remaining 137

dissect_ssl3_handshake found SSL_HND_CLIENT_KEY_EXCHG state 17

pre master encrypted[128]:

ssl_decrypt_pre_master_secret:RSA_private_decrypt

pcry_private_decrypt: stripping 79 bytes, decr_len 127

decypted_unstrip_pre_master[127]:

pre master secret[48]:

03 00 a3 8e 98 49 a5 4b 7b 7a 25 3a aa 64 61 42

38 d8 96 58 d2 df fc 11 82 61 69 65 27 9b 66 9d

ef d8 02 be 08 e2 56 af 98 ee f8 bc 37 64 db 6c

ssl_generate_keyring_material:PRF(pre_master_secret)

ssl3_prf: sha1_hash(1)

ssl3_prf: md5_hash(1) datalen 48

ssl3_prf: sha1_hash(2)

ssl3_prf: md5_hash(2) datalen 48

ssl3_prf: sha1_hash(3)

ssl3_prf: md5_hash(3) datalen 48

master secret[48]:

99 73 10 dc 57 ca 60 03 99 89 7c 94 43 bb e0 a6

8a 46 94 f8 a4 5c 33 ee e1 f8 8e 60 33 06 12 0f

bf 60 74 78 7a d5 9e 15 47 89 b2 26 de 91 7d fd

ssl_generate_keyring_material sess key generation

ssl3_prf: sha1_hash(1)

ssl3_prf: md5_hash(1) datalen 48

ssl3_prf: sha1_hash(2)

ssl3_prf: md5_hash(2) datalen 48

ssl3_prf: sha1_hash(3)

ssl3_prf: md5_hash(3) datalen 48

ssl3_prf: sha1_hash(4)

ssl3_prf: md5_hash(4) datalen 48

key expansion[64]:

36 ea ff a5 5f fd 34 e8 84 f5 05 13 b5 4f 09 23

a8 f2 d9 e5 79 84 00 89 b3 1a a6 e2 72 2d 6c 0d

d2 91 30 a0 94 90 20 81 72 65 60 c3 79 20 ff dc

3c d8 eb 05 2b 87 71 1c 9b 58 c0 a7 7d 6a 83 3f

Client MAC key[16]:

36 ea ff a5 5f fd 34 e8 84 f5 05 13 b5 4f 09 23

Server MAC key[16]:

a8 f2 d9 e5 79 84 00 89 b3 1a a6 e2 72 2d 6c 0d

Client Write key[16]:

d2 91 30 a0 94 90 20 81 72 65 60 c3 79 20 ff dc

Server Write key[16]:

3c d8 eb 05 2b 87 71 1c 9b 58 c0 a7 7d 6a 83 3f

Client Write IV[8]:

30 00 00 00 2c cc 12 00

Server Write IV[8]:

48 1d a7 07 30 00 00 00

ssl_generate_keyring_material ssl_create_decoder(client)

ssl_create_decoder CIPHER: ARCFOUR

decoder initialized (digest len 16)

ssl_generate_keyring_material ssl_create_decoder(server)

ssl_create_decoder CIPHER: ARCFOUR

decoder initialized (digest len 16)

ssl_generate_keyring_material client seq 0 server seq 0

ssl_save_session stored session id[32]:

ad 22 00 00 60 a9 d7 45 4d 4e 9d 01 41 f5 1d 80

82 87 24 0c 75 18 ba db 9d ab 86 e9 02 5a 05 22

ssl_save_session stored master secret[48]:

99 73 10 dc 57 ca 60 03 99 89 7c 94 43 bb e0 a6

8a 46 94 f8 a4 5c 33 ee e1 f8 8e 60 33 06 12 0f

bf 60 74 78 7a d5 9e 15 47 89 b2 26 de 91 7d fd

dissect_ssl3_handshake session keys succesfully generated

dissect_ssl3_record: content_type 20

dissect_ssl3_change_cipher_spec

dissect_ssl3_record: content_type 22

decrypt_ssl3_record: app_data len 56 ssl state 1F

association_find: TCP port 2796 found 00000000

packet_from_server: is from server 0

decrypt_ssl3_record: using client decoder

decrypt_ssl3_record: allocating 88 bytes for decrypt data (old len 32)

ssl_decrypt_record ciphertext len 56

Ciphertext[56]:

6d 7d f5 48 fa ba e7 ae 11 f5 87 c4 07 06 b7 47

3b 3c 8c 35 cc 54 29 12 dd 07 39 d6 da 2b a8 63

e0 99 c2 51 85 12 7a 2a c0 21 fb 48 1c c0 d5 12

c1 2b 50 03 59 f4 da d1

Plaintext[56]:

14 00 00 24 dc 2c 0c 06 84 49 7c 70 fa a8 8c 51

6e 37 1f 74 a7 d6 19 2d 2f 7e 8e 0b c1 d6 b8 20

46 7a 83 5e 22 22 ce 54 66 5d c3 99 2a ef a6 23

4e d1 ba 1e f8 fd aa f6

checking mac (len 40, version 300, ct 22 seq 0)

ssl_decrypt_record: mac ok

dissect_ssl3_handshake iteration 1 type 20 offset 0 length 36 bytes, remaining 40

dissect_ssl enter frame #12

dissect_ssl3_record: content_type 20

dissect_ssl3_change_cipher_spec

dissect_ssl3_record: content_type 22

decrypt_ssl3_record: app_data len 56 ssl state 1F

association_find: TCP port 443 found 0750D888

packet_from_server: is from server 1

decrypt_ssl3_record: using server decoder

ssl_decrypt_record ciphertext len 56

Ciphertext[56]:

bf be ec 8b fa 84 6d 27 a1 fb f0 f3 b2 d1 60 c2

23 58 8b 6e e5 06 b6 48 fb ca 4c d4 a7 f4 b3 1c

d6 8f 4d c9 93 52 d3 c9 50 9e 73 d0 d3 6b 18 3f

62 b3 61 6f a3 84 3d 56

Plaintext[56]:

14 00 00 24 7b 3e 3b db 1c 81 d7 4e 9b 62 60 df

c1 d2 16 15 04 1a 13 b5 77 c6 38 74 2a f1 bd c1

3b f8 88 cd 4f 09 6f 60 d2 b8 ea 8c c8 f8 57 fa

64 4b 2b 7c d5 22 46 50

checking mac (len 40, version 300, ct 22 seq 0)

ssl_decrypt_record: mac ok

dissect_ssl3_handshake iteration 1 type 20 offset 0 length 36 bytes, remaining 40

dissect_ssl enter frame #13

dissect_ssl3_record: content_type 23

decrypt_ssl3_record: app_data len 440 ssl state 1F

association_find: TCP port 2796 found 00000000

packet_from_server: is from server 0

decrypt_ssl3_record: using client decoder

decrypt_ssl3_record: allocating 472 bytes for decrypt data (old len 88)

ssl_decrypt_record ciphertext len 440

Ciphertext[440]:

Plaintext[440]:

checking mac (len 424, version 300, ct 23 seq 1)

ssl_decrypt_record: mac ok

decrypt_ssl3_record: allocating app_data 424 bytes for app data

decrypt_ssl3_record: setting decrypted app_data ptr 07A71FC0

association_find: TCP port 2796 found 00000000

association_find: TCP port 443 found 0750D888

association_find: TCP port 2796 found 00000000

association_find: TCP port 443 found 0750D888

dissect_ssl3_record decrypted len 424

dissect_ssl3_record found association 0750D888

decrypted app data: <HTTP request was here>

dissect_ssl enter frame #15

dissect_ssl3_record: content_type 23

decrypt_ssl3_record: app_data len 299 ssl state 1F

association_find: TCP port 443 found 0750D888

packet_from_server: is from server 1

decrypt_ssl3_record: using server decoder

ssl_decrypt_record ciphertext len 299

Ciphertext[299]:

Plaintext[299]:

checking mac (len 283, version 300, ct 23 seq 1)

ssl_decrypt_record: mac ok

decrypt_ssl3_record: allocating app_data 283 bytes for app data

decrypt_ssl3_record: setting decrypted app_data ptr 07A722D0

association_find: TCP port 443 found 0750D888

association_find: TCP port 443 found 0750D888

dissect_ssl enter frame #17

dissect_ssl3_record: content_type 23

decrypt_ssl3_record: app_data len 181 ssl state 1F

association_find: TCP port 443 found 0750D888

packet_from_server: is from server 1

decrypt_ssl3_record: using server decoder

ssl_decrypt_record ciphertext len 181

Ciphertext[181]:

Plaintext[181]:

checking mac (len 165, version 300, ct 23 seq 2)

ssl_decrypt_record: mac ok

decrypt_ssl3_record: allocating app_data 165 bytes for app data

decrypt_ssl3_record: setting decrypted app_data ptr 07A724C0

association_find: TCP port 443 found 0750D888

association_find: TCP port 443 found 0750D888

dissect_ssl3_record decrypted len 448

dissect_ssl3_record found association 0750D888

decrypted app data: <HTTP response here>

From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Vijay Sitaram
Sent: Wednesday, November 01, 2006 10:24 PM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] SSL decryption -- RSA Key format

Hi Brian,

Thanks for confirming that SSL decryption worked. So far I have not been able to get the decryption working on my end.

Can you please confirm the version of gnutls and libgcrypt that you are using? Also, it would be great if you can copy and paste the output from ssldebug.txt.

Kind regards,

Vijay
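
A triage helper for comparing a failing ssldebug.txt against a working log like the one in this message, added here as an example and not part of the original thread or of Wireshark. The function name `triage`, the stage names and the sample log are constructed for illustration; the patterns are taken from the message strings that appear in the log above.

```python
import re

# Constructed sample: message strings follow the log format in the post,
# hex dumps omitted, key path replaced with a placeholder.
SAMPLE_LOG = """\
ssl_init private key file server.pem successfully loaded
dissect_ssl enter frame #7
decrypt_ssl3_record: no session key
dissect_ssl3_hnd_srv_hello found cipher 4, state 17
dissect_ssl enter frame #10
dissect_ssl3_handshake found SSL_HND_CLIENT_KEY_EXCHG state 17
pre master secret[48]:
dissect_ssl3_handshake session keys succesfully generated
checking mac (len 40, version 300, ct 22 seq 0)
ssl_decrypt_record: mac ok
dissect_ssl enter frame #13
checking mac (len 424, version 300, ct 23 seq 1)
ssl_decrypt_record: mac ok
"""

# Milestones in the order a full RSA handshake produces them (hypothetical names).
STAGES = [
    ("key_loaded", re.compile(r"ssl_init private key file .+ successfully loaded")),
    ("server_hello", re.compile(r"dissect_ssl3_hnd_srv_hello found cipher (\d+)")),
    ("client_key_exchange", re.compile(r"found SSL_HND_CLIENT_KEY_EXCHG")),
    ("pre_master", re.compile(r"^pre master secret\[(\d+)\]:")),
    ("session_keys", re.compile(r"session keys succes+fully generated")),
]
MAC_CHECK = re.compile(r"checking mac \(len \d+, version \d+, ct (\d+) seq \d+\)")

def triage(log_text):
    """Return stages reached, the first stage missing, and MAC-verified records per content type."""
    seen, mac_ok, pending_ct = {}, {}, None
    for line in (raw.strip() for raw in log_text.splitlines()):
        for name, rx in STAGES:
            m = rx.search(line)
            if m and name not in seen:
                # Keep the captured number (cipher id, secret length) when there is one.
                seen[name] = m.group(1) if m.groups() else True
        m = MAC_CHECK.search(line)
        if m:
            pending_ct = int(m.group(1))      # remember which record is being checked
        elif line == "ssl_decrypt_record: mac ok" and pending_ct is not None:
            mac_ok[pending_ct] = mac_ok.get(pending_ct, 0) + 1
            pending_ct = None
    stalled_at = next((name for name, _ in STAGES if name not in seen), None)
    return {"stages": seen, "stalled_at": stalled_at, "mac_ok": mac_ok}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

In `mac_ok`, content type 22 is a handshake record (the encrypted Finished messages) and 23 is application data; a `stalled_at` value names the first milestone the log never reached.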