Decrypt TLS in Wireshark with (pre-)master key - tls1.2

I have been following the documentation about decrypting TLS using (pre-master) key, stored in (the RSA Session-ID:xxxx Master-Key:yyyy format) but it still won't decrypt it properly. I am using TLSv1.2 with TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 but that shouldn't be the problem with master key (contrary to RSA private key). Here is the debug log:
https://gist.github.com/rvansa/a75479dabac23b4435eacef91c185fd4
Regrettably I am not sure which of the error-ey messages are red herrings and where the problem is. AFAIU the master key is loaded correctly...

Related

Correct key exchange procedure for hybrid encryption using Pycryptodome

I'm writing a module that creates a secure communication channel using ZeroMQ sockets and Pycryptodome.
The initial handshake between client and server would follow these steps :
Both parties send their public RSA key to each other.
The server generates an AES session key and a signature for that key.
The server RSA-encrypts the session key and the signature before sending it to the client. (*)
The client verifies the signature and stores the session key.
The client generates a token, generates its signature and sends both AES-encrypted to the server.
The server verifies the signature and echoes back the token.
If the token received matches the one sent, the handshake is considered successful.
I found on this thread that it was preferable to sign the message then encrypt it, rather than encrypting then signing it.
The problem is that the signature, for a 2048 bits RSA key, is 256 bytes long. The maximum encryption size for the same key is 190 bytes. This means I can't encrypt the signature as suggested in the thread.
Should I encrypt the signature with the AES session key ? Should I proceed another way ?
I know there are "standardized" key exchange protocols (ECDH for example) but they are not available in Pycryptodome yet.
Cipher: RSA PKCS1 OAEP
Signing : PKCS1 PSS w/ BLAKE2b hash

TLS handshake - Symmetric scheme

From what I can tell TLS works using both symmetric and assymmetric encryption.
The assymmetric schemes are used to exchange keys but when and what symmetric schemes are used?
The asymmetric schemes are used to exchange keys
and digital-signatures.
The symmetric schemes are used to data transfer with the agreed symnetric key during the key-exchange.
This is called Hybrid cryptosystem.
Yes you are right. Asymmetric algorithms are usually slower than the symmetric algorithms. However, symmetric algorithms require a shared secret key to encrypt and decrypt messages. Therefore, TLS allows the client and the server exchange a shared secret key using the asymmetric mechanism. Without an asymmetric algorithm, there is no way the shared secret can be exchanged between the two parties in a secured way. Once both the parties have the shared secret key, all subsequent communication between the client and the server are encrypted using the symmetric algorithm which is much faster than the asymmetric algorithm.
At a very high level, the steps in establishing a TLS connection looks like this:
Client -> Requests for secured session
Server -> Sends certificate & chain certificates
Client -> Verifies certificate
Client -> Generate random key for symmetric encryption
Client -> Encrypts the generated key with the server public key and sends the encrypted value to the server
Server -> Decrypt the client sent key with its own private key
Here onwards all subsequent communications between the server and the client will be encrypted using a symmetric algorithm.
Which specific algorithm will be used is determined by the cipher suites supported by the server and the client. During the connection setup, the cipher suite to be used is determined by the client preference.
A typical cipher suite name looks like this:
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
Here
ECDHE - Key exchange algorithm
ECDSA - Digital Signature algorithm used for signing the key
AES_128_GCM - Block cipher and mode with 128 bit key
ECDHE stands for Elliptic Curve Diffie Hellman Ephemeral. The Elliptic variant (the first E) is used for performance, whereas the Ephemeral variant (the last E) is for forward secrecy. Forward secrecy means that if an attacker keeps recording all the communications over TLS and at a later point of time somehow gets hold of the private key, he/she cannot decrypt the past recorded communications.
ECDSA is used for authenticating (verifying the integrity of) the shared secret. ECDSA is weaker and slower than the other authentication algorithms like HMAC. Yet it is used for shared key authentication because it does not need the verifier know the secret key used to create the authentication tag. The server can very well use its private key to verify the integrity of the message.
AES_128_GCM - Once a common secret key is shared between both the parties (usually a browser and a web server), a symmetric block cipher algorithm is used to encrypt the message exchanges between the parties. In this particular case, the block cipher AES with 128 bit key and GCM authentication mode is used.
If you open a HTTPS website in a browser, you can see the cipher suite used using the browser utilities. For e,g, in Firefox you can see the details under the Security tab in the Page Info, as shown below:

how to encrypt tls 1.0 record layer application data?

I am using TLS_RSA_WITH_3DES_EDE_CBC_SHA cipher suite, and I have sucessfully finished the handshake process, so i should have the correct KEYS for the server side and client side, but when i use the server write key and iv to encrypt the data and put under record layer(applicaiton type) send to client, but when i use wireshark ssl debug, i found out that wireshark didn't decrypt the application data correctly, wonder is the application data use a different key to do the encryption and decryption? Thanks
I have finally found the problem, TLS 1.0 used the last block of encrypted data as new IV to encrypt the data. its a little surprised, the encrypted data is visible on the network, so anyone capture that data can find out the IV.

Encryption in Wireshark (HTTP, AES, JSON)

I got a HTTP-Post in Wireshark with a encrypted payload.
Where can I add the Key for decrypting the content?
The Content should be JSON and the encryption is AES 128 bit. I got the Key in HEX.
There was no success using several online decryption tools.
Wireshark accepts keys in PEM format. They usually look like this:
-----BEGIN ENCRYPTED PRIVATE KEY-----
Mxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END ENCRYPTED PRIVATE KEY-----
To enter the key in Wireshark, you need to go to Edit-> Preferences -> Protocols -> SSL
Note that the ability of any tool to decipher the encrypted stream depends on the key-exchange mechanism. If the client and server use, for example, a variation of the Diffie-Hellman algorithm for key exchange, it would be impossible to decrypt the stream.

Send AES Key and IV to client

Is it safe to send a mobile client an AES Key and IV from the server to use for encrypting sensitive data? The key and IV would be sent using TLS. This key would be used for encrypting data from end to end.
Update:
My requirements have actually changed, so I don't need to do this, but the solution I came up with was actually to have the client send a public key to the server over tls. Then the server could encrypt the keys with that public key and send them back to the client.
It would be as secure as any data in TLS. It also depends on how much your client trusts this TLS, which may not have two sided authentication.
But basically sending the key this way doesn't add much to using TLS. If TLS is insecure then the AES key is insecure. If it isn't then the AES key is secure...but TLS was already secure. There might be a slight advantage if you'd use a ciphersuite that provides forward security (DHE_ or ECDHE_).
But mostly, if you send anything, you'd send a public key such as a PGP key. The person on the other hand still has to trust the sender of course (i.e. by validating the fingerprint) but if the TLS connection is insecure then leaking the public key would at least not break anything encrypted using it.

Resources