1

At the moment I have an EC private key in my possession and also some traffic that was encrypted using the aforementioned private key. I have been trying to use OpenSSL to turn the private key into something Wireshark can work with. For example, going from the original:

-----BEGIN EC PRIVATE KEY-----
/* BASE 64 ENCODED *\
-----END EC PRIVATE KEY-----

To the following:

-----BEGIN CERTIFICATE-----
/* BASE 64 ENCODED */
-----END CERTIFICATE-----

Via the command:

openssl req -new -x509 -key private_key.pem -out server.pem -days 730

However Wireshark doesn't seem to enjoy this either. Is there a way to decrypt ECDSA traffic using wireshark?

Alexander Craggs
  • 111
  • 3
  • 1
    Which cipher was used? If it is an ECDHE or DHE cipher then the private key of the certificate is not sufficient to decrypt the traffic because of [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy). – Steffen Ullrich Jun 25 '16 at 10:54
  • I'm afraid I'm rather new to this and don't entirely know how to work out what the type is. Could you shed some light on how to find out? I didn't generate the private key myself. @SteffenUllrich – Alexander Craggs Jun 25 '16 at 10:57
  • 2
    In this case I would recommend to first study [How does SSL/TLS work?](http://security.stackexchange.com/questions/20803/how-does-ssl-tls-work) because it contains the information you need to understand how encryption works and what is needed for decryption, the role of certificates and ciphers etc. – Steffen Ullrich Jun 25 '16 at 11:00
  • Aha, thank you for the reference, I'll look over that now @SteffenUllrich – Alexander Craggs Jun 25 '16 at 11:24
  • @SteffenUllrich Read both that article and most of the ones attached to that. Still not quite understanding how to get access to the key used via Wireshark. I can find the protocol is indeed TCP, but nothing else (I'm looking at the more indepth view of each packet of Wireshark, [picture](http://puu.sh/pFtq6/0da4ee1ee9.png). – Alexander Craggs Jun 25 '16 at 12:42
  • To find out the cipher used you need to check the TLS details of the ServerHello message. Looking at TCP level only will not help. – Steffen Ullrich Jun 25 '16 at 13:22
  • Let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/41655/discussion-between-popey-gilbert-and-steffen-ullrich). – Alexander Craggs Jun 25 '16 at 13:44

0 Answers0