Hi All,
I am doing packet monitoring using a WFP driver. But I am not able to see the HTTPS packets as these are SSL encrypted. How will I decrypt it?
Rajendra
You need to have the private key to the https site you’re connecting to, which you can feed to a couple of different https trace programs and they will decode your encrypted traffic. If you have control over the https site, for development, you might be able to configure a non-encrypted https connection. Https has a negotiation at the beginning on what algorithms everybody prefers, and a common set is agreed on. You could certainly hack Apache and SSLeay to negotiate null encryption, although you might need to also adjust the local SSL client. SSL without encryption still does run the message digest, so it can have valid uses.
If you want to decode arbitrary SSL to sites you don’t have the private key to, that’s a little harder, by design.
Jan
-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: Tuesday, July 23, 2013 10:48 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] How to decode SSL in case of HTTPS packets
Hi All,
I am doing packet monitoring using a WFP driver. But I am not able to see the HTTPS packets as these are SSL encrypted. How will I decrypt it?
Rajendra
Thanks Jan.
I am implementing a network packet monitoring platform for my project. Only I am not able to monitor HTTPS packets (i.e. SSL decryption). I really need a solution for this. Please suggest me some solution.
Rajendra.
> I really need solution for this. Please suggest me some solution.
I think you are missing a fundamental point.
Transport Layer Security (TLS) / Secure Sockets Layer (SSL) negotiates an
encrypted ‘tunnel’ to assure the privacy and integrity of the application
data conveyed across the connection. The very purpose of this protocol
family is to ensure that intermediaries like your proposed packet filter
cannot decipher the contents of that application layer exchange.
The only way to decode the TLS/SSL or other encrypted protocol layer traffic
is to have access to the key(s) that governed the initial handshake and
observe that handshake or to be told explicitly by one end or the other the
session key(s) in use.
If what you were proposing were possible, TLS/SSL would be useless and
pointless.
By ‘project’ I am assuming you mean a student project at university or some
such. If the scope of your project included decoding the contents of
third-party secure transmissions and your advisor agreed to this, your
advisor is either cruel or not paying attention. If you did not explicitly
propose doing such a thing then I will charitably assume your advisor is not
expecting you to accomplish this [by design nearly impossible] feat.
You should [have] explicitly define the capabilities, protocols, and
scenarios that your packet monitor will ‘monitor’ and clearly state that it
is not possible to decode encrypted protocol layers. Others include IPSec,
ISAKMP (IKE), etc.
There are good texts available on network security and SSL/TLS. You might
want to consult the introductory material in one of them.
Good Luck,
Dave Cattley
Impossible, this is what SSL is about.
WFP is like on-the-wire stuff. And SSL guarantees crypto strength for on-the-wire data.
You can only do user-mode hooks - different for each popular browser, and one more for OpenSSL based software - to see SSL stuff in cleartext.
–
Maxim S. Shatskih
Microsoft MVP on File System And Storage
xxxxx@storagecraft.com
http://www.storagecraft.com
> HTTPS packets (i.e. SSL decryption). I really need a solution for this. Please suggest me some solution.
Impossible by the very definition of SSL - SSL protects against traffic monitors seeing the data.
–
Maxim S. Shatskih
Microsoft MVP on File System And Storage
xxxxx@storagecraft.com
http://www.storagecraft.com
Hi Maxim,
If it’s impossible, how is wireshark doing it? I checked the wireshark source code; it’s doing the same thing that I have implemented so far. They also have a WFP driver + SSL/TLS decoding as per .pem file. But I am a little bit confused and only a little bit concerned about packet loss. So any idea on this?
Rajendra
Hi David,
It’s a project for my college and they want to maximize their bandwidth with this. They are not pressuring me on this. They are just suggesting it to me. Please help me. I checked some open source projects like wireshark, openssl etc. but I am a little bit lost.
Rajendra.
Do they decrypt SSL? With the help of some additional software module, maybe?
This problem has exactly three solutions:
If you are not an expert in cryptography, your best bets are
IIRC no packet sniffer does any better than that. If one did, I would not
call it a sniffer; I would call it a virus.
What does “SSL” stand for? Seriously, dude, if you could decrypt an SSL
packet using a packet monitoring system, it would be called “ISL”. I
leave it as an Exercise For The Reader to determine what “I” means.
joe
NTDEV is sponsored by OSR
Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev
OSR is HIRING!! See http://www.osr.com/careers
For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars
To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer
Hi all,
Thanks for your reply. But if you want to create a firewall type of project, you should filter all types of traffic (including HTTPS also). So for me, gaining knowledge on this type of project is more important. So please give me some solution rather than advice.
Thanks
Rajendra.
You simply cannot create a firewall that filters encrypted packets by
looking at their payload. The idea makes no sense at all. It is
impossible. It is nonsensical. It can never happen. ONLY the recipient
of the packet can decode the payload. Now, you can work on the header
information, which must be in plaintext, but you cannot, under any
possible conditions, decrypt the payload and inspect it. This violates
the basic characteristics of a secure communication channel. You can’t
handle VPN traffic, or anything else that uses any kind of encrypted
payload. Anyone who expects you to do this is a fool. In fact, I have
written apps which use plaintext packets, and there is absolutely nothing
at all that a firewall could do even if it inspected the plaintext
payload, because the information is intelligible ONLY to the receiving
program. Perhaps you have misunderstood either “stateful packet
inspection” or the “Secure” part of SSL, but in either case, the payload
of the packet is out-of-bounds for anything you are doing.
joe
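What a filter can legitimately act on is the plaintext handshake metadata Joe refers to above, which is also what James's proxy-based host-name check comes down to: before TLS 1.3 Encrypted Client Hello, the ClientHello carries the requested host name in the Server Name Indication extension in the clear, while every record after the handshake is opaque. The Python below is an added example, not code from the thread, from Wireshark or from any product named in it; the ClientHello bytes are constructed inline as sample input, and the host names are placeholders.

```python
import struct

TLS_HANDSHAKE = 0x16          # record content type: handshake
HS_CLIENT_HELLO = 0x01        # handshake message type: ClientHello
EXT_SERVER_NAME = 0x0000      # extension type: server_name (SNI)


def build_client_hello(hostname: str) -> bytes:
    """Constructed sample input: a minimal TLS 1.2 ClientHello record with one
    filler extension placed before the SNI extension, so the parser has to walk
    the extension list instead of assuming a fixed offset."""
    name = hostname.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type host_name(0)
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext_sni = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    # signature_algorithms (type 0x000d) with a single entry, used as filler
    ext_sigalg = struct.pack("!HH", 0x000D, 4) + struct.pack("!H", 2) + b"\x04\x03"
    extensions = ext_sigalg + ext_sni
    body = (
        b"\x03\x03"                                   # client_version: TLS 1.2
        + bytes(range(32))                            # "random": fixed bytes for the sample
        + b"\x00"                                     # session_id: empty
        + struct.pack("!H", 4) + b"\xc0\x2f\x00\x9c"  # two cipher suites
        + b"\x01\x00"                                 # compression methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([TLS_HANDSHAKE]) + b"\x03\x01"
            + struct.pack("!H", len(handshake)) + handshake)


def extract_sni(record: bytes):
    """Return the SNI host name from a TLS ClientHello record, or None when the
    record is not a ClientHello, is truncated, or carries no SNI extension."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != HS_CLIENT_HELLO:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    try:
        pos = 2 + 32                                  # skip client_version and random
        pos += 1 + body[pos]                          # session_id
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2 + cs_len                             # cipher_suites
        pos += 1 + body[pos]                          # compression_methods
        if pos + 2 > len(body):
            return None                               # no extensions at all
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + ext_size]
            pos += ext_size
            if ext_type == EXT_SERVER_NAME:
                # data = list_len(2) name_type(1) name_len(2) name
                if len(data) < 5 or data[2] != 0:
                    return None
                name_len = struct.unpack("!H", data[3:5])[0]
                name = data[5:5 + name_len]
                if len(name) != name_len:
                    return None                       # truncated name
                return name.decode("ascii")
    except (struct.error, IndexError, UnicodeDecodeError):
        return None                                   # malformed or cut-off record
    return None


def classify(record: bytes, blocked_hosts) -> str:
    """Firewall decision for one TLS record using only plaintext metadata:
    'block'/'allow' for a ClientHello with SNI, 'opaque' for everything else
    (encrypted records expose no application data to inspect)."""
    host = extract_sni(record)
    if host is None:
        return "opaque"
    return "block" if host in blocked_hosts else "allow"


if __name__ == "__main__":
    blocked = {"blocked.example"}                     # placeholder host names
    for rec in (build_client_hello("bank.example"),
                build_client_hello("blocked.example"),
                b"\x17\x03\x03\x00\x05hello"):        # an application_data record
        print(extract_sni(rec), classify(rec, blocked))
```

SNI is client-supplied and unauthenticated, and TLS 1.3 with Encrypted Client Hello hides it, so this gives a coarse control on the destination, never a view of the application data; anything past the handshake classifies as opaque, which is exactly the limit the replies in this thread describe.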
To decode SSL you need to construct a man-in-the-middle attack.
Firstly you need to brute force the private key of Verisign’s CA certificate. This will likely take more time than your users are prepared to wait though, so instead create your own CA root certificate and force the client to accept your root certificate into their list of trusted certificates.
Then when the client connects to their bank via your firewall, you construct a certificate for their bank’s domain name (and store it for future use), signed with your trusted root certificate (or forge a certificate signed by verisign etc, but that will likely take longer than your users are prepared to wait ;). Then you can intercept all their traffic.
There are some technical problems with this approach, in particular what do you do about the situation where the bank’s certificate is expired or invalid? The client can no longer see this because they have accepted your certificate already and you would have to notify them out-of-band.
There are many other problems with this too. If you do this without the client’s knowledge then you may be committing a crime. If a client uses your firewall knowingly then they may be operating against the terms of their agreement with their bank (effectively revealing their details to you, which is never acceptable).
Google for squid ssl intercept for lengthy discussions on why this is almost certainly a really bad idea, and for some of the very limited situations where it may be warranted.
Forcing the clients to use a proxy is probably the best way, as you can then intercept the target host name and choose to allow or block on that basis.
And for anyone who is unsure, yes there is lots of sarcasm here.
James
As was pointed out, if you are not concerned about little details like
legality, criminal prosecution, and taking relaxing vacations at private
resorts run by the state or federal governments (in the U.S.) or various
hell-holes (for many other countries), then, by all means, implement the
man-in-the-middle attack. But note that not only are you in violation of
the laws about improper use of confidential information, if that
information is leaked as a consequence of your illegal activity, you can
be liable for massive civil prosecution in the U.S. for damages, which
will almost certainly involve numbers best expressed with large exponents,
such as small multiples of US$1E7. If I declare that the information in
the packets represents copyrighted information, you enter whole new
versions of hell, since such an attack would be a violation of the DMCA
(Disney Must Conquer All) legislation. In the list of really stupid
ideas, this would rank fairly high in the list of ways to screw yourself.
(In case you didn’t get the sarcasm part of the other message, “longer
than your users would care to wait” involves durations approximating the
life of the Sun, such as a brute-force attack on RSA-4096)
joe
Hi,
I think u all are thinking too much. If wireshark, netfilter and antivirus software have done these things in their products, then why can’t I do this for my project? If it is a crime in the U.S., then why is the U.S. not banning these software products? Please think logically. I am not telling u all are wrong. I just want to implement it for my current project, so that I can build a firewall project.
Thanks
Rajendra
> Hi,
> I think u all are thinking so much.
Or maybe you are not thinking enough?
> If wireshark,
“This only works for RSA key exchange if the RSA keys can be provided.”
> netfilter
Nope
> and antivirus
If you can hook into IE/FF/Safari/etc then you can analyse traffic before encryption and after decryption. Antivirus is not looking at HTTPS packets.
> software have done these things in their product, then why i cant do this for
> my project. If it is a crime in U.S,then why U.S is not banning these software
> products. Please think logical, I am not not telling u all are wrong. I just
> implement for my current project, so that i can build a firewall project.
If you understood SSL and the associated encryption algorithms you would understand why this is not possible.
If you “think logical” for a minute, if you could decrypt SSL without knowing the keys then do you think banks would use it? The whole point is that you can’t decrypt it unless you have the encryption keys.
Please read this link http://wiki.squid-cache.org/Features/HTTPS and this one http://wiki.squid-cache.org/Features/SslBump (and pages linked from there), which explain how the squid web proxy does pretty much exactly what you are asking. Understand the way it is done, the technical limitations of doing so, and the ethical considerations.
If you google further for squid ssl interception you’ll find more and more articles about how to do it, and why you shouldn’t in most situations.
James
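The one-line Wireshark quote in the reply above (RSA key exchange only) and Jan's earlier point about needing the site's private key are the same fact seen from two sides: a captured handshake plus the server's private key yields the session key only when that key was used to encrypt the premaster secret. The Python below is an added example, not from the thread, Wireshark or OpenSSL; it uses constructed toy RSA and Diffie-Hellman parameters (far too small for real use, textbook RSA without padding), a SHA-256 stand-in for the TLS PRF, and models a passive monitor that has been handed the server's RSA private key.

```python
import hashlib
import math
import secrets

# Toy server RSA key (constructed: small primes, textbook RSA, no padding)
RSA_P, RSA_Q, RSA_E = 1000003, 1000033, 65537
RSA_N = RSA_P * RSA_Q
_PHI = (RSA_P - 1) * (RSA_Q - 1)
assert math.gcd(RSA_E, _PHI) == 1
RSA_D = pow(RSA_E, -1, _PHI)

# Toy Diffie-Hellman group (constructed: 2^31-1 is prime, but nowhere near real size)
DH_P, DH_G = 2147483647, 7


def derive_key(premaster: int, client_random: bytes, server_random: bytes) -> bytes:
    """Stand-in for the TLS PRF: session key = H(premaster || randoms)."""
    return hashlib.sha256(premaster.to_bytes(16, "big") + client_random + server_random).digest()


def _params_digest(cr: bytes, sr: bytes, B: int) -> int:
    """Hash of the signed ServerKeyExchange parameters, reduced into the RSA modulus."""
    h = hashlib.sha256(cr + sr + f"{DH_P},{DH_G},{B}".encode()).digest()
    return int.from_bytes(h, "big") % RSA_N


def rsa_key_exchange():
    """RSA key exchange: the client picks the premaster and encrypts it to the
    server's public key. Returns (client_key, server_key, wire_transcript)."""
    cr, sr = secrets.token_bytes(32), secrets.token_bytes(32)
    premaster = secrets.randbelow(RSA_N)
    encrypted = pow(premaster, RSA_E, RSA_N)          # ClientKeyExchange payload on the wire
    server_premaster = pow(encrypted, RSA_D, RSA_N)   # server decrypts with its private key
    wire = {"kx": "rsa", "client_random": cr, "server_random": sr,
            "encrypted_premaster": encrypted}
    return derive_key(premaster, cr, sr), derive_key(server_premaster, cr, sr), wire


def dhe_key_exchange():
    """Ephemeral DH: the server's RSA key only signs the DH parameters; the
    premaster comes from exponents a and b that never leave either endpoint."""
    cr, sr = secrets.token_bytes(32), secrets.token_bytes(32)
    a = secrets.randbelow(DH_P - 2) + 1
    b = secrets.randbelow(DH_P - 2) + 1
    A, B = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    signature = pow(_params_digest(cr, sr, B), RSA_D, RSA_N)   # ServerKeyExchange signature
    wire = {"kx": "dhe", "client_random": cr, "server_random": sr,
            "A": A, "B": B, "signature": signature}
    client_premaster = pow(B, a, DH_P)
    server_premaster = pow(A, b, DH_P)
    return derive_key(client_premaster, cr, sr), derive_key(server_premaster, cr, sr), wire


def verify_server_params(wire: dict) -> bool:
    """What anyone holding the server's *public* key can check: the DH
    parameters were signed by the server."""
    cr, sr = wire["client_random"], wire["server_random"]
    return pow(wire["signature"], RSA_E, RSA_N) == _params_digest(cr, sr, wire["B"])


def passive_observer(wire: dict, rsa_d: int):
    """A monitor that captured the handshake and was given the server's RSA
    private key (the situation Wireshark's RSA-keys feature covers). Returns the
    session key it can reconstruct, or None when the transcript is not enough."""
    cr, sr = wire["client_random"], wire["server_random"]
    if wire["kx"] == "rsa":
        premaster = pow(wire["encrypted_premaster"], rsa_d, RSA_N)
        return derive_key(premaster, cr, sr)
    # DHE: the premaster is g^(ab) mod p; the wire carries only g^a and g^b, and
    # the RSA private key played no part in producing either exponent.
    return None


def demo() -> dict:
    """Run both exchanges once and report what the endpoints and the observer got."""
    rsa_client, rsa_server, rsa_wire = rsa_key_exchange()
    dhe_client, dhe_server, dhe_wire = dhe_key_exchange()
    return {
        "rsa_endpoints_agree": rsa_client == rsa_server,
        "rsa_observer_recovers": passive_observer(rsa_wire, RSA_D) == rsa_client,
        "dhe_endpoints_agree": dhe_client == dhe_server,
        "dhe_params_authentic": verify_server_params(dhe_wire),
        "dhe_observer_recovers": passive_observer(dhe_wire, RSA_D) == dhe_client,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With (EC)DHE the long-term key only authenticates the parameters, so a monitor holding it can confirm who the server is but cannot recover the shared secret; a monitor on such a deployment therefore depends on the endpoint itself exporting its session secrets, the "told explicitly by one end or the other" case in Dave's reply, which in practice means instrumenting the client as Maxim describes rather than anything a filter driver can do on its own.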
Once again: Wireshark decrypts SSL? Then they have installed some hooks into SSL client DLLs, which are browser-dependent BTW - Mozilla and Opera will use their own ones, not MS’s SECURITY.DLL/SCHANNEL.DLL.
Also, lots of https:// enabled software uses its own local copy of OpenSSL’s DLLs (libeay/ssleay) in its own directory, like the Atlassian SourceTree git version control client.
Decrypting SSL from a non-endpoint machine (by listening to the network), as well as decrypting SSL based on traffic alone at filter driver level, is just plain impossible.
–
Maxim S. Shatskih
Microsoft MVP on File System And Storage
xxxxx@storagecraft.com
http://www.storagecraft.com
No, we are thinking correctly. You seem to not be thinking at all. There
are no packet inspectors that can inspect https packets unless you have
provided them with the ability to do so, which generally means you have
provided them with the necessary private key if PKI is used. And tell
them which algorithm is being used. Since the products you mention are
not attacking the encryption, they are not illegal, and your project is no
different. You are asking to do the impossible, and seem disappointed and
resentful that it is impossible. Get over it.
You will also be more credible if you don’t sound like a 12-year-old. “u”
is a texting abbreviation favored by 12-year-olds.
As far as logical thinking:
Only packets not secured by encryption can be displayed in plaintext
All SSL packets are secured by encryption
Therefore, no SSL packet can be displayed in plaintext*
* Only packets to which you have the decryption key can be displayed in
plaintext
All SSL packets are encrypted
Therefore, you cannot display an SSL packet in plaintext unless you
have the key**
** Decrypting information for which you do not have a legitimate key is
illegal
Assume you have successfully decrypted a packet for which you do not
have legitimate access to the key
Therefore, you have committed a crime***
*** All people who are convicted of crimes can go to jail
Assume you are convicted of committing a crime
Therefore, you go to jail
Now, given all this information, why do you think your project is going to
be able to do something that cannot be done?
Note that the earlier description of using proxies to fake the
communication and handle the key request can be built, but as far as I
know, using them would be illegal.
What do you think you are going to learn by inspecting payloads? Note
that if I were trying to attack your machine, I would encrypt the payload
before sending it through SSL, so after you crack the SSL encryption, you
are faced with an encrypted packet. Which only my malware can decrypt,
but you don’t know what algorithm I am using, so you now have to crack
that encryption. Good luck.
joe
Stop whining
xxxxx@gmail.com wrote:
> Thanks for your reply. But if you want to create a firewall type of project, you should filter all type of traffics ( includes HTTPS also). So for me gaining knowledge on this type of project is more important. So please give me some solution rather than advise.
There is no solution. The entire POINT of an encrypted connection is
that no entity in the path except for the originating application and
the destination application can read the contents. If encrypted
connections could be read that easily, no human would ever send credit
card numbers over the web.
You cannot filter SSL connections by content. It’s just that simple.
Stop asking.
–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.