HTTPS (SSL) protocol and Wireshark packet capture: analysis and decryption

Source: Internet
Author: User

Building on the earlier security-protocol analysis of SSL, this article first reviews the SSL protocol and then uses Wireshark to capture packets and examine the specific message flow.

The SSL protocol stack sits between TCP and the application layer and is divided into the SSL record protocol layer and the SSL handshake protocol layer. The handshake layer comprises the SSL handshake protocol, the SSL change cipher spec protocol and the SSL alert protocol. The purpose of the handshake protocol is to negotiate keys between the two communicating parties, while the record layer defines how upper-layer protocol data is encapsulated: the record protocol fragments the data into blocks, computes a message authentication code, encrypts, adds a header and transmits the result.

SSL Handshake:

1. Initialization phase. The client generates a random number and sends ClientHello to the server, carrying that random number together with the protocol versions, encryption algorithms and compression algorithms it supports. The server replies with ServerHello, carrying its own generated random number and the selected protocol version, encryption algorithm and compression algorithm.

2. Authentication phase. After sending ServerHello, the server may send a certificate containing its public key to the client (Certificate) and may request the client's certificate (CertificateRequest).

3. Key negotiation phase. The client verifies the certificate and, if it received a CertificateRequest, sends a certificate containing its own public key; it also hashes all previous handshake messages and sends the result to the server, protected with the negotiated algorithm. At the same time the client generates the random Pre-master-secret, encrypts it with the server's public key and sends it (ClientKeyExchange). The server receives the ClientKeyExchange and decrypts the Pre-master-secret. Server and client then combine it with the random numbers from phase 1 to compute the Master-secret.

4. Handshake termination. Server and client each send a ChangeCipherSpec message to notify the other side that the Master-secret will from now on be used to encrypt and decrypt the connection, and each sends a termination message (Finished) to the other.
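The phase 3 computation above, worked through as an added example that is not part of the original article: the TLS 1.2 PRF (RFC 5246, P_SHA256) derives the Master-secret from the Pre-master-secret and the two Hello randoms, and then expands it into the key block; all input values are constructed.

```python
# Added example: TLS 1.2 master-secret derivation and key expansion (RFC 5246).
# Input values are constructed for illustration, not taken from a real capture.
import hmac
import hashlib


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 data-expansion function (RFC 5246 section 5)."""
    out = b""
    a = seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()          # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: P_SHA256(secret, label + seed)."""
    return p_sha256(secret, label + seed, length)


def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """master_secret = PRF(pre_master_secret, "master secret",
                           ClientHello.random + ServerHello.random)[0..47]"""
    if len(client_random) != 32 or len(server_random) != 32:
        raise ValueError("Hello randoms must be 32 bytes each")
    return prf(pre_master, b"master secret", client_random + server_random, 48)


def key_block(master: bytes, client_random: bytes, server_random: bytes, length: int) -> bytes:
    """key_block = PRF(master_secret, "key expansion",
                       ServerHello.random + ClientHello.random)  (note the reversed order)."""
    return prf(master, b"key expansion", server_random + client_random, length)


if __name__ == "__main__":
    # Constructed values: an RSA pre-master secret is 48 bytes (2-byte version + 46 random bytes).
    pms = bytes([0x03, 0x03]) + bytes(range(46))
    cr = bytes(range(32))        # ClientHello.random (constructed)
    sr = bytes(range(32, 64))    # ServerHello.random (constructed)
    ms = master_secret(pms, cr, sr)
    print("master secret:", ms.hex())
    # For TLS_*_WITH_AES_128_GCM_SHA256 the key block holds two 16-byte write keys
    # and two 4-byte implicit IVs (no MAC keys for an AEAD suite).
    kb = key_block(ms, cr, sr, 2 * 16 + 2 * 4)
    print("client_write_key:", kb[:16].hex(), "server_write_key:", kb[16:32].hex())
```

The 48-byte value returned by master_secret is exactly what the browser writes into the key log file described later, which is why Wireshark can decrypt the session without the server's private key.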


HTTPS (Hypertext Transfer Protocol over Secure Socket Layer, that is, HTTP over SSL) uses port 443. The server must obtain a certificate from a CA; the SSL handshake establishes a secure channel, and application data is then encrypted symmetrically with the negotiated key.

Filtering for SSL traffic in Wireshark, you can see several obvious session-setup packets, such as Client Hello and Server Hello.


The client first sends ClientHello, carrying its random number together with the protocol versions, encryption algorithms and compression algorithms it supports; in the captured packet you can also see the list of cipher suites the client offers.

In the Server Hello packet you can see the cipher suite chosen by the server.


After sending ServerHello, the server may send a certificate containing its public key to the client (Certificate).

The client verifies the certificate; if it received a certificate request it sends its own certificate containing its public key. It also hashes all previous handshake messages and sends the result to the server, protected with the negotiated algorithm.

The HTTPS packets captured by Wireshark are SSL-encrypted, so how can we view the decrypted data? Both Firefox and Chrome can write the symmetric session secrets of their TLS connections to a key log file, and Wireshark can be pointed at that file to decrypt the traffic. Create a new user environment variable SSLKEYLOGFILE=/sslkey.log, then enter the same file location in Wireshark's SSL protocol preferences. For the detailed configuration, refer to:

Reference for configuring SSL decryption: http://www.2cto.com/article/201502/377678.html

After the configuration is complete, restart the browser; Wireshark then shows an additional "Decrypted SSL data" tab, and clicking it displays the decrypted plaintext.
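To see what Wireshark is actually matching on, here is an added example (not from the original article) that parses the NSS key log format written to SSLKEYLOGFILE: each record is `<LABEL> <ClientHello.random as 64 hex chars> <secret as hex>`, with CLIENT_RANDOM carrying the 48-byte master secret for SSL 3 / TLS 1.x and per-secret labels for TLS 1.3. The sample log lines are constructed, and malformed records (a truncated write, a bad random) are skipped rather than trusted.

```python
# Added example: parser and lookup for the SSLKEYLOGFILE (NSS key log) format.
# Sample records below are constructed, not taken from a real browser session.
import re
from typing import Dict, Optional, Tuple

# One record per line: <LABEL> <client_random: 64 hex> <secret: hex>; '#' lines are comments.
RECORD_RE = re.compile(r"^([A-Z0-9_]+)\s+([0-9a-fA-F]{64})\s+([0-9a-fA-F]+)\s*$")

CR1 = "00112233445566778899aabbccddeeff" * 2   # 32-byte ClientHello.random (constructed)
MS1 = "0f1e2d3c4b5a69788796a5b4c3d2e1f0" * 3   # 48-byte master secret (constructed)
CR2 = "ffeeddccbbaa99887766554433221100" * 2   # second session whose record was truncated

SAMPLE_KEYLOG = f"""# SSL/TLS secrets log file, generated by the browser (constructed sample)
CLIENT_RANDOM {CR1} {MS1}
CLIENT_RANDOM {CR2} deadbeef
CLIENT_RANDOM 0123 abcd
"""


def parse_keylog(text: str) -> Dict[Tuple[str, bytes], bytes]:
    """Return {(label, client_random_bytes): secret_bytes}; invalid records are ignored."""
    secrets: Dict[Tuple[str, bytes], bytes] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RECORD_RE.match(line)
        if not m or len(m.group(3)) % 2:
            continue  # not a well-formed record (e.g. partially written line)
        label, cr_hex, sec_hex = m.groups()
        if label == "CLIENT_RANDOM" and len(sec_hex) != 96:
            continue  # a TLS 1.2 master secret is always 48 bytes
        secrets[(label, bytes.fromhex(cr_hex))] = bytes.fromhex(sec_hex)
    return secrets


def master_secret_for(secrets: Dict[Tuple[str, bytes], bytes],
                      client_random: bytes) -> Optional[bytes]:
    """Look up the master secret for a ClientHello random, as Wireshark does per session."""
    return secrets.get(("CLIENT_RANDOM", client_random))


if __name__ == "__main__":
    table = parse_keylog(SAMPLE_KEYLOG)
    print(f"{len(table)} decryptable session(s) in key log")
    print("session 1 master secret:", master_secret_for(table, bytes.fromhex(CR1)).hex())
    print("session 2 (truncated record):", master_secret_for(table, bytes.fromhex(CR2)))
```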

