HTTPS Wireshark grab packet--to decrypt the original data light with an SSL certificate, but also to have the browser pre-master-secret (in memory)

The analysis based on Wireshark grasping packet

First use Wireshark and open the browser, open Baidu (Baidu uses HTTPS encryption), random input keyword browsing.

I'm going to filter the bag I caught here. The filter rules are as follows

ip.addr == 115.239.210.27 && ssl

• 1

Here is a diagram to describe the process of grasping the package as seen above.

1. Client Hello

Open the details of the grab bag, as follows.

It is not difficult to see that this handshake process, the client transmits the following information in clear text:

1. Version information (TLS 1.2)
2. Random number
3. Session ID (for faster handshake, refer to TLS session multiplexing)
4. Encryption sleeve
5. Compression algorithm
6. Some other extended (Extension), such as the signature algorithm, the server name (in this case, sp1.baidu.com);

Server Hello

At this stage, the server returns the selected protocol version, the encryption sleeve, the compression algorithm, the random number, the Session ID, etc.

from:78989931

Data transmission

After the SSL handshake, the service side of the authentication succeeds, negotiated the encryption algorithm for AES, the key is xxxxx (the client and the server to take three random values calculated using the same algorithm, and no plaintext transmission). Everything is ready.

The SSL handshake is successful, the next data can already be encrypted, and then the various application layer protocols can be encrypted for transmission.

Application Data

Apply the data transfer message. Because this is HTTPS, the HTTP application protocol data can be encrypted and then transferred.

SecureSocketsLayerTLSv1.2 record  Layer: application data protocol: http  Content type: application data (
                   
                    version: 
                    TLS 1.2 (0x0303) Length: 1072 encrypted application data:6d9b3c9089271630c33506fe28cd6a61fed1f4bd2808f537 ... 
                    

From here, do not know the key is unable to know what data is transmitted here, even the content of what protocol is transmitted is not known .

So before creating an SSL tunnel, let proxy server blind to HTTPS data, you have to pass the Connect method to tell the proxy server to connect which host, which port number, or proxy server is also a face.

So the SSL protocol is independent, where HTTP is encrypted, and other protocols can be encrypted. It is like the middle tier of the TCP and application layer protocols, which provides encrypted data transfer for the upper layer protocol.

Encryted Alert

The SSL warning message, because it is encrypted content, does not see the contents of the alert from Wireshark.

secure sockets  Layer tlsv1.2  Record layer: encrypted alert content  Type: alert (+) version: tls 1.2 (0x0303) length:48 alert Message: Span class= "Hljs-selector-tag" >encrypted alert      

But because the alert message is often just the client used to prompt the end of the service-side SSL transfer, it is true that the control grabbed the packet. So here is just a signal to end the SSL transmission.

After sending the encryted alert, the client data transfer is complete, ready to enter four waves to disconnect the TCP connection.

from:https://www.jianshu.com/p/cf8c2f2cd18a

Why Wireshark cannot decrypt HTTPS dataKey Exchange Algorithm

The key exchange algorithm is commonly used in RSA and Diffie-hellman.
For key exchange using the RSA algorithm, Pre-master-secret is generated by the client and transmitted to the server using public key cryptography.
For key exchange using the Diffie-hellman algorithm, Pre-master-secret calculates the pre-master-secret by each of the information exchanged during the key exchange phase. So the Pre-master-secret does not save to the hard disk, also does not transmit on the network, Wireshark cannot obtain session key, also cannot decrypt the application data. Can we calculate the Pre-master-secret in reverse? Theoretically possible, but very difficult.
Interested in the Diffie-hellman algorithm can be referenced Https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange

Workaround

Having said so much, what is the way to let Wireshark decrypt the data? There are several ways to enable Wireshark to decrypt HTTPS packets.
1. Man-in-the-middle attack;
2. Set up the Web server to use RSA as the Exchange key algorithm;
3. If you are using Chrome,firefox, you can set the export Pre-master-secret log, and then Wireshark set the Pre-master-secret log path so that it can be decrypted .

HTTPS Wireshark grab packet--to decrypt the original data light with an SSL certificate, but also to have the browser pre-master-secret (in memory)