Decrypting Secure PCAPs


Diffusion 5.9

Diffusion 6.0

Diffusion 6.1

Diffusion 6.2

Diffusion 6.3

Diffusion Cloud


The following article is provided on an advice basis only. This article references 3rd party software that may require licensing. When using SSL/TLS to communicate with Diffusion, it is required that the PCAP is decrypted before it is possible to view the traffic. This guide outlines the procedures required to decrypt an encrypted PCAP. DH (Diffie–Hellman) based key exchanges cannot be decrypted. An RSA based encryption should be used instead.

Problem

When using PCAPs to diagnose communication issues over HTTPS, or other secure protocols, you are required to decrypt the PCAP before you can view the secure packets. Before the decryption the data in each packet appears scrambled and cannot be interpreted by Wireshark. It is possible to use the following filter term to filter your PCAP to just traffic to and from a Diffusion server (in most cases). The port number may be different if you have configured your Diffusion server to route secure traffic to another port.

tcp.srcport == 8443 || tcp.dstport == 8443

Resolution

Determine Cipher Suite

Filter the PCAP using the filter term above. You should now only see packets to and from Diffusion. This should look something like the screenshot below. As these packets are still encrypted you will not be able to view the data within each packet. Wireshark Right-click on any packet and click Decode As. Then choose SSL and press OK. This will allow you to see the ‘Client Hello’ and ‘Server Hello’ packets. You will not be able to see any more data, as this is still encrypted. Click the ‘Server Hello’ packet and expand the ‘Secure Sockets Layer’ section. Find the Cipher Suite record. Wireshark In this case the cipher suite used is as follows.

TLS_RSA_WITH_AES_128_CBC_SHA

If in your case the cipher suite used contains either ECDHE, DHE you are required to modify the available ciphers on the server before continuing. ECDHE or DHE based ciphers cannot be decrypted, even when using a private key. If your cipher does not contain this, skip the next section.

Change Cipher Suite

To disable ciphers that are available for use it is required that the java.security file on the server is modified. The location of this file varies depending on the operating system that you are using. However it is usually in the following sub-directory from the location of your JVM.

<JVM Location>/jre/lib/security/

Scroll to the bottom of this file. Decrypt PCAP The example line shows how to disable ciphers on the server. Add the following line and save the file.

jdk.tls.disabledAlgorithms= ECDHE, DHE

The chosen ciphers will now be disabled. It may be necessary to restart Diffusion for these changes to take effect.

Obtain Private Key

It is now necessary to extract the private key out of your Diffusion keystore. This will allow future traffic from this server to be decrypted. The keystore is within the /etc folder on your server. A new keystore should have been generated before production release. The original keystore supplied with Diffusion is not suitable for production environments. To extract the private key the keytool command can be used. However 3rd party the KeyStore Explorer (external site) application makes this process extremely simple. Once running, click ‘Open an existing KeyStore’. KeyStore Explorer Browse to the location of your keystore. Change the File Format to ‘All Files’. Click Open. KeyStore Explorer You will be prompted for your password. If you are using the Diffusion default keystore (not recommended in production) please contact support for the password. You will then be shown the contents of the keystore. This should look as follows. KeyStore Explorer Right click on the key pair within the keystore and click Export > Export Private Key. Choose PKCS #8 and click OK. Do not enter a password. Choose the location to export the file to and click Export. You have now extracted the private key from your keystore. Export Private Key

Add Private Key to Wireshark

It is now required that the private key is accessible by Wireshark. To do this go to Edit > Preferences > Protocols > SSL. screen-shot-2015-01-27-at-14-51-20 Click Edit on the RSA keys list section. SSL Decrypt Click New. Enter the following information and click OK. SSL Decrypt You will now be able to decrypt the whole PCAP. To do this repeat the step from earlier, right click on a packet and click Decode As… > SSL. It will be clear that you have successfully decrypted the PCAP as you should now see Diffusion traffic clearly. An example is shown below. Wireshark