I have implemented a Java network packet sniffer similar to that proposed by http://www.freeproject.co.in/source/Network-Packet-Sniffer.aspx?pf=Java&t=web or http://packetsnifferusingjpcap.blogspot.it/
Now I would like to decrypt the data stream coming from an HTTPS connection. In an attempt to do so I set the environment variable SSLKEYLOGFILE; in this way the browser will write the values used to generate TLS session keys out to the file indicated by this variable, see https://isc.sans.edu/forums/diary/Psst+Your+Browser+Knows+All+Your+Secrets/16415/
As is explained in https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Key_Log_Format
The file indicated by SSLKEYLOGFILE is a series of lines. Comment lines begin with a sharp character ('#'). Otherwise the line takes one of these formats.
RSA <space> <16 bytes of hex encoded encrypted pre master secret> <space> <96 bytes of hex encoded pre master secret>
CLIENT_RANDOM <space> <64 bytes of hex encoded client_random> <space> <96 bytes of hex encoded master secret>
How can I use the SSL / TLS secrets log file in order to decrypt network packets in Java code?
Since wireshark already implements all necessary logic, you could just pipe your captured data through tshark, and parse the output text back into your application.
You could possibly also do it on your own with the help of a crypto library like BouncyCastle, but it would be a lot of effort, because you would still have to parse the handshake and everything (the SSLKEYLOGFILE contains just the really secret bits; a lot of context is still needed to successfully decrypt traffic!).
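What the two posts above amount to in working code, as an added example that is part of neither the question nor the answer: a parser for the key log format quoted in the question, followed by the "context" the answer refers to, namely the TLS 1.2 PRF that turns a master secret plus the client and server randoms from the captured ClientHello/ServerHello into the record keys, and the AES-GCM record decryption that uses them. It assumes TLS 1.2 with an AES-128-GCM cipher suite (the suite is read from the captured ServerHello) and uses only the JDK's javax.crypto, no BouncyCastle. The class and method names are hypothetical, and the key log line and the two handshake randoms in main are constructed sample data, not values from a real session.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.crypto.*;
import javax.crypto.spec.*;

/** Added example (not from the question or the answer): from SSLKEYLOGFILE entries to TLS 1.2 record keys. */
public class KeyLogDecrypt {

    /** CLIENT_RANDOM lines -> map hex(client_random) to the 48-byte master secret; '#' comments and odd lines are skipped. */
    static Map<String, byte[]> parseKeyLog(List<String> lines) {
        Map<String, byte[]> secrets = new HashMap<>();
        for (String raw : lines) {
            String line = raw.trim();
            if (line.isEmpty() || line.startsWith("#")) continue;
            String[] f = line.split("\\s+");
            // RSA lines carry a pre-master secret instead, keyed by the start of the encrypted pre-master
            // seen in ClientKeyExchange; those go through masterSecret() before they are usable.
            if (f.length == 3 && f[0].equals("CLIENT_RANDOM") && f[1].length() == 64 && f[2].length() == 96)
                secrets.put(f[1].toLowerCase(Locale.ROOT), hex(f[2]));
        }
        return secrets;
    }

    /** TLS 1.2 PRF (RFC 5246 section 5) with HMAC-SHA256: P_SHA256(secret, label || seed) truncated to length. */
    static byte[] prf(byte[] secret, String label, byte[] seed, int length) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(secret, "HmacSHA256"));
        byte[] labelSeed = concat(label.getBytes(StandardCharsets.US_ASCII), seed);
        byte[] a = labelSeed, out = new byte[0];                    // A(0) = label || seed
        while (out.length < length) {
            a = mac.doFinal(a);                                      // A(i) = HMAC(secret, A(i-1))
            out = concat(out, mac.doFinal(concat(a, labelSeed)));    // block i = HMAC(secret, A(i) || seed)
        }
        return Arrays.copyOf(out, length);
    }

    /** For RSA key-log lines: master_secret = PRF(pre_master, "master secret", client_random || server_random)[0..48). */
    static byte[] masterSecret(byte[] preMaster, byte[] clientRandom, byte[] serverRandom) throws Exception {
        return prf(preMaster, "master secret", concat(clientRandom, serverRandom), 48);
    }

    /** Key block for *_WITH_AES_128_GCM_SHA256 (no MAC keys). Seed order is server_random first, unlike masterSecret().
     *  Both randoms come from the captured ClientHello/ServerHello, not from the key log: that is the missing "context". */
    static byte[][] keyBlockAes128Gcm(byte[] master, byte[] clientRandom, byte[] serverRandom) throws Exception {
        byte[] block = prf(master, "key expansion", concat(serverRandom, clientRandom), 40);
        return new byte[][] {
            Arrays.copyOfRange(block, 0, 16),   // client_write_key
            Arrays.copyOfRange(block, 16, 32),  // server_write_key
            Arrays.copyOfRange(block, 32, 36),  // client_write_IV (implicit 4-byte nonce part)
            Arrays.copyOfRange(block, 36, 40)   // server_write_IV
        };
    }

    /** Decrypts one TLS 1.2 AES-128-GCM record fragment laid out as explicit_nonce(8) || ciphertext || tag(16). */
    static byte[] decryptRecord(byte[] writeKey, byte[] implicitIv, long seqNum, byte contentType,
                                byte[] version, byte[] fragment) throws Exception {
        byte[] nonce = concat(implicitIv, Arrays.copyOfRange(fragment, 0, 8));
        byte[] ctAndTag = Arrays.copyOfRange(fragment, 8, fragment.length);
        // additional_data = seq_num(8) || type(1) || version(2) || plaintext_length(2); seq counts records per direction
        byte[] aad = ByteBuffer.allocate(13).putLong(seqNum).put(contentType).put(version)
                .putShort((short) (ctAndTag.length - 16)).array();
        Cipher gcm = Cipher.getInstance("AES/GCM/NoPadding");
        gcm.init(Cipher.DECRYPT_MODE, new SecretKeySpec(writeKey, "AES"), new GCMParameterSpec(128, nonce));
        gcm.updateAAD(aad);
        return gcm.doFinal(ctAndTag);   // AEADBadTagException means wrong key, IV, sequence number or record header
    }

    static byte[] concat(byte[] a, byte[] b) {
        byte[] r = Arrays.copyOf(a, a.length + b.length);
        System.arraycopy(b, 0, r, a.length, b.length);
        return r;
    }

    static byte[] hex(String s) {
        byte[] r = new byte[s.length() / 2];
        for (int i = 0; i < r.length; i++) r[i] = (byte) Integer.parseInt(s.substring(2 * i, 2 * i + 2), 16);
        return r;
    }

    static String toHex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data, not a real session: the repeated-byte randoms stand in for the 32-byte
        // Random fields a sniffer extracts from ClientHello and ServerHello, the key log for the browser's file.
        String clientRandom = "11".repeat(32), serverRandom = "33".repeat(32);
        List<String> keyLog = List.of("# SSL/TLS secrets log file, generated by NSS",
                                      "CLIENT_RANDOM " + clientRandom + " " + "22".repeat(48));
        byte[] master = parseKeyLog(keyLog).get(clientRandom);   // pair the capture with the log via client_random
        if (master == null) throw new IllegalStateException("no key-log entry for this session");
        byte[][] keys = keyBlockAes128Gcm(master, hex(clientRandom), hex(serverRandom));
        System.out.println("server_write_key=" + toHex(keys[1]) + " server_write_IV=" + toHex(keys[3]));
        // Server-to-client application data is then decryptRecord(keys[1], keys[3], seq, (byte) 23, new byte[]{3, 3}, fragment)
    }
}
```

The lookup key is the client_random your sniffer reads from the ClientHello; the server_random and the cipher suite come from the ServerHello, and the per-direction sequence number restarts at 0 after each side's ChangeCipherSpec, so the decrypter has to track the handshake state of every connection. Other cipher suites change the key block layout (CBC suites add MAC keys and use 16-byte IVs) and TLS 1.3 uses a different key schedule and key-log line types, which is the "lot of effort" the answer warns about. If you take the tshark route instead, point it at the same file with `-o tls.keylog_file:/path/to/sslkeys.log` (Wireshark 3.x and later; older releases used the `ssl.keylog_file` preference) and parse its decoded output.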