Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How do I extract the pre-master secret using an OpenSSL-based client?

I have an application I'm making that uses OpenSSL 1.0.2 and I'd like to examine the traffic with Wireshark. Wireshark can (allegedly) decrypt TLS conversations provided you give it the pre-master secret.

If I'm using a cipher suite like TLS_RSA_WITH_AES_256_CBC_SHA256; can anyone tell me how to get the pre-master secret out of an SSL or SSL_CTX struct? I'm OK with hacking opaque structures within the SSL object - this isn't for anything that would ship in a product; I just want to know how to populate a pre-master secret file for Wireshark.

like image 424
Ted Middleton Avatar asked Mar 26 '16 20:03

Ted Middleton


People also ask

How is pre-master secret generated in SSL?

The pre-master secret is created by the client (the method of creation depends on the cipher suite) and then shared with the server. Before sending the pre-master secret to the server, the client encrypts it using the server public key extracted from the certificate provided by the server.

What is pre-master secret in SSL?

The premaster secret: The client sends one more random string of bytes, the "premaster secret." The premaster secret is encrypted with the public key and can only be decrypted with the private key by the server. (The client gets the public key from the server's SSL certificate.)

What is OpenSSL S_client?

OpenSSL's s_client command can be used to analyze client-server communication, including whether a port is open and if that port is capable of accepting an SSL/TLS connection. It is a useful tool for investigating SSL/TLS certificate-based plugins, and for confirming that a line of secure communications is available.


1 Answers

I recommend using the master key, which is easier to get at. To the best of my knowledge the pre-master key only exists ephemerally on the stack in OpenSSL. The master key is available in ssl_session_st (defined in ssl.h in the 1.0.2 branch but moved to ssl_locl.h in a later version). The SSL member variable session is a pointer to its ssl_session_st (aka SSL_SESSION).

Wireshark can use the master key as well as the pre-master key to decrypt connections. Here are the formats that Wireshark supports as of this writing:

  • RSA xxxx yyyy Where xxxx are the first 8 bytes of the encrypted pre-master secret (hex-encoded) Where yyyy is the cleartext pre-master secret (hex-encoded) (this is the original format introduced with bug 4349)

  • RSA Session-ID:xxxx Master-Key:yyyy Where xxxx is the SSL session ID (hex-encoded) Where yyyy is the cleartext master secret (hex-encoded) (added to support openssl s_client Master-Key output) This is somewhat is a misnomer because there's nothing RSA specific about this.

  • PMS_CLIENT_RANDOM xxxx yyyy Where xxxx is the client_random from the ClientHello (hex-encoded) Where yyyy is the cleartext pre-master secret (hex-encoded) (This format allows SSL connections to be decrypted, if a user can capture the PMS but could not recover the MS for a specific session with a SSL Server.)

  • CLIENT_RANDOM xxxx yyyy Where xxxx is the client_random from the ClientHello (hex-encoded) Where yyyy is the cleartext master secret (hex-encoded) (This format allows non-RSA SSL connections to be decrypted, i.e. ECDHE-RSA.)

Note that neither the pre-master key nor the master key is the symmetric key (your question title implies that you may think it is). The symmetric key is derived from the master key and client/server random data.

like image 110
rhashimoto Avatar answered Oct 24 '22 01:10

rhashimoto