How do you decrypt SSH .pcap file that uses Diffie Hellman encryption. With public and private keys

Question

How do you decrypt SSH .pcap file that uses Diffie Hellman encryption. With public and private keys.

We are trying through Wireshark with no luck.

Answer 1

One of the benefits of ephemeral Diffie-Hellman (the DHE ciphersuites of TLS) is that it provides perfect forward secrecy. This means that even if the private DSA key used to authenticate the server (and possibly client) are obtained by an attacker someday, she won't be able to go back and decrypt any sessions captured in the past.

In other words, you can't decrypt these captures unless you recorded the secret session key; there's no way to recover it afterward.

This is different than the RSA cipher suites, where knowledge of the server private key allows one to decrypt the session.

Answer 2

Because the session is encrypted by a transient "session key", having the public/private keys of the server and/or client at the end is of no use to you. Those keys are only used to verify that there has been no man-in-the-middle attack.

In order to decrypt a SSH session, you must either somehow obtain the session key (perhaps by attaching a debugger to a client on either side) or perform a man-in-the-middle attack - this requires the private key of the server (and the client, if key authentication is being used). Some more info on the latter option can be found here: http://taosecurity.blogspot.com/2007/08/loving-ssh.html