How do you decrypt an SSH .pcap file that uses Diffie-Hellman encryption, with public and private keys?


We are trying through Wireshark with no luck.

cchang asked Oct 25 '09 23:10



2 Answers

One of the benefits of ephemeral Diffie-Hellman (the DHE ciphersuites of TLS) is that it provides perfect forward secrecy. This means that even if the private DSA key used to authenticate the server (and possibly client) is obtained by an attacker someday, she won't be able to go back and decrypt any sessions captured in the past.

In other words, you can't decrypt these captures unless you recorded the secret session key; there's no way to recover it afterward.

This is different from the RSA cipher suites, where knowledge of the server private key allows one to decrypt the session.

erickson answered Sep 24 '22 00:09



Because the session is encrypted by a transient "session key", having the public/private keys of the server and/or client at the end is of no use to you. Those keys are only used to verify that there has been no man-in-the-middle attack.

In order to decrypt an SSH session, you must either somehow obtain the session key (perhaps by attaching a debugger to a client on either side) or perform a man-in-the-middle attack - this requires the private key of the server (and the client, if key authentication is being used). Some more info on the latter option can be found here: http://taosecurity.blogspot.com/2007/08/loving-ssh.html

bdonlan answered Sep 26 '22 00:09

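The point both answers make (the session key comes from ephemeral DH secrets that never cross the wire, and the host key only signs the exchange) can be seen in a small simulation. This is an added example, not code from either answer or from any SSH implementation; it uses a constructed toy group (p = 2**127 - 1, g = 3) and a Schnorr-style signature as a stand-in for the RSA/DSA host key, so the numbers are illustrative only.

```python
import hashlib
import secrets

# Toy group (constructed): p = 2**127 - 1 is prime, g = 3. Real SSH uses 2048-bit+
# MODP groups or curve25519; the structure of the exchange is the same.
P = 2**127 - 1
G = 3
Q = P - 1  # exponents live modulo the order of Z_p^*

def host_keygen():
    """Long-term host key; a Schnorr-style stand-in for the RSA/DSA host key."""
    priv = secrets.randbelow(Q - 1) + 1
    return priv, pow(G, priv, P)

def host_sign(priv, msg):
    k = secrets.randbelow(Q - 1) + 1
    r = pow(G, k, P)
    c = int.from_bytes(hashlib.sha256(r.to_bytes(16, "big") + msg).digest(), "big") % Q
    return r, (k + c * priv) % Q

def host_verify(pub, msg, sig):
    r, s = sig
    c = int.from_bytes(hashlib.sha256(r.to_bytes(16, "big") + msg).digest(), "big") % Q
    return pow(G, s, P) == (r * pow(pub, c, P)) % P

def exchange_hash(e, f, k):
    """SSH-style exchange hash H: binds the public values e, f to the shared secret K."""
    return hashlib.sha256(b"%d|%d|%d" % (e, f, k)).digest()

def ssh_like_kex(host_priv, host_pub):
    """One ephemeral DH exchange; returns what the wire shows and the K each side derives."""
    x = secrets.randbelow(Q - 1) + 1   # client ephemeral secret, never transmitted
    e = pow(G, x, P)                   # client -> server
    y = secrets.randbelow(Q - 1) + 1   # server ephemeral secret, never transmitted
    f = pow(G, y, P)                   # server -> client
    k_server = pow(e, y, P)
    sig = host_sign(host_priv, exchange_hash(e, f, k_server))  # server -> client
    k_client = pow(f, x, P)            # client checks the signature over its own H
    assert host_verify(host_pub, exchange_hash(e, f, k_client), sig)
    return {"e": e, "f": f, "host_pub": host_pub, "sig": sig}, k_client, k_server

def recover_k_from_capture(wire, host_priv, max_work=2**16):
    """A passive observer holding the pcap and the host private key: K = f**x = e**y mod p,
    and neither x nor y is on the wire, so the only route is a discrete log on e. The work
    is bounded to max_work to show the cost is set by group size, not by host_priv (unused)."""
    for x in range(1, max_work):
        if pow(G, x, P) == wire["e"]:
            return pow(wire["f"], x, P)
    return None
```

Note that the signature covers H, which itself depends on K, so a capture alone does not even let an observer verify the host signature; only a party that already holds K (the client) can.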