Wireshark-users: Re: [Wireshark-users] CertificateRequestdoesn'tseemproperly displayed
From: "Ryerse, Mike (DIS)" <MikeRy@xxxxxxxxxx>
Date: Thu, 18 Sep 2008 12:05:56 -0700
Okay, that makes sense.  Thanks for clarifying.  I won't be able to
provide you the private key for this trace.  But I really appreciate the
time you took to explain.


Thanks,

Michael Ryerse

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx
[mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Sake Blok
Sent: Thursday, September 18, 2008 2:31 AM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users]CertificateRequestdoesn'tseemproperly
displayed

On Wed, Sep 17, 2008 at 04:48:50PM -0700, Ryerse, Mike (DIS) wrote:
> 
> I am thinking though, since the browser is able to decrypt the message
> without using the server's private key, shouldn't this theoretically
> also be possible with wireshark somehow?

Well, if that would be the case, there would be a real big problem ;-)
The purpose of SSL is to keep things secured. The flaw is your
reasoning is this: The client uses the public key from the server
certificate to encrypt the so called "pre-master-key". This key
is created by the client and then sent encrypted to the server.
Only the server has the private key and so it can decrypt it. Both
the client and the server then use this pre-master-key, combined 
with other exchanged (in the clear) data to create all the necessary
keys for the ssl-session. That's why supplying the private key of
the server makes it possible for wireshark to do decryption.

At least, that's the situation with the RSA key exchange, when 
Diffie Hellman is used in the key exchange, then the client and
server create key-pairs on the fly to exchange the "pre-master-key"
and therefor Wireshark will not be able to decrypt the session, as
it has no access to those temporary keys.

> Anyway, thanks for all your help.  Learned a lot today :)

Your welcome. Would it be possible for you to send the private key 
of this test-setup so I can add this ssl-session with renegotiaton
to my collection of traces? Or maybe it would be nice to have
the trace and key on the wiki for others to use as an example too?

Cheers,
    Sake
_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
https://wireshark.org/mailman/listinfo/wireshark-users