Ephemeral Diffie Hellman support – NOT !

You may be aware about the SSL/TLS decryption features of Unsniff (see article here on how to do it )

This past weekend we received an email asking whether there were plans for Unsniff to support decryption of TLS using the DHE-RSA-AES256-SHA cipher suite. We also find this same question repeated on many security forums. I thought this deserves a blog entry.

The letters “DHE” in a cipher suite name means that the Diffie Hellman Ephemeral mode is being used for key exchange. Contrast with plain or static “DH” (example DH_RSA_WITH_DES_CBC_SHA ). Unsniff might support static DH because the diffie hellman parameters can be found in the server certificate.

Unsniff has no plans to support ephemeral DH because it is impossible.

Why ?

Ephemeral DH is used to provide Perfect Forward Secrecy to a TLS connection. This means that even if you have obtained the server private key via admin help, theft, or court order – you cannot decrypt past captured traffic. The server key is of no use because it is only used to sign the DH parameters in the “Server Key Exchange” message in TLS. To decrypt DH-ephemeral in the way Unsniff (and other tools like Wireshark) do would be akin to breaking DH. That is not possible.

Is there really no way ?

I think there is only one way. If you can change the source code of the server (apache, etc) to write out the DH params to a log file for each session – we may be able to use that to compute the master secret and therefore decrypt the TLS session.

 

Author: Vivek Rajagopalan

Vivek Rajagopalan is the a lead developer for Trisul Network Analytics. Prior products were Unsniff Network Analyzer and Unbrowse SNMP. Loves working with packets , very high speed networks, and helping track down the bad guys on the internet.

3 thoughts on “Ephemeral Diffie Hellman support – NOT !”

  1. Maybe stolen servers keys are useless with ephemeral mode. There are other ways to do it if you can have access to server.

  2. SERGEY,

    There may be other ways such as exploiting bad random number generators or some implementation weaknesses. Maybe you have something else in mind.

    This feature of Unsniff as well as those of open source tools like wireshark are to legally help admins decrypt tunneled traffic. It is easy to confuse the functionality offered with that typically found in a hackers toolbox.

    To give you an insight into Unsniff.

    Our main driving force was not HTTPS but STUNNEL. One of our early users used STUNNEL to carry all their custom protocols. Without this functionality they cannot perform any network analysis even if they have the server key.

    The DHE mode throws a spanner in the works for decryption in the manner Unsniff does (via presenting the server key material).

    You may ask, if DHE is so cool, why doesnt everyone simply use it ? Why do almost all ecommerce sites amazon, ebay, etc – use lesser ciphers ? I just checked that google adwords prefers RSA-RC4-128-SHA with my IE and Firefox.

    Can you guess the answer ?

Comments are closed.