How do you decrypt SSH .pcap file that uses Diffie Hellman encryption. With public and private keys

ssl networking ssh wireshark pcap
cchang picture cchang · Oct 26, 2009 · Viewed 24.5k times · Source

How do you decrypt SSH .pcap file that uses Diffie Hellman encryption. With public and private keys.

We are trying through Wireshark with no luck.

Answer

erickson picture erickson · Oct 26, 2009

One of the benefits of ephemeral Diffie-Hellman (the DHE ciphersuites of TLS) is that it provides perfect forward secrecy. This means that even if the private DSA key used to authenticate the server (and possibly client) are obtained by an attacker someday, she won't be able to go back and decrypt any sessions captured in the past.

In other words, you can't decrypt these captures unless you recorded the secret session key; there's no way to recover it afterward.

This is different than the RSA cipher suites, where knowledge of the server private key allows one to decrypt the session.

Related questions

Capture only ssl handshake with tcpdump

I have a server to which many clients connect using SSL. Recently I'm observing SSL handshake errors in the server logs (ex SSL MAC error). The error itself is not important, but I want to see why some clients are …

Read More
How to create a secured TCP connection via TLS v.1.2 in Java

I want to create commnicate between two systems via TLS v1.2. The information it contains is confidential. I want to avoid an https web service call and diectly want to perform message exchange at the TCP layer. Can you suggest …

Read More
tcpdump to filter ssl packets

I need to filter out all SSL packets using tcpdump. I know that only the first packet can be recognized as being ssl. Is it possible to match against the first packet and then filter out the rest of the …

Read More