Forum Discussion
Piotr_Lewandows
Altostratus
AltostratusResumed SSL session and decryption
Hi,
I tried to figure out if there is a way to decrypt resumed SSL session in Wireshark if first session with full SSL handshake (including pre-master key exchange) is not captured.
Seems t...
Hi Piotr,
Very good question. I've always been under the impression the pre-master secret is the 'key' to deriving the master as well. However, in looking at the way the master is generated, it seems the randoms from original client and server hellos are required as well:
master_secret = PRF(pre_master_secret, "master secret",
ClientHello.random + ServerHello.random)
https://tools.ietf.org/html/rfc5246section-8.1
Would be interesting to hear some additional thoughts.
Kevin
dragonflymr
Cirrostratus
CirrostratusStill when session is resumed I doubt there is any pre-master exchange (will have to verify using packet capture), sure for generating pre-master in full SSL handshake random number is used - I can clearly recall it.
But if for resumed session again random number is exchanged then it will force recalculation of master secret, so for me denying benefits of resume - which if I am not wrong is to avoid costly master secret calculation, but maybe I am wrong?
Anyway, from tests when pre-master is configured and trace contains full SSL handshake session all resumed sessions are ddecrypted.
If new trace is started, so not SSL full handshake in the trace then nothing can be decrypted.
If new random number would be used for resumed session then pre-master from full handshake should not change anything in decrypting trace - even containing full handshake - or I am wrong here?
Piotr