Forum Discussion
Piotr_Lewandows
May 19, 2017 · Altostratus
Resumed SSL session and decryption
Hi,
I tried to figure out if there is a way to decrypt a resumed SSL session in Wireshark if the first session with the full SSL handshake (including pre-master key exchange) is not captured.
Seems t...
Kevin_K_51432
Historic F5 Account
Hi Piotr,
Very good question. I've always been under the impression the pre-master secret is the 'key' to deriving the master as well. However, in looking at the way the master is generated, it seems the randoms from the original client and server hellos are required as well:
    master_secret = PRF(pre_master_secret, "master secret",
                        ClientHello.random + ServerHello.random)
https://tools.ietf.org/html/rfc5246#section-8.1
Would be interesting to hear some additional thoughts.
Kevin
dragonflymr
May 20, 2017 · Cirrostratus
Well, so in short, it's only possible to decrypt a resumed session when:
- There is a full handshake session in the trace along with the resumed sessions
- There is either the private key or the pre-master from the full handshake configured in Wireshark
If the trace does not contain the full handshake session, resumed sessions cannot be decrypted, even having the private key or pre-master from the original full handshake session.
Is the above true?
Piotr
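
Added example, not written by any poster in this thread: the RFC 5246 derivation quoted above, carried through for a full handshake and a resumed one. It assumes a TLS 1.2 cipher suite whose PRF uses SHA-256; the secrets and randoms are constructed sample values and the helper names are illustrative.

```python
import hashlib
import hmac

def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_hash from RFC 5246 section 5, instantiated with HMAC-SHA256."""
    out, a = b"", seed                                   # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()  # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]

def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF(secret, label, seed) = P_SHA256(secret, label + seed)."""
    return p_sha256(secret, label + seed, length)

def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    # RFC 5246 section 8.1: the master secret is always 48 bytes.
    return prf(pre_master, b"master secret", client_random + server_random, 48)

def key_block(master: bytes, client_random: bytes, server_random: bytes, length: int) -> bytes:
    # RFC 5246 section 6.3: the seed here is server random first, then client random.
    return prf(master, b"key expansion", server_random + client_random, length)

# Constructed sample values, not taken from any capture.
PRE_MASTER = b"\x03\x03" + bytes(range(46))           # 48-byte RSA-style pre-master
FULL_CR, FULL_SR = b"\x11" * 32, b"\x22" * 32         # hello randoms, full handshake
RESUMED_CR, RESUMED_SR = b"\x33" * 32, b"\x44" * 32   # hello randoms, resumed handshake
KEY_BLOCK_LEN = 40  # AES-128-GCM: two 16-byte keys plus two 4-byte implicit IVs

def derive_all() -> dict:
    master = master_secret(PRE_MASTER, FULL_CR, FULL_SR)
    return {
        "master": master,
        # Pre-master combined with the resumed hellos' randoms: not the session's master.
        "master_from_resumed_randoms": master_secret(PRE_MASTER, RESUMED_CR, RESUMED_SR),
        "full_keys": key_block(master, FULL_CR, FULL_SR, KEY_BLOCK_LEN),
        # A resumed session reuses the master secret with its own fresh randoms.
        "resumed_keys": key_block(master, RESUMED_CR, RESUMED_SR, KEY_BLOCK_LEN),
    }

if __name__ == "__main__":
    for name, value in derive_all().items():
        print(f"{name:28} {value.hex()}")
```

The master secret is bound to the full handshake's randoms, while each session's key block is derived from that master secret and the session's own randoms.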