C
C#•4mo ago
Oliwer

HTTPS payload decryption using root authorized private key

How could one decrypt HTTPS payload using a root authorized private-key in a .NET application?
20 Replies
canton7
canton7•4mo ago
$details
MODiX
MODiX•4mo ago
When you ask a question, make sure you include as much detail as possible. Such as code, the issue you are facing, what you expect the result to be, what .NET version you are using and what platform/environment (if any) are relevant to your question. Upload code here https://paste.mod.gg/, save, and copy the link into chat for others to see your shared code! (see $code for more information on how to paste your code)
canton7
canton7•4mo ago
About the only thing I can say in response to a question that vague is ".NET provides classes to encrypt and decrypt data. Use them" Where did this encrypted payload come from? Why wasn't it decrypted automatically using TLS when you downloaded it? (For example, you rarely use asymmetric crypto to encrypt something big, like a HTTP payload. You use the asymmetric keys to share some private session-specific symmetric keys, and then use those, as symmetric crypto is a lot quicker. So the question itself doesn't really make sense anyway, as normally HTTPS payloads aren't encrypted with asymmetric keys)
Oliwer
OliwerOP•4mo ago
HTTPS payloads captured using sharppcap. I have the private key from a trusted root certificate, I am just not sure of how to decrypt the array of bytes appropriately. I've tried researching for quite a while, but to no avail.
canton7
canton7•4mo ago
You can't, AFAIK. Well, unless you capture the TLS handshake
Oliwer
OliwerOP•4mo ago
I got the handshake.
private static void Device_OnPacketArrival(object sender, PacketCapture e)
{
if (!next)
{
return;
}

var capture = e.GetPacket();
if (capture == null)
{
return;
}

var packet = capture.GetPacket();
if (packet is not EthernetPacket ethernetPacket || !packet.HasPayloadPacket)
{
return;
}

var payloadPacket = packet.PayloadPacket;
if (payloadPacket.PayloadPacket is TcpPacket tcp)
{
// HANDSHAKE
if (tcp.PayloadData.Length > 0 && tcp.PayloadData[0] == 0x16)
{
// TODO
}
}
}
private static void Device_OnPacketArrival(object sender, PacketCapture e)
{
if (!next)
{
return;
}

var capture = e.GetPacket();
if (capture == null)
{
return;
}

var packet = capture.GetPacket();
if (packet is not EthernetPacket ethernetPacket || !packet.HasPayloadPacket)
{
return;
}

var payloadPacket = packet.PayloadPacket;
if (payloadPacket.PayloadPacket is TcpPacket tcp)
{
// HANDSHAKE
if (tcp.PayloadData.Length > 0 && tcp.PayloadData[0] == 0x16)
{
// TODO
}
}
}
Here's my current situation. I'm assuming this (but a lot more complex) is how Fiddler does it, since they also use a trusted root certificate key.
canton7
canton7•4mo ago
IIRC fiddler MITM's the traffic?
Oliwer
OliwerOP•4mo ago
It seems it does.
canton7
canton7•4mo ago
I have the private key from a trusted root certificate
So you have the actual private key that the server used for the TLS connection? But you don't have the private key which the browser used?
Oliwer
OliwerOP•4mo ago
dangit I generated a self-signed one and added it to the trusted root certificates and do not have the browser one.
canton7
canton7•4mo ago
So the server was running on localhost, or...?
Oliwer
OliwerOP•4mo ago
Yes.
canton7
canton7•4mo ago
Googling around, it seems the normal wya to do this is to configure the browser to create a key log file, which contains the various TLS session keys that it used. Wireshark at least can then use those to decrypt the traffic
Oliwer
OliwerOP•4mo ago
I'll have a look at giving that a shot, thanks.
canton7
canton7•4mo ago
Information Security Stack Exchange
it is possible to decrypt HTTPS with the (private, public) pair if ...
Assuming you have a PCAP file with HTTPS traffic and having the key pair (private & public), it is possible to decrypt the traffic if it uses Diffie Hellman Ephemeral? Using openSSL lib for exa...
Oliwer
OliwerOP•4mo ago
Going out on a whim here, it's more or less the MITM route recommended? The only thing is, I can't do that cause it would slow down the networking so it wouldn't be able to run infinitely while doing other stuff. It's meant to be a user application.
canton7
canton7•4mo ago
I don't know if there is a "recommended" way to decrypt all encrypted traffic. That rather defeats the point of the encryption, no? 😛
Oliwer
OliwerOP•4mo ago
Of course.
canton7
canton7•4mo ago
It's explicitly meant to be hard to decrypt it, so it's likely that there are no "good" options
Oliwer
OliwerOP•4mo ago
That's unfortunate. I'll have to stick with the chrome extension route of capturing the requests. Thank you for your time once again, canton.
Want results from more Discord servers?
Add your server