Re: [Wireshark-dev] Trying to decode a TLS 1.3 with null cipher
Hi Peter, Unfortunately I am not privy to the reasons for choosing this particular cipher suite. Sorry if my questions sounds naive - I'm really not into the security domain. What would be the risks of using this implementation (with the nonce issue and half-size key)? Does it make it easier for an attacker to "fake" a certificate and impersonate the server? My next question would be, what other cipher suites would you suggest? I heard that TLS1.2 may get deprecated and so, not sure if that would be a good option. Regards, Ahmed On Mon, May 4, 2020 at 4:38 PM Peter Wu wrote: > Hi Ahmed, > > On Mon, May 04, 2020 at 03:12:50PM -0700, Ahmed Elsherbiny wrote: > > First of all, thank you again for creating the patch. I did test it and > was > > able to successfully decode some messages. > > My implementation uses WolfSSL v4.3.0. > > > > I hope the patch will be merged in, please let me know if there's any > more > > info you need from my end. > > At the moment the patch is unlikely going to be merged pending further > information from the relevant draft authors. Please be very careful with > deploying your information, WolfSSL appears to have a bug in the > implementation of the draft: > https://github.com/wolfSSL/wolfssl/issues/2945 > > Is your implementation actually going to be used in production? What are > the reasons behind choosing this draft proposal for TLS 1.3 null ciphers > if I may ask? > -- > Kind regards, > Peter Wu > https://lekensteyn.nl > ___ > Sent via:Wireshark-dev mailing list > Archives:https://www.wireshark.org/lists/wireshark-dev > Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev > mailto:wireshark-dev-requ...@wireshark.org > ?subject=unsubscribe ___ Sent via:Wireshark-dev mailing list Archives:https://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
Re: [Wireshark-dev] Trying to decode a TLS 1.3 with null cipher
Hello Peter, First of all, thank you again for creating the patch. I did test it and was able to successfully decode some messages. My implementation uses WolfSSL v4.3.0. I hope the patch will be merged in, please let me know if there's any more info you need from my end. Regards, Ahmed On Sat, May 2, 2020 at 3:21 PM Peter Wu wrote: > Hi Ahmed, > > I have posted a patch at https://code.wireshark.org/review/37034 which > should allow you to see the plaintext. However there is a big open > question about the draft specification. Can you share some more details > on your implementation, in particular which TLS library do you use? > > Without more answers, this patch will not be merged. > > Kind regards, > Peter > > On Sat, May 02, 2020 at 10:55:07AM -0700, Ahmed Elsherbiny wrote: > > Wow this is great news, thank you Peter! > > > > Regards, > > Ahmed > > > > On Sat, May 2, 2020 at 10:21 AM Peter Wu wrote: > > > > > Hi Ahmed, > > > > > > On Fri, May 01, 2020 at 02:10:01PM -0700, Ahmed Elsherbiny wrote: > > > > Hello, > > > > > > > > I've written a dissector for a custom protocol. The dissector works > well, > > > > and now I'm trying to run the protocol over TLS 1.3. > > > > > > > > The cipher suite being used is TLS_SHA256_SHA256 (Code: 0xC0B4). > This is > > > a > > > > new cipher suite, it is used for integrity and has a null cipher (The > > > > payload is actually plaintext). It is still in draft form, here is > the > > > > document that describes it: > > > > > https://www.ietf.org/id/draft-camwinget-tls-ts13-macciphersuites-05.txt > > > > > > > > Looking at the ServerHello packet, Wireshark shows the CipherSuite as > > > > Unknown (0xC0B4). Consequently, it does not provide a "Decrypted > > > > application data" tab and does not pass the data to my dissector. > > > > > > The new cipher name was added in the development build via commit > > > v3.3.0rc0-513-g3e2a837cc0 (https://code.wireshark.org/review/36052). > It > > > is not present in the stable build yet. > > > > > > > This is what the TLS debug log shows: > > > [..] > > > > I tried adding the cipher-suite to packet-tls-utils.c and recompiling > > > > Wireshark. This is the line that I added, since the document says > that > > > > Diffie-Helman is the only key exchange that can be used. I'm not > > > completely > > > > sure that I'm using the correct macros - I don't fully understand > TLS. > > > > > > > > {0xC0B4, KEX_DH_ANON, ENC_NULL, DIG_SHA256, MODE_GCM } > > > > > > This is not correct, TLS 1.3 has a different key exchange (KEX_TLS13) > > > and more changes are needed to ensure that existing TLS 1.3 ciphers do > > > not break while adding support for this new cipher. > > > > > > I've created a test samples for the two ciphers and posted these at > > > https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16543 > > > > > > I hope to have a patch available tomorrow. > > > -- > > > Kind regards, > > > Peter Wu > > > https://lekensteyn.nl > ___ > Sent via:Wireshark-dev mailing list > Archives:https://www.wireshark.org/lists/wireshark-dev > Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev > mailto:wireshark-dev-requ...@wireshark.org > ?subject=unsubscribe ___ Sent via:Wireshark-dev mailing list Archives:https://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
Re: [Wireshark-dev] Trying to decode a TLS 1.3 with null cipher
Wow this is great news, thank you Peter! Regards, Ahmed On Sat, May 2, 2020 at 10:21 AM Peter Wu wrote: > Hi Ahmed, > > On Fri, May 01, 2020 at 02:10:01PM -0700, Ahmed Elsherbiny wrote: > > Hello, > > > > I've written a dissector for a custom protocol. The dissector works well, > > and now I'm trying to run the protocol over TLS 1.3. > > > > The cipher suite being used is TLS_SHA256_SHA256 (Code: 0xC0B4). This is > a > > new cipher suite, it is used for integrity and has a null cipher (The > > payload is actually plaintext). It is still in draft form, here is the > > document that describes it: > > https://www.ietf.org/id/draft-camwinget-tls-ts13-macciphersuites-05.txt > > > > Looking at the ServerHello packet, Wireshark shows the CipherSuite as > > Unknown (0xC0B4). Consequently, it does not provide a "Decrypted > > application data" tab and does not pass the data to my dissector. > > The new cipher name was added in the development build via commit > v3.3.0rc0-513-g3e2a837cc0 (https://code.wireshark.org/review/36052). It > is not present in the stable build yet. > > > This is what the TLS debug log shows: > [..] > > I tried adding the cipher-suite to packet-tls-utils.c and recompiling > > Wireshark. This is the line that I added, since the document says that > > Diffie-Helman is the only key exchange that can be used. I'm not > completely > > sure that I'm using the correct macros - I don't fully understand TLS. > > > > {0xC0B4, KEX_DH_ANON, ENC_NULL, DIG_SHA256, MODE_GCM } > > This is not correct, TLS 1.3 has a different key exchange (KEX_TLS13) > and more changes are needed to ensure that existing TLS 1.3 ciphers do > not break while adding support for this new cipher. > > I've created a test samples for the two ciphers and posted these at > https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16543 > > I hope to have a patch available tomorrow. > -- > Kind regards, > Peter Wu > https://lekensteyn.nl > ___ > Sent via:Wireshark-dev mailing list > Archives:https://www.wireshark.org/lists/wireshark-dev > Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev > mailto:wireshark-dev-requ...@wireshark.org > ?subject=unsubscribe ___ Sent via:Wireshark-dev mailing list Archives:https://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
[Wireshark-dev] Trying to decode a TLS 1.3 with null cipher
Hello, I've written a dissector for a custom protocol. The dissector works well, and now I'm trying to run the protocol over TLS 1.3. The cipher suite being used is TLS_SHA256_SHA256 (Code: 0xC0B4). This is a new cipher suite, it is used for integrity and has a null cipher (The payload is actually plaintext). It is still in draft form, here is the document that describes it: https://www.ietf.org/id/draft-camwinget-tls-ts13-macciphersuites-05.txt Looking at the ServerHello packet, Wireshark shows the CipherSuite as Unknown (0xC0B4). Consequently, it does not provide a "Decrypted application data" tab and does not pass the data to my dissector. This is what the TLS debug log shows: *For the ServerHelloMessage:* dissect_ssl enter frame #2 (first time) packet_from_server: is from server - TRUE conversation = 025F9CC7D780, ssl_session = 025F9CC7DEF0 record: offset = 0, reported_length_remaining = 128 ssl_try_set_version found version 0x0303 -> state 0x91 dissect_ssl3_record: content_type 22 Handshake decrypt_ssl3_record: app_data len 123, ssl state 0x91 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 2 offset 5 length 119 bytes, remaining 128 ssl_try_set_version found version 0x0304 -> state 0x91 ssl_dissect_hnd_hello_common found SERVER RANDOM -> state 0x93 ssl_set_cipher can't find cipher suite 0xC0B4 ssl_load_keyfile dtls/tls.keylog_file is not configured! tls13_load_secret transitioning to new key, old state 0x93 tls13_load_secret Cannot find CLIENT_HANDSHAKE_TRAFFIC_SECRET, decryption impossible tls13_load_secret transitioning to new key, old state 0x93 tls13_load_secret Cannot find SERVER_HANDSHAKE_TRAFFIC_SECRET, decryption impossible *For the Application Message: * dissect_ssl enter frame #3 (first time) packet_from_server: is from server - TRUE conversation = 025F9CC7D780, ssl_session = 025F9CC7DEF0 record: offset = 0, reported_length_remaining = 44 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 39, ssl state 0x93 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available I tried adding the cipher-suite to packet-tls-utils.c and recompiling Wireshark. This is the line that I added, since the document says that Diffie-Helman is the only key exchange that can be used. I'm not completely sure that I'm using the correct macros - I don't fully understand TLS. {0xC0B4, KEX_DH_ANON, ENC_NULL, DIG_SHA256, MODE_GCM } After recompiling Wireshark with this line added, this is what I get: *For the ServerHelloMessage: * dissect_ssl enter frame #2 (first time) packet_from_server: is from server - TRUE conversation = 018ED3796780, ssl_session = 018ED3796EF0 record: offset = 0, reported_length_remaining = 128 ssl_try_set_version found version 0x0303 -> state 0x91 dissect_ssl3_record: content_type 22 Handshake decrypt_ssl3_record: app_data len 123, ssl state 0x91 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 2 offset 5 length 119 bytes, remaining 128 ssl_try_set_version found version 0x0304 -> state 0x91 ssl_dissect_hnd_hello_common found SERVER RANDOM -> state 0x93 ssl_set_cipher found CIPHER 0xC0B4 unknown -> state 0x97 ssl_load_keyfile dtls/tls.keylog_file is not configured! tls13_load_secret transitioning to new key, old state 0x97 tls13_load_secret Cannot find CLIENT_HANDSHAKE_TRAFFIC_SECRET, decryption impossible tls13_load_secret transitioning to new key, old state 0x97 tls13_load_secret Cannot find SERVER_HANDSHAKE_TRAFFIC_SECRET, decryption impossible *For the Application Message: * dissect_ssl enter frame #3 (first time) packet_from_server: is from server - TRUE conversation = 018ED3796780, ssl_session = 018ED3796EF0 record: offset = 0, reported_length_remaining = 44 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 39, ssl state 0x97 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available Notice the highlighted text. The message changed from "Can't find cipher suite" to "found CIPHER 0xC0B4 unknown". So I might be doing something right here. But it seems to still expect a key. I should be able to proceed without keys, since this particular cipher-suite does not encrypt the payload. Appreciate if someone could help me figure this out. Thanks in advance! Regards, Ahmed ElSherbiny ___ Sent via:Wireshark-dev mailing list Archives:https://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe