I am working on a Java program to decrypt a TLS 1.2 session that uses a cipher TLS_RSA_WITH_AES_128_GCM_SHA256. I recorded a test session using wirehark. The master secret is known.
No. Time Protocol Length Info
4 0.000124000 TLSv1.2 166 Client Hello
6 0.000202000 TLSv1.2 1074 Server Hello, Certificate, Server Hello Done
8 0.001071000 TLSv1.2 393 Client Key Exchange, Change Cipher Spec, Finished
9 0.003714000 TLSv1.2 301 New Session Ticket, Change Cipher Spec, Finished
11 6.443056000 TLSv1.2 116 Application Data
12 6.443245000 TLSv1.2 765 Application Data
15 6.443390000 TLSv1.2 103 Alert (Level: Warning, Description: Close Notify)
Packet 11Contains HTTP GET Requestwhich I am trying to decrypt.
Confirmation Data:
Cipher: TLS_RSA_WITH_AES_128_GCM_SHA256
Client Random: 375f5632ba9075b88dd83eeeed4adb427d4011298efb79fb2bf78f4a4b7d9d95
Server Random: 5a1b3957e3bd1644e7083e25c64f137ed2803b680e43395a82e5b302b64ba763
Master Secret: 2FB179AB70CD4CA2C1285B4B1E294F8F44B7E8DA26B62D00EE35181575EAB04C
4FA11C0DA3ABABB4AF8D09ACB4CCC3CD
Package 11 data:
Direction is Client -> Server.
Secure Sockets Layer
TLSv1.2 Record Layer: Application Data Protocol: Application Data
Content Type: Application Data (23)
Version: TLS 1.2 (0x0303)
Length: 45
Encrypted Application Data: c91de005e2ae50a8a57abee55c183667b136343feef4a387cb7cf83030a47e230af268378c4f33c8b5bab3d26d
What i have done so far:
Key Output:
I only need client keys, since I want to decrypt the Client-> Server package. I have expanded the server and client keys and IV in accordance with the RFC.
Client Write Key: 4B119DFBFC930ABE130030BD53C3BF78
Client Write IV: 2029CAE2
Nons:
I create AES-GCM nonce from salt (= Client Write IV) and explicit nonce (= first 8 bytes of encrypted data).
Salt: 2029CAE2
explicitNonce: C91DE005E2AE50A8
Nonce: 2029CAE2C91DE005E2AE50A8
Additional Authentication Data (AAD):
This is where I am obviously stuck. RFC5246 says:
_ = seq_num + TLSCompressed.type + TLSCompressed.version + TLSCompressed.length; "+" .
, :
byte[] aad = {0, 0, 0, 0, 0, 0, 0, 1,
0x17,
0x03, 0x03,
0, 45};
, seq_no 1. reset , Change Cipher Spec. (Packet #8) Finished seq_no = 0. - Packet #11 seq_no = 1.
:
BouncyCastle:
AEADParameters parameters = new AEADParameters(new KeyParameter(clientWriteKey), 128, nonce, aad);
GCMBlockCipher gcmBlockCipher = new GCMBlockCipher(new AESFastEngine());
gcmBlockCipher.init(false, parameters);
byte[] plainText = new byte[gcmBlockCipher.getOutputSize(cipherText.length)];
try {
int decLen = gcmBlockCipher.processBytes(cipherText, 0, cipherText.length, plainText, 0);
decLen += gcmBlockCipher.doFinal(plainText, decLen);
} catch (InvalidCipherTextException e) {
System.out.println("MAC failed: " + e.getMessage());
}
MAC: GC GCM. :
byte[] decomp = decompress(plainText);
System.out.println(new String(decomp, "UTF-8"));
GET / HTTP/1.0\n.
:
public static byte[] decompress(byte[] data) throws IOException, DataFormatException {
Inflater inflater = new Inflater(true);
inflater.setInput(data);
ByteArrayOutputStream outputStream = new ByteArrayOutputStream(data.length);
byte[] buffer = new byte[1024];
while (inflater.getRemaining() > 0) {
int count = inflater.inflate(buffer);
outputStream.write(buffer, 0, count);
}
outputStream.close();
byte[] output = outputStream.toByteArray();
inflater.end();
return output;
}
:
, , . . , , , - (AAD).
:
(AAD)?
!