Network traffic analysis for Incident Response (IR): TLS decryption

Introduction to TLS

When the internet was being created, security wasn’t much of an issue. The internet (and the Arpanet before it) was primarily being used by trusted parties and hacking wasn’t really a thing yet. As a result, many of the protocols used today weren’t developed for security. Potentially sensitive data was sent in plaintext over the wire and no mechanism existed for authenticating the server to the client.

The Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), are designed to fix this. They sit between a high-level protocol (like HTTP) and a low-level protocol (like TCP) in the network stack and provide the necessary encryption and authentication functionality.

Over the years, the use of TLS has grown dramatically, with over half of websites using HTTPS by default. However, situations exist where it is useful to be able to decrypt this traffic. For example, many organizations perform deep packet inspection (DPI) in order to detect and block potentially malicious traffic.

TLS decryption

When performing incident response activities, it may be necessary to decrypt TLS traffic in order to examine the contents of potentially malicious traffic. In this section, we’ll discuss how Wireshark and web proxies can be used to for TLS decryption.

Wireshark

Wireshark is probably the most commonly used tool for network traffic analysis. It has a great deal of functionality built in for examining network traffic and is freely available from the Wireshark website.

One of the useful features of Wireshark is built-in support for decryption of TLS traffic. Depending on the details of the SSL/TLS implementation, two different options exist for decryption.

RSA keys

In the past, it was common to use RSA to protect the confidentiality of the process of setting up a shared secret key between the client and the server. (Read more...)