Decrypting Client Authenticated SSL sessions?
I have been using netmon3.3 to manage & observe network traffic within my test environment. Recently for a project, client authenticated SSL sessions have been cropping up in the captures. I would really like to be able to see what is happening within those packets, and have direct access to the keys & certs on the two systems involved in the communications. I had stumbled upon the NetmonDecryptionExpert_x64, but unfortunately it reads that it does not decrypt scenarios where client authentication is involved. Are there any suggestions on what sort of solution / setup I should be looking at to allow that level of decryption / packet inspection? Thank you, -Aaron
April 27th, 2010 9:59pm

You would need access to the client's private key in order to authenticate to the destination website. Since this is normally a signing certificate it should not normally be archived, and may often be an externally issued card (e.g. from a bank). Even if you do have the private key, I'm honestly not sure what products (if any) actually support doing that kind of replay - as far as I am aware, even the big names have issues with this subject. Generally, if there is a client authentication cert required there is probably a legitimate reason why - if it is internally issued for an internal site - if their cert is valid then their traffic should be considered legitimate. If this is an external partner connecting to an internal resource, have them use the client cert to access the VPN and then restrict usage by policy for using client certs in areas that need to be monitored but cannot. If it is an external site then either block it or add an exception, based on your policy of acceptable use and how well you can determine what kind of risk the traffic actually is.
April 30th, 2010 7:52pm

This is a test setup and I control all devices, configurations, and network segments. If need be I can configure the group policy to mandate that the computer cert the client has be exportable (seeing as the SSL cert on the hosting server is not capable of decrypting the SSL session). But as the configuration is a bit different, I wasn't sure if just having the correct key would in fact allow me to sniff the wireshark/netmon captured traffic or not, or if there were any additional configurations required (like using multiple certs?). Thank you for the feedback.
April 30th, 2010 11:02pm

Sorry for the delay on getting back to you, been a little busy lately. If you have full control, this should be technically possible. You would need the client's private key and basically do a replay attack. Have the client authenticate to the middleman server, then the middleman server would need to use the same certificate/private key to authenticate to the real server (so the credentials would be valid to access the data), then just pass the data back and forth re-encrypting like an SSL offloader and have it scan the data on the middleman box or pass it off to a scanning server out of band, as well as to the client/real server.
May 14th, 2010 12:26am

Mm, interesting indeed, still quite a fair bit removed from being able to do it natively (an inconvenience), but certainly good news on the whole. Thank you!
May 14th, 2010 2:01am
