Going from an EC Private Key to Decrypting Traffic

Question

At the moment I have an EC private key in my possession and also some traffic that was encrypted using the aforementioned private key. I have been trying to use OpenSSL to turn the private key into something Wireshark can work with. For example, going from the original:

-----BEGIN EC PRIVATE KEY-----
/* BASE 64 ENCODED *\
-----END EC PRIVATE KEY-----

To the following:

-----BEGIN CERTIFICATE-----
/* BASE 64 ENCODED */
-----END CERTIFICATE-----

Via the command:

openssl req -new -x509 -key private_key.pem -out server.pem -days 730

However Wireshark doesn't seem to enjoy this either. Is there a way to decrypt ECDSA traffic using wireshark?

Which cipher was used? If it is an ECDHE or DHE cipher then the private key of the certificate is not sufficient to decrypt the traffic because of forward secrecy. — Steffen Ullrich, Jun 25 '16 at 10:54
I'm afraid I'm rather new to this and don't entirely know how to work out what the type is. Could you shed some light on how to find out? I didn't generate the private key myself. @SteffenUllrich — Alexander Craggs, Jun 25 '16 at 10:57
In this case I would recommend to first study How does SSL/TLS work? because it contains the information you need to understand how encryption works and what is needed for decryption, the role of certificates and ciphers etc. — Steffen Ullrich, Jun 25 '16 at 11:00
Aha, thank you for the reference, I'll look over that now @SteffenUllrich — Alexander Craggs, Jun 25 '16 at 11:24
@SteffenUllrich Read both that article and most of the ones attached to that. Still not quite understanding how to get access to the key used via Wireshark. I can find the protocol is indeed TCP, but nothing else (I'm looking at the more indepth view of each packet of Wireshark, picture. — Alexander Craggs, Jun 25 '16 at 12:42
To find out the cipher used you need to check the TLS details of the ServerHello message. Looking at TCP level only will not help. — Steffen Ullrich, Jun 25 '16 at 13:22

score 1 · Answer 1 · answered Jan 10 '23 at 22:12

1

ECDSA

You're out of luck, elliptic curve provides perfect forward security. this means that having the private key does not help.

answered Jan 10 '23 at 22:12

Jasen

1,216
8
10

score 0 · Answer 2 · answered Feb 05 '24 at 03:28

0

No isn’t.

Basically the private key is used to verify the identity of the server, but the encryption keys are independent and negotiated in a mathematical way such that nothing on the wire can be used to determine them.

The client and server throw them away after use. So unless you had logging of these ephemeral keys by the software in each end, there is no way to decrypt the traffic.

answered Feb 05 '24 at 03:28

Secto Kia

101

Logging at either end is sufficient, you don't need to log both ends. – Jasen Feb 07 '24 at 00:41

Going from an EC Private Key to Decrypting Traffic

2 Answers2