Jump to content
NotionCommotion

How to access symmetric key?

Recommended Posts

If a client connects to a ReactPHP TLS socket server, is it possible to obtain the symmetric key from within the PHP code?  Hoping it will allow me to decrypt  analysis traffic between two using Wireshark.

Share this post


Link to post
Share on other sites

With PHP? No. SSL stuff is all handled by OpenSSL (or whatever you have installed) which tends not to expose information like that.

You could allow unsecure connections when a development mode is active, and/or when the connection is local. To troubleshoot locally.

Share this post


Link to post
Share on other sites
1 hour ago, requinix said:

With PHP? No. SSL stuff is all handled by OpenSSL (or whatever you have installed) which tends not to expose information like that.

Was afraid of that.  Evidently,  Firefox and Chrome both support logging the symmetric session key used to encrypt TLS traffic to a file, and Wireshark is configured to use this file and then can decrypted TLS traffic.  See  https://redflagsecurity.net/2019/03/10/decrypting-tls-wireshark/.  Well, I am not accessing the connection using FF or Chrome so that doesn't help me, but maybe there is a different way to do so with some Linux command? 

Share this post


Link to post
Share on other sites

The easiest solution if you need to view the traffic would be to either disable encryption or pass the traffic through a proxy that can log the traffic then pass it on.

Alternatively, modify your code to log traffic it sends/receives across the socket.  I usually include some sort of raw traffic logging ability in things I develop for easy debugging.

Share this post


Link to post
Share on other sites
15 hours ago, kicken said:

The easiest solution ... or pass the traffic through a proxy that can log the traffic then pass it on.

Can you elaborate?

15 hours ago, kicken said:

Alternatively, modify your code to log traffic it sends/receives across the socket.  I usually include some sort of raw traffic logging ability in things I develop for easy debugging.

I like it!  I take it you log the entire message with either deliminator or length prefix, right?  Have you ever used CBOR (which I am doing) or similar or compressed JSON?  With straight JSON, it should be easy enough to determine message breaks based on visually looking for known words, but not so if scrambled.  I probably need to log both the pre and post CBOR raw message, and maybe take other steps.  Any lessons learned would be appreciated.

Share this post


Link to post
Share on other sites
17 hours ago, NotionCommotion said:

I take it you log the entire message with either deliminator or length prefix, right? 

I'd log whatever I see across the socket.  For example:

public function read(){
    $data = fread($this->socket, 8192);
    $this->logger->debug('Socket data read: {data}', ['data' => $data]);

    return $data;
}

public function write($data){
    fwrite($this->socket, $data);
    $this->logger->debug('Socket data written: {data}', ['data' =>$data]);
}

The idea is just to have a record in case it is needed to debug a problem.  If the data being read/written was binary rather than plain text, then I'd either base64_encode or bin2hex it first.

Higher levels of the app  would have additional logging.  For example whatever code parses the raw data into some useful data structure may then log the result of that parsing.

18 hours ago, NotionCommotion said:

Have you ever used CBOR (which I am doing) or similar or compressed JSON?

I have not.   Like I mentioned above though, for non-string data you can always encode it before printing.    bin2hex is nice for as you can easily inspect and compare individual bytes of data.  it doubles the size of whatever data you're logging though.  base64_encode uses less space and can compare whole values easily, but requires decoding to do detailed comparisons.

 

Share this post


Link to post
Share on other sites
On 6/14/2019 at 1:06 AM, kicken said:

I'd log whatever I see across the socket.  For example:


public function read(){
    $data = fread($this->socket, 8192);
    $this->logger->debug('Socket data read: {data}', ['data' => $data]);

    return $data;
}

public function write($data){
    fwrite($this->socket, $data);
    $this->logger->debug('Socket data written: {data}', ['data' =>$data]);
}

 

Is your logger just a simple homespun write to a file or something more?  When monitoring  the server, how do you deal with keeping each client separate?

Thanks

PS.  Sorry for getting off topic.

Share this post


Link to post
Share on other sites
On 6/16/2019 at 9:17 AM, NotionCommotion said:

Is your logger just a simple homespun write to a file or something more?

Usually monolog.

On 6/16/2019 at 9:17 AM, NotionCommotion said:

When monitoring  the server, how do you deal with keeping each client separate?

Most of the time I'm just dealing with client side stuff, talking to a separate server.  However, the simple solution would be to just assign a unique identifier to each client and include that with each client's log messages.  I've done something like that with web applications before.  Each request generates a unique id and that ID is included in all the log messages.  That way when reviewing a log later I can easily find related log messages.

 

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.