3 Things You Should Know About HTTPS, SSL/TLS Traffic with Wireshark!


If you analyze trace files captured on your network as a way to troubleshoot performance issues, you certainly face challenges with encrypted traffic. To understand how to manage that, let’s start with SSL (Secure Socket Layer) and TLS (Transport Layer Security).

Note** For the second blog in our SSL/TLS series,

Here are a few things you need to know before you open a trace file of HTTPS traffic with Wireshark:

1. SSL/TLS: A short history

Since Netscape’s SSL v1.0, which was never released, multiple versions of SSL and subsequently TLS have been released to increase security capabilities.

Figure 1: Timeline for SSL and TLS versions

  • In 1999, TLS replaced SSL

  • These versions drove the ability to decrypt HTTPS traffic (or not)!

  • Newer versions of SSL/TLS have been adopted over time

Here are the encryption protocols used over the Internet as of 2018:

Figure 2: Commonly used encryption protocols

2. Let’s start from the beginning:

SSL = Secure Socket Layer & TLS = Transport Layer Security

When you connect to a web application using HTTPS, what happens? Usually over TCP, your browser sets up an SSL or a TLS session, which is the primary way to secure network traffic today.

In 1998, 50% of Internet traffic was encrypted. That figure is expected to climb to 75% by 2019.

2.1 TLS security capabilities

TLS provides you with 3 security capabilities: confidentiality, authentication, and integrity.

As a network troubleshooter, the first thing you will see is encrypted data.

Figure 3: How Wireshark shows encrypted SSL/TLS traffic

2.2 CONFIDENTIALITY – Cryptography to encrypt traffic

SSL and TLS use several mechanisms, including Asymmetric and Symmetric Cryptography:

Asymmetric Cryptography requires two keys per party, a private key and a public key, for each of the client and the server.

Figure 4: Asymmetric cryptography – how it works

The main advantages of asymmetric key cryptography:

  • Only n x 2 keys are needed for n participants in a secure communication

  • Users can be removed easily by simply revoking one keypair

  • The key distribution is a simple process

  • No pre-existing communication link needs to exist

  • Provides confidentiality, integrity, authentication, and non-repudiation

The main challenges using asymmetric cryptography are:

  • Keeping the private key in a safe location. In the example above, anyone with Alice’s private key would be able to decrypt the data

  • Performance: asymmetric cryptography is slow compared to other techniques like symmetric key cryptography

Symmetric Cryptography requires one shared key.

Figure 5: Symmetric cryptography – how it works

In symmetric key cryptography, the same shared key is used to encrypt and decrypt the traffic.

The main advantage of using symmetric key cryptography is:

  • Performance – Symmetric key cryptography can be 1,000 to 10,000 times faster than asymmetric key cryptography.

The main challenges of symmetric key cryptography:

  • Key distribution

  • Not scalable [n x (n-1)/2 keys required for n participants]

  • Keys must be generated frequently (i.e., when a user leaves)

  • Does not provide valuable features like non-repudiation

To take advantage of the strengths of each cryptographic system, TLS offers two protocols:

  • Handshake protocol uses public key cryptography to establish a shared secret key between the client and the server

  • Record protocol uses the secret key established in the handshake protocol to protect communication between the client and the server

The handshake protocol is established in 2 steps:

  1. Define the encryption protocol, key length used for confidentiality, hash algorithm used for integrity that both parties can use, and the exchange of public keys.

Figure 6: How 2 hosts define the encryption protocol, key length and hash algorithm used in SSL/TLS

  2. Exchange a shared secret.

Figure 7: How 2 hosts exchange a shared secret in SSL/TLS

2.3 AUTHENTICATION: How SSL/TLS manages identities

SSL/TLS validates the identity of the parties using certificates. A certificate is an electronic document linking a public key to an identity. These certificates are delivered and validated by Certification Authorities (CA).

CAs are organized in a pyramid structure, where the Root Certification Authority (RCA) is at the top with a cascade of lower level CAs that can sign and provide reference for certificates in lower CAs.

Your operating system and browser include a store of Root Certification Authorities’ certificates.

2.4 INTEGRITY: How to check identity with a hash function?

Figure 8: Identity check

3. So, how do we establish an SSL/TLS session?

Figure 9: Summary of an SSL/TLS session setup:

1 & 2: Client and Server define the encryption protocol, key length and hash mechanism to be used

3. Server forwards its public key signed by a CA

4. Client OS/browser validates the certificate with the public key of the root CA

5. Client computes a pre-master secret, encrypts it with the server’s public key and sends it to the server, which decrypts it using its private key
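Steps 1 & 2 travel in cleartext, which is why they stay readable in a trace even when the payload is not. The following is an added example, not code from the original article: it walks the TLS records in a TCP payload and lists the cipher suites a ClientHello offers. The sample bytes are constructed, the cipher suite table is a small subset of the IANA names, and the ClientHello is assumed to fit in a single record.

```python
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
CLIENT_HELLO = 1  # handshake message type
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
# Small subset of the IANA cipher suite registry, enough for the constructed sample.
SUITES = {0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
          0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
          0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}

def build_sample():
    """Constructed input: a ClientHello record, then an application_data record."""
    suites = struct.pack("!3H", 0xC02F, 0x009C, 0x002F)
    hello = (struct.pack("!H", 0x0303) + bytes(32) + b"\x00"      # version, random, empty session_id
             + struct.pack("!H", len(suites)) + suites + b"\x01\x00")  # suites, null compression
    hs = bytes([CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    rec1 = struct.pack("!BHH", 22, 0x0301, len(hs)) + hs
    opaque = bytes.fromhex("17a9c3e05b")  # stands in for ciphertext
    return rec1 + struct.pack("!BHH", 23, 0x0303, len(opaque)) + opaque

def parse_records(stream):
    """Split a TCP payload into TLS records: (content type, record version, body)."""
    records, pos = [], 0
    while pos + 5 <= len(stream):
        ctype, ver, length = struct.unpack_from("!BHH", stream, pos)
        body = stream[pos + 5:pos + 5 + length]
        if len(body) < length:
            raise ValueError("truncated TLS record")
        records.append((CONTENT_TYPES.get(ctype, ctype), VERSIONS.get(ver, hex(ver)), body))
        pos += 5 + length
    return records

def parse_client_hello(body):
    """Return (client version, offered cipher suites) from a handshake record body."""
    if body[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    (ver,) = struct.unpack_from("!H", hello, 0)
    pos = 2 + 32                       # skip version and 32-byte client random
    pos += 1 + hello[pos]              # skip session_id (1-byte length prefix)
    (n,) = struct.unpack_from("!H", hello, pos)
    raw = struct.unpack_from("!%dH" % (n // 2), hello, pos + 2)
    return VERSIONS.get(ver, hex(ver)), [SUITES.get(s, hex(s)) for s in raw]

if __name__ == "__main__":
    recs = parse_records(build_sample())
    for ctype, ver, body in recs:
        print(ctype, ver, len(body), "bytes")
    print(parse_client_hello(recs[0][2]))
```

The handshake record decodes into named fields, while the application_data record is only an opaque byte string, which matches what Wireshark shows before any decryption keys are supplied.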

In conclusion, in order to analyze trace files captured on your network as a way to troubleshoot performance, you need to understand SSL and TLS to mitigate issues.


Author - Boris Rogier - Director of SkyLIGHT PVX Product Line and Business Development, Boris is responsible for leading innovation around Accedian’s network and application performance solutions for enterprise IT. He applies more than 15 years of IT operations, network, and application development experience to advise organizations across all verticals on best practices to optimize performance in multi-cloud, virtualized, and software-as-a-service (SaaS) infrastructure environments. Boris holds business law and economy & finance degrees from EDHEC Business School and Institut d’Etudes politiques de Bordeaux.
