Decrypting Diffie Hellman Ephemeral with the Master Key

We’ve written how  EDH (Ephemeral Diffie Hellman) offers perfect forward secrecy in the sense that if even if you got your hands on some keying material such as a private key file, you cant decrypt past captured traffic. With DHE, what’s done is done, baby.


A post on the Wireshark Q&A site wondered if you controlled the client or the server and could output the so called master secret, can you then decrypt the SSL/TLS traffic? The answer is absolutely!

If you had the master secret, it does not matter what key exchange algorithm you use. The only question left is : Do you support decryption of the cipher!


Differences with Wireshark

Unsniff supports entering a master secret directly. Wireshark allows you to enter something called a ‘unencrypted pre master secret’, we think if you can instrument the client anyway – why not just print out the master secret. Unsniff also doesnt care about the session id as a way of mapping flows to keys – the mapping is much weaker. You can arrange to split your PCAPs into flows -> key mapping instead.

Sample run with ECDHE-RSA-RC4-128-SHA (what gmail prefers)

Use the s_client tool to generate a trace run by connecting and typing “GET /”

Notice that big string in bold. That is called the master secret. That’s all you need.

If you have Trisul running in your egress point, grab a PCAP of the above session. Or alternatively run a tcpdump before the s_client tool.

Enter the master secret

Self evident, just use the highlighted buttons.

Create a mapping for server ip/port to master key file.

 Run Unsniff on the PCAP

If you clicked on Pull Packets in Trisul, it will automatically open Unsniff the run the decryption for you. Alternately, load the PCAP into Unsniff via File -> Import -> From Libpcap


The place to observe the action in Unsniff is in the PDU tab. This may be a little confusing for folks familiar with Wireshark’s link packet based views. What Unsniff does it shows you complete SSL “records” – so an Application Data encrypted record maps cleanly into a “decrypted” record. This is shown with an icon on the left side.

Decrypted PDUs show up with ICON at left

 Stream based view

Switch to the streams tab for two extra streams generated from the SSL stream.

  1. Decrypted stream stopping at the TCP layer
  2. Decrypted stream going all the way to the HTTPS (or whatever else) layer
Streams tab show entire decrypted session data

Unsniff is still heavily developed

We’ve received a bunch of emails asking about Unsniff. We are still heavily improving it, unfortunately the documentation and new website is still some time off due to our big Trisul releases. The latest versions for example have top notch reconstruction – even of Video Chats with playback of VP8 and MPEG4-TS, unidirectional streams from satellite connections and more.  Check it out now.


Author: Vivek Rajagopalan

Vivek Rajagopalan is the a lead developer for Trisul Network Analytics. Prior products were Unsniff Network Analyzer and Unbrowse SNMP. Loves working with packets , very high speed networks, and helping track down the bad guys on the internet.

2 thoughts on “Decrypting Diffie Hellman Ephemeral with the Master Key”

  1. I did this exact same steps, nothing got decoded.
    – ran tcpdump
    – started s_client to (
    saw the master key in the output
    sent the request GET / HTTP/1.1
    got the HTML response
    – stopped s_client and tcpdump
    – create the master key in unsniff & imported the pcap file
    – nothing got decoded – still seeing as “application data”

Comments are closed.