Observer Analyzer : Observer Analyzer : Decodes : Decoding network traffic : Decoding encrypted network traffic
Decoding encrypted network traffic
Observer can decode network traffic that is encapsulated within Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocols, but the traffic must first be decrypted. (Supported Cipher Suites)
Prerequisite: Observer Expert or Observer Suite
This feature of Observer allows you to make meaningful interpretation of encrypted traffic that you are authorized to view. A private key is required; you cannot decrypt any traffic without having the private key, ensuring you are the facilitator of the encrypted traffic.
You can also choose whether and how to translate the SSL/TLS port number (443) in the output. For example, if decrypting encrypted HTTP, you may want to change the port number to 80.
You can also optionally strip all TCP flow control packets (the SYN requests and ACKs used to establish and maintain the connection) from the decrypted output.
Note: Decryption can only be performed post-capture, and the actual decryption process is performed locally. There is no central repository for private keys in either Observer or OMS (if you own it), so each Observer installation wanting to decrypt a stream must have a local copy of the private key.
Note: If you are decrypting network traffic using a private key via a SafeNet HSM card and that card is located on a OMS server, you must provide the slot number under “Use SSL RSA Private Key From SafeNet HSM Card on OMS” seen in Figure 28.
If you are concerned about security for the decoding of your encrypted traffic, there are three methods available to you:
Use SSL Private Key from File. Even though the private key provides a certain level of security, this is the least secure option because of access to the private key file itself may be compromised. Even this option though provides greater access control than not using any security at all.
Use SSL RSA Private Key from HSM. This is a more secure than the above option because the private key is managed by HSM. Since the HSM maintains the private key, more access control exists.
Use SSL RSA Private Key from HSM on OMS. This is the most secure option. OMS controls Observer's access. Additionally, a key must be issued by the HSM. To use the key, you must know the token name of the HSM and provide it to decrypt the conversation. It is not stored in Observer. Observer passes the token name to OMS, OMS compares the name that was passed to its list of names, if one matches, it is passed to HSM where access is granted or denied. No key itself is ever passed during this entire process. Most likely, a security team manages and maintains the HSM and is a separate group from the network administrators. Using the private key from HSM on OMS, Observer is only able to decrypt the selected client/server connection or port pair. If another client/server connection or port pair must be decrypted, then a new key must be obtained.
To decode encrypted network traffic, complete the following steps.
1. Click the File tab, and click Options > Fallback Instance.
2. Choose the probe instance with the settings you want to use to decode the buffer file. For more details about why this important, see Opening files from unknown locations.
3. Click the File tab, and click Open > Local Packet Captures > Load and Analyze.
4. Navigate to the capture file you want to load, and select it.
5. Click Open. The capture file loads into Observer and you arrive at the Decode and Analysis tool.
6. Do one of the following:
Click the Expert Analysis tab. Then, click the TCP Events or UDP Events group tab and select the target encrypted conversation.
Click the Decode tab. Then, select the target encrypted conversation.
7. Right-click the encrypted conversation and select Decrypt SSL Conversation. The SSL/TLS Decryption Parameters dialog appears.
Figure 28: Provide the location of your private key here
8. Provide the location of your private key file.
9. Further customize your decryption by changing the extra options, including if you use a SafeNet HSM card for FIPS 140-2 compliance. Contact your SafeNet HSM card administrator or your corporate key librarian for the specifics about the slot number, key name, and user PIN. See Security, privacy, and regulatory compliance for more information.
10. Click OK to begin decrypting a client-server connection only, all connections for the client-server pair, connections to the selected Server IP/Port, connections with selected Application, or all SSL/TLS Encrypted Packets. The length of time decryption requires is proportional to how many packets are processed.
You successfully decrypted the conversation and can now decode and analyze its contents.
After completing this task:
If you cannot locate the private key file used for SSL decryption or an error states “Error Loading the Private Key File!,” there are two possible reasons:
You cannot locate, or do not have access to, the private key file necessary for decryption. You must obtain it.
The private key file you do have is improperly formatted or encrypted, and will not work. You must decrypt it.
In either of these scenarios, you must find the location of the private key file to begin troubleshooting. The location differs for each web server application, so the following are instructions for Apache Web Server and Windows IIS Web Server. If you don’t use either of these web server applications, please refer to the documentation for your specific web server application.