• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar
  • Skip to secondary sidebar
OpenTechTips

OpenTechTips

Comprehensive IT Guides for Pros and Enthusiasts

MENUMENU
  • HOME
  • ALL TOPICS
    • Exchange
    • InfoSec
    • Linux
    • Networking
    • Scripting
      • PowerShell
    • SSL
    • Tools
    • Virtualization
    • Web
    • Windows
  • ABOUT
  • SUBSCRIBE
Home » Following the SSL Key Exchange with WireShark

Following the SSL Key Exchange with WireShark

April 14, 2020 - by Zsolt Agoston - last edited on May 20, 2020

We established in part1 why the key exchange takes place, if you missed that part click HERE to check it out.

Basically the client and the server agree on a key that they can use to encrypt the rest of their communication. Let’s see how that key exchange happens exactly.

Step 1: Client Hello

After establishing the TCP connection, the client initiates the TLS channel by sending the TLS cipher suites it supports. In our case it supports six

Following the SSL Key Exchange with WireShark

2. Server Hello

In response, the server greets the client back and picks up one cipher suite to be used later.

Following the SSL Key Exchange with WireShark

The suites describe three main protocols, aspects. Here the server picked RSA for key exchange - to negotiate the secret key for the next part – the second is the symmetric encryption algorithm for the rest of the messages, AES256. The third one is the hashing algorithm for ensuring the messages were not tampered with.

3. Certificate is Sent (from server to client)

Next, the server sends its SSL certificate that contains the public key together with the signing CA’s signature to the client and the rest of the certificate chain. That contains the Root CA certificate, in this example it is "Let’s Encrypt Authority X3"

Following the SSL Key Exchange with WireShark

4. Secret Key (or session key) Exchange

This is the key step. The client uses the private key to encrypt a 256bit long secret key (for the AES256 protocol to be used later) which the server decrypts with the private key. Now they both know the secret session key.

Following the SSL Key Exchange with WireShark

After acknowledging and confirming the key, now they are communicating using AES256 encrypting-decrypting with the same secret they share now.

Reader Interactions

Comments Cancel reply

Your email address will not be published. Required fields are marked *

Primary Sidebar

Tools

Secondary Sidebar

CONTENTS

  • Step 1: Client Hello
  • 2. Server Hello
  • 3. Certificate is Sent (from server to client)
  • 4. Secret Key (or session key) Exchange

  • Terms of Use
  • Disclaimer
  • Privacy Policy
Manage your privacy

To provide the best experiences, we and our partners use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us and our partners to process personal data such as browsing behavior or unique IDs on this site and show (non-) personalized ads. Not consenting or withdrawing consent, may adversely affect certain features and functions.

Click below to consent to the above or make granular choices. Your choices will be applied to this site only. You can change your settings at any time, including withdrawing your consent, by using the toggles on the Cookie Policy, or by clicking on the manage consent button at the bottom of the screen.

Functional Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
Statistics

Marketing

Features
Always active

Always active
Manage options Manage services Manage {vendor_count} vendors Read more about these purposes
Manage options
{title} {title} {title}
Manage your privacy
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
Statistics

Marketing

Features
Always active

Always active
Manage options Manage services Manage {vendor_count} vendors Read more about these purposes
Manage options
{title} {title} {title}