Wireshark mailing list archives
Re: [pcap-ng-format] Proposal for storing decryption secrets in a pcapng block
From: Peter Wu <peter () lekensteyn nl>
Date: Sat, 6 Oct 2018 10:51:13 +0200
On Thu, Oct 04, 2018 at 03:12:19PM -0700, Ben Higgins wrote:
On Sun, Sep 30, 2018 at 10:47 AM Peter Wu <peter () lekensteyn nl> wrote:Hi all, Earlier this year, Ben Higgins proposed a new pcapng block to store SSL/TLS session secrets that would allow users to enable decryption of packet traces without further configuration. I would like to solicit for some feedback on this proposed specification update: https://github.com/pcapng/pcapng/pull/54 Among the open spec issues: - Are you happy with the chosen identifiers (10 for block type and 0x544c534b ("TLSK") for the TLS key log secret type). - Rename the block from the original proposal (it seems based on "IDB", but "Decryption Secrets Block (DSB)" sounds better to me).Both these sound good to me. - Is there a use case for multiple secret blocks?Certainly if you have different secret block types (so you might need one of each).
Anders suggested having a TLV (which is present in the current proposal). If that was hypothetically extended with support for multiple TLVs, then multiple secrets could be stored in a single DSB. Though that brings more complexity for the consumer and might not be worth it.
Even for the same type it'd make it easier on producers that might not know the length of all secrets up front (i.e. it's filling up a buffer as it goes and spitting out a secret block once the buffer's full).
This is indeed a valid concern, and is a reason why the current spec text allows multiple blocks.
- For multiple secret blocks, is concatenation a good merge strategy?Concatenation should work fine among TLSK blocks assuming all blocks have a final newline (or one is inserted if missing during concat; perhaps that needs to be specified).
The newline requirement is specified in the current proposal https://github.com/pcapng/pcapng/pull/54/files#diff-83e833afc268a7be6b36d2b897656e28R1912 There is no explicit text on concatenation though. -- Kind regards, Peter Wu https://lekensteyn.nl ___________________________________________________________________________ Sent via: Wireshark-dev mailing list <wireshark-dev () wireshark org> Archives: https://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
Current thread:
- Re: [pcap-ng-format] Proposal for storing decryption secrets in a pcapng block Ben Higgins (Oct 04)
- Re: [pcap-ng-format] Proposal for storing decryption secrets in a pcapng block Peter Wu (Oct 06)
- Re: [pcap-ng-format] Proposal for storing decryption secrets in a pcapng block Anders Broman (Oct 06)
- Re: [pcap-ng-format] Proposal for storing decryption secrets in a pcapng block Guy Harris (Oct 06)
- Re: [pcap-ng-format] Proposal for storing decryption secrets in a pcapng block Anders Broman (Oct 06)
- <Possible follow-ups>
- Re: [pcap-ng-format] Proposal for storing decryption secrets in a pcapng block Guy Harris (Oct 04)
- Re: [pcap-ng-format] Proposal for storing decryption secrets in a pcapng block Michael Richardson (Oct 05)
- Re: [pcap-ng-format] Proposal for storing decryption secrets in a pcapng block Guy Harris (Oct 06)
- Re: [pcap-ng-format] Proposal for storing decryption secrets in a pcapng block ronnie sahlberg (Oct 06)
- Re: [pcap-ng-format] Proposal for storing decryption secrets in a pcapng block Michael Richardson (Oct 05)
- Re: [pcap-ng-format] Proposal for storing decryption secrets in a pcapng block Peter Wu (Oct 06)