Using Wireshark to verify encryption

https://sh.itjust.works/post/22796083


I am trying to use wireshark to verify that my outgoing rsync is encrypted. I can easily see that the SSH protocol packets are reported as “Encrypted packet.” The other packets being exchanged are TCP packets, I am not sure how to actually verify if these are encrypted, and if not, if they contain anything sensitive. Should TCP be encrypted? Can they leak anything when facilitating the ssh connection? How can I tell?

TCP is on a lower level than SSH, usually SSH uses TCP as its underlying transport layer. TCP as such is not encrypted, but it can of course be used to transport encrypted data.

Are those packages not part of the same SSH connection according to Wireshark?

It looks like everything is in 1 stream, maybe that answers your question? I am capturing traffic only on port 22 briefly while the rsync is running to look at the packets

If the timestamps line up, maybe Wireshark just doesn’t manage to understand the entire exchange. What could happen is that Wireshark sees the SSH handshake, and after that it might become just encrypted gibberish due to the encryption. In that case the SSH traffic could just show up as “some kind of TCP”.

Do you see an SSH handshake, followed by random crop on the same ports?

I'm a little knowledgeable with this stuff but I do not know how to see the “handshake” itself, but maybe this is synonymous with what I am doing:

Right click any of the packets (TCP or SSH) > Follow > TCP stream

From there I can see some info about the SSH protocol and connection, as well as the 2 devices communicating (operating systems used), followed by random gibberish which is the encrypted data.

When I analyze the TCP packet “frames”, they contain data including the motherboard manufacturer, but the packets themselves look like it's just gibberish.

Thanks by the way for trying to help me :)

Well, if

  • Wireshark identifies it as a single stream
  • Wireshark sees gibberish “TCP” and not an SSH connection
  • The gibberish comes after the SSH stuff that you could see (the stuff in there is going to be the handshake, my bad, that is a bit of a technical term)

Then we can be quite confident that your connection is indeed encrypted!

    And of course, you’re welcome!

    I think SSH almost always uses a cipher by default. If you’re concerned about the security of it, or really do want to check the bytes are encrypted, then I wrote more about it in my long spoiler.

    spoiler

    For your concerns, it sounds like the fear is that packets being sent may contain the exact bytes found in the files. This should be mostly easy to check: just sync a very small file with a known set of bytes, and if matching bytes are seen in the packets, it's not encrypted. A goal of encryption is to have encrypted data appear as high-entropy random data. As an example, a Caesar cipher does not look like random data and can easily be broken. In other words, if the cipher is good, the packets should look like they contain random bytes and not look related to the bytes in the file at all. The SSH protocol uses a set of ciphers, and it's possible to specify which cipher should be used. In my opinion, I like cryptosystems that are being used on blockchains because they're live proof that the cipher and implementation are secure enough to keep over a trillion dollars in value safe. Though, blockchains are commonly focused on asymmetric key pairs that I think seem riskier when compared to their symmetric counterparts. (Though, I don't think there's really evidence to support that they are riskier.) I think SSH, and many protocols like HTTPS, will commonly start with an asymmetric encryption method, then switch to a symmetric system (for either security or performance reasons). There are technically methods to disable and not use encryption for SSH, but I don't think these are included with clients, and they are not defaults. Anyway, I think what you are trying to do is take already encrypted files and transfer them to a server for storage. SSH uses encryption in the transfer process, but that's decrypted at the server side. If the server is being used for storage, then it sounds like you want the data to be encrypted where it's stored. This shouldn't be difficult to verify: just check that the files stored on the server are encrypted. (The bits and bytes of the files should not match the unencrypted version from the sending device.)

    Caesar cipher - Wikipedia
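The two checks this thread converges on can be automated. The earlier reply points out that TCP is only the carrier and SSH rides inside it; the last reply suggests syncing a tiny file with known bytes and looking for those bytes in the packets, and notes that good ciphertext looks like high-entropy random data. The script below (an added example, not code posted by anyone in the thread) walks a classic libpcap capture down the layers Ethernet → IPv4 → TCP, gathers the TCP payloads, and reports whether the known marker appears verbatim and how many bits of entropy per byte the payloads carry. The capture it analyses is constructed in memory from made-up frames (addresses, ports, the `SSH-2.0-ConstructedClient` banner and the `SECRET-MARKER` bytes are all sample values); to use it on a real session, save the capture in classic pcap format (tcpdump's default; Wireshark saves pcapng unless told otherwise) and pass its bytes to `analyze`.

```python
"""Added example: does a capture of an rsync-over-SSH session leak the file's bytes?

Parses a classic libpcap file (Ethernet / IPv4 / TCP), collects the TCP payloads and
reports (a) whether a known marker from the synced test file appears in clear and
(b) the Shannon entropy of the payload bytes. All data below is constructed.
"""
import hashlib
import math
import struct
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4      # little-endian, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = b"\x08\x00"
IPPROTO_TCP = 6


def build_pcap(payloads, sport=40000, dport=22):
    """Wrap each payload in a constructed Ethernet/IPv4/TCP frame and emit a pcap.

    Checksums are left at zero; this is only to exercise the parser offline."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for i, payload in enumerate(payloads):
        # TCP header: ports, seq, ack, data offset 5 words, flags PSH|ACK, window, csum, urg
        tcp = struct.pack("!HHIIBBHHH", sport, dport, i * 1000, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), i, 0, 64, IPPROTO_TCP, 0,
                         bytes([192, 168, 1, 10]), bytes([192, 168, 1, 20]))
        frame = b"\xaa" * 6 + b"\xbb" * 6 + ETHERTYPE_IPV4 + ip + tcp  # dst MAC, src MAC, type
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame  # record header
    return bytes(out)


def tcp_payloads(pcap_bytes):
    """Yield (src_port, dst_port, payload) for every IPv4/TCP frame in the capture."""
    (magic,) = struct.unpack_from("<I", pcap_bytes, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("only little-endian classic pcap is handled (not pcapng)")
    offset = 24  # skip the global header
    while offset + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack_from("<IIII", pcap_bytes, offset)
        frame = pcap_bytes[offset + 16: offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != ETHERTYPE_IPV4:
            continue                         # not IPv4, nothing to look at here
        ihl = (frame[14] & 0x0F) * 4         # IPv4 header length in bytes
        if frame[23] != IPPROTO_TCP:
            continue                         # TCP is the layer SSH rides on
        (total_len,) = struct.unpack_from("!H", frame, 16)
        tcp = frame[14 + ihl: 14 + total_len]
        src, dst = struct.unpack_from("!HH", tcp, 0)
        data_off = (tcp[12] >> 4) * 4
        yield src, dst, tcp[data_off:]       # everything after the TCP header is payload


def shannon_entropy(data):
    """Bits per byte: plain text sits around 4-5, good ciphertext approaches 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def analyze(pcap_bytes, known_marker):
    """Report whether the marker leaks in clear and how random the payloads look."""
    blob = bytearray()
    packets = 0
    leaking = []
    for idx, (src, dst, payload) in enumerate(tcp_payloads(pcap_bytes)):
        packets += 1
        blob += payload
        if known_marker in payload:
            leaking.append(idx)
    return {"packets": packets, "leaked": bool(leaking),
            "leaking_packets": leaking, "entropy": shannon_entropy(bytes(blob))}


def pseudo_random(n, seed=b"constructed-seed"):
    """Deterministic stand-in for ciphertext (a SHA-256 chain), so the example is repeatable."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed sample data. The SSH identification string really is sent in clear,
# which is why Wireshark can label the first packets "SSH" before the traffic turns to gibberish.
KNOWN_MARKER = b"SECRET-MARKER-0123456789"
BANNER = b"SSH-2.0-ConstructedClient\r\n"
UNENCRYPTED_CAPTURE = build_pcap([BANNER, KNOWN_MARKER * 4])           # file bytes on the wire
CIPHERTEXT = pseudo_random(4096)
ENCRYPTED_LIKE_CAPTURE = build_pcap(
    [BANNER] + [CIPHERTEXT[i:i + 512] for i in range(0, len(CIPHERTEXT), 512)])

if __name__ == "__main__":
    for name, cap in (("plaintext", UNENCRYPTED_CAPTURE), ("encrypted", ENCRYPTED_LIKE_CAPTURE)):
        print(name, analyze(cap, KNOWN_MARKER))
```

The interesting outcome is the combination: a marker hit with low entropy means the file bytes left the machine in clear; no hit with entropy near 8 bits per byte, after a clear-text `SSH-2.0-` banner, is what an encrypted SSH session looks like in a capture. Entropy alone is not proof (compressed files also score high), which is why the known-marker test is the primary check.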