About HTTP2 communication decoding with wireshark after running 5GC for a long time

The pcap data communicated when 5GC was just started can be decrypted using the SSL key.
However, the pcap data collected after starting 5GC and communicating many times cannot be decrypted with HTTP2 communication even using the SSL key stored in the directory.
Therefore, I restart 5GC, immediately take a packet capture, and the next time I want to collect pcap, I restart 5GC and collect it again.
Is everyone in the same situation?

Hi,

Although I did not encounter this issue, maybe these links can help:
https://free5gc.org/guide/Trouble_Shooting/#9-decode-h2c-http2-clear-text-without-tls
https://unit42.paloaltonetworks.com/wireshark-tutorial-decrypting-https-traffic/

Hi
I appreciate the responses received earlier, but it seems my issue is somewhat different.

Upon comparing two PCAP files containing TLS v1.3 communication, I noticed the following differences:

PCAP File-A:
Contains TLS handshake packets including the Key Exchange, and this file was successfully decrypted.

PCAP File-B:
Lacks the TLS Key Exchange, containing only Application Data and Continue messages, and could not be decrypted.

From these observations, I concluded that the main reason I couldn’t decrypt the traffic was due to the absence of the complete TLS handshake in the files.

My question is, does free5gc only perform the TLS handshake during the initial Registration of a location, or are there other conditions under which a handshake might occur?

I would greatly appreciate any insights or information you can share on this matter.

Hi,

Do you mind providing those two pcap files?

Hi
Due to our project’s policy, I am unable to share the pcap data I am observing in its original form.
Therefore, I am providing data below that only includes the protocol and Info information extracted from it.

The data collected immediately after restarting the 5GC and performing the first Registration is referred to as pcap-A.
Subsequently, the data collected without restarting the 5GC is referred to as pcap-B. (Note: pcap-A and pcap-B were collected using different UEs.)

pcap-A includes a TLS handshake, which was possible to decrypt. However, pcap-B could not be decrypted.

Most importantly, regarding the pcap data merged from pcap-A and pcap-B, it was possible to decrypt all communications, including the HTTP/2 communications that could not be decrypted from pcap-B alone.

Based on the above, I have understood that the TLS handshake in 5GC occurs only during the first execution of HTTP/2 after startup.
Therefore, when analyzing packet data from subsequent tests, it is necessary to merge this data with the packet data from the first Registration after restarting the 5GC before proceeding with the analysis.

#########################
PCAP File-A: (Contains TLS handshake packets including the Key Exchange, and this file was successfully decrypted.)

NGAP NGSetupRequest
NGAP NGSetupResponse
NGAP/NAS-5GS InitialUEMessage, Registration request
TLSv1.2 Application Data
: :
TLSv1.2 Application Data
TLSv1.3 Client Hello
TLSv1.3 Server Hello, Change Cipher Spec, Application Data, Application Data, Application Data, Application Data
TLSv1.3 Change Cipher Spec, Application Data
TLSv1.3 Application Data
: :
TLSv1.3 Application Data
NGAP/NAS-5GS SACK (Ack=1, Arwnd=16777216) , DownlinkNASTransport, Authentication request
NGAP/NAS-5GS UplinkNASTransport, Authentication response
TLSv1.3 Application Data
: :
TLSv1.3 Application Data
NGAP/NAS-5GS SACK (Ack=2, Arwnd=16777216) DATA (TSN=1) (retransmission) , DownlinkNASTransport, Security mode command
NGAP/NAS-5GS SACK (Ack=2, Arwnd=12288000) , UplinkNASTransport
TLSv1.2 Application Data
: :
TLSv1.2 Application Data
TLSv1.3 Client Hello
TLSv1.3 Server Hello, Change Cipher Spec, Application Data, Application Data, Application Data, Application Data
TLSv1.3 Change Cipher Spec, Application Data
TLSv1.3 Application Data
: :
TLSv1.2 Application Data
TLSv1.3 Client Hello
TLSv1.3 Server Hello, Change Cipher Spec, Application Data, Application Data, Application Data, Application Data
TLSv1.3 Change Cipher Spec, Application Data
TLSv1.3 Application Data
: :
TLSv1.3 Application Data
TLSv1.3 Client Hello
TLSv1.3 Server Hello, Change Cipher Spec, Encrypted Extensions, Certificate, Certificate Verify, Finished
TLSv1.3 Change Cipher Spec, Finished
HTTP2 Magic, SETTINGS[0], WINDOW_UPDATE[0]
HTTP2 HEADERS[1]: POST /namf-comm/v1/subscriptions
HTTP2 SETTINGS[0]
HTTP2/JSON DATA[1], JSON (application/json)
HTTP2 SETTINGS[0]
HTTP2 SETTINGS[0], WINDOW_UPDATE[0]
HTTP2 WINDOW_UPDATE[0]
HTTP2 HEADERS[1]: 201 Created
HTTP2/JSON DATA[1], JSON (application/json)
HTTP2 RST_STREAM[1]
TLSv1.3 Application Data
TLSv1.3 Application Data
NGAP/NAS-5GS SACK (Ack=3, Arwnd=16777216) , InitialContextSetupRequest
NGAP SACK (Ack=3, Arwnd=12288000) , InitialContextSetupResponse
NGAP UERadioCapabilityInfoIndication
NGAP/NAS-5GS UplinkNASTransport
NGAP/NAS-5GS UplinkNASTransport
TLSv1.2 Application Data
: :
TLSv1.2 Application Data
TLSv1.3 Client Hello
TLSv1.3 Server Hello, Change Cipher Spec, Application Data, Application Data, Application Data, Application Data
TLSv1.3 Change Cipher Spec, Application Data
TLSv1.3 Application Data
: :
TLSv1.2 Application Data
TLSv1.3 Client Hello
TLSv1.3 Server Hello, Change Cipher Spec, Application Data, Application Data, Application Data, Application Data
TLSv1.3 Change Cipher Spec, Application Data
TLSv1.3 Application Data
: :
TLSv1.3 Application Data
TLSv1.3 Client Hello
TLSv1.3 Server Hello, Change Cipher Spec, Encrypted Extensions, Certificate, Certificate Verify, Finished
TLSv1.3 Change Cipher Spec, Finished
HTTP2 Magic, SETTINGS[0], WINDOW_UPDATE[0]
HTTP2 HEADERS[1]: POST /namf-comm/v1/ue-contexts/imsi-999002111100301/n1-n2-messages
HTTP2/JSON/NAS-5GS/NGAP DATA[1], JSON (application/json), PDU session establishment accept
HTTP2 SETTINGS[0]
HTTP2 SETTINGS[0], WINDOW_UPDATE[0]
HTTP2 WINDOW_UPDATE[0]
HTTP2 WINDOW_UPDATE[0]
HTTP2 SETTINGS[0]
NGAP/NAS-5GS PDUSessionResourceSetupRequest
HTTP2 HEADERS[1]: 200 OK
HTTP2/JSON DATA[1], JSON (application/json)
NGAP SACK (Ack=4, Arwnd=12288000) , PDUSessionResourceSetupResponse
HTTP2 RST_STREAM[1]
TLSv1.3 Application Data
: :
TLSv1.3 Application Data
NGAP/NAS-5GS UplinkNASTransport
TLSv1.3 Application Data
: :
TLSv1.3 Application Data
NGAP/NAS-5GS SACK (Ack=9, Arwnd=16777216) , PDUSessionResourceReleaseCommand
NGAP PDUSessionResourceReleaseResponse
NGAP/NAS-5GS UplinkNASTransport
NGAP/NAS-5GS UplinkNASTransport
TLSv1.3 Application Data
: :
TLSv1.3 Application Data
HTTP2 HEADERS[3]: POST /namf-callback/v1/smContextStatus/imsi-999002111100301/1
HTTP2/JSON DATA[3], JSON (application/json)
HTTP2 WINDOW_UPDATE[0]
HTTP2 HEADERS[3]: 204 No Content
TLSv1.3 Application Data
: :
TLSv1.3 Application Data
NGAP SACK (Ack=12, Arwnd=16777216) DATA (TSN=5) (retransmission) , UEContextReleaseCommand
NGAP SACK (Ack=6, Arwnd=12288000) , UEContextReleaseComplete
TLSv1.3 Application Data
: :
TLSv1.3 Application Data
#########################

#########################
PCAP File-B: (Lacks the TLS Key Exchange, containing only Application Data and Continue messages, and could not be decrypted.)
NGAP/NAS-5GS/NAS-5GS InitialUEMessage, Registration request, Registration request
NGAP/NAS-5GS SACK (Ack=0, Arwnd=16777216) , DownlinkNASTransport, Identity request
NGAP/NAS-5GS UplinkNASTransport, Identity response
TLSv1.2 Application Data
: :
TLSv1.2 Application Data
NGAP/NAS-5GS SACK (Ack=1, Arwnd=16777216) , DownlinkNASTransport, Authentication request
NGAP/NAS-5GS UplinkNASTransport, Authentication failure (ngKSI already in use)
NGAP/NAS-5GS SACK (Ack=2, Arwnd=16777216) , DownlinkNASTransport, Authentication request
NGAP/NAS-5GS UplinkNASTransport, Authentication response
TLSv1.2 Application Data
: :
TLSv1.2 Application Data
NGAP/NAS-5GS SACK (Ack=3, Arwnd=16777216) , DownlinkNASTransport, Security mode command
NGAP/NAS-5GS UplinkNASTransport
TLSv1.2 Application Data
: :
TLSv1.2 Application Data
NGAP/NAS-5GS SACK (Ack=4, Arwnd=16777216) , InitialContextSetupRequest
NGAP UERadioCapabilityInfoIndication
NGAP/NAS-5GS InitialContextSetupResponse, UplinkNASTransport
NGAP/NAS-5GS UplinkNASTransport
TLSv1.2 Application Data
: :
TLSv1.2 Application Data
NGAP/NAS-5GS SACK (Ack=8, Arwnd=16777216) , PDUSessionResourceSetupRequest
TLSv1.2 Application Data
: :
TLSv1.2 Application Data
NGAP PDUSessionResourceSetupResponse
TLSv1.2 Application Data
: :
TLSv1.2 Application Data
NGAP/NAS-5GS UplinkNASTransport
TLSv1.2 Application Data
: :
TLSv1.2 Application Data
NGAP/NAS-5GS SACK (Ack=10, Arwnd=16777216) , PDUSessionResourceReleaseCommand
NGAP/NAS-5GS UplinkNASTransport
TLSv1.2 Application Data
: :
TLSv1.2 Application Data
NGAP/NAS-5GS PDUSessionResourceReleaseResponse, UplinkNASTransport
TLSv1.2 Application Data
TLSv1.2 Application Data
NGAP SACK (Ack=13, Arwnd=16777216) , UEContextReleaseCommand
NGAP UEContextReleaseComplete
TLSv1.2 Application Data
: :
TLSv1.2 Application Data
#########################

Hi,

After tracing some of the AMF source code, I find that free5GC implements SBI message transfer with the Golang standard library net/http, which supports HTTP functionality along with TLS. Therefore, I would suggest you refer to the official documents and source code if this issue is caused by a lack of TLS packets.

Also, to debug the TLS decryption problem, I recommend that you write the details of the decryption process to a log file by adding a TLS debug file in Edit->Preferences->Protocols->TLS in Wireshark.

Lastly, if this issue does matter and the security of SBI message transfer is not your concern, you can configure NFs to transfer HTTP messages in clear text.

Hi,

Thank you for your input. As you pointed out, I have also been using Wireshark’s Edit->Preferences->Protocols->TLS feature to decode TLS into HTTP2 for debugging purposes. I was puzzled about the existence of pcap files that could be analyzed and those that could not.

Upon further investigation, I discovered that after restarting the 5GC, a TLS handshake is performed only during the first communication. Subsequent communications continue to use the same key, which is why pcap files from the second communication onwards could not be analyzed independently.

At this point, I do not consider this behavior of 5GC to be a problem. I understand that it is recommended to change keys after a certain period for security reasons, but my interest was not in this aspect.

Considering a commercial environment, 5GC should ideally operate in a mode with TLS. Therefore, I intend to use similar settings in the debugging environment, analyzing while decoding. If there were no means to decode, as you suggested, I would consider switching to HTTP messages. However, this investigation revealed that analysis is possible by merging the pcap of the initial communication’s TLS handshake. Thus, I plan to operate in TLS mode and merge the handshake part of the first communication for analysis when necessary.
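
Added example, not part of the thread and not free5GC code: Wireshark looks up secrets in the key log by the random value of the Client Hello, so a capture that starts after the handshake has nothing to look up even when the key log is complete. The sketch below reproduces the pcap-A / pcap-B / merged result from the posts above on constructed data; the connection name, the random values and the `(connection, client_random)` record shape are assumptions.

```python
import re

# NSS key log line: <LABEL> <client_random, 32 bytes hex> <secret hex>
KEYLOG_LINE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]{64}) ([0-9a-fA-F]+)$")

def keylog_randoms(text):
    """Return {client_random_hex: set(labels)} from an NSS-format key log."""
    out = {}
    for line in text.splitlines():
        m = KEYLOG_LINE.match(line.strip())
        if m:  # comments and blank lines do not match and are skipped
            out.setdefault(m.group(2).lower(), set()).add(m.group(1))
    return out

def classify(records, keylog_text):
    """records: (connection, client_random or None) per TLS record in a capture.
    Returns {connection: 'decryptable' | 'no_handshake' | 'no_key'}."""
    keys = keylog_randoms(keylog_text)
    hello = {}
    for conn, rnd in records:
        hello.setdefault(conn, None)
        if rnd:  # only a Client Hello carries the random
            hello[conn] = rnd.lower()
    result = {}
    for conn, rnd in hello.items():
        if rnd is None:
            result[conn] = "no_handshake"   # capture began after the handshake
        elif rnd in keys:
            result[conn] = "decryptable"
        else:
            result[conn] = "no_key"         # handshake seen, secrets not logged
    return result

# Constructed sample data (not taken from the thread's captures).
R1 = "11" * 32  # random of the Client Hello captured in pcap-A
R2 = "22" * 32  # random of a handshake whose secrets were never logged
KEYLOG = "\n".join([
    "# constructed key log",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {R1} {'aa' * 32}",
    f"SERVER_HANDSHAKE_TRAFFIC_SECRET {R1} {'bb' * 32}",
    f"CLIENT_TRAFFIC_SECRET_0 {R1} {'cc' * 32}",
    f"SERVER_TRAFFIC_SECRET_0 {R1} {'dd' * 32}",
])
CONN = "10.0.0.1:40000>10.0.0.2:8000"  # hypothetical long-lived SBI connection
PCAP_A = [(CONN, R1), (CONN, None)]    # Client Hello, then Application Data
PCAP_B = [(CONN, None), (CONN, None)]  # Application Data only

if __name__ == "__main__":
    print("pcap-B alone:", classify(PCAP_B, KEYLOG))
    print("merged A+B:  ", classify(PCAP_A + PCAP_B, KEYLOG))
```
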