SSL Question

Does Bro make the server's prime, the one it sends to a client in the Diffie-Hellman
key exchange, visible?

For example, if a client on my network is talking to an apache server,
would I be able to print the prime the server sends to the client?

I don’t think you mean to ask what you are asking. In regular DH over a finite field, the prime that determines the group is not even secret or terribly interesting.

Stepping back a bit, what are you trying to accomplish?


Right, but the server and client do have to agree on one of the primes
they will end up using, right? I was under the impression that there were
different primes the client and server could decide to use to make a
shared secret.

I am trying to determine if the prime being used is from apache's
mod_ssl. I didn't know if it was possible to use some field available in
the Cert record or another record to determine the prime implicitly
since they are public.

The server message sent to the client, including p, g, and Ys, is available in the event ssl_dh_server_params:

I hope this helps,
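The following script is an added example illustrating the answer above; it is not code from the original thread or from the Bro project. It hooks ssl_dh_server_params (whose arguments are the raw big-endian byte strings p, the generator g passed as q, and the server's public value Ys), records the size and SHA-256 fingerprint of p per connection, and flags connections whose p matches a hex-encoded prime in the assumed, user-populated set known_primes. Two caveats a practitioner would want: the event only fires for finite-field DH suites (DHE and DH_anon); ECDHE negotiations carry a named curve instead and raise ssl_ecdh_server_params, so an ECDHE-only server will never show up here. And the bit size is computed from the byte length, so it is an upper bound if the encoding has leading zero bytes.

```bro
# Added example: log DH server parameters and flag a known prime.
# Not part of the original thread or of Bro itself.
module DHParams;

export {
    redef enum Log::ID += { LOG };

    type Info: record {
        ts:       time    &log;
        uid:      string  &log;
        id:       conn_id &log;
        p_bits:   count   &log;   # byte length of p times 8 (upper bound)
        p_sha256: string  &log;   # fingerprint of the raw prime bytes
        g:        string  &log;   # generator, hex-encoded
        known:    bool    &log &default=F;
    };

    # Hypothetical set of lowercase hex-encoded primes to match against.
    # Populate it with the prime(s) you are hunting for, e.g. the one
    # extracted from your own mod_ssl build; it is empty here on purpose.
    const known_primes: set[string] = {} &redef;
}

event bro_init()
    {
    Log::create_stream(DHParams::LOG, [$columns=Info, $path="dh_params"]);
    }

# Only raised for DHE / DH_anon cipher suites. p, q (the generator g) and
# Ys are the raw values from the ServerKeyExchange message.
event ssl_dh_server_params(c: connection, p: string, q: string, Ys: string)
    {
    local p_hex = to_lower(bytestring_to_hexstr(p));

    local rec: Info = [$ts=network_time(),
                       $uid=c$uid,
                       $id=c$id,
                       $p_bits=|p| * 8,
                       $p_sha256=sha256_hash(p),
                       $g=bytestring_to_hexstr(q),
                       $known=(p_hex in known_primes)];

    Log::write(DHParams::LOG, rec);
    }
```

Run it with `bro -r capture.pcap dh_params.bro` (or on a live interface) and look in dh_params.log; the p_sha256 column lets you compare primes across servers without pasting hundreds of hex digits, and known becomes T once you have added the target prime to known_primes.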

Maybe a better question is, are the parameters negotiated in the client
and server hello available directly in Bro through the SSL::Info record,
X509::Info record, or some other record? Or are they not directly available?

I am trying to determine if a specific prime is being used.

Awesome, that is exactly what I was looking for. Sorry if my question
wasn't clear; I only understand DH at a high level, so my terminology
might not have been consistent with convention.