These parameters are available since NodeJs version 12 ! Note, you don’t need to use a weaker cipher suite and the tls-cipher-cipher argument, if you use the tls-keylog option. Afterward start listening with Wireshark to capture the traffic and start your code on the device with the following command. With tls-keylog=”” you specify the path for the keylog file. Now you pass the parameter tls-cipher-list=”” to select a supported cipher suite without ECDHE. NodeJs TLS keylog fileĪt first we assume iot-device.js is the file containing device logic. In the following step we look at the decryption process with NodeJs. This file is loaded later into Wireshark to decrypt traffic. This is possible by logging information about that key during communication in a keylog file. The next best thing is the session key used for encrypting the packets. How do we retrieve the decryption key now? If you get your hands on the private key used by Amazon or Microsoft, you are able to decrypt packets but that is rather unlikely. This option alone only works, when you are in possession of the used private key. Now choose one without ECDHE like AES128-SHA which uses RSA as Key Exchange Algorithm. On the official website of Amazon Web Services is a list of all supported Suites. This is because of the PFS feature stated here. In order to decrypt the packets with the private key, you need to downgrade the Cipher Suite to one, which doesn’t use ECDHE as Key Exchange Algorithm. Therefore, we need to ensure the use of a weaker Cipher Suite without PFS, if you have the private key. This means, that even with the private key, we are not able to see plain communication. Therefore, session keys will not be compromised even by capturing the private key because of a new set of Diffie-Hellmann parameters generated upon every session. Cipher Suites and Perfect Forward SecrecyĪWS recommends Cipher Suites like ECDHE-ECDSA-AES128-GCM-SHA256 with an ECDHE Key Exchange Algorithm which has the Perfect Forward Secrecy (PFS) feature. Both solutions use TLS to protect communication whereby this tutorial is applicable to every TLS connection initiated by NodeJs.
In this tutorial, I will show you exactly how to decrypt traffic between your IoT-device and a cloud solution like Azure IoT Hub or AWS IoT Core. But in some cases you want to debug your code and inspect network packets. Traffic between your device and your Cloud Solution is encrypted to protect your data during transport.