Is it possible to store / record HTTPS client auth traffic as a signed document?

No.

There is an even simpler scenario for this question, without the client certificate.

You ask, given pcapng / tcpdump / wireshark file of the entire communication session between client and server and an SSLKEYLOGFILE dump in NSS Key Log format so you could decrypt the stored traffic, is that proof that the server sent whatever the file says the server sent?

And the answer is no, it is not.

TLS does not provide non-repudiation. The signature is proof that you communicated with the other party, but it is not proof of when the communication took place (because gmt_unix_time is deprecated) and it is not proof of what was communicated, only that the communication took place (possibly without any application data being sent).

After the handshake, both sides have the same symmetric keys for both sides. Both sides can generate a transcript that shows the other side sent, encrypted and authenticated with the expected keys, any data. There is no way to know whether that is true or not.

To achieve non-repudiation, you would need to add a digital signature at the end of the connection, signing a hash of the entire connection until the disconnect message was received. But there is no such feature in TLS.

Alternatively, you would need your friendly local sigint intelligence agency to provide a packet capture file that they certify is authentic, and one of the sides of the communication to provide SSLKEYLOGFILE dump, and then you would know that some packets were really sent in that direction and the cleartext data.


The certificate of the client is only used to authenticate the client. It is not used in key exchange which happens before the client even sends the certificate and proves ownership of the private key. The client certificates is thus neither directly nor indirectly included in the traffic encryption or MAC. This means that capturing the TLS traffic can not be used to proof later that the client has send specific data.

See also a similar question which is about proofing that the server has send something: How to prove some server sent some file over HTTPS. The basic answer is the same: no site is signing the application traffic with their own private key but encryption and MAC are only based on a shared secret created during the key exchange.


See answer by Thomas Pornin at https://crypto.stackexchange.com/questions/5455/does-a-trace-of-ssl-packets-provide-a-proof-of-data-authenticity. Like the other answers here, Thomas Pornin explains that the signature by the client cannot be used to prove anything about the information that the client sent to the server during the session. However, the server may be able to use the signature by the client to prove that the client connected to the server at a specific time.

Tags:

Client

Tls

Related

Does the saying "physical access = game over" apply to smartphones, too? Where to store private and public keys? As a company, how can we prevent penetration testers from compromising our system? After changing Microsoft password, one can still login to previously authenticated Windows devices with old password indefinitely. Why? Should I be using ECDSA keys instead of RSA? How secure is this hash-based personal password scheme? Are password managers more secure than a slightly different password for each website? Security risks of fetching user-supplied URLs Can the Host Header be used to hide the existence of a service? How do unzip programs check if the password is correct? How did the brute-forcers get my IP address so quickly? Does knowing the file type of an encrypted file make it easier to decrypt?

Recent Posts