CloudShark allows users to decrypt SSL traffic within a capture file. RSA keys must be added and managed by an Admin user, and can be shared with other users or groups on a per-key basis.
Admin users can manage RSA keys by visiting the RSA Keys page within the Administration menu. This page displays all of the active RSA keys on the system, and allows Admin users to add, delete, and edit RSA keys.
Adding RSA keys
RSA keys can be added to CloudShark in unencrypted PEM format or encrypted PKCS#12 format. To add a new RSA key, click Add RSA Key, then click the Keyfile button to select a key to upload. Select the Format of the key and, if you are uploading a PKCS#12 format key, enter the encryption password. This key is stored in plaintext on disk. For more information on how CloudShark stores PKCS#12 keys, please contact firstname.lastname@example.org. The key must be given a name and, optionally, a description. In addition, the key must be made accessible to a single user or to a group.
Using an RSA Key
Once an RSA key has been added, it will be available to those users that have access either by belonging to a group or by themselves owning the key. Read more about how to Decrypt Traffic with CloudShark.
CloudShark provides a central repository for RSA keys for the exclusive purpose of viewing encrypted capture data. RSA Keys may not be downloaded through CloudShark once they have been added. Admin users can choose to make RSA keys accessible for decryption to individual users or groups. An RSA key can only be applied by the users and groups that have been explicitly granted access to that key. Any users with permission to view that capture file can view the decrypted traffic.
This first-of-its-kind system lets Admin users allow other users or groups to view decrypted traffic without having to provide the RSA key(s) to the end users, where the keys may be significantly less secure.
Debugging SSL Decryption
Administrators have the ability to generate an SSL debug log to help them look for issues setting up decryption keys with traffic. Because this debug log can potentially expose private key information, it is only available to members of the Administrator group, and the resulting debug log must be accessed by logging into the underlying OS. It is not delivered via the web.
To make the “debug log” button appear as an admin, you must first apply either an RSA Key or Client Keylog to the capture file, apply the changes, and then re-open the Decrypt SSL dialog box.
RSA Key Storage
All RSA keys are ultimately stored on the CloudShark Appliance file system and only readable by the cloudshark OS user that does the actual decryption. A CloudShark web user does not normally have OS access.
Users should take all the normal security precautions they would for any server that has a key stored on the file system. There is always some risk that the base OS is compromised.
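
One way to verify the storage property described above, that key files are readable only by the OS account that performs decryption. This is an added example, not CloudShark code; the function names are hypothetical, the key directory path is not given on this page and must be supplied by the administrator, and the demo files are constructed placeholders.

```python
import os
import stat
import tempfile


def audit_key_store(key_dir, owner_uid):
    """Return (path, problem) pairs for entries not private to owner_uid."""
    findings = []
    entries = [key_dir]
    # os.walk does not descend into symlinked directories by default
    for root, dirs, files in os.walk(key_dir):
        entries += [os.path.join(root, n) for n in dirs + files]
    for path in entries:
        st = os.lstat(path)  # lstat: judge a symlink itself, not its target
        if stat.S_ISLNK(st.st_mode):
            findings.append((path, "symlink (target may live outside the store)"))
            continue
        if st.st_uid != owner_uid:
            findings.append((path, "owned by uid %d" % st.st_uid))
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(
                (path, "mode %04o grants group/other access" % stat.S_IMODE(st.st_mode))
            )
    return findings


def demo():
    """Build a constructed key store with one private and one over-permissive file."""
    store = tempfile.mkdtemp(prefix="keystore-demo-")  # mkdtemp creates it 0700
    good = os.path.join(store, "good.pem")
    bad = os.path.join(store, "bad.pem")
    for path, mode in ((good, 0o600), (bad, 0o644)):
        with open(path, "w") as fh:
            fh.write("constructed placeholder, not a real key\n")
        os.chmod(path, mode)
    return good, bad, audit_key_store(store, os.getuid())


if __name__ == "__main__":
    # On an appliance, pass the real key directory (assumption: supplied by you)
    # and pwd.getpwnam("cloudshark").pw_uid instead of the demo values.
    for path, problem in demo()[2]:
        print(path, "->", problem)
```

Run it as root or as the owning account so every entry can be inspected; an empty result means no entry in the directory is owned by another account or grants group or world access.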