How to find the session keys to use with the matter-dissector Wireshark plugin

[potto216]

Hi I'm trying to decrypt the session data between a matter-node-shell and a matter-device using the matter-dissector Wireshark plugin and cannot find the keys to add to the plugin for decryption. Where should I look for them? Below is what I did.

First I started Wireshark with the matter-dissector to capture the local host traffic between the two matter.js nodes I planned to run with

sudo tshark -i lo -w /mnt/hgfs/WiresharkRemoteCaptures/dumpout.pcap

Then I started the commissioner with:

cd matter.js/packages/matter-node-shell.js/
npm run shell 2

Then I started the socket node with

cd matter.js/packages/matter-node.js-examples/
npm run matter-device -- -type socket -on "echo 255 > /sys/class/leds/led1/brightness" -off "echo 0 > /sys/class/leds/led1/brightness"

Now I commissioned the Node with the command commission pair in the commissioner node
The pairing process completed successfully.

I stopped the capture and when viewing in Wireshark I can see the PASE and CASE commissioning, however I cannot view the encrypted data.

I tried using the value of the privateKey field in
matter.js/packages/matter-node-shell.js/.matter-shell-2/0.RootCertificateManager.rootKeyPair by splitting it in half assuming that is the combined session keys but that did not decrypt the data.

I tried using the value of the sharedSecret field in matter.js/packages/matter-node-shell.js/.matter-shell-2/0.SessionManager.resumptionRecords by splitting it in half assuming that is the combined session keys but that did not decrypt the data.

I also tried the standard test keys (below), but that did not work either.

Initiator-to-Responder Test key: 5EDED244E5532B3CDC23409DBAD052D2
Responder-to-Initiator Test key: A9E011B1737C6D4B70E4C0A2FE660476

Any thoughts on what I should be doing to decrypt the session data? Thanks!

[Apollon77]

Honestly, no idea ... I never used that plugin. But that brings me to the question: Why you need that? Just set loglevel in matter.js to debug and the Logs should show anything you need - at least it logs all relevant stuff, the already decoded Tlv streams and also data as decoded and before being encoded.

Why te plugin is needed? ;-)

[potto216]

The plugin is needed because I am interested in using Matter.js as a flexible way to generate point of comparison captures with over the air captures especially when commissioning is done. @Apollon77 I tried your logging suggestion and ran programs with the logging level as debug by running
npm run matter-device -- -type socket -on "echo 255 > /sys/class/leds/led1/brightness" -off "echo 0 > /sys/class/leds/led1/brightness" -loglevel debug

and running the command config loglevel set debug in npm run shell 2

Although more logging information was generated, the session keys were not included.

Section 4.13.2.6. of the Matter Core spec describes the input key material that is used to generate the session keys. At least some of the input key material is in the .device-node directory, but it is unclear if the session keys are available there. @Apollon77 do you have recommendations on how to determine if the session keys are being written (or can be written)?

[Apollon77]

I also did not said that the session key is logged, I just say that the debug log provides decoded information, but if you really want to decode via Wireshark then ... hhmmm ... you could check the code and add logs to log the session data. normally session keys are considered security relevant so I do not see any benefit to log them anywhere ;-)

Somewhen later we plan to persist sessions for reasons and they we might store the data, but it is not in yet

[potto216]

Okay great. I'll take that approach and leave the question open so I can post how I did the logging in case others want to do the same. BTW thanks for the efforts you and the other contributors have made to grow matter.js into an impressive suite of code.

[potto216]

To print the session keys edit the function static async create<T> in the file
/matter.js/packages/matter.js/src/session/SecureSession.ts in static async create(args: {

after this line:

matter.js/packages/matter.js/src/session/SecureSession.ts

Line 77 in 0fb5578

const attestationKey = keys.slice(32, 48);

add the logging statement

logger.debug(`Session keys for ${isResumption ? "resumption" : "establishment"}: decrypt=${decryptKey.toHex()}, encrypt=${encryptKey.toHex()}, attestation=${attestationKey.toHex()}`,
);

When performing commissioning and working with the node, multiple session key logs will be created. They will look like:

2024-02-14 18:13:29.055 DEBUG SecureSession        Session keys for establishment: decrypt=be3f6f29d4557ee7332cf960e92f8226, encrypt=cf4838d0465ad7a71ae1635a90639fd6, attestation=86eaf1de655cea2dafa29d6dd6231f53

To decrypt the Matter capture in Wireshark take only the hex values from decrypt and encrypt and enter these keys from all of the session key log lines as described in the section
Manually adding Encryption Keys

The Matter messages will then be decrypted.