Bitcoin Forum
Author Topic: Decrypt Lightning Node Client Traffic  (Read 117 times)
simpleSliv3r (OP)
September 20, 2023, 08:57:33 AM
Merited by ABCbits (1)
 #1

Hi,

I need to sniff traffic from the p2p Lightning Network and check it using Wireshark or some other packet capture program.
The issue here is that the traffic is encrypted. Is there any node implementation that has some option to extract the key used for encrypting that traffic?

If you know of any other solution to take that traffic and be able to read it without extracting the key from the node, for example doing some man-in-the-middle between the node and the P2P network, please let me know.


Thanks for reading!


Best Regards,
SS
DaveF
September 20, 2023, 01:42:10 PM
Merited by ABCbits (2), simpleSliv3r (2)
 #2

Assuming you are running the node and using LND as an example, in the lnd.conf file you can specify the TLS certificate used:
https://docs.lightning.engineering/lightning-network-tools/lnd/lnd.conf

Not perfect and you won't get everything, but anything connecting to your node can then be read.
As a cheat, if you just want to see what is going on in general you can set up a bunch of nodes that just talk to each other and read all of their traffic.

-Dave

simpleSliv3r (OP)
September 20, 2023, 07:24:27 PM
 #3

> Assuming you are running the node and using LND as an example, in the lnd.conf file you can specify the TLS certificate used:
> https://docs.lightning.engineering/lightning-network-tools/lnd/lnd.conf
>
> Not perfect and you won't get everything, but anything connecting to your node can then be read.
> As a cheat, if you just want to see what is going on in general you can set up a bunch of nodes that just talk to each other and read all of their traffic.
>
> -Dave

Hi Dave,

Thanks for your answer!

Checking the link you provided, I'm only able to see configuration for the TLS certificate on RPC connections.
I don't know if the node will use the same certificate, but I'm looking to read the p2p network messages (gossip protocol). I mean, the messages that are sent between the nodes.
DaveF
September 20, 2023, 08:21:14 PM
 #4

I just read through and did a quick search of
https://github.com/lightning/bolts/blob/master/07-routing-gossip.md
and did not see anything mentioning encryption.

Odd, but you have to have some certificate someplace that you send your side to when they connect.

Didn't check, IS it even encrypted? I mean it's 'pseudo public' information being sent.

-Dave


simpleSliv3r (OP)
September 21, 2023, 07:40:27 AM
Merited by ABCbits (1)
 #5

> I just read through and did a quick search of
> https://github.com/lightning/bolts/blob/master/07-routing-gossip.md
> and did not see anything mentioning encryption.
>
> Odd, but you have to have some certificate someplace that you send your side to when they connect.
>
> Didn't check, IS it even encrypted? I mean it's 'pseudo public' information being sent.
>
> -Dave



I guess it is, for privacy and security reasons.

https://github.com/lightning/bolts/blob/master/08-transport.md

As far as I understand from here, it uses the node ID (a pubkey) to encrypt the traffic.

SS
NotATether
September 21, 2023, 07:51:43 AM
Merited by DaveF (3), simpleSliv3r (3), ABCbits (2)
 #6

> I guess it is, for privacy and security reasons.
>
> https://github.com/lightning/bolts/blob/master/08-transport.md
>
> As far as I understand from here, it uses the node ID (a pubkey) to encrypt the traffic.
>
> SS

It looks like it's a non-standard authentication method, not using TLS but it is using keys on the secp256k1 curve and a form of ECDH called Noise_XK.

In order to get the session key that is generated by this algorithm which encrypts the traffic, you'll have to find a utility which allows you to replicate the Noise_XK key exchange process.

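An added example, not part of any post in this thread and not code from any Lightning implementation: the BOLT 8 key schedule and framing that a tool replicating the Noise_XK exchange has to track once the handshake has finished. It assumes the chaining key left by act three is available from a node you operate; `SAMPLE_CK` is a constructed stand-in, and the function and class names are hypothetical.

```python
import hashlib
import hmac
import struct

ROTATE_AFTER = 1000  # AEAD operations per key, i.e. 500 messages (length + body)

def hkdf(salt: bytes, ikm: bytes) -> tuple:
    """HKDF-SHA256 (RFC 5869) with empty info; 64 bytes returned as two keys."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    t1 = hmac.new(prk, b"\x01", hashlib.sha256).digest()
    t2 = hmac.new(prk, t1 + b"\x02", hashlib.sha256).digest()
    return t1, t2

def split_handshake(init_to_resp: bytes, resp_to_init: bytes) -> dict:
    """Cut the 50/50/66-byte acts off the two directions of a captured stream."""
    if len(init_to_resp) < 116 or len(resp_to_init) < 50:
        raise ValueError("capture does not contain a complete handshake")
    act1, act3, act2 = init_to_resp[:50], init_to_resp[50:116], resp_to_init[:50]
    if act1[0] or act2[0] or act3[0]:
        raise ValueError("unknown handshake version byte")
    return {"initiator_ephemeral": act1[1:34], "responder_ephemeral": act2[1:34],
            "encrypted_static": act3[1:50],
            "initiator_frames": init_to_resp[116:], "responder_frames": resp_to_init[50:]}

def session_keys(ck: bytes, initiator: bool) -> tuple:
    """(send_key, recv_key) derived from the chaining key left by act three."""
    k1, k2 = hkdf(ck, b"")
    return (k1, k2) if initiator else (k2, k1)

class CipherState:
    """Key, chaining key and nonce counter for one direction of the connection."""
    def __init__(self, key: bytes, ck: bytes):
        self.key, self.ck, self.n = key, ck, 0

    def next_op(self) -> tuple:
        """(key, 96-bit nonce) for the next ChaCha20-Poly1305 call, rotating if due."""
        if self.n == ROTATE_AFTER:
            self.ck, self.key = hkdf(self.ck, self.key)  # ck', k' = HKDF(ck, k)
            self.n = 0
        nonce = b"\x00" * 4 + struct.pack("<Q", self.n)  # 32 zero bits + LE counter
        self.n += 1
        return self.key, nonce

    def next_message(self) -> dict:
        """Parameters for one frame: 18-byte encrypted length, then body + 16-byte tag."""
        return {"length": self.next_op(), "body": self.next_op()}

# Constructed stand-in for a chaining key taken from a node you operate.
SAMPLE_CK = hashlib.sha256(b"constructed sample chaining key").digest()
```

Each `(key, nonce)` pair feeds one ChaCha20-Poly1305 call with empty associated data. The chaining key depends on ephemeral ECDH from the handshake, so a passive capture plus the node's static key does not yield these session keys.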
simpleSliv3r (OP)
September 21, 2023, 05:04:21 PM
Last edit: September 21, 2023, 08:40:15 PM by simpleSliv3r
 #7

> It looks like it's a non-standard authentication method, not using TLS but it is using keys on the secp256k1 curve and a form of ECDH called Noise_XK.
>
> In order to get the session key that is generated by this algorithm which encrypts the traffic, you'll have to find a utility which allows you to replicate the Noise_XK key exchange process.

Thank you!

It looks like it. If anyone knows how to do it, it would really help.

SS