Use Handshake Data to create TLS Fingerprints

https://commons.wikimedia.org/wiki/File:Fingerprint_picture.svgWhile the whole world busily works on the next round of the Crypto Wars, the smart people work on actual information security. TLS has always been in the focus of inspection. Using on-the-fly generated certificates to look inside is a features of many gadgets and filter applications. Peeking at the data is moot if you control either the server or the client. If you have to break TLS on purpose (hopefully) inside your own network, you probably have to deal with software or system you cannot control. In this case TLS is the least of your security problems. Dealing with a lot of network traffic often uses a metadata approach in order not to process gigantic amounts of data. Enter TLS fingerprinting.

The TLS handshake contains a lot of parameters such as version numbers, cipher suites, extensions, elliptic curve options, and their order. Additionally you can look at messages sizes and timestamps. Measuring this data and hashing it makes for a nice identification metric. This technique called TLS fingerprinting. There exist some publications describing implementations and ways to obtain fingerprint data sets from either live traffic or captured data. Examples are JA3/JA3S, TLS Fingerprinting by Lee Brotherston, research by Cisco, or using the fingerprints in applications. There are databases published with known fingerprint values. You can also use the JA3 web site to see the hash your TLS client produces.

The Secure Linux Administration Conference (SLAC) 2019 will feature a presentation about this topic held by René Pfeiffer. In case you attend SLAC, have a look. Otherwise you should play with the implementations. The JA3 GitHub page has a list of them.

Tags: , ,

Leave a Comment