ja3 & ja3s with resumed tls

Zeek
1

Hi,

I'm researching ja3 and ja3s tls signatures.

With resumed tls connections there is no complete

handshake etc. Does it make sense to calculate a ja3

on resumed tls ?

Regards,

Daniel

2

Hi Daniel,

unless I am missing something, there should be no difference in the signature of a resumed and a new connection for JA3. I don’t remember them hashing anything in that has to do with session resumption.

Johanna

3

Hi Johanna

I was thinking the same but after the results i became insecure about this.
I have attached 2 examples.

Daniel

Example 1

resumed false

{
    "cipher": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "established": true,
    "client_cert_chain_fuids": "[]",
    "curve": "secp256r1",
    "issuerdn": "CN=DigiCert ECC Secure Server CA,O=DigiCert Inc,C=US",
    "ja3s": "7d3eb4120cd50e889bcd3f3783be0f82",
    "subject": "CN=*.adnxs.com,O=AppNexus\\, Inc.,L=New York,ST=New York,C=US",
    "cert_chain_fuids": [
      "FwvSeKet5kqNoujSf",
      "FNxask2v3HjNVTB5ff"
    ],
    "dest_asname": "AppNexus, Inc",
    "next_protocol": "http/1.1",
    "type": "tls",
    "version": "TLSv12",
    "sni": "ib.adnxs.com",
    "src_ip": "192.168.1.93",
    "src_port": 58443,
    "uid": "Cfc50Q1EnIW0GAYWch",
    "dest_ip": "37.252.172.40",
    "validation_status": "ok",
    "resumed": false,
    "ja3": "b20b44b18b853ef29ab773e921b03422",
    "dest_port": 443,
    "timestamp": "2018-12-16T17:16:44.801Z"
  }

next resumed true

{
    "cipher": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "established": true,
    "ja3s": "02bdc318d9f618eea3e10d0a7ba25ba0",
    "dest_asname": "AppNexus, Inc",
    "next_protocol": "http/1.1",
    "type": "tls",
    "version": "TLSv12",
    "sni": "ib.adnxs.com",
    "src_ip": "192.168.1.93",
    "src_port": 58446,
    "uid": "CyYQVc1FuxLDABqxpj",
    "dest_ip": "37.252.172.40",
    "resumed": true,
    "ja3": "334da95730484a993c6063e36bc90a47",
    "dest_port": 443,
    "timestamp": "2018-12-16T17:16:45.071Z"
  }

Example 2

resumed false

{
    "cipher": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "established": true,
    "client_cert_chain_fuids": "[]",
    "curve": "secp256r1",
    "issuerdn": "CN=DigiCert ECC Secure Server CA,O=DigiCert Inc,C=US",
    "ja3s": "cabc8aadc20a64fa7156022319d177c0",
    "subject": "CN=*.adnxs.com,O=AppNexus\\, Inc.,L=New York,ST=New York,C=US",
    "cert_chain_fuids": [
      "FCxxdLhSpJHRDMYv4",
      "FYW4Fs3VrkciMfUhc6"
    ],
    "dest_asname": "AppNexus, Inc",
    "next_protocol": "http/1.1",
    "type": "tls",
    "version": "TLSv12",
    "sni": "secure.adnxs.com",
    "src_ip": "192.168.1.93",
    "src_port": 55912,
    "uid": "CvUDsF40fhpESTJlLd",
    "dest_ip": "37.252.172.40",
    "validation_status": "ok",
    "resumed": false,
    "ja3": "5c118da645babe52f060d0754256a73c",
    "dest_port": 443,
    "timestamp": "2018-12-27T15:43:45.898Z"
  }

resumed true
{
    "cipher": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "established": true,
    "ja3s": "93174bff9e6f484d06ff9552fe757554",
    "dest_asname": "AppNexus, Inc",
    "type": "tls",
    "version": "TLSv12",
    "sni": "secure.adnxs.com",
    "src_ip": "192.168.1.93",
    "src_port": 55927,
    "uid": "Ctr8MRZepl9Z0r6E6",
    "dest_ip": "37.252.172.40",
    "resumed": true,
    "ja3": "7b1ac424884b798ca987e3e27b99d1a8",
    "dest_port": 443,
    "timestamp": "2018-12-27T15:43:46.019Z"
  }

4

Hey Daniel! I can help here. So when a TLS session resumes there is still a Client Hello packet, however the details can be different in the resuming hello packet vs the original, producing a different JA3, which will produce a different response from the server and therefore a different JA3S.

Capturing this with JA3 is by design. There could be interesting unique qualities to the resumed negotiations vs the original that could assist in building more complex detections. The fact that Zeek is able to differentiate between new and resumed connections makes it so you can use this data however you want, or ignore it completely. The power of networking metadata is in your hands.

John Althouse

5

So far ..

First I use a mac with firefox to generate pcap (could be something).

The hashing uses the ssl extensions, cipher and version.

The server extensions at the first connection contains all options

the server can use, but on a resumed connection it uses only the

negociated extensions. For this reason the ja3s for a resumed false

is different from a ja3s with resumed true. This is the same for clients.

If the extensions are stored when the tls connection resumed flag

is false. It could be used for a resumed connection, after a check if

one of the offered extensions is used..., to calculate the ja3s.

6

Hi,

I have made a change to the j3s script. It stores the server extensions in a table

with the server_name. When a tls connection is resumed it uses the stored extensions.

Result, resumed tls has the same ja3s as none resumed.

Regards,

Daniel

ja3s.bro:

This Bro script appends JA3S (JA3 Server) to ssl.log

Version 1.0 (August 2018)

This builds a fingerprint for the SSL Server Hello packet based on SSL/TLS version, cipher picked, and extensions used.

Designed to be used in conjunction with JA3 to fingerprint SSL communication between clients and servers.