JA3 Fingerprint
The so-called JA3 fingerprint is a TLS fingerprinting method created by John Althouse, Jeff Atkinson and Josh Atkins. It is derived from attributes of the handshake that sets up the secure connection and can be calculated for both the client and the server side. The calculation is based on the TLS protocol version, the cipher suites, the protocol extensions and the elliptic-curve parameters offered in the handshake.
The fingerprint is used mainly in computer security to detect known behaviour, in particular known malware such as Emotet or Trickbot.
Although malware communicates with its C&C server in encrypted form, the handshake that negotiates that encryption is exchanged in the clear, so fingerprinting is possible for both the client and the server side. The server side uses the JA3S variant, where the letter S denotes that the fingerprint is calculated for the server component.
Attributes and representation
To calculate the JA3 fingerprint, the following attributes of the client's TLS handshake message are included, in this precise order:
- TLS protocol version
- supported cipher suites
- supported protocol extensions
- supported elliptic curves (supported groups)
- supported elliptic curve point formats
By translating all the attributes into their numeric notation, we can get a value like:
771,4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53-10,0-23-65281-10-11-35-16-5-13-18-51-45-43-27-21,29-23-24,0
Because the raw string is long and its length varies from client to client, IDS systems that match fingerprints use its MD5 hash instead. In this case, we get:
66918128f1b9b03303d77c6f2eefd128
This is a much shorter string of constant length (32 hexadecimal digits), which is convenient for IDS rules and fingerprint databases.
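The following added example (not code from the original article or from the JA3 project) parses a raw TLS ClientHello record and builds the five-field JA3 string and its MD5 hash in the order listed above. It also covers two practical details: GREASE values (RFC 8701), which clients insert at random and which JA3 implementations must skip, and the fact that the version field is the ClientHello's legacy version (0x0303, i.e. 771, even for TLS 1.3 clients). The ClientHello is constructed inline by a small builder, so the record is a made-up sample rather than a real capture.

```python
import hashlib
import struct

def is_grease(value: int) -> bool:
    """GREASE values (RFC 8701: 0x0a0a, 0x1a1a, ... 0xfafa) are excluded from JA3."""
    return (value & 0x0F0F) == 0x0A0A and (value >> 8) == (value & 0xFF)

def build_client_hello(version: int, ciphers: list, extensions: list) -> bytes:
    """Build a minimal TLS record carrying a ClientHello (constructed input for this example)."""
    ext_body = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in extensions)
    body = struct.pack(">H", version) + bytes(32) + b"\x00"  # version, random, empty session id
    body += struct.pack(">H", 2 * len(ciphers)) + b"".join(struct.pack(">H", c) for c in ciphers)
    body += b"\x01\x00"  # one compression method (null)
    body += struct.pack(">H", len(ext_body)) + ext_body
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake

def ja3_from_client_hello(record: bytes) -> tuple:
    """Parse a ClientHello record and return (ja3_string, ja3_md5)."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    p = 9  # skip the 5-byte record header and the 4-byte handshake header
    version = struct.unpack_from(">H", record, p)[0]  # legacy version field: 0x0303 -> 771
    p += 2 + 32 + 1 + record[p + 34]  # version, random, length-prefixed session id
    n = struct.unpack_from(">H", record, p)[0]  # cipher suite list length in bytes
    ciphers = [c for c in struct.unpack_from(f">{n // 2}H", record, p + 2) if not is_grease(c)]
    p += 2 + n + 1 + record[p + 2 + n]  # cipher list, then length-prefixed compression methods
    p, ext_end = p + 2, p + 2 + struct.unpack_from(">H", record, p)[0]
    exts, groups, formats = [], [], []
    while p < ext_end:
        ext_type, ext_len = struct.unpack_from(">HH", record, p)
        data, p = record[p + 4:p + 4 + ext_len], p + 4 + ext_len
        if is_grease(ext_type):
            continue
        exts.append(ext_type)
        if ext_type == 10:  # supported_groups: 2-byte list length, then 2-byte curve ids
            count = struct.unpack_from(">H", data)[0] // 2
            groups = [g for g in struct.unpack_from(f">{count}H", data, 2) if not is_grease(g)]
        elif ext_type == 11:  # ec_point_formats: 1-byte list length, then 1-byte format ids
            formats = list(data[1:1 + data[0]])
    ja3 = ",".join("-".join(map(str, xs)) for xs in ([version], ciphers, exts, groups, formats))
    return ja3, hashlib.md5(ja3.encode("ascii")).hexdigest()

# Constructed ClientHello (not a real capture) with a GREASE cipher, extension and curve.
SAMPLE_CLIENT_HELLO = build_client_hello(0x0303, [0x0A0A, 4865, 49195, 49199, 156, 47], [
    (0x1A1A, b"\x00\x00"),                              # GREASE extension, skipped by JA3
    (0, b"\x00\x0e\x00\x00\x0bexample.org"),            # server_name
    (10, b"\x00\x08\x2a\x2a\x00\x1d\x00\x17\x00\x18"),  # supported_groups: GREASE, x25519, P-256, P-384
    (11, b"\x01\x00"),                                  # ec_point_formats: uncompressed
])
```

Running `ja3_from_client_hello(SAMPLE_CLIENT_HELLO)` yields the string `771,4865-49195-49199-156-47,0-10-11,29-23-24,0`; every GREASE value has been dropped while the order of the remaining attributes is preserved, which is what makes the resulting MD5 stable across connections from the same client software.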
Server-side fingerprint (JA3S)
To calculate the server-side fingerprint, a similar algorithm is used, with the difference that only the following attributes of the server's handshake message are included:
- TLS protocol version
- cipher suite support
- protocol extension support
As in the case of the JA3 client-side hash, we translate the attributes into their numeric representation, which results in, for example, the following string:
769,47,65281-0-11-35-5-16
After applying the MD5 hash function on this string, we get:
836ce314215654b5b1f85f97c73e506f
The big advantage of using the MD5 hash instead of the "raw" text is that the hash always has the same length, regardless of how many cipher suites or protocol extensions are supported: the hexadecimal representation of an MD5 hash is always 32 characters long.
Examples
Common TOR client:
JA3 = e7d705a3286e19ea42f587b344ee6865 (TOR client)
JA3S = a95ca7eab4d47d051a5cd4fb7b6005dc (TOR server reply)
Trickbot malware:
JA3 = 6734f37431670b3ab4292b8f60f29984 (Trickbot malware)
JA3S = 623de93db17d313345d7ea481e7443cf (Trickbot malware command and control center reply)
Emotet malware:
JA3 = 4d7a28d6f2263ed61de88ca66eb011e3 (Emotet malware)
JA3S = 80b3a14bccc8598a1f3bbe83e71f735f (Emotet malware command and control center reply)
Implementation
The principle of both JA3 and JA3S has been implemented as open-source software, with the source code available on GitHub. For more information, please see the following URL:
Verification
To verify JA3 hashes, it is possible to use the ja3er.com website:
- https://ja3er.com/ Archived 2021-04-19 at the Wayback Machine