
JA3 Fingerprint

From EverybodyWiki Bios & Wiki




The JA3 fingerprint, created by John Althouse, Jeff Atkinson and Josh Atkins, is a method of fingerprinting TLS clients from the parameters they send during the TLS handshake. A fingerprint can be computed for both the client and the server side of a connection. The calculation is based on the TLS protocol version, the cipher suites, the TLS extensions and the elliptic curve parameters (supported groups and point formats) that appear in the handshake messages.

The fingerprint is used mainly to identify known client software on the network, in particular to detect known malware families such as Emotet or Trickbot.

Although malware communicates with its command-and-control (C&C) server over an encrypted channel, the handshake messages that negotiate that channel (the ClientHello and the ServerHello) are sent in cleartext, so both the client and the server side can be fingerprinted without decrypting any traffic. The server-side variant is called JA3S, where the letter S denotes that the fingerprint is calculated from the server's reply.

Attributes and representation

To calculate the JA3 fingerprint, the following attributes of the client's ClientHello message are taken, in this precise order:

  • TLS protocol version
  • cipher suites offered, in the order sent
  • TLS extensions present, in the order sent
  • supported elliptic curves (the supported_groups extension)
  • elliptic curve point formats (the ec_point_formats extension)

Each attribute is written as its decimal value; the five fields are separated by commas and the entries within a field by hyphens, and a field is left empty if the corresponding extension is absent. GREASE values, which some clients insert at random positions, are removed before the string is built. The result is a string like:

771,4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53-10,0-23-65281-10-11-35-16-5-13-18-51-45-43-27-21,29-23-24,0

Because the raw string is long and of variable length, IDS/IPS rules and threat-intelligence feeds use its MD5 hash instead. For the string above this gives:

66918128f1b9b03303d77c6f2eefd128

The hash is a much shorter string of constant length (32 hexadecimal digits, i.e. 16 bytes), which is convenient for matching in IDS rules and for exchanging indicators. MD5 is used here purely as an identifier, not for any security property: the fingerprint is nothing more than a compact name for one particular set of handshake parameters.

JA3S attributes and representation

The server-side fingerprint (JA3S) is calculated from the ServerHello with a similar algorithm, except that only the following attributes are used:

  • TLS protocol version
  • the single cipher suite selected by the server
  • TLS extensions present, in the order sent

As with the client-side JA3 hash, the attributes are translated into their decimal representation, giving for example the following string:

769,47,65281-0-11-35-5-16

Applying the MD5 hash function to this string gives:

836ce314215654b5b1f85f97c73e506f

The advantage of using the MD5 hash instead of the raw text is that the hash has the same length regardless of how many cipher suites or extensions are present, since an MD5 digest in hexadecimal is always 32 characters (16 bytes) long. The cost is that a hash can no longer be inspected to see which attributes differ between two clients, and that any change to the ClientHello (a new extension, a different extension order) produces an unrelated hash. A JA3 hash also identifies a TLS library and its configuration rather than a specific program: legitimate software built on the same TLS stack produces the same hash, so a JA3 match is strongest when it is combined with the JA3S of the server reply and with other context about the connection.
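The procedure described in the two sections above (field order, decimal notation, hyphen and comma separators, GREASE removal, MD5 of the result) is shown here as an added worked example in Python. This is not the reference implementation and not code from the page; it parses raw TLS record bytes directly and both sample hello messages are constructed inline, with GREASE values mixed in to show that they do not affect the fingerprint.

```python
"""JA3/JA3S from raw TLS hello bytes. Added example, not the reference implementation."""
import hashlib
import struct

# GREASE values (RFC 8701) are dropped from ciphers, extensions and groups so that a
# client's randomised GREASE entries do not change its fingerprint.
GREASE = {(0x0a + 0x10 * i) * 0x101 for i in range(16)}   # 0x0a0a, 0x1a1a, ... 0xfafa
_join = lambda values: "-".join(str(v) for v in values)    # JA3 list separator
_u16 = lambda data: int.from_bytes(data, "big")            # big-endian 16-bit field


def _u16_list(data: bytes) -> list:
    """Big-endian 16-bit integers; a trailing odd byte is ignored."""
    return [v for (v,) in struct.iter_unpack("!H", data[:len(data) & ~1])]


def _handshake_body(record: bytes, expected_type: int) -> bytes:
    """Strip the 5-byte TLS record header and the 4-byte handshake header."""
    hs = record[5:5 + _u16(record[3:5])]
    if record[0] != 0x16 or hs[0] != expected_type:
        raise ValueError("not the expected TLS handshake message")
    return hs[4:4 + int.from_bytes(hs[1:4], "big")]


def _parse_extensions(data: bytes) -> list:
    """(type, payload) pairs in wire order; the order is part of the fingerprint."""
    exts, pos = [], 0
    while pos + 4 <= len(data):
        etype, elen = struct.unpack("!HH", data[pos:pos + 4])
        exts.append((etype, data[pos + 4:pos + 4 + elen]))
        pos += 4 + elen
    return exts


def ja3_string(client_hello: bytes) -> str:
    """JA3 string: version,ciphers,extensions,supported_groups,ec_point_formats."""
    body = _handshake_body(client_hello, 0x01)
    version = _u16(body[:2])
    pos = 35 + body[34]                            # skip random(32) and session_id
    cs_len = _u16(body[pos:pos + 2])
    ciphers = [c for c in _u16_list(body[pos + 2:pos + 2 + cs_len]) if c not in GREASE]
    pos += 2 + cs_len
    pos += 1 + body[pos]                           # skip compression methods
    ext_types, curves, point_formats = [], [], []
    if pos + 2 <= len(body):                       # extensions block is optional
        ext_len = _u16(body[pos:pos + 2])
        for etype, payload in _parse_extensions(body[pos + 2:pos + 2 + ext_len]):
            if etype in GREASE:
                continue
            ext_types.append(etype)
            if etype == 10:                        # supported_groups: u16 len + u16 list
                curves = [g for g in _u16_list(payload[2:]) if g not in GREASE]
            elif etype == 11:                      # ec_point_formats: u8 len + u8 list
                point_formats = list(payload[1:])
    return ",".join([str(version), _join(ciphers), _join(ext_types),
                     _join(curves), _join(point_formats)])


def ja3s_string(server_hello: bytes) -> str:
    """JA3S string: version,selected cipher,extensions (no curve fields)."""
    body = _handshake_body(server_hello, 0x02)
    version = _u16(body[:2])
    pos = 35 + body[34]
    cipher = _u16(body[pos:pos + 2])
    pos += 3                                       # cipher suite + compression method
    ext_types = []
    if pos + 2 <= len(body):
        ext_len = _u16(body[pos:pos + 2])
        ext_types = [t for t, _ in _parse_extensions(body[pos + 2:pos + 2 + ext_len])]
    return ",".join([str(version), str(cipher), _join(ext_types)])


def fingerprint(ja3_or_ja3s: str) -> str:
    """The published hash is the MD5 of the string: 32 lowercase hex characters."""
    return hashlib.md5(ja3_or_ja3s.encode("ascii")).hexdigest()


def _ext(etype: int, payload: bytes) -> bytes:
    return struct.pack("!HH", etype, len(payload)) + payload


def _record(hs_type: int, body: bytes) -> bytes:
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def sample_client_hello() -> bytes:
    """Constructed TLS 1.2 ClientHello (not a capture) with GREASE cipher, extension and group."""
    ciphers = struct.pack("!4H", 0x0a0a, 0x1301, 0xc02b, 0x002f)
    groups = struct.pack("!3H", 0x1a1a, 0x001d, 0x0017)
    exts = (_ext(0x0a0a, b"")
            + _ext(0, b"\x00\x0e\x00\x00\x0bexample.com")         # server_name
            + _ext(10, struct.pack("!H", len(groups)) + groups)  # supported_groups
            + _ext(11, b"\x01\x00")                               # ec_point_formats
            + _ext(13, b"\x00\x04\x04\x03\x08\x04"))              # signature_algorithms
    body = (b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", len(ciphers)) + ciphers
            + b"\x01\x00" + struct.pack("!H", len(exts)) + exts)
    return _record(0x01, body)


def sample_server_hello() -> bytes:
    """Constructed ServerHello selecting 0xc02b with renegotiation_info and ec_point_formats."""
    exts = _ext(65281, b"\x00") + _ext(11, b"\x01\x00")
    body = (b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", 0xc02b) + b"\x00"
            + struct.pack("!H", len(exts)) + exts)
    return _record(0x02, body)
```

For the constructed ClientHello `ja3_string()` returns `771,4865-49195-47,0-10-11-13,29-23,0` and for the ServerHello `ja3s_string()` returns `771,49195,65281-11`; `fingerprint()` turns either into the 32-character MD5 that IDS rules carry. Extension order is preserved deliberately, since two clients with the same extension set in a different order get different hashes.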

Examples

Tor client:

JA3 = e7d705a3286e19ea42f587b344ee6865 (Tor client)

JA3S = a95ca7eab4d47d051a5cd4fb7b6005dc (Tor server reply)

Trickbot malware:

JA3 = 6734f37431670b3ab4292b8f60f29984 (Trickbot malware)

JA3S = 623de93db17d313345d7ea481e7443cf (Trickbot malware command and control center reply)

Emotet malware:

JA3 = 4d7a28d6f2263ed61de88ca66eb011e3 (Emotet malware)

JA3S = 80b3a14bccc8598a1f3bbe83e71f735f (Emotet malware command and control center reply)
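The following added example (not code from the page or from the JA3 project) shows how the hash pairs listed above are typically used in detection: it reads Zeek `ssl.log` records in JSON form, assuming the `ja3` and `ja3s` fields that the JA3 Zeek package adds, and only raises a high-confidence alert when both the client and the server hash match a known pair. A client hash on its own is reported at low confidence, because other software built on the same TLS stack can produce it. The log lines are constructed for the example and the all-zero JA3S value is a placeholder that matches no indicator.

```python
"""Match JA3/JA3S pairs from Zeek ssl.log (JSON lines) against known indicators.
Added example; log lines are constructed, not a real capture."""
import json
from typing import Optional

# (JA3, JA3S) pairs from the examples above. The server reply narrows a client hash
# that legitimate software built on the same TLS library may also produce.
INDICATORS = {
    ("e7d705a3286e19ea42f587b344ee6865", "a95ca7eab4d47d051a5cd4fb7b6005dc"): "Tor",
    ("6734f37431670b3ab4292b8f60f29984", "623de93db17d313345d7ea481e7443cf"): "Trickbot",
    ("4d7a28d6f2263ed61de88ca66eb011e3", "80b3a14bccc8598a1f3bbe83e71f735f"): "Emotet",
}
CLIENT_ONLY = {ja3: name for (ja3, _ja3s), name in INDICATORS.items()}

# Constructed ssl.log lines (assumed JSON output with the ja3/ja3s fields added by the
# JA3 Zeek package). The all-zero hashes are placeholders that match nothing.
SAMPLE_SSL_LOG = "\n".join([
    '{"ts":1.0,"id.orig_h":"10.0.0.5","id.resp_h":"203.0.113.10",'
    '"ja3":"6734f37431670b3ab4292b8f60f29984","ja3s":"623de93db17d313345d7ea481e7443cf"}',
    '{"ts":2.0,"id.orig_h":"10.0.0.6","id.resp_h":"203.0.113.20",'
    '"ja3":"6734f37431670b3ab4292b8f60f29984","ja3s":"00000000000000000000000000000000"}',
    '{"ts":3.0,"id.orig_h":"10.0.0.7","id.resp_h":"203.0.113.30",'
    '"ja3":"e7d705a3286e19ea42f587b344ee6865","ja3s":"a95ca7eab4d47d051a5cd4fb7b6005dc"}',
    '{"ts":4.0,"id.orig_h":"10.0.0.8","id.resp_h":"203.0.113.40",'
    '"ja3":"00000000000000000000000000000000"}',
])


def classify(ja3: str, ja3s: Optional[str]):
    """Return (confidence, name): 'high' when both hashes match an indicator pair,
    'low' when only the client hash matches (shared TLS stack), None otherwise."""
    if ja3s is not None and (ja3, ja3s) in INDICATORS:
        return "high", INDICATORS[(ja3, ja3s)]
    if ja3 in CLIENT_ONLY:
        return "low", CLIENT_ONLY[ja3]
    return None


def scan(log_text: str) -> list:
    """One alert per matching connection, keeping both hashes for the analyst."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        hit = classify(rec.get("ja3", ""), rec.get("ja3s"))   # ja3s missing if no ServerHello seen
        if hit:
            alerts.append({"orig_h": rec["id.orig_h"], "resp_h": rec["id.resp_h"],
                           "confidence": hit[0], "name": hit[1],
                           "ja3": rec.get("ja3"), "ja3s": rec.get("ja3s")})
    return alerts
```

Run against the sample log, `scan()` yields a high-confidence Trickbot alert for 10.0.0.5, a low-confidence one for 10.0.0.6 (the client hash matches but the server reply does not), a high-confidence Tor alert for 10.0.0.7, and nothing for 10.0.0.8. Treating the low-confidence case as a lead to enrich rather than a verdict is what keeps JA3-based rules usable on a busy network.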

Implementation

Both JA3 and JA3S are implemented as open-source software with the source code available on GitHub. For more information, see the following URL:

Verification

JA3 hashes can be looked up on the ja3er.com website:

This article "JA3 Fingerprint" is from Wikipedia. The list of its authors can be seen in its historical and/or the page Edithistory:JA3 Fingerprint. Articles copied from Draft Namespace on Wikipedia could be seen on the Draft Namespace of Wikipedia and not main one.