PAS-5: Replace observed Cipher Suites with Human Readable versions

Issue Information

Issue Type: New Feature
 
Priority: Major
Status: Closed

Reported By:
Ben Tasker
Assigned To:
Ben Tasker
Project: PCAP Analysis Script (PAS)
Resolution: Done (2015-11-27 13:13:38)
Affects Version: 0.1,
Target version: 0.1,
Components: Reports , SSL/TLS ,
Labels: HTTPS, TLS,

Created: 2015-11-22 10:38:41
Time Spent Working
Estimated:
 
45 minutes
Remaining:
  
6 minutes
Logged:
  
39 minutes


Description
At the moment, TLS/SSL information extracted from the handshake is stored as follows 
0xc02b,0xc02f,0x009e,0xc00a,0xc009,0xc013,0xc014,0x0033,0x0039,0x009c,0x002f,0x0035,0x000a

Which, while compact, isn't particularly helpful for a human reader. Entries should be replaced with the Human readable version

For example, 
0xc02b = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
0xc02f = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
0xc00a = TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
0xc013 = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
0xc014 = TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
0x0088 = TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA

Need to look up the others though


Issue Links

RFC 5246 Appendix A.5
RFC 4492 Section 6
Hex to Human Readable Cipherlist (Projects Static)
RFC 5288 Section 3
RFC 5289 Section 3
RFC 7251 Section 2
RFC 4785 Section 3
Toggle State Changes

Activity


2015-11-22 10:38:53
btasker added 'HTTPS' to labels

2015-11-22 10:39:00
btasker changed labels from 'HTTPS' to 'HTTPS TLS'

2015-11-24 14:41:48
The values for each ciphersuite are listed in RFC 5246 Appendix A.5 so we can pull from there

2015-11-24 14:44:48
Eliptic Curve based cipher suites were added in TLS1.2 and are defined in RFC 4492 Section 6

2015-11-24 15:01:17
So, the values defined in RFC 4492 give us 
0xC001 = TLS_ECDH_ECDSA_WITH_NULL_SHA
0xC002 = TLS_ECDH_ECDSA_WITH_RC4_128_SHA
0xC003 = TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
0xC004 = TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA 
0xC005 = TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
0xC006 = TLS_ECDHE_ECDSA_WITH_NULL_SHA 
0xC007 = TLS_ECDHE_ECDSA_WITH_RC4_128_SHA 
0xC008 = TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
0xC009 = TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
0xC00A = TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
0xC00B = TLS_ECDH_RSA_WITH_NULL_SHA 
0xC00C = TLS_ECDH_RSA_WITH_RC4_128_SHA
0xC00D = TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
0xC00E = TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
0xC00F = TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
0xC010 = TLS_ECDHE_RSA_WITH_NULL_SHA
0xC011 = TLS_ECDHE_RSA_WITH_RC4_128_SHA
0xC012 = TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
0xC013 = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
0xC014 = TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
0xC015 = TLS_ECDH_anon_WITH_NULL_SHA
0xC016 = TLS_ECDH_anon_WITH_RC4_128_SHA
0xC017 = TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
0xC018 = TLS_ECDH_anon_WITH_AES_128_CBC_SHA
0xC019 = TLS_ECDH_anon_WITH_AES_256_CBC_SHA

I'll start implementing something used for those first, so that it can be tested and the grab the rest from RFC 5246

2015-11-24 15:07:50
btasker changed status from 'Open' to 'In Progress'

2015-11-24 15:23:24
Replacement of the EC ciphersuites as been implemented, using the following command to build sed expressions from the file at http://projectsstatic.bentasker.co.uk/PAS/PAS5-Humanise_ciphersuite_output/ciphersuite_list.txt 
wget -q -O - "http://projectsstatic.bentasker.co.uk/PAS/PAS5-Humanise_ciphersuite_output/ciphersuite_list.txt" | egrep -v -e "^#" | while read -r line; do hex=$(echo "$line" | cut -d\= -f1); str=$(echo "$line" | cut -d\= -f2); echo "-e 's/$hex/$str/gi' \\"; done

Test is still running, but looks OK so far. Will work on building a list of the other suites from RFC 5246

2015-11-24 15:38:28
Have updated the list in projectsstatic and regenerated the list of cipher replacements. Test run going at the moment, if all goes well will commit the change

2015-11-24 15:38:31
btasker changed status from 'In Progress' to 'Open'

2015-11-24 15:38:54
btasker changed timespent from '0 minutes' to '30 minutes'

2015-11-24 15:53:54
Current version seems to work, though I've missed RFC 5288 (doi) so some suites still aren't being replaced. Probably missed a couple of other RFCs too but the concept at least seems to be working

Committing current build and will dig out the other details shortly

2015-11-24 15:55:42

Repo: PCAPAnalyseandReport
Commit: 0eac1dd8b4012c04ae5564d4a791716a8eda3a78
Author: Ben Tasker <github@<Domain Hidden>>

Date: Tue Nov 24 15:35:38 2015 +0000
Commit Message: Humanised Eliptic Curve related ciphers for PAS-5



Modified (-)(+)
-------
PCAP_Analysis.sh




Webhook User-Agent 

GitHub-Hookshot/333881f


View Commit


2015-11-24 15:55:42

Repo: PCAPAnalyseandReport
Commit: f99ab0c333b39597394fcc3d617f2e5fe680a17f
Author: Ben Tasker <github@<Domain Hidden>>

Date: Tue Nov 24 15:52:01 2015 +0000
Commit Message: Humanised RFC5246 ciphersuites. See PAS-5



Modified (-)(+)
-------
PCAP_Analysis.sh




Webhook User-Agent 

GitHub-Hookshot/333881f


View Commit


2015-11-24 16:03:05
btasker changed status from 'Open' to 'In Progress'

2015-11-24 16:09:41

Repo: PCAPAnalyseandReport
Commit: e9b5b538d870dce84afe7376b5f2df7fb75b7556
Author: Ben Tasker <github@<Domain Hidden>>

Date: Tue Nov 24 16:09:24 2015 +0000
Commit Message: Added translation of RFC5288 and RFC5289 ciphersuites. See PAS-5



Modified (-)(+)
-------
PCAP_Analysis.sh




Webhook User-Agent 

GitHub-Hookshot/333881f


View Commit


2015-11-24 16:12:46
Support for RFC5288 and RFC5289 Ciphersuites has been added (and the list on projectsstatic updated).

Test run going at the moment

2015-11-24 16:12:49
btasker changed status from 'In Progress' to 'Open'

2015-11-24 16:13:26
btasker changed timespent from '30 minutes' to '39 minutes'

2015-11-24 16:22:11
There are probably more, but that should just leave

- RFC 4785
- RFC 7251 (though don't think that's been published yet)

2015-11-24 16:31:41

Repo: PCAPAnalyseandReport
Commit: d3bfda69b5eae56a4556914ac92fbc5f2fa17bd2
Author: Ben Tasker <github@<Domain Hidden>>

Date: Tue Nov 24 16:31:01 2015 +0000
Commit Message: Added RFC5289 Galois Counter Mode suites for PAS-5



Modified (-)(+)
-------
PCAP_Analysis.sh




Webhook User-Agent 

GitHub-Hookshot/333881f


View Commit


2015-11-26 00:09:41

Repo: PCAPAnalyseandReport
Commit: 140bb69c65a939074d9681079b857bab38d30e2a
Author: Ben Tasker <github@<Domain Hidden>>

Date: Thu Nov 26 00:09:06 2015 +0000
Commit Message: Added support for more ciphersuites (more to come). See PAS-5



Modified (-)(+)
-------
PCAP_Analysis.sh




Webhook User-Agent 

GitHub-Hookshot/333881f


View Commit


2015-11-26 00:11:49
Bit more awake this time round, wasn't far off when I said
There are probably more

Quite a few more, in fact - http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml

Which leaves

- RFC 4346
- RFC 5469
- RFC 2712
- RFC 5932
- RFC 4279
- RFC 6347
- RFC 5487
- RFC 5932
- RFC 5746
- RFC 7507
- RFC 5054
- RFC 5489
- RFC 6209
- RFC 6367
- RFC 6655

I may just cheat and process the registry's CSV to generate the rest

2015-11-26 12:43:12
List of ciphers on projectsstatic updated with 
ben@milleniumfalcon:~$ wget -q -O - https://www.iana.org/assignments/tls-parameters/tls-parameters-4.csv | egrep -v -e '5246|4785|4162|5288|4492|5289|7251' | cut -d\, -f1,2,3,5 | grep RFC | cut -d\] -f1 | sed 's/\[//g' | sort -n -k 4 |while read -r line; do     value=$(echo "$line" | cut -d\, -f1,2 | sed -e 's/"//g' -e 's/,//g' -e 's/0x//2');     desc=$(echo "$line" | cut -d\, -f3);     rfc=$(echo "$line" | cut -d\, -f4 );      if [ "$rfc" != "$lastrfc" ];     then echo "#"; echo "# From $rfc";     fi;     echo "$value=$desc";     lastrfc=$rfc; done

And sed statements regenerated with 
ben@milleniumfalcon:/tmp$ wget -q -O - "http://projectsstatic.bentasker.co.uk/PAS/PAS5-Humanise_ciphersuite_output/ciphersuite_list.txt?1=7" | egrep -v -e "^#" | while read -r line; do hex=$(echo "$line" | cut -d\= -f1); str=$(echo "$line" | cut -d\= -f2); echo "-e 's/$hex/$str/gi' \\"; done

Should now (as of commit 881f9f4 ) have 100% coverage of any RFC defined ciphersuites - at least until a new RFC gets released.

2015-11-26 12:43:48

Repo: PCAPAnalyseandReport
Commit: 881f9f4e69c97653f73fde41582cb5d18dd1217e
Author: Ben Tasker <github@<Domain Hidden>>

Date: Thu Nov 26 12:42:29 2015 +0000
Commit Message: Added remaining ciphers. See PAS-5



Modified (-)(+)
-------
PCAP_Analysis.sh




Webhook User-Agent 

GitHub-Hookshot/333881f


View Commit


2015-11-26 13:06:18
There are still at least two missing (0xcc14 and 0xcc13) , a quick search says they're from the draft-mavrogiannopoulos-chacha - https://tools.ietf.org/html/draft-mavrogiannopoulos-chacha-tls-01 

    TLS_RSA_WITH_CHACHA20_SHA              = {0xTBD, 0xTBD} {0xCC, 0x20}
    TLS_ECDHE_RSA_WITH_CHACHA20_SHA        = {0xTBD, 0xTBD} {0xCC, 0x21}
    TLS_ECDHE_ECDSA_WITH_CHACHA20_SHA      = {0xTBD, 0xTBD} {0xCC, 0x22}

    TLS_DHE_RSA_WITH_CHACHA20_SHA          = {0xTBD, 0xTBD} {0xCC, 0x23}
    TLS_DHE_PSK_WITH_CHACHA20_SHA          = {0xTBD, 0xTBD} {0xCC, 0x24}

    TLS_PSK_WITH_CHACHA20_SHA              = {0xTBD, 0xTBD} {0xCC, 0x25}
    TLS_ECDHE_PSK_WITH_CHACHA20_SHA        = {0xTBD, 0xTBD} {0xCC, 0x26}
    TLS_RSA_PSK_WITH_CHACHA20_SHA          = {0xTBD, 0xTBD} {0xCC, 0x27}


and 

    TLS_RSA_WITH_CHACHA20_POLY1305         = {0xTBD, 0xTBD} {0xCC, 0x12}
    TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305   = {0xTBD, 0xTBD} {0xCC, 0x13}
    TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 = {0xTBD, 0xTBD} {0xCC, 0x14}

    TLS_DHE_RSA_WITH_CHACHA20_POLY1305     = {0xTBD, 0xTBD} {0xCC, 0x15}
    TLS_DHE_PSK_WITH_CHACHA20_POLY1305     = {0xTBD, 0xTBD} {0xCC, 0x16}

    TLS_PSK_WITH_CHACHA20_POLY1305         = {0xTBD, 0xTBD} {0xCC, 0x17}
    TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305   = {0xTBD, 0xTBD} {0xCC, 0x18}
    TLS_RSA_PSK_WITH_CHACHA20_POLY1305     = {0xTBD, 0xTBD} {0xCC, 0x19}



2015-11-26 13:12:35
Added,

Gives 100% coverage in my test samples at least, will have to add others as they come up

2015-11-26 13:13:40
btasker changed status from 'Open' to 'Resolved'

2015-11-26 13:13:40
btasker added 'Done' to resolution

2015-11-26 13:13:48
btasker changed status from 'Resolved' to 'Closed'

2015-11-26 13:13:50

Repo: PCAPAnalyseandReport
Commit: 752d21b8e7066d866728fdb6c9b8f551422f77bc
Author: Ben Tasker <github@<Domain Hidden>>

Date: Thu Nov 26 13:11:31 2015 +0000
Commit Message: Added mavrogiannopoulos-chacha ciphers. PAS-5



Modified (-)(+)
-------
PCAP_Analysis.sh




Webhook User-Agent 

GitHub-Hookshot/333881f


View Commit


2015-11-27 13:13:17
Re-opening to assign to a component

2015-11-27 13:13:17
btasker removed 'Done' from resolution

2015-11-27 13:13:17
btasker changed status from 'Closed' to 'Reopened'

2015-11-27 13:13:38
btasker changed status from 'Reopened' to 'Resolved'

2015-11-27 13:13:38
btasker added 'Done' to resolution

2015-11-27 13:13:45
btasker changed status from 'Resolved' to 'Closed'

Work log

Ben Tasker
 Permalink
2015-11-24 15:38:54

Time Spent: 30 minutes
Log Entry: Building list of replacements, implementing replacement and testing
Ben Tasker
 Permalink
2015-11-24 16:13:26

Time Spent: 9 minutes
Log Entry: Adding RFC5288/9 ciphersuites and testing