PAS-5: Replace observed Cipher Suites with Human Readable versions



Issue Information

Issue Type: New Feature
Priority: Major
Status: Closed

Reported By: Ben Tasker
Assigned To: Ben Tasker
Project: PCAP Analysis Script (PAS)
Resolution: Done (2015-11-27 13:13:38)
Affects Version: 0.1
Target version: 0.1
Components: Reports, SSL/TLS
Labels: HTTPS, TLS

Created: 2015-11-22 10:38:41
Time Spent Working
Estimated: 45 minutes
Remaining: 6 minutes
Logged: 39 minutes


Description
At the moment, TLS/SSL information extracted from the handshake is stored as follows:

    0xc02b,0xc02f,0x009e,0xc00a,0xc009,0xc013,0xc014,0x0033,0x0039,0x009c,0x002f,0x0035,0x000a

Which, while compact, isn't particularly helpful for a human reader. Entries should be replaced with the Human readable version

For example,
0xc02b = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
0xc02f = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
0xc00a = TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
0xc013 = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
0xc014 = TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
0x0088 = TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA

Need to look up the others though


Issue Links

RFC 5246 Appendix A.5
RFC 4492 Section 6
Hex to Human Readable Cipherlist (Projects Static)
RFC 5288 Section 3
RFC 5289 Section 3
RFC 7251 Section 2
RFC 4785 Section 3

Activity


btasker added 'HTTPS' to labels
btasker changed labels from 'HTTPS' to 'HTTPS TLS'
The values for each ciphersuite are listed in RFC 5246 Appendix A.5 so we can pull from there
Elliptic Curve based cipher suites were added in TLS1.2 and are defined in RFC 4492 Section 6
So, the values defined in RFC 4492 give us
0xC001 = TLS_ECDH_ECDSA_WITH_NULL_SHA
0xC002 = TLS_ECDH_ECDSA_WITH_RC4_128_SHA
0xC003 = TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
0xC004 = TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA 
0xC005 = TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
0xC006 = TLS_ECDHE_ECDSA_WITH_NULL_SHA 
0xC007 = TLS_ECDHE_ECDSA_WITH_RC4_128_SHA 
0xC008 = TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
0xC009 = TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
0xC00A = TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
0xC00B = TLS_ECDH_RSA_WITH_NULL_SHA 
0xC00C = TLS_ECDH_RSA_WITH_RC4_128_SHA
0xC00D = TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
0xC00E = TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
0xC00F = TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
0xC010 = TLS_ECDHE_RSA_WITH_NULL_SHA
0xC011 = TLS_ECDHE_RSA_WITH_RC4_128_SHA
0xC012 = TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
0xC013 = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
0xC014 = TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
0xC015 = TLS_ECDH_anon_WITH_NULL_SHA
0xC016 = TLS_ECDH_anon_WITH_RC4_128_SHA
0xC017 = TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
0xC018 = TLS_ECDH_anon_WITH_AES_128_CBC_SHA
0xC019 = TLS_ECDH_anon_WITH_AES_256_CBC_SHA

I'll start implementing something used for those first, so that it can be tested and then grab the rest from RFC 5246
btasker changed status from 'Open' to 'In Progress'
Replacement of the EC ciphersuites has been implemented, using the following command to build sed expressions from the file at http://projectsstatic.bentasker.co.uk/PAS/PAS5-Humanise_ciphersuite_output/ciphersuite_list.txt

    # Emit one sed expression per hex=NAME line, skipping '#' comment lines
    wget -q -O - "http://projectsstatic.bentasker.co.uk/PAS/PAS5-Humanise_ciphersuite_output/ciphersuite_list.txt" \
      | egrep -v -e "^#" \
      | while read -r line; do
          hex=$(echo "$line" | cut -d\= -f1)
          str=$(echo "$line" | cut -d\= -f2)
          echo "-e 's/$hex/$str/gi' \\"
        done

Test is still running, but looks OK so far. Will work on building a list of the other suites from RFC 5246
Have updated the list in projectsstatic and regenerated the list of cipher replacements. Test run going at the moment, if all goes well will commit the change
btasker changed status from 'In Progress' to 'Open'
btasker changed timespent from '0 minutes' to '30 minutes'
Current version seems to work, though I've missed RFC 5288 (doi) so some suites still aren't being replaced. Probably missed a couple of other RFCs too but the concept at least seems to be working

Committing current build and will dig out the other details shortly

Repo: PCAPAnalyseandReport
Commit: 0eac1dd8b4012c04ae5564d4a791716a8eda3a78
Author: Ben Tasker <github@<Domain Hidden>>

Date: Tue Nov 24 15:35:38 2015 +0000
Commit Message: Humanised Elliptic Curve related ciphers for PAS-5



Modified (-)(+)
-------
PCAP_Analysis.sh




Webhook User-Agent

GitHub-Hookshot/333881f




Repo: PCAPAnalyseandReport
Commit: f99ab0c333b39597394fcc3d617f2e5fe680a17f
Author: Ben Tasker <github@<Domain Hidden>>

Date: Tue Nov 24 15:52:01 2015 +0000
Commit Message: Humanised RFC5246 ciphersuites. See PAS-5



Modified (-)(+)
-------
PCAP_Analysis.sh





btasker changed status from 'Open' to 'In Progress'

Repo: PCAPAnalyseandReport
Commit: e9b5b538d870dce84afe7376b5f2df7fb75b7556
Author: Ben Tasker <github@<Domain Hidden>>

Date: Tue Nov 24 16:09:24 2015 +0000
Commit Message: Added translation of RFC5288 and RFC5289 ciphersuites. See PAS-5



Modified (-)(+)
-------
PCAP_Analysis.sh





Support for RFC5288 and RFC5289 Ciphersuites has been added (and the list on projectsstatic updated).

Test run going at the moment
btasker changed status from 'In Progress' to 'Open'
btasker changed timespent from '30 minutes' to '39 minutes'
There are probably more, but that should just leave

- RFC 4785
- RFC 7251 (though don't think that's been published yet)

Repo: PCAPAnalyseandReport
Commit: d3bfda69b5eae56a4556914ac92fbc5f2fa17bd2
Author: Ben Tasker <github@<Domain Hidden>>

Date: Tue Nov 24 16:31:01 2015 +0000
Commit Message: Added RFC5289 Galois Counter Mode suites for PAS-5



Modified (-)(+)
-------
PCAP_Analysis.sh






Repo: PCAPAnalyseandReport
Commit: 140bb69c65a939074d9681079b857bab38d30e2a
Author: Ben Tasker <github@<Domain Hidden>>

Date: Thu Nov 26 00:09:06 2015 +0000
Commit Message: Added support for more ciphersuites (more to come). See PAS-5



Modified (-)(+)
-------
PCAP_Analysis.sh





Bit more awake this time round, wasn't far off when I said
There are probably more

Quite a few more, in fact - http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml

Which leaves

- RFC 4346
- RFC 5469
- RFC 2712
- RFC 5932
- RFC 4279
- RFC 6347
- RFC 5487
- RFC 5932
- RFC 5746
- RFC 7507
- RFC 5054
- RFC 5489
- RFC 6209
- RFC 6367
- RFC 6655

I may just cheat and process the registry's CSV to generate the rest
List of ciphers on projectsstatic updated with

    ben@milleniumfalcon:~$ wget -q -O - https://www.iana.org/assignments/tls-parameters/tls-parameters-4.csv \
      | egrep -v -e '5246|4785|4162|5288|4492|5289|7251' \
      | cut -d\, -f1,2,3,5 \
      | grep RFC \
      | cut -d\] -f1 \
      | sed 's/\[//g' \
      | sort -n -k 4 \
      | while read -r line; do
          value=$(echo "$line" | cut -d\, -f1,2 | sed -e 's/"//g' -e 's/,//g' -e 's/0x//2')
          desc=$(echo "$line" | cut -d\, -f3)
          rfc=$(echo "$line" | cut -d\, -f4)
          if [ "$rfc" != "$lastrfc" ]; then
            echo "#"
            echo "# From $rfc"
          fi
          echo "$value=$desc"
          lastrfc=$rfc
        done

And sed statements regenerated with

    ben@milleniumfalcon:/tmp$ wget -q -O - "http://projectsstatic.bentasker.co.uk/PAS/PAS5-Humanise_ciphersuite_output/ciphersuite_list.txt?1=7" \
      | egrep -v -e "^#" \
      | while read -r line; do
          hex=$(echo "$line" | cut -d\= -f1)
          str=$(echo "$line" | cut -d\= -f2)
          echo "-e 's/$hex/$str/gi' \\"
        done

Should now (as of commit 881f9f4) have 100% coverage of any RFC defined ciphersuites - at least until a new RFC gets released.

Repo: PCAPAnalyseandReport
Commit: 881f9f4e69c97653f73fde41582cb5d18dd1217e
Author: Ben Tasker <github@<Domain Hidden>>

Date: Thu Nov 26 12:42:29 2015 +0000
Commit Message: Added remaining ciphers. See PAS-5



Modified (-)(+)
-------
PCAP_Analysis.sh





There are still at least two missing (0xcc14 and 0xcc13), a quick search says they're from the draft-mavrogiannopoulos-chacha - https://tools.ietf.org/html/draft-mavrogiannopoulos-chacha-tls-01

    TLS_RSA_WITH_CHACHA20_SHA              = {0xTBD, 0xTBD} {0xCC, 0x20}
    TLS_ECDHE_RSA_WITH_CHACHA20_SHA        = {0xTBD, 0xTBD} {0xCC, 0x21}
    TLS_ECDHE_ECDSA_WITH_CHACHA20_SHA      = {0xTBD, 0xTBD} {0xCC, 0x22}

    TLS_DHE_RSA_WITH_CHACHA20_SHA          = {0xTBD, 0xTBD} {0xCC, 0x23}
    TLS_DHE_PSK_WITH_CHACHA20_SHA          = {0xTBD, 0xTBD} {0xCC, 0x24}

    TLS_PSK_WITH_CHACHA20_SHA              = {0xTBD, 0xTBD} {0xCC, 0x25}
    TLS_ECDHE_PSK_WITH_CHACHA20_SHA        = {0xTBD, 0xTBD} {0xCC, 0x26}
    TLS_RSA_PSK_WITH_CHACHA20_SHA          = {0xTBD, 0xTBD} {0xCC, 0x27}


and

    TLS_RSA_WITH_CHACHA20_POLY1305         = {0xTBD, 0xTBD} {0xCC, 0x12}
    TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305   = {0xTBD, 0xTBD} {0xCC, 0x13}
    TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 = {0xTBD, 0xTBD} {0xCC, 0x14}

    TLS_DHE_RSA_WITH_CHACHA20_POLY1305     = {0xTBD, 0xTBD} {0xCC, 0x15}
    TLS_DHE_PSK_WITH_CHACHA20_POLY1305     = {0xTBD, 0xTBD} {0xCC, 0x16}

    TLS_PSK_WITH_CHACHA20_POLY1305         = {0xTBD, 0xTBD} {0xCC, 0x17}
    TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305   = {0xTBD, 0xTBD} {0xCC, 0x18}
    TLS_RSA_PSK_WITH_CHACHA20_POLY1305     = {0xTBD, 0xTBD} {0xCC, 0x19}


Added,

Gives 100% coverage in my test samples at least, will have to add others as they come up
btasker changed status from 'Open' to 'Resolved'
btasker added 'Done' to resolution
btasker changed status from 'Resolved' to 'Closed'

Repo: PCAPAnalyseandReport
Commit: 752d21b8e7066d866728fdb6c9b8f551422f77bc
Author: Ben Tasker <github@<Domain Hidden>>

Date: Thu Nov 26 13:11:31 2015 +0000
Commit Message: Added mavrogiannopoulos-chacha ciphers. PAS-5



Modified (-)(+)
-------
PCAP_Analysis.sh





Re-opening to assign to a component
btasker removed 'Done' from resolution
btasker changed status from 'Closed' to 'Reopened'
btasker changed status from 'Reopened' to 'Resolved'
btasker added 'Done' to resolution
btasker changed status from 'Resolved' to 'Closed'
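
The translation this issue builds up, as an added example that is not part of the original issue or of PCAP_Analysis.sh: each comma-separated code is looked up as a whole token in a `hex=NAME` list, and codes with no entry are reported, which is how gaps such as 0xcc13 and 0xcc14 surface. The function names are hypothetical, the list format is inferred from the commands above, and the embedded entries are a constructed subset of the mappings quoted on this page.

```shell
#!/bin/sh
# Constructed subset of a hex=NAME list ('#' lines are comments); the
# mappings themselves are the ones quoted in this issue.
suite_map() {
cat <<'EOF'
# From RFC 4492
0xC009=TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
0xC00A=TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
0xC013=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
0xC014=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
# GCM suites from the issue description
0xC02B=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
0xC02F=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
EOF
}

# humanise_suites LIST (hypothetical name): print the comma-separated LIST
# with every known code replaced by its name. Codes are compared
# case-insensitively as whole tokens; unknown codes are left as hex.
humanise_suites() {
    suite_map | awk -F= -v list="$1" '
        /^#/ || NF < 2 { next }            # skip comments and malformed lines
        { name[toupper($1)] = $2 }
        END {
            n = split(list, code, ",")
            for (i = 1; i <= n; i++) {
                key = toupper(code[i])
                out = out (i > 1 ? "," : "") ((key in name) ? name[key] : code[i])
            }
            print out
        }'
}

# unmapped_suites LIST (hypothetical name): print, one per line, the codes
# that survived translation, i.e. the entries still missing from the map.
unmapped_suites() {
    humanise_suites "$1" | tr ',' '\n' | grep -i '^0x' || true
}

observed="0xc02b,0xc02f,0x009e,0xc00a,0xcc14"   # constructed sample input
humanise_suites "$observed"
unmapped_suites "$observed"
```

Running `unmapped_suites` over every cipher list seen in a capture gives the set of codes still to be added to the list.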

Work log


Ben Tasker
2015-11-24 15:38:54

Time Spent: 30 minutes
Log Entry: Building list of replacements, implementing replacement and testing

Ben Tasker
2015-11-24 16:13:26

Time Spent: 9 minutes
Log Entry: Adding RFC5288/9 ciphersuites and testing