Fingerprinting Cryptographic Protocols with Key Exchange using an Entropy Measure
Shoufu Luo, Sven Dietrich

TL;DR
This paper introduces a novel entropy-based fingerprinting system for identifying cryptographic key exchange protocols, aiding network security by detecting encrypted traffic and malware using unique high-entropy data patterns.
Contribution
The paper presents a new multi-resolution method for detecting high-entropy data blocks and generating scalable fingerprints for cryptographic protocols.
Findings
Effective identification of key exchange protocols through entropy patterns
Potential to detect malware traffic with custom key exchanges
Experimental results show high accuracy in protocol recognition
Abstract
Encryption has increasingly been used in all applications for various purposes, but it also brings big challenges to network security. In this paper, we take first steps towards addressing some of these challenges by introducing a novel system to identify key exchange protocols, which are usually required if encryption keys are not pre-shared. We observed that key exchange protocols yield certain patterns of high-entropy data blocks, e.g. as found in key material. We propose a multi-resolution approach of accurately detecting high-entropy data blocks and a method of generating scalable fingerprints for cryptographic protocols. We provide experimental evidence that our approach has great potential for identifying cryptographic protocols by their unique key exchanges, and furthermore for detecting malware traffic that includes customized key exchange protocols.
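The observation in the abstract, that key material shows up as high-entropy blocks inside an otherwise structured message, can be illustrated with a sliding-window Shannon entropy scan run at several window sizes. This is an added example, not the authors' algorithm or code: the window sizes, the 0.9 threshold ratio, the half-window stride and the sample message are all assumptions made for illustration.

```python
import math
from collections import Counter

def shannon_entropy(block: bytes) -> float:
    """Shannon entropy of a byte block, in bits per byte."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def high_entropy_spans(data: bytes, window: int, ratio: float = 0.9):
    """Merged (start, end) spans whose windows reach `ratio` of the
    maximum entropy a window of this size can have (assumed threshold)."""
    max_h = math.log2(min(window, 256))   # w bytes hold at most w distinct values
    spans = []
    for start in range(0, len(data) - window + 1, window // 2):
        if shannon_entropy(data[start:start + window]) >= ratio * max_h:
            end = start + window
            if spans and start <= spans[-1][1]:      # overlaps previous hit
                spans[-1] = (spans[-1][0], end)
            else:
                spans.append((start, end))
    return spans

def entropy_profile(data: bytes, windows=(16, 32, 64)):
    """High-entropy spans at each resolution (window size in bytes)."""
    return {w: high_entropy_spans(data, w) for w in windows}

# Constructed sample, not real traffic: 64 bytes of repetitive header,
# a 128-byte stand-in for key material (128 distinct byte values, so every
# window inside it has maximal byte entropy), then 64 bytes of zero padding.
HEADER = b"KEXINIT\x00" * 8
KEY_BLOB = bytes((i * 167 + 13) % 256 for i in range(128))
SAMPLE = HEADER + KEY_BLOB + b"\x00" * 64

if __name__ == "__main__":
    for w, spans in entropy_profile(SAMPLE).items():
        print(f"window={w:3d} high-entropy spans={spans}")
```

On this sample the 32- and 64-byte windows place the block at bytes 64 to 192, while the 16-byte window reports it starting at 56, because a window that is half header and half key bytes still looks near-maximal at that size. Disagreement of this kind between resolutions is why a single window size is a poor basis for locating key material.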
Taxonomy
Topics: Network Security and Intrusion Detection · Internet Traffic Analysis and Secure E-voting · Advanced Malware Detection Techniques
