Secure electronic transactions using transport layer security (SETUTLS)
US-11240270-B1 · Feb 1, 2022 · US
US11411997B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11411997-B2 |
| Application number | US-202017125283-A |
| Country | US |
| Kind code | B2 |
| Filing date | Dec 17, 2020 |
| Priority date | Aug 13, 2020 |
| Publication date | Aug 9, 2022 |
| Grant date | Aug 9, 2022 |
Official abstract text for this publication.
Methods, systems, and devices supporting active fingerprinting for transport layer security (TLS) servers are described. In some systems, a client device may transmit a same set of client hello messages to each TLS server. The client device may receive a set of server hello messages in response to the standard set of client hello messages based on the contents of each client hello message. For example, a server hello message may indicate a selected cipher suite, TLS protocol version, and set of extensions in response to the specific information included in a client hello message. The client device may generate a hash value (e.g., a fuzzy hash) based on the set of server hello messages received from a TLS server. By comparing the hash values generated for different TLS servers, the client device may determine whether the TLS configurations for the different TLS servers are the same or different.
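The hash construction the abstract describes, with the two-part layout of claim 2 and the zero-fill of claims 4 and 5, as an added example that is not code from the patent. The field widths, version codes, the truncated SHA-256 used here in place of the fuzzy hash, and the sample replies are all assumptions.

```python
import hashlib
from typing import Optional, Sequence, Tuple

# One parsed Server Hello: (cipher suite id, TLS version, extension names in order).
# None stands for a handshake failure alert or no response.
ServerHello = Optional[Tuple[int, str, Tuple[str, ...]]]

VERSION_CODE = {"1.0": "a", "1.1": "b", "1.2": "c", "1.3": "d"}  # assumed encoding
EMPTY_SLOT = "00000"  # zero-fill for a failed probe (claim 4)
EXT_HASH_LEN = 32     # assumed truncation of the extension hash


def fingerprint(responses: Sequence[ServerHello]) -> str:
    """Build a two-part fingerprint from the replies to a fixed probe set."""
    if all(r is None for r in responses):
        # Claim 5: a server that answers no probe gets an all-zero value.
        return "0" * (len(EMPTY_SLOT) * len(responses) + EXT_HASH_LEN)
    first, ext_material = [], []
    for r in responses:
        if r is None:
            first.append(EMPTY_SLOT)
            ext_material.append("")
            continue
        cipher, version, extensions = r
        first.append(f"{cipher:04x}{VERSION_CODE[version]}")
        ext_material.append("-".join(extensions))
    # Second portion: hash over the extensions chosen for every probe, in order.
    digest = hashlib.sha256(",".join(ext_material).encode()).hexdigest()
    return "".join(first) + digest[:EXT_HASH_LEN]


def compare(fp_a: str, fp_b: str) -> dict:
    """Report which portion differs (the comparison described in claim 3)."""
    split = len(fp_a) - EXT_HASH_LEN
    return {
        "same_config": fp_a == fp_b,
        "cipher_version_differs": fp_a[:split] != fp_b[:split],
        "extensions_differ": fp_a[split:] != fp_b[split:],
    }


# Constructed replies to three probes (not captured traffic).
SERVER_A = [(0xC02F, "1.2", ("renegotiation_info", "alpn")), None,
            (0x1301, "1.3", ("supported_versions", "key_share"))]
SERVER_B = list(SERVER_A)  # identical configuration behind another address
SERVER_C = [(0xC02F, "1.2", ("alpn", "renegotiation_info")), None,
            (0x1301, "1.3", ("supported_versions", "key_share"))]
SILENT = [None, None, None]
```

Because the first portion stays readable, a mismatch there points at cipher or version selection, while a mismatch only in the tail (as between `SERVER_A` and `SERVER_C`) points at extension handling.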
Opening claim text (preview).
What is claimed is:

1. A method for actively fingerprinting transport layer security (TLS) servers, comprising: transmitting, to a first TLS server and a second TLS server, a same plurality of client-side security parameter messages, each client-side security parameter message of the plurality of client-side security parameter messages indicating a cipher suite list for a client, a TLS protocol version for the client, a set of extensions for the client, or a combination thereof; receiving, in response to the plurality of client-side security parameter messages, a first plurality of server-side security parameter messages from the first TLS server and a second plurality of server-side security parameter messages from the second TLS server, each server-side security parameter message of the first plurality of server-side security parameter messages and the second plurality of server-side security parameter messages indicating a cipher suite selected by a TLS server, a TLS protocol version selected by the TLS server, a set of extensions selected by the TLS server, or a combination thereof; generating a first hash value corresponding to the first TLS server based at least in part on the first plurality of server-side security parameter messages and a second hash value corresponding to the second TLS server based at least in part on the second plurality of server-side security parameter messages; and determining whether a first TLS configuration for the first TLS server is different from a second TLS configuration for the second TLS server based at least in part on a comparison of the first hash value and the second hash value.

2. The method of claim 1, wherein: a first portion of the first hash value indicates the cipher suite selected by the TLS server and the TLS protocol version selected by the TLS server for each of the first plurality of server-side security parameter messages; and a second portion of the first hash value comprises a third hash value generated based at least in part on the set of extensions selected by the TLS server for each of the first plurality of server-side security parameter messages.

3. The method of claim 2, further comprising: comparing the first portion of the first hash value to a first portion of the second hash value to determine whether the first TLS configuration for the first TLS server and the second TLS configuration for the second TLS server comprise different procedures for selecting the cipher suite selected by the TLS server, the TLS protocol version selected by the TLS server, or both; and comparing the second portion of the first hash value to a second portion of the second hash value to determine whether the first TLS configuration for the first TLS server and the second TLS configuration for the second TLS server comprise different procedures for selecting the set of extensions selected by the TLS server.

4. The method of claim 1, further comprising: receiving, in response to a first client-side security parameter message of the plurality of client-side security parameter messages, a handshake failure alert or no response from the first TLS server, wherein generating the first hash value further comprises: inputting, into the first hash value, a set of zeroes corresponding to a response to the first client-side security parameter message based at least in part on receiving the handshake failure alert or no response from the first TLS server.

5. The method of claim 1, further comprising: transmitting, to a third TLS server, the same plurality of client-side security parameter messages; receiving a handshake failure alert or no response from the third TLS server in response to each client-side security parameter message of the plurality of client-side security parameter messages; and generating a third hash value corresponding to the third TLS server by setting the third hash value to a set of zeroes based at least in part on receiving the handshake failure alert or no response from the third TLS server in response to each client-side security parameter message.

6. The method of claim 1, wherein receiving the first plurality of server-side security parameter messages from the first TLS server further comprises: receiving a first server-side security parameter message in response to a first client-side security parameter message, the first client-side security parameter message indicating a first cipher suite list, a first TLS protocol version, and a first set of extensions, and the first server-side security parameter message indicating a second cipher suite selected based at least in part on a set of cipher suites in the first cipher suite list, an order of the first cipher suite list, or both, a second TLS protocol version selected based at least in part on the first TLS protocol version, and a second set of extensions selected based at least in part on the first set of extensions.

7. The method of claim 1, further comprising: identifying that the first TLS server is associated with malware; and determining that the second TLS server is associated with the malware based at least in part on determining that the first TLS configuration for the first TLS server is the same as the second TLS configuration for the second TLS server based at least in part on the comparison of the first hash value and the second hash value.

8. The method of claim 1, further comprising: scanning a set of TLS servers over an Internet, wherein the scanning comprises generating at least the first hash value for the first TLS server and the second hash value for the second TLS server; determining one or more TLS servers of the set of TLS servers associated with malware based at least in part on the scanning; and generating a blocklist indicating the one or more TLS servers associated with the malware.

9. The method of claim 1, further comprising: sending the first hash value and the second hash value for display in a user interface of a user device.

10. The method of claim 1, wherein: a client-side security parameter message comprises a TLS Client Hello message; and a server-side security parameter message comprises a TLS Server Hello message.

11. An apparatus for actively fingerprinting transport layer security (TLS) servers, comprising: a processor; memory coupled with the processor; and instructions stored in the memory and executable by the processor to cause the apparatus to: transmit, to a first TLS server and a second TLS server, a same plurality of client-side security parameter messages, each client-side security parameter message of the plurality of client-side security parameter messages indicating a cipher suite list for a client, a TLS protocol version for the client, a set of extensions for the client, or a combination thereof; receive, in response to the plurality of client-side security parameter messages, a first plurality of server-side security parameter messages from the first TLS server and a second plurality of server-side security parameter messages from the second TLS server, each server-side security parameter message of the first plurality of server-side security parameter messages and the second plurality of server-side security parameter messages indicating a cipher suite selected by a TLS server, a TLS protocol version selected by the TLS server, a set of extensions selected by the TLS server, or a combination thereof; generate a first hash value corresponding to the first TLS server based at least in part on the first plurality of server-side security parameter messages and a second hash value corresponding to the second TLS server based at least in part on the second plurality of server-side security parameter
Active monitoring, e.g. heartbeat, ping or trace-route · CPC title
Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage · CPC title
Event detection, e.g. attack signature detection · CPC title
Hash functions, e.g. MD5, SHA, HMAC or f9 MAC · CPC title
for managing network security; network security policies in general (filtering policies H04L63/0227) · CPC title