#SSL Record Types

  1. First 6 SSL/TLS packets from ClientHello filtered using ssl shows: i. specify the source of the packet (client or server): ii. list the SSL record types for the packet:
  2. Source: 10.24.33.248 (client)
    • Record type: HANDSHAKE (0x16)
    • Handshake type value: CLIENT_HELLO(0x01)
  3. Source: 23.13.248.68 (server)
    • Record type: HANDSHAKE (0x16)
    • Handshake type value: SERVER_HELLO(0x02)
  4. Source: 23.13.248.68 (server)
    • Record type: HANDSHAKE (0x16)
    • Handshake type value: CERTIFICATE (0x0b), SERVER_KEY_EXCHANGE (0x0c), SERVER_DONE (0x0e)
  5. Source: 10.24.33.248 (client)
    • Record type: HANDSHAKE (0x16) and CHANGE_CIPHER_SPEC (0x14)
    • Handshake type value: CLIENT_KEY_EXCHANGE (0x10), FINISHED
  6. Source: 10.24.33.248 (client)
    • Record type: APPLICATION_DATA (0x17)
  7. Source: 23.13.248.68 (server)
    • Record type: HANDSHAKE (0x16) and CHANGE_CIPHER_SPEC (0x14)
    • Handshake type value: NEW_SESSION_TICKET (0x04), FINISHED
  8. Each of the SSL records begins with the same three fields, known as it’s header.
    • The TLS Record header comprises three fields, necessary to allow the higher layer to be built upon it:
  9. Content type (record type), with length of 1 byte
  10. Version (TLS version), with length of 2 bytes
  11. Length (length of the data), with length of 2 bytes

#Client Hello

  1. Expanding the first ClientHello record found, the value of content type shows the type of the record which is HANDSHAKE, it’s hexadecimal value is 0x16 and in decimal is 22.
  2. The ClientHello record advertise the cipher suites it supports. In the first listed cipher suite of ClientHello we see: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, which means:
  3. The public-key algorithm is ECDHE (Elliptical Curve Diffe-Hellman Ephemeral) and ECDSA (Elliptic Curve Digital Signature Algorithm)
  4. The symmetric-key algorithm is AES-128 and GCM
  5. The hash algorithm is SHA-256

#Client Key Exchange

  1. Locating to the client key exchange record, the public key included in this record is 04:f6:30:ef:4f:1d:b4:cc:6d:3e:6b:24:c5:12:ac:0c:1f:29:3e:9b:2b:28:3d:3e:db:32:86:5a:ab:57:18:ea:02:7b:f1:ea:ea:b0:1a:b0:5d:af:98:32:4b:6a:e4:76:c7:3a:88:84:5e:0b:bb:69:fa:60:2d:cf:40:77:9a:13:e2, with the length of 65 bytes.

#Application Data

  1. The application data is encrypted with the symmetric-key algorithm chosen in the HANDSHAKE phase (AES-128 combined with GCM).
  2. The records containing application data does include a MAC, as it’s appended to the application data prior to encryption.
  3. From the look of it, wireshark doesn’t distinguish the encrypted application data and the MAC.