Fingerprinting Cryptographic Protocols with Key Exchange Using an Entropy Measure

2018 
Encryption has become increasingly prevalent in many applications and for various purposes, but its use also brings big challenges to network security. In this paper, we take the first steps towards addressing some of these challenges by introducing a novel system to identify key exchange protocols. These protocols are usually required if encryption keys are not shared in advance. We observed that key exchange protocols yield certain patterns of high-entropy data blocks, such as those found in key material. We propose a multi-resolution approach to accurately detect high-entropy data blocks and a method of generating fingerprints for cryptographic protocols. We provide experimental evidence that our approach has the potential to identify cryptographic protocols by their unique key exchanges, leading to the ability to detect malware traffic that includes customized key exchange protocols.
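As an added illustration (not code from the paper, whose algorithm the abstract does not specify), the sketch below shows one way to locate high-entropy blocks at several window sizes and record their positions per handshake message. The function names, the window sizes, the 0.9 threshold, and the constructed handshake with all-distinct byte strings standing in for key material are assumptions made for this example.

```python
import math
from collections import Counter

def norm_entropy(block: bytes) -> float:
    """Byte-histogram Shannon entropy scaled to [0, 1].
    A w-byte window holds at most log2(min(w, 256)) bits, so dividing by
    that bound makes scores comparable across window sizes."""
    n = len(block)
    if n < 2:
        return 0.0
    h = -sum(c / n * math.log2(c / n) for c in Counter(block).values())
    return h / math.log2(min(n, 256))

def high_entropy_blocks(payload: bytes, sizes=(16, 32, 64), threshold=0.9):
    """Merged (offset, length) runs covered by any window scoring >= threshold.
    sizes and threshold are assumed values, not taken from the paper."""
    hot = bytearray(len(payload))
    for w in sizes:
        for i in range(len(payload) - w + 1):
            if norm_entropy(payload[i:i + w]) >= threshold:
                hot[i:i + w] = b"\x01" * w
    runs, start = [], None
    for i, flag in enumerate(hot + b"\x00"):  # sentinel closes a trailing run
        if flag and start is None:
            start = i
        elif not flag and start is not None:
            runs.append((start, i - start))
            start = None
    return runs

def fingerprint(messages):
    """One list of high-entropy blocks per message, in handshake order."""
    return [high_entropy_blocks(m) for m in messages]

# --- Constructed sample data (not a real protocol capture) ---
TEXT = b"CLIENT-HELLO v1 "  # 16 bytes of low-entropy framing

def fake_key(n: int, start: int = 0) -> bytes:
    """Deterministic stand-in for key material: n all-distinct bytes."""
    return bytes((167 * i + 13) % 256 for i in range(start, start + n))

HANDSHAKE = [
    TEXT * 2 + fake_key(32) + TEXT * 2,                            # nonce
    TEXT * 2 + fake_key(64, 32) + TEXT * 8 + fake_key(32, 96) + TEXT * 2,
    TEXT * 6,                                                      # no key material
]

if __name__ == "__main__":
    for n, blocks in enumerate(fingerprint(HANDSHAKE)):
        print(f"message {n}: {blocks}")
```

Windows that straddle a key field and its framing can still score above the threshold, so the reported runs may extend past the true field boundaries by up to one window length.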