
arxiv: 1712.05908 · v1 · pith:OV75M7GNnew · submitted 2017-12-16 · 💻 cs.CR

Fingerprinting Cryptographic Protocols with Key Exchange using an Entropy Measure

classification 💻 cs.CR
keywords: protocols, exchange, cryptographic, approach, blocks, data, detecting, encryption

Encryption has increasingly been used in all applications for various purposes, but it also brings big challenges to network security. In this paper, we take first steps towards addressing some of these challenges by introducing a novel system to identify key exchange protocols, which are usually required if encryption keys are not pre-shared. We observed that key exchange protocols yield certain patterns of high-entropy data blocks, e.g. as found in key material. We propose a multi-resolution approach of accurately detecting high-entropy data blocks and a method of generating scalable fingerprints for cryptographic protocols. We provide experimental evidence that our approach has great potential for identifying cryptographic protocols by their unique key exchanges, and furthermore for detecting malware traffic that includes customized key exchange protocols.
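As an added illustration of the general idea in the abstract (not the paper's algorithm or code), the following coarse-to-fine scan locates high-entropy blocks in a message and returns their offsets and lengths as a simple fingerprint. The threshold, block sizes, function names and the 256-byte message are assumptions constructed for this example.

```python
import math
from collections import Counter

def normalized_entropy(block: bytes) -> float:
    """Byte-level Shannon entropy scaled to [0, 1].

    n bytes can reach at most log2(min(n, 256)) bits per byte, so dividing
    by that bound makes blocks of different sizes comparable.
    """
    n = len(block)
    if n < 2:
        return 0.0
    h = -sum(c / n * math.log2(c / n) for c in Counter(block).values())
    return h / math.log2(min(n, 256))

def high_entropy_runs(data: bytes, threshold=0.95, min_block=32):
    """Coarse-to-fine scan: test a block, bisect it only if it fails."""
    runs = []

    def scan(start, end):
        if normalized_entropy(data[start:end]) >= threshold:
            if runs and runs[-1][0] + runs[-1][1] == start:
                # Merge with the adjacent run found just before this block.
                runs[-1] = (runs[-1][0], runs[-1][1] + end - start)
            else:
                runs.append((start, end - start))
        elif end - start > min_block:
            mid = (start + end) // 2
            scan(start, mid)
            scan(mid, end)

    scan(0, len(data))
    return runs  # [(offset, length), ...] used here as the fingerprint

# Constructed message (assumption): banner, key material, filler, nonce.
# Byte-distinct sequences stand in for random key material so the result
# is reproducible; real traffic would carry actual random bytes.
HELLO = b"PROTO/1.0 hello\r\n".ljust(64, b"\x00")
KEY = bytes((i * 167 + 13) % 256 for i in range(64))
FILLER = b"padding." * 12
NONCE = bytes((i * 91 + 7) % 256 for i in range(32))
MESSAGE = HELLO + KEY + FILLER + NONCE

if __name__ == "__main__":
    print(high_entropy_runs(MESSAGE))                 # fine resolution
    print(high_entropy_runs(MESSAGE, min_block=128))  # coarse only
```

Stopping at 128-byte blocks reports nothing for this message, because each coarse block mixes key material with low-entropy framing; only the finer levels isolate the two high-entropy runs.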
