Identification of TLS Communications Using Randomness Testing

2021 
In recent years, the use of encryption in Internet communications, such as HTTPS, has become more widespread. While encrypted communication has become popular and has improved the security of communications, there is a concern that less information can be obtained from the traffic, making it difficult to distinguish between normal and malicious communications. For SSL/TLS, there is an existing technique called TLS fingerprinting, which tries to identify a server or client based on surface-level information such as headers and handshake parameters. However, some attacks have already bypassed this detection by randomizing parameters or modifying handshakes. Our goal is to identify encrypted communications in a way that is more robust against such circumvention. Therefore, we propose a method that can identify the encryption algorithms and cryptographic libraries used in a communication. We focus on the randomness of encrypted communications and use its statistical characteristics. Our experiment on HTTPS shows that, using only the encrypted application data from TLS communications, we can identify the encryption algorithm used in the communication (without considering the key length) with 89.6% accuracy.
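As an added illustration (not the authors' code), the sketch below shows the kind of feature extraction the abstract describes: it keeps only application-data records from a raw TLS record stream and computes randomness statistics over them. The abstract does not say which randomness tests are used; the monobit and runs tests from NIST SP 800-22 and a byte-level chi-square are assumptions, as are all function names, and the classifier that would consume these features is not shown.

```python
import math
import struct

APPLICATION_DATA = 23  # TLS record content type carrying encrypted payload

def record(ctype: int, body: bytes) -> bytes:
    """Build one TLS record (helper for constructed sample input)."""
    return struct.pack("!BHH", ctype, 0x0303, len(body)) + body

def application_data(stream: bytes) -> bytes:
    """Concatenate application_data record bodies; skip all other record types."""
    out, off = bytearray(), 0
    while off + 5 <= len(stream):
        ctype, _ver, length = struct.unpack_from("!BHH", stream, off)
        body = stream[off + 5 : off + 5 + length]
        if len(body) < length:  # truncated capture: drop the partial record
            break
        if ctype == APPLICATION_DATA:
            out += body  # bytes as seen on the wire (assumption: tags/nonces kept)
        off += 5 + length
    return bytes(out)

def monobit_p(data: bytes) -> float:
    """Frequency (monobit) test p-value, NIST SP 800-22 section 2.1."""
    n = len(data) * 8
    ones = sum(bin(b).count("1") for b in data)
    return math.erfc(abs(2 * ones - n) / math.sqrt(2 * n))

def runs_p(data: bytes) -> float:
    """Runs test p-value, NIST SP 800-22 section 2.3."""
    bits = "".join(f"{b:08b}" for b in data)
    n, pi = len(bits), bits.count("1") / len(bits)
    if abs(pi - 0.5) >= 2 / math.sqrt(n):  # frequency prerequisite failed
        return 0.0
    v = 1 + sum(a != b for a, b in zip(bits, bits[1:]))
    return math.erfc(abs(v - 2 * n * pi * (1 - pi)) / (2 * math.sqrt(2 * n) * pi * (1 - pi)))

def byte_chi2(data: bytes) -> float:
    """Chi-square statistic of byte values against a uniform distribution."""
    expected = len(data) / 256
    return sum((data.count(v) - expected) ** 2 / expected for v in range(256))

def features(stream: bytes) -> dict:
    """Randomness feature vector for one flow, from application data only."""
    payload = application_data(stream)
    if len(payload) < 128:  # too few bits for the statistics to mean anything
        raise ValueError("not enough application data")
    return {"bytes": len(payload), "monobit_p": monobit_p(payload),
            "runs_p": runs_p(payload), "byte_chi2": byte_chi2(payload)}
```

A payload of alternating bits passes the monobit test but fails the runs test, which is why a single statistic is not enough to characterise a ciphertext stream.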