Lab #$6($Authentication$)$

ITN $262$

In previous labs you have captured several packets using Wireshark. In this lab, you$$ll investigate the

Secure Sockets Layer $($SSL$)$ protocol, focusing on the SSL records sent over a TCP connection. Then you

will analyze a trace of the SSL records sent between your host and a server. You will also investigate the

various SSL record types as well as the fields in the SSL messages and find out how client and server

authentication is done.

I suggest, before starting this lab you read the book and understand the concepts behind. To learn more

about SSL$/$TLS you may read the RFC too. TLS is standardized in RFC $2246.$

Try to do the following steps consecutively. Some answers require you to mark the answer in

the screen capture of your packet capture.

$1.$ Click on start in Wireshark to start capturing traffic. Login to any secure site. $($Ex: Gmail,

Hotmail, BB$,$ or any site of your choice$),$ and click stop after one minute or so$.$ How many

packet did you capture? What is your source address and what is destination address

$(5)$

$2.$ After capturing the packets with Wireshark, you should set the filter so that it displays only the

frames that contain SSL records sent from and received by your host. SSL normally carried on

port $443$ in case of a secure pages. As such set a filter $$tcp$.$port $==443$ What is the purpose

of filtering? Did you find any other useful feature k Of Wireshark other than those were used

for previous labs? Find out two more features which were not used for previous labs and show

how did you used them. $(5)$

$3.$ Take a look at the captured SSL records and answer the following questions. $($Please

provide a screen shot to support your answer$/$analysis$.$ Without appropriate screen

capture, points will not be awarded$)$ Select a TLS message somewhere in the middle of your

trace for which the Info reads $$Application Data$,$ and expand its Secure Sockets Layer block.

List the SSL record types that are included in the frame. Each of the SSL records begins with the

same three fields. One of these fields is $$content type$$ and has length of one byte.

List all three fields and their lengths. $(5)$

Examine the ClientHello Record:

$4.$ Expand the Client Hello record. What is the value of the content type? $(5)$

$5.$ Does the Client Hello record contain a nonce $($also known as a $$challenge$)?$ If so$,$ what is the value of

the challenge in hexadecimal notation? How long in bytes is the random data in the Hellos? Both the

Client and Server include this random number. $(5)$

$6.$ Does the Client Hello record sends the cypher suites it supports? If so$,$ in the first listed suite, what are

the public$-$key algorithm, the symmetric$-$key algorithm, and the hash algorithm sent? $(5)$

Locate the ServerHello SSL record and open the Server Hello Record:

$7.$ Does this record specify a chosen cipher suite? What Cipher method is chosen by the Server? Give its

name and value. The Client will list the different cipher methods it supports, and the Server will pick one

of these methods to use. $(5)$

$8.$ Does this record include a nonce? If so$,$ how long is it$?$ What is the purpose of the client and server

nonce in SSL$?$ Why it is required? $(5)$

$9.$ Does this record include a session ID$?$ What is the purpose of the session ID$?$ Does this record contain

a certificate, or is the certificate included in a separate record. Does the certificate fit into a single

Ethernet frame? If not how many frames did it take to send the certificate $(5)$

Trace the client key exchange record.

$10.$ Does this record contain a pre$-$master secret? What is this secret used for? Is the secret encrypted?

If so$,$ how? How long is the encrypted secret? $(5)$

The final step is examining the Change Cipher Spec Record $($sent by client$)$ and

Encrypted Handshake Record:

$11.$ What is the purpose of the Change Cipher Spec record? How many bytes is the record in your trace?

$(5)$

$12.$ In the encrypted handshake record, what is being encrypted? How? $(5)$

$13.$ Does the server also send a change cipher record and an encrypted handshake record to the client?

How are those records different from those sent by the client? $(5)$

$14.$ How is the application data being encrypted? Can you decrypt SSL traffic? If no$,$ explain why can$$t

you decrypt the application data? If yes, explain how? $(5)$