| { |
| "cells": [ |
| { |
| "cell_type": "markdown", |
| "metadata": {}, |
| "source": [ |
| "# TLS 1.3 handshake overview\n", |
| "This is the basic TLS 1.3 handshake:\n", |
| "\n", |
| "<img src=\"images/handshake_tls13.png\" alt=\"Handshake TLS 1.3\" width=\"400\"/>" |
| ] |
| }, |
| { |
| "cell_type": "code", |
| "execution_count": null, |
| "metadata": { |
| "collapsed": true |
| }, |
| "outputs": [], |
| "source": [ |
| "from scapy.all import *" |
| ] |
| }, |
| { |
| "cell_type": "code", |
| "execution_count": null, |
| "metadata": {}, |
| "outputs": [], |
| "source": [ |
| "record1_str = open('raw_data/tls_session_13/01_cli.raw').read()\n", |
| "record1 = TLS(record1_str)\n", |
| "sess = record1.tls_session\n", |
| "record1.show()" |
| ] |
| }, |
| { |
| "cell_type": "code", |
| "execution_count": null, |
| "metadata": {}, |
| "outputs": [], |
| "source": [ |
| "record2_str = open('raw_data/tls_session_13/02_srv.raw').read()\n", |
| "record2 = TLS(record2_str, tls_session=sess.mirror())\n", |
| "record2.show()" |
| ] |
| }, |
| { |
| "cell_type": "code", |
| "execution_count": null, |
| "metadata": {}, |
| "outputs": [], |
| "source": [ |
| "record3_str = open('raw_data/tls_session_13/03_cli.raw').read()\n", |
| "record3 = TLS(record3_str, tls_session=sess.mirror())\n", |
| "record3.show()" |
| ] |
| }, |
| { |
| "cell_type": "code", |
| "execution_count": null, |
| "metadata": { |
| "collapsed": true |
| }, |
| "outputs": [], |
| "source": [ |
| "# The PFS relies on the ECDH secret below being kept from observers, and deleted right after the key exchange\n", |
| "#from cryptography.hazmat.primitives.asymmetric.ec import EllipticCurvePrivateNumbers\n", |
| "#from cryptography.hazmat.backends import default_backend\n", |
| "#secp256r1_client_privkey = open('raw_data/tls_session_13/cli_key.raw').read()\n", |
| "#pubnum = sess.tls13_client_pubshares[\"secp256r1\"].public_numbers()\n", |
| "#privnum = EllipticCurvePrivateNumbers(pkcs_os2ip(secp256r1_client_privkey), pubnum)\n", |
| "#privkey = privnum.private_key(default_backend())\n", |
| "#sess.tls13_client_privshares[\"secp256r1\"] = privkey" |
| ] |
| }, |
| { |
| "cell_type": "code", |
| "execution_count": null, |
| "metadata": { |
| "scrolled": true |
| }, |
| "outputs": [], |
| "source": [ |
| "record4_str = open('raw_data/tls_session_13/04_srv.raw').read()\n", |
| "record4 = TLS(record4_str, tls_session=sess.mirror())\n", |
| "record4.show()" |
| ] |
| }, |
| { |
| "cell_type": "code", |
| "execution_count": null, |
| "metadata": {}, |
| "outputs": [], |
| "source": [ |
| "record5_str = open('raw_data/tls_session_13/05_srv.raw').read()\n", |
| "record5 = TLS(record5_str, tls_session=sess)\n", |
| "record5.show()" |
| ] |
| }, |
| { |
| "cell_type": "code", |
| "execution_count": null, |
| "metadata": {}, |
| "outputs": [], |
| "source": [ |
| "record6_str = open('raw_data/tls_session_13/06_cli.raw').read()\n", |
| "record6 = TLS(record6_str, tls_session=sess.mirror())\n", |
| "record6.show()" |
| ] |
| }, |
| { |
| "cell_type": "markdown", |
| "metadata": {}, |
| "source": [ |
| "## Observations sur TLS 1.3\n", |
| "* Certificat désormais chiffré...\n", |
| "* ...mais pas le Server Name dans le ClientHello\n", |
| "* Risques du mode 0-RTT" |
| ] |
| } |
| ], |
| "metadata": { |
| "kernelspec": { |
| "display_name": "Python 2", |
| "language": "python", |
| "name": "python2" |
| }, |
| "language_info": { |
| "codemirror_mode": { |
| "name": "ipython", |
| "version": 2 |
| }, |
| "file_extension": ".py", |
| "mimetype": "text/x-python", |
| "name": "python", |
| "nbconvert_exporter": "python", |
| "pygments_lexer": "ipython2", |
| "version": "2.7.13" |
| } |
| }, |
| "nbformat": 4, |
| "nbformat_minor": 2 |
| } |