Skip to content

ZenGo-X/Bad_randomness_tls_client_handshake_pure_python

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits

.venv

.venv

 
 

__pycache__

__pycache__

 
 

debug

debug

 
 

path/to/venv

path/to/venv

 
 

.python-version

.python-version

 
 

1.txt

1.txt

 
 

Dockerfile

Dockerfile

 
 

Pipfile

Pipfile

 
 

Pipfile.lock

Pipfile.lock

 
 

certificates.py

certificates.py

 
 

cipher_suites.py

cipher_suites.py

 
 

client.py

client.py

 
 

constants.py

constants.py

 
 

ec_curves.py

ec_curves.py

 
 

encryption_algorithms.py

encryption_algorithms.py

 
 

extensions.py

extensions.py

 
 

hosts.txt

hosts.txt

 
 

index.py

index.py

 
 

key_exchange.py

key_exchange.py

 
 

packer.py

packer.py

 
 

prf.py

prf.py

 
 

print_colors.py

print_colors.py

 
 

reader.py

reader.py

 
 

readme.md

readme.md

 
 

requirements.txt

requirements.txt

 
 

signature_algorithms.py

signature_algorithms.py

 
 

tls.py

tls.py

 
 

Repository files navigation

TLS Client Handshake Pure Python implementation

This project is mainly used for demonstrating bad randomness impact on the security of tls handshake.
Do not use this project in any production environment.

Supports

TLSv1.1, TLSv1.2
RSA, ECDHE-RSA, ECDHE-ECDSA key exchange
AES CBC, GCM encryption
SSLKEYLOGFILE

Requirements

Python 3.6 (tested)
pipenv
cryptography

Installation

venv

python -m venv .
source bin/activate (linux)
Scripts/activate (windows cmd)

pip install pipenv
pipenv install
# or you can install cryptography directly without pipenv

python index.py www.google.com

pipenv

pipenv install
pipenv run python index.py google.com

Usage

python index.py
for example,
python index.py www.facebook.com
To specify cipher
python index.py -c
for example,
python index.py www.facebook.com -c AES256-SHA

cat <<EOF | python index.py -c ECDHE-ECDSA-AES256-GCM-SHA384 -
www.facebook.com
www.google.com
EOF

cat hosts.txt | python index.py -

Todo

TLS v1.3
TLS v1.0 (low priority as its life has already ended)
PSS Padding on signature algorithm
Other Cipher suites such as DE
http2

Contribution

PR is welcome

RSA key exchange algorithm

When RSA is used for server authentication and key exchange, a 48-byte pre_master_secret
is generated by the client, encrypted under the server's public key, and sent to the server.
The server uses its private key to decrypt the pre_master_secret. Both parties then
convert the pre_master_secret into the master_secret.

ECDHE-RSA / ECDHE-ECDSA Algorithm

Client Hello

Suggest Cipher Suites

Server Hello

Agree on ECDHE-RSA / ECDHE-ECDSA.
Server generates its ec key pair and sends the ec public key to the client along with the signature made by the server's private key which the public counterpart could be found in the server's digital certificate.

Client Finish

Client verifies the ec public key with the rsa / ec public key in the server's digital certificate.
Client uses the ec public key and generates its own ec key pair in exchange for the pre master secret.
Client sends its ec public key to the server.
Client generates the master secret with the pre master secret and having shared randoms.
Client starts sending encrypted data.

Server Finish

Server receives the client's ec public key
Server uses the client's ec public key and the server private key in exchange for the same pre master secret.
Server generates the master secret with the pre master secret and having shared randoms.
Server decrypts the request with the master secret.

About

No description, website, or topics provided.

Resources

Readme
Activity
Custom properties

Stars

2 stars

Watchers

2 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages