To initiate a TLS session, a client sends a TLS Client Hello packet following the TCP handshake. This packet, and the way in which it is generated, depends on the packages and methods used to build the client application.
The server responds with a TLS Server Hello packet that is based on server-side supported ciphers and configurations as well as details in the Client Hello.
Because TLS negotiations are transmitted in the clear, it is possible to fingerprint and potentially identify client applications using the details in the TLS Client Hello packet.
The JA3 method gathers the decimal values of the bytes for the following fields in the Client Hello packet:
- Version
- Accepted cipher suites
- List of extensions
- Elliptic curves
- Elliptic curve formats
It then concatenates those values and hashes the result with MD5 to create a hash (or unique fingerprint) that can enhance traditional cybersecurity approaches such as allow lists, deny lists, and searching for IOCs.
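The following is an added example, not code from the original page: a minimal parser that derives the JA3 string and MD5 fingerprint from a Client Hello handshake message. It follows the published JA3 layout (fields separated by commas, values within a field separated by dashes, GREASE values skipped). The function names and the sample Client Hello are constructed for illustration.

```python
import hashlib
import struct

GREASE = {0x0A0A + 0x1010 * i for i in range(16)}  # RFC 8701 reserved values

def u16_list(buf: bytes) -> list:
    """Decode a run of big-endian 16-bit values, dropping GREASE."""
    return [v for (v,) in struct.iter_unpack("!H", buf) if v not in GREASE]

def ja3_string(hello: bytes) -> str:
    """JA3 string for a ClientHello handshake message (starts at type byte 0x01)."""
    if len(hello) < 39 or hello[0] != 0x01:
        raise ValueError("not a ClientHello handshake message")
    try:
        version = struct.unpack_from("!H", hello, 4)[0]
        pos = 38 + 1 + hello[38]              # header, version, random, session_id
        n = struct.unpack_from("!H", hello, pos)[0]
        ciphers = u16_list(hello[pos + 2:pos + 2 + n])
        pos += 2 + n
        pos += 1 + hello[pos]                 # compression methods
        exts, curves, formats = [], [], []
        end = pos + 2 + struct.unpack_from("!H", hello, pos)[0] if pos < len(hello) else pos
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack_from("!HH", hello, pos)
            body, pos = hello[pos + 4:pos + 4 + elen], pos + 4 + elen
            if etype in GREASE:
                continue
            exts.append(etype)
            if etype == 10:                   # supported_groups: 2-byte list length
                curves = u16_list(body[2:])
            elif etype == 11:                 # ec_point_formats: 1-byte list length
                formats = list(body[1:])
    except (struct.error, IndexError) as exc:
        raise ValueError("truncated or malformed ClientHello") from exc
    return ",".join("-".join(map(str, f)) for f in ([version], ciphers, exts, curves, formats))

def ja3_hash(hello: bytes) -> str:
    return hashlib.md5(ja3_string(hello).encode()).hexdigest()

def sample_client_hello(grease: int = 0x0A0A) -> bytes:
    """Constructed ClientHello for the demo (not captured traffic)."""
    ext = lambda t, b: struct.pack("!HH", t, len(b)) + b
    ciphers = struct.pack("!5H", grease, 0x1301, 0x1302, 0xC02B, 0xC02F)
    exts = (ext(grease, b"") + ext(0, b"\x00\x0e\x00\x00\x0bexample.com")
            + ext(10, struct.pack("!4H", 6, grease, 29, 23)) + ext(11, b"\x01\x00"))
    body = (b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", len(ciphers)) + ciphers
            + b"\x01\x00" + struct.pack("!H", len(exts)) + exts)
    return b"\x01" + len(body).to_bytes(3, "big") + body
```

Calling `sample_client_hello` with a different GREASE value yields the same fingerprint, which is why those values are dropped before hashing.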
The JA3S method then gathers the decimal values of the bytes for the following fields in the Server Hello packet:
- Version
- Accepted cipher
- List of extensions
It concatenates these values in the same way as for the Client Hello packet, resulting in an MD5 hash known as a JA3S fingerprint.