ACN Assignment 5

The document is a lab assignment by Ayan Khan that includes a series of questions and answers related to TCP and TLS packet analysis using Wireshark. Key details include the identification of packet numbers for TCP SYN and TLS messages, the version of TLS in use, and the purpose of random bytes in the Client Hello message. Additionally, it discusses the certification authority for a server certificate and the nature of encrypted application data exchanged during the session.

Uploaded by ayan9617khan

Ayan Khan

0801IT221044

Lab Assignment 5

1. What is the packet number in your trace that contains the initial TCP SYN message? (By
"packet number," we mean the number in the "No." column at the left of the Wireshark display, not
the sequence number in the TCP segment itself.)
17

2. Is the TCP connection set up before or after the first TLS message is sent from client to server?
The TCP connection was set up before the first TLS message was sent: the three-way handshake
(SYN, SYN-ACK, ACK) completes first, and only then does the client send the TLS Client Hello over
the established connection.

3. What is the packet number in your trace that contains the TLS Client Hello message?
28

4. What version of TLS is your client running, as declared in the Client Hello message?
TLSv1.2

5. How many cipher suites are supported by your client, as declared in the Client Hello message?
A cipher suite names the set of algorithms a connection will use: the key exchange method (how the
session keys are agreed), the bulk encryption cipher, and the message authentication code (an HMAC
construction in TLS 1.2, or the authentication built into an AEAD cipher such as AES-GCM) that
protects record integrity. HMAC is a MAC, not a digital signature; signatures in TLS are used by the
certificate and (for ephemeral key exchange) by the server's ServerKeyExchange message.
17 suites

6. Your client generates and sends a string of “random bytes” to the server in the Client Hello
message. What are the first two hexadecimal digits in the random bytes field of the Client Hello
message? Enter the two hexadecimal digits (without spaces between the hex digits and without any
leading '0x' , using lowercase letters where needed). Hint: be careful to fully dig into the Random field
to find the Random Bytes subfield (do not consider the GMT UNIX Time subfield of Random).
4b90
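Questions 4 to 6 are all answered by reading fields out of the Client Hello. The parser below is added here as an example; it is not part of the lab or of the student's submission. It assembles a TLS 1.2 Client Hello record from constructed values and then decodes the same fields Wireshark displays: the record-layer version, the client_version in the handshake body (the field question 4 asks about), the 32-byte Random split into gmt_unix_time and the 28 random bytes (question 6's hint), the number of offered cipher suites (question 5), and the server_name extension. The host name, the cipher suite list, the timestamp and the random bytes are placeholders chosen for this example, not values from the capture.

```python
"""TLS 1.2 ClientHello builder and parser (added example, not from the lab)."""
import struct

# A few cipher suite code points from the IANA registry, for readable output.
CIPHER_SUITE_NAMES = {
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
}
TLS_VERSION_NAMES = {0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}


def u16(buf: bytes, i: int) -> int:
    """Big-endian 16-bit integer at offset i."""
    return struct.unpack("!H", buf[i:i + 2])[0]


def build_client_hello(random32: bytes, suites: list, server_name: str) -> bytes:
    """Assemble a handshake record carrying a ClientHello (constructed test input)."""
    assert len(random32) == 32
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    host = server_name.encode()
    sni_entry = struct.pack("!BH", 0, len(host)) + host          # name_type 0 = host_name
    sni_body = struct.pack("!H", len(sni_entry)) + sni_entry
    extensions = struct.pack("!HH", 0x0000, len(sni_body)) + sni_body
    body = (
        struct.pack("!H", 0x0303)                                 # client_version = TLS 1.2
        + random32                                                # Random: gmt_unix_time + random_bytes
        + b"\x00"                                                 # session_id length 0
        + struct.pack("!H", len(suite_bytes)) + suite_bytes
        + b"\x01\x00"                                             # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body    # HandshakeType client_hello
    # Record layer: ContentType 22 = handshake; clients commonly put 0x0301 here for compatibility.
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake


def parse_client_hello(record: bytes) -> dict:
    """Decode the ClientHello fields the Wireshark lab questions ask about."""
    content_type, rec_version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != 0x16:
        raise ValueError("not a handshake record")
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    client_version = u16(body, 0)
    random = body[2:34]
    pos = 34
    pos += 1 + body[pos]                       # skip session_id
    suites_len = u16(body, pos)
    pos += 2
    suites = [u16(body, i) for i in range(pos, pos + suites_len, 2)]
    pos += suites_len
    pos += 1 + body[pos]                       # skip compression_methods
    server_name = None
    if pos < len(body):                        # extensions block is optional
        end = pos + 2 + u16(body, pos)
        pos += 2
        while pos < end:
            ext_type, ext_size = u16(body, pos), u16(body, pos + 2)
            ext_data = body[pos + 4:pos + 4 + ext_size]
            pos += 4 + ext_size
            if ext_type == 0x0000:             # server_name (SNI): list len, type, name len, name
                server_name = ext_data[5:5 + u16(ext_data, 3)].decode()
    return {
        "record_version": TLS_VERSION_NAMES.get(rec_version, hex(rec_version)),
        "client_version": TLS_VERSION_NAMES.get(client_version, hex(client_version)),
        "gmt_unix_time": struct.unpack("!I", random[:4])[0],
        "random_bytes_hex": random[4:].hex(),  # the 28-byte subfield, timestamp excluded
        "cipher_suite_count": len(suites),
        "cipher_suites": [CIPHER_SUITE_NAMES.get(s, f"0x{s:04x}") for s in suites],
        "server_name": server_name,
    }


if __name__ == "__main__":
    # Constructed Random: a 4-byte timestamp followed by 28 bytes standing in for CSPRNG output.
    sample_random = (1700000000).to_bytes(4, "big") + bytes(range(0x4B, 0x4B + 28))
    sample = build_client_hello(sample_random, [0xC02F, 0xC030, 0xC02B, 0x009C, 0x002F],
                                "www.cs.umass.edu")
    fields = parse_client_hello(sample)
    for key, value in fields.items():
        print(f"{key}: {value}")
    print("first two hex digits of random_bytes:", fields["random_bytes_hex"][:2])
```

Two versions appear in the parsed output because Wireshark shows two: the record-layer version (often 0x0301 for compatibility) and the client_version inside the handshake body, which is the one question 4 refers to. A client that supports TLS 1.3 still writes 0x0303 in that body field and announces 1.3 in the supported_versions extension, so "TLSv1.2" there only tells you what the legacy field declares.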
7. What is the purpose(s) of the "random bytes" field in the Client Hello message? Note: you'll
have to do some searching and reading to get the answer to this question; see section 8.6 and RFC
5246 (section 8.1 of RFC 5246 in particular).
The random bytes field in the Client Hello message serves to:
1. Provide freshness and prevent replay attacks: the client contributes a new random value on every
handshake, so a recorded handshake cannot be replayed and an attacker cannot steer the two parties
into reusing an old session's keys.
2. Feed key generation: ClientHello.random is concatenated with ServerHello.random and, together
with the premaster secret, is the input to the PRF that derives the master secret (RFC 5246 section
8.1); the master secret is then expanded into the session encryption and MAC keys.
3. Make the derived keys unique to this session: even if the same premaster secret were ever reused,
the two fresh randoms guarantee a different master secret and different session keys.

8. What is the packet number in your trace that contains the TLS Server Hello message?
32

9. Which cipher suite has been chosen by the server from among those offered in the earlier
Client Hello message?

10. Does the Server Hello message contain random bytes, similar to how the Client Hello message
contained random bytes? And if so, what is/are their purpose(s)?
Yes, the Server Hello message contains its own 32-byte random field.
Purpose:
1. Key generation: ServerHello.random is combined with ClientHello.random and the premaster secret
in the PRF to derive the master secret and, from it, the session keys.
2. Session uniqueness: because the server contributes fresh randomness of its own, an old handshake
cannot be replayed to reproduce a previous session's keys, and the client cannot make the server
reuse old key material by repeating its own random.
3. Contributory randomness: both sides supply entropy, so neither party alone determines the key
material, and a weak or predictable random on one side is not enough to make the keys predictable.
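Questions 7 and 10 both come down to where the two Random values enter the key schedule. The code below is an added example, not taken from the lab or the student's work: it implements the TLS 1.2 PRF of RFC 5246 section 5 (P_SHA256) and uses it for the master secret computation of section 8.1 and the key expansion of section 6.3. The premaster secret and both randoms are constructed placeholder values, not values from the capture; in a real handshake the premaster secret comes from the key exchange. Running it shows that changing a single byte of the client's random changes the master secret and every session key, which is the replay-resistance and per-session uniqueness property described in the answers above.

```python
"""TLS 1.2 PRF, master secret and key expansion (added example, not from the lab)."""
import hashlib
import hmac


def p_hash(secret: bytes, seed: bytes, length: int, digest=hashlib.sha256) -> bytes:
    """P_hash from RFC 5246 section 5: HMAC-driven expansion to `length` bytes."""
    out = b""
    a = seed                                                 # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, digest).digest()             # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, digest).digest()   # HMAC(secret, A(i) + seed)
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """PRF(secret, label, seed) = P_SHA256(secret, label + seed) for SHA-256 suites."""
    return p_hash(secret, label + seed, length)


def master_secret(premaster: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """RFC 5246 section 8.1:
    master_secret = PRF(pre_master_secret, "master secret",
                        ClientHello.random + ServerHello.random)[0..47]"""
    return prf(premaster, b"master secret", client_random + server_random, 48)


def key_block(master: bytes, client_random: bytes, server_random: bytes, length: int) -> bytes:
    """RFC 5246 section 6.3:
    key_block = PRF(master_secret, "key expansion", server_random + client_random)
    Note that the two randoms appear in the opposite order from the master secret step."""
    return prf(master, b"key expansion", server_random + client_random, length)


def derive_keys(premaster: bytes, client_random: bytes, server_random: bytes,
                mac_len: int = 0, key_len: int = 16, iv_len: int = 4):
    """Derive the master secret and split the key block into per-direction keys.
    Defaults match an AES-128-GCM suite: no MAC keys, 16-byte keys, 4-byte implicit IVs."""
    ms = master_secret(premaster, client_random, server_random)
    kb = key_block(ms, client_random, server_random, 2 * (mac_len + key_len + iv_len))
    layout = [("client_write_MAC_key", mac_len), ("server_write_MAC_key", mac_len),
              ("client_write_key", key_len), ("server_write_key", key_len),
              ("client_write_IV", iv_len), ("server_write_IV", iv_len)]
    keys, pos = {}, 0
    for name, size in layout:
        keys[name] = kb[pos:pos + size]
        pos += size
    return ms, keys


if __name__ == "__main__":
    # Constructed inputs: an RSA-style premaster secret (2-byte version + 46 bytes) and two
    # 32-byte randoms. None of these come from the capture.
    premaster = b"\x03\x03" + bytes(range(46))
    client_random = bytes([0x4B]) + bytes(range(31))
    server_random = bytes(range(0x80, 0xA0))
    ms, keys = derive_keys(premaster, client_random, server_random)
    print("master_secret:", ms.hex())
    for name, value in keys.items():
        print(f"{name}: {value.hex() or '(none for an AEAD suite)'}")
    # Same premaster secret, one byte of client random changed: entirely different keys.
    other_random = bytes([0x4C]) + client_random[1:]
    ms2, keys2 = derive_keys(premaster, other_random, server_random)
    print("master secret changed:", ms != ms2)
    print("client_write_key changed:", keys["client_write_key"] != keys2["client_write_key"])
```

The order of the randoms differs between the two PRF calls (client first for the master secret, server first for key expansion); getting that backwards is the classic mistake when re-implementing the TLS 1.2 key schedule against a trace, and it yields keys that look fine but decrypt nothing.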

11. What is the packet number in your trace for the TLS message part that contains the public key
certificate for the www.cics.umass.edu server (actually the www.cs.umass.edu server)?
37

12. A server may return more than one certificate. If more than one certificate is returned, are all of
these certificates for www.cs.umass.edu? If not all are for www.cs.umass.edu, then who are these
other certificates for? You can determine who the certificate is for by checking the
id-at-commonName field in the returned certificate.

13. What is the name of the certification authority that issued the certificate for
id-at-commonName=www.cs.umass.edu?
InCommon RSA Server CA. The issuer's rdnSequence (6 items) is:
id-at-commonName=InCommon RSA Server CA, id-at-organizationalUnitName=InCommon,
id-at-organizationName=Internet2, id-at-localityName=Ann Arbor, id-at-stateOrProvinceName=MI,
id-at-countryName=US.

14. What digital signature algorithm is used by the CA to sign this certificate? Hint:
this information can be found in the signature subfield of the SignedCertificate field of the certificate
for www.cs.umass.edu.

15. Let's take a look at what a real public key looks like! What are the first four hexadecimal digits of
the modulus of the public key being used by www.cics.umass.edu? Enter the four hexadecimal
digits (without spaces between the hex digits and without any leading '0x' , using lowercase
letters where needed, and including any leading 0s after '0x'). Hint: this information can be found
in subjectPublicKeyInfo subfield of the SignedCertificate field of the certificate for
www.cs.umass.edu.
00b3

16. Look in your trace to find messages between the client and a CA to get the CA’s public key
information, so that the client can verify that the CA-signed certificate sent by the server is indeed
valid and has not been forged or altered. Do you see such message in your trace? If so, what is
the number in the trace of the first packet sent from your client to the CA? If not, explain why the
client did not contact the CA.

17. What is the packet number in your trace for the TLS message part that contains the Server Hello
Done TLS record?

18. What is the packet number in your trace for the TLS message that contains the public key
information, Change Cipher Spec, and Encrypted Handshake message, being sent from client to
server?

19. Does the client provide its own CA-signed public key certificate back to the server? If so, what is
the packet number in your trace containing your client's certificate?
No such packet appears in the trace, so the client did not send a certificate.

20. What symmetric key cryptography algorithm is being used by the client and server to encrypt
application data (in this case, HTTP messages)?

21. In which of the TLS messages is this symmetric key cryptography algorithm finally decided and
declared?

22. What is the packet number in your trace for the first encrypted message carrying application data
from client to server?

23. What do you think the content of this encrypted application-data is, given that this trace was
generated by fetching the homepage of www.cics.umass.edu?
Since this trace was generated by fetching the homepage of www.cics.umass.edu, the encrypted data
likely contains:
● An HTTP GET request for /index.html (the homepage).
● Possibly, in subsequent records, requests for CSS, JavaScript, or images required by the homepage.
● TLS encryption prevents Wireshark from showing the exact content, but we know it corresponds to
the website's homepage.

24. What packet number contains the client-to-server TLS message that shuts down the TLS
connection? Because TLS messages are encrypted in our Wireshark traces, we can’t actually look inside
a TLS message and so we’ll have to make an educated guess here.
358

843
