JA3/JA4 Fingerprints
Learn about JA3/JA4 fingerprints and how they can be used to detect malicious activity online.
Overview
JA3 and JA4 are TLS fingerprinting techniques. They summarize the negotiable parameters a client offers in its TLS Client Hello (and, in their server-side variants, what the server picks in its Server Hello) into a short string or hash, so that a particular TLS stack and configuration can be recognized independently of IP address, port or destination. Because the Client Hello is sent before any encryption starts, defenders can compute these fingerprints from a network tap without decrypting traffic and use them to spot botnets, malware command-and-control and other threats that hide inside TLS.
What is JA3?
JA3 is a method for fingerprinting TLS client communications. It extracts specific attributes from a TLS Client Hello packet and generates a hash value, enabling network defenders to identify unique client configurations regardless of IP addresses or other mutable properties.
How JA3 Works
JA3 fingerprints are created by collecting the following fields from the TLS Client Hello, in this order, writing each value as a decimal number, joining the values within a field with dashes and the fields with commas:
Version (the Client Hello's own version field; this is 771, meaning TLS 1.2, even for TLS 1.3 clients, which signal 1.3 through an extension instead)
Cipher Suites (the offered suites, in the order sent)
Extensions (the extension type codes, in the order sent)
Elliptic Curves (the supported_groups extension: curves and other groups offered for key exchange)
Elliptic Curve Point Formats (the ec_point_formats extension)
GREASE values (RFC 8701), which browsers insert at random to keep servers honest, are removed first. The resulting string, for example 771,4865-4866-4867,0-23-65281,29-23-24,0, is hashed with MD5 to produce the 32-character JA3 hash. The hash is a label, not a unique identifier: every program built on the same TLS library with the same settings produces the same JA3, so a match identifies a client configuration rather than a host, and collisions between legitimate software and malware that share a library are common. Because the fields are hashed in wire order, clients that shuffle extension order on every connection (Chrome has done so since version 110) produce a different JA3 each time, which is the main weakness JA4 was designed to fix.
What is JA4?
JA4, published by FoxIO in 2023, is the successor to JA3. Rather than hashing values in wire order, the JA4 client fingerprint sorts cipher suites and extensions before hashing, so clients that randomize extension order still produce a stable value, and it keeps a human-readable header so fingerprints can be compared and grouped without decoding a hash. It is also designed around TLS 1.3, whose real version and key exchange parameters live in extensions rather than in the legacy header fields that JA3 reads. Server-side fingerprinting is not new to JA4 (JA3 has a companion JA3S for the Server Hello); JA4 reworks it as JA4S within a larger family, JA4+, that also covers HTTP, X.509 certificates and other layers. This page covers the two TLS fingerprints.
JA4 Components
The two TLS fingerprints in the JA4 family are:
JA4 (client): built from the Client Hello as three underscore-separated parts, for example a header such as t13d1516h2 followed by two 12-character hashes. The header is readable: transport (t for TLS over TCP, q for QUIC), TLS version (taken from the supported_versions extension when present, so TLS 1.3 shows as 13 even though the legacy version field still says TLS 1.2), whether SNI is present (d for a domain, i for an IP-only connection), the count of cipher suites, the count of extensions, and the first and last characters of the first ALPN value (h2, h1, or 00 if none). The second part is a truncated SHA-256 of the sorted cipher suites; the third is a truncated SHA-256 of the sorted extensions, minus SNI and ALPN, followed by the signature algorithms in their original order. GREASE values are dropped throughout.
JA4S (server): built from the Server Hello in the same three-part shape:
A readable header: transport, negotiated TLS version, number of extensions, and the first and last characters of the selected ALPN protocol (00 if none)
The chosen cipher suite, as four hex digits
A truncated SHA-256 over the server's extension type codes in the order sent (servers do not shuffle, so order is kept); key exchange material such as key_share appears only as an extension type code, never by value, so the fingerprint does not change with the ephemeral keys
Sorting before hashing is what makes JA4 robust to clients that shuffle extension order per connection, and the readable header lets analysts pivot on partial matches (for example every TLS 1.3 client offering h2 with 15 cipher suites) instead of only on exact hashes. JA4 is still a fingerprint of a TLS stack, not of an actor: a tool that copies a browser's Client Hello byte for byte produces the browser's JA4, and off-the-shelf libraries are shared by benign and malicious software alike. JA4 values are therefore most useful when combined with destination, SNI, JA4S and the other JA4+ fingerprints rather than used as a standalone indicator.
Conclusion
JA3 and JA4 fingerprints provide valuable insights into encrypted network traffic, aiding in threat detection and analysis. While not foolproof, they serve as a critical tool in a security team’s arsenal for identifying suspicious TLS communications and enhancing network defense strategies.