idnits 2.17.1 draft-smyshlyaev-tls12-gost-suites-04.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** There are 37 instances of too long lines in the document, the longest one being 15 characters in excess of 72. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (December 29, 2018) is 1945 days in the past. Is this intentional? -- Found something which looks like a code comment -- if you have code sections in the document, please surround them with '' and '' lines. Checking references for intended status: Informational ---------------------------------------------------------------------------- == Missing Reference: 'ChangeCipherSpec' is mentioned on line 382, but not defined -- Looks like a reference, but probably isn't: '0' on line 657 -- Looks like a reference, but probably isn't: '64' on line 3628 -- Looks like a reference, but probably isn't: '32' on line 3704 -- Looks like a reference, but probably isn't: '48' on line 3699 -- Looks like a reference, but probably isn't: '8' on line 3706 == Outdated reference: A later version (-17) exists of draft-irtf-cfrg-re-keying-12 ** Obsolete normative reference: RFC 5246 (Obsoleted by RFC 8446) Summary: 2 errors (**), 0 flaws (~~), 3 warnings (==), 7 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group S. Smyshlyaev, Ed. 3 Internet-Draft CryptoPro 4 Intended status: Informational D. Belyavsky 5 Expires: July 2, 2019 Cryptocom 6 M. Saarinen 7 Independent Consultant 8 December 29, 2018 10 GOST Cipher Suites for Transport Layer Security (TLS) Protocol Version 11 1.2 12 draft-smyshlyaev-tls12-gost-suites-04 14 Abstract 16 This document specifies a set of cipher suites for the Transport 17 Layer Security (TLS) protocol Version 1.2 to support the Russian 18 cryptographic standard algorithms. 20 Status of This Memo 22 This Internet-Draft is submitted in full conformance with the 23 provisions of BCP 78 and BCP 79. 25 Internet-Drafts are working documents of the Internet Engineering 26 Task Force (IETF). Note that other groups may also distribute 27 working documents as Internet-Drafts. The list of current Internet- 28 Drafts is at https://datatracker.ietf.org/drafts/current/. 30 Internet-Drafts are draft documents valid for a maximum of six months 31 and may be updated, replaced, or obsoleted by other documents at any 32 time. It is inappropriate to use Internet-Drafts as reference 33 material or to cite them other than as "work in progress." 35 This Internet-Draft will expire on July 2, 2019. 37 Copyright Notice 39 Copyright (c) 2018 IETF Trust and the persons identified as the 40 document authors. All rights reserved. 42 This document is subject to BCP 78 and the IETF Trust's Legal 43 Provisions Relating to IETF Documents 44 (https://trustee.ietf.org/license-info) in effect on the date of 45 publication of this document. Please review these documents 46 carefully, as they describe your rights and restrictions with respect 47 to this document. Code Components extracted from this document must 48 include Simplified BSD License text as described in Section 4.e of 49 the Trust Legal Provisions and are provided without warranty as 50 described in the Simplified BSD License. 52 Table of Contents 54 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 55 2. Conventions Used in This Document . . . . . . . . . . . . . . 4 56 3. Basic Terms and Definitions . . . . . . . . . . . . . . . . . 4 57 4. Cipher Suite Definitions . . . . . . . . . . . . . . . . . . 5 58 4.1. Record Payload Protection . . . . . . . . . . . . . . . . 5 59 4.1.1. CTR_OMAC . . . . . . . . . . . . . . . . . . . . . . 6 60 4.1.2. CNT_IMIT . . . . . . . . . . . . . . . . . . . . . . 7 61 4.2. Key Exchange and Authentication . . . . . . . . . . . . . 8 62 4.2.1. Hello Messages . . . . . . . . . . . . . . . . . . . 10 63 4.2.2. Server Certificate . . . . . . . . . . . . . . . . . 11 64 4.2.3. CertificateRequest . . . . . . . . . . . . . . . . . 11 65 4.2.4. ClientKeyExchange . . . . . . . . . . . . . . . . . . 12 66 4.2.4.1. CTR_OMAC . . . . . . . . . . . . . . . . . . . . 12 67 4.2.4.2. CNT_IMIT . . . . . . . . . . . . . . . . . . . . 14 68 4.2.5. CertificateVerify . . . . . . . . . . . . . . . . . . 16 69 4.2.6. Finished . . . . . . . . . . . . . . . . . . . . . . 16 70 4.3. Cryptographic Algorithms . . . . . . . . . . . . . . . . 17 71 4.3.1. Block Cipher . . . . . . . . . . . . . . . . . . . . 17 72 4.3.2. MAC algorithm . . . . . . . . . . . . . . . . . . . . 17 73 4.3.3. Encryption algorithm . . . . . . . . . . . . . . . . 18 74 4.3.4. PRF and HASH algorithms . . . . . . . . . . . . . . . 18 75 4.3.5. SNMAX parameter . . . . . . . . . . . . . . . . . . . 18 76 5. New Values for the SignatureAlgorithm Registry . . . . . . . 18 77 6. New Values for the Supported Groups Registry . . . . . . . . 19 78 7. New Values for the ClientCertificateType Identifiers Registry 20 79 8. Additional Algorithms . . . . . . . . . . . . . . . . . . . . 21 80 8.1. TLSTREE . . . . . . . . . . . . . . . . . . . . . . . . . 21 81 8.1.1. Key Tree Parameters . . . . . . . . . . . . . . . . . 21 82 8.2. Key export and key import algorithms . . . . . . . . . . 22 83 8.2.1. KExp15 and KImp15 Algorithms . . . . . . . . . . . . 22 84 8.2.2. KExp28147 and KImp28147 Algorithms . . . . . . . . . 23 85 8.3. Key Exchange Generation Algorithms . . . . . . . . . . . 24 86 8.3.1. KEG Algorithm . . . . . . . . . . . . . . . . . . . . 24 87 8.3.2. KEG_28147 Algorithm . . . . . . . . . . . . . . . . . 26 88 8.4. gostIMIT28147 . . . . . . . . . . . . . . . . . . . . . . 27 89 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 27 90 10. Historical considerations . . . . . . . . . . . . . . . . . . 29 91 11. Security Considerations . . . . . . . . . . . . . . . . . . . 29 92 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 29 93 12.1. Normative References . . . . . . . . . . . . . . . . . . 29 94 12.2. Informative References . . . . . . . . . . . . . . . . . 31 95 Appendix A. Test Examples . . . . . . . . . . . . . . . . . . . 32 96 A.1. Test Examples for CTR_OMAC cipher suites . . . . . . . . 32 97 A.1.1. TLSTREE Examples . . . . . . . . . . . . . . . . . . 32 98 A.1.1.1. TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC 99 ciphersuite . . . . . . . . . . . . . . . . . . . 32 100 A.1.1.2. TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC 101 ciphersuite . . . . . . . . . . . . . . . . . . . 34 102 A.1.2. Record Examples . . . . . . . . . . . . . . . . . . . 36 103 A.1.2.1. TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC 104 ciphersuite . . . . . . . . . . . . . . . . . . . 36 105 A.1.2.2. TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC 106 ciphersuite . . . . . . . . . . . . . . . . . . . 39 107 A.1.3. Handshake Examples . . . . . . . . . . . . . . . . . 42 108 A.1.3.1. TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC 109 ciphersuite . . . . . . . . . . . . . . . . . . . 42 110 A.1.3.2. TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC 111 ciphersuite . . . . . . . . . . . . . . . . . . . 55 112 A.2. Test Examples for CNT_IMIT cipher suites . . . . . . . . 74 113 A.2.1. Record Examples . . . . . . . . . . . . . . . . . . . 74 114 A.2.2. Handshake Examples . . . . . . . . . . . . . . . . . 75 115 Appendix B. Contributors . . . . . . . . . . . . . . . . . . . . 85 116 Appendix C. Acknowledgments . . . . . . . . . . . . . . . . . . 85 117 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 85 119 1. Introduction 121 This document specifies three new cipher suites for the Transport 122 Layer Security (TLS) Protocol Version 1.2 [RFC5246] to support the 123 set of Russian cryptographic standard algorithms (called GOST 124 algorithms). These cipher suites use the same hash algorithm GOST R 125 34.11-2012 [GOST3411-2012] (the English version can be found in 126 [RFC6986]) and the same signature algorithm GOST R 34.10-2012 127 [GOST3410-2012] (the English version can be found in [RFC7091]) but 128 use different encryption and MAC algorithms, so they are divided into 129 two types: the CTR_OMAC cipher suites and the CNT_IMIT cipher suite. 131 The CTR_OMAC cipher suites use the GOST R 34.12-2015 [GOST3412-2015] 132 block ciphers (the English version can be found in [RFC7801]) and 133 have the following values: 135 TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC = {TBD1}; 136 TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC = {TBD2}. 138 The CNT_IMIT cipher suite uses the GOST 28147-89 [GOST28147-89] block 139 cipher (the English version can be found in [RFC5830]) and has the 140 following value: 142 TLS_GOSTR341112_256_WITH_28147_CNT_IMIT = {TBD3}. 144 2. Conventions Used in This Document 146 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 147 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 148 document are to be interpreted as described in [RFC2119]. 150 3. Basic Terms and Definitions 152 This document uses the following terms and definitions for the sets 153 and operations on the elements of these sets: 155 B_t the set of byte strings of length t, t >= 0, for t = 0 the 156 B_t set consists of a single empty string of zero length. If 157 A is an element of B_t, then A = (a_1, a_2, ... , a_t), where 158 a_1, a_2, ... , a_t are in {0, ... , 255}; 160 B* the set of all byte strings of a finite length (hereinafter 161 referred to as strings), including the empty string; 163 A[i..j] the string A[i..j] = (a_i, a_{i+1}, ... , a_j) in B_{j-i+1} 164 where A = (a_1, ... , a_t) in B_t and 1<=i<=j<=t; 166 |A| the byte length of the byte string A; 168 A | C concatenation of strings A and C both belonging to B*, i.e., 169 a string in B_{|A|+|C|}, where the left substring in B_|A| is 170 equal to A, and the right substring in B_|C| is equal to C; 172 A XOR C bitwise exclusive-or of strings A and C both belonging to 173 B_t, i.e., a string in B_t such that if A = (a_1, a_2, ... , 174 a_t), C = (c_1, c_2, ... , c_t) then A XOR C = (a_1 (xor) 175 c_1, a_2 (xor) c_2, ... , a_t (xor) c_t) where (xor) is 176 bitwise exclusive-or of bytes; 178 i & j bitwise AND of integers i and j; 180 STR_t the transformation that maps an integer i = 256^{t-1} * i_1 + 181 ... + 256 * i_{t-1} + i_t into the byte string STR_t(i) = 182 (i_1, ... , i_t) in B_t (the interpretation of the integer as 183 a byte string in big-endian format); 185 str_t the transformation that maps an integer i = 256^{t-1} * i_t + 186 ... + 256 * i_2 + i_1 into the byte string str_t(i) = (i_1, 187 ... , i_t) in B_t (the interpretation of the integer as a 188 byte string in little-endian format); 190 INT the transformation that maps a string a = (a_1, ... , a_t) in 191 B_t into the integer INT(a) = 256^{t-1} * a_1 + ... + 256 * 192 a_{t-1} + a_t (the interpretation of the byte string in big- 193 endian format as an integer); 195 int the transformation that maps a string a = (a_1, ... , a_t) in 196 B_t into the integer int(a) = 256^{t-1} * a_t + ... + 256 * 197 a_2 + a_1 (the interpretation of the byte string in little- 198 endian format as an integer); 200 k the byte-length of the block cipher key; 202 n the byte-length of the block cipher block; 204 Q_c the public key stored in the client's certificate; 206 d_c the private key that corresponds to the Q_c key; 208 Q_s the public key stored in the server's certificate; 210 d_s the private key that corresponds to the Q_s key; 212 q_s subgroup order of group of points of the elliptic curve that 213 corresponds to Q_s; 215 P_s the point of order q_s that belongs to the same curve as Q_s; 217 r_c the random string contained in ClientHello.random field (see 218 [RFC5246]); 220 r_s the random string contained in ServerHello.random field (see 221 [RFC5246]). 223 4. Cipher Suite Definitions 225 4.1. Record Payload Protection 227 All of the cipher suites described in this document MUST use the 228 "null" compression method (see Section 6.2.2 of [RFC5246] and 229 Section 4.2.1). Note that the CompressionMethod.null operation is an 230 identity operation; no fields are altered. 232 All of the cipher suites described in this document use the stream 233 cipher (see Section 4.3.3) to protect records. The TLSCiphertext 234 structure for the CTR_OMAC and CNT_IMIT cipher suites is specified in 235 accordance with the Standard Stream Cipher case (see Section 6.2.3.1 236 of [RFC5246]): 238 struct { 239 ContentType type; 240 ProtocolVersion version; 241 uint16 length; 242 GenericStreamCipher fragment; 243 } TLSCiphertext; 245 where TLSCiphertext.fragment is generated in accordance with 246 Section 4.1.1 or Section 4.1.2. 248 The connection key material is a key material that consists of the 249 sender_write_key (either the client_write_key or the 250 server_write_key), the sender_write_MAC_key (either the 251 client_write_MAC_key or the server_write_MAC_key) and the 252 sender_write_IV (either the client_write_IV or the server_write_IV) 253 parameters that are generated in accordance with Section 6.3 of 254 [RFC5246]. 256 The record key material is a key material that is generated from the 257 connection key material and is used to protect a record with the 258 certain sequence number. Note that in the cipher suites defined in 259 this document the record key material can be equal to the connection 260 key material. 262 In this section the TLSCiphertext.fragment generation is described 263 for one particular endpoint (server or client) with the corresponding 264 connection key material and record key material. 266 4.1.1. CTR_OMAC 268 In case of the CTR_OMAC cipher suites the record key material differs 269 from the connection key material and for the certain sequence number 270 seqnum consists of: 272 o K_ENC_seqnum in B_k; 274 o K_MAC_seqnum in B_k; 276 o IV_seqnum in B_{n/2}. 278 The K_ENC_seqnum and K_MAC_seqnum values are calculated using the 279 TLSTREE function defined in Section 8.1 and the connection key 280 material. IV_seqnum is calculated by adding seqnum value to 281 sender_write_IV modulo 2^{(n/2)*8}: 283 o K_ENC_seqnum = TLSTREE(sender_write_key, seqnum); 284 o K_MAC_seqnum = TLSTREE(sender_write_MAC_key, seqnum); 286 o IV_seqnum = STR_{n/2}((INT(sender_write_IV) + seqnum) mod 287 2^{(n/2)*8}). 289 The TLSCiphertext.fragment that corresponds to the certain sequence 290 number seqnum is equal to the ENCValue_seqnum value that is 291 calculated as follows: 293 1. The MAC value (MACValue_seqnum) is generated using the MAC 294 algorithm (see Section 4.3.2) similar to Section 6.2.3.1 of [RFC5246] 295 except the sender_write_MAC_key is replaced by the K_MAC_seqnum key: 297 MACData_seqnum = STR_8(seqnum) | type_seqnum | version_seqnum | 298 length_seqnum | fragment_seqnum; 300 MACValue_seqnum = MAC(K_MAC_seqnum, MACData_seqnum), 302 where type_seqnum, version_seqnum, length_seqnum, fragment_seqnum are 303 the TLSCompressed.type, TLSCompressed.version, TLSCompressed.length 304 and TLSCompressed.fragment values of the record with the seqnum 305 sequence number. 307 2. The entire data with the MACValue is encrypted with the ENC 308 stream cipher (see Section 4.3.3): 310 ENCData_seqnum = fragment_seqnum | MACValue_seqnum; 312 ENCValue_seqnum = ENC(K_ENC_seqnum, IV_seqnum, ENCData_seqnum). 314 4.1.2. CNT_IMIT 316 In case of the CNT_IMIT cipher suite the record key material is equal 317 to the connection key material and consists of: 319 o sender_write_key in B_k; 321 o sender_write_MAC_key in B_k; 323 o sender_write_IV in B_n. 325 The TLSCiphertext.fragment that corresponds to the certain sequence 326 number seqnum is equal to the ENCValue_seqnum value that is 327 calculated as follows: 329 1. The MAC value (MACValue_seqnum) is generated by the MAC algorithm 330 (see Section 4.3.2) as follows: 332 MACData_i = STR_8(i) | type_i | version_i | length_i | fragment_i, 333 i in {0, ... , seqnum}; 335 MACValue_seqnum = MAC(sender_write_MAC_key, MACData_0 | ... | 336 MACData_seqnum), 338 where type_i, version_i, length_i, fragment_i are the 339 TLSCompressed.type, TLSCompressed.version, TLSCompressed.length and 340 TLSCompressed.fragment values of the record with the i sequence 341 number. 343 Implementation note: Due to the use of the CBC-MAC based mode it is 344 not necessarily to store all previous fragments MACData_0, ... , 345 MACData{i-1} to generate the MACValue_i fragment for the i-th record. 346 It's enough to know only the intermediate internal state of the MAC 347 algorithm. 349 2. The entire data with the MACValue is encrypted with the ENC 350 stream cipher (see Section 4.3.3): 352 ENCData_i = fragment_i | MACValue_i, i in {0, ... , seqnum}; 354 ENCValue_0 | ... | ENCValue_seqnum = ENC(sender_write_key, 355 sender_write_IV, ENCData_0 | ... | ENCData_seqnum), 357 where |ENCValue_i| = |ENCData_i|, i in {0, ... , seqnum}. 359 Implementation note: Due to the use of the stream cipher it is not 360 necessarily to store all previous fragments ENCData_0, ... , 361 ENCData{i-1} to generate the ENCValue_i fragment for the i-th record. 362 It's enough to know only the intermediate internal state of the ENC 363 stream cipher. 365 4.2. Key Exchange and Authentication 367 All of the cipher suites described in this document use ECDHE based 368 schema to share the TLS premaster secret. 370 Client Server 372 ClientHello --------> 373 ServerHello 374 Certificate 375 CertificateRequest* 376 <-------- ServerHelloDone 377 Certificate* 378 ClientKeyExchange 379 CertificateVerify* 380 [ChangeCipherSpec] 381 Finished --------> 382 [ChangeCipherSpec] 383 <-------- Finished 384 Application Data <-------> Application Data 386 Figure 1: Message flow for a full handshake. 388 * Indicates optional messages that are sent for 389 the client authentication. 391 Figure 1 shows all messages involved in the TLS key establishment 392 protocol (full handshake). A ServerKeyExchange MUST NOT be sent (the 393 server's certificate contains enough data to allow client to exchange 394 the premaster secret). 396 The server side of the channel is always authenticated; the client 397 side is optionally authenticated. The server is authenticated by 398 proving that it knows the premaster secret that is encrypted with the 399 public key Q_s from the server's certificate. The client is 400 authenticated via its signature over the handshake transcript. 402 In general the key exchange process for both CTR_OMAC and CNT_IMIT 403 cipher suites consists of the following steps: 405 1. The client generates the ephemeral key pair (d_eph, Q_eph) that 406 corresponds to the server's public key Q_s stored in its 407 certificate. 409 2. The client generates the premaster secret PS. The PS value is 410 chosen from B_32 at random. 412 3. Using d_eph and Q_s the client generates the export key material 413 (see Section 4.2.4.1 and Section 4.2.4.2) for the particular key 414 export algorithm (see Section 8.2.1 and Section 8.2.2) to 415 generate the export representation PSExp of the PS value. 417 4. The client sends its ephemeral public key Q_eph and PSExp value 418 in the ClientKeyExchange message. 420 5. Using its private key d_s the server generates the import key 421 material (see Section 4.2.4.1 and Section 4.2.4.2) for the 422 particular key import algorithm (see Section 8.2.1 and 423 Section 8.2.2) to extract the premaster secret PS from the export 424 representation PSExp. 426 The proposed cipher suites specify the ClientHello, ServerHello, 427 ServerCertificate, CertificateRequest, ClientKeyExchange, 428 CertificateVerify and Finished handshake messages, that are described 429 in further detail below. 431 4.2.1. Hello Messages 433 The ClientHello message is generated in accordance with the following 434 requirements: 436 o The ClientHello.compression_methods field SHOULD contain exactly 437 one byte, set to zero, which corresponds to the "null" compression 438 method. 440 o The ClientHello.extensions field SHOULD contain the 441 signature_algorithms extension (see [RFC5246]) with the values 442 defined in Section 5. 444 If the negotiated cipher suite is one of CTR_OMAC/CTR_IMIT and the 445 client implementation does not support generating the 446 signature_algorithms extension with the appropriate values, the 447 server MUST either abort the connection or ignore this extension 448 and behave as if the client had sent the signature_algorithms 449 extension with the values {8, TBD4} and {8, TBD5}. 451 o The ClientHello.extensions field is RECOMMENDED to contain the 452 extended_master_secret (see [RFC7627]) and the renegotiation_info 453 (see [RFC5746]) extensions. 455 o The ClientHello.extensions field MAY contain the supported_groups 456 extension (see [RFC8422] and [RFC7919]) with the values defined in 457 Section 6. 459 The ServerHello message is generated in accordance with the following 460 requirements: 462 o The ServerHello.compression_method field MUST contain exactly one 463 byte, set to zero, which corresponds to the "null" compression 464 method. 466 o The ServerHello.extensions field is RECOMMENDED to contain the 467 extended_master_secret (see [RFC7627]) and the renegotiation_info 468 (see [RFC5746]) extensions. 470 o The ServerHello.extensions field MUST NOT contain the 471 encrypt_then_mac extension (see [RFC7366]). 473 If the extended_master_secret extension is agreed, then the master 474 secret value MUST be calculated in accordance with [RFC7627]. 476 4.2.2. Server Certificate 478 This message is used to authentically convey the server's public key 479 Q_s to the client and is generated in accordance with Section 7.4.2 480 of [RFC5246]. 482 Note: If the client has used supported_groups extension, the public 483 key in the server's certificate MUST respect the client's choice of 484 elliptic curves. 486 Upon receiving this message the client validates the certificate 487 chain, extracts the server's public key, and checks that the key type 488 is appropriate for the negotiated key exchange algorithm. (A 489 possible reason for a fatal handshake failure is that the client's 490 capabilities for handling elliptic curves and point formats are 491 exceeded) 493 4.2.3. CertificateRequest 495 This message is sent when requesting client authentication and is 496 specified in accordance with [RFC5246] as follows. 498 struct { 499 ClientCertificateType certificate_types<1..2^8-1>; 500 SignatureAndHashAlgorithm 501 supported_signature_algorithms<2..2^16-2>; 502 DistinguishedName certificate_authorities<0..2^16-1>; 503 } CertificateRequest; 505 If the CTR_OMAC or CNT_IMIT cipher suite is negotiated, the 506 CertificateRequest message MUST meet the following requirements: 508 o the CertificateRequest.supported_signature_algorithm field MUST 509 contain only signature/hash algorithm pairs with the values {8, 510 TBD4} or {8, TBD5} defined in Section 5; 512 o the CertificateRequest.certificate_types field MUST contain only 513 the gost_sign256 (TBD13) or gost_sign512 (TBD14) values defined in 514 Section 7. 516 4.2.4. ClientKeyExchange 518 The ClientKeyExchange message is defined as follows. 520 enum { vko_kdf_gost, vko_gost } KeyExchangeAlgorithm; 522 struct { 523 select (KeyExchangeAlgorithm) { 524 case vko_kdf_gost: GostKeyTransport; 525 case vko_gost: TLSGostKeyTransportBlob; 526 } exchange_keys; 527 } ClientKeyExchange; 529 The body of the ClientKeyExchange message consists of a 530 GostKeyTransport/TLSGostKeyTransportBlob structure that contains an 531 export representation of the premaster secret PS. 533 The GostKeyTransport structure corresponds to the CTR_OMAC cipher 534 suites and is described in Section 4.2.4.1 and the 535 TLSGostKeyTransportBlob corresponds to CNT_IMIT cipher suite and is 536 described in Section 4.2.4.2. 538 4.2.4.1. CTR_OMAC 540 In case of the CTR_OMAC cipher suites the body of the 541 ClientKeyExchange message consists of the GostKeyTransport structure 542 that is defined bellow. 544 The client generates the ClientKeyExchange message in accordance with 545 the following steps: 547 1. Generates the ephemeral key pair (Q_eph, d_eph), where: 549 d_eph is chosen from {1, ... , q_s - 1} at random; 551 Q_eph = d_eph * P_s. 553 2. Generates export keys (K_EXP_MAC and K_EXP_ENC) using the KEG 554 algorithm defined in Section 8.3.1: 556 H = HASH(r_c | r_s); 557 K_EXP_MAC | K_EXP_ENC = KEG(d_eph, Q_s, H). 559 3. Generates an export representation PSExp of the premaster secret 560 PS using the KExp15 algorithm defined in Section 8.2.1: 562 IV = H[25..24 + n / 2]; 564 PSExp = KExp15(PS, K_EXP_MAC, K_EXP_ENC, IV). 566 4. Generates the ClientKeyExchange message using the 567 GostKeyTransport structure that is defined as follows: 569 GostKeyTransport ::= SEQUENCE { 570 keyExp OCTET STRING, 571 ephemeralPublicKey SubjectPublicKeyInfo, 572 ukm OCTET STRING OPTIONAL 573 } 575 SubjectPublicKeyInfo ::= SEQUENCE { 576 algorithm AlgorithmIdentifier, 577 subjectPublicKey BITSTRING 578 } 579 AlgorithmIdentifier ::= SEQUENCE { 580 algorithm OBJECT IDENTIFIER, 581 parameters ANY OPTIONAL 582 } 584 where the keyExp field contains the PSExp value, the 585 ephemeralPublicKey field contains the Q_eph value and the ukm field 586 MUST be ignored by the server. 588 Upon receiving the ClientKeyExchange message, the server process it 589 as follows. 591 1. Checks the following three conditions. If either of these checks 592 fails, then the server MUST abort the handshake with an alert. 594 o Q_eph belongs to the same curve as server public key Q_s; 596 o Q_eph is not equal to zero point; 598 o q_s * Q_eph is equal to zero point. 600 2. Generates export keys (K_EXP_MAC and K_EXP_ENC) using the KEG 601 algorithm defined in Section 8.3.1: 603 H = HASH(r_c | r_s); 605 K_EXP_MAC | K_EXP_ENC = KEG(d_s, Q_eph, H). 607 3. Extracts the premaster secret PS from the export representation 608 PSExp using the KImp15 algorithm defined in Section 8.2.1: 610 IV = H[25..24 + n / 2]; 612 PS = KImp15(PSExp, K_EXP_MAC, K_EXP_ENC, IV). 614 4.2.4.2. CNT_IMIT 616 In case of the CNT_IMIT cipher suite the body of the 617 ClientKeyExchange message consists of a TLSGostKeyTransportBlob 618 structure that is defined bellow. 620 The client generates the ClientKeyExchange message in accordance with 621 the following steps: 623 1. Generates the ephemeral key pair (Q_eph, d_eph), where: 625 d_eph is chosen from {1, ... , q_s - 1} at random; 627 Q_eph = d_eph * P_s. 629 2. Generates export key (K_EXP) using the KEG_28147 algorithm 630 defined in Section 8.3.2: 632 H = HASH(r_c | r_s); 634 K_EXP = KEG_28147(d_eph, Q_s, H). 636 3. Generates an export representation PSExp of the premaster secret 637 PS using the KExp28147 algorithm defined in Section 8.2.2: 639 PSExp = IV | CEK_ENC | CEK_MAC = KExp28147(PS, K_EXP, H[1..8]). 641 4. Generates the ClientKeyExchange message using the 642 TLSGostKeyTransportBlob structure that is defined as follows: 644 TLSGostKeyTransportBlob ::= SEQUENCE { 645 keyBlob GostR3410-KeyTransport, 646 } 647 GostR3410-KeyTransport ::= SEQUENCE { 648 sessionEncryptedKey Gost28147-89-EncryptedKey, 649 transportParameters [0] IMPLICIT GostR3410-TransportParameters 650 } 651 Gost28147-89-EncryptedKey ::= SEQUENCE { 652 encryptedKey Gost28147-89-Key, 653 macKey Gost28147-89-MAC 654 } 655 GostR3410-TransportParameters ::= SEQUENCE { 656 encryptionParamSet OBJECT IDENTIFIER, 657 ephemeralPublicKey [0] IMPLICIT SubjectPublicKeyInfo, 658 ukm OCTET STRING 659 } 661 where Gost28147-89-EncryptedKey.encryptedKey field contains the 662 CEK_ENC value, the Gost28147-89-EncryptedKey.macKey field contains 663 the CEK_MAC value, and GostR3410-TransportParameters.ukm field 664 contains the IV value. 666 The keyBlob.transportParameters.ephemeralPublicKey field contains the 667 client ephemeral public key Q_eph. The encryptionParamSet contains 668 value 1.2.643.7.1.2.5.1.1 that corresponds to the id-tc26-gost- 669 28147-param-Z parameters set defined in [RFC7836]. 671 Upon receiving the ClientKeyExchange message, the server process it 672 as follows. 674 1. Checks the following three conditions. If either of these checks 675 fails, then the server MUST abort the handshake with an alert. 677 1. Q_eph belongs to the same curve as server public key Q_s; 679 2. Q_eph is not equal to zero point; 681 3. q_s * Q_eph is equal to zero point; 683 2. Generates export key (K_EXP) using the KEG_28147 algorithm 684 defined in Section 8.3.2: 686 H = HASH(r_c | r_s); 688 K_EXP = KEG_28147(d_s, Q_eph, H). 690 3. Extracts the premaster secret PS from the export representation 691 PSExp using the KImp28147 algorithm defined in Section 8.2.2: 693 PS = KImp28147(PSExp, K_EXP, H[1..8]). 695 4.2.5. CertificateVerify 697 Client generates the value sgn as follows: 699 sgn = SIGN_{d_c}(handshake_messages) = str_l(r) | str_l(s) 701 where SIGN_{d_c} is the GOST R 34.10-2012 [RFC7091] signature 702 algorithm, d_c is a client long-term private key that corresponds to 703 the client long-term public key Q_c from the client's certificate, l 704 = 32 for gostr34102012_256 value of the SignatureAndHashAlgorithm 705 field and l = 64 for gostr34102012_512 value of the 706 SignatureAndHashAlgorithm field. 708 Here handshake_messages refers to all handshake messages sent or 709 received, starting at client hello and up to CertificateVerify, but 710 not including, this message, including the type and length fields of 711 the handshake messages. 713 The TLS CertificateVerify message is specified as follows. 715 struct { 716 SignatureAndHashAlgorithm algorithm; 717 opaque signature<0..2^16-1>; 718 } CertificateVerify; 720 where SignatureAndHashAlgorithm structure is specified in Section 5 721 and CertificateVerify.signature field contains sgn value. 723 4.2.6. Finished 725 The TLS Finished message is specified as follows. 727 struct { 728 opaque verify_data[verify_data_length]; 729 } Finished; 731 verify_data = PRF(master_secret, finished_label, 732 HASH(handshake_messages))[0..verify_data_length-1]; 734 where the verify_data_length value is equal to 32 for the CTR_OMAC 735 cipher suites and is equal to 12 for the CNT_IMIT cipher suite. The 736 PRF function is defined in Section 4.3.4. 738 4.3. Cryptographic Algorithms 740 4.3.1. Block Cipher 742 The cipher suite TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC MUST 743 uses Kuznyechik [RFC7801] as a base block cipher for the encryption 744 and MAC algorithm. The block length n is 16 bytes and the key length 745 k is 32 bytes. 747 The cipher suite TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC MUST uses 748 Magma [GOST3412-2015] as a base block cipher for the encryption and 749 MAC algorithm. The block length n is 8 bytes and the key length k is 750 32 bytes. 752 The cipher suite TLS_GOSTR341112_256_WITH_28147_CNT_IMIT MUST uses 753 GOST 28147-89 as a base block cipher [RFC5830] with the set of 754 parameters id-tc26-gost-28147-param-Z defined in [RFC7836]. The 755 block length n is 8 bytes and the key length k is 32 bytes. 757 4.3.2. MAC algorithm 759 The CTR_OMAC cipher suites use the OMAC message authentication code 760 construction defined in [GOST3413-2015], which can be considered as 761 the CMAC mode defined in [CMAC] where Kuznyechik or Magma block 762 cipher (see Section 4.3.1) are used instead of AES block cipher (see 763 [IK2003] for more detail) as the MAC function. The resulting MAC 764 length is equal to the block length and the MAC key length is 32 765 bytes. 767 The CNT_IMIT cipher suite uses the message authentication code 768 function gostIMIT28147 defined in Section 8.4 with the initialization 769 vector IV = IV0, where IV0 in B_8 is a string of all zeros, with the 770 CryptoPro Key Meshing algorithm defined in [RFC4357]. The resulting 771 MAC length is 4 bytes and the MAC key length is 32 bytes. 773 4.3.3. Encryption algorithm 775 The CTR_OMAC cipher suites use the block cipher in CTR-ACPKM 776 encryption mode defined in [DraftRekeying] as the ENC function. The 777 section size N is 4 KB for 778 TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC cipher suite and 1 KB 779 for TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC cipher suite. The 780 initial counter nonce is defined as in Section 4.1. 782 The CNT_IMIT cipher suite uses the block cipher in counter encryption 783 mode (CNT) defined in Section 6 of [RFC5830] with the CryptoPro Key 784 Meshing algorithm defined in [RFC4357] as the ENC function. 786 4.3.4. PRF and HASH algorithms 788 The pseudorandom function (PRF) for all the cipher suites defined in 789 this document is the PRF_TLS_GOSTR3411_2012_256 function defined in 790 [RFC7836]. 792 The hash function HASH for all the cipher suites defined in this 793 document is the GOST R 34.11-2012 [RFC6986] hash algorithm with 794 32-byte (256-bit) hash code. 796 4.3.5. SNMAX parameter 798 The SNMAX parameter defines the maximal value of the sequence number 799 seqnum during one TLS 1.2 connection and is defined as follows: 801 +---------------------------------------------+--------------------+ 802 | CipherSuites | SNMAX | 803 +---------------------------------------------+--------------------+ 804 |TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC | SNMAX = 2^64 - 1 | 805 |TLS_GOSTR341112_256_WITH_28147_CNT_IMIT | | 806 +---------------------------------------------+--------------------+ 807 |TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC | SNMAX = 2^32 - 1 | 808 +---------------------------------------------+--------------------+ 810 5. New Values for the SignatureAlgorithm Registry 812 The signature/hash algorithm pairs are used to indicate to the 813 server/client which algorithms can be used in digital signatures and 814 are defined by the SignatureAndHashAlgorithm structure (see 815 Section 7.4.1.4.1 of [RFC5246]) as follows: 817 struct { 818 HashAlgorithm hash; 819 SignatureAlgorithm signature; 820 } SignatureAndHashAlgorithm; 822 This document defines new values for the "SignatureAlgorithm 823 Registry" that can be used in the SignatureAndHashAlgorithm.signature 824 field for the particular signature/hash algorithm pair: 826 enum { 827 gostr34102012_256(TBD4), 828 gostr34102012_512(TBD5), 829 } SignatureAlgorithm; 831 where the gostr34102012_256 and gostr34102012_512 values correspond 832 to the GOST R 34.10-2012 [RFC7091] signature algorithm with 32-byte 833 (256-bit) and 64-byte (512-bit) key length respectively. 835 According to [RFC7091] the GOST R 34.10-2012 signature algorithm with 836 32-byte (256-bit) or 64-byte (512-bit) key length use the GOST R 837 34.11-2012 [RFC6986] hash algorithm with 32-byte (256-bit) or 64-byte 838 (512-bit) hash code respectively (the hash algorithm is intrinsic to 839 the signature algorithm). Therefore, if the 840 SignatureAndHashAlgorithm.signature field of a particular hash/ 841 signature pair listed in the Signature Algorithms Extension is equal 842 to the TBD4 (gostr34102012_256) or TBD5 (gostr34102012_512) value, 843 the SignatureAndHashAlgorithm.hash field of this pair MUST contain 844 the "Intrinsic" value 8 (see [RFC8422]). 846 6. New Values for the Supported Groups Registry 848 The Supported Groups Extension indicates the set of elliptic curves 849 supported by the client and is defined in [RFC8422] and [RFC7919]. 851 This document defines new values for the "Supported Groups" registry: 853 enum { 854 GC256A(TBD6), GC256B(TBD7), GC256C(TBD8), GC256D(TBD9), 855 GC512A(TBD10), GC512B(TBD11), GC512C(TBD12), 856 } NamedGroup; 858 Where the values corresponds to the following curves: 860 +-------------+--------------------------------------+-----------+ 861 | Description | Curve Identifier Value | Reference | 862 +-------------+--------------------------------------+-----------+ 863 | GC256A | id-tc26-gost-3410-2012-256-paramSetA | RFC 7836 | 864 +-------------+--------------------------------------+-----------+ 865 | GC256B |id-GostR3410-2001-CryptoPro-A-ParamSet| RFC 4357 | 866 +-------------+--------------------------------------+-----------+ 867 | GC256C |id-GostR3410-2001-CryptoPro-B-ParamSet| RFC 4357 | 868 +-------------+--------------------------------------+-----------+ 869 | GC256D |id-GostR3410-2001-CryptoPro-C-ParamSet| RFC 4357 | 870 +-------------+--------------------------------------+-----------+ 871 | GC512A | id-tc26-gost-3410-12-512-paramSetA | RFC 7836 | 872 +-------------+--------------------------------------+-----------+ 873 | GC512B | id-tc26-gost-3410-12-512-paramSetB | RFC 7836 | 874 +-------------+--------------------------------------+-----------+ 875 | GC512C | id-tc26-gost-3410-2012-512-paramSetC | RFC 7836 | 876 +-------------+--------------------------------------+-----------+ 878 7. New Values for the ClientCertificateType Identifiers Registry 880 The ClientCertificateType field of the CertificateRequest message 881 contains a list of the types of certificate types that the client may 882 offer and is defined in Section 7.4.4 of [RFC5246]. 884 This document defines new values for the "ClientCertificateType 885 Identifiers" registry: 887 enum { 888 gost_sign256(TBD13), 889 gost_sign512(TBD14), 890 } ClientCertificateType; 892 To use the gost_sign256 or gost_sign512 authentication mechanism, the 893 client MUST possess a certificate containing a GOST R 894 34.10-2012-capable public key that corresponds to the 32-byte 895 (256-bit) or 64-byte (512-bit) signature key respectively. 897 The client proves possession of the private key corresponding to the 898 certified key by including a signature in the CertificateVerify 899 message as described in Section 4.2.5. 901 8. Additional Algorithms 903 8.1. TLSTREE 905 The TLSTREE function is defined as follows: 907 TLSTREE(K_root, i) = KDF_3(KDF_2(KDF_1(K_root, STR_8(i & C_1)), 908 STR_8(i & C_2)), STR_8(i & C_3)), 910 where 912 o K_root in B_32; 914 o i in {0, 1, ... , 2^64 - 1}; 916 o C_1, C_2, C_3 are constants defined by the particular cipher suite 917 (see Section 8.1.1); 919 o KDF_j(K, D), j = 1, 2, 3, K in B_32, D in B_8, is the key 920 derivation function based on the KDF_GOSTR3411_2012_256 function 921 defined in [RFC7836]: 923 KDF_1(K, D) = KDF_GOSTR3411_2012_256(K, "level1", D); 924 KDF_2(K, D) = KDF_GOSTR3411_2012_256(K, "level2", D); 925 KDF_3(K, D) = KDF_GOSTR3411_2012_256(K, "level3", D). 927 8.1.1. Key Tree Parameters 929 The CTR_OMAC cipher suites use the TLSTREE function for the re-keying 930 approach. The constants for it are defined as in the table below. 932 +---------------------------------------------+------------------------+ 933 | CipherSuites | C_1, C_2, C_3 | 934 +---------------------------------------------+------------------------+ 935 |TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC | C_1=0xFFFFFFFF00000000 | 936 | | C_2=0xFFFFFFFFFFF80000 | 937 | | C_3=0xFFFFFFFFFFFFFFC0 | 938 +---------------------------------------------+------------------------+ 939 |TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC | C_1=0xFFFFFFC000000000 | 940 | | C_2=0xFFFFFFFFFE000000 | 941 | | C_3=0xFFFFFFFFFFFFF000 | 942 +---------------------------------------------+------------------------+ 943 8.2. Key export and key import algorithms 945 8.2.1. KExp15 and KImp15 Algorithms 947 Algorithms KExp15 and KImp15 use the block cipher determined by the 948 particular cipher suite. 950 The KExp15 key export algorithm is defined as follows. 952 +------------------------------------------------------------+ 953 | KExp15(S, K_Exp_MAC, K_Exp_ENC, IV) | 954 |------------------------------------------------------------| 955 | Input: | 956 | - secret S to be exported, S in B*, | 957 | - key K_Exp_MAC in B_k, | 958 | - key K_Exp_ENC in B_k, | 959 | - IV in B_{n/2} | 960 | Output: | 961 | - export representation SExp in B_{|S|+n} | 962 |------------------------------------------------------------| 963 | 1. CEK_MAC = OMAC(K_Exp_MAC, IV | S), CEK_MAC in B_n | 964 | 2. SExp = CTR-Encrypt(K_Exp_ENC, IV, S | CEK_MAC) | 965 | 3. return SExp | 966 +------------------------------------------------------------+ 968 where the OMAC function is defined in [MODES], the CTR-Encrypt(K, IV, 969 S) function denotes the encryption of message S on key K and nonce IV 970 in the CTR mode with s = n (see [MODES]). 972 The KImp15 key import algorithm is defined as follows. 974 +--------------------------------------------------------------------+ 975 | KImp15(SExp, K_Exp_MAC, K_Exp_ENC, IV) | 976 |--------------------------------------------------------------------| 977 | Input: | 978 | - export representation SExp in B* | 979 | - key K_Exp_MAC in B_k, | 980 | - key K_Exp_ENC in B_k, | 981 | - IV in B_{n/2} | 982 | Output: | 983 | - secret S in B_{|SExp|-n} or FAIL | 984 |--------------------------------------------------------------------| 985 | 1. S | CEK_MAC = CTR-Decrypt(K_Exp_ENC, IV, SExp), CEK_MAC in B_n | 986 | 2. If CEK_MAC = OMAC(K_Exp_MAC, IV | S) | 987 | then return S; else return FAIL | 988 +--------------------------------------------------------------------+ 990 where the OMAC function is defined in [MODES], the CTR-Decrypt(K, IV, 991 S) function denotes the decryption of message S on key K and nonce IV 992 in the CTR mode (see [MODES]). 994 The keys K_Exp_MAC and K_Exp_ENC MUST be independent. For every pair 995 of keys (K_Exp_ENC, K_Exp_MAC) the IV values MUST be unique. For the 996 import of key K with the KImp15 algorithm every IV value MUST be sent 997 with the export key representation or be a preshared value. 999 8.2.2. KExp28147 and KImp28147 Algorithms 1001 The KExp28147 key export algorithm is defined as follows. 1003 +----------------------------------------------------------------+ 1004 | KExp28147(S, K, IV) | 1005 |----------------------------------------------------------------| 1006 | Input: | 1007 | - secret S to be exported, S in B_32, | 1008 | - key K in B_32, | 1009 | - IV in B_8. | 1010 | Output: | 1011 | - export representation SExp in B_44 | 1012 |----------------------------------------------------------------| 1013 | 1. CEK_MAC = gost28147IMIT(IV, K, S), CEK_MAC in B_4 | 1014 | 2. CEK_ENC = ECB-Encrypt(K, S), CEK_ENC in B_32 | 1015 | 3. return SExp = IV | CEK_ENC | CEK_MAC | 1016 +----------------------------------------------------------------+ 1017 where the gost28147IMIT function is defined in Section 8.4, the ECB- 1018 Encrypt(K, S) function denotes the encryption of message S on key K 1019 with the block cipher GOST 28147-89 in the ECB mode (see [RFC5830]). 1021 The KImp28147 key import algorithm is defined as follows. 1023 +----------------------------------------------------------------+ 1024 | KImp28147(SExp, K, IV) | 1025 |----------------------------------------------------------------| 1026 | Input: | 1027 | - export representation SExp in B_44, | 1028 | - key K in B_32, | 1029 | - IV in B_8. | 1030 | Output: | 1031 | - imported secret S in B_32 or FAIL | 1032 |----------------------------------------------------------------| 1033 | 1. extract from SExp | 1034 | IV' = SExp[1..8], | 1035 | CEK_ENC = SExp[9..40], | 1036 | CEK_MAC = SExp[41..44] | 1037 | 2. if IV' != IV then return FAIL; else | 1038 | 3. S = ECB-Decrypt(K, CEK_ENC), S in B_32 | 1039 | 4. If CEK_MAC = gost28147IMIT(IV, K, S) | 1040 | then return S; else return FAIL | 1041 +----------------------------------------------------------------+ 1043 where the gost28147IMIT function is defined in Section 8.4, the ECB- 1044 Decrypt(CEK_ENC, M) function denotes the decryption of ciphertext 1045 CEK_ENC on key K with a block cipher GOST 28147-89 in the ECB mode 1046 (see [RFC5830]). 1048 8.3. Key Exchange Generation Algorithms 1050 8.3.1. KEG Algorithm 1052 The KEG algorithm is defined as follows: 1054 +----------------------------------------------------------------+ 1055 | KEG(d, Q, H) | 1056 |----------------------------------------------------------------| 1057 | Input: | 1058 | - private key d, | 1059 | - public key Q, | 1060 | - H in B_32. | 1061 | Output: | 1062 | - key material K in B_64. | 1063 |----------------------------------------------------------------| 1064 | 1. If m < 2^{256} | 1065 | return KEG_256(d, Q, H) | 1066 | 2. If m < 2^{512} | 1067 | return KEG_512(d, Q, H) | 1068 | 3. return FAIL | 1069 +----------------------------------------------------------------+ 1071 where m is the order of the used elliptic curve points group 1072 containing point Q, d in {1, ... , m - 1}. 1074 The KEG_256 algorithm is defined as follows: 1076 +----------------------------------------------------------------+ 1077 | KEG_256(d, Q, H) | 1078 |----------------------------------------------------------------| 1079 | Input: | 1080 | - private key d, | 1081 | - public key Q, | 1082 | - H in B_32. | 1083 | Output: | 1084 | - key material K in B_64. | 1085 |----------------------------------------------------------------| 1086 | 1. r = INT(H[1..16]) | 1087 | 2. If r = 0 | 1088 | UKM = 1; else UKM = r | 1089 | 3. K_EXP = VKO_256(d, Q, UKM) | 1090 | 4. seed = H[17..24] | 1091 | 5. return KDFTREE_256(K_EXP, "kdf tree", seed, 1) | 1092 +----------------------------------------------------------------+ 1094 where VKO_256 is the function VKO_GOSTR3410_2012_256 defined in 1095 [RFC7836] and KDFTREE_256 is the KDF_TREE_GOSTR3411_2012_256 function 1096 defined in [RFC7836] with the parameter L equal to 512. 1098 The KEG_512 algorithm is defined as follows: 1100 +----------------------------------------------------------------+ 1101 | KEG_512(d, Q, H) | 1102 |----------------------------------------------------------------| 1103 | Input: | 1104 | - private key d, | 1105 | - public key Q, | 1106 | - H in B_32. | 1107 | Output: | 1108 | - key material K in B_64. | 1109 |----------------------------------------------------------------| 1110 | 1. r = INT(H[1..16]) | 1111 | 2. If r = 0 | 1112 | UKM = 1; else UKM = r | 1113 | 3. return VKO_512(d, Q, UKM) | 1114 +----------------------------------------------------------------+ 1116 where VKO_512 is the VKO_GOSTR3410_2012_512 function defined in 1117 [RFC7836]. 1119 8.3.2. KEG_28147 Algorithm 1121 The KEG_28147 algorithm is defined as follows: 1123 +----------------------------------------------------------------+ 1124 | KEG_28147(d, Q, H) | 1125 |----------------------------------------------------------------| 1126 | Input: | 1127 | - private key d, | 1128 | - public key Q, | 1129 | - H in B_32. | 1130 | Output: | 1131 | - key material K in B_32. | 1132 |----------------------------------------------------------------| 1133 | 1. UKM = H[1..8] | 1134 | 2. R = VKO_256(d, Q, int(UKM)) | 1135 | 3. return K = CPDivers(UKM, R) | 1136 +----------------------------------------------------------------+ 1138 where the VKO_256 function is equal to the VKO_GOSTR3410_2012_256 1139 function defined in [RFC7836], the CPDivers function corresponds to 1140 the CryptoPro KEK Diversification Algorithm defined in [RFC4357], 1141 which takes as input the UKM value and the key value. 1143 8.4. gostIMIT28147 1145 gost28147IMIT(IV, K, M) is a MAC algorithm with 4 bytes output and is 1146 defined as follows: 1148 +----------------------------------------------------------------+ 1149 | gost28147IMIT(IV, K, M) | 1150 |----------------------------------------------------------------| 1151 | Input: | 1152 | - initial value IV in B_8, | 1153 | - key K in B_32, | 1154 | - message M in B*. | 1155 | Output: | 1156 | - MAC value T in B_4. | 1157 |----------------------------------------------------------------| 1158 | 1. M' = PAD(M) | 1159 | 2. M' = M'_0 | ... | M'_r, |M'_i| = 8, i in {0, ... , r} | 1160 | 3. M'' = (M'_0 XOR IV) | M'_1 | ... | M'_r | 1161 | 4. return K = MAC28147(K, M'') | 1162 +----------------------------------------------------------------+ 1164 where the PAD function is the padding function that adds m zero bytes 1165 to the end of the message, where m is the smallest, non-negative 1166 solution to the equation (|M| + m) mod 8 = 0, the MAC28147 function 1167 corresponds to Message Authentication Code Generation Mode defined in 1168 [RFC5830] with 4 byte length output. 1170 9. IANA Considerations 1172 IANA is asked to assign numbers TBD1, TBD2 and TBD3 with the names 1173 TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC, 1174 TTLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC, 1175 TLS_GOSTR341112_256_WITH_28147_CNT_IMIT to the "TLS Cipher Suite" 1176 registry with this document as reference, as shown below. 1178 +-----------+--------------------------------------------+---------+----------+ 1179 | Value | Description | DTLS-OK | Reference| 1180 +-----------+--------------------------------------------+---------+----------+ 1181 | TBD1 |TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC| N | this RFC | 1182 +-----------+--------------------------------------------+---------+----------+ 1183 | TBD2 | TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC | N | this RFC | 1184 +-----------+--------------------------------------------+---------+----------+ 1185 | TBD3 | TLS_GOSTR341112_256_WITH_28147_CNT_IMIT | N | this RFC | 1186 +-----------+--------------------------------------------+---------+----------+ 1187 IANA is asked to assign numbers TBD4, TBD5 with the names 1188 gostr34102012_256, gostr34102012_512, to the "TLS SignatureAlgorithm" 1189 registry, as shown below. 1191 +-----------+---------------------+---------+----------+ 1192 | Value | Description | DTLS-OK | Reference| 1193 +-----------+---------------------+---------+----------+ 1194 | TBD4 | gostr34102012_256 | Y | this RFC | 1195 +-----------+---------------------+---------+----------+ 1196 | TBD5 | gostr34102012_512 | Y | this RFC | 1197 +-----------+---------------------+---------+----------+ 1199 IANA is asked to assign numbers TBD6, TBD7, TBD8, TBD9, TBD10, TBD11, 1200 TBD12 with the names GC256A, GC256B, GC256C, GC256D, GC512A, GC512B, 1201 GC512C to the "TLS Supported Groups" registry, as shown below. 1203 +-----------+----------------+---------+------------+-----------+ 1204 | Value | Description | DTLS-OK | Recomended | Reference | 1205 +-----------+----------------+---------+------------+-----------+ 1206 | TBD6 | GC256A | Y | N | this RFC | 1207 +-----------+----------------+---------+------------+-----------+ 1208 | TBD7 | GC256B | Y | N | this RFC | 1209 +-----------+----------------+---------+------------+-----------+ 1210 | TBD8 | GC256C | Y | N | this RFC | 1211 +-----------+----------------+---------+------------+-----------+ 1212 | TBD9 | GC256D | Y | N | this RFC | 1213 +-----------+----------------+---------+------------+-----------+ 1214 | TBD10 | GC512A | Y | N | this RFC | 1215 +-----------+----------------+---------+------------+-----------+ 1216 | TBD11 | GC512B | Y | N | this RFC | 1217 +-----------+----------------+---------+------------+-----------+ 1218 | TBD12 | GC512C | Y | N | this RFC | 1219 +-----------+----------------+---------+------------+-----------+ 1221 IANA is asked to assign numbers TBD13, TBD14 with the names 1222 gost_sign256, gost_sign512 to the "ClientCertificateType Identifiers" 1223 registry, as shown below. 1225 +-----------+---------------------+---------+----------+ 1226 | Value | Description | DTLS-OK | Reference| 1227 +-----------+---------------------+---------+----------+ 1228 | TBD13 | gost_sign256 | Y | this RFC | 1229 +-----------+---------------------+---------+----------+ 1230 | TBD14 | gost_sign512 | Y | this RFC | 1231 +-----------+---------------------+---------+----------+ 1233 10. Historical considerations 1235 Note that prior to the existence of this document implementations 1236 could use only the values from the Private Use space in order to use 1237 the GOST-based algorithms. So some old implementations can still use 1238 the old value {0x00,0x81} instead of the TBD3 value to indicate the 1239 TLS_GOSTR341112_256_WITH_28147_CNT_IMIT cipher suite; one old value 1240 238 instead of the values TBD4, 8 and TBD13 (to indicate the 1241 gostr34102012_256 signature algorithm, the Intrinsic hash algorithm 1242 and the gost_sign256 certificate type respectively); one old value 1243 239 instead of the values TBD5, 8 and TBD14 (to indicate the 1244 gostr34102012_512 signature algorithm, the Intrinsic hash algorithm 1245 and the gost_sign512 certificate type respectively). 1247 11. Security Considerations 1249 This entire document is about security considerations. 1251 12. References 1253 12.1. Normative References 1255 [DraftRekeying] 1256 Smyshlyaev, S., "Re-keying Mechanisms for Symmetric Keys", 1257 2018, . 1260 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1261 Requirement Levels", BCP 14, RFC 2119, 1262 DOI 10.17487/RFC2119, March 1997, 1263 . 1265 [RFC4357] Popov, V., Kurepkin, I., and S. Leontiev, "Additional 1266 Cryptographic Algorithms for Use with GOST 28147-89, GOST 1267 R 34.10-94, GOST R 34.10-2001, and GOST R 34.11-94 1268 Algorithms", RFC 4357, DOI 10.17487/RFC4357, January 2006, 1269 . 1271 [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security 1272 (TLS) Protocol Version 1.2", RFC 5246, 1273 DOI 10.17487/RFC5246, August 2008, 1274 . 1276 [RFC5746] Rescorla, E., Ray, M., Dispensa, S., and N. Oskov, 1277 "Transport Layer Security (TLS) Renegotiation Indication 1278 Extension", RFC 5746, DOI 10.17487/RFC5746, February 2010, 1279 . 1281 [RFC5830] Dolmatov, V., Ed., "GOST 28147-89: Encryption, Decryption, 1282 and Message Authentication Code (MAC) Algorithms", 1283 RFC 5830, DOI 10.17487/RFC5830, March 2010, 1284 . 1286 [RFC6986] Dolmatov, V., Ed. and A. Degtyarev, "GOST R 34.11-2012: 1287 Hash Function", RFC 6986, DOI 10.17487/RFC6986, August 1288 2013, . 1290 [RFC7091] Dolmatov, V., Ed. and A. Degtyarev, "GOST R 34.10-2012: 1291 Digital Signature Algorithm", RFC 7091, 1292 DOI 10.17487/RFC7091, December 2013, 1293 . 1295 [RFC7366] Gutmann, P., "Encrypt-then-MAC for Transport Layer 1296 Security (TLS) and Datagram Transport Layer Security 1297 (DTLS)", RFC 7366, DOI 10.17487/RFC7366, September 2014, 1298 . 1300 [RFC7627] Bhargavan, K., Ed., Delignat-Lavaud, A., Pironti, A., 1301 Langley, A., and M. Ray, "Transport Layer Security (TLS) 1302 Session Hash and Extended Master Secret Extension", 1303 RFC 7627, DOI 10.17487/RFC7627, September 2015, 1304 . 1306 [RFC7801] Dolmatov, V., Ed., "GOST R 34.12-2015: Block Cipher 1307 "Kuznyechik"", RFC 7801, DOI 10.17487/RFC7801, March 2016, 1308 . 1310 [RFC7836] Smyshlyaev, S., Ed., Alekseev, E., Oshkin, I., Popov, V., 1311 Leontiev, S., Podobaev, V., and D. Belyavsky, "Guidelines 1312 on the Cryptographic Algorithms to Accompany the Usage of 1313 Standards GOST R 34.10-2012 and GOST R 34.11-2012", 1314 RFC 7836, DOI 10.17487/RFC7836, March 2016, 1315 . 1317 [RFC7919] Gillmor, D., "Negotiated Finite Field Diffie-Hellman 1318 Ephemeral Parameters for Transport Layer Security (TLS)", 1319 RFC 7919, DOI 10.17487/RFC7919, August 2016, 1320 . 1322 [RFC8422] Nir, Y., Josefsson, S., and M. Pegourie-Gonnard, "Elliptic 1323 Curve Cryptography (ECC) Cipher Suites for Transport Layer 1324 Security (TLS) Versions 1.2 and Earlier", RFC 8422, 1325 DOI 10.17487/RFC8422, August 2018, 1326 . 1328 12.2. Informative References 1330 [CMAC] Dworkin, M., "Recommendation for Block Cipher Modes of 1331 Operation: the CMAC Mode for Authentication", NIST Special 1332 Publication 800-38B, 2005. 1334 [GOST28147-89] 1335 Government Committee of the USSR for Standards, 1336 "Cryptographic Protection for Data Processing System, 1337 Gosudarstvennyi Standard of USSR (In Russian)", 1338 GOST 28147-89, 1989. 1340 [GOST3410-2012] 1341 Federal Agency on Technical Regulating and Metrology, 1342 "Information technology. Cryptographic data security. 1343 Signature and verification processes of [electronic] 1344 digital signature", GOST R 34.10-2012, 2012. 1346 [GOST3411-2012] 1347 Federal Agency on Technical Regulating and Metrology, 1348 "Information technology. Cryptographic Data Security. 1349 Hashing function", GOST R 34.11-2012, 2012. 1351 [GOST3412-2015] 1352 Federal Agency on Technical Regulating and Metrology, 1353 "Information technology. Cryptographic data security. 1354 Block ciphers", GOST R 34.12-2015, 2015. 1356 [GOST3413-2015] 1357 Federal Agency on Technical Regulating and Metrology, 1358 "Information technology. Cryptographic data security. 1359 Modes of operation for block ciphers", GOST R 34.13-2015, 1360 2015. 1362 [IK2003] Iwata T., Kurosawa K. (2003), "OMAC: One-Key CBC MAC.", 1363 FSE 2003. Lecture Notes in Computer Science, vol 2887. 1364 Springer, Berlin, Heidelberg, 2003. 1366 [MODES] Dworkin, M., "Recommendation for Block Cipher Modes of 1367 Operation: Methods and Techniques", NIST Special 1368 Publication 800-38A, December 2001. 1370 Appendix A. Test Examples 1372 [[TODO: This section must be updated after receiving IANA values 1373 TBD1, TBD2, TBD3, TBD4, TBD5.]] 1375 A.1. Test Examples for CTR_OMAC cipher suites 1377 A.1.1. TLSTREE Examples 1379 A.1.1.1. TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC ciphersuite 1381 TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC 1382 *********************************************** 1383 Root Key K_root: 1384 00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 1385 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 1387 seqnum = 0 1388 First level key from Divers_1: 1389 F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1 1390 39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42 1392 Second level key from Divers_2: 1393 51 37 D5 C4 A6 E6 BE 42 C4 40 D1 0A 95 EE A0 7F 1394 08 9E 74 0D 38 90 EB 52 65 2C 0C B9 3F 20 7B B4 1396 The resulting key from Divers 3: 1397 19 A7 6E D3 0F 4D 6D 1F 5B 72 63 EC 49 1A D8 38 1398 17 C0 B5 7D 8A 03 56 12 71 40 FB 4F 74 25 49 4D 1400 seqnum = 4095 1401 First level key from Divers_1: 1402 F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1 1403 39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42 1405 Second level key from Divers_2: 1406 51 37 D5 C4 A6 E6 BE 42 C4 40 D1 0A 95 EE A0 7F 1407 08 9E 74 0D 38 90 EB 52 65 2C 0C B9 3F 20 7B B4 1409 The resulting key from Divers 3: 1410 19 A7 6E D3 0F 4D 6D 1F 5B 72 63 EC 49 1A D8 38 1411 17 C0 B5 7D 8A 03 56 12 71 40 FB 4F 74 25 49 4D 1412 seqnum = 4096 1413 First level key from Divers_1: 1414 F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1 1415 39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42 1417 Second level key from Divers_2: 1418 51 37 D5 C4 A6 E6 BE 42 C4 40 D1 0A 95 EE A0 7F 1419 08 9E 74 0D 38 90 EB 52 65 2C 0C B9 3F 20 7B B4 1421 The resulting key from Divers 3: 1422 FB 30 EE 53 CF CF 89 D7 48 FC 0C 72 EF 16 0B 8B 1423 53 CB BB FD 03 12 82 B0 26 21 4A B2 E0 77 58 FF 1425 seqnum = 33554431 1426 First level key from Divers_1: 1427 F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1 1428 39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42 1430 Second level key from Divers_2: 1431 51 37 D5 C4 A6 E6 BE 42 C4 40 D1 0A 95 EE A0 7F 1432 08 9E 74 0D 38 90 EB 52 65 2C 0C B9 3F 20 7B B4 1434 The resulting key from Divers 3: 1435 B8 5B 36 DC 22 82 32 6B C0 35 C5 72 DC 93 F1 8D 1436 83 AA 01 74 F3 94 20 9A 51 3B B3 74 DC 09 35 AE 1438 seqnum = 33554432 1439 First level key from Divers_1: 1440 F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1 1441 39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42 1443 Second level key from Divers_2: 1444 3F EA 59 38 DA 2B F8 DD C4 7E C1 DC 55 61 89 66 1445 79 02 BE 42 0D F4 C3 7D AF 21 75 3B CB 1D C7 F3 1447 The resulting key from Divers 3: 1448 0F D7 C0 9E FD F8 E8 15 73 EE CC F8 6E 4B 95 E3 1449 AF 7F 34 DA B1 17 7C FD 7D B9 7B 6D A9 06 40 8A 1451 seqnum = 274877906943 1452 First level key from Divers_1: 1453 F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1 1454 39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42 1456 Second level key from Divers_2: 1457 AB F3 A5 37 98 3A 1B 98 40 06 6D E6 8A 49 BF 25 1458 97 7E E5 C3 F5 2D 33 3E 3C 22 0F 1D 15 C5 08 93 1459 The resulting key from Divers 3: 1460 48 0F 99 72 BA F2 5D 4C 36 9A 96 AF 91 BC A4 55 1461 3F 79 D8 F0 C5 61 8B 19 FD 44 CF DC 57 FA 37 33 1463 seqnum = 274877906944 1464 First level key from Divers_1: 1465 15 60 0D 9E 8F A6 85 54 CF 15 2D C7 4F BC 42 51 1466 17 B0 3E 09 76 BB 28 EA 98 24 C3 B7 0F 28 CB D8 1468 Second level key from Divers_2: 1469 6C C2 8E B0 93 24 72 12 5C 7A D3 F8 09 73 B3 C8 1470 C4 13 7D A5 73 BC 17 1A 24 ED D4 A3 71 F1 F8 73 1472 The resulting key from Divers 3: 1473 25 28 C1 C6 A8 F0 92 7B F2 BE 27 BB 78 D2 7F 21 1474 46 D6 55 93 B0 C7 17 3A 06 CB 9D 88 DF 92 32 65 1476 A.1.1.2. TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC ciphersuite 1478 TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC 1479 *********************************************** 1480 Root Key K_root: 1481 00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 1482 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 1484 seqnum = 0 1485 First level key from Divers_1: 1486 F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1 1487 39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42 1489 Second level key from Divers_2: 1490 51 37 D5 C4 A6 E6 BE 42 C4 40 D1 0A 95 EE A0 7F 1491 08 9E 74 0D 38 90 EB 52 65 2C 0C B9 3F 20 7B B4 1493 The resulting key from Divers 3: 1494 19 A7 6E D3 0F 4D 6D 1F 5B 72 63 EC 49 1A D8 38 1495 17 C0 B5 7D 8A 03 56 12 71 40 FB 4F 74 25 49 4D 1497 seqnum = 63 1498 First level key from Divers_1: 1499 F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1 1500 39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42 1502 Second level key from Divers_2: 1503 51 37 D5 C4 A6 E6 BE 42 C4 40 D1 0A 95 EE A0 7F 1504 08 9E 74 0D 38 90 EB 52 65 2C 0C B9 3F 20 7B B4 1506 The resulting key from Divers 3: 1507 19 A7 6E D3 0F 4D 6D 1F 5B 72 63 EC 49 1A D8 38 1508 17 C0 B5 7D 8A 03 56 12 71 40 FB 4F 74 25 49 4D 1510 seqnum = 64 1511 First level key from Divers_1: 1512 F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1 1513 39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42 1515 Second level key from Divers_2: 1516 51 37 D5 C4 A6 E6 BE 42 C4 40 D1 0A 95 EE A0 7F 1517 08 9E 74 0D 38 90 EB 52 65 2C 0C B9 3F 20 7B B4 1519 The resulting key from Divers 3: 1520 AE BE 1E F4 18 71 3B F0 44 B9 FC D9 E5 72 D4 37 1521 FB 38 B5 D8 29 56 7A 6F 79 18 39 6D 9F 4E 09 6B 1523 seqnum = 524287 1524 First level key from Divers_1: 1525 F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1 1526 39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42 1528 Second level key from Divers_2: 1529 51 37 D5 C4 A6 E6 BE 42 C4 40 D1 0A 95 EE A0 7F 1530 08 9E 74 0D 38 90 EB 52 65 2C 0C B9 3F 20 7B B4 1532 The resulting key from Divers 3: 1533 6F 18 D4 00 3E A2 CB 30 F5 FE C1 93 A2 34 F0 7D 1534 7C 43 94 98 7F 50 75 8D E2 2B 22 0D 8A 10 51 06 1536 seqnum = 524288 1537 First level key from Divers_1: 1538 F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1 1539 39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42 1541 Second level key from Divers_2: 1542 F6 59 EB 85 EE BD 2A 8D CC 1B B3 F7 C6 00 57 FF 1543 6D 33 B6 0F 74 65 DD 42 B5 11 2C F3 A6 B1 AB 66 1545 The resulting key from Divers 3: 1546 E5 4B 16 41 5B 3B 66 3E 78 0B 06 2D 24 F7 36 C4 1547 49 54 63 C3 A8 91 E1 FA 46 F7 AE 99 FF F9 F3 78 1549 seqnum = 4294967295 1550 First level key from Divers_1: 1551 F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1 1552 39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42 1554 Second level key from Divers_2: 1555 F4 BC 10 1A BB 68 86 2A 8C E3 1E A0 0D DF A7 FE 1556 B8 29 10 F1 24 F4 B1 E2 9E A8 3B E0 06 C2 26 8D 1558 The resulting key from Divers 3: 1559 CF 60 09 04 C7 1E 7B 88 A4 9A C8 E2 45 77 4B 3D 1560 BE ED FB 81 DE 9A 0E 2F 4E 46 C3 56 07 BC 2F 04 1562 seqnum = 4294967296 1563 First level key from Divers_1: 1564 55 CC 95 E0 D1 FB 54 85 AF 8E F6 9A CD 72 B2 32 1565 79 7C D2 E8 5D 86 CD FD 1D E5 5B D1 FA 14 37 78 1567 Second level key from Divers_2: 1568 72 16 91 E1 01 C4 28 96 A6 40 AE 18 3F BB 44 5B 1569 76 37 9C 57 E1 FD 8A 7D 49 A6 23 E4 23 8C 0E 1D 1571 The resulting key from Divers 3: 1572 16 18 0B 24 64 54 00 B8 36 14 38 37 D8 6A AC 93 1573 95 2A E3 EB 82 44 D5 EC 2A B0 2C FF 30 78 11 38 1575 A.1.2. Record Examples 1577 A.1.2.1. TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC ciphersuite 1579 TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC 1580 ******************************************************** 1581 It is assumed that during Handshake following keys were established: 1583 - MAC key: 1584 00000: 00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 1585 00010: 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 1586 - Encryption key: 1587 00000: 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 1588 00010: 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 1589 - IV: 1590 00000: 00 00 00 00 1591 --------------------------------------------------------- 1592 seqnum = 0 1594 Application data: 1595 00000: 00 00 00 00 00 00 00 1596 TLSPlaintext: 1597 00000: 17 03 03 00 07 00 00 00 00 00 00 00 1599 K_MAC_0: 1600 00000: 19 A7 6E D3 0F 4D 6D 1F 5B 72 63 EC 49 1A D8 38 1601 00010: 17 C0 B5 7D 8A 03 56 12 71 40 FB 4F 74 25 49 4D 1603 MAC value: 1604 00000: F3 3E B6 89 6F EC E2 86 1606 K_ENC_0: 1607 00000: 58 AF BE 9A 4C 31 98 AA AB AA 26 92 C4 19 F1 79 1608 00010: 7C 9B 92 DE B3 CC 74 46 B3 63 57 71 13 F0 FB 56 1610 IV_0: 1611 00000: 00 00 00 00 1613 TLSCiphertext: 1614 00000: 17 03 03 00 0F 9B 42 0D A8 6F AF 36 7F 05 14 43 1615 00010: CE 9C 10 72 1616 --------------------------------------------------------- 1617 seqnum = 4095 1619 Application data: 1620 00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1621 00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1622 00020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1623 . . . 1624 003D0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1625 003E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1626 003F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1628 TLSPlaintext: 1629 00000: 17 03 03 04 00 00 00 00 00 00 00 00 00 00 00 00 1630 00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1631 00020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1632 . . . 1633 003D0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1634 003E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1635 003F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1636 00400: 00 00 00 00 00 1638 K_MAC_4095: 1639 00000: 19 A7 6E D3 0F 4D 6D 1F 5B 72 63 EC 49 1A D8 38 1640 00010: 17 C0 B5 7D 8A 03 56 12 71 40 FB 4F 74 25 49 4D 1642 MAC value: 1643 00000: 58 D3 BB 60 8F BC 98 B8 1644 K_ENC_4095: 1645 00000: 58 AF BE 9A 4C 31 98 AA AB AA 26 92 C4 19 F1 79 1646 00010: 7C 9B 92 DE B3 CC 74 46 B3 63 57 71 13 F0 FB 56 1648 IV_4095: 1649 00000: 00 00 0F FF 1651 TLSCiphertext: 1652 00000: 17 03 03 04 08 B7 11 43 8B 16 20 1F 3C 49 33 95 1653 00010: 21 C9 C8 CA 75 66 D4 C2 0F D3 3E 58 1F 80 07 DC 1654 00020: 76 04 3E 2B 35 C8 E8 4B B2 55 08 27 66 13 59 6F 1655 . . . 1656 003D0: E7 77 70 BF 45 17 E1 F8 DD 1B 2C 05 64 AD 68 FC 1657 003E0: 4A 88 9A 48 B8 B1 FF 0E A4 E1 BB 70 4D 56 A4 75 1658 003F0: 2F 51 A5 82 CC 54 1A 80 8F 8C 8B 62 97 68 88 C8 1659 00400: 10 59 DE 41 27 63 A3 E0 99 9A CD DA 77 1661 --------------------------------------------------------- 1662 seqnum = 4096 1664 Application data: 1665 00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1666 00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1667 00020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1668 . . . 1669 007D0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1670 007E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1671 007F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1673 TLSPlaintext: 1674 00000: 17 03 03 08 00 00 00 00 00 00 00 00 00 00 00 00 1675 00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1676 00020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1677 . . . 1678 007D0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1679 007E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1680 007F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1681 00800: 00 00 00 00 00 1683 K_MAC_4096: 1684 00000: FB 30 EE 53 CF CF 89 D7 48 FC 0C 72 EF 16 0B 8B 1685 00010: 53 CB BB FD 03 12 82 B0 26 21 4A B2 E0 77 58 FF 1687 MAC value: 1688 00000: 50 55 A2 6A BE 19 63 81 1690 K_ENC_4096: 1691 00000: ED F2 FD 02 47 71 60 23 83 09 00 2D 1D 57 DF 9F 1692 00010: D2 ED 18 D6 45 66 C7 6F 4B F0 3D 3A BF 7B BB 1E 1694 IV_4096: 1695 00000: 00 00 10 00 1697 TLSCiphertext: 1698 00000: 17 03 03 08 08 99 95 26 07 03 47 1D ED A2 E6 55 1699 00010: B6 B3 93 83 5E 33 8B 1E D0 0E DD 22 47 A2 FB 88 1700 00020: FB B7 A8 94 80 62 08 8A F3 2C AE B6 AA 2C 4F 2A 1701 . . . 1702 007D0: 7F 0B 24 61 E7 5F E1 06 34 B8 4D C5 70 35 72 5A 1703 007E0: CA 4F 0C BC A9 B0 6C B9 F7 6F BD 2F 80 46 2B 8D 1704 007F0: 77 5E BD 41 6F 63 41 39 AC 89 C2 ED 3D F1 9F E2 1705 00800: 4E F8 C0 5A A8 90 93 1B 01 86 FD 7D DF 1707 A.1.2.2. TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC ciphersuite 1709 TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC 1710 *********************************************** 1711 It is assumed that during Handshake following keys were established: 1713 - MAC key: 1714 00000: 00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 1715 00010: 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 1716 - Encryption key: 1717 00000: 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 1718 00010: 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 1719 - IV: 1720 00000: 00 00 00 00 00 00 00 00 1722 --------------------------------------------------------- 1723 seqnum = 0 1725 Application data: 1726 00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1728 TLSPlaintext: 1729 00000: 17 03 03 00 0F 00 00 00 00 00 00 00 00 00 00 00 1730 00010: 00 00 00 00 1732 K_MAC_0: 1733 00000: 19 A7 6E D3 0F 4D 6D 1F 5B 72 63 EC 49 1A D8 38 1734 00010: 17 C0 B5 7D 8A 03 56 12 71 40 FB 4F 74 25 49 4D 1736 MAC value: 1738 00000: FD 17 19 DD 95 08 37 EB 7C 7B B8 F5 00 37 99 81 1740 K_ENC_0: 1741 00000: 58 AF BE 9A 4C 31 98 AA AB AA 26 92 C4 19 F1 79 1742 00010: 7C 9B 92 DE B3 CC 74 46 B3 63 57 71 13 F0 FB 56 1744 IV_0: 1745 00000: 00 00 00 00 00 00 00 00 1747 TLSCiphertext: 1748 00000: 17 03 03 00 1F 4D 1A 30 52 36 57 3B FF C1 4E 46 1749 00010: DC BE 74 6D B6 C9 9A 17 5A 81 C4 71 1E 2F 84 C3 1750 00020: 92 C5 40 7C 1752 --------------------------------------------------------- 1753 seqnum = 63 1755 Application data: 1756 00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1757 00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1758 00020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1759 . . . 1760 00FD0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1761 00FE0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1762 00FF0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1764 TLSPlaintext: 1765 00000: 17 03 03 10 00 00 00 00 00 00 00 00 00 00 00 00 1766 00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1767 00020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1768 . . . 1769 00FD0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1770 00FE0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1771 00FF0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1772 01000: 00 00 00 00 00 1774 K_MAC_63: 1775 00000: 19 A7 6E D3 0F 4D 6D 1F 5B 72 63 EC 49 1A D8 38 1776 00010: 17 C0 B5 7D 8A 03 56 12 71 40 FB 4F 74 25 49 4D 1778 Mac value: 1779 00000: 98 46 27 61 D0 26 24 4A 2C 0B 7D 1B CC CB E7 B0 1781 K_ENC_63: 1782 00000: 58 AF BE 9A 4C 31 98 AA AB AA 26 92 C4 19 F1 79 1783 00010: 7C 9B 92 DE B3 CC 74 46 B3 63 57 71 13 F0 FB 56 1785 IV_63: 1787 00000: 00 00 00 00 00 00 00 3F 1789 TLSCiphertext: 1790 00000: 17 03 03 10 10 12 93 51 D2 6E 14 07 13 A2 1B 37 1791 00010: 68 24 A2 23 17 CD C0 D8 8E 01 CF A3 FE 21 41 5F 1792 00020: 5C 5E 05 86 9C CF 38 A5 1B C2 E0 ED 68 94 46 A8 1793 . . . 1794 00FE0: 19 AD 99 8C 06 25 21 E6 7B 63 59 A4 F5 C8 16 F9 1795 00FF0: 47 6B A7 13 26 82 BB A8 CE 0B ED AD 65 E4 20 A2 1796 01000: 97 B6 E2 C6 1F A4 06 D9 B8 CA 36 FD 9F CD 3A EE 1797 01010: 24 78 F4 D1 96 1799 --------------------------------------------------------- 1800 seqnum = 64 1802 Application data: 1803 00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1804 00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1805 00020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1806 . . . 1807 01FD0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1808 01FE0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1809 01FF0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1811 TLSPlaintext: 1812 00000: 17 03 03 20 00 00 00 00 00 00 00 00 00 00 00 00 1813 00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1814 00020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1815 . . . 1816 01FD0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1817 01FE0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1818 01FF0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1819 02000: 00 00 00 00 00 1821 K_MAC_64: 1822 00000: AE BE 1E F4 18 71 3B F0 44 B9 FC D9 E5 72 D4 37 1823 00010: FB 38 B5 D8 29 56 7A 6F 79 18 39 6D 9F 4E 09 6B 1825 Mac value: 1826 00000: EA C3 97 87 84 2B 1D BD 60 80 CC 3F BF AE 5C 2F 1828 K_ENC_64: 1829 00000: 64 F5 5A FC 37 A1 74 D9 53 3E 70 8B CD 14 FA 4A 1830 00010: EE C3 7B C0 E3 2B A4 99 01 B4 66 9E 96 A6 3D 96 1832 IV_64: 1833 00000: 00 00 00 00 00 00 00 40 1834 TLSCiphertext: 1835 00000: 17 03 03 20 10 E6 66 BB 98 AC 5B 0F 39 31 D8 55 1836 00010: 1B 93 36 85 96 EE F0 EB A8 26 9C B8 BD AA E7 EB 1837 00020: 80 C8 30 D7 5A B7 D4 6C 25 06 DC 8B 83 E1 F2 D3 1838 . . . 1839 01FE0: B3 02 67 2C CB 02 86 CD 40 48 FB D5 38 1A 65 55 1840 01FF0: 26 11 25 51 01 4F A8 ED F5 C2 1B 7D 1D B3 9D 6B 1841 02000: AD EC 0D 7C 07 05 34 8B 5C 55 6C 4D 50 81 69 1A 1842 02010: A9 EC 36 F8 B5 1844 A.1.3. Handshake Examples 1846 A.1.3.1. TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC ciphersuite 1848 Server certificate curve OID: 1849 id-tc26-gost-3410-2012-256-paramSetB, "1.2.643.2.2.36.0" 1851 Server public key Q_s: 1852 x = 0xE823FFEB48C2A92D1AFDDB0BC7265699 1853 D35640ECC69AF3DC85E7C21960DD109A 1855 y = 0xC80CBACDAECF6F04631A03118E5D0B9E 1856 DEEEC7CBEAF765C4AB299447706FD6CA 1858 Server private key d_s: 1859 0x03495493ABCA61B3B65E158398455D70 1860 C22107DA5B68195BB65B99C01A0FD3C0 1862 ---------------------------Client--------------------------- 1864 ClientHello message: 1865 msg_type: 01 1866 length: 000040 1867 body: 1868 client_version: 1869 major: 03 1870 minor: 03 1871 random: 933EA21EC3802A561550EC78D6ED51AC 1872 2439D7E749C31BC3A3456165889684CA 1873 session_id: 1874 length: 00 1875 vector: -- 1876 cipher_suites: 1878 length: 0004 1879 vector: 1880 CipherSuite: FF88 1881 CipherSuite: FF89 1882 compression_methods: 1883 length: 01 1884 vector: 1885 CompressionMethod: 00 1886 extensions: 1887 length: 0013 1888 Extension: /* signature_algorithms */ 1889 extension_type: 000D 1890 extension_data: 1891 length: 0006 1892 vector: 1893 supported_signature_algorithms: 1894 length: 0004 1895 vector: 1896 /* 1 pair of algorithms */ 1897 hash: EE 1898 signature: 1899 EE 1900 /* 2 pair of algorithms */ 1901 hash: EF 1902 signature: 1903 EF 1904 Extension: /* renegotiation_info */ 1905 extension_type: FF01 1906 extension_data: 1907 length: 0001 1908 vector: 1909 renegotiated_connection: 1910 length: 00 1911 vector: -- 1912 Extension: /* extended_master_secret */ 1913 extension_type: 0017 1914 extension_data: 1915 length: 0000 1916 vector: -- 1918 00000: 01 00 00 40 03 03 93 3E A2 1E C3 80 2A 56 15 50 1919 00010: EC 78 D6 ED 51 AC 24 39 D7 E7 49 C3 1B C3 A3 45 1920 00020: 61 65 88 96 84 CA 00 00 04 FF 88 FF 89 01 00 00 1921 00030: 13 00 0D 00 06 00 04 EE EE EF EF FF 01 00 01 00 1922 00040: 00 17 00 00 1924 Record layer message: 1925 type: 16 1926 version: 1927 major: 03 1928 minor: 03 1929 length: 0044 1930 fragment: 010000400303933EA21EC3802A561550 1931 EC78D6ED51AC2439D7E749C31BC3A345 1932 6165889684CA000004FF88FF89010000 1933 13000D00060004EEEEEFEFFF01000100 1934 00170000 1936 00000: 16 03 03 00 44 01 00 00 40 03 03 93 3E A2 1E C3 1937 00010: 80 2A 56 15 50 EC 78 D6 ED 51 AC 24 39 D7 E7 49 1938 00020: C3 1B C3 A3 45 61 65 88 96 84 CA 00 00 04 FF 88 1939 00030: FF 89 01 00 00 13 00 0D 00 06 00 04 EE EE EF EF 1940 00040: FF 01 00 01 00 00 17 00 00 1942 ---------------------------Server--------------------------- 1944 ServerHello message: 1945 msg_type: 02 1946 length: 000041 1947 body: 1948 client_version: 1949 major: 03 1950 minor: 03 1951 random: 933EA21E49C31BC3A3456165889684CA 1952 A5576CE7924A24F58113808DBD9EF856 1953 session_id: 1954 length: 10 1955 vector: C3802A561550EC78D6ED51AC2439D7E7 1956 cipher_suite: 1957 CipherSuite: FF88 1958 compression_method: 1959 CompressionMethod: 00 1960 extensions: 1961 length: 0009 1962 Extension: /* renegotiation_info */ 1963 extension_type: FF01 1964 extension_data: 1965 length: 0001 1966 vector: 1967 renegotiated_connection: 1968 length: 00 1969 vector: -- 1970 Extension: /* extended_master_secret */ 1971 extension_type: 0017 1972 extension_data: 1973 length: 0000 1974 vector: -- 1976 00000: 02 00 00 41 03 03 93 3E A2 1E 49 C3 1B C3 A3 45 1977 00010: 61 65 88 96 84 CA A5 57 6C E7 92 4A 24 F5 81 13 1978 00020: 80 8D BD 9E F8 56 10 C3 80 2A 56 15 50 EC 78 D6 1979 00030: ED 51 AC 24 39 D7 E7 FF 88 00 00 09 FF 01 00 01 1980 00040: 00 00 17 00 00 1982 Record layer message:: 1983 type: 16 1984 version: 1985 major: 03 1986 minor: 03 1987 length: 0045 1988 fragment: 020000410303933EA21E49C31BC3A345 1989 6165889684CAA5576CE7924A24F58113 1990 808DBD9EF85610C3802A561550EC78D6 1991 ED51AC2439D7E7FF88000009FF010001 1992 0000170000 1994 00000: 16 03 03 00 45 02 00 00 41 03 03 93 3E A2 1E 49 1995 00010: C3 1B C3 A3 45 61 65 88 96 84 CA A5 57 6C E7 92 1996 00020: 4A 24 F5 81 13 80 8D BD 9E F8 56 10 C3 80 2A 56 1997 00030: 15 50 EC 78 D6 ED 51 AC 24 39 D7 E7 FF 88 00 00 1998 00040: 09 FF 01 00 01 00 00 17 00 00 2000 ---------------------------Server--------------------------- 2002 Certificate message: 2003 msg_type: 0B 2004 length: 0001C6 2005 body: 2006 certificate_list: 2007 length: 0001C3 2008 vector: 2009 ASN.1Cert: 2010 length: 0001C0 2011 vector: 308201BC30820169A003020102020101 2012 300A06082A850307010103023042312C 2013 302A06092A864886F70D010901161D74 2014 . . . 2015 C24737BEB0FF7D291D391E4D79514AE2 2016 8AC284F45169886F65B0080F53501EF7 2017 06012FBF9396B9766911213C18ECE1FD 2019 00000: 0B 00 01 C6 00 01 C3 00 01 C0 30 82 01 BC 30 82 2020 00010: 01 69 A0 03 02 01 02 02 01 01 30 0A 06 08 2A 85 2021 00020: 03 07 01 01 03 02 30 42 31 2C 30 2A 06 09 2A 86 2022 00030: 48 86 F7 0D 01 09 01 16 1D 74 6C 73 31 32 5F 73 2023 00040: 65 72 76 65 72 32 35 36 41 40 63 72 79 70 74 6F 2024 00050: 70 72 6F 2E 72 75 31 12 30 10 06 03 55 04 03 13 2025 00060: 09 53 65 72 76 65 72 32 35 36 30 1E 17 0D 31 37 2026 00070: 30 35 32 35 30 39 32 32 34 37 5A 17 0D 33 30 30 2027 00080: 35 30 31 30 39 32 32 34 37 5A 30 42 31 2C 30 2A 2028 00090: 06 09 2A 86 48 86 F7 0D 01 09 01 16 1D 74 6C 73 2029 000A0: 31 32 5F 73 65 72 76 65 72 32 35 36 41 40 63 72 2030 000B0: 79 70 74 6F 70 72 6F 2E 72 75 31 12 30 10 06 03 2031 000C0: 55 04 03 13 09 53 65 72 76 65 72 32 35 36 30 66 2032 000D0: 30 1F 06 08 2A 85 03 07 01 01 01 01 30 13 06 07 2033 000E0: 2A 85 03 02 02 24 00 06 08 2A 85 03 07 01 01 02 2034 000F0: 02 03 43 00 04 40 9A 10 DD 60 19 C2 E7 85 DC F3 2035 00100: 9A C6 EC 40 56 D3 99 56 26 C7 0B DB FD 1A 2D A9 2036 00110: C2 48 EB FF 23 E8 CA D6 6F 70 47 94 29 AB C4 65 2037 00120: F7 EA CB C7 EE DE 9E 0B 5D 8E 11 03 1A 63 04 6F 2038 00130: CF AE CD BA 0C C8 A3 43 30 41 30 1D 06 03 55 1D 2039 00140: 0E 04 16 04 14 68 AB F5 C4 EE D8 68 6E 9C 68 35 2040 00150: 22 EC 09 AA E9 D3 CF 30 10 30 0B 06 03 55 1D 0F 2041 00160: 04 04 03 02 03 28 30 13 06 03 55 1D 25 04 0C 30 2042 00170: 0A 06 08 2B 06 01 05 05 07 03 01 30 0A 06 08 2A 2043 00180: 85 03 07 01 01 03 02 03 41 00 88 2E 34 FB 75 8C 2044 00190: FB BE 2C 42 34 14 C4 6A D4 31 C2 47 37 BE B0 FF 2045 001A0: 7D 29 1D 39 1E 4D 79 51 4A E2 8A C2 84 F4 51 69 2046 001B0: 88 6F 65 B0 08 0F 53 50 1E F7 06 01 2F BF 93 96 2047 001C0: B9 76 69 11 21 3C 18 EC E1 FD 2049 Record layer message: 2050 type: 16 2051 version: 2052 major: 03 2053 minor: 03 2054 length: 01CA 2055 fragment: 0B0001C60001C30001C0308201BC3082 2056 0169A003020102020101300A06082A85 2057 0307010103023042312C302A06092A86 2058 . . . 2059 FBBE2C423414C46AD431C24737BEB0FF 2060 7D291D391E4D79514AE28AC284F45169 2061 886F65B0080F53501EF706012FBF9396 2062 B9766911213C18ECE1FD 2064 00000: 16 03 03 01 CA 0B 00 01 C6 00 01 C3 00 01 C0 30 2065 00010: 82 01 BC 30 82 01 69 A0 03 02 01 02 02 01 01 30 2066 00020: 0A 06 08 2A 85 03 07 01 01 03 02 30 42 31 2C 30 2067 00030: 2A 06 09 2A 86 48 86 F7 0D 01 09 01 16 1D 74 6C 2068 00040: 73 31 32 5F 73 65 72 76 65 72 32 35 36 41 40 63 2069 00050: 72 79 70 74 6F 70 72 6F 2E 72 75 31 12 30 10 06 2070 00060: 03 55 04 03 13 09 53 65 72 76 65 72 32 35 36 30 2071 00070: 1E 17 0D 31 37 30 35 32 35 30 39 32 32 34 37 5A 2072 00080: 17 0D 33 30 30 35 30 31 30 39 32 32 34 37 5A 30 2073 00090: 42 31 2C 30 2A 06 09 2A 86 48 86 F7 0D 01 09 01 2074 000A0: 16 1D 74 6C 73 31 32 5F 73 65 72 76 65 72 32 35 2075 000B0: 36 41 40 63 72 79 70 74 6F 70 72 6F 2E 72 75 31 2076 000C0: 12 30 10 06 03 55 04 03 13 09 53 65 72 76 65 72 2077 000D0: 32 35 36 30 66 30 1F 06 08 2A 85 03 07 01 01 01 2078 000E0: 01 30 13 06 07 2A 85 03 02 02 24 00 06 08 2A 85 2079 000F0: 03 07 01 01 02 02 03 43 00 04 40 9A 10 DD 60 19 2080 00100: C2 E7 85 DC F3 9A C6 EC 40 56 D3 99 56 26 C7 0B 2081 00110: DB FD 1A 2D A9 C2 48 EB FF 23 E8 CA D6 6F 70 47 2082 00120: 94 29 AB C4 65 F7 EA CB C7 EE DE 9E 0B 5D 8E 11 2083 00130: 03 1A 63 04 6F CF AE CD BA 0C C8 A3 43 30 41 30 2084 00140: 1D 06 03 55 1D 0E 04 16 04 14 68 AB F5 C4 EE D8 2085 00150: 68 6E 9C 68 35 22 EC 09 AA E9 D3 CF 30 10 30 0B 2086 00160: 06 03 55 1D 0F 04 04 03 02 03 28 30 13 06 03 55 2087 00170: 1D 25 04 0C 30 0A 06 08 2B 06 01 05 05 07 03 01 2088 00180: 30 0A 06 08 2A 85 03 07 01 01 03 02 03 41 00 88 2089 00190: 2E 34 FB 75 8C FB BE 2C 42 34 14 C4 6A D4 31 C2 2090 001A0: 47 37 BE B0 FF 7D 29 1D 39 1E 4D 79 51 4A E2 8A 2091 001B0: C2 84 F4 51 69 88 6F 65 B0 08 0F 53 50 1E F7 06 2092 001C0: 01 2F BF 93 96 B9 76 69 11 21 3C 18 EC E1 FD 2094 ---------------------------Server--------------------------- 2096 ServerHelloDone message: 2097 msg_type: 0E 2098 length: 000000 2099 body: -- 2101 00000: 0E 00 00 00 2103 Record layer message:: 2104 type: 16 2105 version: 2106 major: 03 2107 minor: 03 2108 length: 0004 2109 fragment: 0E000000 2111 00000: 16 03 03 00 04 0E 00 00 00 2112 ---------------------------Client--------------------------- 2114 PMS: 2115 00000: A5 57 6C E7 92 4A 24 F5 81 13 80 8D BD 9E F8 56 2116 00010: F5 BD C3 B1 83 CE 5D AD CA 36 A5 3A A0 77 65 1D 2118 Random d_eph value: 2119 0xA5C77C7482373DE16CE4A6F73CCE7F78 2120 471493FF2C0709B8B706C9E8A25E6C1E 2122 Q_eph ephemeral key: 2123 x = 0xA8F36D63D262A203978F1B3B6795CDBB 2124 F1AE7FB8EF7F47F1F18871C198E00793 2126 y = 0x34CA5D6B4485640EA195435993BEB1F8 2127 B016ED610496B5CC175AC2EA1F14F887 2129 HASH (r_c | r_s): 2130 00000: C3 EF 04 28 D4 B7 A1 F4 C5 02 5F 2E 65 DD 2B 2E 2131 00010: A5 83 AE EF DB 67 C7 F4 21 4A 6A 29 8E 99 E3 25 2133 Export key generation. r value: 2134 0xC3EF0428D4B7A1F4C5025F2E65DD2B2E 2136 Export key generation. UKM value: 2137 0xC3EF0428D4B7A1F4C5025F2E65DD2B2E 2139 Export keys K_Exp_MAC | K_Exp_ENC used in KExp15 algorithm: 2140 00000: 0E 01 38 D5 83 68 57 0B 89 F4 D2 50 71 5A E6 52 2141 00010: B1 B6 D8 02 A0 60 D3 CD D7 75 C6 8C 5C 53 B9 98 2142 00020: 3B B7 27 99 3C D2 3A 3C 27 C1 B9 BB 44 E6 AF B7 2143 00030: 62 71 F9 7D 80 38 1F 3C B1 FF 6E 7E 93 B0 62 02 2145 IV: 2146 00000: 21 4A 6A 29 2148 PMSEXP: 2149 00000: 9E C3 E0 76 C5 56 73 1E 3B 25 3B E5 8B 8F AD D4 2150 00010: A9 0A 24 B3 42 F6 13 A5 E2 AC 13 CE 07 53 0A 00 2151 00020: A9 8C 1E E2 A2 AF C0 E0 2153 ---------------------------Client--------------------------- 2155 ClientKeyExchange message: 2156 msg_type: 10 2157 length: 000095 2158 body: 2160 exchange_keys: 30819204289EC3E076C556731E3B253B 2161 E58B8FADD4A90A24B342F613A5E2AC13 2162 CE07530A00A98C1EE2A2AFC0E0306630 2163 . . . 2164 EFB87FAEF1BBCD95673B1B8F9703A262 2165 D2636DF3A887F8141FEAC25A17CCB596 2166 0461ED16B0F8B1BE93594395A10E6485 2167 446B5DCA34 2169 00000: 10 00 00 95 30 81 92 04 28 9E C3 E0 76 C5 56 73 2170 00010: 1E 3B 25 3B E5 8B 8F AD D4 A9 0A 24 B3 42 F6 13 2171 00020: A5 E2 AC 13 CE 07 53 0A 00 A9 8C 1E E2 A2 AF C0 2172 00030: E0 30 66 30 1F 06 08 2A 85 03 07 01 01 01 01 30 2173 00040: 13 06 07 2A 85 03 02 02 24 00 06 08 2A 85 03 07 2174 00050: 01 01 02 02 03 43 00 04 40 93 07 E0 98 C1 71 88 2175 00060: F1 F1 47 7F EF B8 7F AE F1 BB CD 95 67 3B 1B 8F 2176 00070: 97 03 A2 62 D2 63 6D F3 A8 87 F8 14 1F EA C2 5A 2177 00080: 17 CC B5 96 04 61 ED 16 B0 F8 B1 BE 93 59 43 95 2178 00090: A1 0E 64 85 44 6B 5D CA 34 2180 Record layer message: 2181 type: 16 2182 version: 2183 major: 03 2184 minor: 03 2185 length: 0099 2186 fragment: 1000009530819204289EC3E076C55673 2187 1E3B253BE58B8FADD4A90A24B342F613 2188 A5E2AC13CE07530A00A98C1EE2A2AFC0 2189 . . . 2190 F1F1477FEFB87FAEF1BBCD95673B1B8F 2191 9703A262D2636DF3A887F8141FEAC25A 2192 17CCB5960461ED16B0F8B1BE93594395 2193 A10E6485446B5DCA34 2195 00000: 16 03 03 00 99 10 00 00 95 30 81 92 04 28 9E C3 2196 00010: E0 76 C5 56 73 1E 3B 25 3B E5 8B 8F AD D4 A9 0A 2197 00020: 24 B3 42 F6 13 A5 E2 AC 13 CE 07 53 0A 00 A9 8C 2198 00030: 1E E2 A2 AF C0 E0 30 66 30 1F 06 08 2A 85 03 07 2199 00040: 01 01 01 01 30 13 06 07 2A 85 03 02 02 24 00 06 2200 00050: 08 2A 85 03 07 01 01 02 02 03 43 00 04 40 93 07 2201 00060: E0 98 C1 71 88 F1 F1 47 7F EF B8 7F AE F1 BB CD 2202 00070: 95 67 3B 1B 8F 97 03 A2 62 D2 63 6D F3 A8 87 F8 2203 00080: 14 1F EA C2 5A 17 CC B5 96 04 61 ED 16 B0 F8 B1 2204 00090: BE 93 59 43 95 A1 0E 64 85 44 6B 5D CA 34 2206 ---------------------------Server--------------------------- 2207 PMSEXP extracted: 2208 00000: 9E C3 E0 76 C5 56 73 1E 3B 25 3B E5 8B 8F AD D4 2209 00010: A9 0A 24 B3 42 F6 13 A5 E2 AC 13 CE 07 53 0A 00 2210 00020: A9 8C 1E E2 A2 AF C0 E0 2212 HASH(r_c | r_s): 2213 00000: C3 EF 04 28 D4 B7 A1 F4 C5 02 5F 2E 65 DD 2B 2E 2214 00010: A5 83 AE EF DB 67 C7 F4 21 4A 6A 29 8E 99 E3 25 2216 Export key generation. r value: 2217 0xC3EF0428D4B7A1F4C5025F2E65DD2B2E 2219 Export key generation. UKM value: 2220 0xC3EF0428D4B7A1F4C5025F2E65DD2B2E 2222 Import keys K_Imp_MAC | K_Imp_ENC used in KImp15 algorithm: 2223 00000: 0E 01 38 D5 83 68 57 0B 89 F4 D2 50 71 5A E6 52 2224 00010: B1 B6 D8 02 A0 60 D3 CD D7 75 C6 8C 5C 53 B9 98 2225 00020: 3B B7 27 99 3C D2 3A 3C 27 C1 B9 BB 44 E6 AF B7 2226 00030: 62 71 F9 7D 80 38 1F 3C B1 FF 6E 7E 93 B0 62 02 2228 IV: 2229 00000: 21 4A 6A 29 2231 PMS: 2232 00000: A5 57 6C E7 92 4A 24 F5 81 13 80 8D BD 9E F8 56 2233 00010: F5 BD C3 B1 83 CE 5D AD CA 36 A5 3A A0 77 65 1D 2235 ---------------------------Client--------------------------- 2237 HASH(HM): 2238 00000: F7 90 79 19 83 24 FD 49 8D FE A7 10 56 46 DE 41 2239 00010: DA 87 DC 0B 0A 91 71 A2 F9 7C 65 E7 EA DA 48 92 2241 MS: 2242 00000: ED 28 A3 02 79 AC 3E 83 A7 E3 73 22 65 96 BA D8 2243 00010: DD 7F 5E C5 FE 60 BB 2F 32 4C B0 14 7D F1 F3 51 2244 00020: 04 EB DB 85 04 53 5C E6 9A 96 68 8C BD FE A5 6D 2246 Client connection key material 2247 K_write_MAC|K_read_MAC|K_write_ENC|K_read_ENC|IV_write|IV_read: 2248 00000: 50 BB E5 17 CF 2A 6E 3A 15 04 F6 91 3C 07 2B 89 2249 00010: 17 17 46 89 86 9E CF A4 70 AC C2 C6 1C 1A 5B 4D 2250 00020: 11 03 A5 C1 E5 9F 18 7B 82 6C F0 26 D8 F0 21 35 2251 00030: 0B 44 48 F2 FC E5 0A 51 52 F5 43 2C 2F 25 24 FE 2252 00040: 1D FA 50 19 2E E1 69 BC 60 A6 24 A6 98 12 08 A7 2253 00050: 80 D1 F0 02 20 A1 CF B3 4B 0D 2E 71 7D BE 67 7A 2254 00060: 62 41 A1 0E 1A 10 49 53 97 00 6F AC BF 63 96 19 2255 00070: 22 7C 4C 03 0A E8 E5 3F C3 6E 43 A7 17 AF FE 60 2256 00080: 5F 23 58 29 21 BE FE 71 2258 ---------------------------Server--------------------------- 2260 HASH(HM): 2261 00000: F7 90 79 19 83 24 FD 49 8D FE A7 10 56 46 DE 41 2262 00010: DA 87 DC 0B 0A 91 71 A2 F9 7C 65 E7 EA DA 48 92 2264 MS: 2265 00000: ED 28 A3 02 79 AC 3E 83 A7 E3 73 22 65 96 BA D8 2266 00010: DD 7F 5E C5 FE 60 BB 2F 32 4C B0 14 7D F1 F3 51 2267 00020: 04 EB DB 85 04 53 5C E6 9A 96 68 8C BD FE A5 6D 2269 Server connection key material 2270 K_read_MAC|K_write_MAC|K_read_ENC|K_write_ENC|IV_read|IV_write: 2271 00000: 50 BB E5 17 CF 2A 6E 3A 15 04 F6 91 3C 07 2B 89 2272 00010: 17 17 46 89 86 9E CF A4 70 AC C2 C6 1C 1A 5B 4D 2273 00020: 11 03 A5 C1 E5 9F 18 7B 82 6C F0 26 D8 F0 21 35 2274 00030: 0B 44 48 F2 FC E5 0A 51 52 F5 43 2C 2F 25 24 FE 2275 00040: 1D FA 50 19 2E E1 69 BC 60 A6 24 A6 98 12 08 A7 2276 00050: 80 D1 F0 02 20 A1 CF B3 4B 0D 2E 71 7D BE 67 7A 2277 00060: 62 41 A1 0E 1A 10 49 53 97 00 6F AC BF 63 96 19 2278 00070: 22 7C 4C 03 0A E8 E5 3F C3 6E 43 A7 17 AF FE 60 2279 00080: 5F 23 58 29 21 BE FE 71 2281 ---------------------------Client--------------------------- 2283 ChangeCipherSpec message: 2284 type: 01 2286 00000: 01 2288 Record layer message: 2289 type: 14 2290 version: 2291 major: 03 2292 minor: 03 2293 length: 0001 2294 fragment: 01 2296 00000: 14 03 03 00 01 01 2298 ---------------------------Client--------------------------- 2299 HASH(HM): 2300 00000: F7 90 79 19 83 24 FD 49 8D FE A7 10 56 46 DE 41 2301 00010: DA 87 DC 0B 0A 91 71 A2 F9 7C 65 E7 EA DA 48 92 2303 client_verify_data: 2304 00000: C5 D6 43 59 6D 0D BC C5 39 22 D6 3C A2 57 A4 D8 2305 00010: 83 B7 C9 02 7A 61 F4 53 E9 7C 97 1E F9 AB 78 03 2307 ---------------------------Client--------------------------- 2309 Finished message: 2310 msg_type: 14 2311 length: 000020 2312 body: 2313 verify_data: C5D643596D0DBCC53922D63CA257A4D8 2314 83B7C9027A61F453E97C971EF9AB7803 2316 00000: 14 00 00 20 C5 D6 43 59 6D 0D BC C5 39 22 D6 3C 2317 00010: A2 57 A4 D8 83 B7 C9 02 7A 61 F4 53 E9 7C 97 1E 2318 00020: F9 AB 78 03 2320 Record layer message: 2321 type: 16 2322 version: 2323 major: 03 2324 minor: 03 2325 length: 002C 2326 fragment: 69F034DADA4950821E59013560B9823C 2327 C86AC12516C477C9811ABD6489EBC2AF 2328 F291A308F18250F3938D1742 2330 00000: 16 03 03 00 2C 69 F0 34 DA DA 49 50 82 1E 59 01 2331 00010: 35 60 B9 82 3C C8 6A C1 25 16 C4 77 C9 81 1A BD 2332 00020: 64 89 EB C2 AF F2 91 A3 08 F1 82 50 F3 93 8D 17 2333 00030: 42 2335 ---------------------------Server--------------------------- 2337 ChangeCipherSpec message: 2338 type: 01 2340 00000: 01 2342 Record layer message: 2343 type: 14 2344 version: 2346 major: 03 2347 minor: 03 2348 length: 0001 2349 fragment: 01 2351 00000: 14 03 03 00 01 01 2353 ---------------------------Server--------------------------- 2355 HASH(HM): 2356 00000: 79 58 3A 49 C2 DC 4D DB B4 CA 81 02 60 AE 3A 05 2357 00010: EE 01 E4 F2 2D C2 49 52 4B 28 2E 63 A1 5A FD A1 2359 server_verify_data: 2360 00000: 46 91 5D 21 6B 19 42 E8 8B 0D 78 B8 EB 66 18 84 2361 00010: C3 E8 74 94 AC 48 92 08 46 48 7D A5 8D CF 7C CD 2363 ---------------------------Server--------------------------- 2365 Finished message: 2366 msg_type: 14 2367 length: 000020 2368 body: 2369 verify_data: 46915D216B1942E88B0D78B8EB661884 2370 C3E87494AC48920846487DA58DCF7CCD 2372 00000: 14 00 00 20 46 91 5D 21 6B 19 42 E8 8B 0D 78 B8 2373 00010: EB 66 18 84 C3 E8 74 94 AC 48 92 08 46 48 7D A5 2374 00020: 8D CF 7C CD 2376 Record layer message: 2377 type: 16 2378 version: 2379 major: 03 2380 minor: 03 2381 length: 002C 2382 fragment: 4403C9BE3831E9E4BC71BDB3E4F3706D 2383 628DC8FCF87859E572C2236DB091BAC9 2384 EA0FC11A22163195563D7EC2 2386 00000: 16 03 03 00 2C 44 03 C9 BE 38 31 E9 E4 BC 71 BD 2387 00010: B3 E4 F3 70 6D 62 8D C8 FC F8 78 59 E5 72 C2 23 2388 00020: 6D B0 91 BA C9 EA 0F C1 1A 22 16 31 95 56 3D 7E 2389 00030: C2 2390 ---------------------------Client--------------------------- 2392 Application data: 2393 00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2394 00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2396 Record layer message: 2397 type: 17 2398 version: 2399 major: 03 2400 minor: 03 2401 length: 0028 2402 fragment: E2F569C4F3495C6B77C94FB94BE4FE9B 2403 D94832077D05BFF0F5A4A2E667F727EF 2404 8C3CFDE990FD741D 2405 00000: 17 03 03 00 28 E2 F5 69 C4 F3 49 5C 6B 77 C9 4F 2406 00010: B9 4B E4 FE 9B D9 48 32 07 7D 05 BF F0 F5 A4 A2 2407 00020: E6 67 F7 27 EF 8C 3C FD E9 90 FD 74 1D 2409 ---------------------------Server--------------------------- 2411 Application data: 2412 00000: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 2413 00010: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 2415 Record layer message: 2416 type: 17 2417 version: 2418 major: 03 2419 minor: 03 2420 length: 0028 2421 fragment: EB8458C2C5F1EBF2E81C6550F88C4978 2422 5F90566E2E1EF46741CF4F9FB6D0B5EB 2423 8E98BEDB8AFB31CD 2425 00000: 17 03 03 00 28 EB 84 58 C2 C5 F1 EB F2 E8 1C 65 2426 00010: 50 F8 8C 49 78 5F 90 56 6E 2E 1E F4 67 41 CF 4F 2427 00020: 9F B6 D0 B5 EB 8E 98 BE DB 8A FB 31 CD 2429 ---------------------------Client--------------------------- 2431 close_notify alert: 2432 Alert: 2433 level: 01 2434 description: 00 2436 00000: 01 00 2438 Record layer message: 2439 type: 15 2440 version: 2441 major: 03 2442 minor: 03 2443 length: 000A 2444 fragment: D6B17B5D426B0C7FE629 2446 00000: 15 03 03 00 0A D6 B1 7B 5D 42 6B 0C 7F E6 29 2448 ---------------------------Server--------------------------- 2450 close_notify alert: 2451 Alert: 2452 level: 01 2453 description: 00 2455 00000: 01 00 2457 Record layer message: 2458 type: 15 2459 version: 2460 major: 03 2461 minor: 03 2462 length: 000A 2463 fragment: E20498CC0DFA0D8EC6B5 2465 00000: 15 03 03 00 0A E2 04 98 CC 0D FA 0D 8E C6 B5 2467 A.1.3.2. TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC ciphersuite 2469 Server certificate curve OID: 2470 id-tc26-gost-3410-2012-512-paramSetC, "1.2.643.7.1.2.1.2.3" 2472 Server public key Q_s: 2473 x = 0xF14589DA479AD972C66563669B3FF580 2474 92E6A30A288BF447CD9FF6C3133E9724 2475 7A9706B267703C9B4E239F0D7C7E3310 2476 C22D2752B35BD2E4FD39B8F11DEB833A 2478 y = 0xF305E95B36502D4E60A1059FB20AB30B 2479 FC7C95727F3A2C04B1DFDDB53B0413F2 2480 99F2DFE66A5E1CCB4101A7A01D612BE6 2481 BD78E1E3B3D567EBB16ABE587A11F4EA 2483 Server private key d_s: 2484 0x12FD7A70067479A0F66C59F9A25534AD 2485 FBC7ABFD3CC72D79806F8B402601644B 2486 3005ED365A2D8989A8CCAE640D5FC08D 2487 D27DFBBFE137CF528E1AC6D445192E01 2489 Client certificate curve OID: 2490 id-tc26-gost-3410-2012-256-paramSetA, "1.2.643.7.1.2.1.1.1" 2492 Client public key Q_c: 2493 x = 0x0F5DB18A9E15F324B778676025BFD7B5 2494 DF066566EABAA1C51CD879F87B0B4975 2496 y = 0x9EE5BBF18361F842D3F087DEC2943939 2497 E0FA2BFB4EDEC25A8D10ABB22C48F386 2499 Client private key d_c: 2500 0x0918AD3F7D209ABF89F1E8505DA894CE 2501 E10DA09D32E72E815D9C0ADA30B5A103 2503 ---------------------------Client--------------------------- 2505 ClientHello message: 2506 msg_type: 01 2507 length: 000040 2508 body: 2509 client_version: 2510 major: 03 2511 minor: 03 2512 random: 933EA21EC3802A561550EC78D6ED51AC 2513 2439D7E749C31BC3A3456165889684CA 2514 session_id: 2515 length: 00 2516 vector: -- 2517 cipher_suites: 2518 length: 0004 2519 vector: 2520 CipherSuite: FF88 2521 CipherSuite: FF89 2522 compression_methods: 2523 length: 01 2524 vector: 2526 CompressionMethod: 00 2527 extensions: 2528 length: 0013 2529 vector: 2530 Extension: /* signature_algorithms */ 2531 extension_type: 000D 2532 extension_data: 2533 length: 0006 2534 vector: 2535 supported_signature_algorithms: 2536 length: 0004 2537 vector: 2538 /* 1 pair of algorithms */ 2539 hash: EE 2540 signature: 2541 EE 2542 /* 2 pair of algorithms */ 2543 hash: EF 2544 signature: 2545 EF 2546 Extension: /* renegotiation_info */ 2547 extension_type: FF01 2548 extension_data: 2549 length: 0001 2550 vector: 2551 renegotiated_connection: 2552 length: 00 2553 vector: -- 2554 Extension: /* extended_master_secret */ 2555 extension_type: 0017 2556 extension_data: 2557 length: 0000 2558 vector: -- 2560 00000: 01 00 00 40 03 03 93 3E A2 1E C3 80 2A 56 15 50 2561 00010: EC 78 D6 ED 51 AC 24 39 D7 E7 49 C3 1B C3 A3 45 2562 00020: 61 65 88 96 84 CA 00 00 04 FF 88 FF 89 01 00 00 2563 00030: 13 00 0D 00 06 00 04 EE EE EF EF FF 01 00 01 00 2564 00040: 00 17 00 00 2566 Record layer message: 2567 type: 16 2568 version: 2569 major: 03 2570 minor: 03 2571 length: 0044 2572 fragment: 010000400303933EA21EC3802A561550 2573 EC78D6ED51AC2439D7E749C31BC3A345 2574 6165889684CA000004FF88FF89010000 2575 13000D00060004EEEEEFEFFF01000100 2576 00170000 2578 00000: 16 03 03 00 44 01 00 00 40 03 03 93 3E A2 1E C3 2579 00010: 80 2A 56 15 50 EC 78 D6 ED 51 AC 24 39 D7 E7 49 2580 00020: C3 1B C3 A3 45 61 65 88 96 84 CA 00 00 04 FF 88 2581 00030: FF 89 01 00 00 13 00 0D 00 06 00 04 EE EE EF EF 2582 00040: FF 01 00 01 00 00 17 00 00 2584 ---------------------------Server--------------------------- 2586 ServerHello message: 2587 msg_type: 02 2588 length: 000041 2589 body: 2590 server_version: 2591 major: 03 2592 minor: 03 2593 random: 933EA21E49C31BC3A3456165889684CA 2594 A5576CE7924A24F58113808DBD9EF856 2595 session_id: 2596 length: 10 2597 vector: C3802A561550EC78D6ED51AC2439D7E7 2598 cipher_suite: 2599 CipherSuite: FF89 2600 compression_method: 2601 CompressionMethod: 00 2602 extensions: 2603 length: 0009 2604 vector: 2605 Extension: /* renegotiation_info */ 2606 extension_type: FF01 2607 extension_data: 2608 length: 0001 2609 vector: 2610 renegotiated_connection: 2611 length: 00 2612 vector: -- 2613 Extension: /* extended_master_secret */ 2614 extension_type: 0017 2615 extension_data: 2616 length: 0000 2617 vector: -- 2619 00000: 02 00 00 41 03 03 93 3E A2 1E 49 C3 1B C3 A3 45 2620 00010: 61 65 88 96 84 CA A5 57 6C E7 92 4A 24 F5 81 13 2621 00020: 80 8D BD 9E F8 56 10 C3 80 2A 56 15 50 EC 78 D6 2622 00030: ED 51 AC 24 39 D7 E7 FF 89 00 00 09 FF 01 00 01 2623 00040: 00 00 17 00 00 2625 Record layer message: 2626 type: 16 2627 version: 2628 major: 03 2629 minor: 03 2630 length: 0045 2631 fragment: 020000410303933EA21E49C31BC3A345 2632 6165889684CAA5576CE7924A24F58113 2633 808DBD9EF85610C3802A561550EC78D6 2634 ED51AC2439D7E7FF89000009FF010001 2635 0000170000 2637 00000: 16 03 03 00 45 02 00 00 41 03 03 93 3E A2 1E 49 2638 00010: C3 1B C3 A3 45 61 65 88 96 84 CA A5 57 6C E7 92 2639 00020: 4A 24 F5 81 13 80 8D BD 9E F8 56 10 C3 80 2A 56 2640 00030: 15 50 EC 78 D6 ED 51 AC 24 39 D7 E7 FF 89 00 00 2641 00040: 09 FF 01 00 01 00 00 17 00 00 2643 ---------------------------Server--------------------------- 2645 Certificate message: 2646 msg_type: 0B 2647 length: 00024C 2648 body: 2649 certificate_list: 2650 length: 000249 2651 vector: 2652 ASN.1Cert: 2653 length: 000246 2654 vector: 30820242308201AEA003020102020101 2655 300A06082A850307010103033042312C 2656 302A06092A864886F70D010901161D74 2657 . . . 2658 371AF83C5BC58B366DFEFA7345D50317 2659 867C177AC84AC07EE8612164629AB7BD 2660 C48AA0F64A741FE7298E82C5BFCE8672 2661 029F875391F7 2663 00000: 0B 00 02 4C 00 02 49 00 02 46 30 82 02 42 30 82 2664 00010: 01 AE A0 03 02 01 02 02 01 01 30 0A 06 08 2A 85 2665 00020: 03 07 01 01 03 03 30 42 31 2C 30 2A 06 09 2A 86 2666 00030: 48 86 F7 0D 01 09 01 16 1D 74 6C 73 31 32 5F 73 2667 00040: 65 72 76 65 72 35 31 32 43 40 63 72 79 70 74 6F 2668 00050: 70 72 6F 2E 72 75 31 12 30 10 06 03 55 04 03 13 2669 00060: 09 53 65 72 76 65 72 35 31 32 30 1E 17 0D 31 37 2670 00070: 30 35 32 35 30 39 32 35 31 38 5A 17 0D 33 30 30 2671 00080: 35 30 31 30 39 32 35 31 38 5A 30 42 31 2C 30 2A 2672 00090: 06 09 2A 86 48 86 F7 0D 01 09 01 16 1D 74 6C 73 2673 000A0: 31 32 5F 73 65 72 76 65 72 35 31 32 43 40 63 72 2674 000B0: 79 70 74 6F 70 72 6F 2E 72 75 31 12 30 10 06 03 2675 000C0: 55 04 03 13 09 53 65 72 76 65 72 35 31 32 30 81 2676 000D0: AA 30 21 06 08 2A 85 03 07 01 01 01 02 30 15 06 2677 000E0: 09 2A 85 03 07 01 02 01 02 03 06 08 2A 85 03 07 2678 000F0: 01 01 02 03 03 81 84 00 04 81 80 3A 83 EB 1D F1 2679 00100: B8 39 FD E4 D2 5B B3 52 27 2D C2 10 33 7E 7C 0D 2680 00110: 9F 23 4E 9B 3C 70 67 B2 06 97 7A 24 97 3E 13 C3 2681 00120: F6 9F CD 47 F4 8B 28 0A A3 E6 92 80 F5 3F 9B 66 2682 00130: 63 65 C6 72 D9 9A 47 DA 89 45 F1 EA F4 11 7A 58 2683 00140: BE 6A B1 EB 67 D5 B3 E3 E1 78 BD E6 2B 61 1D A0 2684 00150: A7 01 41 CB 1C 5E 6A E6 DF F2 99 F2 13 04 3B B5 2685 00160: DD DF B1 04 2C 3A 7F 72 95 7C FC 0B B3 0A B2 9F 2686 00170: 05 A1 60 4E 2D 50 36 5B E9 05 F3 A3 43 30 41 30 2687 00180: 1D 06 03 55 1D 0E 04 16 04 14 87 9C C6 5A 0F 4A 2688 00190: 89 CB 4A 58 49 DF 05 61 56 9B AA DC 11 69 30 0B 2689 001A0: 06 03 55 1D 0F 04 04 03 02 03 28 30 13 06 03 55 2690 001B0: 1D 25 04 0C 30 0A 06 08 2B 06 01 05 05 07 03 01 2691 001C0: 30 0A 06 08 2A 85 03 07 01 01 03 03 03 81 81 00 2692 001D0: 35 BE 38 51 EC B6 E9 2D 32 40 01 81 0F 8C 89 03 2693 001E0: 52 42 F4 05 46 9F 4C 4E CB 05 02 7C 57 E2 71 52 2694 001F0: 12 AF D7 CD BB 0C ED 7A 8B 4D 33 42 CC 50 1A BD 2695 00200: 99 99 75 A5 8A DE 0E 58 4F CA 35 F5 2E 45 58 B7 2696 00210: 31 1D 49 D0 A0 51 32 79 F7 39 37 1A F8 3C 5B C5 2697 00220: 8B 36 6D FE FA 73 45 D5 03 17 86 7C 17 7A C8 4A 2698 00230: C0 7E E8 61 21 64 62 9A B7 BD C4 8A A0 F6 4A 74 2699 00240: 1F E7 29 8E 82 C5 BF CE 86 72 02 9F 87 53 91 F7 2701 Record layer message: 2702 type: 16 2703 version: 2704 major: 03 2705 minor: 03 2706 length: 0250 2707 fragment: 0B00024C000249000246308202423082 2708 01AEA003020102020101300A06082A85 2709 0307010103033042312C302A06092A86 2710 . . . 2711 8B366DFEFA7345D50317867C177AC84A 2712 C07EE8612164629AB7BDC48AA0F64A74 2713 1FE7298E82C5BFCE8672029F875391F7 2715 00000: 16 03 03 02 50 0B 00 02 4C 00 02 49 00 02 46 30 2716 00010: 82 02 42 30 82 01 AE A0 03 02 01 02 02 01 01 30 2717 00020: 0A 06 08 2A 85 03 07 01 01 03 03 30 42 31 2C 30 2718 00030: 2A 06 09 2A 86 48 86 F7 0D 01 09 01 16 1D 74 6C 2719 00040: 73 31 32 5F 73 65 72 76 65 72 35 31 32 43 40 63 2720 00050: 72 79 70 74 6F 70 72 6F 2E 72 75 31 12 30 10 06 2721 00060: 03 55 04 03 13 09 53 65 72 76 65 72 35 31 32 30 2722 00070: 1E 17 0D 31 37 30 35 32 35 30 39 32 35 31 38 5A 2723 00080: 17 0D 33 30 30 35 30 31 30 39 32 35 31 38 5A 30 2724 00090: 42 31 2C 30 2A 06 09 2A 86 48 86 F7 0D 01 09 01 2725 000A0: 16 1D 74 6C 73 31 32 5F 73 65 72 76 65 72 35 31 2726 000B0: 32 43 40 63 72 79 70 74 6F 70 72 6F 2E 72 75 31 2727 000C0: 12 30 10 06 03 55 04 03 13 09 53 65 72 76 65 72 2728 000D0: 35 31 32 30 81 AA 30 21 06 08 2A 85 03 07 01 01 2729 000E0: 01 02 30 15 06 09 2A 85 03 07 01 02 01 02 03 06 2730 000F0: 08 2A 85 03 07 01 01 02 03 03 81 84 00 04 81 80 2731 00100: 3A 83 EB 1D F1 B8 39 FD E4 D2 5B B3 52 27 2D C2 2732 00110: 10 33 7E 7C 0D 9F 23 4E 9B 3C 70 67 B2 06 97 7A 2733 00120: 24 97 3E 13 C3 F6 9F CD 47 F4 8B 28 0A A3 E6 92 2734 00130: 80 F5 3F 9B 66 63 65 C6 72 D9 9A 47 DA 89 45 F1 2735 00140: EA F4 11 7A 58 BE 6A B1 EB 67 D5 B3 E3 E1 78 BD 2736 00150: E6 2B 61 1D A0 A7 01 41 CB 1C 5E 6A E6 DF F2 99 2737 00160: F2 13 04 3B B5 DD DF B1 04 2C 3A 7F 72 95 7C FC 2738 00170: 0B B3 0A B2 9F 05 A1 60 4E 2D 50 36 5B E9 05 F3 2739 00180: A3 43 30 41 30 1D 06 03 55 1D 0E 04 16 04 14 87 2740 00190: 9C C6 5A 0F 4A 89 CB 4A 58 49 DF 05 61 56 9B AA 2741 001A0: DC 11 69 30 0B 06 03 55 1D 0F 04 04 03 02 03 28 2742 001B0: 30 13 06 03 55 1D 25 04 0C 30 0A 06 08 2B 06 01 2743 001C0: 05 05 07 03 01 30 0A 06 08 2A 85 03 07 01 01 03 2744 001D0: 03 03 81 81 00 35 BE 38 51 EC B6 E9 2D 32 40 01 2745 001E0: 81 0F 8C 89 03 52 42 F4 05 46 9F 4C 4E CB 05 02 2746 001F0: 7C 57 E2 71 52 12 AF D7 CD BB 0C ED 7A 8B 4D 33 2747 00200: 42 CC 50 1A BD 99 99 75 A5 8A DE 0E 58 4F CA 35 2748 00210: F5 2E 45 58 B7 31 1D 49 D0 A0 51 32 79 F7 39 37 2749 00220: 1A F8 3C 5B C5 8B 36 6D FE FA 73 45 D5 03 17 86 2750 00230: 7C 17 7A C8 4A C0 7E E8 61 21 64 62 9A B7 BD C4 2751 00240: 8A A0 F6 4A 74 1F E7 29 8E 82 C5 BF CE 86 72 02 2752 00250: 9F 87 53 91 F7 2754 ---------------------------Server--------------------------- 2756 CertificateRequest message: 2757 msg_type: 0D 2758 length: 00000B 2759 body: 2760 certificate_types: 2761 length: 02 2762 vector: 2764 /* gostr34102012_256 */ 2765 EE 2766 /* gostr34102012_512 */ 2767 EF 2768 supported_signature_algorithms: 2769 length: 0004 2770 vector: 2771 /* 1 pair of algorithms */ 2772 hash: EE 2773 signature: EE 2774 /* 2 pair of algorithms */ 2775 hash: EF 2776 signature: EF 2777 certificate_authorities: 2778 length: 0000 2779 vector: -- 2781 00000: 0D 00 00 0B 02 EE EF 00 04 EE EE EF EF 00 00 2783 Record layer message: 2784 type: 16 2785 version: 2786 major: 03 2787 minor: 03 2788 length: 000F 2789 fragment: 0D00000B02EEEF0004EEEEEFEF0000 2791 00000: 16 03 03 00 0F 0D 00 00 0B 02 EE EF 00 04 EE EE 2792 00010: EF EF 00 00 2794 ---------------------------Server--------------------------- 2796 ServerHelloDone message: 2797 msg_type: 0E 2798 length: 000000 2799 body: -- 2801 00000: 0E 00 00 00 2803 Record layer message: 2804 type: 16 2805 version: 2806 major: 03 2807 minor: 03 2808 length: 0004 2809 fragment: 0E000000 2810 00000: 16 03 03 00 04 0E 00 00 00 2812 ---------------------------Client--------------------------- 2814 Certificate message: 2815 msg_type: 0B 2816 length: 0001EA 2817 body: 2818 certificate_list: 2819 length: 0001E7 2820 vector: 2821 ASN.1Cert: 2822 length: 0001E4 2823 vector: 308201E03082018DA003020102020101 2824 300A06082A850307010103023053312E 2825 302C06092A864886F70D010901161F74 2826 . . . 2827 C1CAB43AC01AFB0F3451BDC2DB188BBC 2828 B77884251CDF6037BA830F4B31D5E96F 2829 DC9BC1C95ABE658266C48402E070DE1F 2830 292724E8 2832 00000: 0B 00 01 EA 00 01 E7 00 01 E4 30 82 01 E0 30 82 2833 00010: 01 8D A0 03 02 01 02 02 01 01 30 0A 06 08 2A 85 2834 00020: 03 07 01 01 03 02 30 53 31 2E 30 2C 06 09 2A 86 2835 00030: 48 86 F7 0D 01 09 01 16 1F 74 6C 73 31 32 5F 63 2836 00040: 6C 69 65 6E 74 32 35 36 41 5F 45 40 63 72 79 70 2837 00050: 74 6F 70 72 6F 2E 72 75 31 21 30 1F 06 03 55 04 2838 00060: 03 1E 18 00 43 00 6C 00 69 00 65 00 6E 00 74 00 2839 00070: 32 00 35 00 36 00 41 00 5F 00 45 30 1E 17 0D 31 2840 00080: 37 30 35 32 35 30 39 33 31 31 38 5A 17 0D 33 30 2841 00090: 30 35 30 31 30 39 33 31 31 38 5A 30 53 31 2E 30 2842 000A0: 2C 06 09 2A 86 48 86 F7 0D 01 09 01 16 1F 74 6C 2843 000B0: 73 31 32 5F 63 6C 69 65 6E 74 32 35 36 41 5F 45 2844 000C0: 40 63 72 79 70 74 6F 70 72 6F 2E 72 75 31 21 30 2845 000D0: 1F 06 03 55 04 03 1E 18 00 43 00 6C 00 69 00 65 2846 000E0: 00 6E 00 74 00 32 00 35 00 36 00 41 00 5F 00 45 2847 000F0: 30 68 30 21 06 08 2A 85 03 07 01 01 01 01 30 15 2848 00100: 06 09 2A 85 03 07 01 02 01 01 01 06 08 2A 85 03 2849 00110: 07 01 01 02 02 03 43 00 04 40 75 49 0B 7B F8 79 2850 00120: D8 1C C5 A1 BA EA 66 65 06 DF B5 D7 BF 25 60 67 2851 00130: 78 B7 24 F3 15 9E 8A B1 5D 0F 86 F3 48 2C B2 AB 2852 00140: 10 8D 5A C2 DE 4E FB 2B FA E0 39 39 94 C2 DE 87 2853 00150: F0 D3 42 F8 61 83 F1 BB E5 9E A3 43 30 41 30 1D 2854 00160: 06 03 55 1D 0E 04 16 04 14 74 49 1E 77 30 D3 42 2855 00170: A6 28 0E 72 A1 13 9D D9 90 8B FA F1 03 30 0B 06 2856 00180: 03 55 1D 0F 04 04 03 02 07 80 30 13 06 03 55 1D 2857 00190: 25 04 0C 30 0A 06 08 2B 06 01 05 05 07 03 02 30 2858 001A0: 0A 06 08 2A 85 03 07 01 01 03 02 03 41 00 1C 2D 2859 001B0: 35 22 B4 11 02 D6 20 1F 23 50 C1 CA B4 3A C0 1A 2860 001C0: FB 0F 34 51 BD C2 DB 18 8B BC B7 78 84 25 1C DF 2861 001D0: 60 37 BA 83 0F 4B 31 D5 E9 6F DC 9B C1 C9 5A BE 2862 001E0: 65 82 66 C4 84 02 E0 70 DE 1F 29 27 24 E8 2864 Record layer message: 2865 type: 16 2866 version: 2867 major: 03 2868 minor: 03 2869 length: 01EE 2870 fragment: 0B0001EA0001E70001E4308201E03082 2871 018DA003020102020101300A06082A85 2872 0307010103023053312E302C06092A86 2873 . . . 2874 3522B41102D6201F2350C1CAB43AC01A 2875 FB0F3451BDC2DB188BBCB77884251CDF 2876 6037BA830F4B31D5E96FDC9BC1C95ABE 2877 658266C48402E070DE1F292724E8 2879 00000: 16 03 03 01 EE 0B 00 01 EA 00 01 E7 00 01 E4 30 2880 00010: 82 01 E0 30 82 01 8D A0 03 02 01 02 02 01 01 30 2881 00020: 0A 06 08 2A 85 03 07 01 01 03 02 30 53 31 2E 30 2882 00030: 2C 06 09 2A 86 48 86 F7 0D 01 09 01 16 1F 74 6C 2883 00040: 73 31 32 5F 63 6C 69 65 6E 74 32 35 36 41 5F 45 2884 00050: 40 63 72 79 70 74 6F 70 72 6F 2E 72 75 31 21 30 2885 00060: 1F 06 03 55 04 03 1E 18 00 43 00 6C 00 69 00 65 2886 00070: 00 6E 00 74 00 32 00 35 00 36 00 41 00 5F 00 45 2887 00080: 30 1E 17 0D 31 37 30 35 32 35 30 39 33 31 31 38 2888 00090: 5A 17 0D 33 30 30 35 30 31 30 39 33 31 31 38 5A 2889 000A0: 30 53 31 2E 30 2C 06 09 2A 86 48 86 F7 0D 01 09 2890 000B0: 01 16 1F 74 6C 73 31 32 5F 63 6C 69 65 6E 74 32 2891 000C0: 35 36 41 5F 45 40 63 72 79 70 74 6F 70 72 6F 2E 2892 000D0: 72 75 31 21 30 1F 06 03 55 04 03 1E 18 00 43 00 2893 000E0: 6C 00 69 00 65 00 6E 00 74 00 32 00 35 00 36 00 2894 000F0: 41 00 5F 00 45 30 68 30 21 06 08 2A 85 03 07 01 2895 00100: 01 01 01 30 15 06 09 2A 85 03 07 01 02 01 01 01 2896 00110: 06 08 2A 85 03 07 01 01 02 02 03 43 00 04 40 75 2897 00120: 49 0B 7B F8 79 D8 1C C5 A1 BA EA 66 65 06 DF B5 2898 00130: D7 BF 25 60 67 78 B7 24 F3 15 9E 8A B1 5D 0F 86 2899 00140: F3 48 2C B2 AB 10 8D 5A C2 DE 4E FB 2B FA E0 39 2900 00150: 39 94 C2 DE 87 F0 D3 42 F8 61 83 F1 BB E5 9E A3 2901 00160: 43 30 41 30 1D 06 03 55 1D 0E 04 16 04 14 74 49 2902 00170: 1E 77 30 D3 42 A6 28 0E 72 A1 13 9D D9 90 8B FA 2903 00180: F1 03 30 0B 06 03 55 1D 0F 04 04 03 02 07 80 30 2904 00190: 13 06 03 55 1D 25 04 0C 30 0A 06 08 2B 06 01 05 2905 001A0: 05 07 03 02 30 0A 06 08 2A 85 03 07 01 01 03 02 2906 001B0: 03 41 00 1C 2D 35 22 B4 11 02 D6 20 1F 23 50 C1 2907 001C0: CA B4 3A C0 1A FB 0F 34 51 BD C2 DB 18 8B BC B7 2908 001D0: 78 84 25 1C DF 60 37 BA 83 0F 4B 31 D5 E9 6F DC 2909 001E0: 9B C1 C9 5A BE 65 82 66 C4 84 02 E0 70 DE 1F 29 2910 001F0: 27 24 E8 2912 ---------------------------Client--------------------------- 2914 PMS value: 2915 00000: A5 57 6C E7 92 4A 24 F5 81 13 80 8D BD 9E F8 56 2916 00010: F5 BD C3 B1 83 CE 5D AD CA 36 A5 3A A0 77 65 1D 2918 Random d_eph value: 2919 0x150ACD11B66DD695AD18418FA7A2DC63 2920 6B7E29DCA24536AABC826EE3175BB1FA 2921 DC3AA0D01D3092E120B0FCF7EB872F4B 2922 7E26EA17849D689222A48CF95A6E4831 2924 Q_eph ephemeral key: 2925 x = 0xC941BE5193189B476D5A0334114A3E04 2926 BBE5B37C738AE40F150B334135288664 2927 FEBFC5622818894A07B1F7AD60E28480 2928 B4B637B90EA7D4BA980186B605D75BC6 2930 y = 0xA154F7B93E8148652011F4FD52C9A06A 2931 6471ADB28D0A949AE26BC786DE874153 2932 ABC00B35164F3214A8A83C00ECE27831 2933 B093528456234EFE766224FC2A7E9ABE 2935 HASH (r_c | r_s): 2936 00000: C3 EF 04 28 D4 B7 A1 F4 C5 02 5F 2E 65 DD 2B 2E 2937 00010: A5 83 AE EF DB 67 C7 F4 21 4A 6A 29 8E 99 E3 25 2939 Export key generation. r value: 2940 0xC3EF0428D4B7A1F4C5025F2E65DD2B2E 2942 Export key generation. UKM value: 2943 0xC3EF0428D4B7A1F4C5025F2E65DD2B2E 2945 Export keys K_Exp_MAC | K_Exp_ENC used in KExp15 algorithm: 2946 00000: 7D AC 56 E4 8A 4D C1 70 FA A8 FC BA E2 0D B8 45 2947 00010: 45 0C CC C4 C6 32 8B DC 8D 01 15 7C EF A2 A5 F1 2948 00020: 1F 1C BA D8 86 61 66 F0 1F FA AB 01 52 E2 4B F4 2949 00030: 60 9D 5F 46 A5 C8 99 C7 87 90 0D 08 B9 FC AD 24 2951 IV: 2953 00000: 21 4A 6A 29 8E 99 E3 25 2955 PMSEXP: 2956 00000: 25 0D 1B 67 A2 70 AB 04 D3 F6 54 18 E1 D3 80 B4 2957 00010: CB 94 5F 0A 3D CA 51 50 0C F3 A1 BE F3 7F 76 C0 2958 00020: 73 41 A9 83 9C CF 6C BA 71 89 DA 61 EB 67 17 6C 2960 ---------------------------Client--------------------------- 2962 ClientKeyExchange message: 2963 msg_type: 10 2964 length: 0000E2 2965 body: 2966 exchange_keys: 3081DF0430250D1B67A270AB04D3F654 2967 18E1D380B4CB945F0A3DCA51500CF3A1 2968 BEF37F76C07341A9839CCF6CBA7189DA 2969 . . . 2970 93B03178E2EC003CA8A814324F16350B 2971 C0AB534187DE86C76BE29A940A8DB2AD 2972 71646AA0C952FDF411206548813EB9F7 2973 54A1 2975 00000: 10 00 00 E2 30 81 DF 04 30 25 0D 1B 67 A2 70 AB 2976 00010: 04 D3 F6 54 18 E1 D3 80 B4 CB 94 5F 0A 3D CA 51 2977 00020: 50 0C F3 A1 BE F3 7F 76 C0 73 41 A9 83 9C CF 6C 2978 00030: BA 71 89 DA 61 EB 67 17 6C 30 81 AA 30 21 06 08 2979 00040: 2A 85 03 07 01 01 01 02 30 15 06 09 2A 85 03 07 2980 00050: 01 02 01 02 03 06 08 2A 85 03 07 01 01 02 03 03 2981 00060: 81 84 00 04 81 80 C6 5B D7 05 B6 86 01 98 BA D4 2982 00070: A7 0E B9 37 B6 B4 80 84 E2 60 AD F7 B1 07 4A 89 2983 00080: 18 28 62 C5 BF FE 64 86 28 35 41 33 0B 15 0F E4 2984 00090: 8A 73 7C B3 E5 BB 04 3E 4A 11 34 03 5A 6D 47 9B 2985 000A0: 18 93 51 BE 41 C9 BE 9A 7E 2A FC 24 62 76 FE 4E 2986 000B0: 23 56 84 52 93 B0 31 78 E2 EC 00 3C A8 A8 14 32 2987 000C0: 4F 16 35 0B C0 AB 53 41 87 DE 86 C7 6B E2 9A 94 2988 000D0: 0A 8D B2 AD 71 64 6A A0 C9 52 FD F4 11 20 65 48 2989 000E0: 81 3E B9 F7 54 A1 2991 Record layer message: 2992 type: 16 2993 version: 2994 major: 03 2995 minor: 03 2996 length: 00E6 2997 fragment: 100000E23081DF0430250D1B67A270AB 2998 04D3F65418E1D380B4CB945F0A3DCA51 2999 500CF3A1BEF37F76C07341A9839CCF6C 3000 . . . 3001 2356845293B03178E2EC003CA8A81432 3002 4F16350BC0AB534187DE86C76BE29A94 3003 0A8DB2AD71646AA0C952FDF411206548 3004 813EB9F754A1 3006 00000: 16 03 03 00 E6 10 00 00 E2 30 81 DF 04 30 25 0D 3007 00010: 1B 67 A2 70 AB 04 D3 F6 54 18 E1 D3 80 B4 CB 94 3008 00020: 5F 0A 3D CA 51 50 0C F3 A1 BE F3 7F 76 C0 73 41 3009 00030: A9 83 9C CF 6C BA 71 89 DA 61 EB 67 17 6C 30 81 3010 00040: AA 30 21 06 08 2A 85 03 07 01 01 01 02 30 15 06 3011 00050: 09 2A 85 03 07 01 02 01 02 03 06 08 2A 85 03 07 3012 00060: 01 01 02 03 03 81 84 00 04 81 80 C6 5B D7 05 B6 3013 00070: 86 01 98 BA D4 A7 0E B9 37 B6 B4 80 84 E2 60 AD 3014 00080: F7 B1 07 4A 89 18 28 62 C5 BF FE 64 86 28 35 41 3015 00090: 33 0B 15 0F E4 8A 73 7C B3 E5 BB 04 3E 4A 11 34 3016 000A0: 03 5A 6D 47 9B 18 93 51 BE 41 C9 BE 9A 7E 2A FC 3017 000B0: 24 62 76 FE 4E 23 56 84 52 93 B0 31 78 E2 EC 00 3018 000C0: 3C A8 A8 14 32 4F 16 35 0B C0 AB 53 41 87 DE 86 3019 000D0: C7 6B E2 9A 94 0A 8D B2 AD 71 64 6A A0 C9 52 FD 3020 000E0: F4 11 20 65 48 81 3E B9 F7 54 A1 3022 ---------------------------Server--------------------------- 3024 PMSEXP extracted: 3025 00000: 25 0D 1B 67 A2 70 AB 04 D3 F6 54 18 E1 D3 80 B4 3026 00010: CB 94 5F 0A 3D CA 51 50 0C F3 A1 BE F3 7F 76 C0 3027 00020: 73 41 A9 83 9C CF 6C BA 71 89 DA 61 EB 67 17 6C 3029 HASH(r_c | r_s): 3030 00000: C3 EF 04 28 D4 B7 A1 F4 C5 02 5F 2E 65 DD 2B 2E 3031 00010: A5 83 AE EF DB 67 C7 F4 21 4A 6A 29 8E 99 E3 25 3033 Export key generation. r value: 3034 0xC3EF0428D4B7A1F4C5025F2E65DD2B2E 3036 Export key generation. UKM value: 3037 0xC3EF0428D4B7A1F4C5025F2E65DD2B2E 3039 Export keys K_Exp_MAC | K_Exp_ENC used in KImp15 algorithm: 3040 00000: 7D AC 56 E4 8A 4D C1 70 FA A8 FC BA E2 0D B8 45 3041 00010: 45 0C CC C4 C6 32 8B DC 8D 01 15 7C EF A2 A5 F1 3042 00020: 1F 1C BA D8 86 61 66 F0 1F FA AB 01 52 E2 4B F4 3043 00030: 60 9D 5F 46 A5 C8 99 C7 87 90 0D 08 B9 FC AD 24 3045 IV: 3047 00000: 21 4A 6A 29 8E 99 E3 25 3049 PMS: 3050 00000: A5 57 6C E7 92 4A 24 F5 81 13 80 8D BD 9E F8 56 3051 00010: F5 BD C3 B1 83 CE 5D AD CA 36 A5 3A A0 77 65 1D 3053 ---------------------------Client--------------------------- 3055 Random value k used in signature generation: 3056 0x163962EEA268203E7C6B3F70BF8D4A36 3057 34CE6E2CFC424687951D70ACE0B4292A 3059 Signature value sgn_c = SIGN_d_c(HM): 3060 00000: F7 1F 43 62 45 5B C5 5B A8 9A 8F AF 01 82 88 EC 3061 00010: 00 B3 27 17 48 2E 76 24 B2 57 D9 79 7C 8F F6 02 3062 00020: 71 B2 94 AF 3F 2D 07 51 7A F1 48 DA B3 2F E9 45 3063 00030: 94 85 C8 93 63 C2 F9 D8 2B 88 93 52 6A 92 D6 2E 3065 ---------------------------Client--------------------------- 3067 CertificateVerify message: 3068 msg_type: 0F 3069 length: 000044 3070 body: 3071 algorithm: 3072 hash: EE 3073 signature: EE 3074 signature: 3075 length: 0040 3076 vector: F71F4362455BC55BA89A8FAF018288EC 3077 00B32717482E7624B257D9797C8FF602 3078 71B294AF3F2D07517AF148DAB32FE945 3079 9485C89363C2F9D82B8893526A92D62E 3080 00000: 0F 00 00 44 EE EE 00 40 F7 1F 43 62 45 5B C5 5B 3081 00010: A8 9A 8F AF 01 82 88 EC 00 B3 27 17 48 2E 76 24 3082 00020: B2 57 D9 79 7C 8F F6 02 71 B2 94 AF 3F 2D 07 51 3083 00030: 7A F1 48 DA B3 2F E9 45 94 85 C8 93 63 C2 F9 D8 3084 00040: 2B 88 93 52 6A 92 D6 2E 3086 Record layer message: 3087 type: 16 3088 version: 3089 major: 03 3090 minor: 03 3091 length: 0048 3092 fragment: 0F000044EEEE0040F71F4362455BC55B 3093 A89A8FAF018288EC00B32717482E7624 3094 B257D9797C8FF60271B294AF3F2D0751 3095 7AF148DAB32FE9459485C89363C2F9D8 3096 2B8893526A92D62E 3098 00000: 16 03 03 00 48 0F 00 00 44 EE EE 00 40 F7 1F 43 3099 00010: 62 45 5B C5 5B A8 9A 8F AF 01 82 88 EC 00 B3 27 3100 00020: 17 48 2E 76 24 B2 57 D9 79 7C 8F F6 02 71 B2 94 3101 00030: AF 3F 2D 07 51 7A F1 48 DA B3 2F E9 45 94 85 C8 3102 00040: 93 63 C2 F9 D8 2B 88 93 52 6A 92 D6 2E 3104 ---------------------------Client--------------------------- 3106 HASH(HM): 3107 00000: A5 71 AD 3C A4 E8 1B 38 69 01 E1 6A 1B E7 F9 38 3108 00010: CC 0A 5C 52 94 F1 34 B4 30 31 F2 40 FA EA 24 D4 3110 MS: 3111 00000: 30 17 37 13 09 D6 91 42 3B B0 E2 C6 F5 5B 9D F7 3112 00010: 85 21 D8 81 11 29 D8 9A 75 D9 85 1C 12 A1 55 DA 3113 00020: CA 1C EC 8F F2 62 81 8D 46 F9 7D CC 1E 46 AF 26 3115 Client connection key material 3116 K_write_MAC|K_read_MAC|K_write_ENC|K_read_ENC|IV_write|IV_read: 3117 00000: DC 78 65 3E F5 45 8F 54 02 70 6B 35 AA CC 15 8C 3118 00010: C4 20 8C 51 7D 4F 1F 76 35 AD 7E B0 B5 5D 35 D1 3119 00020: DF DA 05 F6 77 7A B7 24 A3 F5 FC 1D E9 43 64 C4 3120 00030: 10 C9 D3 88 ED 9C 4B 6E CA C6 18 60 6B 23 4A 47 3121 00040: 19 F6 C5 37 3B 2D D7 34 A2 A0 8D 0B 09 47 56 84 3122 00050: B6 88 34 63 70 AA 7B 9E 22 6B 99 1B 7F FE 96 D0 3123 00060: B0 DA EF 30 98 13 85 2C 8E 90 D9 A6 F2 96 EF 84 3124 00070: F5 0F 2A CD 13 BE 46 44 4D BD 5F CA 38 48 EC 74 3125 00080: A3 85 90 95 6E F0 BD 0C BA 36 E9 8A 0E 42 C2 62 3127 ---------------------------Server--------------------------- 3129 HASH(HM): 3130 00000: A5 71 AD 3C A4 E8 1B 38 69 01 E1 6A 1B E7 F9 38 3131 00010: CC 0A 5C 52 94 F1 34 B4 30 31 F2 40 FA EA 24 D4 3133 MS: 3134 00000: 30 17 37 13 09 D6 91 42 3B B0 E2 C6 F5 5B 9D F7 3135 00010: 85 21 D8 81 11 29 D8 9A 75 D9 85 1C 12 A1 55 DA 3136 00020: CA 1C EC 8F F2 62 81 8D 46 F9 7D CC 1E 46 AF 26 3138 Server connection key material 3139 K_read_MAC|K_write_MAC|K_read_ENC|K_write_ENC|IV_read|IV_write: 3140 00000: DC 78 65 3E F5 45 8F 54 02 70 6B 35 AA CC 15 8C 3141 00010: C4 20 8C 51 7D 4F 1F 76 35 AD 7E B0 B5 5D 35 D1 3142 00020: DF DA 05 F6 77 7A B7 24 A3 F5 FC 1D E9 43 64 C4 3143 00030: 10 C9 D3 88 ED 9C 4B 6E CA C6 18 60 6B 23 4A 47 3144 00040: 19 F6 C5 37 3B 2D D7 34 A2 A0 8D 0B 09 47 56 84 3145 00050: B6 88 34 63 70 AA 7B 9E 22 6B 99 1B 7F FE 96 D0 3146 00060: B0 DA EF 30 98 13 85 2C 8E 90 D9 A6 F2 96 EF 84 3147 00070: F5 0F 2A CD 13 BE 46 44 4D BD 5F CA 38 48 EC 74 3148 00080: A3 85 90 95 6E F0 BD 0C BA 36 E9 8A 0E 42 C2 62 3150 ---------------------------Client--------------------------- 3152 ChangeCipherSpec message: 3153 type: 01 3155 00000: 01 3157 Record layer message: 3158 type: 14 3159 version: 3160 major: 03 3161 minor: 03 3162 length: 0001 3163 fragment: 01 3165 00000: 14 03 03 00 01 01 3167 ---------------------------Client--------------------------- 3169 HASH(HM): 3170 00000: A5 71 AD 3C A4 E8 1B 38 69 01 E1 6A 1B E7 F9 38 3171 00010: CC 0A 5C 52 94 F1 34 B4 30 31 F2 40 FA EA 24 D4 3173 client_verify_data: 3174 00000: 5A 96 F3 54 37 5E 7F 05 CC E8 29 63 CB 06 74 DE 3175 00010: B2 E2 DD 50 5F 57 94 7E 2A 92 C5 26 B3 8B 5F BC 3177 ---------------------------Client--------------------------- 3179 Finished message: 3180 msg_type: 14 3181 length: 000020 3182 body: 3183 verify_data: 5A96F354375E7F05CCE82963CB0674DE 3184 B2E2DD505F57947E2A92C526B38B5FBC 3186 00000: 14 00 00 20 5A 96 F3 54 37 5E 7F 05 CC E8 29 63 3187 00010: CB 06 74 DE B2 E2 DD 50 5F 57 94 7E 2A 92 C5 26 3188 00020: B3 8B 5F BC 3190 Record layer message: 3191 type: 16 3192 version: 3193 major: 03 3194 minor: 03 3195 length: 0034 3196 fragment: CA97257884E730D5AC1FB76D6526899B 3197 8840C07A057E1DCBEC3B1D20C7CD7FD4 3198 16BA78B87DC0CD49F9718F87D7C2F81F 3199 27C8BA8B 3201 00000: 16 03 03 00 34 CA 97 25 78 84 E7 30 D5 AC 1F B7 3202 00010: 6D 65 26 89 9B 88 40 C0 7A 05 7E 1D CB EC 3B 1D 3203 00020: 20 C7 CD 7F D4 16 BA 78 B8 7D C0 CD 49 F9 71 8F 3204 00030: 87 D7 C2 F8 1F 27 C8 BA 8B 3206 ---------------------------Server--------------------------- 3208 ChangeCipherSpec message: 3209 type: 01 3211 00000: 01 3213 Record layer message: 3214 type: 14 3215 version: 3216 major: 03 3217 minor: 03 3218 length: 0001 3219 fragment: 01 3221 00000: 14 03 03 00 01 01 3223 ---------------------------Server--------------------------- 3225 HASH(HM): 3226 00000: A1 0A B7 4A DC BC EB DF D3 20 79 3E 5D 3E 90 90 3227 00010: CE 30 E3 AE 93 5F 6F E0 30 01 DB 03 D5 0D 5D 1B 3229 server_verify_data: 3231 00000: A2 03 08 F0 17 39 63 EE DD AE 6E 1E 12 76 8F A3 3232 00010: 91 C8 4E B5 48 41 C3 7B DB A3 2D 27 5A 17 88 66 3234 ---------------------------Server--------------------------- 3236 Finished message: 3237 msg_type: 14 3238 length: 000020 3239 body: 3240 verify_data: A20308F0173963EEDDAE6E1E12768FA3 3241 91C84EB54841C37BDBA32D275A178866 3243 00000: 14 00 00 20 A2 03 08 F0 17 39 63 EE DD AE 6E 1E 3244 00010: 12 76 8F A3 91 C8 4E B5 48 41 C3 7B DB A3 2D 27 3245 00020: 5A 17 88 66 3247 Record layer message: 3248 type: 16 3249 version: 3250 major: 03 3251 minor: 03 3252 length: 0034 3253 fragment: F3DBAB6EA0562B3F71A879D3D6750FDA 3254 269DA9A8FF8686C8E229D8F542500743 3255 B44A13BA7737325AC0E617AA5BFFA4A4 3256 E48FA7E8 3258 00000: 16 03 03 00 34 F3 DB AB 6E A0 56 2B 3F 71 A8 79 3259 00010: D3 D6 75 0F DA 26 9D A9 A8 FF 86 86 C8 E2 29 D8 3260 00020: F5 42 50 07 43 B4 4A 13 BA 77 37 32 5A C0 E6 17 3261 00030: AA 5B FF A4 A4 E4 8F A7 E8 3263 ---------------------------Client--------------------------- 3265 Application data: 3266 00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3267 00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3269 Record layer message: 3270 type: 17 3271 version: 3272 major: 03 3273 minor: 03 3274 length: 0030 3275 fragment: E01DFE3155F02E164284F359D3E811BB 3276 CEAA9F24EA9BCEB26C1D1DA80996F72A 3277 9D097430398FE2A414BE9B97C8603E97 3279 00000: 17 03 03 00 30 E0 1D FE 31 55 F0 2E 16 42 84 F3 3280 00010: 59 D3 E8 11 BB CE AA 9F 24 EA 9B CE B2 6C 1D 1D 3281 00020: A8 09 96 F7 2A 9D 09 74 30 39 8F E2 A4 14 BE 9B 3282 00030: 97 C8 60 3E 97 3284 ---------------------------Server--------------------------- 3286 Application data: 3287 00000: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 3288 00010: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 3290 Record layer message: 3291 type: 17 3292 version: 3293 major: 03 3294 minor: 03 3295 length: 0030 3296 fragment: F7F5A29767A3C0DC2B070A61C97BFB0A 3297 E94BB6126D0DD745C1FB8361C7146AE6 3298 4966244F4D142A724F6E141549BA1201 3300 00000: 17 03 03 00 30 F7 F5 A2 97 67 A3 C0 DC 2B 07 0A 3301 00010: 61 C9 7B FB 0A E9 4B B6 12 6D 0D D7 45 C1 FB 83 3302 00020: 61 C7 14 6A E6 49 66 24 4F 4D 14 2A 72 4F 6E 14 3303 00030: 15 49 BA 12 01 3305 ---------------------------Client--------------------------- 3307 close_notify alert: 3308 Alert: 3309 level: 01 3310 description: 00 3312 00000: 01 00 3314 Record layer message: 3315 type: 15 3316 version: 3317 major: 03 3318 minor: 03 3319 length: 0012 3320 fragment: B9B550F9458C7E0CD60038C979662CAD 3321 EE16 3323 00000: 15 03 03 00 12 B9 B5 50 F9 45 8C 7E 0C D6 00 38 3324 00010: C9 79 66 2C AD EE 16 3326 ---------------------------Server--------------------------- 3328 close_notify alert: 3329 Alert: 3330 level: 01 3331 description: 00 3333 00000: 01 00 3335 Record layer message: 3336 type: 15 3337 version: 3338 major: 03 3339 minor: 03 3340 length: 0012 3341 fragment: 453DF39A53D9A0F33CDDE9F1E0476BA7 3342 F10C 3344 00000: 15 03 03 00 12 45 3D F3 9A 53 D9 A0 F3 3C DD E9 3345 00010: F1 E0 47 6B A7 F1 0C 3347 A.2. Test Examples for CNT_IMIT cipher suites 3349 A.2.1. Record Examples 3351 It is assumed that during Handshake following keys were established: 3353 - MAC key: 3354 00000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 3355 00010: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 3356 - Encryption key: 3357 00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3358 00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3359 - IV: 3360 00000: 00 00 00 00 00 00 00 00 3362 --------------------------------------------------------- 3363 seqnum = 0 3365 Application data: 3366 00000: 00 00 00 00 00 00 00 3367 Plaintext: 3368 00000: 17 03 03 00 07 00 00 00 00 00 00 00 3370 MAC: 3371 00000: 30 01 34 a1 3373 Ciphertext: 3374 00000: 17 03 03 00 0b 86 71 cd bf 3c 1a ae 0f 62 4b 04 3376 --------------------------------------------------------- 3377 seqnum = 1 3379 Application data: 3381 00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3382 00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3383 .... 3384 007f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3386 Plaintext: 3387 00000: 17 03 03 08 00 00 00 00 00 00 00 00 00 00 00 00 3388 00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3389 .... 3390 007f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3391 00804: 00 00 00 00 00 3393 MAC: 3394 00000: f7 c3 8b 8a 3396 Ciphertext: 3397 00000: 17 03 03 08 04 cf aa 0c b4 2f a5 a4 7a 13 3d 73 3398 00010: b9 f2 c0 b0 4f 8c a2 55 52 f8 56 bc be 6a 58 fa 3399 .... 3400 007f0: 3e e2 c7 6f a2 30 a0 44 be 21 dc 8e 1a 96 f9 a8 3401 00804: 88 1f ad 83 45 96 96 84 47 3403 A.2.2. Handshake Examples 3405 client -> server 3407 0000 16 03 03 00 3e 01 00 00 3a 03 03 61 53 80 49 30 3408 0010 e2 cf d2 ac 10 97 5d b1 66 ae 9f df f9 e7 3b 7a 3409 0020 47 68 27 f0 6e 37 10 e9 24 5a 3c 00 00 02 ff 85 3410 0030 01 00 00 0f 00 0d 00 06 00 04 ef ef ee ee ff 01 3411 0040 00 01 00 3412 TLSv1.2 Record Layer: Handshake Protocol: Client Hello 3413 Content Type: Handshake (22) 3414 Version: TLS 1.2 (0x0303) 3415 Length: 62 3416 Handshake Protocol: Client Hello 3417 Handshake Type: Client Hello (1) 3418 Length: 58 3419 Version: TLS 1.2 (0x0303) 3420 Random: 6153804930e2cfd2ac10975db166ae9fdff9e73b7a476827f06e3710e9245a3c 3421 Session ID Length: 0 3422 Cipher Suites Length: 2 3423 Cipher Suites (1 suite) 3424 Cipher Suite: TLS_GOSTR341112_256_WITH_28147_CNT_IMIT (0xff85) 3425 Compression Methods Length: 1 3426 Compression Methods (1 method) 3427 Extensions Length: 15 3428 Extension: signature_algorithms (len=6) 3429 Type: signature_algorithms (13) 3430 Length: 6 3431 Signature Hash Algorithms Length: 4 3432 Signature Hash Algorithms (2 algorithms) 3433 Signature Algorithm: gostr34102012_512 gostr34102012_512 (0xefef) 3434 Signature Hash Algorithm Hash: gostr34102012_512 (239) 3435 Signature Hash Algorithm Signature: gostr34102012_512 (239) 3436 Signature Algorithm: gostr34102012_256 gostr34102012_256 (0xeeee) 3437 Signature Hash Algorithm Hash: gostr34102012_256 (238) 3438 Signature Hash Algorithm Signature: gostr34102012_256 (238) 3439 Extension: renegotiation_info (len=1) 3440 Type: renegotiation_info (65281) 3441 Length: 1 3442 Renegotiation Info extension 3443 Renegotiation info extension length: 0 3445 --------------------------------------------------------- 3447 server -> client 3449 0000 16 03 03 00 51 02 00 00 4d 03 03 e6 bd 34 dd 03 3450 0010 26 e6 75 1d 8d 45 e5 81 05 b0 a9 5f 0e 12 88 a2 3451 0020 cf 9b 7b 44 4f 57 4e 47 52 44 01 20 5f d4 61 e1 3452 0030 ff 8d 62 1c 02 99 24 0c 6c c9 f6 7a b2 4d d7 ff 3453 0040 e4 e4 e5 f4 28 ee 6e bd 6d 9c a2 4a ff 85 00 00 3454 0050 05 ff 01 00 01 00 3456 TLSv1.2 Record Layer: Handshake Protocol: Server Hello 3457 Content Type: Handshake (22) 3458 Version: TLS 1.2 (0x0303) 3459 Length: 81 3460 Handshake Protocol: Server Hello 3461 Handshake Type: Server Hello (2) 3462 Length: 77 3463 Version: TLS 1.2 (0x0303) 3464 Random: e6bd34dd0326e6751d8d45e58105b0a95f0e1288a2cf9b7b444f574e47524401 3465 Session ID Length: 32 3466 Session ID: 5fd461e1ff8d621c0299240c6cc9f67ab24dd7ffe4e4e5f428ee6ebd6d9ca24a 3467 Cipher Suite: TLS_GOSTR341112_256_WITH_28147_CNT_IMIT (0xff85) 3468 Compression Method: null (0) 3469 Extensions Length: 5 3470 Extension: renegotiation_info (len=1) 3471 Type: renegotiation_info (65281) 3472 Length: 1 3473 Renegotiation Info extension 3474 Renegotiation info extension length: 0 3476 --------------------------------------------------------- 3478 server -> client 3480 0000 16 03 03 02 6a 0b 00 02 66 00 02 63 00 02 60 30 3481 0010 82 02 5c 30 82 01 c8 a0 03 02 01 02 02 14 78 94 3482 0020 dc 9d 92 09 77 80 91 91 64 2f 1d ae dc 26 ba 3b 3483 0030 51 04 30 0a 06 08 2a 85 03 07 01 01 03 03 30 19 3484 0040 31 17 30 15 06 03 55 04 03 13 0e 43 41 20 43 65 3485 0050 72 74 69 66 69 63 61 74 65 30 1e 17 0d 31 38 30 3486 0060 31 30 32 30 30 30 30 31 31 5a 17 0d 32 32 30 31 3487 0070 30 32 30 30 30 30 32 31 5a 30 21 31 1f 30 1d 06 3488 0080 03 55 04 03 13 16 53 65 72 76 65 72 20 35 31 32 3489 0090 20 43 65 72 74 69 66 69 63 61 74 65 30 81 aa 30 3490 00a0 21 06 08 2a 85 03 07 01 01 01 02 30 15 06 09 2a 3491 00b0 85 03 07 01 02 01 02 01 06 08 2a 85 03 07 01 01 3492 00c0 02 03 03 81 84 00 04 81 80 95 67 94 9f 6a bf a3 3493 00d0 d9 89 1c 70 21 f2 89 fd 24 14 1b 84 e3 23 29 24 3494 00e0 b8 58 91 38 55 46 79 54 e0 7a 9b 2e 9d 85 ac 2e 3495 00f0 0b 99 3e 43 d5 13 6a f3 97 6d 23 24 48 99 43 41 3496 0100 20 c8 8a 27 c0 66 05 db 16 cf d4 0f a0 c4 77 20 3497 0110 08 6d a0 15 16 76 44 04 22 82 32 f7 f7 f2 26 98 3498 0120 62 80 da ff aa 99 bb 6f 7d 5a e6 4a 5a 28 cb 02 3499 0130 fd b8 4f e2 0d d5 7a ae a5 35 16 bb 2b f1 85 6b 3500 0140 bc c8 23 bd c5 de 80 1e d0 a3 81 93 30 81 90 30 3501 0150 0c 06 03 55 1d 13 01 01 ff 04 02 30 00 30 1a 06 3502 0160 03 55 1d 11 04 13 30 11 82 09 6c 6f 63 61 6c 68 3503 0170 6f 73 74 87 04 7f 00 00 01 30 13 06 03 55 1d 25 3504 0180 04 0c 30 0a 06 08 2b 06 01 05 05 07 03 01 30 0f 3505 0190 06 03 55 1d 0f 01 01 ff 04 05 03 03 07 b0 00 30 3506 01a0 1d 06 03 55 1d 0e 04 16 04 14 ae 46 41 1b fd b3 3507 01b0 08 c3 39 03 47 57 57 2b 0f bf a3 6f 9a 99 30 1f 3508 01c0 06 03 55 1d 23 04 18 30 16 80 14 7f 7b 7a 15 61 3509 01d0 a6 f2 18 a2 e3 48 3b c6 39 d9 7f 42 db 6d af 30 3510 01e0 0a 06 08 2a 85 03 07 01 01 03 03 03 81 81 00 9c 3511 01f0 49 78 f7 1b ab 54 8a 25 6d 2a 18 7c a8 4d 72 4f 3512 0200 e1 ef a7 e5 36 67 2e 79 1f 8a 0c b6 74 1e b1 63 3513 0210 e2 96 37 8c 5b 82 83 ee da b4 1b a4 22 1e bc e2 3514 0220 05 f6 f8 79 cf eb f0 ad e9 36 07 0f b2 40 e5 0d 3515 0230 04 37 03 7f 2a ec 99 c7 cd 23 9f 6f 20 25 a8 6c 3516 0240 12 d5 1f 99 c9 8a 4a 99 04 f0 ea 54 86 fe d7 ff 3517 0250 66 ab 8e b2 42 5e 1a ce ae 8a 75 8b df 84 3b e1 3518 0260 a8 f6 fe bf 67 30 15 fe d7 ab 86 53 3d bf 20 3520 TLSv1.2 Record Layer: Handshake Protocol: Certificate 3521 Content Type: Handshake (22) 3522 Version: TLS 1.2 (0x0303) 3523 Length: 618 3524 Handshake Protocol: Certificate 3525 Handshake Type: Certificate (11) 3526 Length: 614 3527 Certificates Length: 611 3528 Certificates (611 bytes) 3529 Certificate Length: 608 3530 Certificate: 3082025c308201c8a00302010202147894dc9d9209778091... 3532 --------------------------------------------------------- 3534 server -> client 3536 0000 16 03 03 00 2f 0d 00 00 2b 05 01 02 40 ee ef 00 3537 0010 04 ef ef ee ee 00 1d 00 1b 30 19 31 17 30 15 06 3538 0020 03 55 04 03 13 0e 43 41 20 43 65 72 74 69 66 69 3539 0030 63 61 74 65 3541 TLSv1.2 Record Layer: Handshake Protocol: Certificate Request 3542 Content Type: Handshake (22) 3543 Version: TLS 1.2 (0x0303) 3544 Length: 47 3545 Handshake Protocol: Certificate Request 3546 Handshake Type: Certificate Request (13) 3547 Length: 43 3548 Certificate types count: 5 3549 Certificate types (5 types) 3550 Certificate type: RSA Sign (1) 3551 Certificate type: DSS Sign (2) 3552 Certificate type: ECDSA Sign (64) 3553 Certificate type: Unknown (238) 3554 Certificate type: Unknown (239) 3555 Signature Hash Algorithms Length: 4 3556 Signature Hash Algorithms (2 algorithms) 3557 Signature Algorithm: gostr34102012_512 gostr34102012_512 (0xefef) 3558 Signature Hash Algorithm Hash: gostr34102012_512 (239) 3559 Signature Hash Algorithm Signature: gostr34102012_512 (239) 3560 Signature Algorithm: gostr34102012_256 gostr34102012_256 (0xeeee) 3561 Signature Hash Algorithm Hash: gostr34102012_256 (238) 3562 Signature Hash Algorithm Signature: gostr34102012_256 (238) 3563 Distinguished Names Length: 29 3564 Distinguished Names (29 bytes) 3565 --------------------------------------------------------- 3567 server -> client 3569 0000 16 03 03 00 04 0e 00 00 00 3571 TLSv1.2 Record Layer: Handshake Protocol: Server Hello Done 3572 Content Type: Handshake (22) 3573 Version: TLS 1.2 (0x0303) 3574 Length: 4 3575 Handshake Protocol: Server Hello Done 3576 Handshake Type: Server Hello Done (14) 3577 Length: 0 3579 --------------------------------------------------------- 3581 client -> server 3583 0000 16 03 03 02 07 0b 00 02 03 00 02 00 00 01 fd 30 3584 0010 82 01 f9 30 82 01 65 a0 03 02 01 02 02 14 47 07 3585 0020 04 a6 c5 d9 ed 65 1a 66 4d f8 f3 68 2d c3 59 8f 3586 0030 9f 3e 30 0a 06 08 2a 85 03 07 01 01 03 03 30 19 3587 0040 31 17 30 15 06 03 55 04 03 13 0e 43 41 20 43 65 3588 0050 72 74 69 66 69 63 61 74 65 30 1e 17 0d 31 38 30 3589 0060 31 30 32 30 30 30 30 31 32 5a 17 0d 32 32 30 31 3590 0070 30 32 30 30 30 30 33 32 5a 30 21 31 1f 30 1d 06 3591 0080 03 55 04 03 13 16 43 6c 69 65 6e 74 20 32 35 36 3592 0090 20 43 65 72 74 69 66 69 63 61 74 65 30 66 30 1f 3593 00a0 06 08 2a 85 03 07 01 01 01 01 30 13 06 07 2a 85 3594 00b0 03 02 02 23 01 06 08 2a 85 03 07 01 01 02 02 03 3595 00c0 43 00 04 40 57 e4 a2 be 86 1d e8 72 2d c5 d0 b2 3596 00d0 1b 21 57 0b ee 43 d9 07 40 ee db 6c ee 04 99 0f 3597 00e0 58 b3 f0 0f 66 f3 21 44 46 4d cc e8 b0 0d 72 c5 3598 00f0 89 21 da 05 3a 4b c7 f4 eb a5 25 68 ae 79 e8 23 3599 0100 29 4e 0c 56 a3 76 30 74 30 0c 06 03 55 1d 13 01 3600 0110 01 ff 04 02 30 00 30 13 06 03 55 1d 25 04 0c 30 3601 0120 0a 06 08 2b 06 01 05 05 07 03 02 30 0f 06 03 55 3602 0130 1d 0f 01 01 ff 04 05 03 03 07 b0 00 30 1d 06 03 3603 0140 55 1d 0e 04 16 04 14 0f 6d b6 a1 e3 a2 6f 52 ab 3604 0150 a7 39 d1 39 c2 51 bf 25 4d a2 aa 30 1f 06 03 55 3605 0160 1d 23 04 18 30 16 80 14 7f 7b 7a 15 61 a6 f2 18 3606 0170 a2 e3 48 3b c6 39 d9 7f 42 db 6d af 30 0a 06 08 3607 0180 2a 85 03 07 01 01 03 03 03 81 81 00 b2 83 3d db 3608 0190 7f 5a 80 54 d3 b4 42 cb 0b 61 7c 99 d6 27 36 d7 3609 01a0 2c 13 04 f5 28 22 89 f9 34 9a 1e 0f 8c db da f4 3610 01b0 7d 11 cd fa b9 f1 02 b4 a0 8f 3c 35 01 f3 1b 8f 3611 01c0 60 4a 64 c8 f7 16 01 cb 6f e1 55 c3 8f 76 d2 d9 3612 01d0 50 b7 55 74 10 a7 0d c5 d7 70 52 d2 bd 14 57 81 3613 01e0 7c 05 2f 21 03 3f 84 7b 7e 23 b1 ce 1b a7 cd 4a 3614 01f0 1f 7f 83 cc 43 75 e0 0b fe 7b 6a 14 21 76 ba 21 3615 0200 49 f5 88 51 a1 30 0a 04 b7 1c 95 d4 3617 TLSv1.2 Record Layer: Handshake Protocol: Certificate 3618 Content Type: Handshake (22) 3619 Version: TLS 1.2 (0x0303) 3620 Length: 519 3621 Handshake Protocol: Certificate 3622 Handshake Type: Certificate (11) 3623 Length: 515 3624 Certificates Length: 512 3625 Certificates (512 bytes) 3627 --------------------------------------------------------- 3628 VKO PRIVATE KEY[64]: 3629 d46a655f4fc7a0d419be74539761c99d5911061778c35bcdeb83e25ddeca331 3630 88dc3b5cd01bb119628c0b844a8c4b30e743576bb3222f959b9e8d0da377592 3631 --------------------------------------------------------- 3633 client -> server 3635 0000 16 03 03 00 f9 10 00 00 f5 30 81 f2 30 81 ef 30 3636 0010 28 04 20 de b2 79 5a a9 14 a7 e6 0b b1 6b c4 b5 3637 0020 ee 44 47 93 a9 37 e3 b1 fa 4b e6 80 1a 9c 12 04 3638 0030 93 bc 49 04 04 7a 70 60 69 a0 81 c2 06 09 2a 85 3639 0040 03 07 01 02 05 01 01 a0 81 aa 30 21 06 08 2a 85 3640 0050 03 07 01 01 01 02 30 15 06 09 2a 85 03 07 01 02 3641 0060 01 02 01 06 08 2a 85 03 07 01 01 02 03 03 81 84 3642 0070 00 04 81 80 6a 28 2e f5 e0 63 8b 93 35 09 b2 a0 3643 0080 91 5c 89 85 60 c0 9d ee 8c 14 35 d4 d7 8a ba 75 3644 0090 27 4c e1 9a 1a 0b a4 ba c9 6e 7a dd 83 9d 5a 2c 3645 00a0 14 49 ae 12 2e 82 3d 7e d3 bb 67 a5 4a 21 0c 74 3646 00b0 ff 56 1f 20 5c 12 44 7c 58 72 6c c9 c0 eb 8c 67 3647 00c0 62 4a 79 6a e3 5a 30 bd 89 98 12 e5 0e e8 a5 e5 3648 00d0 30 ed 50 1e fd f4 43 7d 55 79 fa de 34 73 66 7d 3649 00e0 ba 65 ba 56 61 29 fc 60 50 c3 a6 d9 d0 b5 0e 80 3650 00f0 c7 a2 a8 1b 04 08 c4 5e d2 ee bd 69 e3 c9 3651 TLSv1.2 Record Layer: Handshake Protocol: Client Key Exchange 3652 Content Type: Handshake (22) 3653 Version: TLS 1.2 (0x0303) 3654 Length: 249 3655 Handshake Protocol: Client Key Exchange 3656 Handshake Type: Client Key Exchange (16) 3657 Length: 245 3659 --------------------------------------------------------- 3661 client -> server 3663 0000 16 03 03 00 48 0f 00 00 44 ee ee 00 40 19 a9 05 3664 0010 4a c3 76 92 c5 60 02 bc 40 3f 62 6a 8b bc 25 e2 3665 0020 52 f9 f0 72 68 d4 70 da 72 6a ce 8a bb a5 83 53 3666 0030 d7 3c 4b 34 48 a7 2c bb 82 93 a6 4d 9e fc 36 98 3667 0040 18 e7 c8 04 c2 7e 9f ea ce ac 65 79 25 3669 TLSv1.2 Record Layer: Handshake Protocol: Certificate Verify 3670 Content Type: Handshake (22) 3671 Version: TLS 1.2 (0x0303) 3672 Length: 72 3673 Handshake Protocol: Certificate Verify 3674 Handshake Type: Certificate Verify (15) 3675 Length: 68 3676 Signature Algorithm: gostr34102012_256 gostr34102012_256 (0xeeee) 3677 Signature Hash Algorithm Hash: gostr34102012_256 (238) 3678 Signature Hash Algorithm Signature: gostr34102012_256 (238) 3679 Signature length: 64 3680 Signature: 19a9054ac37692c56002bc403f626a8bbc25e252f9f07268d470da726ace8abb 3681 a58353d73c4b3448a72cbb8293a64d9efc369818e7c804c27e9feaceac657925 3683 --------------------------------------------------------- 3685 client -> server 3687 0000 14 03 03 00 01 01 3689 TLSv1.2 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec 3690 Content Type: Change Cipher Spec (20) 3691 Version: TLS 1.2 (0x0303) 3692 Length: 1 3693 Change Cipher Spec Message 3695 --------------------------------------------------------- 3696 PREMASTER SECRET[32]: fadd834d5d887253e33580b399b36a41ee42faf179a44c95885ddaaacdfd28c8 3697 CLIENT RANDOM[32]: 6153804930e2cfd2ac10975db166ae9fdff9e73b7a476827f06e3710e9245a3c 3698 SERVER RANDOM[32]: e6bd34dd0326e6751d8d45e58105b0a95f0e1288a2cf9b7b444f574e47524401 3699 MASTER SECRET[48]: 6fbf770be54c718da1a1875cbcc948722588ba2a374d5b496fbb270452a8f408c9 3700 5e1c28883b7524af2afa63cd2bbd2f 3701 CLIENT MAC KEY [32]: c9ffcd14ca3150732d1ee30c8c5acfa8fc43e813a8090407095c4870fef82f4d 3702 SERVER MAC KEY [32]: fe1c675405dc40e73c29274192126cb10c33afa09f7c009a49da6a9fded490b1 3703 CLIENT WRITE KEY [32]: abb7919a60ac828f001ba7fc824dfbc0a6ffc88818c4cc75cacb917049b4423d 3704 SERVER WRITE KEY [32]: c521c75efe65c17d2bb1e2a8e577e44b3dcf7dcc3e2a3b25c4f01bf24d9147b9 3705 CLIENT WRITE IV [8]: fd9ef69d6e246e7d 3706 SERVER WRITE IV [8]: 133088402844ae73 3707 --------------------------------------------------------- 3709 client -> server 3711 0000 16 03 03 00 14 5d 3d c6 48 44 3c 17 b6 95 90 e5 3712 0010 0b 7f 9a 86 eb 7e 08 db 78 3714 TLSv1.2 Record Layer: Handshake Protocol: Encrypted Handshake Message 3715 Content Type: Handshake (22) 3716 Version: TLS 1.2 (0x0303) 3717 Length: 20 3718 Handshake Protocol: Encrypted Handshake Message 3720 Decrypted data: 3721 0000 14 00 00 0c 74 72 15 6e f1 d4 20 08 0b 52 18 39 3722 0010 c9 a0 cb 55 3724 SeqNo: 0 3725 Plaintext: 1400000c7472156ef1d420080b521839 3726 MAC: c9a0cb55 3728 --------------------------------------------------------- 3730 server -> client 3732 0000 14 03 03 00 01 01 3734 TLSv1.2 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec 3735 Content Type: Change Cipher Spec (20) 3736 Version: TLS 1.2 (0x0303) 3737 Length: 1 3738 Change Cipher Spec Message 3740 --------------------------------------------------------- 3742 server -> client 3744 0000 16 03 03 00 14 1e 8d 8a 90 51 11 49 b0 0a c0 5b 3745 0010 3f a1 01 91 a7 7d d3 08 61 3746 TLSv1.2 Record Layer: Handshake Protocol: Encrypted Handshake Message 3747 Content Type: Handshake (22) 3748 Version: TLS 1.2 (0x0303) 3749 Length: 20 3750 Handshake Protocol: Encrypted Handshake Message 3752 Decrypted data: 3754 0000 14 00 00 0c 5f 9a a2 91 63 73 c5 76 00 24 7d 89 3755 0010 2e bc 23 74 3757 SeqNo: 0 3758 Plaintext: 1400000c5f9aa2916373c57600247d89 3759 MAC: 2ebc2374 3761 --------------------------------------------------------- 3763 client -> server 3765 0000 17 03 03 00 0a 03 67 5c d5 b3 9c 42 af c7 79 3767 TLSv1.2 Record Layer: Application Data Protocol: Application Data 3768 Content Type: Application Data (23) 3769 Version: TLS 1.2 (0x0303) 3770 Length: 10 3771 Encrypted Application Data: 03675cd5b39c42afc779 3773 Decrypted data: 3775 0000 68 65 6c 6c 6f 0a a3 22 93 9c 3777 SeqNo: 1 3778 Plaintext: 68656c6c6f0a 3779 MAC: a322939c 3781 --------------------------------------------------------- 3783 server -> client 3785 0000 17 03 03 00 0a 17 fe 1c 80 18 55 3c a3 9f 72 3787 TLSv1.2 Record Layer: Application Data Protocol: Application Data 3788 Content Type: Application Data (23) 3789 Version: TLS 1.2 (0x0303) 3790 Length: 10 3791 Encrypted Application Data: 17fe1c8018553ca39f72 3793 Decrypted data: 3795 0000 68 65 6c 6c 6f 0a e9 f1 be f7 3797 SeqNo: 1 3798 Plaintext: 68656c6c6f0a 3799 MAC: e9f1bef7 3801 --------------------------------------------------------- 3803 client -> server 3805 0000 15 03 03 00 06 d2 85 f8 5e 11 40 3807 TLSv1.2 Record Layer: Encrypted Alert 3808 Content Type: Alert (21) 3809 Version: TLS 1.2 (0x0303) 3810 Length: 6 3811 Alert Message: Encrypted Alert 3813 Decrypted data: 3815 0000 01 00 18 8c fe 58 3817 SeqNo: 2 3818 Plaintext: 0100 3819 MAC: 188cfe58 3821 --------------------------------------------------------- 3823 server -> client 3825 0000 15 03 03 00 06 ca 7d 8b 03 21 04 3827 TLSv1.2 Record Layer: Encrypted Alert 3828 Content Type: Alert (21) 3829 Version: TLS 1.2 (0x0303) 3830 Length: 6 3831 Alert Message: Encrypted Alert 3833 Decrypted data: 3835 0000 01 00 be b9 f9 c2 3837 SeqNo: 2 3838 Plaintext: 0100 3839 MAC: beb9f9c2 3840 Appendix B. Contributors 3842 o Evgeny Alekseev 3843 CryptoPro 3844 alekseev@cryptopro.ru 3846 o Ekaterina Smyshlyaeva 3847 CryptoPro 3848 ess@cryptopro.ru 3850 o Grigory Sedov 3851 CryptoPro 3852 sedovgk@cryptopro.ru 3854 o Dmitry Eremin-Solenikov 3855 Auriga 3856 dbaryshkov@gmail.com 3858 Appendix C. Acknowledgments 3860 Authors' Addresses 3862 Stanislav Smyshlyaev (editor) 3863 CryptoPro 3864 18, Suschevsky val 3865 Moscow 127018 3866 Russian Federation 3868 Phone: +7 (495) 995-48-20 3869 Email: svs@cryptopro.ru 3871 Dmitry Belyavsky 3872 Cryptocom 3873 14/2 Kedrova st 3874 Moscow 117218 3875 Russian Federation 3877 Email: beldmit@gmail.com 3879 Markku-Juhani O. Saarinen 3880 Independent Consultant 3882 Email: mjos@iki.fi