Network Working Group                                  S. Smyshlyaev, Ed.
Internet-Draft                                                  CryptoPro
Intended status: Informational                               D. Belyavsky
Expires: December 30, 2019                                      Cryptocom
                                                              M. Saarinen
                                                   Independent Consultant
                                                            June 28, 2019

   GOST Cipher Suites for Transport Layer Security (TLS) Protocol Version 1.2
                     draft-smyshlyaev-tls12-gost-suites-05

Abstract

   This document specifies a set of cipher suites for the Transport Layer
   Security (TLS) protocol Version 1.2 to support the Russian cryptographic
   standard algorithms.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the provisions
   of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering Task
   Force (IETF).  Note that other groups may also distribute working
   documents as Internet-Drafts.  The list of current Internet-Drafts is at
   https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months and
   may be updated, replaced, or obsoleted by other documents at any time.
   It is inappropriate to use Internet-Drafts as reference material or to
   cite them other than as "work in progress."

   This Internet-Draft will expire on December 30, 2019.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the document
   authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal Provisions
   Relating to IETF Documents (https://trustee.ietf.org/license-info) in
   effect on the date of publication of this document.  Please review these
   documents carefully, as they describe your rights and restrictions with
   respect to this document.  Code Components extracted from this document
   must include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as described
   in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Conventions Used in This Document
   3.  Basic Terms and Definitions
   4.  Cipher Suite Definitions
       4.1.  Record Payload Protection
             4.1.1.  CTR_OMAC
             4.1.2.  CNT_IMIT
       4.2.  Key Exchange and Authentication
             4.2.1.  Hello Messages
             4.2.2.  Server Certificate
             4.2.3.  CertificateRequest
             4.2.4.  ClientKeyExchange
                     4.2.4.1.  CTR_OMAC
                     4.2.4.2.  CNT_IMIT
             4.2.5.  CertificateVerify
             4.2.6.  Finished
       4.3.  Cryptographic Algorithms
             4.3.1.  Block Cipher
             4.3.2.  MAC algorithm
             4.3.3.  Encryption algorithm
             4.3.4.  PRF and HASH algorithms
             4.3.5.  SNMAX parameter
   5.  New Values for the SignatureAlgorithm Registry
   6.  New Values for the Supported Groups Registry
   7.  New Values for the ClientCertificateType Identifiers Registry
   8.  Additional Algorithms
       8.1.  TLSTREE
             8.1.1.  Key Tree Parameters
       8.2.  Key export and key import algorithms
             8.2.1.  KExp15 and KImp15 Algorithms
             8.2.2.  KExp28147 and KImp28147 Algorithms
       8.3.  Key Exchange Generation Algorithms
             8.3.1.  KEG Algorithm
             8.3.2.  KEG_28147 Algorithm
       8.4.  gostIMIT28147
   9.  IANA Considerations
   10. Historical considerations
   11. Security Considerations
   12. References
       12.1.  Normative References
       12.2.  Informative References
   Appendix A.  Test Examples
       A.1.  Test Examples for CTR_OMAC cipher suites
             A.1.1.  TLSTREE Examples
                     A.1.1.1.  TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC ciphersuite
                     A.1.1.2.  TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC ciphersuite
             A.1.2.  Record Examples
                     A.1.2.1.  TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC ciphersuite
                     A.1.2.2.  TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC ciphersuite
             A.1.3.  Handshake Examples
                     A.1.3.1.  TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC ciphersuite
                     A.1.3.2.  TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC ciphersuite
       A.2.  Test Examples for CNT_IMIT cipher suites
             A.2.1.  Record Examples
             A.2.2.  Handshake Examples
   Appendix B.  Contributors
   Appendix C.  Acknowledgments
   Authors' Addresses
1.  Introduction

   This document specifies three new cipher suites for the Transport Layer
   Security (TLS) Protocol Version 1.2 [RFC5246] to support the set of
   Russian cryptographic standard algorithms (called GOST algorithms).
   These cipher suites use the same hash algorithm GOST R 34.11-2012
   [GOST3411-2012] (the English version can be found in [RFC6986]) and the
   same signature algorithm GOST R 34.10-2012 [GOST3410-2012] (the English
   version can be found in [RFC7091]) but use different encryption and MAC
   algorithms, so they are divided into two types: the CTR_OMAC cipher
   suites and the CNT_IMIT cipher suite.

   The CTR_OMAC cipher suites use the GOST R 34.12-2015 [GOST3412-2015]
   block ciphers (the English version can be found in [RFC7801]) and have
   the following values:

      TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC = {0xC1, 0x00};
      TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC = {0xC1, 0x01}.

   The CNT_IMIT cipher suite uses the GOST 28147-89 [GOST28147-89] block
   cipher (the English version can be found in [RFC5830]) and has the
   following value:

      TLS_GOSTR341112_256_WITH_28147_CNT_IMIT = {0xC1, 0x02}.

2.  Conventions Used in This Document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

3.  Basic Terms and Definitions

   This document uses the following terms and definitions for the sets and
   operations on the elements of these sets:

   B_t       the set of byte strings of length t, t >= 0; for t = 0 the
             B_t set consists of a single empty string of zero length.  If
             A is an element of B_t, then A = (a_1, a_2, ... , a_t), where
             a_1, a_2, ... , a_t are in {0, ... , 255};

   B*        the set of all byte strings of a finite length (hereinafter
             referred to as strings), including the empty string;

   A[i..j]   the string A[i..j] = (a_i, a_{i+1}, ... , a_j) in B_{j-i+1},
             where A = (a_1, ... , a_t) in B_t and 1 <= i <= j <= t;

   |A|       the byte length of the byte string A;

   A | C     concatenation of strings A and C both belonging to B*, i.e.,
             a string in B_{|A|+|C|}, where the left substring in B_|A| is
             equal to A, and the right substring in B_|C| is equal to C;

   A XOR C   bitwise exclusive-or of strings A and C both belonging to
             B_t, i.e., a string in B_t such that if A = (a_1, a_2, ... ,
             a_t), C = (c_1, c_2, ... , c_t) then A XOR C = (a_1 (xor)
             c_1, a_2 (xor) c_2, ... , a_t (xor) c_t), where (xor) is
             bitwise exclusive-or of bytes;

   i & j     bitwise AND of integers i and j;

   STR_t     the transformation that maps an integer i = 256^{t-1} * i_1
             + ... + 256 * i_{t-1} + i_t into the byte string STR_t(i) =
             (i_1, ... , i_t) in B_t (the interpretation of the integer as
             a byte string in big-endian format);

   str_t     the transformation that maps an integer i = 256^{t-1} * i_t
             + ... + 256 * i_2 + i_1 into the byte string str_t(i) =
             (i_1, ... , i_t) in B_t (the interpretation of the integer as
             a byte string in little-endian format);

   INT       the transformation that maps a string a = (a_1, ... , a_t) in
             B_t into the integer INT(a) = 256^{t-1} * a_1 + ... + 256 *
             a_{t-1} + a_t (the interpretation of the byte string in
             big-endian format as an integer);

   int       the transformation that maps a string a = (a_1, ... , a_t) in
             B_t into the integer int(a) = 256^{t-1} * a_t + ... + 256 *
             a_2 + a_1 (the interpretation of the byte string in
             little-endian format as an integer);

   k         the byte length of the block cipher key;

   n         the byte length of the block cipher block;

   Q_c       the public key stored in the client's certificate;

   d_c       the private key that corresponds to the Q_c key;

   Q_s       the public key stored in the server's certificate;

   d_s       the private key that corresponds to the Q_s key;

   q_s       the subgroup order of the group of points of the elliptic
             curve that corresponds to Q_s;

   P_s       the point of order q_s that belongs to the same curve as Q_s;

   r_c       the random string contained in the ClientHello.random field
             (see [RFC5246]);

   r_s       the random string contained in the ServerHello.random field
             (see [RFC5246]).

4.  Cipher Suite Definitions

4.1.  Record Payload Protection

   All of the cipher suites described in this document MUST use the "null"
   compression method (see Section 6.2.2 of [RFC5246] and Section 4.2.1).
   Note that the CompressionMethod.null operation is an identity operation;
   no fields are altered.

   All of the cipher suites described in this document use a stream cipher
   (see Section 4.3.3) to protect records.  The TLSCiphertext structure for
   the CTR_OMAC and CNT_IMIT cipher suites is specified in accordance with
   the Standard Stream Cipher case (see Section 6.2.3.1 of [RFC5246]):

      struct {
          ContentType type;
          ProtocolVersion version;
          uint16 length;
          GenericStreamCipher fragment;
      } TLSCiphertext;

   where TLSCiphertext.fragment is generated in accordance with
   Section 4.1.1 or Section 4.1.2.
   The connection key material is key material that consists of the
   sender_write_key (either the client_write_key or the server_write_key),
   the sender_write_MAC_key (either the client_write_MAC_key or the
   server_write_MAC_key) and the sender_write_IV (either the
   client_write_IV or the server_write_IV) parameters that are generated in
   accordance with Section 6.3 of [RFC5246].

   The record key material is key material that is generated from the
   connection key material and is used to protect the record with a given
   sequence number.  Note that in the cipher suites defined in this
   document the record key material can be equal to the connection key
   material.

   In this section the TLSCiphertext.fragment generation is described for
   one particular endpoint (server or client) with the corresponding
   connection key material and record key material.

4.1.1.  CTR_OMAC

   In the case of the CTR_OMAC cipher suites the record key material
   differs from the connection key material and, for a given sequence
   number seqnum, consists of:

   o  K_ENC_seqnum in B_k;

   o  K_MAC_seqnum in B_k;

   o  IV_seqnum in B_{n/2}.

   The K_ENC_seqnum and K_MAC_seqnum values are calculated using the
   TLSTREE function defined in Section 8.1 and the connection key material.
   IV_seqnum is calculated by adding the seqnum value to sender_write_IV
   modulo 2^{(n/2)*8}:

   o  K_ENC_seqnum = TLSTREE(sender_write_key, seqnum);

   o  K_MAC_seqnum = TLSTREE(sender_write_MAC_key, seqnum);

   o  IV_seqnum = STR_{n/2}((INT(sender_write_IV) + seqnum) mod
      2^{(n/2)*8}).

   The TLSCiphertext.fragment that corresponds to the sequence number
   seqnum is equal to the ENCValue_seqnum value that is calculated as
   follows:

   1.  The MAC value (MACValue_seqnum) is generated using the MAC algorithm
       (see Section 4.3.2) similarly to Section 6.2.3.1 of [RFC5246],
       except that the sender_write_MAC_key is replaced by the
       K_MAC_seqnum key:

          MACData_seqnum = STR_8(seqnum) | type_seqnum | version_seqnum |
                           length_seqnum | fragment_seqnum;

          MACValue_seqnum = MAC(K_MAC_seqnum, MACData_seqnum),

       where type_seqnum, version_seqnum, length_seqnum, fragment_seqnum
       are the TLSCompressed.type, TLSCompressed.version,
       TLSCompressed.length and TLSCompressed.fragment values of the record
       with the seqnum sequence number.

   2.  The entire data with the MACValue is encrypted with the ENC stream
       cipher (see Section 4.3.3):

          ENCData_seqnum = fragment_seqnum | MACValue_seqnum;

          ENCValue_seqnum = ENC(K_ENC_seqnum, IV_seqnum, ENCData_seqnum).

4.1.2.  CNT_IMIT

   In the case of the CNT_IMIT cipher suite the record key material is
   equal to the connection key material and consists of:

   o  sender_write_key in B_k;

   o  sender_write_MAC_key in B_k;

   o  sender_write_IV in B_n.

   The TLSCiphertext.fragment that corresponds to the sequence number
   seqnum is equal to the ENCValue_seqnum value that is calculated as
   follows:

   1.  The MAC value (MACValue_seqnum) is generated by the MAC algorithm
       (see Section 4.3.2) as follows:

          MACData_i = STR_8(i) | type_i | version_i | length_i |
                      fragment_i, i in {0, ... , seqnum};

          MACValue_seqnum = MAC(sender_write_MAC_key,
                                MACData_0 | ... | MACData_seqnum),

       where type_i, version_i, length_i, fragment_i are the
       TLSCompressed.type, TLSCompressed.version, TLSCompressed.length and
       TLSCompressed.fragment values of the record with the i sequence
       number.

       Implementation note: Due to the use of a CBC-MAC based mode it is
       not necessary to store all previous fragments MACData_0, ... ,
       MACData_{i-1} to generate the MACValue_i fragment for the i-th
       record.  It is enough to know only the intermediate internal state
       of the MAC algorithm.

   2.  The entire data with the MACValue is encrypted with the ENC stream
       cipher (see Section 4.3.3):

          ENCData_i = fragment_i | MACValue_i, i in {0, ... , seqnum};

          ENCValue_0 | ... | ENCValue_seqnum = ENC(sender_write_key,
                sender_write_IV, ENCData_0 | ... | ENCData_seqnum),

       where |ENCValue_i| = |ENCData_i|, i in {0, ... , seqnum}.

       Implementation note: Due to the use of a stream cipher it is not
       necessary to store all previous fragments ENCData_0, ... ,
       ENCData_{i-1} to generate the ENCValue_i fragment for the i-th
       record.  It is enough to know only the intermediate internal state
       of the ENC stream cipher.

4.2.  Key Exchange and Authentication

   All of the cipher suites described in this document use an ECDHE-based
   scheme to share the TLS premaster secret.

      Client                                               Server

      ClientHello                  -------->
                                                      ServerHello
                                                      Certificate
                                              CertificateRequest*
                                   <--------      ServerHelloDone
      Certificate*
      ClientKeyExchange
      CertificateVerify*
      [ChangeCipherSpec]
      Finished                     -------->
                                               [ChangeCipherSpec]
                                   <--------             Finished
      Application Data             <------->     Application Data

              Figure 1: Message flow for a full handshake.

      * Indicates optional messages that are sent for the client
        authentication.

   Figure 1 shows all messages involved in the TLS key establishment
   protocol (full handshake).  A ServerKeyExchange MUST NOT be sent (the
   server's certificate contains enough data to allow the client to
   exchange the premaster secret).

   The server side of the channel is always authenticated; the client side
   is optionally authenticated.  The server is authenticated by proving
   that it knows the premaster secret that is encrypted with the public
   key Q_s from the server's certificate.  The client is authenticated via
   its signature over the handshake transcript.
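   Added example (not part of the draft): the record-protection procedures
   of Sections 4.1.1 and 4.1.2 above, run end to end for one direction of a
   connection.  The GOST primitives are deliberately not implemented here;
   HMAC-SHA256 stands in for OMAC, gostIMIT28147 and TLSTREE, and a SHA-256
   keystream stands in for CTR-ACPKM and GOST 28147-89 CNT, all marked as
   stand-ins in the code.  What the program exercises is exactly what the
   draft specifies at the record layer: the MACData layout, the IV_seqnum
   derivation with its wrap-around modulo 2^{(n/2)*8}, per-record keys for
   CTR_OMAC against the connection-long MAC and keystream state of
   CNT_IMIT, the SNMAX limit of Section 4.3.5, and the receiver-side MAC
   check.  Keys, IVs and record contents are constructed test data.

```python
import hashlib
import hmac

def STR(t, i): return i.to_bytes(t, "big")    # STR_t of Section 3 (big-endian)
def INT(a): return int.from_bytes(a, "big")   # INT of Section 3

# Stand-ins for the GOST primitives. ASSUMPTION: these are NOT the real algorithms;
# they only have the interface and state behaviour the record layer relies on.
def toy_tlstree(key, seqnum):  # stand-in for TLSTREE (Section 8.1): per-record key
    return hmac.new(key, b"tlstree" + STR(8, seqnum), hashlib.sha256).digest()

def toy_mac(key, data, out_len):  # stand-in for OMAC (n-byte tag) / gostIMIT28147 (4-byte tag)
    return hmac.new(key, data, hashlib.sha256).digest()[:out_len]

class ToyStream:
    """Stateful keystream XOR standing in for CTR-ACPKM / GOST 28147-89 CNT."""
    def __init__(self, key, iv):
        self.key, self.iv, self.block, self.buf = key, iv, 0, b""
    def xor(self, data):
        out = bytearray()
        for byte in data:
            if not self.buf:  # next keystream block; the counter continues across calls
                self.buf = hashlib.sha256(self.key + self.iv + STR(8, self.block)).digest()
                self.block += 1
            out.append(byte ^ self.buf[0])
            self.buf = self.buf[1:]
        return bytes(out)

def mac_data(seqnum, ctype, version, fragment):
    """MACData_seqnum = STR_8(seqnum) | type | version | length | fragment."""
    return STR(8, seqnum) + bytes([ctype]) + version + STR(2, len(fragment)) + fragment

def iv_for_seqnum(write_iv, n, seqnum):
    """IV_seqnum = STR_{n/2}((INT(sender_write_IV) + seqnum) mod 2^{(n/2)*8})."""
    half = n // 2
    return STR(half, (INT(write_iv) + seqnum) % (1 << (half * 8)))

def rejected(fn, *args):
    """True if fn(*args) raises ValueError, i.e. the endpoint would send an alert."""
    try: fn(*args)
    except ValueError: return True
    return False

class CtrOmacEndpoint:
    """One direction of a CTR_OMAC connection (Section 4.1.1): fresh keys and IV per seqnum."""
    def __init__(self, write_key, write_mac_key, write_iv, n, snmax):
        self.key, self.mac_key, self.iv, self.n, self.snmax = write_key, write_mac_key, write_iv, n, snmax
    def _record_keys(self, seqnum):
        if seqnum > self.snmax:
            raise ValueError("seqnum exceeds SNMAX (Section 4.3.5)")
        return (toy_tlstree(self.key, seqnum), toy_tlstree(self.mac_key, seqnum),
                iv_for_seqnum(self.iv, self.n, seqnum))
    def protect(self, seqnum, ctype, version, fragment):
        k_enc, k_mac, iv = self._record_keys(seqnum)
        tag = toy_mac(k_mac, mac_data(seqnum, ctype, version, fragment), self.n)  # MAC length = n
        return ToyStream(k_enc, iv).xor(fragment + tag)  # ENC(K_ENC_seqnum, IV_seqnum, fragment | MAC)
    def unprotect(self, seqnum, ctype, version, ciphertext):
        k_enc, k_mac, iv = self._record_keys(seqnum)
        plain = ToyStream(k_enc, iv).xor(ciphertext)
        fragment, tag = plain[:-self.n], plain[-self.n:]
        if not hmac.compare_digest(tag, toy_mac(k_mac, mac_data(seqnum, ctype, version, fragment), self.n)):
            raise ValueError("bad_record_mac")
        return fragment

class CntImitEndpoint:
    """One direction of a CNT_IMIT connection (Section 4.1.2): MAC over MACData_0 | ... |
    MACData_seqnum and a keystream that is never restarted, so records go strictly in order."""
    MAC_LEN = 4
    def __init__(self, write_key, write_mac_key, write_iv):
        self.mac_state = hmac.new(write_mac_key, digestmod=hashlib.sha256)  # intermediate MAC state
        self.stream = ToyStream(write_key, write_iv)                         # intermediate ENC state
        self.seqnum = 0
    def _absorb(self, ctype, version, fragment):
        self.mac_state.update(mac_data(self.seqnum, ctype, version, fragment))
        self.seqnum += 1
        return self.mac_state.copy().digest()[:self.MAC_LEN]
    def protect(self, ctype, version, fragment):
        return self.stream.xor(fragment + self._absorb(ctype, version, fragment))
    def unprotect(self, ctype, version, ciphertext):
        plain = self.stream.xor(ciphertext)
        fragment, tag = plain[:-self.MAC_LEN], plain[-self.MAC_LEN:]
        if not hmac.compare_digest(tag, self._absorb(ctype, version, fragment)):
            raise ValueError("bad_record_mac")  # state is now out of step with the peer: close
        return fragment

def demo():
    # Constructed keys, IVs and records; not test vectors from the draft.
    ver, key, mac_key = b"\x03\x03", b"K" * 32, b"M" * 32
    tx = CtrOmacEndpoint(key, mac_key, b"\xff" * 8, 16, 2**64 - 1)   # Kuznyechik: n = 16, 8-byte IV
    rx = CtrOmacEndpoint(key, mac_key, b"\xff" * 8, 16, 2**64 - 1)
    ct = tx.protect(1, 23, ver, b"hello")
    magma = CtrOmacEndpoint(key, mac_key, b"\x00" * 4, 8, 2**32 - 1)  # Magma: n = 8, SNMAX = 2^32 - 1
    a, b = CntImitEndpoint(key, mac_key, b"\x00" * 8), CntImitEndpoint(key, mac_key, b"\x00" * 8)
    c0, c1 = a.protect(23, ver, b"first"), a.protect(23, ver, b"second")
    return {
        "ctr_omac_roundtrip": rx.unprotect(1, 23, ver, ct) == b"hello",
        "tamper_detected": rejected(rx.unprotect, 1, 23, ver, bytes([ct[0] ^ 1]) + ct[1:]),
        "snmax_enforced": rejected(magma.protect, 2**32, 23, ver, b"x"),
        "cnt_imit_chained": b.unprotect(23, ver, c0) == b"first" and b.unprotect(23, ver, c1) == b"second",
        "iv_wraps": iv_for_seqnum(b"\xff" * 8, 16, 1) == b"\x00" * 8,
    }
```

   With CNT_IMIT a failed MAC check leaves the keystream and the MAC state
   out of step with the peer, so the only sane response is to close the
   connection; with CTR_OMAC each record is checked under its own derived
   keys, so a corrupted record is rejected without disturbing the state
   for later sequence numbers.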
   In general the key exchange process for both the CTR_OMAC and CNT_IMIT
   cipher suites consists of the following steps:

   1.  The client generates the ephemeral key pair (d_eph, Q_eph) that
       corresponds to the server's public key Q_s stored in its
       certificate.

   2.  The client generates the premaster secret PS.  The PS value is
       chosen from B_32 at random.

   3.  Using d_eph and Q_s the client generates the export key material
       (see Section 4.2.4.1 and Section 4.2.4.2) for the particular key
       export algorithm (see Section 8.2.1 and Section 8.2.2) to generate
       the export representation PSExp of the PS value.

   4.  The client sends its ephemeral public key Q_eph and the PSExp value
       in the ClientKeyExchange message.

   5.  Using its private key d_s the server generates the import key
       material (see Section 4.2.4.1 and Section 4.2.4.2) for the
       particular key import algorithm (see Section 8.2.1 and
       Section 8.2.2) to extract the premaster secret PS from the export
       representation PSExp.

   The proposed cipher suites specify the ClientHello, ServerHello,
   ServerCertificate, CertificateRequest, ClientKeyExchange,
   CertificateVerify and Finished handshake messages, which are described
   in further detail below.

4.2.1.  Hello Messages

   The ClientHello message is generated in accordance with the following
   requirements:

   o  The ClientHello.compression_methods field SHOULD contain exactly one
      byte, set to zero, which corresponds to the "null" compression
      method.

   o  The ClientHello.extensions field SHOULD contain the
      signature_algorithms extension (see [RFC5246]) with the values
      defined in Section 5.

      If the negotiated cipher suite is one of CTR_OMAC/CNT_IMIT and the
      client implementation does not support generating the
      signature_algorithms extension with the appropriate values, the
      server MUST either abort the connection or ignore this extension and
      behave as if the client had sent the signature_algorithms extension
      with the values {0x08, 0x40} and {0x08, 0x41}.

   o  The ClientHello.extensions field is RECOMMENDED to contain the
      extended_master_secret (see [RFC7627]) and the renegotiation_info
      (see [RFC5746]) extensions.

   o  The ClientHello.extensions field MAY contain the supported_groups
      extension (see [RFC8422] and [RFC7919]) with the values defined in
      Section 6.

   The ServerHello message is generated in accordance with the following
   requirements:

   o  The ServerHello.compression_method field MUST contain exactly one
      byte, set to zero, which corresponds to the "null" compression
      method.

   o  The ServerHello.extensions field is RECOMMENDED to contain the
      extended_master_secret (see [RFC7627]) and the renegotiation_info
      (see [RFC5746]) extensions.

   o  The ServerHello.extensions field MUST NOT contain the
      encrypt_then_mac extension (see [RFC7366]).

   If the extended_master_secret extension is agreed, then the master
   secret value MUST be calculated in accordance with [RFC7627].

4.2.2.  Server Certificate

   This message is used to authentically convey the server's public key
   Q_s to the client and is generated in accordance with Section 7.4.2 of
   [RFC5246].

   Note: If the client has used the supported_groups extension, the public
   key in the server's certificate MUST respect the client's choice of
   elliptic curves.

   Upon receiving this message the client validates the certificate chain,
   extracts the server's public key, and checks that the key type is
   appropriate for the negotiated key exchange algorithm.  (A possible
   reason for a fatal handshake failure is that the client's capabilities
   for handling elliptic curves and point formats are exceeded.)

4.2.3.  CertificateRequest

   This message is sent when requesting client authentication and is
   specified in accordance with [RFC5246] as follows.

      struct {
          ClientCertificateType certificate_types<1..2^8-1>;
          SignatureAndHashAlgorithm
            supported_signature_algorithms<2..2^16-2>;
          DistinguishedName certificate_authorities<0..2^16-1>;
      } CertificateRequest;

   If the CTR_OMAC or CNT_IMIT cipher suite is negotiated, the
   CertificateRequest message MUST meet the following requirements:

   o  the CertificateRequest.supported_signature_algorithms field MUST
      contain only signature/hash algorithm pairs with the values
      {0x08, 0x40} or {0x08, 0x41} defined in Section 5;

   o  the CertificateRequest.certificate_types field MUST contain only the
      gost_sign256 (0x43) or gost_sign512 (0x44) values defined in
      Section 7.

4.2.4.  ClientKeyExchange

   The ClientKeyExchange message is defined as follows.

      enum { vko_kdf_gost, vko_gost } KeyExchangeAlgorithm;

      struct {
          select (KeyExchangeAlgorithm) {
              case vko_kdf_gost: GostKeyTransport;
              case vko_gost: TLSGostKeyTransportBlob;
          } exchange_keys;
      } ClientKeyExchange;

   The body of the ClientKeyExchange message consists of a
   GostKeyTransport/TLSGostKeyTransportBlob structure that contains an
   export representation of the premaster secret PS.

   The GostKeyTransport structure corresponds to the CTR_OMAC cipher
   suites and is described in Section 4.2.4.1, and the
   TLSGostKeyTransportBlob structure corresponds to the CNT_IMIT cipher
   suite and is described in Section 4.2.4.2.

4.2.4.1.  CTR_OMAC

   In the case of the CTR_OMAC cipher suites the body of the
   ClientKeyExchange message consists of the GostKeyTransport structure
   that is defined below.
   The client generates the ClientKeyExchange message in accordance with
   the following steps:

   1.  Generates the ephemeral key pair (Q_eph, d_eph), where:

          d_eph is chosen from {1, ... , q_s - 1} at random;

          Q_eph = d_eph * P_s.

   2.  Generates the export keys (K_EXP_MAC and K_EXP_ENC) using the KEG
       algorithm defined in Section 8.3.1:

          H = HASH(r_c | r_s);

          K_EXP_MAC | K_EXP_ENC = KEG(d_eph, Q_s, H).

   3.  Generates the export representation PSExp of the premaster secret
       PS using the KExp15 algorithm defined in Section 8.2.1:

          IV = H[25..24 + n / 2];

          PSExp = KExp15(PS, K_EXP_MAC, K_EXP_ENC, IV).

   4.  Generates the ClientKeyExchange message using the GostKeyTransport
       structure that is defined as follows:

          GostKeyTransport ::= SEQUENCE {
              keyExp              OCTET STRING,
              ephemeralPublicKey  SubjectPublicKeyInfo,
              ukm                 OCTET STRING OPTIONAL
          }

          SubjectPublicKeyInfo ::= SEQUENCE {
              algorithm         AlgorithmIdentifier,
              subjectPublicKey  BIT STRING
          }

          AlgorithmIdentifier ::= SEQUENCE {
              algorithm   OBJECT IDENTIFIER,
              parameters  ANY OPTIONAL
          }

       where the keyExp field contains the PSExp value, the
       ephemeralPublicKey field contains the Q_eph value and the ukm field
       MUST be ignored by the server.

   Upon receiving the ClientKeyExchange message, the server processes it
   as follows.

   1.  Checks the following three conditions.  If any of these checks
       fails, then the server MUST abort the handshake with an alert.

       o  Q_eph belongs to the same curve as the server public key Q_s;

       o  Q_eph is not equal to the zero point;

       o  q_s * Q_eph is equal to the zero point.

   2.  Generates the export keys (K_EXP_MAC and K_EXP_ENC) using the KEG
       algorithm defined in Section 8.3.1:

          H = HASH(r_c | r_s);

          K_EXP_MAC | K_EXP_ENC = KEG(d_s, Q_eph, H).

   3.  Extracts the premaster secret PS from the export representation
       PSExp using the KImp15 algorithm defined in Section 8.2.1:

          IV = H[25..24 + n / 2];

          PS = KImp15(PSExp, K_EXP_MAC, K_EXP_ENC, IV).

4.2.4.2.  CNT_IMIT

   In the case of the CNT_IMIT cipher suite the body of the
   ClientKeyExchange message consists of a TLSGostKeyTransportBlob
   structure that is defined below.

   The client generates the ClientKeyExchange message in accordance with
   the following steps:

   1.  Generates the ephemeral key pair (Q_eph, d_eph), where:

          d_eph is chosen from {1, ... , q_s - 1} at random;

          Q_eph = d_eph * P_s.

   2.  Generates the export key (K_EXP) using the KEG_28147 algorithm
       defined in Section 8.3.2:

          H = HASH(r_c | r_s);

          K_EXP = KEG_28147(d_eph, Q_s, H).

   3.  Generates the export representation PSExp of the premaster secret
       PS using the KExp28147 algorithm defined in Section 8.2.2:

          PSExp = IV | CEK_ENC | CEK_MAC = KExp28147(PS, K_EXP, H[1..8]).

   4.  Generates the ClientKeyExchange message using the
       TLSGostKeyTransportBlob structure that is defined as follows:

          TLSGostKeyTransportBlob ::= SEQUENCE {
              keyBlob  GostR3410-KeyTransport
          }

          GostR3410-KeyTransport ::= SEQUENCE {
              sessionEncryptedKey  Gost28147-89-EncryptedKey,
              transportParameters  [0] IMPLICIT GostR3410-TransportParameters
          }

          Gost28147-89-EncryptedKey ::= SEQUENCE {
              encryptedKey  Gost28147-89-Key,
              macKey        Gost28147-89-MAC
          }

          GostR3410-TransportParameters ::= SEQUENCE {
              encryptionParamSet  OBJECT IDENTIFIER,
              ephemeralPublicKey  [0] IMPLICIT SubjectPublicKeyInfo,
              ukm                 OCTET STRING
          }

       where the Gost28147-89-EncryptedKey.encryptedKey field contains the
       CEK_ENC value, the Gost28147-89-EncryptedKey.macKey field contains
       the CEK_MAC value, and the GostR3410-TransportParameters.ukm field
       contains the IV value.
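   Added example (not part of the draft): the three checks the server
   applies to Q_eph in step 1 of Section 4.2.4.1 (the same checks are
   listed in Section 4.2.4.2), and why each of them exists.  The curve is
   a constructed toy Weierstrass curve over GF(211) with cofactor h > 1,
   selected at runtime by brute-force point counting; it is not a GOST
   parameter set, and the scalars 5 and 11 are constructed keys.  KEG and
   KEG_28147 are not implemented; the example only confirms that both
   sides arrive at the same point d_eph * Q_s = d_s * Q_eph that those
   functions consume.  The last value returned shows what the q_s * Q_eph
   check prevents: a point of small order admits only a handful of
   possible shared points, so a server that skipped the check would leak
   d_s modulo that small order to whoever sent the point.

```python
def count_points(p, a, b):
    """Order of y^2 = x^3 + a*x + b over GF(p), point at infinity included (brute force)."""
    n = 1
    for x in range(p):
        rhs = (x * x * x + a * x + b) % p
        n += 1 if rhs == 0 else 2 * (pow(rhs, (p - 1) // 2, p) == 1)
    return n

def largest_prime_factor(n):
    f, last = 2, 1
    while f * f <= n:
        while n % f == 0:
            last, n = f, n // f
        f += 1
    return n if n > 1 else last

def ec_add(c, P, Q):
    """Affine point addition on curve c; None is the zero point."""
    p, a = c["p"], c["a"]
    if P is None or Q is None:
        return Q if P is None else P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) if P == Q else (y2 - y1) * pow(x2 - x1, -1, p)
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def ec_mul(c, k, P):
    """Double-and-add scalar multiplication k * P."""
    R = None
    while k:
        if k & 1:
            R = ec_add(c, R, P)
        P, k = ec_add(c, P, P), k >> 1
    return R

def point_with_x(c, x):
    rhs = (x ** 3 + c["a"] * x + c["b"]) % c["p"]
    return next(((x, y) for y in range(c["p"]) if y * y % c["p"] == rhs), None)

def scaled_point(c, k):
    """k * R for the first affine point R with k * R != O; its order divides N / k."""
    for x in range(c["p"]):
        R = point_with_x(c, x)
        if R is not None and ec_mul(c, k, R) is not None:
            return ec_mul(c, k, R)

def build_toy_curve(p=211, a=3):
    """Constructed toy curve (NOT a GOST parameter set): the first b giving a non-singular
    curve of order h * q with h > 1 and q prime > 30, plus a point P_s of order q."""
    for b in range(1, p):
        if (4 * a ** 3 + 27 * b * b) % p == 0:
            continue
        order = count_points(p, a, b)
        q = largest_prime_factor(order)
        if q > 30 and order != q:
            c = {"p": p, "a": a, "b": b, "q": q, "h": order // q}
            c["P_s"] = scaled_point(c, c["h"])
            return c
    raise RuntimeError("no suitable toy curve")

def server_accepts(c, Q_eph):
    """The three checks of Section 4.2.4.1 step 1 (repeated in Section 4.2.4.2)."""
    if Q_eph is None:                                   # Q_eph is not the zero point
        return False
    x, y = Q_eph
    on_curve = 0 <= x < c["p"] and 0 <= y < c["p"] and (y * y - x ** 3 - c["a"] * x - c["b"]) % c["p"] == 0
    return on_curve and ec_mul(c, c["q"], Q_eph) is None   # same curve as Q_s, and q_s * Q_eph == O

def demo():
    c = build_toy_curve()
    d_s, d_eph = 5, 11                                  # constructed server / client scalars, both < q_s
    Q_s, Q_eph = ec_mul(c, d_s, c["P_s"]), ec_mul(c, d_eph, c["P_s"])
    small = scaled_point(c, c["q"])                     # order divides h: outside the q-subgroup
    x0 = c["P_s"][0]
    off_curve = next((x0, y) for y in range(c["p"]) if (y * y - x0 ** 3 - c["a"] * x0 - c["b"]) % c["p"])
    return {
        "cofactor": c["h"],
        "valid_accepted": server_accepts(c, Q_eph),
        "shared_point_matches": ec_mul(c, d_eph, Q_s) == ec_mul(c, d_s, Q_eph),  # what KEG consumes
        "small_order_rejected": not server_accepts(c, small),
        "off_curve_rejected": not server_accepts(c, off_curve),
        "zero_rejected": not server_accepts(c, None),
        "small_order_shared_secrets": len({ec_mul(c, d, small) for d in range(1, c["q"])}),
    }
```

   On a real parameter set the validation is the same three predicates
   with 256- or 512-bit field arithmetic.  The on-curve check must be made
   against the curve of Q_s, the one the server's certificate is on, and
   the zero-point check must run before the multiplication, otherwise the
   arithmetic is fed a value the formulas were never defined for.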
   The keyBlob.transportParameters.ephemeralPublicKey field contains the
   client ephemeral public key Q_eph.  The encryptionParamSet field
   contains the value 1.2.643.7.1.2.5.1.1 that corresponds to the
   id-tc26-gost-28147-param-Z parameter set defined in [RFC7836].

   Upon receiving the ClientKeyExchange message, the server processes it
   as follows.

   1.  Checks the following three conditions.  If any of these checks
       fails, then the server MUST abort the handshake with an alert.

       1.  Q_eph belongs to the same curve as the server public key Q_s;

       2.  Q_eph is not equal to the zero point;

       3.  q_s * Q_eph is equal to the zero point.

   2.  Generates the export key (K_EXP) using the KEG_28147 algorithm
       defined in Section 8.3.2:

          H = HASH(r_c | r_s);

          K_EXP = KEG_28147(d_s, Q_eph, H).

   3.  Extracts the premaster secret PS from the export representation
       PSExp using the KImp28147 algorithm defined in Section 8.2.2:

          PS = KImp28147(PSExp, K_EXP, H[1..8]).

4.2.5.  CertificateVerify

   The client generates the value sgn as follows:

      sgn = SIGN_{d_c}(handshake_messages) = str_l(r) | str_l(s)

   where SIGN_{d_c} is the GOST R 34.10-2012 [RFC7091] signature algorithm,
   d_c is the client long-term private key that corresponds to the client
   long-term public key Q_c from the client's certificate, l = 32 for the
   gostr34102012_256 value of the SignatureAndHashAlgorithm field and
   l = 64 for the gostr34102012_512 value of the SignatureAndHashAlgorithm
   field.

   Here handshake_messages refers to all handshake messages sent or
   received, starting at ClientHello and up to, but not including, this
   CertificateVerify message, including the type and length fields of the
   handshake messages.

   The TLS CertificateVerify message is specified as follows.

      struct {
          SignatureAndHashAlgorithm algorithm;
          opaque signature<0..2^16-1>;
      } CertificateVerify;

   where the SignatureAndHashAlgorithm structure is specified in Section 5
   and the CertificateVerify.signature field contains the sgn value.

4.2.6.  Finished

   The TLS Finished message is specified as follows.

      struct {
          opaque verify_data[verify_data_length];
      } Finished;

      verify_data = PRF(master_secret, finished_label,
                        HASH(handshake_messages))[0..verify_data_length-1];

   where the verify_data_length value is equal to 32 for the CTR_OMAC cipher
   suites and is equal to 12 for the CNT_IMIT cipher suite.  The PRF
   function is defined in Section 4.3.4.

4.3.  Cryptographic Algorithms

4.3.1.  Block Cipher

   The cipher suite TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC MUST use
   Kuznyechik [RFC7801] as the base block cipher for the encryption and MAC
   algorithms.  The block length n is 16 bytes and the key length k is
   32 bytes.

   The cipher suite TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC MUST use Magma
   [GOST3412-2015] as the base block cipher for the encryption and MAC
   algorithms.  The block length n is 8 bytes and the key length k is
   32 bytes.

   The cipher suite TLS_GOSTR341112_256_WITH_28147_CNT_IMIT MUST use
   GOST 28147-89 [RFC5830] as the base block cipher with the parameter set
   id-tc26-gost-28147-param-Z defined in [RFC7836].  The block length n is
   8 bytes and the key length k is 32 bytes.

4.3.2.  MAC algorithm

   The CTR_OMAC cipher suites use the OMAC message authentication code
   construction defined in [GOST3413-2015], which can be considered as the
   CMAC mode defined in [CMAC] where the Kuznyechik or Magma block cipher
   (see Section 4.3.1) is used instead of the AES block cipher (see
   [IK2003] for more detail), as the MAC function.  The resulting MAC
   length is equal to the block length and the MAC key length is 32 bytes.
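   Added example (not part of the draft): the handshake wire encodings that
   Sections 4.2.1, 4.2.3, 4.2.5 and 5 constrain, as a parser and builder.
   It enforces the Intrinsic hash rule of Section 5 ({0x08, 0x40} and
   {0x08, 0x41} are the only valid pairs for the GOST signature values),
   the two MUSTs of Section 4.2.3 for CertificateRequest, the fallback a
   server may apply when the signature_algorithms extension is missing
   (Section 4.2.1), and the str_l(r) | str_l(s) layout of the
   CertificateVerify signature (Section 4.2.5).  The CA name and the r, s
   values are constructed inputs; no GOST R 34.10-2012 signing is
   performed.

```python
import struct

INTRINSIC = 0x08                                                              # "Intrinsic" hash (Section 5)
GOST_SIG = {0x40: ("gostr34102012_256", 32), 0x41: ("gostr34102012_512", 64)}  # signature id -> (name, l)
GOST_CERT_TYPES = {0x43: "gost_sign256", 0x44: "gost_sign512"}                # Section 7 values
DEFAULT_SIGALGS = [(INTRINSIC, 0x40), (INTRINSIC, 0x41)]                       # Section 4.2.1 fallback

def str_t(t, i):  # str_t of Section 3: little-endian
    return i.to_bytes(t, "little")

def int_t(a):     # int of Section 3: little-endian
    return int.from_bytes(a, "little")

def _vector(data, pos, len_bytes):
    """Read a TLS <len..> vector at pos; returns (body, position after it)."""
    if pos + len_bytes > len(data):
        raise ValueError("truncated length field")
    n = int.from_bytes(data[pos:pos + len_bytes], "big")
    pos += len_bytes
    if pos + n > len(data):
        raise ValueError("truncated vector")
    return data[pos:pos + n], pos + n

def parse_sigalg_list(vec):
    """SignatureAndHashAlgorithm pairs, with the Intrinsic rule of Section 5 enforced."""
    if len(vec) % 2:
        raise ValueError("odd-length SignatureAndHashAlgorithm list")
    pairs = [(vec[i], vec[i + 1]) for i in range(0, len(vec), 2)]
    for h, s in pairs:
        if s in GOST_SIG and h != INTRINSIC:
            raise ValueError("signature 0x%02x requires hash 0x08 (Intrinsic), got 0x%02x" % (s, h))
    return pairs

def parse_signature_algorithms_ext(ext_body):
    vec, pos = _vector(ext_body, 0, 2)
    if pos != len(ext_body):
        raise ValueError("trailing bytes in signature_algorithms")
    return parse_sigalg_list(vec)

def server_effective_sigalgs(ext_body):
    """Section 4.2.1: a server that does not abort on a missing extension behaves
    as if {0x08,0x40} and {0x08,0x41} had been offered."""
    return list(DEFAULT_SIGALGS) if ext_body is None else parse_signature_algorithms_ext(ext_body)

def build_certificate_request(cert_types, sigalgs, ca_names):
    sa = b"".join(bytes(p) for p in sigalgs)
    cas = b"".join(struct.pack("!H", len(n)) + n for n in ca_names)
    return (bytes([len(cert_types)]) + bytes(cert_types)
            + struct.pack("!H", len(sa)) + sa + struct.pack("!H", len(cas)) + cas)

def parse_certificate_request(body):
    """Parse CertificateRequest and enforce the two MUSTs of Section 4.2.3."""
    types, pos = _vector(body, 0, 1)
    sa, pos = _vector(body, pos, 2)
    cas_vec, pos = _vector(body, pos, 2)
    if pos != len(body):
        raise ValueError("trailing bytes in CertificateRequest")
    sigalgs = parse_sigalg_list(sa)
    if not types or any(t not in GOST_CERT_TYPES for t in types):
        raise ValueError("certificate_types must contain only gost_sign256 / gost_sign512")
    if not sigalgs or any(p not in DEFAULT_SIGALGS for p in sigalgs):
        raise ValueError("supported_signature_algorithms must contain only {0x08,0x40} / {0x08,0x41}")
    cas, q = [], 0
    while q < len(cas_vec):                     # DistinguishedName entries, treated as opaque DER here
        name, q = _vector(cas_vec, q, 2)
        cas.append(name)
    return {"certificate_types": list(types), "supported_signature_algorithms": sigalgs,
            "certificate_authorities": cas}

def encode_certificate_verify(sig_id, r, s):
    """Section 4.2.5: sgn = str_l(r) | str_l(s), l = 32 or 64, in a <0..2^16-1> vector."""
    l = GOST_SIG[sig_id][1]
    sgn = str_t(l, r) + str_t(l, s)
    return bytes([INTRINSIC, sig_id]) + struct.pack("!H", len(sgn)) + sgn

def decode_certificate_verify(body):
    if len(body) < 2 or body[0] != INTRINSIC or body[1] not in GOST_SIG:
        raise ValueError("unexpected SignatureAndHashAlgorithm")
    l = GOST_SIG[body[1]][1]
    sgn, pos = _vector(body, 2, 2)
    if pos != len(body) or len(sgn) != 2 * l:
        raise ValueError("signature must be exactly 2*l bytes")
    return body[1], int_t(sgn[:l]), int_t(sgn[l:])

def aborts(fn, *args):
    """True if fn(*args) raises ValueError, i.e. the handshake would be aborted."""
    try: fn(*args)
    except ValueError: return True
    return False
```

   In a real handshake each certificate_authorities entry is a
   DER-encoded X.501 Name; the example keeps them as opaque byte strings,
   which is all the TLS framing requires.  Note that the signature value
   is little-endian (str_l), unlike the big-endian TLS length fields
   around it.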
   The CNT_IMIT cipher suite uses the message authentication code
   function gost28147IMIT defined in Section 8.4 with the initialization
   vector IV = IV0, where IV0 in B_8 is a string of all zeros, together
   with the CryptoPro Key Meshing algorithm defined in [RFC4357].  The
   resulting MAC length is 4 bytes and the MAC key length is 32 bytes.

4.3.3.  Encryption Algorithm

   The CTR_OMAC cipher suites use the block cipher in the CTR-ACPKM
   encryption mode defined in [DraftRekeying] as the ENC function.  The
   section size N is 4 KB for the
   TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC cipher suite and 1 KB
   for the TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC cipher suite.  The
   initial counter nonce is defined as in Section 4.1.

   The CNT_IMIT cipher suite uses the block cipher in the counter
   encryption mode (CNT) defined in Section 6 of [RFC5830], with the
   CryptoPro Key Meshing algorithm defined in [RFC4357], as the ENC
   function.

4.3.4.  PRF and HASH Algorithms

   The pseudorandom function (PRF) for all the cipher suites defined in
   this document is the PRF_TLS_GOSTR3411_2012_256 function defined in
   [RFC7836].

   The hash function HASH for all the cipher suites defined in this
   document is the GOST R 34.11-2012 [RFC6986] hash algorithm with a
   32-byte (256-bit) hash code.

4.3.5.  SNMAX Parameter

   The SNMAX parameter defines the maximal value of the sequence number
   seqnum during one TLS 1.2 connection and is defined as follows:

   +---------------------------------------------+--------------------+
   | CipherSuites                                | SNMAX              |
   +---------------------------------------------+--------------------+
   |TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC | SNMAX = 2^64 - 1   |
   |TLS_GOSTR341112_256_WITH_28147_CNT_IMIT      |                    |
   +---------------------------------------------+--------------------+
   |TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC      | SNMAX = 2^32 - 1   |
   +---------------------------------------------+--------------------+

                                 Table 1

5.  New Values for the SignatureAlgorithm Registry

   The signature/hash algorithm pairs are used to indicate to the
   server/client which algorithms can be used in digital signatures and
   are defined by the SignatureAndHashAlgorithm structure (see
   Section 7.4.1.4.1 of [RFC5246]) as follows:

   struct {
       HashAlgorithm hash;
       SignatureAlgorithm signature;
   } SignatureAndHashAlgorithm;

   This document defines new values for the "SignatureAlgorithm
   Registry" that can be used in the SignatureAndHashAlgorithm.signature
   field for the particular signature/hash algorithm pair:

   enum {
       gostr34102012_256(0x40),
       gostr34102012_512(0x41),
   } SignatureAlgorithm;

   where the gostr34102012_256 and gostr34102012_512 values correspond
   to the GOST R 34.10-2012 [RFC7091] signature algorithm with 32-byte
   (256-bit) and 64-byte (512-bit) key length respectively.

   According to [RFC7091], the GOST R 34.10-2012 signature algorithm
   with 32-byte (256-bit) or 64-byte (512-bit) key length uses the GOST
   R 34.11-2012 [RFC6986] hash algorithm with 32-byte (256-bit) or
   64-byte (512-bit) hash code respectively (the hash algorithm is
   intrinsic to the signature algorithm).  Therefore, if the
   SignatureAndHashAlgorithm.signature field of a particular hash/
   signature pair listed in the Signature Algorithms Extension is equal
   to the 0x40 (gostr34102012_256) or 0x41 (gostr34102012_512) value,
   the SignatureAndHashAlgorithm.hash field of this pair MUST contain
   the "Intrinsic" value 0x08 (see [RFC8422]).

6.  New Values for the Supported Groups Registry

   The Supported Groups Extension indicates the set of elliptic curves
   supported by the client and is defined in [RFC8422] and [RFC7919].

   This document defines new values for the "Supported Groups" registry:

   enum {
       GC256A(0x22), GC256B(0x23), GC256C(0x24), GC256D(0x25),
       GC512A(0x26), GC512B(0x27), GC512C(0x28),
   } NamedGroup;

   where the values correspond to the following curves:

   +-------------+--------------------------------------+-----------+
   | Description | Curve Identifier Value               | Reference |
   +-------------+--------------------------------------+-----------+
   | GC256A      | id-tc26-gost-3410-2012-256-paramSetA | RFC 7836  |
   +-------------+--------------------------------------+-----------+
   | GC256B      |id-GostR3410-2001-CryptoPro-A-ParamSet| RFC 4357  |
   +-------------+--------------------------------------+-----------+
   | GC256C      |id-GostR3410-2001-CryptoPro-B-ParamSet| RFC 4357  |
   +-------------+--------------------------------------+-----------+
   | GC256D      |id-GostR3410-2001-CryptoPro-C-ParamSet| RFC 4357  |
   +-------------+--------------------------------------+-----------+
   | GC512A      | id-tc26-gost-3410-12-512-paramSetA   | RFC 7836  |
   +-------------+--------------------------------------+-----------+
   | GC512B      | id-tc26-gost-3410-12-512-paramSetB   | RFC 7836  |
   +-------------+--------------------------------------+-----------+
   | GC512C      | id-tc26-gost-3410-2012-512-paramSetC | RFC 7836  |
   +-------------+--------------------------------------+-----------+

                                 Table 2

7.  New Values for the ClientCertificateType Identifiers Registry

   The ClientCertificateType field of the CertificateRequest message
   contains a list of the certificate types that the client may offer
   and is defined in Section 7.4.4 of [RFC5246].

   This document defines new values for the "ClientCertificateType
   Identifiers" registry:

   enum {
       gost_sign256(0x43),
       gost_sign512(0x44),
   } ClientCertificateType;

   To use the gost_sign256 or gost_sign512 authentication mechanism, the
   client MUST possess a certificate containing a GOST R
   34.10-2012-capable public key that corresponds to the 32-byte
   (256-bit) or 64-byte (512-bit) signature key respectively.

   The client proves possession of the private key corresponding to the
   certified key by including a signature in the CertificateVerify
   message as described in Section 4.2.5.

8.  Additional Algorithms

8.1.  TLSTREE

   The TLSTREE function is defined as follows:

   TLSTREE(K_root, i) = KDF_3(KDF_2(KDF_1(K_root, STR_8(i & C_1)),
                              STR_8(i & C_2)), STR_8(i & C_3)),

   where

   o  K_root in B_32;

   o  i in {0, 1, ... , 2^64 - 1};

   o  C_1, C_2, C_3 are constants defined by the particular cipher suite
      (see Section 8.1.1);

   o  KDF_j(K, D), j = 1, 2, 3, K in B_32, D in B_8, is the key
      derivation function based on the KDF_GOSTR3411_2012_256 function
      defined in [RFC7836]:

      KDF_1(K, D) = KDF_GOSTR3411_2012_256(K, "level1", D);
      KDF_2(K, D) = KDF_GOSTR3411_2012_256(K, "level2", D);
      KDF_3(K, D) = KDF_GOSTR3411_2012_256(K, "level3", D).

8.1.1.  Key Tree Parameters

   The CTR_OMAC cipher suites use the TLSTREE function for the re-keying
   approach.  The constants for it are defined in the table below.
   +--------------------------------------------+----------------------+
   | CipherSuites                               | C_1, C_2, C_3        |
   +--------------------------------------------+----------------------+
   |TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC|C_1=0xFFFFFFFF00000000|
   |                                            |C_2=0xFFFFFFFFFFF80000|
   |                                            |C_3=0xFFFFFFFFFFFFFFC0|
   +--------------------------------------------+----------------------+
   |TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC     |C_1=0xFFFFFFC000000000|
   |                                            |C_2=0xFFFFFFFFFE000000|
   |                                            |C_3=0xFFFFFFFFFFFFF000|
   +--------------------------------------------+----------------------+

                                 Table 3

8.2.  Key Export and Key Import Algorithms

8.2.1.  KExp15 and KImp15 Algorithms

   The KExp15 and KImp15 algorithms use the block cipher determined by
   the particular cipher suite.

   The KExp15 key export algorithm is defined as follows.

   +------------------------------------------------------------+
   | KExp15(S, K_Exp_MAC, K_Exp_ENC, IV)                        |
   |------------------------------------------------------------|
   | Input:                                                     |
   |  - secret S to be exported, S in B*,                       |
   |  - key K_Exp_MAC in B_k,                                   |
   |  - key K_Exp_ENC in B_k,                                   |
   |  - IV in B_{n/2}                                           |
   | Output:                                                    |
   |  - export representation SExp in B_{|S|+n}                 |
   |------------------------------------------------------------|
   | 1. CEK_MAC = OMAC(K_Exp_MAC, IV | S), CEK_MAC in B_n       |
   | 2. SExp = CTR-Encrypt(K_Exp_ENC, IV, S | CEK_MAC)          |
   | 3. return SExp                                             |
   +------------------------------------------------------------+

   where the OMAC function is defined in [MODES], and the
   CTR-Encrypt(K, IV, S) function denotes the encryption of message S
   on key K and nonce IV in the CTR mode with s = n (see [MODES]).

   The KImp15 key import algorithm is defined as follows.
   +------------------------------------------------------------------+
   | KImp15(SExp, K_Exp_MAC, K_Exp_ENC, IV)                           |
   |------------------------------------------------------------------|
   | Input:                                                           |
   |  - export representation SExp in B*                              |
   |  - key K_Exp_MAC in B_k,                                         |
   |  - key K_Exp_ENC in B_k,                                         |
   |  - IV in B_{n/2}                                                 |
   | Output:                                                          |
   |  - secret S in B_{|SExp|-n} or FAIL                              |
   |------------------------------------------------------------------|
   | 1. S | CEK_MAC = CTR-Decrypt(K_Exp_ENC, IV, SExp), CEK_MAC in B_n|
   | 2. If CEK_MAC = OMAC(K_Exp_MAC, IV | S)                          |
   |    then return S; else return FAIL                               |
   +------------------------------------------------------------------+

   where the OMAC function is defined in [MODES], and the
   CTR-Decrypt(K, IV, S) function denotes the decryption of message S
   on key K and nonce IV in the CTR mode (see [MODES]).

   The keys K_Exp_MAC and K_Exp_ENC MUST be independent.  For every
   pair of keys (K_Exp_ENC, K_Exp_MAC) the IV values MUST be unique.
   For the import of key K with the KImp15 algorithm, every IV value
   MUST be sent with the export key representation or be a preshared
   value.

8.2.2.  KExp28147 and KImp28147 Algorithms

   The KExp28147 key export algorithm is defined as follows.

   +----------------------------------------------------------------+
   | KExp28147(S, K, IV)                                            |
   |----------------------------------------------------------------|
   | Input:                                                         |
   |  - secret S to be exported, S in B_32,                         |
   |  - key K in B_32,                                              |
   |  - IV in B_8.                                                  |
   | Output:                                                        |
   |  - export representation SExp in B_44                          |
   |----------------------------------------------------------------|
   | 1. CEK_MAC = gost28147IMIT(IV, K, S), CEK_MAC in B_4           |
   | 2. CEK_ENC = ECB-Encrypt(K, S), CEK_ENC in B_32                |
   | 3. return SExp = IV | CEK_ENC | CEK_MAC                        |
   +----------------------------------------------------------------+

   where the gost28147IMIT function is defined in Section 8.4, and the
   ECB-Encrypt(K, S) function denotes the encryption of message S on
   key K with the block cipher GOST 28147-89 in the ECB mode (see
   [RFC5830]).

   The KImp28147 key import algorithm is defined as follows.

   +----------------------------------------------------------------+
   | KImp28147(SExp, K, IV)                                         |
   |----------------------------------------------------------------|
   | Input:                                                         |
   |  - export representation SExp in B_44,                         |
   |  - key K in B_32,                                              |
   |  - IV in B_8.                                                  |
   | Output:                                                        |
   |  - imported secret S in B_32 or FAIL                           |
   |----------------------------------------------------------------|
   | 1. extract from SExp                                           |
   |    IV' = SExp[1..8],                                           |
   |    CEK_ENC = SExp[9..40],                                      |
   |    CEK_MAC = SExp[41..44]                                      |
   | 2. if IV' != IV then return FAIL; else                         |
   | 3. S = ECB-Decrypt(K, CEK_ENC), S in B_32                      |
   | 4. If CEK_MAC = gost28147IMIT(IV, K, S)                        |
   |    then return S; else return FAIL                             |
   +----------------------------------------------------------------+

   where the gost28147IMIT function is defined in Section 8.4, and the
   ECB-Decrypt(K, CEK_ENC) function denotes the decryption of
   ciphertext CEK_ENC on key K with the block cipher GOST 28147-89 in
   the ECB mode (see [RFC5830]).

8.3.  Key Exchange Generation Algorithms

8.3.1.  KEG Algorithm

   The KEG algorithm is defined as follows:

   +----------------------------------------------------------------+
   | KEG(d, Q, H)                                                   |
   |----------------------------------------------------------------|
   | Input:                                                         |
   |  - private key d,                                              |
   |  - public key Q,                                               |
   |  - H in B_32.                                                  |
   | Output:                                                        |
   |  - key material K in B_64.                                     |
   |----------------------------------------------------------------|
   | 1. If m < 2^{256}                                              |
   |       return KEG_256(d, Q, H)                                  |
   | 2. If m < 2^{512}                                              |
   |       return KEG_512(d, Q, H)                                  |
   | 3. return FAIL                                                 |
   +----------------------------------------------------------------+

   where m is the order of the group of elliptic curve points
   containing the point Q, and d in {1, ... , m - 1}.

   The KEG_256 algorithm is defined as follows:

   +----------------------------------------------------------------+
   | KEG_256(d, Q, H)                                               |
   |----------------------------------------------------------------|
   | Input:                                                         |
   |  - private key d,                                              |
   |  - public key Q,                                               |
   |  - H in B_32.                                                  |
   | Output:                                                        |
   |  - key material K in B_64.                                     |
   |----------------------------------------------------------------|
   | 1. r = INT(H[1..16])                                           |
   | 2. If r = 0                                                    |
   |       UKM = 1; else UKM = r                                    |
   | 3. K_EXP = VKO_256(d, Q, UKM)                                  |
   | 4. seed = H[17..24]                                            |
   | 5. return KDFTREE_256(K_EXP, "kdf tree", seed, 1)              |
   +----------------------------------------------------------------+

   where VKO_256 is the VKO_GOSTR3410_2012_256 function defined in
   [RFC7836] and KDFTREE_256 is the KDF_TREE_GOSTR3411_2012_256 function
   defined in [RFC7836] with the parameter L equal to 512.

   The KEG_512 algorithm is defined as follows:

   +----------------------------------------------------------------+
   | KEG_512(d, Q, H)                                               |
   |----------------------------------------------------------------|
   | Input:                                                         |
   |  - private key d,                                              |
   |  - public key Q,                                               |
   |  - H in B_32.                                                  |
   | Output:                                                        |
   |  - key material K in B_64.                                     |
   |----------------------------------------------------------------|
   | 1. r = INT(H[1..16])                                           |
   | 2. If r = 0                                                    |
   |       UKM = 1; else UKM = r                                    |
   | 3. return VKO_512(d, Q, UKM)                                   |
   +----------------------------------------------------------------+

   where VKO_512 is the VKO_GOSTR3410_2012_512 function defined in
   [RFC7836].

8.3.2.  KEG_28147 Algorithm

   The KEG_28147 algorithm is defined as follows:

   +----------------------------------------------------------------+
   | KEG_28147(d, Q, H)                                             |
   |----------------------------------------------------------------|
   | Input:                                                         |
   |  - private key d,                                              |
   |  - public key Q,                                               |
   |  - H in B_32.                                                  |
   | Output:                                                        |
   |  - key material K in B_32.                                     |
   |----------------------------------------------------------------|
   | 1. UKM = H[1..8]                                               |
   | 2. R = VKO_256(d, Q, INT(UKM))                                 |
   | 3. return K = CPDivers(UKM, R)                                 |
   +----------------------------------------------------------------+

   where the VKO_256 function is the VKO_GOSTR3410_2012_256 function
   defined in [RFC7836], and the CPDivers function corresponds to the
   CryptoPro KEK Diversification Algorithm defined in [RFC4357], which
   takes as input the UKM value and the key value.

8.4.  gost28147IMIT

   gost28147IMIT(IV, K, M) is a MAC algorithm with 4-byte output and is
   defined as follows:

   +----------------------------------------------------------------+
   | gost28147IMIT(IV, K, M)                                        |
   |----------------------------------------------------------------|
   | Input:                                                         |
   |  - initial value IV in B_8,                                    |
   |  - key K in B_32,                                              |
   |  - message M in B*.                                            |
   | Output:                                                        |
   |  - MAC value T in B_4.                                         |
   |----------------------------------------------------------------|
   | 1. M' = PAD(M)                                                 |
   | 2. M' = M'_0 | ... | M'_r, |M'_i| = 8, i in {0, ... , r}       |
   | 3. M'' = (M'_0 XOR IV) | M'_1 | ... | M'_r                     |
   | 4. return T = MAC28147(K, M'')                                 |
   +----------------------------------------------------------------+

   where the PAD function is the padding function that adds m zero
   bytes to the end of the message, where m is the smallest
   non-negative solution of the equation (|M| + m) mod 8 = 0, and the
   MAC28147 function corresponds to the Message Authentication Code
   Generation Mode defined in [RFC5830] with 4-byte output.

9.  IANA Considerations

   IANA has added numbers {0xC1, 0x00}, {0xC1, 0x01} and {0xC1, 0x02}
   with the names TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC,
   TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC,
   TLS_GOSTR341112_256_WITH_28147_CNT_IMIT to the "TLS Cipher Suite"
   registry with this document as reference, as shown below.

   +-------------+-----------------------------+---------+----------+
   | Value       | Description                 | DTLS-OK | Reference|
   +-------------+-----------------------------+---------+----------+
   | 0xC1, 0x00  | TLS_GOSTR341112_256_        | N       | this RFC |
   |             | _WITH_KUZNYECHIK_CTR_OMAC   |         |          |
   +-------------+-----------------------------+---------+----------+
   | 0xC1, 0x01  | TLS_GOSTR341112_256_        | N       | this RFC |
   |             | _WITH_MAGMA_CTR_OMAC        |         |          |
   +-------------+-----------------------------+---------+----------+
   | 0xC1, 0x02  | TLS_GOSTR341112_256_        | N       | this RFC |
   |             | _WITH_28147_CNT_IMIT        |         |          |
   +-------------+-----------------------------+---------+----------+

                                 Table 4

   IANA has added numbers 0x40, 0x41 with the names gostr34102012_256,
   gostr34102012_512 to the "TLS SignatureAlgorithm" registry, as shown
   below.
   +-----------+---------------------+---------+----------+
   | Value     | Description         | DTLS-OK | Reference|
   +-----------+---------------------+---------+----------+
   | 0x40      | gostr34102012_256   | Y       | this RFC |
   +-----------+---------------------+---------+----------+
   | 0x41      | gostr34102012_512   | Y       | this RFC |
   +-----------+---------------------+---------+----------+

                                 Table 5

   IANA has added numbers 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28 with
   the names GC256A, GC256B, GC256C, GC256D, GC512A, GC512B, GC512C to
   the "TLS Supported Groups" registry, as shown below.

   +-----------+----------------+---------+-------------+-----------+
   | Value     | Description    | DTLS-OK | Recommended | Reference |
   +-----------+----------------+---------+-------------+-----------+
   | 0x22      | GC256A         | Y       | N           | this RFC  |
   +-----------+----------------+---------+-------------+-----------+
   | 0x23      | GC256B         | Y       | N           | this RFC  |
   +-----------+----------------+---------+-------------+-----------+
   | 0x24      | GC256C         | Y       | N           | this RFC  |
   +-----------+----------------+---------+-------------+-----------+
   | 0x25      | GC256D         | Y       | N           | this RFC  |
   +-----------+----------------+---------+-------------+-----------+
   | 0x26      | GC512A         | Y       | N           | this RFC  |
   +-----------+----------------+---------+-------------+-----------+
   | 0x27      | GC512B         | Y       | N           | this RFC  |
   +-----------+----------------+---------+-------------+-----------+
   | 0x28      | GC512C         | Y       | N           | this RFC  |
   +-----------+----------------+---------+-------------+-----------+

                                 Table 6

   IANA has added numbers 0x43, 0x44 with the names gost_sign256,
   gost_sign512 to the "ClientCertificateType Identifiers" registry, as
   shown below.
   +-----------+---------------------+---------+----------+
   | Value     | Description         | DTLS-OK | Reference|
   +-----------+---------------------+---------+----------+
   | 0x43      | gost_sign256        | Y       | this RFC |
   +-----------+---------------------+---------+----------+
   | 0x44      | gost_sign512        | Y       | this RFC |
   +-----------+---------------------+---------+----------+

                                 Table 7

10.  Historical Considerations

   Note that prior to the existence of this document, implementations
   could only use values from the Private Use space in order to use the
   GOST-based algorithms.  So some old implementations can still use
   the old value {0x00, 0x81} instead of the {0xC1, 0x02} value to
   indicate the TLS_GOSTR341112_256_WITH_28147_CNT_IMIT cipher suite;
   the old value 0xEE instead of the values 0x40, 0x08 and 0x43 (to
   indicate the gostr34102012_256 signature algorithm, the Intrinsic
   hash algorithm and the gost_sign256 certificate type respectively);
   and the old value 0xEF instead of the values 0x41, 0x08 and 0x44 (to
   indicate the gostr34102012_512 signature algorithm, the Intrinsic
   hash algorithm and the gost_sign512 certificate type respectively).

   For historical reasons, in addition to the curve identifier values
   listed in Table 2, there exist some extra identifier values that
   correspond to the curves GC256B, GC256C and GC256D, as follows.
   +-------------+-----------------------------------------+
   | Description | Curve Identifier Values                 |
   +-------------+-----------------------------------------+
   | GC256B      |id-GostR3410-2001-CryptoPro-XchA-ParamSet|
   |             | id-tc26-gost-3410-2012-256-paramSetB    |
   +-------------+-----------------------------------------+
   | GC256C      | id-tc26-gost-3410-2012-256-paramSetC    |
   +-------------+-----------------------------------------+
   | GC256D      |id-GostR3410-2001-CryptoPro-XchB-ParamSet|
   |             | id-tc26-gost-3410-2012-256-paramSetD    |
   +-------------+-----------------------------------------+

                                 Table 8

   Clients should be prepared to handle any of them correctly if the
   corresponding group is included in the supported_groups extension.

11.  Security Considerations

   This entire document is about security considerations.

12.  References

12.1.  Normative References

   [DraftRekeying]
              Smyshlyaev, S., "Re-keying Mechanisms for Symmetric Keys",
              2018.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC4357]  Popov, V., Kurepkin, I., and S. Leontiev, "Additional
              Cryptographic Algorithms for Use with GOST 28147-89, GOST
              R 34.10-94, GOST R 34.10-2001, and GOST R 34.11-94
              Algorithms", RFC 4357, DOI 10.17487/RFC4357, January 2006.

   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.2", RFC 5246,
              DOI 10.17487/RFC5246, August 2008.

   [RFC5746]  Rescorla, E., Ray, M., Dispensa, S., and N. Oskov,
              "Transport Layer Security (TLS) Renegotiation Indication
              Extension", RFC 5746, DOI 10.17487/RFC5746, February 2010.

   [RFC5830]  Dolmatov, V., Ed., "GOST 28147-89: Encryption, Decryption,
              and Message Authentication Code (MAC) Algorithms",
              RFC 5830, DOI 10.17487/RFC5830, March 2010.
   [RFC6986]  Dolmatov, V., Ed. and A. Degtyarev, "GOST R 34.11-2012:
              Hash Function", RFC 6986, DOI 10.17487/RFC6986, August
              2013.

   [RFC7091]  Dolmatov, V., Ed. and A. Degtyarev, "GOST R 34.10-2012:
              Digital Signature Algorithm", RFC 7091,
              DOI 10.17487/RFC7091, December 2013.

   [RFC7366]  Gutmann, P., "Encrypt-then-MAC for Transport Layer
              Security (TLS) and Datagram Transport Layer Security
              (DTLS)", RFC 7366, DOI 10.17487/RFC7366, September 2014.

   [RFC7627]  Bhargavan, K., Ed., Delignat-Lavaud, A., Pironti, A.,
              Langley, A., and M. Ray, "Transport Layer Security (TLS)
              Session Hash and Extended Master Secret Extension",
              RFC 7627, DOI 10.17487/RFC7627, September 2015.

   [RFC7801]  Dolmatov, V., Ed., "GOST R 34.12-2015: Block Cipher
              "Kuznyechik"", RFC 7801, DOI 10.17487/RFC7801, March 2016.

   [RFC7836]  Smyshlyaev, S., Ed., Alekseev, E., Oshkin, I., Popov, V.,
              Leontiev, S., Podobaev, V., and D. Belyavsky, "Guidelines
              on the Cryptographic Algorithms to Accompany the Usage of
              Standards GOST R 34.10-2012 and GOST R 34.11-2012",
              RFC 7836, DOI 10.17487/RFC7836, March 2016.

   [RFC7919]  Gillmor, D., "Negotiated Finite Field Diffie-Hellman
              Ephemeral Parameters for Transport Layer Security (TLS)",
              RFC 7919, DOI 10.17487/RFC7919, August 2016.

   [RFC8422]  Nir, Y., Josefsson, S., and M. Pegourie-Gonnard, "Elliptic
              Curve Cryptography (ECC) Cipher Suites for Transport Layer
              Security (TLS) Versions 1.2 and Earlier", RFC 8422,
              DOI 10.17487/RFC8422, August 2018.

12.2.  Informative References

   [CMAC]     Dworkin, M., "Recommendation for Block Cipher Modes of
              Operation: the CMAC Mode for Authentication", NIST Special
              Publication 800-38B, 2005.
   [GOST28147-89]
              Government Committee of the USSR for Standards,
              "Cryptographic Protection for Data Processing System,
              Gosudarstvennyi Standard of USSR (In Russian)",
              GOST 28147-89, 1989.

   [GOST3410-2012]
              Federal Agency on Technical Regulating and Metrology,
              "Information technology.  Cryptographic data security.
              Signature and verification processes of [electronic]
              digital signature", GOST R 34.10-2012, 2012.

   [GOST3411-2012]
              Federal Agency on Technical Regulating and Metrology,
              "Information technology.  Cryptographic Data Security.
              Hashing function", GOST R 34.11-2012, 2012.

   [GOST3412-2015]
              Federal Agency on Technical Regulating and Metrology,
              "Information technology.  Cryptographic data security.
              Block ciphers", GOST R 34.12-2015, 2015.

   [GOST3413-2015]
              Federal Agency on Technical Regulating and Metrology,
              "Information technology.  Cryptographic data security.
              Modes of operation for block ciphers", GOST R 34.13-2015,
              2015.

   [IK2003]   Iwata, T. and K. Kurosawa, "OMAC: One-Key CBC MAC", FSE
              2003, Lecture Notes in Computer Science, vol. 2887,
              Springer, Berlin, Heidelberg, 2003.

   [MODES]    Dworkin, M., "Recommendation for Block Cipher Modes of
              Operation: Methods and Techniques", NIST Special
              Publication 800-38A, December 2001.

Appendix A.  Test Examples

A.1.  Test Examples for CTR_OMAC Cipher Suites

A.1.1.  TLSTREE Examples

A.1.1.1.
TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC ciphersuite 1410 TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC 1411 *********************************************** 1412 Root Key K_root: 1413 00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 1414 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 1416 seqnum = 0 1417 First level key from Divers_1: 1418 F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1 1419 39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42 1421 Second level key from Divers_2: 1422 51 37 D5 C4 A6 E6 BE 42 C4 40 D1 0A 95 EE A0 7F 1423 08 9E 74 0D 38 90 EB 52 65 2C 0C B9 3F 20 7B B4 1425 The resulting key from Divers 3: 1426 19 A7 6E D3 0F 4D 6D 1F 5B 72 63 EC 49 1A D8 38 1427 17 C0 B5 7D 8A 03 56 12 71 40 FB 4F 74 25 49 4D 1429 seqnum = 4095 1430 First level key from Divers_1: 1431 F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1 1432 39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42 1434 Second level key from Divers_2: 1435 51 37 D5 C4 A6 E6 BE 42 C4 40 D1 0A 95 EE A0 7F 1436 08 9E 74 0D 38 90 EB 52 65 2C 0C B9 3F 20 7B B4 1438 The resulting key from Divers 3: 1439 19 A7 6E D3 0F 4D 6D 1F 5B 72 63 EC 49 1A D8 38 1440 17 C0 B5 7D 8A 03 56 12 71 40 FB 4F 74 25 49 4D 1442 seqnum = 4096 1443 First level key from Divers_1: 1444 F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1 1445 39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42 1447 Second level key from Divers_2: 1448 51 37 D5 C4 A6 E6 BE 42 C4 40 D1 0A 95 EE A0 7F 1449 08 9E 74 0D 38 90 EB 52 65 2C 0C B9 3F 20 7B B4 1451 The resulting key from Divers 3: 1452 FB 30 EE 53 CF CF 89 D7 48 FC 0C 72 EF 16 0B 8B 1453 53 CB BB FD 03 12 82 B0 26 21 4A B2 E0 77 58 FF 1455 seqnum = 33554431 1456 First level key from Divers_1: 1457 F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1 1458 39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42 1460 Second level key from Divers_2: 1461 51 37 D5 C4 A6 E6 BE 42 C4 40 D1 0A 95 EE A0 7F 1462 08 9E 74 0D 38 90 EB 52 65 2C 0C B9 3F 20 7B B4 1464 The resulting key from Divers 3: 1465 B8 5B 36 DC 22 82 32 6B C0 35 
C5 72 DC 93 F1 8D 1466 83 AA 01 74 F3 94 20 9A 51 3B B3 74 DC 09 35 AE 1468 seqnum = 33554432 1469 First level key from Divers_1: 1470 F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1 1471 39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42 1473 Second level key from Divers_2: 1474 3F EA 59 38 DA 2B F8 DD C4 7E C1 DC 55 61 89 66 1475 79 02 BE 42 0D F4 C3 7D AF 21 75 3B CB 1D C7 F3 1477 The resulting key from Divers 3: 1478 0F D7 C0 9E FD F8 E8 15 73 EE CC F8 6E 4B 95 E3 1479 AF 7F 34 DA B1 17 7C FD 7D B9 7B 6D A9 06 40 8A 1481 seqnum = 274877906943 1482 First level key from Divers_1: 1483 F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1 1484 39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42 1486 Second level key from Divers_2: 1487 AB F3 A5 37 98 3A 1B 98 40 06 6D E6 8A 49 BF 25 1488 97 7E E5 C3 F5 2D 33 3E 3C 22 0F 1D 15 C5 08 93 1490 The resulting key from Divers 3: 1491 48 0F 99 72 BA F2 5D 4C 36 9A 96 AF 91 BC A4 55 1492 3F 79 D8 F0 C5 61 8B 19 FD 44 CF DC 57 FA 37 33 1493 seqnum = 274877906944 1494 First level key from Divers_1: 1495 15 60 0D 9E 8F A6 85 54 CF 15 2D C7 4F BC 42 51 1496 17 B0 3E 09 76 BB 28 EA 98 24 C3 B7 0F 28 CB D8 1498 Second level key from Divers_2: 1499 6C C2 8E B0 93 24 72 12 5C 7A D3 F8 09 73 B3 C8 1500 C4 13 7D A5 73 BC 17 1A 24 ED D4 A3 71 F1 F8 73 1502 The resulting key from Divers 3: 1503 25 28 C1 C6 A8 F0 92 7B F2 BE 27 BB 78 D2 7F 21 1504 46 D6 55 93 B0 C7 17 3A 06 CB 9D 88 DF 92 32 65 1506 A.1.1.2. 
TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC ciphersuite 1508 TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC 1509 *********************************************** 1510 Root Key K_root: 1511 00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 1512 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 1514 seqnum = 0 1515 First level key from Divers_1: 1516 F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1 1517 39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42 1519 Second level key from Divers_2: 1520 51 37 D5 C4 A6 E6 BE 42 C4 40 D1 0A 95 EE A0 7F 1521 08 9E 74 0D 38 90 EB 52 65 2C 0C B9 3F 20 7B B4 1523 The resulting key from Divers 3: 1524 19 A7 6E D3 0F 4D 6D 1F 5B 72 63 EC 49 1A D8 38 1525 17 C0 B5 7D 8A 03 56 12 71 40 FB 4F 74 25 49 4D 1527 seqnum = 63 1528 First level key from Divers_1: 1529 F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1 1530 39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42 1532 Second level key from Divers_2: 1533 51 37 D5 C4 A6 E6 BE 42 C4 40 D1 0A 95 EE A0 7F 1534 08 9E 74 0D 38 90 EB 52 65 2C 0C B9 3F 20 7B B4 1536 The resulting key from Divers 3: 1537 19 A7 6E D3 0F 4D 6D 1F 5B 72 63 EC 49 1A D8 38 1538 17 C0 B5 7D 8A 03 56 12 71 40 FB 4F 74 25 49 4D 1540 seqnum = 64 1541 First level key from Divers_1: 1542 F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1 1543 39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42 1545 Second level key from Divers_2: 1546 51 37 D5 C4 A6 E6 BE 42 C4 40 D1 0A 95 EE A0 7F 1547 08 9E 74 0D 38 90 EB 52 65 2C 0C B9 3F 20 7B B4 1549 The resulting key from Divers 3: 1550 AE BE 1E F4 18 71 3B F0 44 B9 FC D9 E5 72 D4 37 1551 FB 38 B5 D8 29 56 7A 6F 79 18 39 6D 9F 4E 09 6B 1553 seqnum = 524287 1554 First level key from Divers_1: 1555 F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1 1556 39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42 1558 Second level key from Divers_2: 1559 51 37 D5 C4 A6 E6 BE 42 C4 40 D1 0A 95 EE A0 7F 1560 08 9E 74 0D 38 90 EB 52 65 2C 0C B9 3F 20 7B B4 1562 The resulting key from Divers 3: 1563 6F 18 D4 00 3E A2 CB 30 
F5 FE C1 93 A2 34 F0 7D 1564 7C 43 94 98 7F 50 75 8D E2 2B 22 0D 8A 10 51 06 1566 seqnum = 524288 1567 First level key from Divers_1: 1568 F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1 1569 39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42 1571 Second level key from Divers_2: 1572 F6 59 EB 85 EE BD 2A 8D CC 1B B3 F7 C6 00 57 FF 1573 6D 33 B6 0F 74 65 DD 42 B5 11 2C F3 A6 B1 AB 66 1575 The resulting key from Divers 3: 1576 E5 4B 16 41 5B 3B 66 3E 78 0B 06 2D 24 F7 36 C4 1577 49 54 63 C3 A8 91 E1 FA 46 F7 AE 99 FF F9 F3 78 1579 seqnum = 4294967295 1580 First level key from Divers_1: 1581 F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1 1582 39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42 1584 Second level key from Divers_2: 1585 F4 BC 10 1A BB 68 86 2A 8C E3 1E A0 0D DF A7 FE 1586 B8 29 10 F1 24 F4 B1 E2 9E A8 3B E0 06 C2 26 8D 1588 The resulting key from Divers 3: 1589 CF 60 09 04 C7 1E 7B 88 A4 9A C8 E2 45 77 4B 3D 1590 BE ED FB 81 DE 9A 0E 2F 4E 46 C3 56 07 BC 2F 04 1592 seqnum = 4294967296 1593 First level key from Divers_1: 1594 55 CC 95 E0 D1 FB 54 85 AF 8E F6 9A CD 72 B2 32 1595 79 7C D2 E8 5D 86 CD FD 1D E5 5B D1 FA 14 37 78 1597 Second level key from Divers_2: 1598 72 16 91 E1 01 C4 28 96 A6 40 AE 18 3F BB 44 5B 1599 76 37 9C 57 E1 FD 8A 7D 49 A6 23 E4 23 8C 0E 1D 1601 The resulting key from Divers 3: 1602 16 18 0B 24 64 54 00 B8 36 14 38 37 D8 6A AC 93 1603 95 2A E3 EB 82 44 D5 EC 2A B0 2C FF 30 78 11 38 1605 A.1.2. Record Examples 1607 A.1.2.1. 
TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC ciphersuite

   TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC
   ********************************************************
   It is assumed that the following keys were established during the
   Handshake:

   - MAC key:
   00000: 00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A
   00010: 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00
   - Encryption key:
   00000: 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11
   00010: 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22
   - IV:
   00000: 00 00 00 00
   ---------------------------------------------------------
   seqnum = 0

   Application data:
   00000: 00 00 00 00 00 00 00

   TLSPlaintext:
   00000: 17 03 03 00 07 00 00 00 00 00 00 00

   K_MAC_0:
   00000: 19 A7 6E D3 0F 4D 6D 1F 5B 72 63 EC 49 1A D8 38
   00010: 17 C0 B5 7D 8A 03 56 12 71 40 FB 4F 74 25 49 4D

   MAC value:
   00000: F3 3E B6 89 6F EC E2 86

   K_ENC_0:
   00000: 58 AF BE 9A 4C 31 98 AA AB AA 26 92 C4 19 F1 79
   00010: 7C 9B 92 DE B3 CC 74 46 B3 63 57 71 13 F0 FB 56

   IV_0:
   00000: 00 00 00 00

   TLSCiphertext:
   00000: 17 03 03 00 0F 9B 42 0D A8 6F AF 36 7F 05 14 43
   00010: CE 9C 10 72
   ---------------------------------------------------------
   seqnum = 4095

   Application data:
   00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   . . .
   003D0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   003E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   003F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

   TLSPlaintext:
   00000: 17 03 03 04 00 00 00 00 00 00 00 00 00 00 00 00
   00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   . . .
   003D0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   003E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   003F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00400: 00 00 00 00 00

   K_MAC_4095:
   00000: 19 A7 6E D3 0F 4D 6D 1F 5B 72 63 EC 49 1A D8 38
   00010: 17 C0 B5 7D 8A 03 56 12 71 40 FB 4F 74 25 49 4D

   MAC value:
   00000: 58 D3 BB 60 8F BC 98 B8

   K_ENC_4095:
   00000: 58 AF BE 9A 4C 31 98 AA AB AA 26 92 C4 19 F1 79
   00010: 7C 9B 92 DE B3 CC 74 46 B3 63 57 71 13 F0 FB 56

   IV_4095:
   00000: 00 00 0F FF

   TLSCiphertext:
   00000: 17 03 03 04 08 B7 11 43 8B 16 20 1F 3C 49 33 95
   00010: 21 C9 C8 CA 75 66 D4 C2 0F D3 3E 58 1F 80 07 DC
   00020: 76 04 3E 2B 35 C8 E8 4B B2 55 08 27 66 13 59 6F
   . . .
   003D0: E7 77 70 BF 45 17 E1 F8 DD 1B 2C 05 64 AD 68 FC
   003E0: 4A 88 9A 48 B8 B1 FF 0E A4 E1 BB 70 4D 56 A4 75
   003F0: 2F 51 A5 82 CC 54 1A 80 8F 8C 8B 62 97 68 88 C8
   00400: 10 59 DE 41 27 63 A3 E0 99 9A CD DA 77
   ---------------------------------------------------------
   seqnum = 4096

   Application data:
   00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   . . .
   007D0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   007E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   007F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

   TLSPlaintext:
   00000: 17 03 03 08 00 00 00 00 00 00 00 00 00 00 00 00
   00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   . . .
   007D0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   007E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   007F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00800: 00 00 00 00 00

   K_MAC_4096:
   00000: FB 30 EE 53 CF CF 89 D7 48 FC 0C 72 EF 16 0B 8B
   00010: 53 CB BB FD 03 12 82 B0 26 21 4A B2 E0 77 58 FF

   MAC value:
   00000: 50 55 A2 6A BE 19 63 81

   K_ENC_4096:
   00000: ED F2 FD 02 47 71 60 23 83 09 00 2D 1D 57 DF 9F
   00010: D2 ED 18 D6 45 66 C7 6F 4B F0 3D 3A BF 7B BB 1E

   IV_4096:
   00000: 00 00 10 00

   TLSCiphertext:
   00000: 17 03 03 08 08 99 95 26 07 03 47 1D ED A2 E6 55
   00010: B6 B3 93 83 5E 33 8B 1E D0 0E DD 22 47 A2 FB 88
   00020: FB B7 A8 94 80 62 08 8A F3 2C AE B6 AA 2C 4F 2A
   . . .
   007D0: 7F 0B 24 61 E7 5F E1 06 34 B8 4D C5 70 35 72 5A
   007E0: CA 4F 0C BC A9 B0 6C B9 F7 6F BD 2F 80 46 2B 8D
   007F0: 77 5E BD 41 6F 63 41 39 AC 89 C2 ED 3D F1 9F E2
   00800: 4E F8 C0 5A A8 90 93 1B 01 86 FD 7D DF

A.1.2.2.
TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC ciphersuite

   TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC
   ***********************************************
   It is assumed that the following keys were established during the
   Handshake:

   - MAC key:
   00000: 00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A
   00010: 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00
   - Encryption key:
   00000: 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11
   00010: 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22
   - IV:
   00000: 00 00 00 00 00 00 00 00

   ---------------------------------------------------------
   seqnum = 0

   Application data:
   00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

   TLSPlaintext:
   00000: 17 03 03 00 0F 00 00 00 00 00 00 00 00 00 00 00
   00010: 00 00 00 00

   K_MAC_0:
   00000: 19 A7 6E D3 0F 4D 6D 1F 5B 72 63 EC 49 1A D8 38
   00010: 17 C0 B5 7D 8A 03 56 12 71 40 FB 4F 74 25 49 4D

   MAC value:
   00000: FD 17 19 DD 95 08 37 EB 7C 7B B8 F5 00 37 99 81

   K_ENC_0:
   00000: 58 AF BE 9A 4C 31 98 AA AB AA 26 92 C4 19 F1 79
   00010: 7C 9B 92 DE B3 CC 74 46 B3 63 57 71 13 F0 FB 56

   IV_0:
   00000: 00 00 00 00 00 00 00 00

   TLSCiphertext:
   00000: 17 03 03 00 1F 4D 1A 30 52 36 57 3B FF C1 4E 46
   00010: DC BE 74 6D B6 C9 9A 17 5A 81 C4 71 1E 2F 84 C3
   00020: 92 C5 40 7C

   ---------------------------------------------------------
   seqnum = 63

   Application data:
   00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   . . .
   00FD0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00FE0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00FF0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

   TLSPlaintext:
   00000: 17 03 03 10 00 00 00 00 00 00 00 00 00 00 00 00
   00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   . . .
   00FD0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00FE0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00FF0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   01000: 00 00 00 00 00

   K_MAC_63:
   00000: 19 A7 6E D3 0F 4D 6D 1F 5B 72 63 EC 49 1A D8 38
   00010: 17 C0 B5 7D 8A 03 56 12 71 40 FB 4F 74 25 49 4D

   MAC value:
   00000: 98 46 27 61 D0 26 24 4A 2C 0B 7D 1B CC CB E7 B0

   K_ENC_63:
   00000: 58 AF BE 9A 4C 31 98 AA AB AA 26 92 C4 19 F1 79
   00010: 7C 9B 92 DE B3 CC 74 46 B3 63 57 71 13 F0 FB 56

   IV_63:
   00000: 00 00 00 00 00 00 00 3F

   TLSCiphertext:
   00000: 17 03 03 10 10 12 93 51 D2 6E 14 07 13 A2 1B 37
   00010: 68 24 A2 23 17 CD C0 D8 8E 01 CF A3 FE 21 41 5F
   00020: 5C 5E 05 86 9C CF 38 A5 1B C2 E0 ED 68 94 46 A8
   . . .
   00FE0: 19 AD 99 8C 06 25 21 E6 7B 63 59 A4 F5 C8 16 F9
   00FF0: 47 6B A7 13 26 82 BB A8 CE 0B ED AD 65 E4 20 A2
   01000: 97 B6 E2 C6 1F A4 06 D9 B8 CA 36 FD 9F CD 3A EE
   01010: 24 78 F4 D1 96

   ---------------------------------------------------------
   seqnum = 64

   Application data:
   00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   . . .
   01FD0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   01FE0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   01FF0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

   TLSPlaintext:
   00000: 17 03 03 20 00 00 00 00 00 00 00 00 00 00 00 00
   00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   . . .
   01FD0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   01FE0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   01FF0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   02000: 00 00 00 00 00

   K_MAC_64:
   00000: AE BE 1E F4 18 71 3B F0 44 B9 FC D9 E5 72 D4 37
   00010: FB 38 B5 D8 29 56 7A 6F 79 18 39 6D 9F 4E 09 6B

   MAC value:
   00000: EA C3 97 87 84 2B 1D BD 60 80 CC 3F BF AE 5C 2F

   K_ENC_64:
   00000: 64 F5 5A FC 37 A1 74 D9 53 3E 70 8B CD 14 FA 4A
   00010: EE C3 7B C0 E3 2B A4 99 01 B4 66 9E 96 A6 3D 96

   IV_64:
   00000: 00 00 00 00 00 00 00 40

   TLSCiphertext:
   00000: 17 03 03 20 10 E6 66 BB 98 AC 5B 0F 39 31 D8 55
   00010: 1B 93 36 85 96 EE F0 EB A8 26 9C B8 BD AA E7 EB
   00020: 80 C8 30 D7 5A B7 D4 6C 25 06 DC 8B 83 E1 F2 D3
   . . .
   01FE0: B3 02 67 2C CB 02 86 CD 40 48 FB D5 38 1A 65 55
   01FF0: 26 11 25 51 01 4F A8 ED F5 C2 1B 7D 1D B3 9D 6B
   02000: AD EC 0D 7C 07 05 34 8B 5C 55 6C 4D 50 81 69 1A
   02010: A9 EC 36 F8 B5

A.1.3.  Handshake Examples

A.1.3.1.
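The record examples above, together with the Divers_i key vectors before them, expose three framing rules that can be checked without running any GOST primitive: the TLSCiphertext header carries the TLSPlaintext length plus one OMAC tag (8 bytes for Magma, 16 for Kuznyechik); with the all-zero base IV the examples use, IV_seqnum is just seqnum written big-endian into n/2 bytes; and the derived record keys only change when seqnum crosses a tree-level boundary (K_4095 equals K_0 but K_4096 differs for Magma, K_63 equals K_0 but K_64 differs for Kuznyechik, and the first-level key changes between seqnum 4294967295 and 4294967296). The Python below is an added example, not code from the draft or its authors; it checks those rules against header and IV bytes copied from the vectors. The level masks C_1..C_3 and the Suite/record_iv/tree_indices names are this example's own: the masks are an assumption taken from the cipher-suite definitions in the body of the draft rather than from this appendix, so verify them against the draft text before relying on them.

```python
"""Framing checks over the CTR-OMAC record examples and the Divers_i key
vectors of draft-smyshlyaev-tls12-gost-suites-05, Appendix A.1.
Added example, not the draft's code.  No GOST primitive is implemented:
Magma, Kuznyechik, OMAC and the key tree itself are out of scope; only
the structure the vectors expose is checked.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Suite:
    name: str
    block_bytes: int   # cipher block size n/8: 8 for Magma, 16 for Kuznyechik
    tag_bytes: int     # OMAC tag appended to each record (the vectors show 8 / 16)
    masks: tuple       # ASSUMPTION: (C_1, C_2, C_3) from the draft body, AND-ed
                       # with seqnum to select the level-1/2/3 keys


MAGMA = Suite("TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC", 8, 8,
              (0xFFFFFFFF00000000, 0xFFFFFFFFFE000000, 0xFFFFFFFFFFFFF000))
KUZNYECHIK = Suite("TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC", 16, 16,
                   (0xFFFFFFFF00000000, 0xFFFFFFFFFFF80000, 0xFFFFFFFFFFFFFFC0))


def tree_indices(seqnum, suite):
    """Per-level selectors for the record key.  Records whose selectors agree
    at every level use the same K_MAC/K_ENC; a change at level i forces a
    fresh Divers_i derivation for that level and every level below it."""
    if not 0 <= seqnum < 1 << 64:
        raise ValueError("seqnum is a 64-bit TLS sequence number")
    return tuple(seqnum & c for c in suite.masks)


def same_record_key(a, b, suite):
    return tree_indices(a, suite) == tree_indices(b, suite)


def record_iv(seqnum, suite, base_iv=None):
    """IV_seqnum as the examples show it: seqnum big-endian in n/2 bytes.
    Only the all-zero base IV of the examples is handled; how a non-zero
    handshake IV is combined with seqnum is defined in the draft body and
    deliberately not guessed here."""
    half = suite.block_bytes // 2
    if base_iv is None:
        base_iv = bytes(half)
    if len(base_iv) != half or any(base_iv):
        raise ValueError("only the all-zero base IV of the examples is supported")
    if seqnum >> (8 * half):
        raise ValueError("seqnum does not fit into the n/2-byte IV")
    return seqnum.to_bytes(half, "big")


def parse_record_header(hdr):
    """5-byte TLS record header -> (content type, version, length)."""
    if len(hdr) != 5:
        raise ValueError("need exactly the 5 header bytes")
    if hdr[1:3] != b"\x03\x03":
        raise ValueError("not a TLS 1.2 record header")
    return hdr[0], hdr[1:3], int.from_bytes(hdr[3:5], "big")


def ciphertext_framing_ok(plain_hdr, cipher_hdr, suite):
    """TLSCiphertext keeps the TLSPlaintext type and version and grows the
    length by exactly one OMAC tag: ENC(plaintext || MAC), nothing else."""
    ptype, pver, plen = parse_record_header(plain_hdr)
    ctype, cver, clen = parse_record_header(cipher_hdr)
    return (ptype, pver) == (ctype, cver) and clen == plen + suite.tag_bytes


# Header and IV bytes copied from the record examples above.
MAGMA_RECORDS = [      # (seqnum, TLSPlaintext header, TLSCiphertext header, IV)
    (0,    "1703030007", "170303000F", "00000000"),
    (4095, "1703030400", "1703030408", "00000FFF"),
    (4096, "1703030800", "1703030808", "00001000"),
]
KUZNYECHIK_RECORDS = [
    (0,  "170303000F", "170303001F", "0000000000000000"),
    (63, "1703031000", "1703031010", "000000000000003F"),
    (64, "1703032000", "1703032010", "0000000000000040"),
]


def check_examples(rows, suite):
    """True iff every example row obeys the framing and IV rules."""
    return all(ciphertext_framing_ok(bytes.fromhex(p), bytes.fromhex(c), suite)
               and record_iv(seq, suite) == bytes.fromhex(iv)
               for seq, p, c, iv in rows)


if __name__ == "__main__":
    for rows, suite in ((MAGMA_RECORDS, MAGMA), (KUZNYECHIK_RECORDS, KUZNYECHIK)):
        print(suite.name, "framing ok:", check_examples(rows, suite))
        for seq in (rows[1][0], rows[2][0]):
            print("  seqnum 0 and", seq, "share a record key:",
                  same_record_key(0, seq, suite))
```

The key-sharing checks are the ones worth keeping in a test suite: an implementation that re-derives too late reuses a key past its window, and one that re-derives too early disagrees with the peer and fails the MAC at the first boundary.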
TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC ciphersuite

   Server certificate curve OID:
   id-GostR3410-2001-CryptoPro-A-ParamSet, "1.2.643.2.2.35.1"

   Server public key Q_s:
   x = 0x6531D4A72E655BFC9DFB94293B260702
         82FABF10D5C49B7366148C60E0BF8167

   y = 0x37F8CC71DC5D917FC4A66F7826E72750
         8270B4FFC266C26CD4363E77B553A5B8

   Server private key d_s:
   0x5F308355DFD6A8ACAEE0837B100A3B1F
     6D63FB29B78EF27D3967757F0527144C

   ---------------------------Client---------------------------

   ClientHello message:
   msg_type: 01
   length: 000040
   body:
     client_version:
       major: 03
       minor: 03
     random: 933EA21EC3802A561550EC78D6ED51AC
             2439D7E749C31BC3A3456165889684CA
     session_id:
       length: 00
       vector: --
     cipher_suites:
       length: 0004
       vector:
         CipherSuite: C100
         CipherSuite: C101
     compression_methods:
       length: 01
       vector:
         CompressionMethod: 00
     extensions:
       length: 0013
       vector:
         Extension: /* signature_algorithms */
           extension_type: 000D
           extension_data:
             length: 0006
             vector:
               supported_signature_algorithms:
                 length: 0004
                 vector:
                   /* 1st pair of algorithms */
                   hash: 08
                   signature: 40
                   /* 2nd pair of algorithms */
                   hash: 08
                   signature: 41
         Extension: /* renegotiation_info */
           extension_type: FF01
           extension_data:
             length: 0001
             vector:
               renegotiated_connection:
                 length: 00
                 vector: --
         Extension: /* extended_master_secret */
           extension_type: 0017
           extension_data:
             length: 0000
             vector: --

   00000: 01 00 00 40 03 03 93 3E A2 1E C3 80 2A 56 15 50
   00010: EC 78 D6 ED 51 AC 24 39 D7 E7 49 C3 1B C3 A3 45
   00020: 61 65 88 96 84 CA 00 00 04 C1 00 C1 01 01 00 00
   00030: 13 00 0D 00 06 00 04 08 40 08 41 FF 01 00 01 00
   00040: 00 17 00 00

   Record layer message:
   type: 16
   version:
     major: 03
     minor: 03
   length: 0044
   fragment: 010000400303933EA21EC3802A561550
             EC78D6ED51AC2439D7E749C31BC3A345
             6165889684CA000004C100C101010000
             13000D0006000408400841FF01000100
             00170000

   00000: 16 03 03 00 44 01 00 00 40 03 03 93 3E A2 1E C3
   00010: 80 2A 56 15 50 EC 78 D6 ED 51 AC 24 39 D7 E7 49
   00020: C3 1B C3 A3 45 61 65 88 96 84 CA 00 00 04 C1 00
   00030: C1 01 01 00 00 13 00 0D 00 06 00 04 08 40 08 41
   00040: FF 01 00 01 00 00 17 00 00

   ---------------------------Server---------------------------

   ServerHello message:
   msg_type: 02
   length: 000041
   body:
     server_version:
       major: 03
       minor: 03
     random: 933EA21E49C31BC3A3456165889684CA
             A5576CE7924A24F58113808DBD9EF856
     session_id:
       length: 10
       vector: C3802A561550EC78D6ED51AC2439D7E7
     cipher_suite:
       CipherSuite: C101
     compression_method:
       CompressionMethod: 00
     extensions:
       length: 0009
       vector:
         Extension: /* renegotiation_info */
           extension_type: FF01
           extension_data:
             length: 0001
             vector:
               renegotiated_connection:
                 length: 00
                 vector: --
         Extension: /* extended_master_secret */
           extension_type: 0017
           extension_data:
             length: 0000
             vector: --

   00000: 02 00 00 41 03 03 93 3E A2 1E 49 C3 1B C3 A3 45
   00010: 61 65 88 96 84 CA A5 57 6C E7 92 4A 24 F5 81 13
   00020: 80 8D BD 9E F8 56 10 C3 80 2A 56 15 50 EC 78 D6
   00030: ED 51 AC 24 39 D7 E7 C1 01 00 00 09 FF 01 00 01
   00040: 00 00 17 00 00

   Record layer message:
   type: 16
   version:
     major: 03
     minor: 03
   length: 0045
   fragment: 020000410303933EA21E49C31BC3A345
             6165889684CAA5576CE7924A24F58113
             808DBD9EF85610C3802A561550EC78D6
             ED51AC2439D7E7C101000009FF010001
             0000170000

   00000: 16 03 03 00 45 02 00 00 41 03 03 93 3E A2 1E 49
   00010: C3 1B C3 A3 45 61 65 88 96 84 CA A5 57 6C E7 92
   00020: 4A 24 F5 81 13 80 8D BD 9E F8 56 10 C3 80 2A 56
   00030: 15 50 EC 78 D6 ED 51 AC 24 39 D7 E7 C1 01 00 00
   00040: 09 FF 01 00 01 00 00 17 00 00

   ---------------------------Server---------------------------

   Certificate message:
   msg_type: 0B
   length: 0001DB
   body:
     certificate_list:
       length: 0001D8
       vector:
         ASN.1Cert:
           length: 0001D5
           vector: 308201D13082017EA003020102020833
                   FBB2C0E9575A46300A06082A85030701
                   010302301F311D301B06035504030C14
                   . . .
                   797990E4B5452CF82FE1F19EE237B754
                   CBCD5078D752A28013DFFC8224AD114B
                   BD7C1BB71E480AD6EEF9857A8C99C595
                   9053EEDFE9

   00000: 0B 00 01 DB 00 01 D8 00 01 D5 30 82 01 D1 30 82
   00010: 01 7E A0 03 02 01 02 02 08 33 FB B2 C0 E9 57 5A
   00020: 46 30 0A 06 08 2A 85 03 07 01 01 03 02 30 1F 31
   00030: 1D 30 1B 06 03 55 04 03 0C 14 74 65 73 74 5F 73
   00040: 65 6C 66 73 69 67 6E 65 64 5F 63 65 72 74 30 1E
   00050: 17 0D 31 39 30 36 32 37 31 35 32 34 30 38 5A 17
   00060: 0D 32 30 31 32 31 38 31 35 33 34 30 38 5A 30 1F
   00070: 31 1D 30 1B 06 03 55 04 03 0C 14 74 65 73 74 5F
   00080: 73 65 6C 66 73 69 67 6E 65 64 5F 63 65 72 74 30
   00090: 66 30 1F 06 08 2A 85 03 07 01 01 01 01 30 13 06
   000A0: 07 2A 85 03 02 02 23 01 06 08 2A 85 03 07 01 01
   000B0: 02 02 03 43 00 04 40 67 81 BF E0 60 8C 14 66 73
   000C0: 9B C4 D5 10 BF FA 82 02 07 26 3B 29 94 FB 9D FC
   000D0: 5B 65 2E A7 D4 31 65 B8 A5 53 B5 77 3E 36 D4 6C
   000E0: C2 66 C2 FF B4 70 82 50 27 E7 26 78 6F A6 C4 7F
   000F0: 91 5D DC 71 CC F8 37 A3 81 96 30 81 93 30 1D 06
   00100: 03 55 1D 0E 04 16 04 14 E7 D0 0B B8 4D 8D 24 18
   00110: 29 3E 05 C1 7C E7 77 98 D4 8D 30 16 30 0E 06 03
   00120: 55 1D 0F 01 01 FF 04 04 03 02 01 C6 30 12 06 03
   00130: 55 1D 13 01 01 FF 04 08 30 06 01 01 FF 02 01 01
   00140: 30 4E 06 03 55 1D 23 04 47 30 45 80 14 E7 D0 0B
   00150: B8 4D 8D 24 18 29 3E 05 C1 7C E7 77 98 D4 8D 30
   00160: 16 A1 23 A4 21 30 1F 31 1D 30 1B 06 03 55 04 03
   00170: 0C 14 74 65 73 74 5F 73 65 6C 66 73 69 67 6E 65
   00180: 64 5F 63 65 72 74 82 08 33 FB B2 C0 E9 57 5A 46
   00190: 30 0A 06 08 2A 85 03 07 01 01 03 02 03 41 00 E2
   001A0: 88 44 F9 F1 C8 55 E2 DB 5B 19 79 79 90 E4 B5 45
   001B0: 2C F8 2F E1 F1 9E E2 37 B7 54 CB CD 50 78 D7 52
   001C0: A2 80 13 DF FC 82 24 AD 11 4B BD 7C 1B B7 1E 48
   001D0: 0A D6 EE F9 85 7A 8C 99 C5 95 90 53 EE DF E9

   Record layer message:
   type: 16
   version:
     major: 03
     minor: 03
   length: 01DF
   fragment: 0B0001DB0001D80001D5308201D13082
             017EA003020102020833FBB2C0E9575A
             46300A06082A85030701010302301F31
             . . .
             8844F9F1C855E2DB5B19797990E4B545
             2CF82FE1F19EE237B754CBCD5078D752
             A28013DFFC8224AD114BBD7C1BB71E48
             0AD6EEF9857A8C99C5959053EEDFE9

   00000: 16 03 03 01 DF 0B 00 01 DB 00 01 D8 00 01 D5 30
   00010: 82 01 D1 30 82 01 7E A0 03 02 01 02 02 08 33 FB
   00020: B2 C0 E9 57 5A 46 30 0A 06 08 2A 85 03 07 01 01
   00030: 03 02 30 1F 31 1D 30 1B 06 03 55 04 03 0C 14 74
   00040: 65 73 74 5F 73 65 6C 66 73 69 67 6E 65 64 5F 63
   00050: 65 72 74 30 1E 17 0D 31 39 30 36 32 37 31 35 32
   00060: 34 30 38 5A 17 0D 32 30 31 32 31 38 31 35 33 34
   00070: 30 38 5A 30 1F 31 1D 30 1B 06 03 55 04 03 0C 14
   00080: 74 65 73 74 5F 73 65 6C 66 73 69 67 6E 65 64 5F
   00090: 63 65 72 74 30 66 30 1F 06 08 2A 85 03 07 01 01
   000A0: 01 01 30 13 06 07 2A 85 03 02 02 23 01 06 08 2A
   000B0: 85 03 07 01 01 02 02 03 43 00 04 40 67 81 BF E0
   000C0: 60 8C 14 66 73 9B C4 D5 10 BF FA 82 02 07 26 3B
   000D0: 29 94 FB 9D FC 5B 65 2E A7 D4 31 65 B8 A5 53 B5
   000E0: 77 3E 36 D4 6C C2 66 C2 FF B4 70 82 50 27 E7 26
   000F0: 78 6F A6 C4 7F 91 5D DC 71 CC F8 37 A3 81 96 30
   00100: 81 93 30 1D 06 03 55 1D 0E 04 16 04 14 E7 D0 0B
   00110: B8 4D 8D 24 18 29 3E 05 C1 7C E7 77 98 D4 8D 30
   00120: 16 30 0E 06 03 55 1D 0F 01 01 FF 04 04 03 02 01
   00130: C6 30 12 06 03 55 1D 13 01 01 FF 04 08 30 06 01
   00140: 01 FF 02 01 01 30 4E 06 03 55 1D 23 04 47 30 45
   00150: 80 14 E7 D0 0B B8 4D 8D 24 18 29 3E 05 C1 7C E7
   00160: 77 98 D4 8D 30 16 A1 23 A4 21 30 1F 31 1D 30 1B
   00170: 06 03 55 04 03 0C 14 74 65 73 74 5F 73 65 6C 66
   00180: 73 69 67 6E 65 64 5F 63 65 72 74 82 08 33 FB B2
   00190: C0 E9 57 5A 46 30 0A 06 08 2A 85 03 07 01 01 03
   001A0: 02 03 41 00 E2 88 44 F9 F1 C8 55 E2 DB 5B 19 79
   001B0: 79 90 E4 B5 45 2C F8 2F E1 F1 9E E2 37 B7 54 CB
   001C0: CD 50 78 D7 52 A2 80 13 DF FC 82 24 AD 11 4B BD
   001D0: 7C 1B B7 1E 48 0A D6 EE F9 85 7A 8C 99 C5 95 90
   001E0: 53 EE DF E9

   ---------------------------Server---------------------------

   ServerHelloDone message:
   msg_type: 0E
   length: 000000
   body: --

   00000: 0E 00 00 00

   Record layer message:
   type: 16
   version:
     major: 03
     minor: 03
   length: 0004
   fragment: 0E000000

   00000: 16 03 03 00 04 0E 00 00 00

   ---------------------------Client---------------------------
   PMS:
   00000: A5 57 6C E7 92 4A 24 F5 81 13 80 8D BD 9E F8 56
   00010: F5 BD C3 B1 83 CE 5D AD CA 36 A5 3A A0 77 65 1D

   Random d_eph value:
   0xA5C77C7482373DE16CE4A6F73CCE7F78
     471493FF2C0709B8B706C9E8A25E6C1E

   Q_eph ephemeral key:
   x = 0xA8F36D63D262A203978F1B3B6795CDBB
         F1AE7FB8EF7F47F1F18871C198E00793

   y = 0x34CA5D6B4485640EA195435993BEB1F8
         B016ED610496B5CC175AC2EA1F14F887

   HASH(r_c | r_s):
   00000: C3 EF 04 28 D4 B7 A1 F4 C5 02 5F 2E 65 DD 2B 2E
   00010: A5 83 AE EF DB 67 C7 F4 21 4A 6A 29 8E 99 E3 25

   Export key generation. r value:
   0xC3EF0428D4B7A1F4C5025F2E65DD2B2E

   Export key generation. UKM value:
   0xC3EF0428D4B7A1F4C5025F2E65DD2B2E

   seed:
   00000: A5 83 AE EF DB 67 C7 F4

   K_EXP:
   00000: 1E 58 54 90 E8 65 FF D1 8F 18 D7 C0 A0 4D 0E E8
   00010: 4F 1A 5D 79 7C EF AD A0 1B 1E 3B 7F DB 90 E0 29

   Export keys K_Exp_MAC | K_Exp_ENC used in the KExp15 algorithm:
   00000: 2D 8B A8 C8 4C B2 32 FF 41 F1 0C 3A D9 24 13 42
   00010: 23 25 4F 71 E5 69 6D 3D 29 C3 E4 C9 DA A6 B2 93
   00020: 84 9E B6 34 0B FF AE 69 28 A3 C3 E4 FF 92 EC CB
   00030: 1E 8F 0C F7 A1 88 36 8E 6B 74 8E 52 EA 37 8B 0C

   IV:
   00000: 21 4A 6A 29

   PMSEXP:
   00000: D7 F0 F0 42 23 67 86 7B 25 FA 42 33 A9 54 F5 8B
   00010: DE 92 E9 C9 BB FB 88 16 C9 9F 15 E6 39 87 22 A0
   00020: B2 B7 BF E8 49 3E 9A 5C

   ---------------------------Client---------------------------
   ClientKeyExchange message:
   msg_type: 10
   length: 000095
   body:
     exchange_keys: 3081920428D7F0F0422367867B25FA42
                    33A954F58BDE92E9C9BBFB8816C99F15
                    E6398722A0B2B7BFE8493E9A5C306630
                    . . .
                    EFB87FAEF1BBCD95673B1B8F9703A262
                    D2636DF3A887F8141FEAC25A17CCB596
                    0461ED16B0F8B1BE93594395A10E6485
                    446B5DCA34

   00000: 10 00 00 95 30 81 92 04 28 D7 F0 F0 42 23 67 86
   00010: 7B 25 FA 42 33 A9 54 F5 8B DE 92 E9 C9 BB FB 88
   00020: 16 C9 9F 15 E6 39 87 22 A0 B2 B7 BF E8 49 3E 9A
   00030: 5C 30 66 30 1F 06 08 2A 85 03 07 01 01 01 01 30
   00040: 13 06 07 2A 85 03 02 02 23 01 06 08 2A 85 03 07
   00050: 01 01 02 02 03 43 00 04 40 93 07 E0 98 C1 71 88
   00060: F1 F1 47 7F EF B8 7F AE F1 BB CD 95 67 3B 1B 8F
   00070: 97 03 A2 62 D2 63 6D F3 A8 87 F8 14 1F EA C2 5A
   00080: 17 CC B5 96 04 61 ED 16 B0 F8 B1 BE 93 59 43 95
   00090: A1 0E 64 85 44 6B 5D CA 34

   Record layer message:
   type: 16
   version:
     major: 03
     minor: 03
   length: 0099
   fragment: 100000953081920428D7F0F042236786
             7B25FA4233A954F58BDE92E9C9BBFB88
             16C99F15E6398722A0B2B7BFE8493E9A
             . . .
             F1F1477FEFB87FAEF1BBCD95673B1B8F
             9703A262D2636DF3A887F8141FEAC25A
             17CCB5960461ED16B0F8B1BE93594395
             A10E6485446B5DCA34

   00000: 16 03 03 00 99 10 00 00 95 30 81 92 04 28 D7 F0
   00010: F0 42 23 67 86 7B 25 FA 42 33 A9 54 F5 8B DE 92
   00020: E9 C9 BB FB 88 16 C9 9F 15 E6 39 87 22 A0 B2 B7
   00030: BF E8 49 3E 9A 5C 30 66 30 1F 06 08 2A 85 03 07
   00040: 01 01 01 01 30 13 06 07 2A 85 03 02 02 23 01 06
   00050: 08 2A 85 03 07 01 01 02 02 03 43 00 04 40 93 07
   00060: E0 98 C1 71 88 F1 F1 47 7F EF B8 7F AE F1 BB CD
   00070: 95 67 3B 1B 8F 97 03 A2 62 D2 63 6D F3 A8 87 F8
   00080: 14 1F EA C2 5A 17 CC B5 96 04 61 ED 16 B0 F8 B1
   00090: BE 93 59 43 95 A1 0E 64 85 44 6B 5D CA 34

   ---------------------------Server---------------------------

   PMSEXP extracted:
   00000: D7 F0 F0 42 23 67 86 7B 25 FA 42 33 A9 54 F5 8B
   00010: DE 92 E9 C9 BB FB 88 16 C9 9F 15 E6 39 87 22 A0
   00020: B2 B7 BF E8 49 3E 9A 5C

   HASH(r_c | r_s):
   00000: C3 EF 04 28 D4 B7 A1 F4 C5 02 5F 2E 65 DD 2B 2E
   00010: A5 83 AE EF DB 67 C7 F4 21 4A 6A 29 8E 99 E3 25

   Export key generation. r value:
   0xC3EF0428D4B7A1F4C5025F2E65DD2B2E

   Export key generation. UKM value:
   0xC3EF0428D4B7A1F4C5025F2E65DD2B2E

   seed:
   00000: A5 83 AE EF DB 67 C7 F4

   K_EXP:
   00000: 1E 58 54 90 E8 65 FF D1 8F 18 D7 C0 A0 4D 0E E8
   00010: 4F 1A 5D 79 7C EF AD A0 1B 1E 3B 7F DB 90 E0 29

   Import keys K_Imp_MAC | K_Imp_ENC used in the KImp15 algorithm:
   00000: 2D 8B A8 C8 4C B2 32 FF 41 F1 0C 3A D9 24 13 42
   00010: 23 25 4F 71 E5 69 6D 3D 29 C3 E4 C9 DA A6 B2 93
   00020: 84 9E B6 34 0B FF AE 69 28 A3 C3 E4 FF 92 EC CB
   00030: 1E 8F 0C F7 A1 88 36 8E 6B 74 8E 52 EA 37 8B 0C

   IV:
   00000: 21 4A 6A 29

   PMS:
   00000: A5 57 6C E7 92 4A 24 F5 81 13 80 8D BD 9E F8 56
   00010: F5 BD C3 B1 83 CE 5D AD CA 36 A5 3A A0 77 65 1D

   ---------------------------Client---------------------------

   HASH(HM):
   00000: 7E 1F 59 D3 64 9D B6 09 00 EA 4F 8A 58 5A 65 7A
   00010: 92 77 B3 04 50 58 4C F5 43 51 19 8C DE A3 0C 49

   MS:
   00000: FD D2 7C B4 04 AD 4E 44 49 68 4F 7C 55 90 E9 E7
   00010: 02 EF 41 01 93 3B 52 77 A4 A9 6D F5 00 B0 7C C3
   00020: 32 4F D8 A6 D9 07 CB B0 3D F3 FB 33 1F 1C 4D 0C

   Client connection key material
   K_write_MAC|K_read_MAC|K_write_ENC|K_read_ENC|IV_write|IV_read:
   00000: DD 4E 10 17 E3 09 1F FD 86 75 65 8A 78 00 90 09
   00010: 3B BE 69 EC A6 93 31 5C A8 5B E0 A6 14 3D C9 F8
   00020: 1D 64 D0 23 46 5F 8B EA 17 F8 12 F8 C2 D8 BF C0
   00030: D9 BB AB A7 B4 DF D3 A1 7C E0 E1 3B 2D 63 65 F3
   00040: FC 8B 34 59 CF 54 FE 44 9A 04 07 64 53 73 08 00
   00050: 75 10 32 55 9D 07 B6 C4 EA C6 75 48 71 BC 97 8A
   00060: B9 0E 2A EE 98 77 14 BB D8 F7 57 AE F7 84 FF 24
   00070: 47 B3 94 2E B4 3E 26 35 73 1C 4C 28 22 D0 2D 79
   00080: 2B 6A 81 3F 93 ED A6 FA

   ---------------------------Server---------------------------

   HASH(HM):
   00000: 7E 1F 59 D3 64 9D B6 09 00 EA 4F 8A 58 5A 65 7A
   00010: 92 77 B3 04 50 58 4C F5 43 51 19 8C DE A3 0C 49

   MS:
   00000: FD D2 7C B4 04 AD 4E 44 49 68 4F 7C 55 90 E9 E7
   00010: 02 EF 41 01 93 3B 52 77 A4 A9 6D F5 00 B0 7C C3
   00020: 32 4F D8 A6 D9 07 CB B0 3D F3 FB 33 1F 1C 4D 0C

   Server connection key material
   K_read_MAC|K_write_MAC|K_read_ENC|K_write_ENC|IV_read|IV_write:
   00000: DD 4E 10 17 E3 09 1F FD 86 75 65 8A 78 00 90 09
   00010: 3B BE 69 EC A6 93 31 5C A8 5B E0 A6 14 3D C9 F8
   00020: 1D 64 D0 23 46 5F 8B EA 17 F8 12 F8 C2 D8 BF C0
   00030: D9 BB AB A7 B4 DF D3 A1 7C E0 E1 3B 2D 63 65 F3
   00040: FC 8B 34 59 CF 54 FE 44 9A 04 07 64 53 73 08 00
   00050: 75 10 32 55 9D 07 B6 C4 EA C6 75 48 71 BC 97 8A
   00060: B9 0E 2A EE 98 77 14 BB D8 F7 57 AE F7 84 FF 24
   00070: 47 B3 94 2E B4 3E 26 35 73 1C 4C 28 22 D0 2D 79
   00080: 2B 6A 81 3F 93 ED A6 FA

   ---------------------------Client---------------------------

   ChangeCipherSpec message:
   type: 01

   00000: 01

   Record layer message:
   type: 14
   version:
     major: 03
     minor: 03
   length: 0001
   fragment: 01

   00000: 14 03 03 00 01 01

   ---------------------------Client---------------------------

   HASH(HM):
   00000: 7E 1F 59 D3 64 9D B6 09 00 EA 4F 8A 58 5A 65 7A
   00010: 92 77 B3 04 50 58 4C F5 43 51 19 8C DE A3 0C 49

   client_verify_data:
   00000: B4 61 C5 AD 25 EA 1E 62 B3 70 BD 1F 1B CB 16 91
   00010: FC CC BA 37 8B BC 13 43 BE 54 B3 8D F5 53 B7 A5

   ---------------------------Client---------------------------

   Finished message:
   msg_type: 14
   length: 000020
   body:
     verify_data: B461C5AD25EA1E62B370BD1F1BCB1691
                  FCCCBA378BBC1343BE54B38DF553B7A5

   00000: 14 00 00 20 B4 61 C5 AD 25 EA 1E 62 B3 70 BD 1F
   00010: 1B CB 16 91 FC CC BA 37 8B BC 13 43 BE 54 B3 8D
   00020: F5 53 B7 A5

   Record layer message:
   type: 16
   version:
     major: 03
     minor: 03
   length: 002C
   fragment: 0C630271D4DA39DD8D6BD040302D9B8F
             33D5F7B967EED155F7D65592892C03C7
             885C249B1225B184AB4D5DBF

   00000: 16 03 03 00 2C 0C 63 02 71 D4 DA 39 DD 8D 6B D0
   00010: 40 30 2D 9B 8F 33 D5 F7 B9 67 EE D1 55 F7 D6 55
   00020: 92 89 2C 03 C7 88 5C 24 9B 12 25 B1 84 AB 4D 5D
   00030: BF

   ---------------------------Server---------------------------

   ChangeCipherSpec message:
   type: 01

   00000: 01

   Record layer message:
   type: 14
   version:
     major: 03
     minor: 03
   length: 0001
   fragment: 01

   00000: 14 03 03 00 01 01

   ---------------------------Server---------------------------

   HASH(HM):
   00000: DB D7 D8 93 82 4A ED FD D5 FB 7B 75 4B 47 E1 E6
   00010: AF E0 77 DA E6 D1 13 63 42 07 C7 EE 0F C6 F3 B1

   server_verify_data:
   00000: 45 39 EC 8D 0A F7 B1 A6 20 41 AB 43 4A 43 77 71
   00010: D3 4C 47 19 D8 6E BB FD 0F 28 C3 E9 53 55 0C D0

   ---------------------------Server---------------------------

   Finished message:
   msg_type: 14
   length: 000020
   body:
     verify_data: 4539EC8D0AF7B1A62041AB434A437771
                  D34C4719D86EBBFD0F28C3E953550CD0

   00000: 14 00 00 20 45 39 EC 8D 0A F7 B1 A6 20 41 AB 43
   00010: 4A 43 77 71 D3 4C 47 19 D8 6E BB FD 0F 28 C3 E9
   00020: 53 55 0C D0

   Record layer message:
   type: 16
   version:
     major: 03
     minor: 03
   length: 002C
   fragment: E6A94A4BF70886566A2316811E57B483
             BB1E47950A1FF820A80DCA77A4DF9954
             2DAB6953F3ED03D95CCA4748

   00000: 16 03 03 00 2C E6 A9 4A 4B F7 08 86 56 6A 23 16
   00010: 81 1E 57 B4 83 BB 1E 47 95 0A 1F F8 20 A8 0D CA
   00020: 77 A4 DF 99 54 2D AB 69 53 F3 ED 03 D9 5C CA 47
   00030: 48

   ---------------------------Client---------------------------

   Application data:
   00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

   Record layer message:
   type: 17
   version:
     major: 03
     minor: 03
   length: 0028
   fragment: 38807B6E5E0C3F4F7E0DBF7758031BF0
             7F100C4B63ADBC75F49BCBF428572D37
             7CAED097336DB203

   00000: 17 03 03 00 28 38 80 7B 6E 5E 0C 3F 4F 7E 0D BF
   00010: 77 58 03 1B F0 7F 10 0C 4B 63 AD BC 75 F4 9B CB
   00020: F4 28 57 2D 37 7C AE D0 97 33 6D B2 03

   ---------------------------Server---------------------------

   Application data:
   00000: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
   00010: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF

   Record layer message:
   type: 17
   version:
     major: 03
     minor: 03
   length: 0028
   fragment: 05B869E5C979C3B9D4837B8E39D9BBEE
             1BBD0052D3D48340D0CDE082B33BC07F
             4E742D1113249AD8

   00000: 17 03 03 00 28 05 B8 69 E5 C9 79 C3 B9 D4 83 7B
   00010: 8E 39 D9 BB EE 1B BD 00 52 D3 D4 83 40 D0 CD E0
   00020: 82 B3 3B C0 7F 4E 74 2D 11 13 24 9A D8

   ---------------------------Client---------------------------

   close_notify alert:
   Alert:
     level: 01
     description: 00

   00000: 01 00

   Record layer message:
   type: 15
   version:
     major: 03
     minor: 03
   length: 000A
   fragment: 4F2A0807A0374E28C632

   00000: 15 03 03 00 0A 4F 2A 08 07 A0 37 4E 28 C6 32

   ---------------------------Server---------------------------

   close_notify alert:
   Alert:
     level: 01
     description: 00

   00000: 01 00

   Record layer message:
   type: 15
   version:
     major: 03
     minor: 03
   length: 000A
   fragment: 999468B49AC5B0DE512C

   00000: 15 03 03 00 0A 99 94 68 B4 9A C5 B0 DE 51 2C

A.1.3.2.
TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC ciphersuite

   Server certificate curve OID:
   id-tc26-gost-3410-2012-512-paramSetC, "1.2.643.7.1.2.1.2.3"

   Server public key Q_s:
   x = 0xF14589DA479AD972C66563669B3FF580
         92E6A30A288BF447CD9FF6C3133E9724
         7A9706B267703C9B4E239F0D7C7E3310
         C22D2752B35BD2E4FD39B8F11DEB833A

   y = 0xF305E95B36502D4E60A1059FB20AB30B
         FC7C95727F3A2C04B1DFDDB53B0413F2
         99F2DFE66A5E1CCB4101A7A01D612BE6
         BD78E1E3B3D567EBB16ABE587A11F4EA

   Server private key d_s:
   0x12FD7A70067479A0F66C59F9A25534AD
     FBC7ABFD3CC72D79806F8B402601644B
     3005ED365A2D8989A8CCAE640D5FC08D
     D27DFBBFE137CF528E1AC6D445192E01

   Client certificate curve OID:
   id-tc26-gost-3410-2012-256-paramSetA, "1.2.643.7.1.2.1.1.1"

   Client public key Q_c:
   x = 0x0F5DB18A9E15F324B778676025BFD7B5
         DF066566EABAA1C51CD879F87B0B4975

   y = 0x9EE5BBF18361F842D3F087DEC2943939
         E0FA2BFB4EDEC25A8D10ABB22C48F386

   Client private key d_c:
   0x0918AD3F7D209ABF89F1E8505DA894CE
     E10DA09D32E72E815D9C0ADA30B5A103

   ---------------------------Client---------------------------

   ClientHello message:
   msg_type: 01
   length: 000040
   body:
     client_version:
       major: 03
       minor: 03
     random: 933EA21EC3802A561550EC78D6ED51AC
             2439D7E749C31BC3A3456165889684CA
     session_id:
       length: 00
       vector: --
     cipher_suites:
       length: 0004
       vector:
         CipherSuite: C100
         CipherSuite: C101
     compression_methods:
       length: 01
       vector:
         CompressionMethod: 00
     extensions:
       length: 0013
       vector:
         Extension: /* signature_algorithms */
           extension_type: 000D
           extension_data:
             length: 0006
             vector:
               supported_signature_algorithms:
                 length: 0004
                 vector:
                   /* 1st pair of algorithms */
                   hash: 08
                   signature: 40
                   /* 2nd pair of algorithms */
                   hash: 08
                   signature: 41
         Extension: /* renegotiation_info */
           extension_type: FF01
           extension_data:
             length: 0001
             vector:
               renegotiated_connection:
                 length: 00
                 vector: --
         Extension: /* extended_master_secret */
           extension_type: 0017
           extension_data:
             length: 0000
             vector: --

   00000: 01 00 00 40 03 03 93 3E A2 1E C3 80 2A 56 15 50
   00010: EC 78 D6 ED 51 AC 24 39 D7 E7 49 C3 1B C3 A3 45
   00020: 61 65 88 96 84 CA 00 00 04 C1 00 C1 01 01 00 00
   00030: 13 00 0D 00 06 00 04 08 40 08 41 FF 01 00 01 00
   00040: 00 17 00 00

   Record layer message:
   type: 16
   version:
     major: 03
     minor: 03
   length: 0044
   fragment: 010000400303933EA21EC3802A561550
             EC78D6ED51AC2439D7E749C31BC3A345
             6165889684CA000004C100C101010000
             13000D0006000408400841FF01000100
             00170000

   00000: 16 03 03 00 44 01 00 00 40 03 03 93 3E A2 1E C3
   00010: 80 2A 56 15 50 EC 78 D6 ED 51 AC 24 39 D7 E7 49
   00020: C3 1B C3 A3 45 61 65 88 96 84 CA 00 00 04 C1 00
   00030: C1 01 01 00 00 13 00 0D 00 06 00 04 08 40 08 41
   00040: FF 01 00 01 00 00 17 00 00

   ---------------------------Server---------------------------

   ServerHello message:
   msg_type: 02
   length: 000041
   body:
     server_version:
       major: 03
       minor: 03
     random: 933EA21E49C31BC3A3456165889684CA
             A5576CE7924A24F58113808DBD9EF856
     session_id:
       length: 10
       vector: C3802A561550EC78D6ED51AC2439D7E7
     cipher_suite:
       CipherSuite: C100
     compression_method:
       CompressionMethod: 00
     extensions:
       length: 0009
       vector:
         Extension: /* renegotiation_info */
           extension_type: FF01
           extension_data:
             length: 0001
             vector:
               renegotiated_connection:
                 length: 00
                 vector: --
         Extension: /* extended_master_secret */
           extension_type: 0017
           extension_data:
             length: 0000
             vector: --

   00000: 02 00 00 41 03 03 93 3E A2 1E 49 C3 1B C3 A3 45
   00010: 61 65 88 96 84 CA A5 57 6C E7 92 4A 24 F5 81 13
   00020: 80 8D BD 9E F8 56 10 C3 80 2A 56 15 50 EC 78 D6
   00030: ED 51 AC 24 39 D7 E7 C1 00 00 00 09 FF 01 00 01
   00040: 00 00 17 00 00

   Record layer message:
   type: 16
   version:
     major: 03
     minor: 03
   length: 0045
   fragment: 020000410303933EA21E49C31BC3A345
             6165889684CAA5576CE7924A24F58113
             808DBD9EF85610C3802A561550EC78D6
             ED51AC2439D7E7C100000009FF010001
             0000170000

   00000: 16 03 03 00 45 02 00 00 41 03 03 93 3E A2 1E 49
   00010: C3 1B C3 A3 45 61 65 88 96 84 CA A5 57 6C E7 92
   00020: 4A 24 F5 81 13 80 8D BD 9E F8 56 10 C3 80 2A 56
   00030: 15 50 EC 78 D6 ED 51 AC 24 39 D7 E7 C1 00 00 00
   00040: 09 FF 01 00 01 00 00 17 00 00

   ---------------------------Server---------------------------

   Certificate message:
   msg_type: 0B
   length: 00024C
   body:
     certificate_list:
       length: 000249
       vector:
         ASN.1Cert:
           length: 000246
           vector: 30820242308201AEA003020102020101
                   300A06082A850307010103033042312C
                   302A06092A864886F70D010901161D74
                   . . .
                   371AF83C5BC58B366DFEFA7345D50317
                   867C177AC84AC07EE8612164629AB7BD
                   C48AA0F64A741FE7298E82C5BFCE8672
                   029F875391F7

   00000: 0B 00 02 4C 00 02 49 00 02 46 30 82 02 42 30 82
   00010: 01 AE A0 03 02 01 02 02 01 01 30 0A 06 08 2A 85
   00020: 03 07 01 01 03 03 30 42 31 2C 30 2A 06 09 2A 86
   00030: 48 86 F7 0D 01 09 01 16 1D 74 6C 73 31 32 5F 73
   00040: 65 72 76 65 72 35 31 32 43 40 63 72 79 70 74 6F
   00050: 70 72 6F 2E 72 75 31 12 30 10 06 03 55 04 03 13
   00060: 09 53 65 72 76 65 72 35 31 32 30 1E 17 0D 31 37
   00070: 30 35 32 35 30 39 32 35 31 38 5A 17 0D 33 30 30
   00080: 35 30 31 30 39 32 35 31 38 5A 30 42 31 2C 30 2A
   00090: 06 09 2A 86 48 86 F7 0D 01 09 01 16 1D 74 6C 73
   000A0: 31 32 5F 73 65 72 76 65 72 35 31 32 43 40 63 72
   000B0: 79 70 74 6F 70 72 6F 2E 72 75 31 12 30 10 06 03
   000C0: 55 04 03 13 09 53 65 72 76 65 72 35 31 32 30 81
   000D0: AA 30 21 06 08 2A 85 03 07 01 01 01 02 30 15 06
   000E0: 09 2A 85 03 07 01 02 01 02 03 06 08 2A 85 03 07
   000F0: 01 01 02 03 03 81 84 00 04 81 80 3A 83 EB 1D F1
   00100: B8 39 FD E4 D2 5B B3 52 27 2D C2 10 33 7E 7C 0D
   00110: 9F 23 4E 9B 3C 70 67 B2 06 97 7A 24 97 3E 13 C3
   00120: F6 9F CD 47 F4 8B 28 0A A3 E6 92 80 F5 3F 9B 66
   00130: 63 65 C6 72 D9 9A 47 DA 89 45 F1 EA F4 11 7A 58
   00140: BE 6A B1 EB 67 D5 B3 E3 E1 78 BD E6 2B 61 1D A0
   00150: A7 01 41 CB 1C 5E 6A E6 DF F2 99 F2 13 04 3B B5
   00160: DD DF B1 04 2C 3A 7F 72 95 7C FC 0B B3 0A B2 9F
   00170: 05 A1 60 4E 2D 50 36 5B E9 05 F3 A3 43 30 41 30
   00180: 1D 06 03 55 1D 0E 04 16 04 14 87 9C C6 5A 0F 4A
   00190: 89 CB 4A 58 49 DF 05 61 56 9B AA DC 11 69 30 0B
   001A0: 06 03 55 1D 0F 04 04 03 02 03 28 30 13 06 03 55
   001B0: 1D 25 04 0C 30 0A 06 08 2B 06 01 05 05 07 03 01
   001C0: 30 0A 06 08 2A 85 03 07 01 01 03 03 03 81 81 00
   001D0: 35 BE 38 51 EC B6 E9 2D 32 40 01 81 0F 8C 89 03
   001E0: 52 42 F4 05 46 9F 4C 4E CB 05 02 7C 57 E2 71 52
   001F0: 12 AF D7 CD BB 0C ED 7A 8B 4D 33 42 CC 50 1A BD
   00200: 99 99 75 A5 8A DE 0E 58 4F CA 35 F5 2E 45 58 B7
   00210: 31 1D 49 D0 A0 51 32 79 F7 39 37 1A F8 3C 5B C5
   00220: 8B 36 6D FE FA 73 45 D5 03 17 86 7C 17 7A C8 4A
   00230: C0 7E E8 61 21 64 62 9A B7 BD C4 8A A0 F6 4A 74
   00240: 1F E7 29 8E 82 C5 BF CE 86 72 02 9F 87 53 91 F7

   Record layer message:
   type: 16
   version:
     major: 03
     minor: 03
   length: 0250
   fragment: 0B00024C000249000246308202423082
             01AEA003020102020101300A06082A85
             0307010103033042312C302A06092A86
             . . .
             8B366DFEFA7345D50317867C177AC84A
             C07EE8612164629AB7BDC48AA0F64A74
             1FE7298E82C5BFCE8672029F875391F7

   00000: 16 03 03 02 50 0B 00 02 4C 00 02 49 00 02 46 30
   00010: 82 02 42 30 82 01 AE A0 03 02 01 02 02 01 01 30
   00020: 0A 06 08 2A 85 03 07 01 01 03 03 30 42 31 2C 30
   00030: 2A 06 09 2A 86 48 86 F7 0D 01 09 01 16 1D 74 6C
   00040: 73 31 32 5F 73 65 72 76 65 72 35 31 32 43 40 63
   00050: 72 79 70 74 6F 70 72 6F 2E 72 75 31 12 30 10 06
   00060: 03 55 04 03 13 09 53 65 72 76 65 72 35 31 32 30
   00070: 1E 17 0D 31 37 30 35 32 35 30 39 32 35 31 38 5A
   00080: 17 0D 33 30 30 35 30 31 30 39 32 35 31 38 5A 30
   00090: 42 31 2C 30 2A 06 09 2A 86 48 86 F7 0D 01 09 01
   000A0: 16 1D 74 6C 73 31 32 5F 73 65 72 76 65 72 35 31
   000B0: 32 43 40 63 72 79 70 74 6F 70 72 6F 2E 72 75 31
   000C0: 12 30 10 06 03 55 04 03 13 09 53 65 72 76 65 72
   000D0: 35 31 32 30 81 AA 30 21 06 08 2A 85 03 07 01 01
   000E0: 01 02 30 15 06 09 2A 85 03 07 01 02 01 02 03 06
   000F0: 08 2A 85 03 07 01 01 02 03 03 81 84 00 04 81 80
   00100: 3A 83 EB 1D F1 B8 39 FD E4 D2 5B B3 52 27 2D C2
   00110: 10 33 7E 7C 0D 9F 23 4E 9B 3C 70 67 B2 06 97 7A
   00120: 24 97 3E 13 C3 F6 9F CD 47 F4 8B 28 0A A3 E6 92
   00130: 80 F5 3F 9B 66 63 65 C6 72 D9 9A 47 DA 89 45 F1
   00140: EA F4 11 7A 58 BE 6A B1 EB 67 D5 B3 E3 E1 78 BD
   00150: E6 2B 61 1D A0 A7 01
41 CB 1C 5E 6A E6 DF F2 99 2787 00160: F2 13 04 3B B5 DD DF B1 04 2C 3A 7F 72 95 7C FC 2788 00170: 0B B3 0A B2 9F 05 A1 60 4E 2D 50 36 5B E9 05 F3 2789 00180: A3 43 30 41 30 1D 06 03 55 1D 0E 04 16 04 14 87 2790 00190: 9C C6 5A 0F 4A 89 CB 4A 58 49 DF 05 61 56 9B AA 2791 001A0: DC 11 69 30 0B 06 03 55 1D 0F 04 04 03 02 03 28 2792 001B0: 30 13 06 03 55 1D 25 04 0C 30 0A 06 08 2B 06 01 2793 001C0: 05 05 07 03 01 30 0A 06 08 2A 85 03 07 01 01 03 2794 001D0: 03 03 81 81 00 35 BE 38 51 EC B6 E9 2D 32 40 01 2795 001E0: 81 0F 8C 89 03 52 42 F4 05 46 9F 4C 4E CB 05 02 2796 001F0: 7C 57 E2 71 52 12 AF D7 CD BB 0C ED 7A 8B 4D 33 2797 00200: 42 CC 50 1A BD 99 99 75 A5 8A DE 0E 58 4F CA 35 2798 00210: F5 2E 45 58 B7 31 1D 49 D0 A0 51 32 79 F7 39 37 2799 00220: 1A F8 3C 5B C5 8B 36 6D FE FA 73 45 D5 03 17 86 2800 00230: 7C 17 7A C8 4A C0 7E E8 61 21 64 62 9A B7 BD C4 2801 00240: 8A A0 F6 4A 74 1F E7 29 8E 82 C5 BF CE 86 72 02 2802 00250: 9F 87 53 91 F7 2804 ---------------------------Server--------------------------- 2806 CertificateRequest message: 2807 msg_type: 0D 2808 length: 00000B 2809 body: 2810 certificate_types: 2811 length: 02 2812 vector: 2813 /* gost_sign256 */ 2814 43 2815 /* gost_sign512 */ 2816 44 2817 supported_signature_algorithms: 2818 length: 0004 2819 vector: 2820 /* 1 pair of algorithms */ 2821 hash: 08 2822 signature: 40 2823 /* 2 pair of algorithms */ 2824 hash: 08 2825 signature: 41 2826 certificate_authorities: 2827 length: 0000 2828 vector: -- 2830 00000: 0D 00 00 0B 02 43 44 00 04 08 40 08 41 00 00 2832 Record layer message: 2833 type: 16 2834 version: 2835 major: 03 2836 minor: 03 2837 length: 000F 2838 fragment: 0D00000B0243440004084008410000 2840 00000: 16 03 03 00 0F 0D 00 00 0B 02 43 44 00 04 08 40 2841 00010: 08 41 00 00 2843 ---------------------------Server--------------------------- 2845 ServerHelloDone message: 2846 msg_type: 0E 2847 length: 000000 2848 body: -- 2850 00000: 0E 00 00 00 2852 Record layer message: 2853 type: 16 2854 version: 
2855 major: 03 2856 minor: 03 2857 length: 0004 2858 fragment: 0E000000 2860 00000: 16 03 03 00 04 0E 00 00 00 2862 ---------------------------Client--------------------------- 2864 Certificate message: 2865 msg_type: 0B 2866 length: 0001EA 2867 body: 2868 certificate_list: 2869 length: 0001E7 2870 vector: 2871 ASN.1Cert: 2872 length: 0001E4 2873 vector: 308201E03082018DA003020102020101 2874 300A06082A850307010103023053312E 2875 302C06092A864886F70D010901161F74 2876 . . . 2877 C1CAB43AC01AFB0F3451BDC2DB188BBC 2878 B77884251CDF6037BA830F4B31D5E96F 2879 DC9BC1C95ABE658266C48402E070DE1F 2880 292724E8 2882 00000: 0B 00 01 EA 00 01 E7 00 01 E4 30 82 01 E0 30 82 2883 00010: 01 8D A0 03 02 01 02 02 01 01 30 0A 06 08 2A 85 2884 00020: 03 07 01 01 03 02 30 53 31 2E 30 2C 06 09 2A 86 2885 00030: 48 86 F7 0D 01 09 01 16 1F 74 6C 73 31 32 5F 63 2886 00040: 6C 69 65 6E 74 32 35 36 41 5F 45 40 63 72 79 70 2887 00050: 74 6F 70 72 6F 2E 72 75 31 21 30 1F 06 03 55 04 2888 00060: 03 1E 18 00 43 00 6C 00 69 00 65 00 6E 00 74 00 2889 00070: 32 00 35 00 36 00 41 00 5F 00 45 30 1E 17 0D 31 2890 00080: 37 30 35 32 35 30 39 33 31 31 38 5A 17 0D 33 30 2891 00090: 30 35 30 31 30 39 33 31 31 38 5A 30 53 31 2E 30 2892 000A0: 2C 06 09 2A 86 48 86 F7 0D 01 09 01 16 1F 74 6C 2893 000B0: 73 31 32 5F 63 6C 69 65 6E 74 32 35 36 41 5F 45 2894 000C0: 40 63 72 79 70 74 6F 70 72 6F 2E 72 75 31 21 30 2895 000D0: 1F 06 03 55 04 03 1E 18 00 43 00 6C 00 69 00 65 2896 000E0: 00 6E 00 74 00 32 00 35 00 36 00 41 00 5F 00 45 2897 000F0: 30 68 30 21 06 08 2A 85 03 07 01 01 01 01 30 15 2898 00100: 06 09 2A 85 03 07 01 02 01 01 01 06 08 2A 85 03 2899 00110: 07 01 01 02 02 03 43 00 04 40 75 49 0B 7B F8 79 2900 00120: D8 1C C5 A1 BA EA 66 65 06 DF B5 D7 BF 25 60 67 2901 00130: 78 B7 24 F3 15 9E 8A B1 5D 0F 86 F3 48 2C B2 AB 2902 00140: 10 8D 5A C2 DE 4E FB 2B FA E0 39 39 94 C2 DE 87 2903 00150: F0 D3 42 F8 61 83 F1 BB E5 9E A3 43 30 41 30 1D 2904 00160: 06 03 55 1D 0E 04 16 04 14 74 49 1E 77 30 D3 42 2905 00170: A6 
28 0E 72 A1 13 9D D9 90 8B FA F1 03 30 0B 06 2906 00180: 03 55 1D 0F 04 04 03 02 07 80 30 13 06 03 55 1D 2907 00190: 25 04 0C 30 0A 06 08 2B 06 01 05 05 07 03 02 30 2908 001A0: 0A 06 08 2A 85 03 07 01 01 03 02 03 41 00 1C 2D 2909 001B0: 35 22 B4 11 02 D6 20 1F 23 50 C1 CA B4 3A C0 1A 2910 001C0: FB 0F 34 51 BD C2 DB 18 8B BC B7 78 84 25 1C DF 2911 001D0: 60 37 BA 83 0F 4B 31 D5 E9 6F DC 9B C1 C9 5A BE 2912 001E0: 65 82 66 C4 84 02 E0 70 DE 1F 29 27 24 E8 2914 Record layer message: 2915 type: 16 2916 version: 2917 major: 03 2918 minor: 03 2919 length: 01EE 2920 fragment: 0B0001EA0001E70001E4308201E03082 2921 018DA003020102020101300A06082A85 2922 0307010103023053312E302C06092A86 2923 . . . 2924 3522B41102D6201F2350C1CAB43AC01A 2925 FB0F3451BDC2DB188BBCB77884251CDF 2926 6037BA830F4B31D5E96FDC9BC1C95ABE 2927 658266C48402E070DE1F292724E8 2929 00000: 16 03 03 01 EE 0B 00 01 EA 00 01 E7 00 01 E4 30 2930 00010: 82 01 E0 30 82 01 8D A0 03 02 01 02 02 01 01 30 2931 00020: 0A 06 08 2A 85 03 07 01 01 03 02 30 53 31 2E 30 2932 00030: 2C 06 09 2A 86 48 86 F7 0D 01 09 01 16 1F 74 6C 2933 00040: 73 31 32 5F 63 6C 69 65 6E 74 32 35 36 41 5F 45 2934 00050: 40 63 72 79 70 74 6F 70 72 6F 2E 72 75 31 21 30 2935 00060: 1F 06 03 55 04 03 1E 18 00 43 00 6C 00 69 00 65 2936 00070: 00 6E 00 74 00 32 00 35 00 36 00 41 00 5F 00 45 2937 00080: 30 1E 17 0D 31 37 30 35 32 35 30 39 33 31 31 38 2938 00090: 5A 17 0D 33 30 30 35 30 31 30 39 33 31 31 38 5A 2939 000A0: 30 53 31 2E 30 2C 06 09 2A 86 48 86 F7 0D 01 09 2940 000B0: 01 16 1F 74 6C 73 31 32 5F 63 6C 69 65 6E 74 32 2941 000C0: 35 36 41 5F 45 40 63 72 79 70 74 6F 70 72 6F 2E 2942 000D0: 72 75 31 21 30 1F 06 03 55 04 03 1E 18 00 43 00 2943 000E0: 6C 00 69 00 65 00 6E 00 74 00 32 00 35 00 36 00 2944 000F0: 41 00 5F 00 45 30 68 30 21 06 08 2A 85 03 07 01 2945 00100: 01 01 01 30 15 06 09 2A 85 03 07 01 02 01 01 01 2946 00110: 06 08 2A 85 03 07 01 01 02 02 03 43 00 04 40 75 2947 00120: 49 0B 7B F8 79 D8 1C C5 A1 BA EA 66 65 06 DF B5 2948 00130: D7 
BF 25 60 67 78 B7 24 F3 15 9E 8A B1 5D 0F 86
00140: F3 48 2C B2 AB 10 8D 5A C2 DE 4E FB 2B FA E0 39
00150: 39 94 C2 DE 87 F0 D3 42 F8 61 83 F1 BB E5 9E A3
00160: 43 30 41 30 1D 06 03 55 1D 0E 04 16 04 14 74 49
00170: 1E 77 30 D3 42 A6 28 0E 72 A1 13 9D D9 90 8B FA
00180: F1 03 30 0B 06 03 55 1D 0F 04 04 03 02 07 80 30
00190: 13 06 03 55 1D 25 04 0C 30 0A 06 08 2B 06 01 05
001A0: 05 07 03 02 30 0A 06 08 2A 85 03 07 01 01 03 02
001B0: 03 41 00 1C 2D 35 22 B4 11 02 D6 20 1F 23 50 C1
001C0: CA B4 3A C0 1A FB 0F 34 51 BD C2 DB 18 8B BC B7
001D0: 78 84 25 1C DF 60 37 BA 83 0F 4B 31 D5 E9 6F DC
001E0: 9B C1 C9 5A BE 65 82 66 C4 84 02 E0 70 DE 1F 29
001F0: 27 24 E8

---------------------------Client---------------------------

PMS value:
00000: A5 57 6C E7 92 4A 24 F5 81 13 80 8D BD 9E F8 56
00010: F5 BD C3 B1 83 CE 5D AD CA 36 A5 3A A0 77 65 1D

Random d_eph value:
0x150ACD11B66DD695AD18418FA7A2DC63
  6B7E29DCA24536AABC826EE3175BB1FA
  DC3AA0D01D3092E120B0FCF7EB872F4B
  7E26EA17849D689222A48CF95A6E4831

Q_eph ephemeral key:
x = 0xC941BE5193189B476D5A0334114A3E04
      BBE5B37C738AE40F150B334135288664
      FEBFC5622818894A07B1F7AD60E28480
      B4B637B90EA7D4BA980186B605D75BC6

y = 0xA154F7B93E8148652011F4FD52C9A06A
      6471ADB28D0A949AE26BC786DE874153
      ABC00B35164F3214A8A83C00ECE27831
      B093528456234EFE766224FC2A7E9ABE

HASH (r_c | r_s):
00000: C3 EF 04 28 D4 B7 A1 F4 C5 02 5F 2E 65 DD 2B 2E
00010: A5 83 AE EF DB 67 C7 F4 21 4A 6A 29 8E 99 E3 25

Export key generation. r value:
0xC3EF0428D4B7A1F4C5025F2E65DD2B2E

Export key generation. UKM value:
0xC3EF0428D4B7A1F4C5025F2E65DD2B2E

Export keys K_Exp_MAC | K_Exp_ENC used in KExp15 algorithm:
00000: 7D AC 56 E4 8A 4D C1 70 FA A8 FC BA E2 0D B8 45
00010: 45 0C CC C4 C6 32 8B DC 8D 01 15 7C EF A2 A5 F1
00020: 1F 1C BA D8 86 61 66 F0 1F FA AB 01 52 E2 4B F4
00030: 60 9D 5F 46 A5 C8 99 C7 87 90 0D 08 B9 FC AD 24

IV:
00000: 21 4A 6A 29 8E 99 E3 25

PMSEXP:
00000: 25 0D 1B 67 A2 70 AB 04 D3 F6 54 18 E1 D3 80 B4
00010: CB 94 5F 0A 3D CA 51 50 0C F3 A1 BE F3 7F 76 C0
00020: 73 41 A9 83 9C CF 6C BA 71 89 DA 61 EB 67 17 6C

---------------------------Client---------------------------

ClientKeyExchange message:
  msg_type: 10
  length: 0000E2
  body:
    exchange_keys: 3081DF0430250D1B67A270AB04D3F654
                   18E1D380B4CB945F0A3DCA51500CF3A1
                   BEF37F76C07341A9839CCF6CBA7189DA
                   . . .
                   93B03178E2EC003CA8A814324F16350B
                   C0AB534187DE86C76BE29A940A8DB2AD
                   71646AA0C952FDF411206548813EB9F7
                   54A1

00000: 10 00 00 E2 30 81 DF 04 30 25 0D 1B 67 A2 70 AB
00010: 04 D3 F6 54 18 E1 D3 80 B4 CB 94 5F 0A 3D CA 51
00020: 50 0C F3 A1 BE F3 7F 76 C0 73 41 A9 83 9C CF 6C
00030: BA 71 89 DA 61 EB 67 17 6C 30 81 AA 30 21 06 08
00040: 2A 85 03 07 01 01 01 02 30 15 06 09 2A 85 03 07
00050: 01 02 01 02 03 06 08 2A 85 03 07 01 01 02 03 03
00060: 81 84 00 04 81 80 C6 5B D7 05 B6 86 01 98 BA D4
00070: A7 0E B9 37 B6 B4 80 84 E2 60 AD F7 B1 07 4A 89
00080: 18 28 62 C5 BF FE 64 86 28 35 41 33 0B 15 0F E4
00090: 8A 73 7C B3 E5 BB 04 3E 4A 11 34 03 5A 6D 47 9B
000A0: 18 93 51 BE 41 C9 BE 9A 7E 2A FC 24 62 76 FE 4E
000B0: 23 56 84 52 93 B0 31 78 E2 EC 00 3C A8 A8 14 32
000C0: 4F 16 35 0B C0 AB 53 41 87 DE 86 C7 6B E2 9A 94
000D0: 0A 8D B2 AD 71 64 6A A0 C9 52 FD F4 11 20 65 48
000E0: 81 3E B9 F7 54 A1

Record layer message:
  type: 16
  version:
    major: 03
    minor: 03
  length: 00E6
  fragment: 100000E23081DF0430250D1B67A270AB
            04D3F65418E1D380B4CB945F0A3DCA51
            500CF3A1BEF37F76C07341A9839CCF6C
            . . .
            2356845293B03178E2EC003CA8A81432
            4F16350BC0AB534187DE86C76BE29A94
            0A8DB2AD71646AA0C952FDF411206548
            813EB9F754A1

00000: 16 03 03 00 E6 10 00 00 E2 30 81 DF 04 30 25 0D
00010: 1B 67 A2 70 AB 04 D3 F6 54 18 E1 D3 80 B4 CB 94
00020: 5F 0A 3D CA 51 50 0C F3 A1 BE F3 7F 76 C0 73 41
00030: A9 83 9C CF 6C BA 71 89 DA 61 EB 67 17 6C 30 81
00040: AA 30 21 06 08 2A 85 03 07 01 01 01 02 30 15 06
00050: 09 2A 85 03 07 01 02 01 02 03 06 08 2A 85 03 07
00060: 01 01 02 03 03 81 84 00 04 81 80 C6 5B D7 05 B6
00070: 86 01 98 BA D4 A7 0E B9 37 B6 B4 80 84 E2 60 AD
00080: F7 B1 07 4A 89 18 28 62 C5 BF FE 64 86 28 35 41
00090: 33 0B 15 0F E4 8A 73 7C B3 E5 BB 04 3E 4A 11 34
000A0: 03 5A 6D 47 9B 18 93 51 BE 41 C9 BE 9A 7E 2A FC
000B0: 24 62 76 FE 4E 23 56 84 52 93 B0 31 78 E2 EC 00
000C0: 3C A8 A8 14 32 4F 16 35 0B C0 AB 53 41 87 DE 86
000D0: C7 6B E2 9A 94 0A 8D B2 AD 71 64 6A A0 C9 52 FD
000E0: F4 11 20 65 48 81 3E B9 F7 54 A1

---------------------------Server---------------------------

PMSEXP extracted:
00000: 25 0D 1B 67 A2 70 AB 04 D3 F6 54 18 E1 D3 80 B4
00010: CB 94 5F 0A 3D CA 51 50 0C F3 A1 BE F3 7F 76 C0
00020: 73 41 A9 83 9C CF 6C BA 71 89 DA 61 EB 67 17 6C

HASH(r_c | r_s):
00000: C3 EF 04 28 D4 B7 A1 F4 C5 02 5F 2E 65 DD 2B 2E
00010: A5 83 AE EF DB 67 C7 F4 21 4A 6A 29 8E 99 E3 25

Export key generation. r value:
0xC3EF0428D4B7A1F4C5025F2E65DD2B2E

Export key generation. UKM value:
0xC3EF0428D4B7A1F4C5025F2E65DD2B2E

Export keys K_Exp_MAC | K_Exp_ENC used in KImp15 algorithm:
00000: 7D AC 56 E4 8A 4D C1 70 FA A8 FC BA E2 0D B8 45
00010: 45 0C CC C4 C6 32 8B DC 8D 01 15 7C EF A2 A5 F1
00020: 1F 1C BA D8 86 61 66 F0 1F FA AB 01 52 E2 4B F4
00030: 60 9D 5F 46 A5 C8 99 C7 87 90 0D 08 B9 FC AD 24

IV:
00000: 21 4A 6A 29 8E 99 E3 25

PMS:
00000: A5 57 6C E7 92 4A 24 F5 81 13 80 8D BD 9E F8 56
00010: F5 BD C3 B1 83 CE 5D AD CA 36 A5 3A A0 77 65 1D

---------------------------Client---------------------------

Random value k used in signature generation:
0x163962EEA268203E7C6B3F70BF8D4A36
  34CE6E2CFC424687951D70ACE0B4292A

Signature value sgn_c = SIGN_d_c(HM):
00000: F7 1F 43 62 45 5B C5 5B A8 9A 8F AF 01 82 88 EC
00010: 00 B3 27 17 48 2E 76 24 B2 57 D9 79 7C 8F F6 02
00020: E3 15 FD BD 8D E5 6D 08 54 18 04 0E 1B 61 BB F6
00030: B3 01 AC 26 3D 50 03 8B 30 31 13 DB 36 17 50 3A

---------------------------Client---------------------------

CertificateVerify message:
  msg_type: 0F
  length: 000044
  body:
    algorithm:
      hash: 08
      signature: 40
    signature:
      length: 0040
      vector: F71F4362455BC55BA89A8FAF018288EC
              00B32717482E7624B257D9797C8FF602
              E315FDBD8DE56D085418040E1B61BBF6
              B301AC263D50038B303113DB3617503A

00000: 0F 00 00 44 08 40 00 40 F7 1F 43 62 45 5B C5 5B
00010: A8 9A 8F AF 01 82 88 EC 00 B3 27 17 48 2E 76 24
00020: B2 57 D9 79 7C 8F F6 02 E3 15 FD BD 8D E5 6D 08
00030: 54 18 04 0E 1B 61 BB F6 B3 01 AC 26 3D 50 03 8B
00040: 30 31 13 DB 36 17 50 3A

Record layer message:
  type: 16
  version:
    major: 03
    minor: 03
  length: 0048
  fragment: 0F00004408400040F71F4362455BC55B
            A89A8FAF018288EC00B32717482E7624
            B257D9797C8FF602E315FDBD8DE56D08
            5418040E1B61BBF6B301AC263D50038B
            303113DB3617503A

00000: 16 03 03 00 48 0F 00 00 44
08 40 00 40 F7 1F 43 3150 00010: 62 45 5B C5 5B A8 9A 8F AF 01 82 88 EC 00 B3 27 3151 00020: 17 48 2E 76 24 B2 57 D9 79 7C 8F F6 02 E3 15 FD 3152 00030: BD 8D E5 6D 08 54 18 04 0E 1B 61 BB F6 B3 01 AC 3153 00040: 26 3D 50 03 8B 30 31 13 DB 36 17 50 3A 3155 ---------------------------Client--------------------------- 3157 HASH(HM): 3158 00000: 9D 64 0D D8 B2 54 6B 87 05 CC 3E 67 F3 BB 83 2F 3159 00010: 89 2A 5B D5 D4 5C A0 44 85 01 14 C2 E6 56 02 69 3161 MS: 3162 00000: E3 18 17 B0 EC 7F 3B C9 4A 8B C4 5F 89 12 DE C5 3163 00010: 71 2A 7A 34 78 56 31 C0 4B AE 81 43 EE 17 90 B4 3164 00020: C9 D3 68 0F 6C 9D E1 70 74 58 C8 75 62 4D B6 ED 3166 Client connection key material 3167 K_write_MAC|K_read_MAC|K_write_ENC|K_read_ENC|IV_write|IV_read: 3168 00000: 50 52 5D 33 4E F7 00 6C 1D ED B8 B8 08 EA 03 CC 3169 00010: CF 1F CB 3D 33 65 F9 72 E1 7C 7C 31 4E DD 97 90 3170 00020: 6C 74 35 22 0A A1 B0 C6 DE 6A 1B 0F AC 29 B6 17 3171 00030: 9E B3 23 86 62 25 E0 7F 30 4C A1 D1 27 75 86 29 3172 00040: 7B 97 20 5D 7A 08 C2 CD 7F 60 3C 09 46 75 E6 C4 3173 00050: CC 15 F2 84 0D 9A EC 63 F0 2A FF 51 DB D5 74 D2 3174 00060: 76 6C 77 2B 83 2F CE 58 CB 4D E5 49 88 77 A6 7A 3175 00070: A4 51 40 B2 ED 52 6E 61 65 0A 28 1B 32 56 35 BC 3176 00080: CB 8E F9 4C 5B DF 5B 9F 47 48 B9 5B F1 B0 E0 BF 3177 ---------------------------Server--------------------------- 3179 HASH(HM): 3180 00000: 9D 64 0D D8 B2 54 6B 87 05 CC 3E 67 F3 BB 83 2F 3181 00010: 89 2A 5B D5 D4 5C A0 44 85 01 14 C2 E6 56 02 69 3183 MS: 3184 00000: E3 18 17 B0 EC 7F 3B C9 4A 8B C4 5F 89 12 DE C5 3185 00010: 71 2A 7A 34 78 56 31 C0 4B AE 81 43 EE 17 90 B4 3186 00020: C9 D3 68 0F 6C 9D E1 70 74 58 C8 75 62 4D B6 ED 3188 Server connection key material 3189 K_read_MAC|K_write_MAC|K_read_ENC|K_write_ENC|IV_read|IV_write: 3190 00000: 50 52 5D 33 4E F7 00 6C 1D ED B8 B8 08 EA 03 CC 3191 00010: CF 1F CB 3D 33 65 F9 72 E1 7C 7C 31 4E DD 97 90 3192 00020: 6C 74 35 22 0A A1 B0 C6 DE 6A 1B 0F AC 29 B6 17 3193 00030: 9E B3 23 86 62 25 E0 7F 
30 4C A1 D1 27 75 86 29 3194 00040: 7B 97 20 5D 7A 08 C2 CD 7F 60 3C 09 46 75 E6 C4 3195 00050: CC 15 F2 84 0D 9A EC 63 F0 2A FF 51 DB D5 74 D2 3196 00060: 76 6C 77 2B 83 2F CE 58 CB 4D E5 49 88 77 A6 7A 3197 00070: A4 51 40 B2 ED 52 6E 61 65 0A 28 1B 32 56 35 BC 3198 00080: CB 8E F9 4C 5B DF 5B 9F 47 48 B9 5B F1 B0 E0 BF 3200 ---------------------------Client--------------------------- 3202 ChangeCipherSpec message: 3203 type: 01 3205 00000: 01 3207 Record layer message: 3208 type: 14 3209 version: 3210 major: 03 3211 minor: 03 3212 length: 0001 3213 fragment: 01 3215 00000: 14 03 03 00 01 01 3217 ---------------------------Client--------------------------- 3219 HASH(HM): 3220 00000: 9D 64 0D D8 B2 54 6B 87 05 CC 3E 67 F3 BB 83 2F 3221 00010: 89 2A 5B D5 D4 5C A0 44 85 01 14 C2 E6 56 02 69 3222 client_verify_data: 3223 00000: 62 DA B6 48 52 0C 44 96 2D 1E 60 29 70 57 FA E1 3224 00010: F3 01 E0 8A 68 A2 36 CA F0 EE 2A 2C 81 1B 14 EC 3226 ---------------------------Client--------------------------- 3228 Finished message: 3229 msg_type: 14 3230 length: 000020 3231 body: 3232 verify_data: 62DAB648520C44962D1E60297057FAE1 3233 F301E08A68A236CAF0EE2A2C811B14EC 3235 00000: 14 00 00 20 62 DA B6 48 52 0C 44 96 2D 1E 60 29 3236 00010: 70 57 FA E1 F3 01 E0 8A 68 A2 36 CA F0 EE 2A 2C 3237 00020: 81 1B 14 EC 3239 Record layer message: 3240 type: 16 3241 version: 3242 major: 03 3243 minor: 03 3244 length: 0034 3245 fragment: 4DC53D65A479742A92EC2D98E3287F22 3246 4C0382DCCE405A32BF671EB5AEB09611 3247 CA72AE8AE792116CEB1B77A9E135783D 3248 A0709535 3250 00000: 16 03 03 00 34 4D C5 3D 65 A4 79 74 2A 92 EC 2D 3251 00010: 98 E3 28 7F 22 4C 03 82 DC CE 40 5A 32 BF 67 1E 3252 00020: B5 AE B0 96 11 CA 72 AE 8A E7 92 11 6C EB 1B 77 3253 00030: A9 E1 35 78 3D A0 70 95 35 3255 ---------------------------Server--------------------------- 3257 ChangeCipherSpec message: 3258 type: 01 3260 00000: 01 3262 Record layer message: 3263 type: 14 3264 version: 3265 major: 03 3266 minor: 03 3267 
length: 0001 3268 fragment: 01 3270 00000: 14 03 03 00 01 01 3272 ---------------------------Server--------------------------- 3274 HASH(HM): 3275 00000: C1 62 4B ED F2 83 75 1A 28 9B 90 9E 3E C5 00 14 3276 00010: 2B 7E 7B 76 46 CD 37 68 15 3B 87 D9 C5 F6 AA 07 3278 server_verify_data: 3279 00000: B3 38 7A B1 8B 9E F0 74 8A B7 14 B0 10 DC B5 27 3280 00010: 75 02 EF AF 7D 70 A6 1D 70 11 4E 9C 06 C5 D7 52 3282 ---------------------------Server--------------------------- 3284 Finished message: 3285 msg_type: 14 3286 length: 000020 3287 body: 3288 verify_data: B3387AB18B9EF0748AB714B010DCB527 3289 7502EFAF7D70A61D70114E9C06C5D752 3291 00000: 14 00 00 20 B3 38 7A B1 8B 9E F0 74 8A B7 14 B0 3292 00010: 10 DC B5 27 75 02 EF AF 7D 70 A6 1D 70 11 4E 9C 3293 00020: 06 C5 D7 52 3295 Record layer message: 3296 type: 16 3297 version: 3298 major: 03 3299 minor: 03 3300 length: 0034 3301 fragment: F9887C36F91DCBD3520D944F249AA466 3302 F9D55CA04EB61DB418529BB58889FB82 3303 74F05644ABA588B8F248C31C511E4C1E 3304 229F9EA6 3306 00000: 16 03 03 00 34 F9 88 7C 36 F9 1D CB D3 52 0D 94 3307 00010: 4F 24 9A A4 66 F9 D5 5C A0 4E B6 1D B4 18 52 9B 3308 00020: B5 88 89 FB 82 74 F0 56 44 AB A5 88 B8 F2 48 C3 3309 00030: 1C 51 1E 4C 1E 22 9F 9E A6 3311 ---------------------------Client--------------------------- 3312 Application data: 3313 00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3314 00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3316 Record layer message: 3317 type: 17 3318 version: 3319 major: 03 3320 minor: 03 3321 length: 0030 3322 fragment: F14F06FB8557408846080690E7A5525D 3323 1C6E9C901D24025486AB79728BF63D06 3324 5C09C27233006D65CFF0B5BA87504969 3326 00000: 17 03 03 00 30 F1 4F 06 FB 85 57 40 88 46 08 06 3327 00010: 90 E7 A5 52 5D 1C 6E 9C 90 1D 24 02 54 86 AB 79 3328 00020: 72 8B F6 3D 06 5C 09 C2 72 33 00 6D 65 CF F0 B5 3329 00030: BA 87 50 49 69 3331 ---------------------------Server--------------------------- 3333 Application data: 3334 00000: FF FF FF FF FF FF 
FF FF FF FF FF FF FF FF FF FF
00010: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF

Record layer message:
  type: 17
  version:
    major: 03
    minor: 03
  length: 0030
  fragment: 1561E52A8B6DB258746FFE18F3CDCB11
            1D0173AF2E5C13741C99BFF13B47CD32
            B3CED856A9506E706A2340D5841AB114

00000: 17 03 03 00 30 15 61 E5 2A 8B 6D B2 58 74 6F FE
00010: 18 F3 CD CB 11 1D 01 73 AF 2E 5C 13 74 1C 99 BF
00020: F1 3B 47 CD 32 B3 CE D8 56 A9 50 6E 70 6A 23 40
00030: D5 84 1A B1 14

---------------------------Client---------------------------

close_notify alert:
  Alert:
    level: 01
    description: 00

00000: 01 00

Record layer message:
  type: 15
  version:
    major: 03
    minor: 03
  length: 0012
  fragment: E530C164642A078CEF528CB465E9DA7E
            AD4D

00000: 15 03 03 00 12 E5 30 C1 64 64 2A 07 8C EF 52 8C
00010: B4 65 E9 DA 7E AD 4D

---------------------------Server---------------------------

close_notify alert:
  Alert:
    level: 01
    description: 00

00000: 01 00

Record layer message:
  type: 15
  version:
    major: 03
    minor: 03
  length: 0012
  fragment: EB62E5AB78BF2A4B678920A11027EC43
            0C3F

00000: 15 03 03 00 12 EB 62 E5 AB 78 BF 2A 4B 67 89 20
00010: A1 10 27 EC 43 0C 3F

A.2. Test Examples for CNT_IMIT cipher suites

A.2.1. Record Examples

It is assumed that the following keys were established during the
Handshake:

- MAC key:
  00000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
  00010: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
- Encryption key:
  00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
- IV:
  00000: 00 00 00 00 00 00 00 00

---------------------------------------------------------
seqnum = 0

Application data:
00000: 00 00 00 00 00 00 00

Plaintext:
00000: 17 03 03 00 07 00 00 00 00 00 00 00

MAC:
00000: 30 01 34 a1

Ciphertext:
00000: 17 03 03 00 0b 86 71 cd bf 3c 1a ae 0f 62 4b 04

---------------------------------------------------------
seqnum = 1

Application data:
00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
....
007f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Plaintext:
00000: 17 03 03 08 00 00 00 00 00 00 00 00 00 00 00 00
00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
....
007f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00804: 00 00 00 00 00

MAC:
00000: f7 c3 8b 8a

Ciphertext:
00000: 17 03 03 08 04 cf aa 0c b4 2f a5 a4 7a 13 3d 73
00010: b9 f2 c0 b0 4f 8c a2 55 52 f8 56 bc be 6a 58 fa
....
007f0: 3e e2 c7 6f a2 30 a0 44 be 21 dc 8e 1a 96 f9 a8
00804: 88 1f ad 83 45 96 96 84 47

A.2.2. Handshake Examples

Server certificate curve OID:
id-tc26-gost-3410-12-512-paramSetA, "1.2.643.7.1.2.1.2.1"

Server public key Q_s:
x = 0x16DB0566C0278AC8204143994824236D
      97F36A13D5433E990B2EAC859D2E9B7A
      E054794655389158B8242923E3841B14
      24FD89F221701C89D9A3BF6A9F946795

y = 0xD01E80DEC5BD23C8BC6B85F12BBB1635
      A5AE7AD50DE24FB8FD02CB285A4AE65A
      7D6FBB99AAFFDA80629826F2F7F73282
      220444761615A06D082077C4A00FD4CF

Server private key d_s:
0x5F1E83AFA2C4CB2C5633C51380E84E37
  4B013EE7C238330709080CE914B442D4
  34EB016D23FB63FEDC18B62D9DA93D26
  B3B9CE6F663B383303BD5930ED41608B

---------------------------Client---------------------------

ClientHello message:
  msg_type: 01
  length: 00003a
  body:
    client_version:
      major: 03
      minor: 03
    random: 6A523D6880DCC2DC75CCC43CFD04B616
            F5C3757B8077B76A9B504949FD3BFDB8
    session_id:
      length: 00
      vector: --
    cipher_suites:
      length: 0002
      vector:
        CipherSuite: C102
    compression_methods:
      length: 01
      vector:
        CompressionMethod: 00
    extensions:
      length: 000F
      Extension: /* signature_algorithms */
        extension_type: 000D
        extension_data:
          length: 0006
          vector:
            supported_signature_algorithms:
              length: 0004
              vector:
                /* 1 pair of algorithms */
                hash: 08
                signature: 41
                /* 2 pair of algorithms */
                hash: 08
                signature: 40
      Extension: /* renegotiation_info */
        extension_type: FF01
        extension_data:
          length: 0001
          vector:
            renegotiated_connection:
              length: 00
              vector: --

00000: 01 00 00 3A 03 03 6A 52 3D 68 80 DC C2 DC 75 CC
00010: C4 3C FD 04 B6 16 F5 C3 75 7B 80 77 B7 6A 9B 50
00020: 49 49 FD 3B FD B8 00 00 02 C1 02 01 00 00 0F 00
00030: 0D 00 06 00 04 08 41 08 40 FF 01 00 01 00

Record layer message:
  type: 16
  version:
    major: 03
    minor: 03
     length: 003e
     fragment: 0100003A03036A523D6880DCC2DC75CC
               C43CFD04B616F5C3757B8077B76A9B50
               4949FD3BFDB8000002C1020100000F00
               0D0006000408410840FF01000100

   00000: 16 03 03 00 3E 01 00 00 3A 03 03 6A 52 3D 68 80
   00010: DC C2 DC 75 CC C4 3C FD 04 B6 16 F5 C3 75 7B 80
   00020: 77 B7 6A 9B 50 49 49 FD 3B FD B8 00 00 02 C1 02
   00030: 01 00 00 0F 00 0D 00 06 00 04 08 41 08 40 FF 01
   00040: 00 01 00

   ---------------------------Server---------------------------

   ServerHello message:
     msg_type: 02
     length: 00004D
     body:
       client_version:
         major: 03
         minor: 03
       random: FE92C9516D0E1A67A04C33CD7F2C90B1
               5E76DCC30815C19F92A6D100915AF2DB
       session_id:
         length: 20
         vector: 12AAA5E5779014711CCD6D265BDEE519
                 1026431C83768EE5EB5A157F940BE9FB
       cipher_suite:
         CipherSuite: C102
       compression_method:
         CompressionMethod: 00
       extensions:
         length: 0005
         Extension: /* renegotiation_info */
           extension_type: FF01
           extension_data:
             length: 0001
             vector:
               renegotiated_connection:
                 length: 00
                 vector: --

   00000: 02 00 00 4D 03 03 FE 92 C9 51 6D 0E 1A 67 A0 4C
   00010: 33 CD 7F 2C 90 B1 5E 76 DC C3 08 15 C1 9F 92 A6
   00020: D1 00 91 5A F2 DB 20 12 AA A5 E5 77 90 14 71 1C
   00030: CD 6D 26 5B DE E5 19 10 26 43 1C 83 76 8E E5 EB
   00040: 5A 15 7F 94 0B E9 FB C1 02 00 00 05 FF 01 00 01
   00050: 00

   Record layer message:
     type: 16
     version:
       major: 03
       minor: 03
     length: 0051
     fragment: 0200004D0303FE92C9516D0E1A67A04C
               33CD7F2C90B15E76DCC30815C19F92A6
               D100915AF2DB2012AAA5E5779014711C
               CD6D265BDEE5191026431C83768EE5EB
               5A157F940BE9FBC102000005FF010001
               00

   00000: 16 03 03 00 51 02 00 00 4D 03 03 FE 92 C9 51 6D
   00010: 0E 1A 67 A0 4C 33 CD 7F 2C 90 B1 5E 76 DC C3 08
   00020: 15 C1 9F 92 A6 D1 00 91 5A F2 DB 20 12 AA A5 E5
   00030: 77 90 14 71 1C CD 6D 26 5B DE E5 19 10 26 43 1C
   00040: 83 76 8E E5 EB 5A 15 7F 94 0B E9 FB C1 02 00 00
   00050: 05 FF 01 00 01 00

   ---------------------------Server---------------------------

   Certificate message:
     msg_type: 0B
     length: 000266
     body:
       certificate_list:
         length: 000263
         vector:
           ASN.1Cert:
             length: 000260
             vector: 3082025C308201C8A003020102021478
                     94DC9D920977809191642F1DAEDC26BA
                     3B5104300A06082A8503070101030330
                     . . .
                     6C12D51F99C98A4A9904F0EA5486FED7
                     FF66AB8EB2425E1ACEAE8A758BDF843B
                     E1A8F6FEBF673015FED7AB86533DBF20

   00000: 0B 00 02 66 00 02 63 00 02 60 30 82 02 5C 30 82
   00010: 01 C8 A0 03 02 01 02 02 14 78 94 DC 9D 92 09 77
   00020: 80 91 91 64 2F 1D AE DC 26 BA 3B 51 04 30 0A 06
   00030: 08 2A 85 03 07 01 01 03 03 30 19 31 17 30 15 06
   00040: 03 55 04 03 13 0E 43 41 20 43 65 72 74 69 66 69
   00050: 63 61 74 65 30 1E 17 0D 31 38 30 31 30 32 30 30
   00060: 30 30 31 31 5A 17 0D 32 32 30 31 30 32 30 30 30
   00070: 30 32 31 5A 30 21 31 1F 30 1D 06 03 55 04 03 13
   00080: 16 53 65 72 76 65 72 20 35 31 32 20 43 65 72 74
   00090: 69 66 69 63 61 74 65 30 81 AA 30 21 06 08 2A 85
   000a0: 03 07 01 01 01 02 30 15 06 09 2A 85 03 07 01 02
   000b0: 01 02 01 06 08 2A 85 03 07 01 01 02 03 03 81 84
   000c0: 00 04 81 80 95 67 94 9F 6A BF A3 D9 89 1C 70 21
   000d0: F2 89 FD 24 14 1B 84 E3 23 29 24 B8 58 91 38 55
   000e0: 46 79 54 E0 7A 9B 2E 9D 85 AC 2E 0B 99 3E 43 D5
   000f0: 13 6A F3 97 6D 23 24 48 99 43 41 20 C8 8A 27 C0
   00100: 66 05 DB 16 CF D4 0F A0 C4 77 20 08 6D A0 15 16
   00110: 76 44 04 22 82 32 F7 F7 F2 26 98 62 80 DA FF AA
   00120: 99 BB 6F 7D 5A E6 4A 5A 28 CB 02 FD B8 4F E2 0D
   00130: D5 7A AE A5 35 16 BB 2B F1 85 6B BC C8 23 BD C5
   00140: DE 80 1E D0 A3 81 93 30 81 90 30 0C 06 03 55 1D
   00150: 13 01 01 FF 04 02 30 00 30 1A 06 03 55 1D 11 04
   00160: 13 30 11 82 09 6C 6F 63 61 6C 68 6F 73 74 87 04
   00170: 7F 00 00 01 30 13 06 03 55 1D 25 04 0C 30 0A 06
   00180: 08 2B 06 01 05 05 07 03 01 30 0F 06 03 55 1D 0F
   00190: 01 01 FF 04 05 03 03 07 B0 00 30 1D 06 03 55 1D
   001a0: 0E 04 16 04 14 AE 46 41 1B FD B3 08 C3 39 03 47
   001b0: 57 57 2B 0F BF A3 6F 9A 99 30 1F 06 03 55 1D 23
   001c0: 04 18 30 16 80 14 7F 7B 7A 15 61 A6 F2 18 A2 E3
   001d0: 48 3B C6 39 D9 7F 42 DB 6D AF 30 0A 06 08 2A 85
   001e0: 03 07 01 01 03 03 03 81 81 00 9C 49 78 F7 1B AB
   001f0: 54 8A 25 6D 2A 18 7C A8 4D 72 4F E1 EF A7 E5 36
   00200: 67 2E 79 1F 8A 0C B6 74 1E B1 63 E2 96 37 8C 5B
   00210: 82 83 EE DA B4 1B A4 22 1E BC E2 05 F6 F8 79 CF
   00220: EB F0 AD E9 36 07 0F B2 40 E5 0D 04 37 03 7F 2A
   00230: EC 99 C7 CD 23 9F 6F 20 25 A8 6C 12 D5 1F 99 C9
   00240: 8A 4A 99 04 F0 EA 54 86 FE D7 FF 66 AB 8E B2 42
   00250: 5E 1A CE AE 8A 75 8B DF 84 3B E1 A8 F6 FE BF 67
   00260: 30 15 FE D7 AB 86 53 3D BF 20

   Record layer message:
     type: 16
     version:
       major: 03
       minor: 03
     length: 026A
     fragment: 0B0002660002630002603082025C3082
               01C8A00302010202147894DC9D920977
               809191642F1DAEDC26BA3B5104300A06
               . . .
               EC99C7CD239F6F2025A86C12D51F99C9
               8A4A9904F0EA5486FED7FF66AB8EB242
               5E1ACEAE8A758BDF843BE1A8F6FEBF67
               3015FED7AB86533DBF20

   00000: 16 03 03 02 6A 0B 00 02 66 00 02 63 00 02 60 30
   00010: 82 02 5C 30 82 01 C8 A0 03 02 01 02 02 14 78 94
   00020: DC 9D 92 09 77 80 91 91 64 2F 1D AE DC 26 BA 3B
   00030: 51 04 30 0A 06 08 2A 85 03 07 01 01 03 03 30 19
   00040: 31 17 30 15 06 03 55 04 03 13 0E 43 41 20 43 65
   00050: 72 74 69 66 69 63 61 74 65 30 1E 17 0D 31 38 30
   00060: 31 30 32 30 30 30 30 31 31 5A 17 0D 32 32 30 31
   00070: 30 32 30 30 30 30 32 31 5A 30 21 31 1F 30 1D 06
   00080: 03 55 04 03 13 16 53 65 72 76 65 72 20 35 31 32
   00090: 20 43 65 72 74 69 66 69 63 61 74 65 30 81 AA 30
   000a0: 21 06 08 2A 85 03 07 01 01 01 02 30 15 06 09 2A
   000b0: 85 03 07 01 02 01 02 01 06 08 2A 85 03 07 01 01
   000c0: 02 03 03 81 84 00 04 81 80 95 67 94 9F 6A BF A3
   000d0: D9 89 1C 70 21 F2 89 FD 24 14 1B 84 E3 23 29 24
   000e0: B8 58 91 38 55 46 79 54 E0 7A 9B 2E 9D 85 AC 2E
   000f0: 0B 99 3E 43 D5 13 6A F3 97 6D 23 24 48 99 43 41
   00100: 20 C8 8A 27 C0 66 05 DB 16 CF D4 0F A0 C4 77 20
   00110: 08 6D A0 15 16 76 44 04 22 82 32 F7 F7 F2 26 98
   00120: 62 80 DA FF AA 99 BB 6F 7D 5A E6 4A 5A 28 CB 02
   00130: FD B8 4F E2 0D D5 7A AE A5 35 16 BB 2B F1 85 6B
   00140: BC C8 23 BD C5 DE 80 1E D0 A3 81 93 30 81 90 30
   00150: 0C 06 03 55 1D 13 01 01 FF 04 02 30 00 30 1A 06
   00160: 03 55 1D 11 04 13 30 11 82 09 6C 6F 63 61 6C 68
   00170: 6F 73 74 87 04 7F 00 00 01 30 13 06 03 55 1D 25
   00180: 04 0C 30 0A 06 08 2B 06 01 05 05 07 03 01 30 0F
   00190: 06 03 55 1D 0F 01 01 FF 04 05 03 03 07 B0 00 30
   001a0: 1D 06 03 55 1D 0E 04 16 04 14 AE 46 41 1B FD B3
   001b0: 08 C3 39 03 47 57 57 2B 0F BF A3 6F 9A 99 30 1F
   001c0: 06 03 55 1D 23 04 18 30 16 80 14 7F 7B 7A 15 61
   001d0: A6 F2 18 A2 E3 48 3B C6 39 D9 7F 42 DB 6D AF 30
   001e0: 0A 06 08 2A 85 03 07 01 01 03 03 03 81 81 00 9C
   001f0: 49 78 F7 1B AB 54 8A 25 6D 2A 18 7C A8 4D 72 4F
   00200: E1 EF A7 E5 36 67 2E 79 1F 8A 0C B6 74 1E B1 63
   00210: E2 96 37 8C 5B 82 83 EE DA B4 1B A4 22 1E BC E2
   00220: 05 F6 F8 79 CF EB F0 AD E9 36 07 0F B2 40 E5 0D
   00230: 04 37 03 7F 2A EC 99 C7 CD 23 9F 6F 20 25 A8 6C
   00240: 12 D5 1F 99 C9 8A 4A 99 04 F0 EA 54 86 FE D7 FF
   00250: 66 AB 8E B2 42 5E 1A CE AE 8A 75 8B DF 84 3B E1
   00260: A8 F6 FE BF 67 30 15 FE D7 AB 86 53 3D BF 20

   ---------------------------Server---------------------------

   ServerHelloDone message:
     msg_type: 0E
     length: 000000
     body: --

   00000: 0E 00 00 00

   Record layer message:
     type: 16
     version:
       major: 03
       minor: 03
     length: 0004
     fragment: 0E000000

   00000: 16 03 03 00 04 0E 00 00 00

   ---------------------------Client---------------------------

   PMS:
   00000: CE 0D D6 B6 70 42 12 15 2B E4 69 5A 7E 89 F6 4C
   00010: 89 29 A4 0D BF 0A 5A 55 C2 CE 00 2B 06 BA B6 2F

   Random d_eph value:
     0xC96486B1A3732389A162F5AD0145D537
       43C9AC27D42ACF1091CE7EF67E6C3CCA
       0F6C879B2DA3C1607648BAEB96471BD2
       078DF5CAAA4FA83ECC0FFD6D3C8E5D56

   Q_eph ephemeral key:
     x = 0x4B9CB381BCC737E493E43B2D7FD95BFE
           2AEF6BE8F6224882E5E559ADA08170DC
           49A815B3A1B3B323D2B50195153CFC60
           DD6139C3770C5762A6A7719FABF84BFB

     y = 0x95CEF28392C846A5EEFCB51C84E4960A
           77B77D0D85EBD22061BFDA0013C5AB6C
           42DDD04973F65D2AEB8A5427A53D6872
           CF2D68F5F722C4640D7AAF2E0194FBD0

   HASH(r_c | r_s):
   00000: FB F3 9D 10 E8 00 AF 70 E7 AA 22 C1 10 DA 94 A9
   00010: 9A 58 98 D8 45 27 C7 CB DE C1 1E 53 39 90 6A 1A

   K_EXP:
   00000: 3F D9 99 D1 68 4A 15 CC 9B DD 5A 35 06 7A F6 98
   00010: 17 15 00 22 E0 95 54 AC 79 1A 60 F1 61 F5 53 49

   IV:
   00000: FB F3 9D 10 E8 00 AF 70

   CEK_ENC:
   00000: D6 22 D1 67 A5 64 2E 29 52 5A 29 5C B9 F2 8F 96
   00010: F2 8B 0E FA A7 D3 A2 BE E1 49 B0 11 78 C2 DF D5

   CEK_MAC:
   00000: 4C 93 36 57

   PMSEXP:
   00000: FB F3 9D 10 E8 00 AF 70 D6 22 D1 67 A5 64 2E 29
   00010: 52 5A 29 5C B9 F2 8F 96 F2 8B 0E FA A7 D3 A2 BE
   00020: E1 49 B0 11 78 C2 DF D5 4C 93 36 57

   ---------------------------Client---------------------------

   ClientKeyExchange message:
     msg_type: 10
     length: 0000F5
     body:
       exchange_keys: 3081F23081EF30280420D622D167A564
                      2E29525A295CB9F28F96F28B0EFAA7D3
                      A2BEE149B01178C2DFD504044C933657
                      . . .
                      DABF6120D2EB850D7DB7770A96E4841C
                      B5FCEEA546C89283F2CE950408FBF39D
                      10E800AF70

   00000: 10 00 00 F5 30 81 F2 30 81 EF 30 28 04 20 D6 22
   00010: D1 67 A5 64 2E 29 52 5A 29 5C B9 F2 8F 96 F2 8B
   00020: 0E FA A7 D3 A2 BE E1 49 B0 11 78 C2 DF D5 04 04
   00030: 4C 93 36 57 A0 81 C2 06 09 2A 85 03 07 01 02 05
   00040: 01 01 A0 81 AA 30 21 06 08 2A 85 03 07 01 01 01
   00050: 02 30 15 06 09 2A 85 03 07 01 02 01 02 01 06 08
   00060: 2A 85 03 07 01 01 02 03 03 81 84 00 04 81 80 FB
   00070: 4B F8 AB 9F 71 A7 A6 62 57 0C 77 C3 39 61 DD 60
   00080: FC 3C 15 95 01 B5 D2 23 B3 B3 A1 B3 15 A8 49 DC
   00090: 70 81 A0 AD 59 E5 E5 82 48 22 F6 E8 6B EF 2A FE
   000A0: 5B D9 7F 2D 3B E4 93 E4 37 C7 BC 81 B3 9C 4B D0
   000B0: FB 94 01 2E AF 7A 0D 64 C4 22 F7 F5 68 2D CF 72
   000C0: 68 3D A5 27 54 8A EB 2A 5D F6 73 49 D0 DD 42 6C
   000D0: AB C5 13 00 DA BF 61 20 D2 EB 85 0D 7D B7 77 0A
   000E0: 96 E4 84 1C B5 FC EE A5 46 C8 92 83 F2 CE 95 04
   000F0: 08 FB F3 9D 10 E8 00 AF 70

   Record layer message:
     type: 16
     version:
       major: 03
       minor: 03
     length: 00F9
     fragment: 100000F53081F23081EF30280420D622
               D167A5642E29525A295CB9F28F96F28B
               0EFAA7D3A2BEE149B01178C2DFD50404
               . . .
               ABC51300DABF6120D2EB850D7DB7770A
               96E4841CB5FCEEA546C89283F2CE9504
               08FBF39D10E800AF70

   00000: 16 03 03 00 F9 10 00 00 F5 30 81 F2 30 81 EF 30
   00010: 28 04 20 D6 22 D1 67 A5 64 2E 29 52 5A 29 5C B9
   00020: F2 8F 96 F2 8B 0E FA A7 D3 A2 BE E1 49 B0 11 78
   00030: C2 DF D5 04 04 4C 93 36 57 A0 81 C2 06 09 2A 85
   00040: 03 07 01 02 05 01 01 A0 81 AA 30 21 06 08 2A 85
   00050: 03 07 01 01 01 02 30 15 06 09 2A 85 03 07 01 02
   00060: 01 02 01 06 08 2A 85 03 07 01 01 02 03 03 81 84
   00070: 00 04 81 80 FB 4B F8 AB 9F 71 A7 A6 62 57 0C 77
   00080: C3 39 61 DD 60 FC 3C 15 95 01 B5 D2 23 B3 B3 A1
   00090: B3 15 A8 49 DC 70 81 A0 AD 59 E5 E5 82 48 22 F6
   000A0: E8 6B EF 2A FE 5B D9 7F 2D 3B E4 93 E4 37 C7 BC
   000B0: 81 B3 9C 4B D0 FB 94 01 2E AF 7A 0D 64 C4 22 F7
   000C0: F5 68 2D CF 72 68 3D A5 27 54 8A EB 2A 5D F6 73
   000D0: 49 D0 DD 42 6C AB C5 13 00 DA BF 61 20 D2 EB 85
   000E0: 0D 7D B7 77 0A 96 E4 84 1C B5 FC EE A5 46 C8 92
   000F0: 83 F2 CE 95 04 08 FB F3 9D 10 E8 00 AF 70

   ---------------------------Client---------------------------

   HASH(HM):
   00000: F8 D6 FE EB 17 64 4D 17 B0 38 36 A6 51 EB 87 69
   00010: BD EA A2 D3 EB 18 47 F6 91 91 42 7C 30 D0 17 8E

   MS:
   00000: BE 57 46 C8 BB B7 84 7E 97 8F D4 C9 4F 52 34 52
   00010: 44 2C 8E B1 72 FD E6 28 1C 18 C5 44 63 B1 F9 4C
   00020: 2B D9 81 40 05 41 6D BB 0F 90 A5 7E A4 E0 6B 50

   Client connection key material
   K_write_MAC|K_read_MAC|K_write_ENC|K_read_ENC|IV_write|IV_read:
   00000: F3 37 F6 A8 6F F3 1F CA 52 EA 64 7C DE E3 B7 83
   00010: 34 AB 77 B5 7F E0 DB 2F C0 C8 71 EC DC AC A5 A8
   00020: FB A0 4C 21 32 82 3A 24 96 EF 93 6F 0E BC F3 0E
   00030: A0 CB 7E AF 6C A7 94 75 4F 1F 45 B1 77 22 DE B4
   00040: 4E 5B C3 2D 44 30 AF 58 93 11 6A CF 81 A3 BE 0C
   00050: 90 D2 EA 8E 76 E0 84 07 28 BA F5 E2 B2 F9 40 C0
   00060: AE 18 26 7B B6 34 C1 6A 1D 1A C1 24 73 50 95 4B
   00070: 2F EE 9B 77 F3 0D 18 D5 54 01 2B 43 78 60 87 0A
   00080: D9 21 A8 4B 07 FF 98 AF 8C 82 38 6B 91 FB BA 64

   ---------------------------Server---------------------------

   PMSEXP extracted:
   00000: FB F3 9D 10 E8 00 AF 70 D6 22 D1 67 A5 64 2E 29
   00010: 52 5A 29 5C B9 F2 8F 96 F2 8B 0E FA A7 D3 A2 BE
   00020: E1 49 B0 11 78 C2 DF D5 4C 93 36 57

   HASH(r_c | r_s):
   00000: FB F3 9D 10 E8 00 AF 70 E7 AA 22 C1 10 DA 94 A9
   00010: 9A 58 98 D8 45 27 C7 CB DE C1 1E 53 39 90 6A 1A

   K_EXP:
   00000: 3F D9 99 D1 68 4A 15 CC 9B DD 5A 35 06 7A F6 98
   00010: 17 15 00 22 E0 95 54 AC 79 1A 60 F1 61 F5 53 49

   PMS:
   00000: CE 0D D6 B6 70 42 12 15 2B E4 69 5A 7E 89 F6 4C
   00010: 89 29 A4 0D BF 0A 5A 55 C2 CE 00 2B 06 BA B6 2F

   ---------------------------Server---------------------------

   HASH(HM):
   00000: F8 D6 FE EB 17 64 4D 17 B0 38 36 A6 51 EB 87 69
   00010: BD EA A2 D3 EB 18 47 F6 91 91 42 7C 30 D0 17 8E

   MS:
   00000: BE 57 46 C8 BB B7 84 7E 97 8F D4 C9 4F 52 34 52
   00010: 44 2C 8E B1 72 FD E6 28 1C 18 C5 44 63 B1 F9 4C
   00020: 2B D9 81 40 05 41 6D BB 0F 90 A5 7E A4 E0 6B 50

   Client connection key material
   K_read_MAC|K_write_MAC|K_read_ENC|K_write_ENC|IV_read|IV_write:
   00000: F3 37 F6 A8 6F F3 1F CA 52 EA 64 7C DE E3 B7 83
   00010: 34 AB 77 B5 7F E0 DB 2F C0 C8 71 EC DC AC A5 A8
   00020: FB A0 4C 21 32 82 3A 24 96 EF 93 6F 0E BC F3 0E
   00030: A0 CB 7E AF 6C A7 94 75 4F 1F 45 B1 77 22 DE B4
   00040: 4E 5B C3 2D 44 30 AF 58 93 11 6A CF 81 A3 BE 0C
   00050: 90 D2 EA 8E 76 E0 84 07 28 BA F5 E2 B2 F9 40 C0
   00060: AE 18 26 7B B6 34 C1 6A 1D 1A C1 24 73 50 95 4B
   00070: 2F EE 9B 77 F3 0D 18 D5 54 01 2B 43 78 60 87 0A
   00080: D9 21 A8 4B 07 FF 98 AF 8C 82 38 6B 91 FB BA 64

   ---------------------------Client---------------------------

   ChangeCipherSpec message:
     type: 01

   00000: 01

   Record layer message:
     type: 14
     version:
       major: 03
       minor: 03
     length: 0001
     fragment: 01

   00000: 14 03 03 00 01 01

   ---------------------------Client---------------------------

   HASH(HM):
   00000: F8 D6 FE EB 17 64 4D 17 B0 38 36 A6 51 EB 87 69
   00010: BD EA A2 D3 EB 18 47 F6 91 91 42 7C 30 D0 17 8E

   Finished message:
     msg_type: 14
     length: 00000C
     body:
       verify_data: D3EE1DEA725CD7080C744311

   00000: 14 00 00 0C D3 EE 1D EA 72 5C D7 08 0C 74 43 11

   Record layer message:
     type: 16
     version:
       major: 03
       minor: 03
     length: 0014
     fragment: 8854A0ED0CCBDAE076FA7D22D763A8D1
               AF701BBB

   00000: 16 03 03 00 14 88 54 A0 ED 0C CB DA E0 76 FA 7D
   00010: 22 D7 63 A8 D1 AF 70 1B BB

   ---------------------------Server---------------------------

   ChangeCipherSpec message:
     type: 01

   00000: 01

   Record layer message:
     type: 14
     version:
       major: 03
       minor: 03
     length: 0001
     fragment: 01

   00000: 14 03 03 00 01 01

   ---------------------------Server---------------------------

   HASH(HM):
   00000: 9C 9F C4 E3 32 5B 5F B3 70 B9 94 2A 71 D2 6E F0
   00010: 10 71 D8 A5 A1 8F 69 E8 C2 0B 70 CC 90 E9 A9 46

   Finished message:
     msg_type: 14
     length: 00000C
     body:
       verify_data: D6A2A697E9F23DB0F9017A79

   00000: 14 00 00 0C D6 A2 A6 97 E9 F2 3D B0 F9 01 7A 79

   Record layer message:
     type: 16
     version:
       major: 03
       minor: 03
     length: 0014
     fragment: 7BDDBB3C0A6A4A9E302B468CCD5CF786
               665FFEBC

   00000: 16 03 03 00 14 7B DD BB 3C 0A 6A 4A 9E 30 2B 46
   00010: 8C CD 5C F7 86 66 5F FE BC

   ---------------------------Client---------------------------

   Application data:
   00000: 48 45 4C 4F 0A

   Record layer message:
     type: 17
     version:
       major: 03
       minor: 03
     length: 0009
     fragment: A8951D9389D1AEFE3B

   00000: 17 03 03 00 09 A8 95 1D 93 89 D1 AE FE 3B

   ---------------------------Server---------------------------
   Application data:
   00000: 48 45 4C 4F 0A

   Record layer message:
     type: 17
     version:
       major: 03
       minor: 03
     length: 0009
     fragment: 0F368E5CEC86B4F8D7

   00000: 17 03 03 00 09 0F 36 8E 5C EC 86 B4 F8 D7

   ---------------------------Client---------------------------

   close_notify alert:
     Alert:
       level: 01
       description: 00

   00000: 01 00

   Record layer message:
     type: 15
     version:
       major: 03
       minor: 03
     length: 0006
     fragment: F91FCD98F309

   00000: 15 03 03 00 06 F9 1F CD 98 F3 09

   ---------------------------Server---------------------------

   close_notify alert:
     Alert:
       level: 01
       description: 00

   00000: 01 00

   Record layer message:
     type: 15
     version:
       major: 03
       minor: 03
     length: 0006
     fragment: 117B57AD5FED

   00000: 15 03 03 00 06 11 7B 57 AD 5F ED

Appendix B.  Contributors

   o  Evgeny Alekseev
      CryptoPro
      alekseev@cryptopro.ru

   o  Ekaterina Smyshlyaeva
      CryptoPro
      ess@cryptopro.ru

   o  Grigory Sedov
      CryptoPro
      sedovgk@cryptopro.ru

   o  Dmitry Eremin-Solenikov
      Auriga
      dbaryshkov@gmail.com

Appendix C.  Acknowledgments

Authors' Addresses

   Stanislav Smyshlyaev (editor)
   CryptoPro
   18, Suschevsky val
   Moscow 127018
   Russian Federation

   Phone: +7 (495) 995-48-20
   Email: svs@cryptopro.ru

   Dmitry Belyavsky
   Cryptocom
   14/2 Kedrova st
   Moscow 117218
   Russian Federation

   Email: beldmit@gmail.com

   Markku-Juhani O. Saarinen
   Independent Consultant

   Email: mjos@iki.fi