idnits 2.17.1 draft-smyshlyaev-tls12-gost-suites-07.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (November 28, 2019) is 1605 days in the past.  Is this
     intentional?

  -- Found something which looks like a code comment -- if you have code
     sections in the document, please surround them with '<CODE BEGINS>' and
     '<CODE ENDS>' lines.

  Checking references for intended status: Informational
  ----------------------------------------------------------------------------

  == Missing Reference: 'ChangeCipherSpec' is mentioned on line 382, but not
     defined

  -- Looks like a reference, but probably isn't: '0' on line 657

  ** Obsolete normative reference: RFC 5246 (Obsoleted by RFC 8446)

     Summary: 1 error (**), 0 flaws (~~), 2 warnings (==), 3 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

Network Working Group                                  S. Smyshlyaev, Ed.
Internet-Draft                                                  CryptoPro
Intended status: Informational                               D. Belyavsky
Expires: May 31, 2020                                           Cryptocom
                                                              M. Saarinen
                                                   Independent Consultant
                                                        November 28, 2019


      GOST Cipher Suites for Transport Layer Security (TLS) Protocol
                              Version 1.2
                  draft-smyshlyaev-tls12-gost-suites-07

Abstract

   This document specifies a set of cipher suites for the Transport
   Layer Security (TLS) protocol Version 1.2 to support the Russian
   cryptographic standard algorithms.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on May 31, 2020.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Conventions Used in This Document
   3.  Basic Terms and Definitions
   4.  Cipher Suite Definitions
     4.1.  Record Payload Protection
       4.1.1.  CTR_OMAC
       4.1.2.  CNT_IMIT
     4.2.  Key Exchange and Authentication
       4.2.1.  Hello Messages
       4.2.2.  Server Certificate
       4.2.3.  CertificateRequest
       4.2.4.  ClientKeyExchange
         4.2.4.1.  CTR_OMAC
         4.2.4.2.  CNT_IMIT
       4.2.5.  CertificateVerify
       4.2.6.  Finished
     4.3.  Cryptographic Algorithms
       4.3.1.  Block Cipher
       4.3.2.  MAC algorithm
       4.3.3.  Encryption algorithm
       4.3.4.  PRF and HASH algorithms
       4.3.5.  SNMAX parameter
   5.  New Values for the SignatureAlgorithm Registry
   6.  New Values for the Supported Groups Registry
   7.  New Values for the ClientCertificateType Identifiers Registry
   8.  Additional Algorithms
     8.1.  TLSTREE
       8.1.1.  Key Tree Parameters
     8.2.  Key export and key import algorithms
       8.2.1.  KExp15 and KImp15 Algorithms
       8.2.2.  KExp28147 and KImp28147 Algorithms
     8.3.  Key Exchange Generation Algorithms
       8.3.1.  KEG Algorithm
       8.3.2.  KEG_28147 Algorithm
     8.4.  gostIMIT28147
   9.  IANA Considerations
   10. Historical considerations
   11. Security Considerations
   12. References
     12.1.  Normative References
     12.2.  Informative References
   Appendix A.  Test Examples
     A.1.  Test Examples for CTR_OMAC cipher suites
       A.1.1.  TLSTREE Examples
         A.1.1.1.  TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC ciphersuite
         A.1.1.2.  TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC ciphersuite
       A.1.2.  Record Examples
         A.1.2.1.  TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC ciphersuite
         A.1.2.2.  TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC ciphersuite
       A.1.3.  Handshake Examples
         A.1.3.1.  TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC ciphersuite
         A.1.3.2.  TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC ciphersuite
     A.2.  Test Examples for CNT_IMIT cipher suites
       A.2.1.  Record Examples
       A.2.2.  Handshake Examples
   Appendix B.  Contributors
   Appendix C.  Acknowledgments
   Authors' Addresses
1.  Introduction

   This document specifies three new cipher suites for the Transport
   Layer Security (TLS) Protocol Version 1.2 [RFC5246] to support the
   set of Russian cryptographic standard algorithms (called GOST
   algorithms).  These cipher suites use the same hash algorithm, GOST R
   34.11-2012 [GOST3411-2012] (the English version can be found in
   [RFC6986]), and the same signature algorithm, GOST R 34.10-2012
   [GOST3410-2012] (the English version can be found in [RFC7091]), but
   use different encryption and MAC algorithms, so they are divided into
   two types: the CTR_OMAC cipher suites and the CNT_IMIT cipher suite.

   The CTR_OMAC cipher suites use the GOST R 34.12-2015 [GOST3412-2015]
   block ciphers (the English version can be found in [RFC7801]) and
   have the following values:

      TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC = {0xC1, 0x00};
      TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC = {0xC1, 0x01}.

   The CNT_IMIT cipher suite uses the GOST 28147-89 [GOST28147-89] block
   cipher (the English version can be found in [RFC5830]) and has the
   following value:

      TLS_GOSTR341112_256_WITH_28147_CNT_IMIT = {0xC1, 0x02}.

2.  Conventions Used in This Document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

3.  Basic Terms and Definitions

   This document uses the following terms and definitions for the sets
   and operations on the elements of these sets:

   B_t      the set of byte strings of length t, t >= 0; for t = 0 the
            set B_t consists of a single empty string of zero length.  If
            A is an element of B_t, then A = (a_1, a_2, ... , a_t), where
            a_1, a_2, ... , a_t are in {0, ... , 255};

   B*       the set of all byte strings of finite length (hereinafter
            referred to as strings), including the empty string;

   A[i..j]  the string A[i..j] = (a_i, a_{i+1}, ... , a_j) in B_{j-i+1},
            where A = (a_1, ... , a_t) in B_t and 1 <= i <= j <= t;

   |A|      the byte length of the byte string A;

   A | C    concatenation of strings A and C, both belonging to B*, i.e.,
            a string in B_{|A|+|C|} whose left substring in B_|A| is
            equal to A and whose right substring in B_|C| is equal to C;

   A XOR C  bitwise exclusive-or of strings A and C, both belonging to
            B_t, i.e., a string in B_t such that if A = (a_1, a_2, ... ,
            a_t) and C = (c_1, c_2, ... , c_t), then A XOR C = (a_1 (xor)
            c_1, a_2 (xor) c_2, ... , a_t (xor) c_t), where (xor) is the
            bitwise exclusive-or of bytes;

   i & j    bitwise AND of integers i and j;

   STR_t    the transformation that maps an integer i = 256^{t-1} * i_1 +
            ... + 256 * i_{t-1} + i_t into the byte string STR_t(i) =
            (i_1, ... , i_t) in B_t (the interpretation of the integer as
            a byte string in big-endian format);

   str_t    the transformation that maps an integer i = 256^{t-1} * i_t +
            ... + 256 * i_2 + i_1 into the byte string str_t(i) = (i_1,
            ... , i_t) in B_t (the interpretation of the integer as a
            byte string in little-endian format);

   INT      the transformation that maps a string a = (a_1, ... , a_t) in
            B_t into the integer INT(a) = 256^{t-1} * a_1 + ... + 256 *
            a_{t-1} + a_t (the interpretation of the byte string in
            big-endian format as an integer);

   int      the transformation that maps a string a = (a_1, ... , a_t) in
            B_t into the integer int(a) = 256^{t-1} * a_t + ... + 256 *
            a_2 + a_1 (the interpretation of the byte string in
            little-endian format as an integer);

   k        the byte length of the block cipher key;

   n        the byte length of the block cipher block;

   Q_c      the public key stored in the client's certificate;

   d_c      the private key that corresponds to the Q_c key;

   Q_s      the public key stored in the server's certificate;

   d_s      the private key that corresponds to the Q_s key;

   q_s      the order of the subgroup of the group of points of the
            elliptic curve that corresponds to Q_s;

   P_s      the point of order q_s that belongs to the same curve as Q_s;

   r_c      the random string contained in the ClientHello.random field
            (see [RFC5246]);

   r_s      the random string contained in the ServerHello.random field
            (see [RFC5246]).

4.  Cipher Suite Definitions

4.1.  Record Payload Protection

   All of the cipher suites described in this document MUST use the
   "null" compression method (see Section 6.2.2 of [RFC5246] and
   Section 4.2.1).  Note that the CompressionMethod.null operation is an
   identity operation; no fields are altered.

   All of the cipher suites described in this document use a stream
   cipher (see Section 4.3.3) to protect records.  The TLSCiphertext
   structure for the CTR_OMAC and CNT_IMIT cipher suites is specified in
   accordance with the Standard Stream Cipher case (see Section 6.2.3.1
   of [RFC5246]):

      struct {
          ContentType type;
          ProtocolVersion version;
          uint16 length;
          GenericStreamCipher fragment;
      } TLSCiphertext;

   where TLSCiphertext.fragment is generated in accordance with
   Section 4.1.1 or Section 4.1.2.
   The connection key material is the key material that consists of the
   sender_write_key (either the client_write_key or the
   server_write_key), the sender_write_MAC_key (either the
   client_write_MAC_key or the server_write_MAC_key) and the
   sender_write_IV (either the client_write_IV or the server_write_IV)
   parameters, which are generated in accordance with Section 6.3 of
   [RFC5246].

   The record key material is the key material that is generated from
   the connection key material and is used to protect the record with a
   given sequence number.  Note that in the cipher suites defined in
   this document the record key material can be equal to the connection
   key material.

   In this section the TLSCiphertext.fragment generation is described
   for one particular endpoint (server or client) with the corresponding
   connection key material and record key material.

4.1.1.  CTR_OMAC

   In the case of the CTR_OMAC cipher suites the record key material
   differs from the connection key material and, for a given sequence
   number seqnum, consists of:

   o  K_ENC_seqnum in B_k;

   o  K_MAC_seqnum in B_k;

   o  IV_seqnum in B_{n/2}.

   The K_ENC_seqnum and K_MAC_seqnum values are calculated using the
   TLSTREE function defined in Section 8.1 and the connection key
   material.  IV_seqnum is calculated by adding the seqnum value to
   sender_write_IV modulo 2^{(n/2)*8}:

   o  K_ENC_seqnum = TLSTREE(sender_write_key, seqnum);

   o  K_MAC_seqnum = TLSTREE(sender_write_MAC_key, seqnum);

   o  IV_seqnum = STR_{n/2}((INT(sender_write_IV) + seqnum) mod
      2^{(n/2)*8}).

   The TLSCiphertext.fragment that corresponds to the sequence number
   seqnum is equal to the ENCValue_seqnum value, which is calculated as
   follows:

   1.  The MAC value (MACValue_seqnum) is generated using the MAC
       algorithm (see Section 4.3.2) as in Section 6.2.3.1 of [RFC5246],
       except that the sender_write_MAC_key is replaced by the
       K_MAC_seqnum key:

          MACData_seqnum = STR_8(seqnum) | type_seqnum | version_seqnum |
          length_seqnum | fragment_seqnum;

          MACValue_seqnum = MAC(K_MAC_seqnum, MACData_seqnum),

       where type_seqnum, version_seqnum, length_seqnum and
       fragment_seqnum are the TLSCompressed.type, TLSCompressed.version,
       TLSCompressed.length and TLSCompressed.fragment values of the
       record with the seqnum sequence number.

   2.  The entire data together with the MACValue is encrypted with the
       ENC stream cipher (see Section 4.3.3):

          ENCData_seqnum = fragment_seqnum | MACValue_seqnum;

          ENCValue_seqnum = ENC(K_ENC_seqnum, IV_seqnum, ENCData_seqnum).

4.1.2.  CNT_IMIT

   In the case of the CNT_IMIT cipher suite the record key material is
   equal to the connection key material and consists of:

   o  sender_write_key in B_k;

   o  sender_write_MAC_key in B_k;

   o  sender_write_IV in B_n.

   The TLSCiphertext.fragment that corresponds to the sequence number
   seqnum is equal to the ENCValue_seqnum value, which is calculated as
   follows:

   1.  The MAC value (MACValue_seqnum) is generated by the MAC algorithm
       (see Section 4.3.2) as follows:

          MACData_i = STR_8(i) | type_i | version_i | length_i |
          fragment_i, i in {0, ... , seqnum};

          MACValue_seqnum = MAC(sender_write_MAC_key, MACData_0 | ... |
          MACData_seqnum),

       where type_i, version_i, length_i and fragment_i are the
       TLSCompressed.type, TLSCompressed.version, TLSCompressed.length
       and TLSCompressed.fragment values of the record with the sequence
       number i.

       Implementation note: Because a CBC-MAC based mode is used, it is
       not necessary to store all previous fragments MACData_0, ... ,
       MACData_{i-1} to generate the MACValue_i value for the i-th
       record.  It is enough to know only the intermediate internal
       state of the MAC algorithm.

   2.  The entire data together with the MACValue is encrypted with the
       ENC stream cipher (see Section 4.3.3):

          ENCData_i = fragment_i | MACValue_i, i in {0, ... , seqnum};

          ENCValue_0 | ... | ENCValue_seqnum = ENC(sender_write_key,
          sender_write_IV, ENCData_0 | ... | ENCData_seqnum),

       where |ENCValue_i| = |ENCData_i|, i in {0, ... , seqnum}.

       Implementation note: Because a stream cipher is used, it is not
       necessary to store all previous fragments ENCData_0, ... ,
       ENCData_{i-1} to generate the ENCValue_i fragment for the i-th
       record.  It is enough to know only the intermediate internal
       state of the ENC stream cipher.

4.2.  Key Exchange and Authentication

   All of the cipher suites described in this document use an ECDHE-
   based scheme to share the TLS premaster secret.

         Client                                               Server

         ClientHello                  -------->
                                                         ServerHello
                                                         Certificate
                                                 CertificateRequest*
                                      <--------      ServerHelloDone
         Certificate*
         ClientKeyExchange
         CertificateVerify*
         [ChangeCipherSpec]
         Finished                     -------->
                                                  [ChangeCipherSpec]
                                      <--------             Finished
         Application Data             <------->     Application Data

                 Figure 1: Message flow for a full handshake.

         * Indicates optional messages that are sent for
           the client authentication.

   Figure 1 shows all messages involved in the TLS key establishment
   protocol (full handshake).  A ServerKeyExchange MUST NOT be sent (the
   server's certificate contains enough data to allow the client to
   exchange the premaster secret).

   The server side of the channel is always authenticated; the client
   side is optionally authenticated.  The server is authenticated by
   proving that it knows the premaster secret that is encrypted with the
   public key Q_s from the server's certificate.  The client is
   authenticated via its signature over the handshake transcript.
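   The record-layer construction of Section 4.1.1, as an added worked
   example that is not part of the draft.  It implements the
   deterministic parts of the construction: STR_t and INT from
   Section 3, the IV_seqnum addition with its wrap modulo 2^{(n/2)*8},
   the MACData_seqnum layout (STR_8(seqnum) | type | version | length |
   fragment), the fragment | MACValue encryption input, the TLSCiphertext
   header, the SNMAX limit of Section 4.3.5, and the receiving side with
   a constant-time MAC comparison.  The GOST primitives (OMAC over
   Kuznyechik or Magma, CTR-ACPKM, TLSTREE) are not implemented: the
   per-record keys K_ENC_seqnum and K_MAC_seqnum and the MAC and ENC
   callables are inputs.  The HMAC-SHA256 and SHA-256 keystream stand-ins
   at the bottom exist only so the block runs offline; they are not the
   draft's algorithms, and the keys and IVs are constructed values, not
   the draft's test vectors.

```python
"""Record framing for the CTR_OMAC suites (draft Section 4.1.1); added example."""
import hashlib
import hmac

# Block length n and SNMAX per suite (draft Sections 4.3.1 and 4.3.5).
SUITES = {
    "TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC": {"n": 16, "snmax": 2**64 - 1},
    "TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC": {"n": 8, "snmax": 2**32 - 1},
}


def STR(t, i):
    """STR_t(i): integer i as a t-byte big-endian string (Section 3)."""
    if not 0 <= i < 256**t:
        raise ValueError("integer does not fit in %d bytes" % t)
    return i.to_bytes(t, "big")


def INT(a):
    """INT(a): big-endian byte string as an integer (Section 3)."""
    return int.from_bytes(a, "big")


def iv_for_record(sender_write_iv, seqnum, n):
    """IV_seqnum = STR_{n/2}((INT(sender_write_IV) + seqnum) mod 2^{(n/2)*8})."""
    half = n // 2
    if len(sender_write_iv) != half:
        raise ValueError("sender_write_IV must be n/2 = %d bytes" % half)
    return STR(half, (INT(sender_write_iv) + seqnum) % 2 ** (half * 8))


def mac_data(seqnum, content_type, version, fragment):
    """MACData_seqnum = STR_8(seqnum) | type | version | length | fragment."""
    return STR(8, seqnum) + bytes([content_type]) + version + STR(2, len(fragment)) + fragment


def protect_record(suite, seqnum, content_type, version, fragment,
                   sender_write_iv, k_enc_seqnum, k_mac_seqnum, mac, enc):
    """Sender side: TLSCiphertext = type | version | length | ENC(K_ENC, IV, fragment | MAC).

    k_enc_seqnum / k_mac_seqnum are the TLSTREE outputs for this seqnum (derived
    elsewhere); mac(key, data) and enc(key, iv, data) are the suite's MAC and ENC.
    """
    params = SUITES[suite]
    if seqnum > params["snmax"]:
        # Section 4.3.5: the sequence number may not exceed SNMAX in one connection.
        raise ValueError("sequence number exceeds SNMAX; rekey or close the connection")
    iv = iv_for_record(sender_write_iv, seqnum, params["n"])
    mac_value = mac(k_mac_seqnum, mac_data(seqnum, content_type, version, fragment))
    enc_value = enc(k_enc_seqnum, iv, fragment + mac_value)
    return bytes([content_type]) + version + STR(2, len(enc_value)) + enc_value


def unprotect_record(suite, seqnum, record, sender_write_iv,
                     k_enc_seqnum, k_mac_seqnum, mac, enc):
    """Receiver side: decrypt, split off the n-byte MAC, recompute and compare it
    in constant time.  Returns the plaintext fragment or raises ValueError."""
    n = SUITES[suite]["n"]
    if len(record) < 5:
        raise ValueError("malformed record")
    content_type, version, length = record[0], record[1:3], INT(record[3:5])
    enc_value = record[5:]
    if len(enc_value) != length or length < n:
        raise ValueError("malformed record")
    iv = iv_for_record(sender_write_iv, seqnum, n)
    enc_data = enc(k_enc_seqnum, iv, enc_value)  # stream cipher: decrypt == encrypt
    fragment, received_mac = enc_data[:-n], enc_data[-n:]
    expected = mac(k_mac_seqnum, mac_data(seqnum, content_type, version, fragment))
    if not hmac.compare_digest(received_mac, expected):
        raise ValueError("bad_record_mac")
    return fragment


# --- Stand-ins so the example runs offline.  NOT OMAC and NOT CTR-ACPKM. ---
def standin_mac(n):
    """HMAC-SHA256 truncated to n bytes, mimicking the block-length MAC output."""
    return lambda key, data: hmac.new(key, data, hashlib.sha256).digest()[:n]


def standin_enc(key, iv, data):
    """Counter-style keystream SHA-256(key | iv | counter) XORed into the data."""
    out = bytearray()
    for off in range(0, len(data), 32):
        keystream = hashlib.sha256(key + iv + STR(8, off // 32)).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], keystream))
    return bytes(out)


if __name__ == "__main__":
    suite = "TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC"
    mac = standin_mac(SUITES[suite]["n"])
    # Constructed sample keys and IV; sender_write_IV is 4 bytes for Magma (n/2).
    k_enc, k_mac, write_iv = b"E" * 32, b"M" * 32, b"\xff\xff\xff\xfe"
    rec = protect_record(suite, 7, 23, b"\x03\x03", b"hello", write_iv, k_enc, k_mac, mac, standin_enc)
    print(rec.hex())
    print(unprotect_record(suite, 7, rec, write_iv, k_enc, k_mac, mac, standin_enc))
```

   Two details worth noticing when running it: the IV for seqnum 7 with
   sender_write_IV = ff ff ff fe wraps to 00 00 00 05 rather than
   overflowing the n/2-byte nonce, and a record replayed under a
   different sequence number fails the MAC check because seqnum enters
   both the IV and MACData.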
   In general the key exchange process for both the CTR_OMAC and
   CNT_IMIT cipher suites consists of the following steps:

   1.  The client generates the ephemeral key pair (d_eph, Q_eph) that
       corresponds to the server's public key Q_s stored in its
       certificate.

   2.  The client generates the premaster secret PS.  The PS value is
       chosen from B_32 at random.

   3.  Using d_eph and Q_s, the client generates the export key material
       (see Section 4.2.4.1 and Section 4.2.4.2) for the particular key
       export algorithm (see Section 8.2.1 and Section 8.2.2) to
       generate the export representation PSExp of the PS value.

   4.  The client sends its ephemeral public key Q_eph and the PSExp
       value in the ClientKeyExchange message.

   5.  Using its private key d_s, the server generates the import key
       material (see Section 4.2.4.1 and Section 4.2.4.2) for the
       particular key import algorithm (see Section 8.2.1 and
       Section 8.2.2) to extract the premaster secret PS from the export
       representation PSExp.

   The proposed cipher suites specify the ClientHello, ServerHello,
   ServerCertificate, CertificateRequest, ClientKeyExchange,
   CertificateVerify and Finished handshake messages, which are
   described in further detail below.

4.2.1.  Hello Messages

   The ClientHello message is generated in accordance with the following
   requirements:

   o  The ClientHello.compression_methods field SHOULD contain exactly
      one byte, set to zero, which corresponds to the "null" compression
      method.

   o  The ClientHello.extensions field SHOULD contain the
      signature_algorithms extension (see [RFC5246]) with the values
      defined in Section 5.

      If the negotiated cipher suite is one of CTR_OMAC/CNT_IMIT and the
      client implementation does not support generating the
      signature_algorithms extension with the appropriate values, the
      server MUST either abort the connection or ignore this extension
      and behave as if the client had sent the signature_algorithms
      extension with the values {0x08, 0x40} and {0x08, 0x41}.

   o  The ClientHello.extensions field is RECOMMENDED to contain the
      extended_master_secret (see [RFC7627]) and the renegotiation_info
      (see [RFC5746]) extensions.

   o  The ClientHello.extensions field MAY contain the supported_groups
      extension (see [RFC8422] and [RFC7919]) with the values defined in
      Section 6.

   The ServerHello message is generated in accordance with the following
   requirements:

   o  The ServerHello.compression_method field MUST contain exactly one
      byte, set to zero, which corresponds to the "null" compression
      method.

   o  The ServerHello.extensions field is RECOMMENDED to contain the
      extended_master_secret (see [RFC7627]) and the renegotiation_info
      (see [RFC5746]) extensions.

   o  The ServerHello.extensions field MUST NOT contain the
      encrypt_then_mac extension (see [RFC7366]).

   If the extended_master_secret extension is agreed, then the master
   secret value MUST be calculated in accordance with [RFC7627].

4.2.2.  Server Certificate

   This message is used to authentically convey the server's public key
   Q_s to the client and is generated in accordance with Section 7.4.2
   of [RFC5246].

   Note: If the client has used the supported_groups extension, the
   public key in the server's certificate MUST respect the client's
   choice of elliptic curves.

   Upon receiving this message the client validates the certificate
   chain, extracts the server's public key, and checks that the key type
   is appropriate for the negotiated key exchange algorithm.  (A
   possible reason for a fatal handshake failure is that the client's
   capabilities for handling elliptic curves and point formats are
   exceeded.)

4.2.3.  CertificateRequest

   This message is sent when requesting client authentication and is
   specified in accordance with [RFC5246] as follows.

      struct {
          ClientCertificateType certificate_types<1..2^8-1>;
          SignatureAndHashAlgorithm
            supported_signature_algorithms<2..2^16-2>;
          DistinguishedName certificate_authorities<0..2^16-1>;
      } CertificateRequest;

   If a CTR_OMAC or CNT_IMIT cipher suite is negotiated, the
   CertificateRequest message SHOULD meet the following requirements:

   o  the CertificateRequest.supported_signature_algorithms field SHOULD
      contain only signature/hash algorithm pairs with the values {0x08,
      0x40} or {0x08, 0x41} defined in Section 5;

   o  the CertificateRequest.certificate_types field SHOULD contain only
      the gost_sign256 (0x43) or gost_sign512 (0x44) values defined in
      Section 7.

4.2.4.  ClientKeyExchange

   The ClientKeyExchange message is defined as follows.

      enum { vko_kdf_gost, vko_gost } KeyExchangeAlgorithm;

      struct {
          select (KeyExchangeAlgorithm) {
              case vko_kdf_gost: GostKeyTransport;
              case vko_gost: TLSGostKeyTransportBlob;
          } exchange_keys;
      } ClientKeyExchange;

   The body of the ClientKeyExchange message consists of a
   GostKeyTransport/TLSGostKeyTransportBlob structure that contains an
   export representation of the premaster secret PS.

   The GostKeyTransport structure corresponds to the CTR_OMAC cipher
   suites and is described in Section 4.2.4.1; the
   TLSGostKeyTransportBlob structure corresponds to the CNT_IMIT cipher
   suite and is described in Section 4.2.4.2.

4.2.4.1.  CTR_OMAC

   In the case of the CTR_OMAC cipher suites the body of the
   ClientKeyExchange message consists of the GostKeyTransport structure
   that is defined below.

   The client generates the ClientKeyExchange message in accordance with
   the following steps:

   1.  Generates the ephemeral key pair (Q_eph, d_eph), where:

          d_eph is chosen from {1, ... , q_s - 1} at random;

          Q_eph = d_eph * P_s.

   2.  Generates the export keys (K_EXP_MAC and K_EXP_ENC) using the KEG
       algorithm defined in Section 8.3.1:

          H = HASH(r_c | r_s);

          K_EXP_MAC | K_EXP_ENC = KEG(d_eph, Q_s, H).

   3.  Generates the export representation PSExp of the premaster secret
       PS using the KExp15 algorithm defined in Section 8.2.1:

          IV = H[25..24 + n / 2];

          PSExp = KExp15(PS, K_EXP_MAC, K_EXP_ENC, IV).

   4.  Generates the ClientKeyExchange message using the
       GostKeyTransport structure, which is defined as follows:

          GostKeyTransport ::= SEQUENCE {
              keyExp OCTET STRING,
              ephemeralPublicKey SubjectPublicKeyInfo,
              ukm OCTET STRING OPTIONAL
          }

          SubjectPublicKeyInfo ::= SEQUENCE {
              algorithm AlgorithmIdentifier,
              subjectPublicKey BIT STRING
          }

          AlgorithmIdentifier ::= SEQUENCE {
              algorithm OBJECT IDENTIFIER,
              parameters ANY OPTIONAL
          }

       where the keyExp field contains the PSExp value, the
       ephemeralPublicKey field contains the Q_eph value and the ukm
       field MUST be ignored by the server.

   Upon receiving the ClientKeyExchange message, the server processes it
   as follows.

   1.  Checks the following three conditions.  If any of these checks
       fails, then the server MUST abort the handshake with an alert.

       o  Q_eph belongs to the same curve as the server public key Q_s;

       o  Q_eph is not equal to the zero point;

       o  q_s * Q_eph is equal to the zero point.

   2.  Generates the export keys (K_EXP_MAC and K_EXP_ENC) using the KEG
       algorithm defined in Section 8.3.1:

          H = HASH(r_c | r_s);

          K_EXP_MAC | K_EXP_ENC = KEG(d_s, Q_eph, H).

   3.  Extracts the premaster secret PS from the export representation
       PSExp using the KImp15 algorithm defined in Section 8.2.1:

          IV = H[25..24 + n / 2];

          PS = KImp15(PSExp, K_EXP_MAC, K_EXP_ENC, IV).

4.2.4.2.  CNT_IMIT

   In the case of the CNT_IMIT cipher suite the body of the
   ClientKeyExchange message consists of the TLSGostKeyTransportBlob
   structure that is defined below.

   The client generates the ClientKeyExchange message in accordance with
   the following steps:

   1.  Generates the ephemeral key pair (Q_eph, d_eph), where:

          d_eph is chosen from {1, ... , q_s - 1} at random;

          Q_eph = d_eph * P_s.

   2.  Generates the export key (K_EXP) using the KEG_28147 algorithm
       defined in Section 8.3.2:

          H = HASH(r_c | r_s);

          K_EXP = KEG_28147(d_eph, Q_s, H).

   3.  Generates the export representation PSExp of the premaster secret
       PS using the KExp28147 algorithm defined in Section 8.2.2:

          PSExp = IV | CEK_ENC | CEK_MAC = KExp28147(PS, K_EXP, H[1..8]).

   4.  Generates the ClientKeyExchange message using the
       TLSGostKeyTransportBlob structure, which is defined as follows:

          TLSGostKeyTransportBlob ::= SEQUENCE {
              keyBlob GostR3410-KeyTransport
          }

          GostR3410-KeyTransport ::= SEQUENCE {
              sessionEncryptedKey Gost28147-89-EncryptedKey,
              transportParameters [0] IMPLICIT GostR3410-TransportParameters
          }

          Gost28147-89-EncryptedKey ::= SEQUENCE {
              encryptedKey Gost28147-89-Key,
              macKey Gost28147-89-MAC
          }

          GostR3410-TransportParameters ::= SEQUENCE {
              encryptionParamSet OBJECT IDENTIFIER,
              ephemeralPublicKey [0] IMPLICIT SubjectPublicKeyInfo,
              ukm OCTET STRING
          }

       where the Gost28147-89-EncryptedKey.encryptedKey field contains
       the CEK_ENC value, the Gost28147-89-EncryptedKey.macKey field
       contains the CEK_MAC value, and the
       GostR3410-TransportParameters.ukm field contains the IV value.
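   The three checks that the server performs on Q_eph in step 1 of its
   ClientKeyExchange processing (Section 4.2.4.1, and repeated for the
   CNT_IMIT suite in Section 4.2.4.2), as an added example that is not
   part of the draft.  Real GOST curves are 256- and 512-bit, so the
   checks are run here on a constructed toy curve, y^2 = x^3 + x + 1
   over F_23, whose 28 points split as a cofactor of 4 times a subgroup
   of order q_s = 7.  That cofactor makes it possible to exhibit a point
   that is on the curve and non-zero yet fails the third check, which is
   the case (a point outside the order-q_s subgroup) that check exists
   to reject.  The curve parameters, P_S and the scalar d_eph are all
   constructed; the affine curve arithmetic is a plain textbook
   implementation, not the draft's, and the reason strings are this
   example's own (the draft only requires an abort with an alert).

```python
"""Server-side validation of Q_eph (draft Sections 4.2.4.1/4.2.4.2, step 1); added example."""

# Constructed toy curve y^2 = x^3 + A*x + B over F_P_MOD.  #E(F_23) = 28 = 4 * 7.
P_MOD, A, B = 23, 1, 1
INF = None                     # the zero point (point at infinity)


def on_curve(pt):
    """Check 1: the point satisfies the curve equation (INF is on every curve)."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P_MOD == 0


def add(p, q):
    """Affine short-Weierstrass point addition."""
    if p is INF:
        return q
    if q is INF:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                                  # P + (-P) = INF
    if p == q:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def mul(k, pt):
    """Scalar multiplication k * pt by double-and-add."""
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def order(pt):
    """Smallest m > 0 with m * pt = INF (brute force; fine for a toy curve)."""
    m, acc = 1, pt
    while acc is not INF:
        acc = add(acc, pt)
        m += 1
    return m


def count_points():
    """#E(F_P_MOD) by enumeration: affine solutions plus INF."""
    return 1 + sum(1 for x in range(P_MOD) for y in range(P_MOD) if on_curve((x, y)))


GROUP_ORDER = count_points()                        # 28
Q_S_ORDER = 7                                       # q_s: order of the key subgroup
GENERATOR = next((x, y) for x in range(P_MOD) for y in range(P_MOD)
                 if on_curve((x, y)) and order((x, y)) == GROUP_ORDER)
P_S = mul(GROUP_ORDER // Q_S_ORDER, GENERATOR)      # P_s: a point of order q_s


def validate_ephemeral_key(q_eph, q_s):
    """The three checks of step 1.  Returns None if Q_eph is acceptable, otherwise
    the reason the server MUST abort the handshake with an alert."""
    if not on_curve(q_eph):
        return "Q_eph is not on the server's curve"
    if q_eph is INF:
        return "Q_eph is the zero point"
    if mul(q_s, q_eph) is not INF:
        return "q_s * Q_eph is not the zero point (Q_eph is outside the order-q_s subgroup)"
    return None


if __name__ == "__main__":
    d_eph = 3                                       # constructed client scalar
    print(validate_ephemeral_key(mul(d_eph, P_S), Q_S_ORDER))            # None: honest Q_eph
    print(validate_ephemeral_key(mul(Q_S_ORDER, GENERATOR), Q_S_ORDER))  # order-4 point
    print(validate_ephemeral_key((4, 0), Q_S_ORDER))                     # order-2 point
    print(validate_ephemeral_key((1, 2), Q_S_ORDER))                     # not on the curve
```

   The order-4 and order-2 points pass the first two checks, which is
   why the third one is not redundant: on this curve the cofactor is 4,
   and only q_s * Q_eph = INF confirms that Q_eph lies in the subgroup
   generated by P_s.  On a production curve the same check is done with
   the real q_s and a constant-time scalar multiplication.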
666 The keyBlob.transportParameters.ephemeralPublicKey field contains the 667 client ephemeral public key Q_eph. The encryptionParamSet contains 668 value 1.2.643.7.1.2.5.1.1 that corresponds to the id-tc26-gost- 669 28147-param-Z parameters set defined in [RFC7836]. 671 Upon receiving the ClientKeyExchange message, the server process it 672 as follows. 674 1. Checks the following three conditions. If either of these checks 675 fails, then the server MUST abort the handshake with an alert. 677 1. Q_eph belongs to the same curve as server public key Q_s; 679 2. Q_eph is not equal to zero point; 681 3. q_s * Q_eph is equal to zero point; 683 2. Generates export key (K_EXP) using the KEG_28147 algorithm 684 defined in Section 8.3.2: 686 H = HASH(r_c | r_s); 688 K_EXP = KEG_28147(d_s, Q_eph, H). 690 3. Extracts the premaster secret PS from the export representation 691 PSExp using the KImp28147 algorithm defined in Section 8.2.2: 693 PS = KImp28147(PSExp, K_EXP, H[1..8]). 695 4.2.5. CertificateVerify 697 Client generates the value sgn as follows: 699 sgn = SIGN_{d_c}(handshake_messages) = str_l(r) | str_l(s) 701 where SIGN_{d_c} is the GOST R 34.10-2012 [RFC7091] signature 702 algorithm, d_c is a client long-term private key that corresponds to 703 the client long-term public key Q_c from the client's certificate, l 704 = 32 for gostr34102012_256 value of the SignatureAndHashAlgorithm 705 field and l = 64 for gostr34102012_512 value of the 706 SignatureAndHashAlgorithm field. 708 Here handshake_messages refers to all handshake messages sent or 709 received, starting at client hello and up to CertificateVerify, but 710 not including, this message, including the type and length fields of 711 the handshake messages. 713 The TLS CertificateVerify message is specified as follows. 
715 struct { 716 SignatureAndHashAlgorithm algorithm; 717 opaque signature<0..2^16-1>; 718 } CertificateVerify; 720 where SignatureAndHashAlgorithm structure is specified in Section 5 721 and CertificateVerify.signature field contains sgn value. 723 4.2.6. Finished 725 The TLS Finished message is specified as follows. 727 struct { 728 opaque verify_data[verify_data_length]; 729 } Finished; 731 verify_data = PRF(master_secret, finished_label, 732 HASH(handshake_messages))[0..verify_data_length-1]; 734 where the verify_data_length value is equal to 32 for the CTR_OMAC 735 cipher suites and is equal to 12 for the CNT_IMIT cipher suite. The 736 PRF function is defined in Section 4.3.4. 738 4.3. Cryptographic Algorithms 740 4.3.1. Block Cipher 742 The cipher suite TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC MUST 743 uses Kuznyechik [RFC7801] as a base block cipher for the encryption 744 and MAC algorithm. The block length n is 16 bytes and the key length 745 k is 32 bytes. 747 The cipher suite TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC MUST uses 748 Magma [GOST3412-2015] as a base block cipher for the encryption and 749 MAC algorithm. The block length n is 8 bytes and the key length k is 750 32 bytes. 752 The cipher suite TLS_GOSTR341112_256_WITH_28147_CNT_IMIT MUST uses 753 GOST 28147-89 as a base block cipher [RFC5830] with the set of 754 parameters id-tc26-gost-28147-param-Z defined in [RFC7836]. The 755 block length n is 8 bytes and the key length k is 32 bytes. 757 4.3.2. MAC algorithm 759 The CTR_OMAC cipher suites use the OMAC message authentication code 760 construction defined in [GOST3413-2015], which can be considered as 761 the CMAC mode defined in [CMAC] where Kuznyechik or Magma block 762 cipher (see Section 4.3.1) are used instead of AES block cipher (see 763 [IK2003] for more detail) as the MAC function. The resulting MAC 764 length is equal to the block length and the MAC key length is 32 765 bytes. 
   The CNT_IMIT cipher suite uses the message authentication code
   function gost28147IMIT defined in Section 8.4 with the initialization
   vector IV = IV0, where IV0 in B_8 is a string of all zeros, together
   with the CryptoPro Key Meshing algorithm defined in [RFC4357].  The
   resulting MAC length is 4 bytes and the MAC key length is 32 bytes.

4.3.3.  Encryption algorithm

   The CTR_OMAC cipher suites use the block cipher in the CTR-ACPKM
   encryption mode defined in [RFC8645] as the ENC function.  The
   section size N is 4 KB for the
   TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC cipher suite and 1 KB
   for the TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC cipher suite.  The
   initial counter nonce is defined as in Section 4.1.

   The CNT_IMIT cipher suite uses the block cipher in the counter
   encryption mode (CNT) defined in Section 6 of [RFC5830] together
   with the CryptoPro Key Meshing algorithm defined in [RFC4357] as the
   ENC function.

4.3.4.  PRF and HASH algorithms

   The pseudorandom function (PRF) for all the cipher suites defined in
   this document is the PRF_TLS_GOSTR3411_2012_256 function defined in
   [RFC7836].

   The hash function HASH for all the cipher suites defined in this
   document is the GOST R 34.11-2012 [RFC6986] hash algorithm with a
   32-byte (256-bit) hash code.

4.3.5.  SNMAX parameter

   The SNMAX parameter defines the maximal value of the sequence number
   seqnum during one TLS 1.2 connection and is defined as follows:

   +---------------------------------------------+--------------------+
   | CipherSuites                                | SNMAX              |
   +---------------------------------------------+--------------------+
   | TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC| SNMAX = 2^64 - 1   |
   | TLS_GOSTR341112_256_WITH_28147_CNT_IMIT     |                    |
   +---------------------------------------------+--------------------+
   | TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC     | SNMAX = 2^32 - 1   |
   +---------------------------------------------+--------------------+

                                  Table 1

5.  New Values for the SignatureAlgorithm Registry

   The signature/hash algorithm pairs are used to indicate to the
   server/client which algorithms can be used in digital signatures and
   are defined by the SignatureAndHashAlgorithm structure (see
   Section 7.4.1.4.1 of [RFC5246]) as follows:

   struct {
       HashAlgorithm hash;
       SignatureAlgorithm signature;
   } SignatureAndHashAlgorithm;

   This document defines new values for the "SignatureAlgorithm
   Registry" that can be used in the SignatureAndHashAlgorithm.signature
   field of a particular signature/hash algorithm pair:

   enum {
       gostr34102012_256(0x40),
       gostr34102012_512(0x41),
   } SignatureAlgorithm;

   where the gostr34102012_256 and gostr34102012_512 values correspond
   to the GOST R 34.10-2012 [RFC7091] signature algorithm with 32-byte
   (256-bit) and 64-byte (512-bit) key length respectively.

   According to [RFC7091], the GOST R 34.10-2012 signature algorithm
   with 32-byte (256-bit) or 64-byte (512-bit) key length uses the GOST
   R 34.11-2012 [RFC6986] hash algorithm with 32-byte (256-bit) or
   64-byte (512-bit) hash code respectively (the hash algorithm is
   intrinsic to the signature algorithm).  Therefore, if the
   SignatureAndHashAlgorithm.signature field of a particular hash/
   signature pair listed in the Signature Algorithms Extension is equal
   to the 0x40 (gostr34102012_256) or 0x41 (gostr34102012_512) value,
   the SignatureAndHashAlgorithm.hash field of this pair MUST contain
   the "Intrinsic" value 0x08 (see [RFC8422]).

6.  New Values for the Supported Groups Registry

   The Supported Groups Extension indicates the set of elliptic curves
   supported by the client and is defined in [RFC8422] and [RFC7919].

   This document defines new values for the "Supported Groups" registry:

   enum {
       GC256A(0x22), GC256B(0x23), GC256C(0x24), GC256D(0x25),
       GC512A(0x26), GC512B(0x27), GC512C(0x28),
   } NamedGroup;

   where the values correspond to the following curves:

   +-------------+--------------------------------------+-----------+
   | Description | Curve Identifier Value               | Reference |
   +-------------+--------------------------------------+-----------+
   | GC256A      | id-tc26-gost-3410-2012-256-paramSetA | RFC 7836  |
   +-------------+--------------------------------------+-----------+
   | GC256B      |id-GostR3410-2001-CryptoPro-A-ParamSet| RFC 4357  |
   +-------------+--------------------------------------+-----------+
   | GC256C      |id-GostR3410-2001-CryptoPro-B-ParamSet| RFC 4357  |
   +-------------+--------------------------------------+-----------+
   | GC256D      |id-GostR3410-2001-CryptoPro-C-ParamSet| RFC 4357  |
   +-------------+--------------------------------------+-----------+
   | GC512A      | id-tc26-gost-3410-12-512-paramSetA   | RFC 7836  |
   +-------------+--------------------------------------+-----------+
   | GC512B      | id-tc26-gost-3410-12-512-paramSetB   | RFC 7836  |
   +-------------+--------------------------------------+-----------+
   | GC512C      | id-tc26-gost-3410-2012-512-paramSetC | RFC 7836  |
   +-------------+--------------------------------------+-----------+

                                  Table 2

7.  New Values for the ClientCertificateType Identifiers Registry

   The ClientCertificateType field of the CertificateRequest message
   contains a list of the certificate types that the client may offer
   and is defined in Section 7.4.4 of [RFC5246].

   This document defines new values for the "ClientCertificateType
   Identifiers" registry:

   enum {
       gost_sign256(0x43),
       gost_sign512(0x44),
   } ClientCertificateType;

   To use the gost_sign256 or gost_sign512 authentication mechanism, the
   client MUST possess a certificate containing a GOST R
   34.10-2012-capable public key that corresponds to the 32-byte
   (256-bit) or 64-byte (512-bit) signature key respectively.

   The client proves possession of the private key corresponding to the
   certified key by including a signature in the CertificateVerify
   message as described in Section 4.2.5.

8.  Additional Algorithms

8.1.  TLSTREE

   The TLSTREE function is defined as follows:

   TLSTREE(K_root, i) = KDF_3(KDF_2(KDF_1(K_root, STR_8(i & C_1)),
                              STR_8(i & C_2)), STR_8(i & C_3)),

   where

   o  K_root in B_32;

   o  i in {0, 1, ... , 2^64 - 1};

   o  C_1, C_2, C_3 are constants defined by the particular cipher suite
      (see Section 8.1.1);

   o  KDF_j(K, D), j = 1, 2, 3, K in B_32, D in B_8, is the key
      derivation function based on the KDF_GOSTR3411_2012_256 function
      defined in [RFC7836]:

      KDF_1(K, D) = KDF_GOSTR3411_2012_256(K, "level1", D);
      KDF_2(K, D) = KDF_GOSTR3411_2012_256(K, "level2", D);
      KDF_3(K, D) = KDF_GOSTR3411_2012_256(K, "level3", D).

8.1.1.  Key Tree Parameters

   The CTR_OMAC cipher suites use the TLSTREE function for the re-keying
   approach.  The constants for it are defined as in the table below.
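   The following is an added example, not code from the draft or from
   any implementation it describes.  It parses the extension_data of a
   TLS 1.2 signature_algorithms extension (a 2-byte length followed by
   2-byte {hash, signature} pairs, Section 7.4.1.4.1 of [RFC5246]) and
   enforces the rule of Section 5 above: a pair whose signature value is
   gostr34102012_256 (0x40) or gostr34102012_512 (0x41) is accepted only
   with the Intrinsic hash value 0x08.  The sample extension bodies in
   main() are constructed for the demonstration; the other codepoints
   used (sha256 = 4, ecdsa = 3) are the [RFC5246] values.

```go
// Added example: validation of GOST signature/hash pairs in a TLS 1.2
// signature_algorithms extension (Section 5 of the draft).  Not part of
// the draft; the sample extension bodies below are constructed.
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	hashIntrinsic       = 0x08 // HashAlgorithm "Intrinsic", RFC 8422
	sigGOST34102012_256 = 0x40 // SignatureAlgorithm gostr34102012_256
	sigGOST34102012_512 = 0x41 // SignatureAlgorithm gostr34102012_512
)

// SigHashPair is one SignatureAndHashAlgorithm entry (hash byte first).
type SigHashPair struct {
	Hash, Signature uint8
}

// ParseSignatureAlgorithms decodes extension_data into its list of pairs,
// rejecting a length prefix that disagrees with the body and odd or empty
// lists (RFC 5246 requires at least one 2-byte pair).
func ParseSignatureAlgorithms(ext []byte) ([]SigHashPair, error) {
	if len(ext) < 2 {
		return nil, errors.New("extension too short for length prefix")
	}
	n := int(binary.BigEndian.Uint16(ext[:2]))
	body := ext[2:]
	if n != len(body) {
		return nil, fmt.Errorf("length prefix %d does not match body length %d", n, len(body))
	}
	if n == 0 || n%2 != 0 {
		return nil, fmt.Errorf("invalid supported_signature_algorithms length %d", n)
	}
	pairs := make([]SigHashPair, 0, n/2)
	for i := 0; i < n; i += 2 {
		pairs = append(pairs, SigHashPair{Hash: body[i], Signature: body[i+1]})
	}
	return pairs, nil
}

// ValidateGOSTPairs returns an error for the first pair that names a
// GOST R 34.10-2012 signature algorithm without the Intrinsic hash.
// Pairs using other signature algorithms are not the draft's concern
// and are left alone.
func ValidateGOSTPairs(pairs []SigHashPair) error {
	for i, p := range pairs {
		isGOST := p.Signature == sigGOST34102012_256 || p.Signature == sigGOST34102012_512
		if isGOST && p.Hash != hashIntrinsic {
			return fmt.Errorf("pair %d: signature 0x%02x requires hash Intrinsic (0x08), got 0x%02x",
				i, p.Signature, p.Hash)
		}
	}
	return nil
}

// CheckSignatureAlgorithmsExt parses and validates in one step; a peer
// would abort the handshake on a non-nil result.
func CheckSignatureAlgorithmsExt(ext []byte) error {
	pairs, err := ParseSignatureAlgorithms(ext)
	if err != nil {
		return err
	}
	return ValidateGOSTPairs(pairs)
}

func main() {
	// Constructed sample: {Intrinsic, gostr34102012_256},
	// {Intrinsic, gostr34102012_512}, {sha256, ecdsa}.
	good := []byte{0x00, 0x06, 0x08, 0x40, 0x08, 0x41, 0x04, 0x03}
	// Constructed sample that breaks the rule: sha256 (0x04) paired
	// with gostr34102012_256.
	bad := []byte{0x00, 0x02, 0x04, 0x40}
	fmt.Println("good:", CheckSignatureAlgorithmsExt(good))
	fmt.Println("bad: ", CheckSignatureAlgorithmsExt(bad))
}
```

   The parser deliberately refuses a length prefix that does not match
   the remaining bytes instead of silently truncating, so a malformed
   extension cannot hide a trailing pair from the validator.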
   +--------------------------------------------+----------------------+
   | CipherSuites                               | C_1, C_2, C_3        |
   +--------------------------------------------+----------------------+
   |TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC|C_1=0xFFFFFFFF00000000|
   |                                            |C_2=0xFFFFFFFFFFF80000|
   |                                            |C_3=0xFFFFFFFFFFFFFFC0|
   +--------------------------------------------+----------------------+
   |TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC     |C_1=0xFFFFFFC000000000|
   |                                            |C_2=0xFFFFFFFFFE000000|
   |                                            |C_3=0xFFFFFFFFFFFFF000|
   +--------------------------------------------+----------------------+

                                  Table 3

8.2.  Key export and key import algorithms

8.2.1.  KExp15 and KImp15 Algorithms

   Algorithms KExp15 and KImp15 use the block cipher determined by the
   particular cipher suite.

   The KExp15 key export algorithm is defined as follows.

   +------------------------------------------------------------+
   | KExp15(S, K_Exp_MAC, K_Exp_ENC, IV)                        |
   |------------------------------------------------------------|
   | Input:                                                     |
   |  - secret S to be exported, S in B*,                       |
   |  - key K_Exp_MAC in B_k,                                   |
   |  - key K_Exp_ENC in B_k,                                   |
   |  - IV in B_{n/2}                                           |
   | Output:                                                    |
   |  - export representation SExp in B_{|S|+n}                 |
   |------------------------------------------------------------|
   | 1. CEK_MAC = OMAC(K_Exp_MAC, IV | S), CEK_MAC in B_n       |
   | 2. SExp = CTR-Encrypt(K_Exp_ENC, IV, S | CEK_MAC)          |
   | 3. return SExp                                             |
   +------------------------------------------------------------+

   where the OMAC function is defined in [MODES], the CTR-Encrypt(K, IV,
   S) function denotes the encryption of message S on key K and nonce IV
   in the CTR mode with s = n (see [MODES]).

   The KImp15 key import algorithm is defined as follows.
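   The following is an added example, not code from the draft or from
   any implementation it describes.  It implements the TLSTREE structure
   of Section 8.1 with the C_1, C_2, C_3 constants of Table 3, and
   derives from the masks the re-keying schedule that Appendix A's test
   vectors exercise (for Magma the level-3 key changes every 4096
   records, level 2 every 2^25 and level 1 every 2^38; for Kuznyechik
   every 64, 2^19 and 2^32).  GOST R 34.11-2012 is not in Go's standard
   library, so the KDF_GOSTR3411_2012_256 input encoding from [RFC7836]
   (0x01 | label | 0x00 | seed | 0x01 | 0x00) is computed here over
   HMAC-SHA256 as a stand-in; this is an assumption made to keep the
   example runnable, and the resulting keys therefore do not match the
   Appendix A values.  STR_8 is taken as the 8-byte big-endian encoding
   used by the draft; the root key in main() is constructed.

```go
// Added example: the TLSTREE key tree of Section 8.1 with the Table 3
// constants.  Not part of the draft.  SHA-256 stands in for GOST R
// 34.11-2012 inside the KDF (assumption), so the key values differ from
// Appendix A, but the re-keying schedule implied by the masks is exact.
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"math/bits"
)

// TreeConsts holds C_1, C_2, C_3 for one cipher suite (Table 3).
type TreeConsts struct{ C1, C2, C3 uint64 }

var (
	KuznyechikConsts = TreeConsts{0xFFFFFFFF00000000, 0xFFFFFFFFFFF80000, 0xFFFFFFFFFFFFFFC0}
	MagmaConsts      = TreeConsts{0xFFFFFFC000000000, 0xFFFFFFFFFE000000, 0xFFFFFFFFFFFFF000}
)

// kdf follows KDF_GOSTR3411_2012_256(K, label, seed) from RFC 7836,
// HMAC(K, 0x01 | label | 0x00 | seed | 0x01 | 0x00), with HMAC-SHA256
// standing in for HMAC_GOSTR3411_2012_256 (assumption).
func kdf(key []byte, label string, seed []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte{0x01})
	m.Write([]byte(label))
	m.Write([]byte{0x00})
	m.Write(seed)
	m.Write([]byte{0x01, 0x00})
	return m.Sum(nil)
}

// str8 is STR_8(i): the 8-byte big-endian encoding of i.
func str8(i uint64) []byte {
	var b [8]byte
	binary.BigEndian.PutUint64(b[:], i)
	return b[:]
}

// TLSTREE computes
// KDF_3(KDF_2(KDF_1(K_root, STR_8(i&C_1)), STR_8(i&C_2)), STR_8(i&C_3)).
func TLSTREE(root []byte, i uint64, c TreeConsts) []byte {
	k1 := kdf(root, "level1", str8(i&c.C1))
	k2 := kdf(k1, "level2", str8(i&c.C2))
	return kdf(k2, "level3", str8(i&c.C3))
}

// RekeyPeriods returns, per level, how many consecutive sequence numbers
// share that level's key: 2^(trailing zero bits of the mask).
func RekeyPeriods(c TreeConsts) [3]uint64 {
	return [3]uint64{
		1 << bits.TrailingZeros64(c.C1),
		1 << bits.TrailingZeros64(c.C2),
		1 << bits.TrailingZeros64(c.C3),
	}
}

// TreeCache keeps the three intermediate keys and recomputes only the
// levels whose masked index changed, which is what makes a per-record
// key affordable.  Computed counts KDF invocations.
type TreeCache struct {
	root       []byte
	c          TreeConsts
	have       bool
	i1, i2, i3 uint64
	k1, k2, k3 []byte
	Computed   int
}

func NewTreeCache(root []byte, c TreeConsts) *TreeCache {
	return &TreeCache{root: root, c: c}
}

// Key returns TLSTREE(root, i) using cached upper levels where possible.
func (t *TreeCache) Key(i uint64) []byte {
	m1, m2, m3 := i&t.c.C1, i&t.c.C2, i&t.c.C3
	redo := !t.have
	if redo || m1 != t.i1 {
		t.k1, t.i1 = kdf(t.root, "level1", str8(m1)), m1
		t.Computed++
		redo = true
	}
	if redo || m2 != t.i2 {
		t.k2, t.i2 = kdf(t.k1, "level2", str8(m2)), m2
		t.Computed++
		redo = true
	}
	if redo || m3 != t.i3 {
		t.k3, t.i3 = kdf(t.k2, "level3", str8(m3)), m3
		t.Computed++
	}
	t.have = true
	return t.k3
}

func main() {
	root := make([]byte, 32) // constructed all-zero root key for the demo
	for _, cs := range []struct {
		name string
		c    TreeConsts
	}{{"Magma", MagmaConsts}, {"Kuznyechik", KuznyechikConsts}} {
		p := RekeyPeriods(cs.c)
		fmt.Printf("%s: level keys change every %d / %d / %d records\n", cs.name, p[0], p[1], p[2])
	}
	cache := NewTreeCache(root, MagmaConsts)
	for _, i := range []uint64{0, 4095, 4096, 33554432} {
		fmt.Printf("seqnum %d: key %x... (KDF calls so far: %d)\n", i, cache.Key(i)[:8], cache.Computed)
	}
}
```

   The sequence numbers in main() are the Magma boundaries from
   Appendix A.1.1.1; with the stand-in hash the printed keys differ from
   the appendix, but the points at which they change do not.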
   +-------------------------------------------------------------------+
   | KImp15(SExp, K_Exp_MAC, K_Exp_ENC, IV)                            |
   |-------------------------------------------------------------------|
   | Input:                                                            |
   |  - export representation SExp in B*                               |
   |  - key K_Exp_MAC in B_k,                                          |
   |  - key K_Exp_ENC in B_k,                                          |
   |  - IV in B_{n/2}                                                  |
   | Output:                                                           |
   |  - secret S in B_{|SExp|-n} or FAIL                               |
   |-------------------------------------------------------------------|
   | 1. S | CEK_MAC = CTR-Decrypt(K_Exp_ENC, IV, SExp), CEK_MAC in B_n |
   | 2. If CEK_MAC = OMAC(K_Exp_MAC, IV | S)                           |
   |      then return S; else return FAIL                              |
   +-------------------------------------------------------------------+

   where the OMAC function is defined in [MODES], the CTR-Decrypt(K, IV,
   S) function denotes the decryption of message S on key K and nonce IV
   in the CTR mode (see [MODES]).

   The keys K_Exp_MAC and K_Exp_ENC MUST be independent.  For every pair
   of keys (K_Exp_ENC, K_Exp_MAC) the IV values MUST be unique.  For the
   import of key K with the KImp15 algorithm every IV value MUST be sent
   with the export key representation or be a preshared value.

8.2.2.  KExp28147 and KImp28147 Algorithms

   The KExp28147 key export algorithm is defined as follows.

   +----------------------------------------------------------------+
   | KExp28147(S, K, IV)                                            |
   |----------------------------------------------------------------|
   | Input:                                                         |
   |  - secret S to be exported, S in B_32,                         |
   |  - key K in B_32,                                              |
   |  - IV in B_8.                                                  |
   | Output:                                                        |
   |  - export representation SExp in B_44                          |
   |----------------------------------------------------------------|
   | 1. CEK_MAC = gost28147IMIT(IV, K, S), CEK_MAC in B_4           |
   | 2. CEK_ENC = ECB-Encrypt(K, S), CEK_ENC in B_32                |
   | 3. return SExp = IV | CEK_ENC | CEK_MAC                        |
   +----------------------------------------------------------------+

   where the gost28147IMIT function is defined in Section 8.4 and the
   ECB-Encrypt(K, S) function denotes the encryption of message S on key
   K with the block cipher GOST 28147-89 in the ECB mode (see
   [RFC5830]).

   The KImp28147 key import algorithm is defined as follows.

   +----------------------------------------------------------------+
   | KImp28147(SExp, K, IV)                                         |
   |----------------------------------------------------------------|
   | Input:                                                         |
   |  - export representation SExp in B_44,                         |
   |  - key K in B_32,                                              |
   |  - IV in B_8.                                                  |
   | Output:                                                        |
   |  - imported secret S in B_32 or FAIL                           |
   |----------------------------------------------------------------|
   | 1. extract from SExp                                           |
   |      IV' = SExp[1..8],                                         |
   |      CEK_ENC = SExp[9..40],                                    |
   |      CEK_MAC = SExp[41..44]                                    |
   | 2. if IV' != IV then return FAIL; else                         |
   | 3. S = ECB-Decrypt(K, CEK_ENC), S in B_32                      |
   | 4. If CEK_MAC = gost28147IMIT(IV, K, S)                        |
   |      then return S; else return FAIL                           |
   +----------------------------------------------------------------+

   where the gost28147IMIT function is defined in Section 8.4 and the
   ECB-Decrypt(K, CEK_ENC) function denotes the decryption of ciphertext
   CEK_ENC on key K with the block cipher GOST 28147-89 in the ECB mode
   (see [RFC5830]).

8.3.  Key Exchange Generation Algorithms

8.3.1.  KEG Algorithm

   The KEG algorithm is defined as follows:

   +----------------------------------------------------------------+
   | KEG(d, Q, H)                                                   |
   |----------------------------------------------------------------|
   | Input:                                                         |
   |  - private key d,                                              |
   |  - public key Q,                                               |
   |  - H in B_32.                                                  |
   | Output:                                                        |
   |  - key material K in B_64.                                     |
   |----------------------------------------------------------------|
   | 1. If m < 2^{256}                                              |
   |      return KEG_256(d, Q, H)                                   |
   | 2. If m < 2^{512}                                              |
   |      return KEG_512(d, Q, H)                                   |
   | 3. return FAIL                                                 |
   +----------------------------------------------------------------+

   where m is the order of the elliptic curve point group containing
   the point Q, and d in {1, ... , m - 1}.

   The KEG_256 algorithm is defined as follows:

   +----------------------------------------------------------------+
   | KEG_256(d, Q, H)                                               |
   |----------------------------------------------------------------|
   | Input:                                                         |
   |  - private key d,                                              |
   |  - public key Q,                                               |
   |  - H in B_32.                                                  |
   | Output:                                                        |
   |  - key material K in B_64.                                     |
   |----------------------------------------------------------------|
   | 1. r = INT(H[1..16])                                           |
   | 2. If r = 0                                                    |
   |      UKM = 1; else UKM = r                                     |
   | 3. K_EXP = VKO_256(d, Q, UKM)                                  |
   | 4. seed = H[17..24]                                            |
   | 5. return KDFTREE_256(K_EXP, "kdf tree", seed, 1)              |
   +----------------------------------------------------------------+

   where VKO_256 is the VKO_GOSTR3410_2012_256 function defined in
   [RFC7836] and KDFTREE_256 is the KDF_TREE_GOSTR3411_2012_256 function
   defined in [RFC7836] with the parameter L equal to 512.

   The KEG_512 algorithm is defined as follows:

   +----------------------------------------------------------------+
   | KEG_512(d, Q, H)                                               |
   |----------------------------------------------------------------|
   | Input:                                                         |
   |  - private key d,                                              |
   |  - public key Q,                                               |
   |  - H in B_32.                                                  |
   | Output:                                                        |
   |  - key material K in B_64.                                     |
   |----------------------------------------------------------------|
   | 1. r = INT(H[1..16])                                           |
   | 2. If r = 0                                                    |
   |      UKM = 1; else UKM = r                                     |
   | 3. return VKO_512(d, Q, UKM)                                   |
   +----------------------------------------------------------------+

   where VKO_512 is the VKO_GOSTR3410_2012_512 function defined in
   [RFC7836].

8.3.2.  KEG_28147 Algorithm

   The KEG_28147 algorithm is defined as follows:

   +----------------------------------------------------------------+
   | KEG_28147(d, Q, H)                                             |
   |----------------------------------------------------------------|
   | Input:                                                         |
   |  - private key d,                                              |
   |  - public key Q,                                               |
   |  - H in B_32.                                                  |
   | Output:                                                        |
   |  - key material K in B_32.                                     |
   |----------------------------------------------------------------|
   | 1. UKM = H[1..8]                                               |
   | 2. R = VKO_256(d, Q, int(UKM))                                 |
   | 3. return K = CPDivers(UKM, R)                                 |
   +----------------------------------------------------------------+

   where the VKO_256 function is the VKO_GOSTR3410_2012_256 function
   defined in [RFC7836], and the CPDivers function is the CryptoPro KEK
   Diversification Algorithm defined in [RFC4357], which takes as input
   the UKM value and the key value.

8.4.  gost28147IMIT

   gost28147IMIT(IV, K, M) is a MAC algorithm with 4-byte output and is
   defined as follows:

   +----------------------------------------------------------------+
   | gost28147IMIT(IV, K, M)                                        |
   |----------------------------------------------------------------|
   | Input:                                                         |
   |  - initial value IV in B_8,                                    |
   |  - key K in B_32,                                              |
   |  - message M in B*.                                            |
   | Output:                                                        |
   |  - MAC value T in B_4.                                         |
   |----------------------------------------------------------------|
   | 1. M' = PAD(M)                                                 |
   | 2. M' = M'_0 | ... | M'_r, |M'_i| = 8, i in {0, ... , r}       |
   | 3. M'' = (M'_0 XOR IV) | M'_1 | ... | M'_r                     |
   | 4. return T = MAC28147(K, M'')                                 |
   +----------------------------------------------------------------+

   where the PAD function is the padding function that adds m zero bytes
   to the end of the message, m being the smallest non-negative solution
   of the equation (|M| + m) mod 8 = 0, and the MAC28147 function is the
   Message Authentication Code Generation Mode defined in [RFC5830] with
   4-byte output.

9.  IANA Considerations

   IANA has added the numbers {0xC1, 0x00}, {0xC1, 0x01} and {0xC1, 0x02}
   with the names TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC,
   TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC and
   TLS_GOSTR341112_256_WITH_28147_CNT_IMIT to the "TLS Cipher Suite"
   registry with this document as reference, as shown below.

   +-------------+-----------------------------+---------+----------+
   | Value       | Description                 | DTLS-OK | Reference|
   +-------------+-----------------------------+---------+----------+
   | 0xC1, 0x00  | TLS_GOSTR341112_256_        | N       | this RFC |
   |             |   _WITH_KUZNYECHIK_CTR_OMAC |         |          |
   +-------------+-----------------------------+---------+----------+
   | 0xC1, 0x01  | TLS_GOSTR341112_256_        | N       | this RFC |
   |             |   _WITH_MAGMA_CTR_OMAC      |         |          |
   +-------------+-----------------------------+---------+----------+
   | 0xC1, 0x02  | TLS_GOSTR341112_256_        | N       | this RFC |
   |             |   _WITH_28147_CNT_IMIT      |         |          |
   +-------------+-----------------------------+---------+----------+

                                  Table 4

   IANA has added the numbers 0x40 and 0x41 with the names
   gostr34102012_256 and gostr34102012_512 to the "TLS
   SignatureAlgorithm" registry, as shown below.
   +-----------+---------------------+---------+----------+
   | Value     | Description         | DTLS-OK | Reference|
   +-----------+---------------------+---------+----------+
   | 0x40      | gostr34102012_256   | Y       | this RFC |
   +-----------+---------------------+---------+----------+
   | 0x41      | gostr34102012_512   | Y       | this RFC |
   +-----------+---------------------+---------+----------+

                                  Table 5

   IANA has added the numbers 0x22, 0x23, 0x24, 0x25, 0x26, 0x27 and
   0x28 with the names GC256A, GC256B, GC256C, GC256D, GC512A, GC512B
   and GC512C to the "TLS Supported Groups" registry, as shown below.

   +-----------+----------------+---------+-------------+-----------+
   | Value     | Description    | DTLS-OK | Recommended | Reference |
   +-----------+----------------+---------+-------------+-----------+
   | 0x22      | GC256A         | Y       | N           | this RFC  |
   +-----------+----------------+---------+-------------+-----------+
   | 0x23      | GC256B         | Y       | N           | this RFC  |
   +-----------+----------------+---------+-------------+-----------+
   | 0x24      | GC256C         | Y       | N           | this RFC  |
   +-----------+----------------+---------+-------------+-----------+
   | 0x25      | GC256D         | Y       | N           | this RFC  |
   +-----------+----------------+---------+-------------+-----------+
   | 0x26      | GC512A         | Y       | N           | this RFC  |
   +-----------+----------------+---------+-------------+-----------+
   | 0x27      | GC512B         | Y       | N           | this RFC  |
   +-----------+----------------+---------+-------------+-----------+
   | 0x28      | GC512C         | Y       | N           | this RFC  |
   +-----------+----------------+---------+-------------+-----------+

                                  Table 6

   IANA has added the numbers 0x43 and 0x44 with the names gost_sign256
   and gost_sign512 to the "ClientCertificateType Identifiers" registry,
   as shown below.
   +-----------+---------------------+---------+----------+
   | Value     | Description         | DTLS-OK | Reference|
   +-----------+---------------------+---------+----------+
   | 0x43      | gost_sign256        | Y       | this RFC |
   +-----------+---------------------+---------+----------+
   | 0x44      | gost_sign512        | Y       | this RFC |
   +-----------+---------------------+---------+----------+

                                  Table 7

10.  Historical considerations

   Note that prior to the existence of this document implementations
   could use only values from the Private Use space in order to use
   the GOST-based algorithms.  So some old implementations can still use
   the old value {0x00, 0x81} instead of the {0xC1, 0x02} value to
   indicate the TLS_GOSTR341112_256_WITH_28147_CNT_IMIT cipher suite;
   one old value 0xEE instead of the values 0x40, 0x08 and 0x43 (to
   indicate the gostr34102012_256 signature algorithm, the Intrinsic
   hash algorithm and the gost_sign256 certificate type respectively);
   and one old value 0xEF instead of the values 0x41, 0x08 and 0x44 (to
   indicate the gostr34102012_512 signature algorithm, the Intrinsic
   hash algorithm and the gost_sign512 certificate type respectively).

   For historical reasons, in addition to the curve identifier values
   listed in Table 2 there exist some extra identifier values that
   correspond to the curves GC256B, GC256C and GC256D, as follows.
   +-------------+-----------------------------------------+
   | Description | Curve Identifier Values                 |
   +-------------+-----------------------------------------+
   | GC256B      |id-GostR3410_2001-CryptoPro-XchA-ParamSet|
   |             |id-tc26-gost-3410-2012-256-paramSetB     |
   +-------------+-----------------------------------------+
   | GC256C      |id-tc26-gost-3410-2012-256-paramSetC     |
   +-------------+-----------------------------------------+
   | GC256D      |id-GostR3410-2001-CryptoPro-XchB-ParamSet|
   |             |id-tc26-gost-3410-2012-256-paramSetD     |
   +-------------+-----------------------------------------+

                                  Table 8

   Clients should be prepared to handle any of them correctly if the
   corresponding group is included in the supported_groups extension.

11.  Security Considerations

   This entire document is about security considerations.

12.  References

12.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC4357]  Popov, V., Kurepkin, I., and S. Leontiev, "Additional
              Cryptographic Algorithms for Use with GOST 28147-89, GOST
              R 34.10-94, GOST R 34.10-2001, and GOST R 34.11-94
              Algorithms", RFC 4357, DOI 10.17487/RFC4357, January 2006.

   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.2", RFC 5246,
              DOI 10.17487/RFC5246, August 2008.

   [RFC5746]  Rescorla, E., Ray, M., Dispensa, S., and N. Oskov,
              "Transport Layer Security (TLS) Renegotiation Indication
              Extension", RFC 5746, DOI 10.17487/RFC5746, February 2010.

   [RFC5830]  Dolmatov, V., Ed., "GOST 28147-89: Encryption, Decryption,
              and Message Authentication Code (MAC) Algorithms",
              RFC 5830, DOI 10.17487/RFC5830, March 2010.

   [RFC6986]  Dolmatov, V., Ed. and A. Degtyarev, "GOST R 34.11-2012:
              Hash Function", RFC 6986, DOI 10.17487/RFC6986, August
              2013.

   [RFC7091]  Dolmatov, V., Ed. and A. Degtyarev, "GOST R 34.10-2012:
              Digital Signature Algorithm", RFC 7091,
              DOI 10.17487/RFC7091, December 2013.

   [RFC7366]  Gutmann, P., "Encrypt-then-MAC for Transport Layer
              Security (TLS) and Datagram Transport Layer Security
              (DTLS)", RFC 7366, DOI 10.17487/RFC7366, September 2014.

   [RFC7627]  Bhargavan, K., Ed., Delignat-Lavaud, A., Pironti, A.,
              Langley, A., and M. Ray, "Transport Layer Security (TLS)
              Session Hash and Extended Master Secret Extension",
              RFC 7627, DOI 10.17487/RFC7627, September 2015.

   [RFC7801]  Dolmatov, V., Ed., "GOST R 34.12-2015: Block Cipher
              "Kuznyechik"", RFC 7801, DOI 10.17487/RFC7801, March 2016.

   [RFC7836]  Smyshlyaev, S., Ed., Alekseev, E., Oshkin, I., Popov, V.,
              Leontiev, S., Podobaev, V., and D. Belyavsky, "Guidelines
              on the Cryptographic Algorithms to Accompany the Usage of
              Standards GOST R 34.10-2012 and GOST R 34.11-2012",
              RFC 7836, DOI 10.17487/RFC7836, March 2016.

   [RFC7919]  Gillmor, D., "Negotiated Finite Field Diffie-Hellman
              Ephemeral Parameters for Transport Layer Security (TLS)",
              RFC 7919, DOI 10.17487/RFC7919, August 2016.

   [RFC8422]  Nir, Y., Josefsson, S., and M. Pegourie-Gonnard, "Elliptic
              Curve Cryptography (ECC) Cipher Suites for Transport Layer
              Security (TLS) Versions 1.2 and Earlier", RFC 8422,
              DOI 10.17487/RFC8422, August 2018.

   [RFC8645]  Smyshlyaev, S., Ed., "Re-keying Mechanisms for Symmetric
              Keys", RFC 8645, DOI 10.17487/RFC8645, August 2019.

12.2.  Informative References

   [CMAC]     Dworkin, M., "Recommendation for Block Cipher Modes of
              Operation: the CMAC Mode for Authentication", NIST Special
              Publication 800-38B, 2005.
   [GOST28147-89]
              Government Committee of the USSR for Standards,
              "Cryptographic Protection for Data Processing System,
              Gosudarstvennyi Standard of USSR (In Russian)",
              GOST 28147-89, 1989.

   [GOST3410-2012]
              Federal Agency on Technical Regulating and Metrology,
              "Information technology.  Cryptographic data security.
              Signature and verification processes of [electronic]
              digital signature", GOST R 34.10-2012, 2012.

   [GOST3411-2012]
              Federal Agency on Technical Regulating and Metrology,
              "Information technology.  Cryptographic Data Security.
              Hashing function", GOST R 34.11-2012, 2012.

   [GOST3412-2015]
              Federal Agency on Technical Regulating and Metrology,
              "Information technology.  Cryptographic data security.
              Block ciphers", GOST R 34.12-2015, 2015.

   [GOST3413-2015]
              Federal Agency on Technical Regulating and Metrology,
              "Information technology.  Cryptographic data security.
              Modes of operation for block ciphers", GOST R 34.13-2015,
              2015.

   [IK2003]   Iwata, T. and K. Kurosawa, "OMAC: One-Key CBC MAC",
              FSE 2003, Lecture Notes in Computer Science, vol. 2887,
              Springer, Berlin, Heidelberg, 2003.

   [MODES]    Dworkin, M., "Recommendation for Block Cipher Modes of
              Operation: Methods and Techniques", NIST Special
              Publication 800-38A, December 2001.

Appendix A.  Test Examples

A.1.  Test Examples for CTR_OMAC cipher suites

A.1.1.  TLSTREE Examples

A.1.1.1.  TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC ciphersuite

   TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC
   ***********************************************
   Root Key K_root:
   00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A
   11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00

   seqnum = 0
   First level key from Divers_1:
   F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1
   39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42

   Second level key from Divers_2:
   51 37 D5 C4 A6 E6 BE 42 C4 40 D1 0A 95 EE A0 7F
   08 9E 74 0D 38 90 EB 52 65 2C 0C B9 3F 20 7B B4

   The resulting key from Divers_3:
   19 A7 6E D3 0F 4D 6D 1F 5B 72 63 EC 49 1A D8 38
   17 C0 B5 7D 8A 03 56 12 71 40 FB 4F 74 25 49 4D

   seqnum = 4095
   First level key from Divers_1:
   F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1
   39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42

   Second level key from Divers_2:
   51 37 D5 C4 A6 E6 BE 42 C4 40 D1 0A 95 EE A0 7F
   08 9E 74 0D 38 90 EB 52 65 2C 0C B9 3F 20 7B B4

   The resulting key from Divers_3:
   19 A7 6E D3 0F 4D 6D 1F 5B 72 63 EC 49 1A D8 38
   17 C0 B5 7D 8A 03 56 12 71 40 FB 4F 74 25 49 4D

   seqnum = 4096
   First level key from Divers_1:
   F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1
   39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42

   Second level key from Divers_2:
   51 37 D5 C4 A6 E6 BE 42 C4 40 D1 0A 95 EE A0 7F
   08 9E 74 0D 38 90 EB 52 65 2C 0C B9 3F 20 7B B4

   The resulting key from Divers_3:
   FB 30 EE 53 CF CF 89 D7 48 FC 0C 72 EF 16 0B 8B
   53 CB BB FD 03 12 82 B0 26 21 4A B2 E0 77 58 FF

   seqnum = 33554431
   First level key from Divers_1:
   F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1
   39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42

   Second level key from Divers_2:
   51 37 D5 C4 A6 E6 BE 42 C4 40 D1 0A 95 EE A0 7F
   08 9E 74 0D 38 90 EB 52 65 2C 0C B9 3F 20 7B B4

   The resulting key from Divers_3:
   B8 5B 36 DC 22 82 32 6B C0 35 C5 72 DC 93 F1 8D
   83 AA 01 74 F3 94 20 9A 51 3B B3 74 DC 09 35 AE

   seqnum = 33554432
   First level key from Divers_1:
   F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1
   39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42

   Second level key from Divers_2:
   3F EA 59 38 DA 2B F8 DD C4 7E C1 DC 55 61 89 66
   79 02 BE 42 0D F4 C3 7D AF 21 75 3B CB 1D C7 F3

   The resulting key from Divers_3:
   0F D7 C0 9E FD F8 E8 15 73 EE CC F8 6E 4B 95 E3
   AF 7F 34 DA B1 17 7C FD 7D B9 7B 6D A9 06 40 8A

   seqnum = 274877906943
   First level key from Divers_1:
   F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1
   39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42

   Second level key from Divers_2:
   AB F3 A5 37 98 3A 1B 98 40 06 6D E6 8A 49 BF 25
   97 7E E5 C3 F5 2D 33 3E 3C 22 0F 1D 15 C5 08 93

   The resulting key from Divers_3:
   48 0F 99 72 BA F2 5D 4C 36 9A 96 AF 91 BC A4 55
   3F 79 D8 F0 C5 61 8B 19 FD 44 CF DC 57 FA 37 33

   seqnum = 274877906944
   First level key from Divers_1:
   15 60 0D 9E 8F A6 85 54 CF 15 2D C7 4F BC 42 51
   17 B0 3E 09 76 BB 28 EA 98 24 C3 B7 0F 28 CB D8

   Second level key from Divers_2:
   6C C2 8E B0 93 24 72 12 5C 7A D3 F8 09 73 B3 C8
   C4 13 7D A5 73 BC 17 1A 24 ED D4 A3 71 F1 F8 73

   The resulting key from Divers_3:
   25 28 C1 C6 A8 F0 92 7B F2 BE 27 BB 78 D2 7F 21
   46 D6 55 93 B0 C7 17 3A 06 CB 9D 88 DF 92 32 65

A.1.1.2.  TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC ciphersuite

   TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC
   ***********************************************
   Root Key K_root:
   00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A
   11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00

   seqnum = 0
   First level key from Divers_1:
   F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1
   39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42

   Second level key from Divers_2:
   51 37 D5 C4 A6 E6 BE 42 C4 40 D1 0A 95 EE A0 7F
   08 9E 74 0D 38 90 EB 52 65 2C 0C B9 3F 20 7B B4

   The resulting key from Divers_3:
   19 A7 6E D3 0F 4D 6D 1F 5B 72 63 EC 49 1A D8 38
   17 C0 B5 7D 8A 03 56 12 71 40 FB 4F 74 25 49 4D

   seqnum = 63
   First level key from Divers_1:
   F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1
   39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42

   Second level key from Divers_2:
   51 37 D5 C4 A6 E6 BE 42 C4 40 D1 0A 95 EE A0 7F
   08 9E 74 0D 38 90 EB 52 65 2C 0C B9 3F 20 7B B4

   The resulting key from Divers_3:
   19 A7 6E D3 0F 4D 6D 1F 5B 72 63 EC 49 1A D8 38
   17 C0 B5 7D 8A 03 56 12 71 40 FB 4F 74 25 49 4D

   seqnum = 64
   First level key from Divers_1:
   F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1
   39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42

   Second level key from Divers_2:
   51 37 D5 C4 A6 E6 BE 42 C4 40 D1 0A 95 EE A0 7F
   08 9E 74 0D 38 90 EB 52 65 2C 0C B9 3F 20 7B B4

   The resulting key from Divers_3:
   AE BE 1E F4 18 71 3B F0 44 B9 FC D9 E5 72 D4 37
   FB 38 B5 D8 29 56 7A 6F 79 18 39 6D 9F 4E 09 6B

   seqnum = 524287
   First level key from Divers_1:
   F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1
   39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42

   Second level key from Divers_2:
   51 37 D5 C4 A6 E6 BE 42 C4 40 D1 0A 95 EE A0 7F
   08 9E 74 0D 38 90 EB 52 65 2C 0C B9 3F 20 7B B4

   The resulting key from Divers_3:
   6F 18 D4 00 3E A2 CB 30 F5 FE C1 93 A2 34 F0 7D
   7C 43 94 98 7F 50 75 8D E2 2B 22 0D 8A 10 51 06

   seqnum = 524288
   First level key from Divers_1:
   F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1
   39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42

   Second level key from Divers_2:
   F6 59 EB 85 EE BD 2A 8D CC 1B B3 F7 C6 00 57 FF
   6D 33 B6 0F 74 65 DD 42 B5 11 2C F3 A6 B1 AB 66

   The resulting key from Divers_3:
   E5 4B 16 41 5B 3B 66 3E 78 0B 06 2D 24 F7 36 C4
   49 54 63 C3 A8 91 E1 FA 46 F7 AE 99 FF F9 F3 78

   seqnum = 4294967295
   First level key from Divers_1:
   F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1
   39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42

   Second level key from Divers_2:
   F4 BC 10 1A BB 68 86 2A 8C E3 1E A0 0D DF A7 FE
   B8 29 10 F1 24 F4 B1 E2 9E A8 3B E0 06 C2 26 8D

   The resulting key from Divers_3:
   CF 60 09 04 C7 1E 7B 88 A4 9A C8 E2 45 77 4B 3D
   BE ED FB 81 DE 9A 0E 2F 4E 46 C3 56 07 BC 2F 04

   seqnum = 4294967296
   First level key from Divers_1:
   55 CC 95 E0 D1 FB 54 85 AF 8E F6 9A CD 72 B2 32
   79 7C D2 E8 5D 86 CD FD 1D E5 5B D1 FA 14 37 78

   Second level key from Divers_2:
   72 16 91 E1 01 C4 28 96 A6 40 AE 18 3F BB 44 5B
   76 37 9C 57 E1 FD 8A 7D 49 A6 23 E4 23 8C 0E 1D

   The resulting key from Divers_3:
   16 18 0B 24 64 54 00 B8 36 14 38 37 D8 6A AC 93
   95 2A E3 EB 82 44 D5 EC 2A B0 2C FF 30 78 11 38

A.1.2.  Record Examples

A.1.2.1.  TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC ciphersuite

   TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC
   ********************************************************
   It is assumed that the following keys were established during the
   Handshake:

   - MAC key:
   00000: 00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A
   00010: 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00
   - Encryption key:
   00000: 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11
   00010: 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22
   - IV:
   00000: 00 00 00 00
   ---------------------------------------------------------
   seqnum = 0

   Application data:
   00000: 00 00 00 00 00 00 00

   TLSPlaintext:
   00000: 17 03 03 00 07 00 00 00 00 00 00 00

   K_MAC_0:
   00000: 19 A7 6E D3 0F 4D 6D 1F 5B 72 63 EC 49 1A D8 38
   00010: 17 C0 B5 7D 8A 03 56 12 71 40 FB 4F 74 25 49 4D

   MAC value:
   00000: F3 3E B6 89 6F EC E2 86

   K_ENC_0:
   00000: 58 AF BE 9A 4C 31 98 AA AB AA 26 92 C4 19 F1 79
   00010: 7C 9B 92 DE B3 CC 74 46 B3 63 57 71 13 F0 FB 56

   IV_0:
   00000: 00 00 00 00

   TLSCiphertext:
   00000: 17 03 03 00 0F 9B 42 0D A8 6F AF 36 7F 05 14 43
   00010: CE 9C 10 72
   ---------------------------------------------------------
   seqnum = 4095

   Application data:
   00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   . . .
   003D0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   003E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   003F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

   TLSPlaintext:
   00000: 17 03 03 04 00 00 00 00 00 00 00 00 00 00 00 00
   00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   . . .
   003D0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   003E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   003F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00400: 00 00 00 00 00

   K_MAC_4095:
   00000: 19 A7 6E D3 0F 4D 6D 1F 5B 72 63 EC 49 1A D8 38
   00010: 17 C0 B5 7D 8A 03 56 12 71 40 FB 4F 74 25 49 4D

   MAC value:
   00000: 58 D3 BB 60 8F BC 98 B8

   K_ENC_4095:
   00000: 58 AF BE 9A 4C 31 98 AA AB AA 26 92 C4 19 F1 79
   00010: 7C 9B 92 DE B3 CC 74 46 B3 63 57 71 13 F0 FB 56
   IV_4095:
   00000: 00 00 0F FF

   TLSCiphertext:
   00000: 17 03 03 04 08 B7 11 43 8B 16 20 1F 3C 49 33 95
   00010: 21 C9 C8 CA 75 66 D4 C2 0F D3 3E 58 1F 80 07 DC
   00020: 76 04 3E 2B 35 C8 E8 4B B2 55 08 27 66 13 59 6F
   . . .
   003D0: E7 77 70 BF 45 17 E1 F8 DD 1B 2C 05 64 AD 68 FC
   003E0: 4A 88 9A 48 B8 B1 FF 0E A4 E1 BB 70 4D 56 A4 75
   003F0: 2F 51 A5 82 CC 54 1A 80 8F 8C 8B 62 97 68 88 C8
   00400: 10 59 DE 41 27 63 A3 E0 99 9A CD DA 77

   ---------------------------------------------------------
   seqnum = 4096

   Application data:
   00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   . . .
   007D0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   007E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   007F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

   TLSPlaintext:
   00000: 17 03 03 08 00 00 00 00 00 00 00 00 00 00 00 00
   00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   . . .
   007D0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   007E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   007F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00800: 00 00 00 00 00

   K_MAC_4096:
   00000: FB 30 EE 53 CF CF 89 D7 48 FC 0C 72 EF 16 0B 8B
   00010: 53 CB BB FD 03 12 82 B0 26 21 4A B2 E0 77 58 FF

   MAC value:
   00000: 50 55 A2 6A BE 19 63 81

   K_ENC_4096:
   00000: ED F2 FD 02 47 71 60 23 83 09 00 2D 1D 57 DF 9F
   00010: D2 ED 18 D6 45 66 C7 6F 4B F0 3D 3A BF 7B BB 1E

   IV_4096:
   00000: 00 00 10 00
   TLSCiphertext:
   00000: 17 03 03 08 08 99 95 26 07 03 47 1D ED A2 E6 55
   00010: B6 B3 93 83 5E 33 8B 1E D0 0E DD 22 47 A2 FB 88
   00020: FB B7 A8 94 80 62 08 8A F3 2C AE B6 AA 2C 4F 2A
   . . .
   007D0: 7F 0B 24 61 E7 5F E1 06 34 B8 4D C5 70 35 72 5A
   007E0: CA 4F 0C BC A9 B0 6C B9 F7 6F BD 2F 80 46 2B 8D
   007F0: 77 5E BD 41 6F 63 41 39 AC 89 C2 ED 3D F1 9F E2
   00800: 4E F8 C0 5A A8 90 93 1B 01 86 FD 7D DF

A.1.2.2.  TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC ciphersuite

   TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC
   ***********************************************
   It is assumed that the following keys were established during the
   Handshake:

   - MAC key:
     00000: 00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A
     00010: 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00
   - Encryption key:
     00000: 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11
     00010: 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22
   - IV:
     00000: 00 00 00 00 00 00 00 00

   ---------------------------------------------------------
   seqnum = 0

   Application data:
   00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

   TLSPlaintext:
   00000: 17 03 03 00 0F 00 00 00 00 00 00 00 00 00 00 00
   00010: 00 00 00 00

   K_MAC_0:
   00000: 19 A7 6E D3 0F 4D 6D 1F 5B 72 63 EC 49 1A D8 38
   00010: 17 C0 B5 7D 8A 03 56 12 71 40 FB 4F 74 25 49 4D

   MAC value:
   00000: FD 17 19 DD 95 08 37 EB 7C 7B B8 F5 00 37 99 81

   K_ENC_0:
   00000: 58 AF BE 9A 4C 31 98 AA AB AA 26 92 C4 19 F1 79
   00010: 7C 9B 92 DE B3 CC 74 46 B3 63 57 71 13 F0 FB 56
   IV_0:
   00000: 00 00 00 00 00 00 00 00

   TLSCiphertext:
   00000: 17 03 03 00 1F 4D 1A 30 52 36 57 3B FF C1 4E 46
   00010: DC BE 74 6D B6 C9 9A 17 5A 81 C4 71 1E 2F 84 C3
   00020: 92 C5 40 7C

   ---------------------------------------------------------
   seqnum = 63

   Application data:
   00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   . . .
   00FD0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00FE0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00FF0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

   TLSPlaintext:
   00000: 17 03 03 10 00 00 00 00 00 00 00 00 00 00 00 00
   00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   . . .
   00FD0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00FE0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00FF0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   01000: 00 00 00 00 00

   K_MAC_63:
   00000: 19 A7 6E D3 0F 4D 6D 1F 5B 72 63 EC 49 1A D8 38
   00010: 17 C0 B5 7D 8A 03 56 12 71 40 FB 4F 74 25 49 4D

   MAC value:
   00000: 98 46 27 61 D0 26 24 4A 2C 0B 7D 1B CC CB E7 B0

   K_ENC_63:
   00000: 58 AF BE 9A 4C 31 98 AA AB AA 26 92 C4 19 F1 79
   00010: 7C 9B 92 DE B3 CC 74 46 B3 63 57 71 13 F0 FB 56

   IV_63:
   00000: 00 00 00 00 00 00 00 3F

   TLSCiphertext:
   00000: 17 03 03 10 10 12 93 51 D2 6E 14 07 13 A2 1B 37
   00010: 68 24 A2 23 17 CD C0 D8 8E 01 CF A3 FE 21 41 5F
   00020: 5C 5E 05 86 9C CF 38 A5 1B C2 E0 ED 68 94 46 A8
   . . .
   00FE0: 19 AD 99 8C 06 25 21 E6 7B 63 59 A4 F5 C8 16 F9
   00FF0: 47 6B A7 13 26 82 BB A8 CE 0B ED AD 65 E4 20 A2
   01000: 97 B6 E2 C6 1F A4 06 D9 B8 CA 36 FD 9F CD 3A EE
   01010: 24 78 F4 D1 96

   ---------------------------------------------------------
   seqnum = 64

   Application data:
   00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   . . .
   01FD0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   01FE0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   01FF0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

   TLSPlaintext:
   00000: 17 03 03 20 00 00 00 00 00 00 00 00 00 00 00 00
   00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   . . .
   01FD0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   01FE0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   01FF0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   02000: 00 00 00 00 00

   K_MAC_64:
   00000: AE BE 1E F4 18 71 3B F0 44 B9 FC D9 E5 72 D4 37
   00010: FB 38 B5 D8 29 56 7A 6F 79 18 39 6D 9F 4E 09 6B

   MAC value:
   00000: EA C3 97 87 84 2B 1D BD 60 80 CC 3F BF AE 5C 2F

   K_ENC_64:
   00000: 64 F5 5A FC 37 A1 74 D9 53 3E 70 8B CD 14 FA 4A
   00010: EE C3 7B C0 E3 2B A4 99 01 B4 66 9E 96 A6 3D 96

   IV_64:
   00000: 00 00 00 00 00 00 00 40

   TLSCiphertext:
   00000: 17 03 03 20 10 E6 66 BB 98 AC 5B 0F 39 31 D8 55
   00010: 1B 93 36 85 96 EE F0 EB A8 26 9C B8 BD AA E7 EB
   00020: 80 C8 30 D7 5A B7 D4 6C 25 06 DC 8B 83 E1 F2 D3
   . . .
   01FE0: B3 02 67 2C CB 02 86 CD 40 48 FB D5 38 1A 65 55
   01FF0: 26 11 25 51 01 4F A8 ED F5 C2 1B 7D 1D B3 9D 6B
   02000: AD EC 0D 7C 07 05 34 8B 5C 55 6C 4D 50 81 69 1A
   02010: A9 EC 36 F8 B5

A.1.3.  Handshake Examples

A.1.3.1.  TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC ciphersuite

   Server certificate curve OID:
      id-GostR3410-2001-CryptoPro-A-ParamSet, "1.2.643.2.2.35.1"

   Server public key Q_s:
      x = 0x6531D4A72E655BFC9DFB94293B260702
            82FABF10D5C49B7366148C60E0BF8167

      y = 0x37F8CC71DC5D917FC4A66F7826E72750
            8270B4FFC266C26CD4363E77B553A5B8

   Server private key d_s:
      0x5F308355DFD6A8ACAEE0837B100A3B1F
        6D63FB29B78EF27D3967757F0527144C

   ---------------------------Client---------------------------

   ClientHello message:
     msg_type: 01
     length: 000040
     body:
       client_version:
         major: 03
         minor: 03
       random: 933EA21EC3802A561550EC78D6ED51AC
               2439D7E749C31BC3A3456165889684CA
       session_id:
         length: 00
         vector: --
       cipher_suites:
         length: 0004
         vector:
           CipherSuite: C100
           CipherSuite: C101
       compression_methods:
         length: 01
         vector:
           CompressionMethod: 00
       extensions:
         length: 0013
         vector:
           Extension: /* signature_algorithms */
             extension_type: 000D
             extension_data:
               length: 0006
               vector:
                 supported_signature_algorithms:
                   length: 0004
                   vector:
                     /* 1 pair of algorithms */
                     hash: 08
                     signature: 40
                     /* 2 pair of algorithms */
                     hash: 08
                     signature: 41
           Extension: /* renegotiation_info */
             extension_type: FF01
             extension_data:
               length: 0001
               vector:
                 renegotiated_connection:
                   length: 00
                   vector: --
           Extension: /* extended_master_secret */
             extension_type: 0017
             extension_data:
               length: 0000
               vector: --

   00000: 01 00 00 40 03 03 93 3E A2 1E C3 80 2A 56 15 50
   00010: EC 78 D6 ED 51 AC 24 39 D7 E7 49 C3 1B C3 A3 45
   00020: 61 65 88 96 84 CA 00 00 04 C1 00 C1 01 01 00 00
   00030: 13 00 0D 00 06 00 04 08 40 08 41 FF 01 00 01 00
   00040: 00 17 00 00

   Record layer message:
     type: 16
     version:
       major: 03
       minor: 03
     length: 0044
     fragment: 010000400303933EA21EC3802A561550
               EC78D6ED51AC2439D7E749C31BC3A345
               6165889684CA000004C100C101010000
               13000D0006000408400841FF01000100
               00170000

   00000: 16 03 03 00 44 01 00 00 40 03 03 93 3E A2 1E C3
   00010: 80 2A 56 15 50 EC 78 D6 ED 51 AC 24 39 D7 E7 49
   00020: C3 1B C3 A3 45 61 65 88 96 84 CA 00 00 04 C1 00
   00030: C1 01 01 00 00 13 00 0D 00 06 00 04 08 40 08 41
   00040: FF 01 00 01 00 00 17 00 00

   ---------------------------Server---------------------------

   ServerHello message:
     msg_type: 02
     length: 000041
     body:
       server_version:
         major: 03
         minor: 03
       random: 933EA21E49C31BC3A3456165889684CA
               A5576CE7924A24F58113808DBD9EF856
       session_id:
         length: 10
         vector: C3802A561550EC78D6ED51AC2439D7E7
       cipher_suite:
         CipherSuite: C101
       compression_method:
         CompressionMethod: 00
       extensions:
         length: 0009
         vector:
           Extension: /* renegotiation_info */
             extension_type: FF01
             extension_data:
               length: 0001
               vector:
                 renegotiated_connection:
                   length: 00
                   vector: --
           Extension: /* extended_master_secret */
             extension_type: 0017
             extension_data:
               length: 0000
               vector: --

   00000: 02 00 00 41 03 03 93 3E A2 1E 49 C3 1B C3 A3 45
   00010: 61 65 88 96 84 CA A5 57 6C E7 92 4A 24 F5 81 13
   00020: 80 8D BD 9E F8 56 10 C3 80 2A 56 15 50 EC 78 D6
   00030: ED 51 AC 24 39 D7 E7 C1 01 00 00 09 FF 01 00 01
   00040: 00 00 17 00 00

   Record layer message:
     type: 16
     version:
       major: 03
       minor: 03
     length: 0045
     fragment: 020000410303933EA21E49C31BC3A345
               6165889684CAA5576CE7924A24F58113
               808DBD9EF85610C3802A561550EC78D6
               ED51AC2439D7E7C101000009FF010001
               0000170000

   00000: 16 03 03 00 45 02 00 00 41 03 03 93 3E A2 1E 49
   00010: C3 1B C3 A3 45 61 65 88 96 84 CA A5 57 6C E7 92
   00020: 4A 24 F5 81 13 80 8D BD 9E F8 56 10 C3 80 2A 56
   00030: 15 50 EC 78 D6 ED 51 AC 24 39 D7 E7 C1 01 00 00
   00040: 09 FF 01 00 01 00 00 17 00 00

   ---------------------------Server---------------------------

   Certificate message:
     msg_type: 0B
     length: 0001DB
     body:
       certificate_list:
         length: 0001D8
         vector:
           ASN.1Cert:
             length: 0001D5
             vector: 308201D13082017EA003020102020833
                     FBB2C0E9575A46300A06082A85030701
                     010302301F311D301B06035504030C14
                     . . .
                     797990E4B5452CF82FE1F19EE237B754
                     CBCD5078D752A28013DFFC8224AD114B
                     BD7C1BB71E480AD6EEF9857A8C99C595
                     9053EEDFE9

   00000: 0B 00 01 DB 00 01 D8 00 01 D5 30 82 01 D1 30 82
   00010: 01 7E A0 03 02 01 02 02 08 33 FB B2 C0 E9 57 5A
   00020: 46 30 0A 06 08 2A 85 03 07 01 01 03 02 30 1F 31
   00030: 1D 30 1B 06 03 55 04 03 0C 14 74 65 73 74 5F 73
   00040: 65 6C 66 73 69 67 6E 65 64 5F 63 65 72 74 30 1E
   00050: 17 0D 31 39 30 36 32 37 31 35 32 34 30 38 5A 17
   00060: 0D 32 30 31 32 31 38 31 35 33 34 30 38 5A 30 1F
   00070: 31 1D 30 1B 06 03 55 04 03 0C 14 74 65 73 74 5F
   00080: 73 65 6C 66 73 69 67 6E 65 64 5F 63 65 72 74 30
   00090: 66 30 1F 06 08 2A 85 03 07 01 01 01 01 30 13 06
   000A0: 07 2A 85 03 02 02 23 01 06 08 2A 85 03 07 01 01
   000B0: 02 02 03 43 00 04 40 67 81 BF E0 60 8C 14 66 73
   000C0: 9B C4 D5 10 BF FA 82 02 07 26 3B 29 94 FB 9D FC
   000D0: 5B 65 2E A7 D4 31 65 B8 A5 53 B5 77 3E 36 D4 6C
   000E0: C2 66 C2 FF B4 70 82 50 27 E7 26 78 6F A6 C4 7F
   000F0: 91 5D DC 71 CC F8 37 A3 81 96 30 81 93 30 1D 06
   00100: 03 55 1D 0E 04 16 04 14 E7 D0 0B B8 4D 8D 24 18
   00110: 29 3E 05 C1 7C E7 77 98 D4 8D 30 16 30 0E 06 03
   00120: 55 1D 0F 01 01 FF 04 04 03 02 01 C6 30 12 06 03
   00130: 55 1D 13 01 01 FF 04 08 30 06 01 01 FF 02 01 01
   00140: 30 4E 06 03 55 1D 23 04 47 30 45 80 14 E7 D0 0B
   00150: B8 4D 8D 24 18 29 3E 05 C1 7C E7 77 98 D4 8D 30
   00160: 16 A1 23 A4 21 30 1F 31 1D 30 1B 06 03 55 04 03
   00170: 0C 14 74 65 73 74 5F 73 65 6C 66 73 69 67 6E 65
   00180: 64 5F 63 65 72 74 82 08 33 FB B2 C0 E9 57 5A 46
   00190: 30 0A 06 08 2A 85 03 07 01 01 03 02 03 41 00 E2
   001A0: 88 44 F9 F1 C8 55 E2 DB 5B 19 79 79 90 E4 B5 45
   001B0: 2C F8 2F E1 F1 9E E2 37 B7 54 CB CD 50 78 D7 52
   001C0: A2 80 13 DF FC 82 24 AD 11 4B BD 7C 1B B7 1E 48
   001D0: 0A D6 EE F9 85 7A 8C 99 C5 95 90 53 EE DF E9

   Record layer message:
     type: 16
     version:
       major: 03
       minor: 03
     length: 01DF
     fragment: 0B0001DB0001D80001D5308201D13082
               017EA003020102020833FBB2C0E9575A
               46300A06082A85030701010302301F31
               . . .
               8844F9F1C855E2DB5B19797990E4B545
               2CF82FE1F19EE237B754CBCD5078D752
               A28013DFFC8224AD114BBD7C1BB71E48
               0AD6EEF9857A8C99C5959053EEDFE9

   00000: 16 03 03 01 DF 0B 00 01 DB 00 01 D8 00 01 D5 30
   00010: 82 01 D1 30 82 01 7E A0 03 02 01 02 02 08 33 FB
   00020: B2 C0 E9 57 5A 46 30 0A 06 08 2A 85 03 07 01 01
   00030: 03 02 30 1F 31 1D 30 1B 06 03 55 04 03 0C 14 74
   00040: 65 73 74 5F 73 65 6C 66 73 69 67 6E 65 64 5F 63
   00050: 65 72 74 30 1E 17 0D 31 39 30 36 32 37 31 35 32
   00060: 34 30 38 5A 17 0D 32 30 31 32 31 38 31 35 33 34
   00070: 30 38 5A 30 1F 31 1D 30 1B 06 03 55 04 03 0C 14
   00080: 74 65 73 74 5F 73 65 6C 66 73 69 67 6E 65 64 5F
   00090: 63 65 72 74 30 66 30 1F 06 08 2A 85 03 07 01 01
   000A0: 01 01 30 13 06 07 2A 85 03 02 02 23 01 06 08 2A
   000B0: 85 03 07 01 01 02 02 03 43 00 04 40 67 81 BF E0
   000C0: 60 8C 14 66 73 9B C4 D5 10 BF FA 82 02 07 26 3B
   000D0: 29 94 FB 9D FC 5B 65 2E A7 D4 31 65 B8 A5 53 B5
   000E0: 77 3E 36 D4 6C C2 66 C2 FF B4 70 82 50 27 E7 26
   000F0: 78 6F A6 C4 7F 91 5D DC 71 CC F8 37 A3 81 96 30
   00100: 81 93 30 1D 06 03 55 1D 0E 04 16 04 14 E7 D0 0B
   00110: B8 4D 8D 24 18 29 3E 05 C1 7C E7 77 98 D4 8D 30
   00120: 16 30 0E 06 03 55 1D 0F 01 01 FF 04 04 03 02 01
   00130: C6 30 12 06 03 55 1D 13 01 01 FF 04 08 30 06 01
   00140: 01 FF 02 01 01 30 4E 06 03 55 1D 23 04 47 30 45
   00150: 80 14 E7 D0 0B B8 4D 8D 24 18 29 3E 05 C1 7C E7
   00160: 77 98 D4 8D 30 16 A1 23 A4 21 30 1F 31 1D 30 1B
   00170: 06 03 55 04 03 0C 14 74 65 73 74 5F 73 65 6C 66
   00180: 73 69 67 6E 65 64 5F 63 65 72 74 82 08 33 FB B2
   00190: C0 E9 57 5A 46 30 0A 06 08 2A 85 03 07 01 01 03
   001A0: 02 03 41 00 E2 88 44 F9 F1 C8 55 E2 DB 5B 19 79
   001B0: 79 90 E4 B5 45 2C F8 2F E1 F1 9E E2 37 B7 54 CB
   001C0: CD 50 78 D7 52 A2 80 13 DF FC 82 24 AD 11 4B BD
   001D0: 7C 1B B7 1E 48 0A D6 EE F9 85 7A 8C 99 C5 95 90
   001E0: 53 EE DF E9

   ---------------------------Server---------------------------

   ServerHelloDone message:
     msg_type: 0E
     length: 000000
     body: --

   00000: 0E 00 00 00

   Record layer message:
     type: 16
     version:
       major: 03
       minor: 03
     length: 0004
     fragment: 0E000000

   00000: 16 03 03 00 04 0E 00 00 00

   ---------------------------Client---------------------------
   PMS:
   00000: A5 57 6C E7 92 4A 24 F5 81 13 80 8D BD 9E F8 56
   00010: F5 BD C3 B1 83 CE 5D AD CA 36 A5 3A A0 77 65 1D

   Random d_eph value:
      0xA5C77C7482373DE16CE4A6F73CCE7F78
        471493FF2C0709B8B706C9E8A25E6C1E

   Q_eph ephemeral key:
      x = 0xA8F36D63D262A203978F1B3B6795CDBB
            F1AE7FB8EF7F47F1F18871C198E00793

      y = 0x34CA5D6B4485640EA195435993BEB1F8
            B016ED610496B5CC175AC2EA1F14F887

   HASH (r_c | r_s):
   00000: C3 EF 04 28 D4 B7 A1 F4 C5 02 5F 2E 65 DD 2B 2E
   00010: A5 83 AE EF DB 67 C7 F4 21 4A 6A 29 8E 99 E3 25

   Export key generation. r value:
      0xC3EF0428D4B7A1F4C5025F2E65DD2B2E

   Export key generation. UKM value:
      0xC3EF0428D4B7A1F4C5025F2E65DD2B2E

   seed:
   00000: A5 83 AE EF DB 67 C7 F4

   K_EXP:
   00000: 1E 58 54 90 E8 65 FF D1 8F 18 D7 C0 A0 4D 0E E8
   00010: 4F 1A 5D 79 7C EF AD A0 1B 1E 3B 7F DB 90 E0 29

   Export keys K_Exp_MAC | K_Exp_ENC used in KExp15 algorithm:
   00000: 2D 8B A8 C8 4C B2 32 FF 41 F1 0C 3A D9 24 13 42
   00010: 23 25 4F 71 E5 69 6D 3D 29 C3 E4 C9 DA A6 B2 93
   00020: 84 9E B6 34 0B FF AE 69 28 A3 C3 E4 FF 92 EC CB
   00030: 1E 8F 0C F7 A1 88 36 8E 6B 74 8E 52 EA 37 8B 0C

   IV:
   00000: 21 4A 6A 29

   PMSEXP:
   00000: D7 F0 F0 42 23 67 86 7B 25 FA 42 33 A9 54 F5 8B
   00010: DE 92 E9 C9 BB FB 88 16 C9 9F 15 E6 39 87 22 A0
   00020: B2 B7 BF E8 49 3E 9A 5C

   ---------------------------Client---------------------------
   ClientKeyExchange message:
     msg_type: 10
     length: 000095
     body:
       exchange_keys: 3081920428D7F0F0422367867B25FA42
                      33A954F58BDE92E9C9BBFB8816C99F15
                      E6398722A0B2B7BFE8493E9A5C306630
                      . . .
                      EFB87FAEF1BBCD95673B1B8F9703A262
                      D2636DF3A887F8141FEAC25A17CCB596
                      0461ED16B0F8B1BE93594395A10E6485
                      446B5DCA34

   00000: 10 00 00 95 30 81 92 04 28 D7 F0 F0 42 23 67 86
   00010: 7B 25 FA 42 33 A9 54 F5 8B DE 92 E9 C9 BB FB 88
   00020: 16 C9 9F 15 E6 39 87 22 A0 B2 B7 BF E8 49 3E 9A
   00030: 5C 30 66 30 1F 06 08 2A 85 03 07 01 01 01 01 30
   00040: 13 06 07 2A 85 03 02 02 23 01 06 08 2A 85 03 07
   00050: 01 01 02 02 03 43 00 04 40 93 07 E0 98 C1 71 88
   00060: F1 F1 47 7F EF B8 7F AE F1 BB CD 95 67 3B 1B 8F
   00070: 97 03 A2 62 D2 63 6D F3 A8 87 F8 14 1F EA C2 5A
   00080: 17 CC B5 96 04 61 ED 16 B0 F8 B1 BE 93 59 43 95
   00090: A1 0E 64 85 44 6B 5D CA 34

   Record layer message:
     type: 16
     version:
       major: 03
       minor: 03
     length: 0099
     fragment: 100000953081920428D7F0F042236786
               7B25FA4233A954F58BDE92E9C9BBFB88
               16C99F15E6398722A0B2B7BFE8493E9A
               . . .
               F1F1477FEFB87FAEF1BBCD95673B1B8F
               9703A262D2636DF3A887F8141FEAC25A
               17CCB5960461ED16B0F8B1BE93594395
               A10E6485446B5DCA34

   00000: 16 03 03 00 99 10 00 00 95 30 81 92 04 28 D7 F0
   00010: F0 42 23 67 86 7B 25 FA 42 33 A9 54 F5 8B DE 92
   00020: E9 C9 BB FB 88 16 C9 9F 15 E6 39 87 22 A0 B2 B7
   00030: BF E8 49 3E 9A 5C 30 66 30 1F 06 08 2A 85 03 07
   00040: 01 01 01 01 30 13 06 07 2A 85 03 02 02 23 01 06
   00050: 08 2A 85 03 07 01 01 02 02 03 43 00 04 40 93 07
   00060: E0 98 C1 71 88 F1 F1 47 7F EF B8 7F AE F1 BB CD
   00070: 95 67 3B 1B 8F 97 03 A2 62 D2 63 6D F3 A8 87 F8
   00080: 14 1F EA C2 5A 17 CC B5 96 04 61 ED 16 B0 F8 B1
   00090: BE 93 59 43 95 A1 0E 64 85 44 6B 5D CA 34

   ---------------------------Server---------------------------

   PMSEXP extracted:
   00000: D7 F0 F0 42 23 67 86 7B 25 FA 42 33 A9 54 F5 8B
   00010: DE 92 E9 C9 BB FB 88 16 C9 9F 15 E6 39 87 22 A0
   00020: B2 B7 BF E8 49 3E 9A 5C

   HASH(r_c | r_s):
   00000: C3 EF 04 28 D4 B7 A1 F4 C5 02 5F 2E 65 DD 2B 2E
   00010: A5 83 AE EF DB 67 C7 F4 21 4A 6A 29 8E 99 E3 25

   Export key generation. r value:
      0xC3EF0428D4B7A1F4C5025F2E65DD2B2E

   Export key generation. UKM value:
      0xC3EF0428D4B7A1F4C5025F2E65DD2B2E

   seed:
   00000: A5 83 AE EF DB 67 C7 F4

   K_EXP:
   00000: 1E 58 54 90 E8 65 FF D1 8F 18 D7 C0 A0 4D 0E E8
   00010: 4F 1A 5D 79 7C EF AD A0 1B 1E 3B 7F DB 90 E0 29

   Import keys K_Imp_MAC | K_Imp_ENC used in KImp15 algorithm:
   00000: 2D 8B A8 C8 4C B2 32 FF 41 F1 0C 3A D9 24 13 42
   00010: 23 25 4F 71 E5 69 6D 3D 29 C3 E4 C9 DA A6 B2 93
   00020: 84 9E B6 34 0B FF AE 69 28 A3 C3 E4 FF 92 EC CB
   00030: 1E 8F 0C F7 A1 88 36 8E 6B 74 8E 52 EA 37 8B 0C

   IV:
   00000: 21 4A 6A 29

   PMS:
   00000: A5 57 6C E7 92 4A 24 F5 81 13 80 8D BD 9E F8 56
   00010: F5 BD C3 B1 83 CE 5D AD CA 36 A5 3A A0 77 65 1D

   ---------------------------Client---------------------------

   HASH(HM):
   00000: 7E 1F 59 D3 64 9D B6 09 00 EA 4F 8A 58 5A 65 7A
   00010: 92 77 B3 04 50 58 4C F5 43 51 19 8C DE A3 0C 49

   MS:
   00000: FD D2 7C B4 04 AD 4E 44 49 68 4F 7C 55 90 E9 E7
   00010: 02 EF 41 01 93 3B 52 77 A4 A9 6D F5 00 B0 7C C3
   00020: 32 4F D8 A6 D9 07 CB B0 3D F3 FB 33 1F 1C 4D 0C

   Client connection key material
   K_write_MAC|K_read_MAC|K_write_ENC|K_read_ENC|IV_write|IV_read:
   00000: DD 4E 10 17 E3 09 1F FD 86 75 65 8A 78 00 90 09
   00010: 3B BE 69 EC A6 93 31 5C A8 5B E0 A6 14 3D C9 F8
   00020: 1D 64 D0 23 46 5F 8B EA 17 F8 12 F8 C2 D8 BF C0
   00030: D9 BB AB A7 B4 DF D3 A1 7C E0 E1 3B 2D 63 65 F3
   00040: FC 8B 34 59 CF 54 FE 44 9A 04 07 64 53 73 08 00
   00050: 75 10 32 55 9D 07 B6 C4 EA C6 75 48 71 BC 97 8A
   00060: B9 0E 2A EE 98 77 14 BB D8 F7 57 AE F7 84 FF 24
   00070: 47 B3 94 2E B4 3E 26 35 73 1C 4C 28 22 D0 2D 79
   00080: 2B 6A 81 3F 93 ED A6 FA

   ---------------------------Server---------------------------

   HASH(HM):
   00000: 7E 1F 59 D3 64 9D B6 09 00 EA 4F 8A 58 5A 65 7A
   00010: 92 77 B3 04 50 58 4C F5 43 51 19 8C DE A3 0C 49

   MS:
   00000: FD D2 7C B4 04 AD 4E 44 49 68 4F 7C 55 90 E9 E7
   00010: 02 EF 41 01 93 3B 52 77 A4 A9 6D F5 00 B0 7C C3
   00020: 32 4F D8 A6 D9 07 CB B0 3D F3 FB 33 1F 1C 4D 0C

   Server connection key material
   K_read_MAC|K_write_MAC|K_read_ENC|K_write_ENC|IV_read|IV_write:
   00000: DD 4E 10 17 E3 09 1F FD 86 75 65 8A 78 00 90 09
   00010: 3B BE 69 EC A6 93 31 5C A8 5B E0 A6 14 3D C9 F8
   00020: 1D 64 D0 23 46 5F 8B EA 17 F8 12 F8 C2 D8 BF C0
   00030: D9 BB AB A7 B4 DF D3 A1 7C E0 E1 3B 2D 63 65 F3
   00040: FC 8B 34 59 CF 54 FE 44 9A 04 07 64 53 73 08 00
   00050: 75 10 32 55 9D 07 B6 C4 EA C6 75 48 71 BC 97 8A
   00060: B9 0E 2A EE 98 77 14 BB D8 F7 57 AE F7 84 FF 24
   00070: 47 B3 94 2E B4 3E 26 35 73 1C 4C 28 22 D0 2D 79
   00080: 2B 6A 81 3F 93 ED A6 FA

   ---------------------------Client---------------------------

   ChangeCipherSpec message:
     type: 01

   00000: 01
   Record layer message:
     type: 14
     version:
       major: 03
       minor: 03
     length: 0001
     fragment: 01

   00000: 14 03 03 00 01 01

   ---------------------------Client---------------------------

   HASH(HM):
   00000: 7E 1F 59 D3 64 9D B6 09 00 EA 4F 8A 58 5A 65 7A
   00010: 92 77 B3 04 50 58 4C F5 43 51 19 8C DE A3 0C 49

   client_verify_data:
   00000: B4 61 C5 AD 25 EA 1E 62 B3 70 BD 1F 1B CB 16 91
   00010: FC CC BA 37 8B BC 13 43 BE 54 B3 8D F5 53 B7 A5

   ---------------------------Client---------------------------

   Finished message:
     msg_type: 14
     length: 000020
     body:
       verify_data: B461C5AD25EA1E62B370BD1F1BCB1691
                    FCCCBA378BBC1343BE54B38DF553B7A5

   00000: 14 00 00 20 B4 61 C5 AD 25 EA 1E 62 B3 70 BD 1F
   00010: 1B CB 16 91 FC CC BA 37 8B BC 13 43 BE 54 B3 8D
   00020: F5 53 B7 A5

   Record layer message:
     type: 16
     version:
       major: 03
       minor: 03
     length: 002C
     fragment: 0C630271D4DA39DD8D6BD040302D9B8F
               33D5F7B967EED155F7D65592892C03C7
               885C249B1225B184AB4D5DBF

   00000: 16 03 03 00 2C 0C 63 02 71 D4 DA 39 DD 8D 6B D0
   00010: 40 30 2D 9B 8F 33 D5 F7 B9 67 EE D1 55 F7 D6 55
   00020: 92 89 2C 03 C7 88 5C 24 9B 12 25 B1 84 AB 4D 5D
   00030: BF

   ---------------------------Server---------------------------

   ChangeCipherSpec message:
     type: 01

   00000: 01

   Record layer message:
     type: 14
     version:
       major: 03
       minor: 03
     length: 0001
     fragment: 01

   00000: 14 03 03 00 01 01

   ---------------------------Server---------------------------

   HASH(HM):
   00000: DB D7 D8 93 82 4A ED FD D5 FB 7B 75 4B 47 E1 E6
   00010: AF E0 77 DA E6 D1 13 63 42 07 C7 EE 0F C6 F3 B1

   server_verify_data:
   00000: 45 39 EC 8D 0A F7 B1 A6 20 41 AB 43 4A 43 77 71
   00010: D3 4C 47 19 D8 6E BB FD 0F 28 C3 E9 53 55 0C D0

   ---------------------------Server---------------------------

   Finished message:
     msg_type: 14
     length: 000020
     body:
       verify_data: 4539EC8D0AF7B1A62041AB434A437771
                    D34C4719D86EBBFD0F28C3E953550CD0

   00000: 14 00 00 20 45 39 EC 8D 0A F7 B1 A6 20 41 AB 43
   00010: 4A 43 77 71 D3 4C 47 19 D8 6E BB FD 0F 28 C3 E9
   00020: 53 55 0C D0

   Record layer message:
     type: 16
     version:
       major: 03
       minor: 03
     length: 002C
     fragment: E6A94A4BF70886566A2316811E57B483
               BB1E47950A1FF820A80DCA77A4DF9954
               2DAB6953F3ED03D95CCA4748

   00000: 16 03 03 00 2C E6 A9 4A 4B F7 08 86 56 6A 23 16
   00010: 81 1E 57 B4 83 BB 1E 47 95 0A 1F F8 20 A8 0D CA
   00020: 77 A4 DF 99 54 2D AB 69 53 F3 ED 03 D9 5C CA 47
   00030: 48

   ---------------------------Client---------------------------

   Application data:
   00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

   Record layer message:
     type: 17
     version:
       major: 03
       minor: 03
     length: 0028
     fragment: 38807B6E5E0C3F4F7E0DBF7758031BF0
               7F100C4B63ADBC75F49BCBF428572D37
               7CAED097336DB203

   00000: 17 03 03 00 28 38 80 7B 6E 5E 0C 3F 4F 7E 0D BF
   00010: 77 58 03 1B F0 7F 10 0C 4B 63 AD BC 75 F4 9B CB
   00020: F4 28 57 2D 37 7C AE D0 97 33 6D B2 03

   ---------------------------Server---------------------------

   Application data:
   00000: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
   00010: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF

   Record layer message:
     type: 17
     version:
       major: 03
       minor: 03
     length: 0028
     fragment: 05B869E5C979C3B9D4837B8E39D9BBEE
               1BBD0052D3D48340D0CDE082B33BC07F
               4E742D1113249AD8

   00000: 17 03 03 00 28 05 B8 69 E5 C9 79 C3 B9 D4 83 7B
   00010: 8E 39 D9 BB EE 1B BD 00 52 D3 D4 83 40 D0 CD E0
   00020: 82 B3 3B C0 7F 4E 74 2D 11 13 24 9A D8

   ---------------------------Client---------------------------

   close_notify alert:
     Alert:
       level: 01
       description: 00

   00000: 01 00

   Record layer message:
     type: 15
     version:
       major: 03
       minor: 03
     length: 000A
     fragment: 4F2A0807A0374E28C632

   00000: 15 03 03 00 0A 4F 2A 08 07 A0 37 4E 28 C6 32

   ---------------------------Server---------------------------

   close_notify alert:
     Alert:
       level: 01
       description: 00

   00000: 01 00

   Record layer message:
     type: 15
     version:
       major: 03
       minor: 03
     length: 000A
     fragment: 999468B49AC5B0DE512C

   00000: 15 03 03 00 0A 99 94 68 B4 9A C5 B0 DE 51 2C

A.1.3.2.  TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC ciphersuite

   Server certificate curve OID:
      id-tc26-gost-3410-2012-512-paramSetC, "1.2.643.7.1.2.1.2.3"

   Server public key Q_s:
      x = 0xF14589DA479AD972C66563669B3FF580
            92E6A30A288BF447CD9FF6C3133E9724
            7A9706B267703C9B4E239F0D7C7E3310
            C22D2752B35BD2E4FD39B8F11DEB833A

      y = 0xF305E95B36502D4E60A1059FB20AB30B
            FC7C95727F3A2C04B1DFDDB53B0413F2
            99F2DFE66A5E1CCB4101A7A01D612BE6
            BD78E1E3B3D567EBB16ABE587A11F4EA

   Server private key d_s:
      0x12FD7A70067479A0F66C59F9A25534AD
        FBC7ABFD3CC72D79806F8B402601644B
        3005ED365A2D8989A8CCAE640D5FC08D
        D27DFBBFE137CF528E1AC6D445192E01

   Client certificate curve OID:
      id-tc26-gost-3410-2012-256-paramSetA, "1.2.643.7.1.2.1.1.1"

   Client public key Q_c:
      x = 0x0F5DB18A9E15F324B778676025BFD7B5
            DF066566EABAA1C51CD879F87B0B4975

      y = 0x9EE5BBF18361F842D3F087DEC2943939
            E0FA2BFB4EDEC25A8D10ABB22C48F386

   Client private key d_c:
      0x0918AD3F7D209ABF89F1E8505DA894CE
        E10DA09D32E72E815D9C0ADA30B5A103

   ---------------------------Client---------------------------

   ClientHello message:
     msg_type: 01
     length: 000040
     body:
       client_version:
         major: 03
         minor: 03
       random: 933EA21EC3802A561550EC78D6ED51AC
               2439D7E749C31BC3A3456165889684CA
       session_id:
         length: 00
         vector: --
       cipher_suites:
         length: 0004
         vector:
           CipherSuite: C100
           CipherSuite: C101
       compression_methods:
         length: 01
         vector:
           CompressionMethod: 00
       extensions:
         length: 0013
         vector:
           Extension: /* signature_algorithms */
             extension_type: 000D
             extension_data:
               length: 0006
               vector:
                 supported_signature_algorithms:
                   length: 0004
                   vector:
                     /* 1 pair of algorithms */
                     hash: 08
                     signature: 40
                     /* 2 pair of algorithms */
                     hash: 08
                     signature: 41
           Extension: /* renegotiation_info */
             extension_type: FF01
             extension_data:
               length: 0001
               vector:
                 renegotiated_connection:
                   length: 00
                   vector: --
           Extension: /* extended_master_secret */
             extension_type: 0017
             extension_data:
               length: 0000
               vector: --

   00000: 01 00 00 40 03 03 93 3E A2 1E C3 80 2A 56 15 50
   00010: EC 78 D6 ED 51 AC 24 39 D7 E7 49 C3 1B C3 A3 45
   00020: 61 65 88 96 84 CA 00 00 04 C1 00 C1 01 01 00 00
   00030: 13 00 0D 00 06 00 04 08 40 08 41 FF 01 00 01 00
   00040: 00 17 00 00

   Record layer message:
     type: 16
     version:
       major: 03
       minor: 03
     length: 0044
     fragment: 010000400303933EA21EC3802A561550
               EC78D6ED51AC2439D7E749C31BC3A345
               6165889684CA000004C100C101010000
               13000D0006000408400841FF01000100
               00170000

   00000: 16 03 03 00 44 01 00 00 40 03 03 93 3E A2 1E C3
   00010: 80 2A 56 15 50 EC 78 D6 ED 51 AC 24 39 D7 E7 49
   00020: C3 1B C3 A3 45 61 65 88 96 84 CA 00 00 04 C1 00
   00030: C1 01 01 00 00 13 00 0D 00 06 00 04 08 40 08 41
   00040: FF 01 00 01 00 00 17 00 00

   ---------------------------Server---------------------------

   ServerHello message:
     msg_type: 02
     length: 000041
     body:
       server_version:
         major: 03
         minor: 03
       random: 933EA21E49C31BC3A3456165889684CA
               A5576CE7924A24F58113808DBD9EF856
       session_id:
         length: 10
         vector: C3802A561550EC78D6ED51AC2439D7E7
       cipher_suite:
         CipherSuite: C100
       compression_method:
         CompressionMethod: 00
       extensions:
         length: 0009
         vector:
           Extension: /* renegotiation_info */
             extension_type: FF01
             extension_data:
               length: 0001
               vector:
                 renegotiated_connection:
                   length: 00
                   vector: --
           Extension: /* extended_master_secret */
             extension_type: 0017
             extension_data:
               length: 0000
               vector: --

   00000: 02 00 00 41 03 03 93 3E A2 1E 49 C3 1B C3 A3 45
   00010: 61 65 88 96 84 CA A5 57 6C E7 92 4A 24 F5 81 13
   00020: 80 8D BD 9E F8 56 10 C3 80 2A 56 15 50 EC 78 D6
   00030: ED 51 AC 24 39 D7 E7 C1 00 00 00 09 FF 01 00 01
   00040: 00 00 17 00 00

   Record layer message:
     type: 16
     version:
       major: 03
       minor: 03
     length: 0045
     fragment: 020000410303933EA21E49C31BC3A345
               6165889684CAA5576CE7924A24F58113
               808DBD9EF85610C3802A561550EC78D6
               ED51AC2439D7E7C100000009FF010001
               0000170000

   00000: 16 03 03 00 45 02 00 00 41 03 03 93 3E A2 1E 49
   00010: C3 1B C3 A3 45 61 65 88 96 84 CA A5 57 6C E7 92
   00020: 4A 24 F5 81 13 80 8D BD 9E F8 56 10 C3 80 2A 56
   00030: 15 50 EC 78 D6 ED 51 AC 24 39 D7 E7 C1 00 00 00
   00040: 09 FF 01 00 01 00 00 17 00 00

   ---------------------------Server---------------------------

   Certificate message:
     msg_type: 0B
     length: 00024C
     body:
       certificate_list:
         length: 000249
         vector:
           ASN.1Cert:
             length: 000246
             vector: 30820242308201AEA003020102020101
                     300A06082A850307010103033042312C
                     302A06092A864886F70D010901161D74
                     . . .
2706 371AF83C5BC58B366DFEFA7345D50317 2707 867C177AC84AC07EE8612164629AB7BD 2708 C48AA0F64A741FE7298E82C5BFCE8672 2709 029F875391F7 2711 00000: 0B 00 02 4C 00 02 49 00 02 46 30 82 02 42 30 82 2712 00010: 01 AE A0 03 02 01 02 02 01 01 30 0A 06 08 2A 85 2713 00020: 03 07 01 01 03 03 30 42 31 2C 30 2A 06 09 2A 86 2714 00030: 48 86 F7 0D 01 09 01 16 1D 74 6C 73 31 32 5F 73 2715 00040: 65 72 76 65 72 35 31 32 43 40 63 72 79 70 74 6F 2716 00050: 70 72 6F 2E 72 75 31 12 30 10 06 03 55 04 03 13 2717 00060: 09 53 65 72 76 65 72 35 31 32 30 1E 17 0D 31 37 2718 00070: 30 35 32 35 30 39 32 35 31 38 5A 17 0D 33 30 30 2719 00080: 35 30 31 30 39 32 35 31 38 5A 30 42 31 2C 30 2A 2720 00090: 06 09 2A 86 48 86 F7 0D 01 09 01 16 1D 74 6C 73 2721 000A0: 31 32 5F 73 65 72 76 65 72 35 31 32 43 40 63 72 2722 000B0: 79 70 74 6F 70 72 6F 2E 72 75 31 12 30 10 06 03 2723 000C0: 55 04 03 13 09 53 65 72 76 65 72 35 31 32 30 81 2724 000D0: AA 30 21 06 08 2A 85 03 07 01 01 01 02 30 15 06 2725 000E0: 09 2A 85 03 07 01 02 01 02 03 06 08 2A 85 03 07 2726 000F0: 01 01 02 03 03 81 84 00 04 81 80 3A 83 EB 1D F1 2727 00100: B8 39 FD E4 D2 5B B3 52 27 2D C2 10 33 7E 7C 0D 2728 00110: 9F 23 4E 9B 3C 70 67 B2 06 97 7A 24 97 3E 13 C3 2729 00120: F6 9F CD 47 F4 8B 28 0A A3 E6 92 80 F5 3F 9B 66 2730 00130: 63 65 C6 72 D9 9A 47 DA 89 45 F1 EA F4 11 7A 58 2731 00140: BE 6A B1 EB 67 D5 B3 E3 E1 78 BD E6 2B 61 1D A0 2732 00150: A7 01 41 CB 1C 5E 6A E6 DF F2 99 F2 13 04 3B B5 2733 00160: DD DF B1 04 2C 3A 7F 72 95 7C FC 0B B3 0A B2 9F 2734 00170: 05 A1 60 4E 2D 50 36 5B E9 05 F3 A3 43 30 41 30 2735 00180: 1D 06 03 55 1D 0E 04 16 04 14 87 9C C6 5A 0F 4A 2736 00190: 89 CB 4A 58 49 DF 05 61 56 9B AA DC 11 69 30 0B 2737 001A0: 06 03 55 1D 0F 04 04 03 02 03 28 30 13 06 03 55 2738 001B0: 1D 25 04 0C 30 0A 06 08 2B 06 01 05 05 07 03 01 2739 001C0: 30 0A 06 08 2A 85 03 07 01 01 03 03 03 81 81 00 2740 001D0: 35 BE 38 51 EC B6 E9 2D 32 40 01 81 0F 8C 89 03 2741 001E0: 52 42 F4 05 46 9F 4C 4E CB 05 02 7C 57 E2 71 52 2742 
001F0: 12 AF D7 CD BB 0C ED 7A 8B 4D 33 42 CC 50 1A BD 2743 00200: 99 99 75 A5 8A DE 0E 58 4F CA 35 F5 2E 45 58 B7 2744 00210: 31 1D 49 D0 A0 51 32 79 F7 39 37 1A F8 3C 5B C5 2745 00220: 8B 36 6D FE FA 73 45 D5 03 17 86 7C 17 7A C8 4A 2746 00230: C0 7E E8 61 21 64 62 9A B7 BD C4 8A A0 F6 4A 74 2747 00240: 1F E7 29 8E 82 C5 BF CE 86 72 02 9F 87 53 91 F7 2749 Record layer message: 2750 type: 16 2751 version: 2753 major: 03 2754 minor: 03 2755 length: 0250 2756 fragment: 0B00024C000249000246308202423082 2757 01AEA003020102020101300A06082A85 2758 0307010103033042312C302A06092A86 2759 . . . 2760 8B366DFEFA7345D50317867C177AC84A 2761 C07EE8612164629AB7BDC48AA0F64A74 2762 1FE7298E82C5BFCE8672029F875391F7 2764 00000: 16 03 03 02 50 0B 00 02 4C 00 02 49 00 02 46 30 2765 00010: 82 02 42 30 82 01 AE A0 03 02 01 02 02 01 01 30 2766 00020: 0A 06 08 2A 85 03 07 01 01 03 03 30 42 31 2C 30 2767 00030: 2A 06 09 2A 86 48 86 F7 0D 01 09 01 16 1D 74 6C 2768 00040: 73 31 32 5F 73 65 72 76 65 72 35 31 32 43 40 63 2769 00050: 72 79 70 74 6F 70 72 6F 2E 72 75 31 12 30 10 06 2770 00060: 03 55 04 03 13 09 53 65 72 76 65 72 35 31 32 30 2771 00070: 1E 17 0D 31 37 30 35 32 35 30 39 32 35 31 38 5A 2772 00080: 17 0D 33 30 30 35 30 31 30 39 32 35 31 38 5A 30 2773 00090: 42 31 2C 30 2A 06 09 2A 86 48 86 F7 0D 01 09 01 2774 000A0: 16 1D 74 6C 73 31 32 5F 73 65 72 76 65 72 35 31 2775 000B0: 32 43 40 63 72 79 70 74 6F 70 72 6F 2E 72 75 31 2776 000C0: 12 30 10 06 03 55 04 03 13 09 53 65 72 76 65 72 2777 000D0: 35 31 32 30 81 AA 30 21 06 08 2A 85 03 07 01 01 2778 000E0: 01 02 30 15 06 09 2A 85 03 07 01 02 01 02 03 06 2779 000F0: 08 2A 85 03 07 01 01 02 03 03 81 84 00 04 81 80 2780 00100: 3A 83 EB 1D F1 B8 39 FD E4 D2 5B B3 52 27 2D C2 2781 00110: 10 33 7E 7C 0D 9F 23 4E 9B 3C 70 67 B2 06 97 7A 2782 00120: 24 97 3E 13 C3 F6 9F CD 47 F4 8B 28 0A A3 E6 92 2783 00130: 80 F5 3F 9B 66 63 65 C6 72 D9 9A 47 DA 89 45 F1 2784 00140: EA F4 11 7A 58 BE 6A B1 EB 67 D5 B3 E3 E1 78 BD 2785 00150: E6 2B 61 1D A0 A7 01 
41 CB 1C 5E 6A E6 DF F2 99 2786 00160: F2 13 04 3B B5 DD DF B1 04 2C 3A 7F 72 95 7C FC 2787 00170: 0B B3 0A B2 9F 05 A1 60 4E 2D 50 36 5B E9 05 F3 2788 00180: A3 43 30 41 30 1D 06 03 55 1D 0E 04 16 04 14 87 2789 00190: 9C C6 5A 0F 4A 89 CB 4A 58 49 DF 05 61 56 9B AA 2790 001A0: DC 11 69 30 0B 06 03 55 1D 0F 04 04 03 02 03 28 2791 001B0: 30 13 06 03 55 1D 25 04 0C 30 0A 06 08 2B 06 01 2792 001C0: 05 05 07 03 01 30 0A 06 08 2A 85 03 07 01 01 03 2793 001D0: 03 03 81 81 00 35 BE 38 51 EC B6 E9 2D 32 40 01 2794 001E0: 81 0F 8C 89 03 52 42 F4 05 46 9F 4C 4E CB 05 02 2795 001F0: 7C 57 E2 71 52 12 AF D7 CD BB 0C ED 7A 8B 4D 33 2796 00200: 42 CC 50 1A BD 99 99 75 A5 8A DE 0E 58 4F CA 35 2797 00210: F5 2E 45 58 B7 31 1D 49 D0 A0 51 32 79 F7 39 37 2798 00220: 1A F8 3C 5B C5 8B 36 6D FE FA 73 45 D5 03 17 86 2799 00230: 7C 17 7A C8 4A C0 7E E8 61 21 64 62 9A B7 BD C4 2800 00240: 8A A0 F6 4A 74 1F E7 29 8E 82 C5 BF CE 86 72 02 2801 00250: 9F 87 53 91 F7 2803 ---------------------------Server--------------------------- 2805 CertificateRequest message: 2806 msg_type: 0D 2807 length: 00000B 2808 body: 2809 certificate_types: 2810 length: 02 2811 vector: 2812 /* gost_sign256 */ 2813 43 2814 /* gost_sign512 */ 2815 44 2816 supported_signature_algorithms: 2817 length: 0004 2818 vector: 2819 /* 1 pair of algorithms */ 2820 hash: 08 2821 signature: 40 2822 /* 2 pair of algorithms */ 2823 hash: 08 2824 signature: 41 2825 certificate_authorities: 2826 length: 0000 2827 vector: -- 2829 00000: 0D 00 00 0B 02 43 44 00 04 08 40 08 41 00 00 2831 Record layer message: 2832 type: 16 2833 version: 2834 major: 03 2835 minor: 03 2836 length: 000F 2837 fragment: 0D00000B0243440004084008410000 2839 00000: 16 03 03 00 0F 0D 00 00 0B 02 43 44 00 04 08 40 2840 00010: 08 41 00 00 2842 ---------------------------Server--------------------------- 2844 ServerHelloDone message: 2845 msg_type: 0E 2846 length: 000000 2847 body: -- 2849 00000: 0E 00 00 00 2851 Record layer message: 2852 type: 16 2853 version: 
2854 major: 03 2855 minor: 03 2856 length: 0004 2857 fragment: 0E000000 2859 00000: 16 03 03 00 04 0E 00 00 00 2861 ---------------------------Client--------------------------- 2863 Certificate message: 2864 msg_type: 0B 2865 length: 0001EA 2866 body: 2867 certificate_list: 2868 length: 0001E7 2869 vector: 2870 ASN.1Cert: 2871 length: 0001E4 2872 vector: 308201E03082018DA003020102020101 2873 300A06082A850307010103023053312E 2874 302C06092A864886F70D010901161F74 2875 . . . 2876 C1CAB43AC01AFB0F3451BDC2DB188BBC 2877 B77884251CDF6037BA830F4B31D5E96F 2878 DC9BC1C95ABE658266C48402E070DE1F 2879 292724E8 2881 00000: 0B 00 01 EA 00 01 E7 00 01 E4 30 82 01 E0 30 82 2882 00010: 01 8D A0 03 02 01 02 02 01 01 30 0A 06 08 2A 85 2883 00020: 03 07 01 01 03 02 30 53 31 2E 30 2C 06 09 2A 86 2884 00030: 48 86 F7 0D 01 09 01 16 1F 74 6C 73 31 32 5F 63 2885 00040: 6C 69 65 6E 74 32 35 36 41 5F 45 40 63 72 79 70 2886 00050: 74 6F 70 72 6F 2E 72 75 31 21 30 1F 06 03 55 04 2887 00060: 03 1E 18 00 43 00 6C 00 69 00 65 00 6E 00 74 00 2888 00070: 32 00 35 00 36 00 41 00 5F 00 45 30 1E 17 0D 31 2889 00080: 37 30 35 32 35 30 39 33 31 31 38 5A 17 0D 33 30 2890 00090: 30 35 30 31 30 39 33 31 31 38 5A 30 53 31 2E 30 2891 000A0: 2C 06 09 2A 86 48 86 F7 0D 01 09 01 16 1F 74 6C 2892 000B0: 73 31 32 5F 63 6C 69 65 6E 74 32 35 36 41 5F 45 2893 000C0: 40 63 72 79 70 74 6F 70 72 6F 2E 72 75 31 21 30 2894 000D0: 1F 06 03 55 04 03 1E 18 00 43 00 6C 00 69 00 65 2895 000E0: 00 6E 00 74 00 32 00 35 00 36 00 41 00 5F 00 45 2896 000F0: 30 68 30 21 06 08 2A 85 03 07 01 01 01 01 30 15 2897 00100: 06 09 2A 85 03 07 01 02 01 01 01 06 08 2A 85 03 2898 00110: 07 01 01 02 02 03 43 00 04 40 75 49 0B 7B F8 79 2899 00120: D8 1C C5 A1 BA EA 66 65 06 DF B5 D7 BF 25 60 67 2900 00130: 78 B7 24 F3 15 9E 8A B1 5D 0F 86 F3 48 2C B2 AB 2901 00140: 10 8D 5A C2 DE 4E FB 2B FA E0 39 39 94 C2 DE 87 2902 00150: F0 D3 42 F8 61 83 F1 BB E5 9E A3 43 30 41 30 1D 2903 00160: 06 03 55 1D 0E 04 16 04 14 74 49 1E 77 30 D3 42 2904 00170: A6 
28 0E 72 A1 13 9D D9 90 8B FA F1 03 30 0B 06 2905 00180: 03 55 1D 0F 04 04 03 02 07 80 30 13 06 03 55 1D 2906 00190: 25 04 0C 30 0A 06 08 2B 06 01 05 05 07 03 02 30 2907 001A0: 0A 06 08 2A 85 03 07 01 01 03 02 03 41 00 1C 2D 2908 001B0: 35 22 B4 11 02 D6 20 1F 23 50 C1 CA B4 3A C0 1A 2909 001C0: FB 0F 34 51 BD C2 DB 18 8B BC B7 78 84 25 1C DF 2910 001D0: 60 37 BA 83 0F 4B 31 D5 E9 6F DC 9B C1 C9 5A BE 2911 001E0: 65 82 66 C4 84 02 E0 70 DE 1F 29 27 24 E8 2913 Record layer message: 2914 type: 16 2915 version: 2916 major: 03 2917 minor: 03 2918 length: 01EE 2919 fragment: 0B0001EA0001E70001E4308201E03082 2920 018DA003020102020101300A06082A85 2921 0307010103023053312E302C06092A86 2922 . . . 2923 3522B41102D6201F2350C1CAB43AC01A 2924 FB0F3451BDC2DB188BBCB77884251CDF 2925 6037BA830F4B31D5E96FDC9BC1C95ABE 2926 658266C48402E070DE1F292724E8 2928 00000: 16 03 03 01 EE 0B 00 01 EA 00 01 E7 00 01 E4 30 2929 00010: 82 01 E0 30 82 01 8D A0 03 02 01 02 02 01 01 30 2930 00020: 0A 06 08 2A 85 03 07 01 01 03 02 30 53 31 2E 30 2931 00030: 2C 06 09 2A 86 48 86 F7 0D 01 09 01 16 1F 74 6C 2932 00040: 73 31 32 5F 63 6C 69 65 6E 74 32 35 36 41 5F 45 2933 00050: 40 63 72 79 70 74 6F 70 72 6F 2E 72 75 31 21 30 2934 00060: 1F 06 03 55 04 03 1E 18 00 43 00 6C 00 69 00 65 2935 00070: 00 6E 00 74 00 32 00 35 00 36 00 41 00 5F 00 45 2936 00080: 30 1E 17 0D 31 37 30 35 32 35 30 39 33 31 31 38 2937 00090: 5A 17 0D 33 30 30 35 30 31 30 39 33 31 31 38 5A 2938 000A0: 30 53 31 2E 30 2C 06 09 2A 86 48 86 F7 0D 01 09 2939 000B0: 01 16 1F 74 6C 73 31 32 5F 63 6C 69 65 6E 74 32 2940 000C0: 35 36 41 5F 45 40 63 72 79 70 74 6F 70 72 6F 2E 2941 000D0: 72 75 31 21 30 1F 06 03 55 04 03 1E 18 00 43 00 2942 000E0: 6C 00 69 00 65 00 6E 00 74 00 32 00 35 00 36 00 2943 000F0: 41 00 5F 00 45 30 68 30 21 06 08 2A 85 03 07 01 2944 00100: 01 01 01 30 15 06 09 2A 85 03 07 01 02 01 01 01 2945 00110: 06 08 2A 85 03 07 01 01 02 02 03 43 00 04 40 75 2946 00120: 49 0B 7B F8 79 D8 1C C5 A1 BA EA 66 65 06 DF B5 2947 00130: D7 
BF 25 60 67 78 B7 24 F3 15 9E 8A B1 5D 0F 86 2948 00140: F3 48 2C B2 AB 10 8D 5A C2 DE 4E FB 2B FA E0 39 2949 00150: 39 94 C2 DE 87 F0 D3 42 F8 61 83 F1 BB E5 9E A3 2950 00160: 43 30 41 30 1D 06 03 55 1D 0E 04 16 04 14 74 49 2951 00170: 1E 77 30 D3 42 A6 28 0E 72 A1 13 9D D9 90 8B FA 2952 00180: F1 03 30 0B 06 03 55 1D 0F 04 04 03 02 07 80 30 2953 00190: 13 06 03 55 1D 25 04 0C 30 0A 06 08 2B 06 01 05 2954 001A0: 05 07 03 02 30 0A 06 08 2A 85 03 07 01 01 03 02 2955 001B0: 03 41 00 1C 2D 35 22 B4 11 02 D6 20 1F 23 50 C1 2956 001C0: CA B4 3A C0 1A FB 0F 34 51 BD C2 DB 18 8B BC B7 2957 001D0: 78 84 25 1C DF 60 37 BA 83 0F 4B 31 D5 E9 6F DC 2958 001E0: 9B C1 C9 5A BE 65 82 66 C4 84 02 E0 70 DE 1F 29 2959 001F0: 27 24 E8 2961 ---------------------------Client--------------------------- 2963 PMS value: 2964 00000: A5 57 6C E7 92 4A 24 F5 81 13 80 8D BD 9E F8 56 2965 00010: F5 BD C3 B1 83 CE 5D AD CA 36 A5 3A A0 77 65 1D 2967 Random d_eph value: 2968 0x150ACD11B66DD695AD18418FA7A2DC63 2969 6B7E29DCA24536AABC826EE3175BB1FA 2970 DC3AA0D01D3092E120B0FCF7EB872F4B 2971 7E26EA17849D689222A48CF95A6E4831 2973 Q_eph ephemeral key: 2974 x = 0xC941BE5193189B476D5A0334114A3E04 2975 BBE5B37C738AE40F150B334135288664 2976 FEBFC5622818894A07B1F7AD60E28480 2977 B4B637B90EA7D4BA980186B605D75BC6 2979 y = 0xA154F7B93E8148652011F4FD52C9A06A 2980 6471ADB28D0A949AE26BC786DE874153 2981 ABC00B35164F3214A8A83C00ECE27831 2982 B093528456234EFE766224FC2A7E9ABE 2984 HASH (r_c | r_s): 2985 00000: C3 EF 04 28 D4 B7 A1 F4 C5 02 5F 2E 65 DD 2B 2E 2986 00010: A5 83 AE EF DB 67 C7 F4 21 4A 6A 29 8E 99 E3 25 2988 Export key generation. r value: 2990 0xC3EF0428D4B7A1F4C5025F2E65DD2B2E 2992 Export key generation. 
UKM value: 2993 0xC3EF0428D4B7A1F4C5025F2E65DD2B2E 2995 Export keys K_Exp_MAC | K_Exp_ENC used in KExp15 algorithm: 2996 00000: 7D AC 56 E4 8A 4D C1 70 FA A8 FC BA E2 0D B8 45 2997 00010: 45 0C CC C4 C6 32 8B DC 8D 01 15 7C EF A2 A5 F1 2998 00020: 1F 1C BA D8 86 61 66 F0 1F FA AB 01 52 E2 4B F4 2999 00030: 60 9D 5F 46 A5 C8 99 C7 87 90 0D 08 B9 FC AD 24 3001 IV: 3002 00000: 21 4A 6A 29 8E 99 E3 25 3004 PMSEXP: 3005 00000: 25 0D 1B 67 A2 70 AB 04 D3 F6 54 18 E1 D3 80 B4 3006 00010: CB 94 5F 0A 3D CA 51 50 0C F3 A1 BE F3 7F 76 C0 3007 00020: 73 41 A9 83 9C CF 6C BA 71 89 DA 61 EB 67 17 6C 3009 ---------------------------Client--------------------------- 3011 ClientKeyExchange message: 3012 msg_type: 10 3013 length: 0000E2 3014 body: 3015 exchange_keys: 3081DF0430250D1B67A270AB04D3F654 3016 18E1D380B4CB945F0A3DCA51500CF3A1 3017 BEF37F76C07341A9839CCF6CBA7189DA 3018 . . . 3019 93B03178E2EC003CA8A814324F16350B 3020 C0AB534187DE86C76BE29A940A8DB2AD 3021 71646AA0C952FDF411206548813EB9F7 3022 54A1 3024 00000: 10 00 00 E2 30 81 DF 04 30 25 0D 1B 67 A2 70 AB 3025 00010: 04 D3 F6 54 18 E1 D3 80 B4 CB 94 5F 0A 3D CA 51 3026 00020: 50 0C F3 A1 BE F3 7F 76 C0 73 41 A9 83 9C CF 6C 3027 00030: BA 71 89 DA 61 EB 67 17 6C 30 81 AA 30 21 06 08 3028 00040: 2A 85 03 07 01 01 01 02 30 15 06 09 2A 85 03 07 3029 00050: 01 02 01 02 03 06 08 2A 85 03 07 01 01 02 03 03 3030 00060: 81 84 00 04 81 80 C6 5B D7 05 B6 86 01 98 BA D4 3031 00070: A7 0E B9 37 B6 B4 80 84 E2 60 AD F7 B1 07 4A 89 3032 00080: 18 28 62 C5 BF FE 64 86 28 35 41 33 0B 15 0F E4 3033 00090: 8A 73 7C B3 E5 BB 04 3E 4A 11 34 03 5A 6D 47 9B 3034 000A0: 18 93 51 BE 41 C9 BE 9A 7E 2A FC 24 62 76 FE 4E 3035 000B0: 23 56 84 52 93 B0 31 78 E2 EC 00 3C A8 A8 14 32 3036 000C0: 4F 16 35 0B C0 AB 53 41 87 DE 86 C7 6B E2 9A 94 3037 000D0: 0A 8D B2 AD 71 64 6A A0 C9 52 FD F4 11 20 65 48 3038 000E0: 81 3E B9 F7 54 A1 3040 Record layer message: 3041 type: 16 3042 version: 3043 major: 03 3044 minor: 03 3045 length: 00E6 3046 fragment: 
100000E23081DF0430250D1B67A270AB 3047 04D3F65418E1D380B4CB945F0A3DCA51 3048 500CF3A1BEF37F76C07341A9839CCF6C 3049 . . . 3050 2356845293B03178E2EC003CA8A81432 3051 4F16350BC0AB534187DE86C76BE29A94 3052 0A8DB2AD71646AA0C952FDF411206548 3053 813EB9F754A1 3055 00000: 16 03 03 00 E6 10 00 00 E2 30 81 DF 04 30 25 0D 3056 00010: 1B 67 A2 70 AB 04 D3 F6 54 18 E1 D3 80 B4 CB 94 3057 00020: 5F 0A 3D CA 51 50 0C F3 A1 BE F3 7F 76 C0 73 41 3058 00030: A9 83 9C CF 6C BA 71 89 DA 61 EB 67 17 6C 30 81 3059 00040: AA 30 21 06 08 2A 85 03 07 01 01 01 02 30 15 06 3060 00050: 09 2A 85 03 07 01 02 01 02 03 06 08 2A 85 03 07 3061 00060: 01 01 02 03 03 81 84 00 04 81 80 C6 5B D7 05 B6 3062 00070: 86 01 98 BA D4 A7 0E B9 37 B6 B4 80 84 E2 60 AD 3063 00080: F7 B1 07 4A 89 18 28 62 C5 BF FE 64 86 28 35 41 3064 00090: 33 0B 15 0F E4 8A 73 7C B3 E5 BB 04 3E 4A 11 34 3065 000A0: 03 5A 6D 47 9B 18 93 51 BE 41 C9 BE 9A 7E 2A FC 3066 000B0: 24 62 76 FE 4E 23 56 84 52 93 B0 31 78 E2 EC 00 3067 000C0: 3C A8 A8 14 32 4F 16 35 0B C0 AB 53 41 87 DE 86 3068 000D0: C7 6B E2 9A 94 0A 8D B2 AD 71 64 6A A0 C9 52 FD 3069 000E0: F4 11 20 65 48 81 3E B9 F7 54 A1 3071 ---------------------------Server--------------------------- 3073 PMSEXP extracted: 3074 00000: 25 0D 1B 67 A2 70 AB 04 D3 F6 54 18 E1 D3 80 B4 3075 00010: CB 94 5F 0A 3D CA 51 50 0C F3 A1 BE F3 7F 76 C0 3076 00020: 73 41 A9 83 9C CF 6C BA 71 89 DA 61 EB 67 17 6C 3078 HASH(r_c | r_s): 3079 00000: C3 EF 04 28 D4 B7 A1 F4 C5 02 5F 2E 65 DD 2B 2E 3080 00010: A5 83 AE EF DB 67 C7 F4 21 4A 6A 29 8E 99 E3 25 3082 Export key generation. r value: 3084 0xC3EF0428D4B7A1F4C5025F2E65DD2B2E 3086 Export key generation. 
UKM value: 3087 0xC3EF0428D4B7A1F4C5025F2E65DD2B2E 3089 Export keys K_Exp_MAC | K_Exp_ENC used in KImp15 algorithm: 3090 00000: 7D AC 56 E4 8A 4D C1 70 FA A8 FC BA E2 0D B8 45 3091 00010: 45 0C CC C4 C6 32 8B DC 8D 01 15 7C EF A2 A5 F1 3092 00020: 1F 1C BA D8 86 61 66 F0 1F FA AB 01 52 E2 4B F4 3093 00030: 60 9D 5F 46 A5 C8 99 C7 87 90 0D 08 B9 FC AD 24 3095 IV: 3096 00000: 21 4A 6A 29 8E 99 E3 25 3098 PMS: 3099 00000: A5 57 6C E7 92 4A 24 F5 81 13 80 8D BD 9E F8 56 3100 00010: F5 BD C3 B1 83 CE 5D AD CA 36 A5 3A A0 77 65 1D 3102 ---------------------------Client--------------------------- 3104 Random value k used in signature generation: 3105 0x163962EEA268203E7C6B3F70BF8D4A36 3106 34CE6E2CFC424687951D70ACE0B4292A 3108 Signature value sgn_c = SIGN_d_c(HM): 3109 00000: F7 1F 43 62 45 5B C5 5B A8 9A 8F AF 01 82 88 EC 3110 00010: 00 B3 27 17 48 2E 76 24 B2 57 D9 79 7C 8F F6 02 3111 00020: E3 15 FD BD 8D E5 6D 08 54 18 04 0E 1B 61 BB F6 3112 00030: B3 01 AC 26 3D 50 03 8B 30 31 13 DB 36 17 50 3A 3114 ---------------------------Client--------------------------- 3116 CertificateVerify message: 3117 msg_type: 0F 3118 length: 000044 3119 body: 3120 algorithm: 3121 hash: 08 3122 signature: 40 3123 signature: 3124 length: 0040 3125 vector: F71F4362455BC55BA89A8FAF018288EC 3126 00B32717482E7624B257D9797C8FF602 3127 E315FDBD8DE56D085418040E1B61BBF6 3128 B301AC263D50038B303113DB3617503A 3130 00000: 0F 00 00 44 08 40 00 40 F7 1F 43 62 45 5B C5 5B 3131 00010: A8 9A 8F AF 01 82 88 EC 00 B3 27 17 48 2E 76 24 3132 00020: B2 57 D9 79 7C 8F F6 02 E3 15 FD BD 8D E5 6D 08 3133 00030: 54 18 04 0E 1B 61 BB F6 B3 01 AC 26 3D 50 03 8B 3134 00040: 30 31 13 DB 36 17 50 3A 3136 Record layer message: 3137 type: 16 3138 version: 3139 major: 03 3140 minor: 03 3141 length: 0048 3142 fragment: 0F00004408400040F71F4362455BC55B 3143 A89A8FAF018288EC00B32717482E7624 3144 B257D9797C8FF602E315FDBD8DE56D08 3145 5418040E1B61BBF6B301AC263D50038B 3146 303113DB3617503A 3148 00000: 16 03 03 00 48 0F 00 00 44 
08 40 00 40 F7 1F 43 3149 00010: 62 45 5B C5 5B A8 9A 8F AF 01 82 88 EC 00 B3 27 3150 00020: 17 48 2E 76 24 B2 57 D9 79 7C 8F F6 02 E3 15 FD 3151 00030: BD 8D E5 6D 08 54 18 04 0E 1B 61 BB F6 B3 01 AC 3152 00040: 26 3D 50 03 8B 30 31 13 DB 36 17 50 3A 3154 ---------------------------Client--------------------------- 3156 HASH(HM): 3157 00000: 9D 64 0D D8 B2 54 6B 87 05 CC 3E 67 F3 BB 83 2F 3158 00010: 89 2A 5B D5 D4 5C A0 44 85 01 14 C2 E6 56 02 69 3160 MS: 3161 00000: E3 18 17 B0 EC 7F 3B C9 4A 8B C4 5F 89 12 DE C5 3162 00010: 71 2A 7A 34 78 56 31 C0 4B AE 81 43 EE 17 90 B4 3163 00020: C9 D3 68 0F 6C 9D E1 70 74 58 C8 75 62 4D B6 ED 3165 Client connection key material 3166 K_write_MAC|K_read_MAC|K_write_ENC|K_read_ENC|IV_write|IV_read: 3167 00000: 50 52 5D 33 4E F7 00 6C 1D ED B8 B8 08 EA 03 CC 3168 00010: CF 1F CB 3D 33 65 F9 72 E1 7C 7C 31 4E DD 97 90 3169 00020: 6C 74 35 22 0A A1 B0 C6 DE 6A 1B 0F AC 29 B6 17 3170 00030: 9E B3 23 86 62 25 E0 7F 30 4C A1 D1 27 75 86 29 3171 00040: 7B 97 20 5D 7A 08 C2 CD 7F 60 3C 09 46 75 E6 C4 3172 00050: CC 15 F2 84 0D 9A EC 63 F0 2A FF 51 DB D5 74 D2 3173 00060: 76 6C 77 2B 83 2F CE 58 CB 4D E5 49 88 77 A6 7A 3174 00070: A4 51 40 B2 ED 52 6E 61 65 0A 28 1B 32 56 35 BC 3175 00080: CB 8E F9 4C 5B DF 5B 9F 47 48 B9 5B F1 B0 E0 BF 3176 ---------------------------Server--------------------------- 3178 HASH(HM): 3179 00000: 9D 64 0D D8 B2 54 6B 87 05 CC 3E 67 F3 BB 83 2F 3180 00010: 89 2A 5B D5 D4 5C A0 44 85 01 14 C2 E6 56 02 69 3182 MS: 3183 00000: E3 18 17 B0 EC 7F 3B C9 4A 8B C4 5F 89 12 DE C5 3184 00010: 71 2A 7A 34 78 56 31 C0 4B AE 81 43 EE 17 90 B4 3185 00020: C9 D3 68 0F 6C 9D E1 70 74 58 C8 75 62 4D B6 ED 3187 Server connection key material 3188 K_read_MAC|K_write_MAC|K_read_ENC|K_write_ENC|IV_read|IV_write: 3189 00000: 50 52 5D 33 4E F7 00 6C 1D ED B8 B8 08 EA 03 CC 3190 00010: CF 1F CB 3D 33 65 F9 72 E1 7C 7C 31 4E DD 97 90 3191 00020: 6C 74 35 22 0A A1 B0 C6 DE 6A 1B 0F AC 29 B6 17 3192 00030: 9E B3 23 86 62 25 E0 7F 
30 4C A1 D1 27 75 86 29 3193 00040: 7B 97 20 5D 7A 08 C2 CD 7F 60 3C 09 46 75 E6 C4 3194 00050: CC 15 F2 84 0D 9A EC 63 F0 2A FF 51 DB D5 74 D2 3195 00060: 76 6C 77 2B 83 2F CE 58 CB 4D E5 49 88 77 A6 7A 3196 00070: A4 51 40 B2 ED 52 6E 61 65 0A 28 1B 32 56 35 BC 3197 00080: CB 8E F9 4C 5B DF 5B 9F 47 48 B9 5B F1 B0 E0 BF 3199 ---------------------------Client--------------------------- 3201 ChangeCipherSpec message: 3202 type: 01 3204 00000: 01 3206 Record layer message: 3207 type: 14 3208 version: 3209 major: 03 3210 minor: 03 3211 length: 0001 3212 fragment: 01 3214 00000: 14 03 03 00 01 01 3216 ---------------------------Client--------------------------- 3218 HASH(HM): 3219 00000: 9D 64 0D D8 B2 54 6B 87 05 CC 3E 67 F3 BB 83 2F 3220 00010: 89 2A 5B D5 D4 5C A0 44 85 01 14 C2 E6 56 02 69 3221 client_verify_data: 3222 00000: 62 DA B6 48 52 0C 44 96 2D 1E 60 29 70 57 FA E1 3223 00010: F3 01 E0 8A 68 A2 36 CA F0 EE 2A 2C 81 1B 14 EC 3225 ---------------------------Client--------------------------- 3227 Finished message: 3228 msg_type: 14 3229 length: 000020 3230 body: 3231 verify_data: 62DAB648520C44962D1E60297057FAE1 3232 F301E08A68A236CAF0EE2A2C811B14EC 3234 00000: 14 00 00 20 62 DA B6 48 52 0C 44 96 2D 1E 60 29 3235 00010: 70 57 FA E1 F3 01 E0 8A 68 A2 36 CA F0 EE 2A 2C 3236 00020: 81 1B 14 EC 3238 Record layer message: 3239 type: 16 3240 version: 3241 major: 03 3242 minor: 03 3243 length: 0034 3244 fragment: 4DC53D65A479742A92EC2D98E3287F22 3245 4C0382DCCE405A32BF671EB5AEB09611 3246 CA72AE8AE792116CEB1B77A9E135783D 3247 A0709535 3249 00000: 16 03 03 00 34 4D C5 3D 65 A4 79 74 2A 92 EC 2D 3250 00010: 98 E3 28 7F 22 4C 03 82 DC CE 40 5A 32 BF 67 1E 3251 00020: B5 AE B0 96 11 CA 72 AE 8A E7 92 11 6C EB 1B 77 3252 00030: A9 E1 35 78 3D A0 70 95 35 3254 ---------------------------Server--------------------------- 3256 ChangeCipherSpec message: 3257 type: 01 3259 00000: 01 3261 Record layer message: 3262 type: 14 3263 version: 3264 major: 03 3265 minor: 03 3266 
   length: 0001
   fragment: 01

   00000: 14 03 03 00 01 01

   ---------------------------Server---------------------------

   HASH(HM):
   00000: C1 62 4B ED F2 83 75 1A 28 9B 90 9E 3E C5 00 14
   00010: 2B 7E 7B 76 46 CD 37 68 15 3B 87 D9 C5 F6 AA 07

   server_verify_data:
   00000: B3 38 7A B1 8B 9E F0 74 8A B7 14 B0 10 DC B5 27
   00010: 75 02 EF AF 7D 70 A6 1D 70 11 4E 9C 06 C5 D7 52

   ---------------------------Server---------------------------

   Finished message:
   msg_type: 14
   length: 000020
   body:
      verify_data: B3387AB18B9EF0748AB714B010DCB527
                   7502EFAF7D70A61D70114E9C06C5D752

   00000: 14 00 00 20 B3 38 7A B1 8B 9E F0 74 8A B7 14 B0
   00010: 10 DC B5 27 75 02 EF AF 7D 70 A6 1D 70 11 4E 9C
   00020: 06 C5 D7 52

   Record layer message:
   type: 16
   version:
      major: 03
      minor: 03
   length: 0034
   fragment: F9887C36F91DCBD3520D944F249AA466
             F9D55CA04EB61DB418529BB58889FB82
             74F05644ABA588B8F248C31C511E4C1E
             229F9EA6

   00000: 16 03 03 00 34 F9 88 7C 36 F9 1D CB D3 52 0D 94
   00010: 4F 24 9A A4 66 F9 D5 5C A0 4E B6 1D B4 18 52 9B
   00020: B5 88 89 FB 82 74 F0 56 44 AB A5 88 B8 F2 48 C3
   00030: 1C 51 1E 4C 1E 22 9F 9E A6

   ---------------------------Client---------------------------

   Application data:
   00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

   Record layer message:
   type: 17
   version:
      major: 03
      minor: 03
   length: 0030
   fragment: F14F06FB8557408846080690E7A5525D
             1C6E9C901D24025486AB79728BF63D06
             5C09C27233006D65CFF0B5BA87504969

   00000: 17 03 03 00 30 F1 4F 06 FB 85 57 40 88 46 08 06
   00010: 90 E7 A5 52 5D 1C 6E 9C 90 1D 24 02 54 86 AB 79
   00020: 72 8B F6 3D 06 5C 09 C2 72 33 00 6D 65 CF F0 B5
   00030: BA 87 50 49 69

   ---------------------------Server---------------------------

   Application data:
   00000: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
   00010: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF

   Record layer message:
   type: 17
   version:
      major: 03
      minor: 03
   length: 0030
   fragment: 1561E52A8B6DB258746FFE18F3CDCB11
             1D0173AF2E5C13741C99BFF13B47CD32
             B3CED856A9506E706A2340D5841AB114

   00000: 17 03 03 00 30 15 61 E5 2A 8B 6D B2 58 74 6F FE
   00010: 18 F3 CD CB 11 1D 01 73 AF 2E 5C 13 74 1C 99 BF
   00020: F1 3B 47 CD 32 B3 CE D8 56 A9 50 6E 70 6A 23 40
   00030: D5 84 1A B1 14

   ---------------------------Client---------------------------

   close_notify alert:
   Alert:
      level: 01
      description: 00

   00000: 01 00

   Record layer message:
   type: 15
   version:
      major: 03
      minor: 03
   length: 0012
   fragment: E530C164642A078CEF528CB465E9DA7E
             AD4D

   00000: 15 03 03 00 12 E5 30 C1 64 64 2A 07 8C EF 52 8C
   00010: B4 65 E9 DA 7E AD 4D

   ---------------------------Server---------------------------

   close_notify alert:
   Alert:
      level: 01
      description: 00

   00000: 01 00

   Record layer message:
   type: 15
   version:
      major: 03
      minor: 03
   length: 0012
   fragment: EB62E5AB78BF2A4B678920A11027EC43
             0C3F

   00000: 15 03 03 00 12 EB 62 E5 AB 78 BF 2A 4B 67 89 20
   00010: A1 10 27 EC 43 0C 3F

A.2.  Test Examples for CNT_IMIT cipher suites

A.2.1.  Record Examples

   It is assumed that the following keys were established during the
   Handshake:

   - MAC key:
   00000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
   00010: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff

   - Encryption key:
   00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

   - IV:
   00000: 00 00 00 00 00 00 00 00

   ---------------------------------------------------------
   seqnum = 0

   Application data:
   00000: 00 00 00 00 00 00 00

   Plaintext:
   00000: 17 03 03 00 07 00 00 00 00 00 00 00

   MAC:
   00000: 30 01 34 a1

   Ciphertext:
   00000: 17 03 03 00 0b 86 71 cd bf 3c 1a ae 0f 62 4b 04

   ---------------------------------------------------------
   seqnum = 1

   Application data:
   00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   ....
   007f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

   Plaintext:
   00000: 17 03 03 08 00 00 00 00 00 00 00 00 00 00 00 00
   00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   ....
   007f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00804: 00 00 00 00 00

   MAC:
   00000: f7 c3 8b 8a

   Ciphertext:
   00000: 17 03 03 08 04 cf aa 0c b4 2f a5 a4 7a 13 3d 73
   00010: b9 f2 c0 b0 4f 8c a2 55 52 f8 56 bc be 6a 58 fa
   ....
   007f0: 3e e2 c7 6f a2 30 a0 44 be 21 dc 8e 1a 96 f9 a8
   00804: 88 1f ad 83 45 96 96 84 47

A.2.2.  Handshake Examples

   Server certificate curve OID:
   id-tc26-gost-3410-12-512-paramSetA, "1.2.643.7.1.2.1.2.1"

   Server public key Q_s:
   x = 0x16DB0566C0278AC8204143994824236D
         97F36A13D5433E990B2EAC859D2E9B7A
         E054794655389158B8242923E3841B14
         24FD89F221701C89D9A3BF6A9F946795

   y = 0xD01E80DEC5BD23C8BC6B85F12BBB1635
         A5AE7AD50DE24FB8FD02CB285A4AE65A
         7D6FBB99AAFFDA80629826F2F7F73282
         220444761615A06D082077C4A00FD4CF

   Server private key d_s:
   0x5F1E83AFA2C4CB2C5633C51380E84E37
     4B013EE7C238330709080CE914B442D4
     34EB016D23FB63FEDC18B62D9DA93D26
     B3B9CE6F663B383303BD5930ED41608B

   ---------------------------Client---------------------------

   ClientHello message:
   msg_type: 01
   length: 00003a
   body:
      client_version:
         major: 03
         minor: 03
      random: 6A523D6880DCC2DC75CCC43CFD04B616
              F5C3757B8077B76A9B504949FD3BFDB8
      session_id:
         length: 00
         vector: --
      cipher_suites:
         length: 0002
         vector:
            CipherSuite: C102
      compression_methods:
         length: 01
         vector:
            CompressionMethod: 00
      extensions:
         length: 000F
         Extension: /* signature_algorithms */
            extension_type: 000D
            extension_data:
               length: 0006
               vector:
                  supported_signature_algorithms:
                     length: 0004
                     vector:
                        /* 1 pair of algorithms */
                        hash: 08
                        signature: 41
                        /* 2 pair of algorithms */
                        hash: 08
                        signature: 40
         Extension: /* renegotiation_info */
            extension_type: FF01
            extension_data:
               length: 0001
               vector:
                  renegotiated_connection:
                     length: 00
                     vector: --

   00000: 01 00 00 3A 03 03 6A 52 3D 68 80 DC C2 DC 75 CC
   00010: C4 3C FD 04 B6 16 F5 C3 75 7B 80 77 B7 6A 9B 50
   00020: 49 49 FD 3B FD B8 00 00 02 C1 02 01 00 00 0F 00
   00030: 0D 00 06 00 04 08 41 08 40 FF 01 00 01 00

   Record layer message:
   type: 16
   version:
      major: 03
      minor: 03
           length: 003e
           fragment: 0100003A03036A523D6880DCC2DC75CC
                     C43CFD04B616F5C3757B8077B76A9B50
                     4949FD3BFDB8000002C1020100000F00
                     0D0006000408410840FF01000100

   00000: 16 03 03 00 3E 01 00 00 3A 03 03 6A 52 3D 68 80
   00010: DC C2 DC 75 CC C4 3C FD 04 B6 16 F5 C3 75 7B 80
   00020: 77 B7 6A 9B 50 49 49 FD 3B FD B8 00 00 02 C1 02
   00030: 01 00 00 0F 00 0D 00 06 00 04 08 41 08 40 FF 01
   00040: 00 01 00
   ---------------------------Server---------------------------

   ServerHello message:
     msg_type: 02
     length: 00004D
     body:
       server_version:
         major: 03
         minor: 03
       random: FE92C9516D0E1A67A04C33CD7F2C90B1
               5E76DCC30815C19F92A6D100915AF2DB
       session_id:
         length: 20
         vector: 12AAA5E5779014711CCD6D265BDEE519
                 1026431C83768EE5EB5A157F940BE9FB
       cipher_suite:
         CipherSuite: C102
       compression_method:
         CompressionMethod: 00
       extensions:
         length: 0005
         Extension: /* renegotiation_info */
           extension_type: FF01
           extension_data:
             length: 0001
             vector:
               renegotiated_connection:
                 length: 00
                 vector: --

   00000: 02 00 00 4D 03 03 FE 92 C9 51 6D 0E 1A 67 A0 4C
   00010: 33 CD 7F 2C 90 B1 5E 76 DC C3 08 15 C1 9F 92 A6
   00020: D1 00 91 5A F2 DB 20 12 AA A5 E5 77 90 14 71 1C
   00030: CD 6D 26 5B DE E5 19 10 26 43 1C 83 76 8E E5 EB
   00040: 5A 15 7F 94 0B E9 FB C1 02 00 00 05 FF 01 00 01
   00050: 00

   Record layer message:
     type: 16
     version:
       major: 03
       minor: 03
     length: 0051
     fragment: 0200004D0303FE92C9516D0E1A67A04C
               33CD7F2C90B15E76DCC30815C19F92A6
               D100915AF2DB2012AAA5E5779014711C
               CD6D265BDEE5191026431C83768EE5EB
               5A157F940BE9FBC102000005FF010001
               00

   00000: 16 03 03 00 51 02 00 00 4D 03 03 FE 92 C9 51 6D
   00010: 0E 1A 67 A0 4C 33 CD 7F 2C 90 B1 5E 76 DC C3 08
   00020: 15 C1 9F 92 A6 D1 00 91 5A F2 DB 20 12 AA A5 E5
   00030: 77 90 14 71 1C CD 6D 26 5B DE E5 19 10 26 43 1C
   00040: 83 76 8E E5 EB 5A 15 7F 94 0B E9 FB C1 02 00 00
   00050: 05 FF 01 00 01 00
   ---------------------------Server---------------------------

   Certificate message:
     msg_type: 0B
     length: 000266
     body:
       certificate_list:
         length: 000263
         vector:
           ASN.1Cert:
             length: 000260
             vector: 3082025C308201C8A003020102021478
                     94DC9D920977809191642F1DAEDC26BA
                     3B5104300A06082A8503070101030330
                     . . .
                     6C12D51F99C98A4A9904F0EA5486FED7
                     FF66AB8EB2425E1ACEAE8A758BDF843B
                     E1A8F6FEBF673015FED7AB86533DBF20

   00000: 0B 00 02 66 00 02 63 00 02 60 30 82 02 5C 30 82
   00010: 01 C8 A0 03 02 01 02 02 14 78 94 DC 9D 92 09 77
   00020: 80 91 91 64 2F 1D AE DC 26 BA 3B 51 04 30 0A 06
   00030: 08 2A 85 03 07 01 01 03 03 30 19 31 17 30 15 06
   00040: 03 55 04 03 13 0E 43 41 20 43 65 72 74 69 66 69
   00050: 63 61 74 65 30 1E 17 0D 31 38 30 31 30 32 30 30
   00060: 30 30 31 31 5A 17 0D 32 32 30 31 30 32 30 30 30
   00070: 30 32 31 5A 30 21 31 1F 30 1D 06 03 55 04 03 13
   00080: 16 53 65 72 76 65 72 20 35 31 32 20 43 65 72 74
   00090: 69 66 69 63 61 74 65 30 81 AA 30 21 06 08 2A 85
   000a0: 03 07 01 01 01 02 30 15 06 09 2A 85 03 07 01 02
   000b0: 01 02 01 06 08 2A 85 03 07 01 01 02 03 03 81 84
   000c0: 00 04 81 80 95 67 94 9F 6A BF A3 D9 89 1C 70 21
   000d0: F2 89 FD 24 14 1B 84 E3 23 29 24 B8 58 91 38 55
   000e0: 46 79 54 E0 7A 9B 2E 9D 85 AC 2E 0B 99 3E 43 D5
   000f0: 13 6A F3 97 6D 23 24 48 99 43 41 20 C8 8A 27 C0
   00100: 66 05 DB 16 CF D4 0F A0 C4 77 20 08 6D A0 15 16
   00110: 76 44 04 22 82 32 F7 F7 F2 26 98 62 80 DA FF AA
   00120: 99 BB 6F 7D 5A E6 4A 5A 28 CB 02 FD B8 4F E2 0D
   00130: D5 7A AE A5 35 16 BB 2B F1 85 6B BC C8 23 BD C5
   00140: DE 80 1E D0 A3 81 93 30 81 90 30 0C 06 03 55 1D
   00150: 13 01 01 FF 04 02 30 00 30 1A 06 03 55 1D 11 04
   00160: 13 30 11 82 09 6C 6F 63 61 6C 68 6F 73 74 87 04
   00170: 7F 00 00 01 30 13 06 03 55 1D 25 04 0C 30 0A 06
   00180: 08 2B 06 01 05 05 07 03 01 30 0F 06 03 55 1D 0F
   00190: 01 01 FF 04 05 03 03 07 B0 00 30 1D 06 03 55 1D
   001a0: 0E 04 16 04 14 AE 46 41 1B FD B3 08 C3 39 03 47
   001b0: 57 57 2B 0F BF A3 6F 9A 99 30 1F 06 03 55 1D 23
   001c0: 04 18 30 16 80 14 7F 7B 7A 15 61 A6 F2 18 A2 E3
   001d0: 48 3B C6 39 D9 7F 42 DB 6D AF 30 0A 06 08 2A 85
   001e0: 03 07 01 01 03 03 03 81 81 00 9C 49 78 F7 1B AB
   001f0: 54 8A 25 6D 2A 18 7C A8 4D 72 4F E1 EF A7 E5 36
   00200: 67 2E 79 1F 8A 0C B6 74 1E B1 63 E2 96 37 8C 5B
   00210: 82 83 EE DA B4 1B A4 22 1E BC E2 05 F6 F8 79 CF
   00220: EB F0 AD E9 36 07 0F B2 40 E5 0D 04 37 03 7F 2A
   00230: EC 99 C7 CD 23 9F 6F 20 25 A8 6C 12 D5 1F 99 C9
   00240: 8A 4A 99 04 F0 EA 54 86 FE D7 FF 66 AB 8E B2 42
   00250: 5E 1A CE AE 8A 75 8B DF 84 3B E1 A8 F6 FE BF 67
   00260: 30 15 FE D7 AB 86 53 3D BF 20

   Record layer message:
     type: 16
     version:
       major: 03
       minor: 03
     length: 026A
     fragment: 0B0002660002630002603082025C3082
               01C8A00302010202147894DC9D920977
               809191642F1DAEDC26BA3B5104300A06
               . . .
               EC99C7CD239F6F2025A86C12D51F99C9
               8A4A9904F0EA5486FED7FF66AB8EB242
               5E1ACEAE8A758BDF843BE1A8F6FEBF67
               3015FED7AB86533DBF20

   00000: 16 03 03 02 6A 0B 00 02 66 00 02 63 00 02 60 30
   00010: 82 02 5C 30 82 01 C8 A0 03 02 01 02 02 14 78 94
   00020: DC 9D 92 09 77 80 91 91 64 2F 1D AE DC 26 BA 3B
   00030: 51 04 30 0A 06 08 2A 85 03 07 01 01 03 03 30 19
   00040: 31 17 30 15 06 03 55 04 03 13 0E 43 41 20 43 65
   00050: 72 74 69 66 69 63 61 74 65 30 1E 17 0D 31 38 30
   00060: 31 30 32 30 30 30 30 31 31 5A 17 0D 32 32 30 31
   00070: 30 32 30 30 30 30 32 31 5A 30 21 31 1F 30 1D 06
   00080: 03 55 04 03 13 16 53 65 72 76 65 72 20 35 31 32
   00090: 20 43 65 72 74 69 66 69 63 61 74 65 30 81 AA 30
   000a0: 21 06 08 2A 85 03 07 01 01 01 02 30 15 06 09 2A
   000b0: 85 03 07 01 02 01 02 01 06 08 2A 85 03 07 01 01
   000c0: 02 03 03 81 84 00 04 81 80 95 67 94 9F 6A BF A3
   000d0: D9 89 1C 70 21 F2 89 FD 24 14 1B 84 E3 23 29 24
   000e0: B8 58 91 38 55 46 79 54 E0 7A 9B 2E 9D 85 AC 2E
   000f0: 0B 99 3E 43 D5 13 6A F3 97 6D 23 24 48 99 43 41
   00100: 20 C8 8A 27 C0 66 05 DB 16 CF D4 0F A0 C4 77 20
   00110: 08 6D A0 15 16 76 44 04 22 82 32 F7 F7 F2 26 98
   00120: 62 80 DA FF AA 99 BB 6F 7D 5A E6 4A 5A 28 CB 02
   00130: FD B8 4F E2 0D D5 7A AE A5 35 16 BB 2B F1 85 6B
   00140: BC C8 23 BD C5 DE 80 1E D0 A3 81 93 30 81 90 30
   00150: 0C 06 03 55 1D 13 01 01 FF 04 02 30 00 30 1A 06
   00160: 03 55 1D 11 04 13 30 11 82 09 6C 6F 63 61 6C 68
   00170: 6F 73 74 87 04 7F 00 00 01 30 13 06 03 55 1D 25
   00180: 04 0C 30 0A 06 08 2B 06 01 05 05 07 03 01 30 0F
   00190: 06 03 55 1D 0F 01 01 FF 04 05 03 03 07 B0 00 30
   001a0: 1D 06 03 55 1D 0E 04 16 04 14 AE 46 41 1B FD B3
   001b0: 08 C3 39 03 47 57 57 2B 0F BF A3 6F 9A 99 30 1F
   001c0: 06 03 55 1D 23 04 18 30 16 80 14 7F 7B 7A 15 61
   001d0: A6 F2 18 A2 E3 48 3B C6 39 D9 7F 42 DB 6D AF 30
   001e0: 0A 06 08 2A 85 03 07 01 01 03 03 03 81 81 00 9C
   001f0: 49 78 F7 1B AB 54 8A 25 6D 2A 18 7C A8 4D 72 4F
   00200: E1 EF A7 E5 36 67 2E 79 1F 8A 0C B6 74 1E B1 63
   00210: E2 96 37 8C 5B 82 83 EE DA B4 1B A4 22 1E BC E2
   00220: 05 F6 F8 79 CF EB F0 AD E9 36 07 0F B2 40 E5 0D
   00230: 04 37 03 7F 2A EC 99 C7 CD 23 9F 6F 20 25 A8 6C
   00240: 12 D5 1F 99 C9 8A 4A 99 04 F0 EA 54 86 FE D7 FF
   00250: 66 AB 8E B2 42 5E 1A CE AE 8A 75 8B DF 84 3B E1
   00260: A8 F6 FE BF 67 30 15 FE D7 AB 86 53 3D BF 20
   ---------------------------Server---------------------------

   ServerHelloDone message:
     msg_type: 0E
     length: 000000
     body: --

   00000: 0E 00 00 00

   Record layer message:
     type: 16
     version:
       major: 03
       minor: 03
     length: 0004
     fragment: 0E000000

   00000: 16 03 03 00 04 0E 00 00 00
   ---------------------------Client---------------------------

   PMS:
   00000: CE 0D D6 B6 70 42 12 15 2B E4 69 5A 7E 89 F6 4C
   00010: 89 29 A4 0D BF 0A 5A 55 C2 CE 00 2B 06 BA B6 2F

   Random d_eph value:
   0xC96486B1A3732389A162F5AD0145D537
     43C9AC27D42ACF1091CE7EF67E6C3CCA
     0F6C879B2DA3C1607648BAEB96471BD2
     078DF5CAAA4FA83ECC0FFD6D3C8E5D56

   Q_eph ephemeral key:
   x = 0x4B9CB381BCC737E493E43B2D7FD95BFE
         2AEF6BE8F6224882E5E559ADA08170DC
         49A815B3A1B3B323D2B50195153CFC60
         DD6139C3770C5762A6A7719FABF84BFB

   y = 0x95CEF28392C846A5EEFCB51C84E4960A
         77B77D0D85EBD22061BFDA0013C5AB6C
         42DDD04973F65D2AEB8A5427A53D6872
         CF2D68F5F722C4640D7AAF2E0194FBD0

   HASH(r_c | r_s):
   00000: FB F3 9D 10 E8 00 AF 70 E7 AA 22 C1 10 DA 94 A9
   00010: 9A 58 98 D8 45 27 C7 CB DE C1 1E 53 39 90 6A 1A

   K_EXP:
   00000: 3F D9 99 D1 68 4A 15 CC 9B DD 5A 35 06 7A F6 98
   00010: 17 15 00 22 E0 95 54 AC 79 1A 60 F1 61 F5 53 49

   IV:
   00000: FB F3 9D 10 E8 00 AF 70

   CEK_ENC:
   00000: D6 22 D1 67 A5 64 2E 29 52 5A 29 5C B9 F2 8F 96
   00010: F2 8B 0E FA A7 D3 A2 BE E1 49 B0 11 78 C2 DF D5

   CEK_MAC:
   00000: 4C 93 36 57

   PMSEXP:
   00000: FB F3 9D 10 E8 00 AF 70 D6 22 D1 67 A5 64 2E 29
   00010: 52 5A 29 5C B9 F2 8F 96 F2 8B 0E FA A7 D3 A2 BE
   00020: E1 49 B0 11 78 C2 DF D5 4C 93 36 57
   ---------------------------Client---------------------------

   ClientKeyExchange message:
     msg_type: 10
     length: 0000F5
     body:
       exchange_keys: 3081F23081EF30280420D622D167A564
                      2E29525A295CB9F28F96F28B0EFAA7D3
                      A2BEE149B01178C2DFD504044C933657
                      . . .
                      DABF6120D2EB850D7DB7770A96E4841C
                      B5FCEEA546C89283F2CE950408FBF39D
                      10E800AF70

   00000: 10 00 00 F5 30 81 F2 30 81 EF 30 28 04 20 D6 22
   00010: D1 67 A5 64 2E 29 52 5A 29 5C B9 F2 8F 96 F2 8B
   00020: 0E FA A7 D3 A2 BE E1 49 B0 11 78 C2 DF D5 04 04
   00030: 4C 93 36 57 A0 81 C2 06 09 2A 85 03 07 01 02 05
   00040: 01 01 A0 81 AA 30 21 06 08 2A 85 03 07 01 01 01
   00050: 02 30 15 06 09 2A 85 03 07 01 02 01 02 01 06 08
   00060: 2A 85 03 07 01 01 02 03 03 81 84 00 04 81 80 FB
   00070: 4B F8 AB 9F 71 A7 A6 62 57 0C 77 C3 39 61 DD 60
   00080: FC 3C 15 95 01 B5 D2 23 B3 B3 A1 B3 15 A8 49 DC
   00090: 70 81 A0 AD 59 E5 E5 82 48 22 F6 E8 6B EF 2A FE
   000A0: 5B D9 7F 2D 3B E4 93 E4 37 C7 BC 81 B3 9C 4B D0
   000B0: FB 94 01 2E AF 7A 0D 64 C4 22 F7 F5 68 2D CF 72
   000C0: 68 3D A5 27 54 8A EB 2A 5D F6 73 49 D0 DD 42 6C
   000D0: AB C5 13 00 DA BF 61 20 D2 EB 85 0D 7D B7 77 0A
   000E0: 96 E4 84 1C B5 FC EE A5 46 C8 92 83 F2 CE 95 04
   000F0: 08 FB F3 9D 10 E8 00 AF 70

   Record layer message:
     type: 16
     version:
       major: 03
       minor: 03
     length: 00F9
     fragment: 100000F53081F23081EF30280420D622
               D167A5642E29525A295CB9F28F96F28B
               0EFAA7D3A2BEE149B01178C2DFD50404
               . . .
               ABC51300DABF6120D2EB850D7DB7770A
               96E4841CB5FCEEA546C89283F2CE9504
               08FBF39D10E800AF70

   00000: 16 03 03 00 F9 10 00 00 F5 30 81 F2 30 81 EF 30
   00010: 28 04 20 D6 22 D1 67 A5 64 2E 29 52 5A 29 5C B9
   00020: F2 8F 96 F2 8B 0E FA A7 D3 A2 BE E1 49 B0 11 78
   00030: C2 DF D5 04 04 4C 93 36 57 A0 81 C2 06 09 2A 85
   00040: 03 07 01 02 05 01 01 A0 81 AA 30 21 06 08 2A 85
   00050: 03 07 01 01 01 02 30 15 06 09 2A 85 03 07 01 02
   00060: 01 02 01 06 08 2A 85 03 07 01 01 02 03 03 81 84
   00070: 00 04 81 80 FB 4B F8 AB 9F 71 A7 A6 62 57 0C 77
   00080: C3 39 61 DD 60 FC 3C 15 95 01 B5 D2 23 B3 B3 A1
   00090: B3 15 A8 49 DC 70 81 A0 AD 59 E5 E5 82 48 22 F6
   000A0: E8 6B EF 2A FE 5B D9 7F 2D 3B E4 93 E4 37 C7 BC
   000B0: 81 B3 9C 4B D0 FB 94 01 2E AF 7A 0D 64 C4 22 F7
   000C0: F5 68 2D CF 72 68 3D A5 27 54 8A EB 2A 5D F6 73
   000D0: 49 D0 DD 42 6C AB C5 13 00 DA BF 61 20 D2 EB 85
   000E0: 0D 7D B7 77 0A 96 E4 84 1C B5 FC EE A5 46 C8 92
   000F0: 83 F2 CE 95 04 08 FB F3 9D 10 E8 00 AF 70
   ---------------------------Client---------------------------

   HASH(HM):
   00000: F8 D6 FE EB 17 64 4D 17 B0 38 36 A6 51 EB 87 69
   00010: BD EA A2 D3 EB 18 47 F6 91 91 42 7C 30 D0 17 8E

   MS:
   00000: BE 57 46 C8 BB B7 84 7E 97 8F D4 C9 4F 52 34 52
   00010: 44 2C 8E B1 72 FD E6 28 1C 18 C5 44 63 B1 F9 4C
   00020: 2B D9 81 40 05 41 6D BB 0F 90 A5 7E A4 E0 6B 50

   Client connection key material
   K_write_MAC|K_read_MAC|K_write_ENC|K_read_ENC|IV_write|IV_read:
   00000: F3 37 F6 A8 6F F3 1F CA 52 EA 64 7C DE E3 B7 83
   00010: 34 AB 77 B5 7F E0 DB 2F C0 C8 71 EC DC AC A5 A8
   00020: FB A0 4C 21 32 82 3A 24 96 EF 93 6F 0E BC F3 0E
   00030: A0 CB 7E AF 6C A7 94 75 4F 1F 45 B1 77 22 DE B4
   00040: 4E 5B C3 2D 44 30 AF 58 93 11 6A CF 81 A3 BE 0C
   00050: 90 D2 EA 8E 76 E0 84 07 28 BA F5 E2 B2 F9 40 C0
   00060: AE 18 26 7B B6 34 C1 6A 1D 1A C1 24 73 50 95 4B
   00070: 2F EE 9B 77 F3 0D 18 D5 54 01 2B 43 78 60 87 0A
   00080: D9 21 A8 4B 07 FF 98 AF 8C 82 38 6B 91 FB BA 64
   ---------------------------Server---------------------------

   PMSEXP extracted:
   00000: FB F3 9D 10 E8 00 AF 70 D6 22 D1 67 A5 64 2E 29
   00010: 52 5A 29 5C B9 F2 8F 96 F2 8B 0E FA A7 D3 A2 BE
   00020: E1 49 B0 11 78 C2 DF D5 4C 93 36 57

   HASH(r_c | r_s):
   00000: FB F3 9D 10 E8 00 AF 70 E7 AA 22 C1 10 DA 94 A9
   00010: 9A 58 98 D8 45 27 C7 CB DE C1 1E 53 39 90 6A 1A

   K_EXP:
   00000: 3F D9 99 D1 68 4A 15 CC 9B DD 5A 35 06 7A F6 98
   00010: 17 15 00 22 E0 95 54 AC 79 1A 60 F1 61 F5 53 49

   PMS:
   00000: CE 0D D6 B6 70 42 12 15 2B E4 69 5A 7E 89 F6 4C
   00010: 89 29 A4 0D BF 0A 5A 55 C2 CE 00 2B 06 BA B6 2F
   ---------------------------Server---------------------------

   HASH(HM):
   00000: F8 D6 FE EB 17 64 4D 17 B0 38 36 A6 51 EB 87 69
   00010: BD EA A2 D3 EB 18 47 F6 91 91 42 7C 30 D0 17 8E

   MS:
   00000: BE 57 46 C8 BB B7 84 7E 97 8F D4 C9 4F 52 34 52
   00010: 44 2C 8E B1 72 FD E6 28 1C 18 C5 44 63 B1 F9 4C
   00020: 2B D9 81 40 05 41 6D BB 0F 90 A5 7E A4 E0 6B 50

   Server connection key material
   K_read_MAC|K_write_MAC|K_read_ENC|K_write_ENC|IV_read|IV_write:
   00000: F3 37 F6 A8 6F F3 1F CA 52 EA 64 7C DE E3 B7 83
   00010: 34 AB 77 B5 7F E0 DB 2F C0 C8 71 EC DC AC A5 A8
   00020: FB A0 4C 21 32 82 3A 24 96 EF 93 6F 0E BC F3 0E
   00030: A0 CB 7E AF 6C A7 94 75 4F 1F 45 B1 77 22 DE B4
   00040: 4E 5B C3 2D 44 30 AF 58 93 11 6A CF 81 A3 BE 0C
   00050: 90 D2 EA 8E 76 E0 84 07 28 BA F5 E2 B2 F9 40 C0
   00060: AE 18 26 7B B6 34 C1 6A 1D 1A C1 24 73 50 95 4B
   00070: 2F EE 9B 77 F3 0D 18 D5 54 01 2B 43 78 60 87 0A
   00080: D9 21 A8 4B 07 FF 98 AF 8C 82 38 6B 91 FB BA 64
   ---------------------------Client---------------------------

   ChangeCipherSpec message:
     type: 01

   00000: 01

   Record layer message:
     type: 14
     version:
       major: 03
       minor: 03
     length: 0001
     fragment: 01

   00000: 14 03 03 00 01 01
   ---------------------------Client---------------------------

   HASH(HM):
   00000: F8 D6 FE EB 17 64 4D 17 B0 38 36 A6 51 EB 87 69
   00010: BD EA A2 D3 EB 18 47 F6 91 91 42 7C 30 D0 17 8E

   Finished message:
     msg_type: 14
     length: 00000C
     body:
       verify_data: D3EE1DEA725CD7080C744311

   00000: 14 00 00 0C D3 EE 1D EA 72 5C D7 08 0C 74 43 11

   Record layer message:
     type: 16
     version:
       major: 03
       minor: 03
     length: 0014
     fragment: 8854A0ED0CCBDAE076FA7D22D763A8D1
               AF701BBB

   00000: 16 03 03 00 14 88 54 A0 ED 0C CB DA E0 76 FA 7D
   00010: 22 D7 63 A8 D1 AF 70 1B BB
   ---------------------------Server---------------------------

   ChangeCipherSpec message:
     type: 01

   00000: 01

   Record layer message:
     type: 14
     version:
       major: 03
       minor: 03
     length: 0001
     fragment: 01

   00000: 14 03 03 00 01 01
   ---------------------------Server---------------------------

   HASH(HM):
   00000: 9C 9F C4 E3 32 5B 5F B3 70 B9 94 2A 71 D2 6E F0
   00010: 10 71 D8 A5 A1 8F 69 E8 C2 0B 70 CC 90 E9 A9 46

   Finished message:
     msg_type: 14
     length: 00000C
     body:
       verify_data: D6A2A697E9F23DB0F9017A79

   00000: 14 00 00 0C D6 A2 A6 97 E9 F2 3D B0 F9 01 7A 79

   Record layer message:
     type: 16
     version:
       major: 03
       minor: 03
     length: 0014
     fragment: 7BDDBB3C0A6A4A9E302B468CCD5CF786
               665FFEBC

   00000: 16 03 03 00 14 7B DD BB 3C 0A 6A 4A 9E 30 2B 46
   00010: 8C CD 5C F7 86 66 5F FE BC
   ---------------------------Client---------------------------

   Application data:
   00000: 48 45 4C 4F 0A

   Record layer message:
     type: 17
     version:
       major: 03
       minor: 03
     length: 0009
     fragment: A8951D9389D1AEFE3B

   00000: 17 03 03 00 09 A8 95 1D 93 89 D1 AE FE 3B
   ---------------------------Server---------------------------

   Application data:
   00000: 48 45 4C 4F 0A

   Record layer message:
     type: 17
     version:
       major: 03
       minor: 03
     length: 0009
     fragment: 0F368E5CEC86B4F8D7

   00000: 17 03 03 00 09 0F 36 8E 5C EC 86 B4 F8 D7
   ---------------------------Client---------------------------

   close_notify alert:
     Alert:
       level: 01
       description: 00

   00000: 01 00

   Record layer message:
     type: 15
     version:
       major: 03
       minor: 03
     length: 0006
     fragment: F91FCD98F309

   00000: 15 03 03 00 06 F9 1F CD 98 F3 09
   ---------------------------Server---------------------------

   close_notify alert:
     Alert:
       level: 01
       description: 00

   00000: 01 00

   Record layer message:
     type: 15
     version:
       major: 03
       minor: 03
     length: 0006
     fragment: 117B57AD5FED

   00000: 15 03 03 00 06 11 7B 57 AD 5F ED

Appendix B.  Contributors

   o  Evgeny Alekseev
      CryptoPro
      alekseev@cryptopro.ru

   o  Ekaterina Smyshlyaeva
      CryptoPro
      ess@cryptopro.ru

   o  Grigory Sedov
      CryptoPro
      sedovgk@cryptopro.ru

   o  Dmitry Eremin-Solenikov
      Auriga
      dbaryshkov@gmail.com

Appendix C.  Acknowledgments

Authors' Addresses

   Stanislav Smyshlyaev (editor)
   CryptoPro
   18, Suschevsky val
   Moscow 127018
   Russian Federation

   Phone: +7 (495) 995-48-20
   Email: svs@cryptopro.ru

   Dmitry Belyavsky
   Cryptocom
   14/2 Kedrova st
   Moscow 117218
   Russian Federation

   Email: beldmit@gmail.com

   Markku-Juhani O. Saarinen
   Independent Consultant

   Email: mjos@iki.fi
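The record-layer and handshake framing used throughout the handshake test vector above can be checked mechanically before any GOST primitive is touched, and that is where a test-vector consumer should start. The following Python is an added example, not code from the draft or its authors: a minimal TLS 1.2 record and ServerHello parser run over the ServerHello, Finished, application-data and close_notify records exactly as printed in the vector (the byte strings are copied from it), plus a check of how many bytes the record protection adds once cipher suite 0xC102 is in use. Function and constant names are the example's own.

```python
import struct
from dataclasses import dataclass, field

CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                 0x16: "handshake", 0x17: "application_data"}


def parse_record(data: bytes):
    """Split one TLS record into (content_type, version, fragment); reject length mismatches."""
    if len(data) < 5:
        raise ValueError("truncated record header")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if ctype not in CONTENT_TYPES:
        raise ValueError(f"unknown content type {ctype:#04x}")
    if len(data) - 5 != length:
        raise ValueError(f"header announces {length} bytes, fragment has {len(data) - 5}")
    return ctype, (major, minor), data[5:]


def parse_handshake(fragment: bytes):
    """Return (msg_type, body) from a Handshake struct, checking its 24-bit length."""
    msg_type, length = fragment[0], int.from_bytes(fragment[1:4], "big")
    body = fragment[4:]
    if len(body) != length:
        raise ValueError(f"handshake length {length} != {len(body)}")
    return msg_type, body


@dataclass
class ServerHello:
    version: tuple
    random: bytes
    session_id: bytes
    cipher_suite: int
    compression: int
    extensions: dict = field(default_factory=dict)


def parse_server_hello(body: bytes) -> ServerHello:
    """Decode ServerHello (RFC 5246, 7.4.1.3) including the optional extensions block."""
    version, rnd, sid_len = (body[0], body[1]), body[2:34], body[34]
    pos = 35 + sid_len
    sid = body[35:pos]
    suite = int.from_bytes(body[pos:pos + 2], "big")
    comp = body[pos + 2]
    pos += 3
    exts = {}
    if pos < len(body):                          # extensions are optional
        end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        if end != len(body):
            raise ValueError("extensions length does not cover the rest of the body")
        while pos < end:
            etype = int.from_bytes(body[pos:pos + 2], "big")
            elen = int.from_bytes(body[pos + 2:pos + 4], "big")
            exts[etype] = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
        if pos != end:
            raise ValueError("last extension overruns the extensions block")
    return ServerHello(version, rnd, sid, suite, comp, exts)


def protected_overhead(record: bytes, plaintext_len: int) -> int:
    """Bytes the record protection adds: fragment length minus plaintext length."""
    return len(parse_record(record)[2]) - plaintext_len


# Records copied verbatim from the test vector above.
SERVER_HELLO_RECORD = bytes.fromhex(
    "16030300510200004D0303FE92C9516D0E1A67A04C33CD7F2C90B15E76DCC30815C19F92A6"
    "D100915AF2DB2012AAA5E5779014711CCD6D265BDEE5191026431C83768EE5EB"
    "5A157F940BE9FBC102000005FF01000100")
CLIENT_FINISHED_RECORD = bytes.fromhex("16030300148854A0ED0CCBDAE076FA7D22D763A8D1AF701BBB")
CLIENT_APPDATA_RECORD = bytes.fromhex("1703030009A8951D9389D1AEFE3B")
CLIENT_ALERT_RECORD = bytes.fromhex("1503030006F91FCD98F309")


def decode_server_hello() -> ServerHello:
    ctype, _, fragment = parse_record(SERVER_HELLO_RECORD)
    msg_type, body = parse_handshake(fragment)
    if ctype != 0x16 or msg_type != 0x02:
        raise ValueError("not a ServerHello handshake record")
    return parse_server_hello(body)


def overheads() -> tuple:
    """Finished (16-byte plaintext), 'HELO\\n' (5 bytes) and close_notify (2 bytes)."""
    return (protected_overhead(CLIENT_FINISHED_RECORD, 16),
            protected_overhead(CLIENT_APPDATA_RECORD, 5),
            protected_overhead(CLIENT_ALERT_RECORD, 2))


if __name__ == "__main__":
    sh = decode_server_hello()
    exts = {f"{k:#06x}": v.hex() for k, v in sh.extensions.items()}
    print(f"cipher_suite={sh.cipher_suite:#06x} session_id={sh.session_id.hex()} extensions={exts}")
    print("protection overhead per record (MAC bytes, no padding):", overheads())
```

Every protected record in the vector is exactly 4 bytes longer than its plaintext (Finished 16 to 20, "HELO\n" 5 to 9, close_notify 2 to 6): the 28147 CNT_IMIT suite selected by 0xC102 appends a 32-bit MAC and, being a counter mode, adds neither padding nor an explicit per-record IV. A harness that asserts this overhead catches a wrong MAC length, which is the first thing to break interoperability. The only extension the server echoes is renegotiation_info (0xFF01) with an empty renegotiated_connection, the RFC 5746 signal for an initial handshake.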
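The ClientKeyExchange in the vector carries the wrapped pre-master secret as DER: an outer SEQUENCE wrapping a GostR3410-KeyTransport structure (RFC 4357), that is SEQUENCE { encryptedKey, macKey } followed by [0] { encryptionParamSet, [0] ephemeralPublicKey, ukm }. The following Python is an added example, not part of the draft: it walks that structure with a small DER reader, recovers CEK_ENC, CEK_MAC, the UKM and the ephemeral key Q_eph, and rebuilds PMSEXP = IV | CEK_ENC | CEK_MAC as printed above; it also splits the 144-byte key block into the six connection keys the way the client and the server label them. The two byte strings are copied from the vector, the field names follow RFC 4357, and the function names are the example's own. Unwrapping the key under K_EXP is not attempted, since that needs the GOST 28147-89 primitive.

```python
def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the DER TLV at buf[pos]; long-form lengths supported."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: next n bytes hold the length
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("DER length runs past end of buffer")
    return tag, value, pos + length


def expect(buf: bytes, pos: int, tag: int):
    """read_tlv with a tag check, so a mis-framed blob fails instead of being misread."""
    got, value, nxt = read_tlv(buf, pos)
    if got != tag:
        raise ValueError(f"expected tag {tag:#04x} at offset {pos}, found {got:#04x}")
    return value, nxt


def decode_oid(value: bytes) -> str:
    """Dotted form of a DER OBJECT IDENTIFIER value (base-128 arcs)."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_client_key_exchange(msg: bytes) -> dict:
    """ClientKeyExchange handshake message -> fields of the GostR3410-KeyTransport it wraps."""
    if msg[0] != 0x10 or len(msg) - 4 != int.from_bytes(msg[1:4], "big"):
        raise ValueError("not a well-formed ClientKeyExchange")
    blob, _ = expect(msg[4:], 0, 0x30)         # outer SEQUENCE (exchange_keys)
    kt, _ = expect(blob, 0, 0x30)              # GostR3410-KeyTransport
    sek, p = expect(kt, 0, 0x30)               # Gost28147-89-EncryptedKey
    enc, q = expect(sek, 0, 0x04)              #   encryptedKey  (CEK_ENC, 32 bytes)
    mac, _ = expect(sek, q, 0x04)              #   macKey        (CEK_MAC, 4 bytes)
    tp, _ = expect(kt, p,  0xA0)               # [0] transportParameters
    pset, r = expect(tp, 0, 0x06)              #   encryptionParamSet
    spki, r = expect(tp, r, 0xA0)              #   [0] ephemeralPublicKey (SubjectPublicKeyInfo)
    ukm, _ = expect(tp, r, 0x04)               #   ukm (8 bytes, the IV of PMSEXP)
    alg, s = expect(spki, 0, 0x30)             # AlgorithmIdentifier { algorithm, { curve, digest } }
    key_oid, t = expect(alg, 0, 0x06)
    params, _ = expect(alg, t, 0x30)
    curve_oid, u = expect(params, 0, 0x06)
    digest_oid, _ = expect(params, u, 0x06)
    bits, _ = expect(spki, s, 0x03)            # BIT STRING; first byte = unused-bit count
    if bits[0] != 0:
        raise ValueError("unexpected unused bits in public key")
    pub, _ = expect(bits, 1, 0x04)             # OCTET STRING: x || y, each little-endian
    half = len(pub) // 2
    return {"encrypted_key": enc, "mac": mac, "ukm": ukm, "pmsexp": ukm + enc + mac,
            "param_set": decode_oid(pset), "key_algorithm": decode_oid(key_oid),
            "curve": decode_oid(curve_oid), "digest": decode_oid(digest_oid),
            "x": int.from_bytes(pub[:half], "little"),
            "y": int.from_bytes(pub[half:], "little")}


def split_key_block(block: bytes, role: str) -> dict:
    """144-byte key block -> six keys, labelled the way `role` ("client"/"server") uses them."""
    sizes = (32, 32, 32, 32, 8, 8)
    if len(block) != sum(sizes) or role not in ("client", "server"):
        raise ValueError("bad key block or role")
    chunks, pos = [], 0
    for n in sizes:
        chunks.append(block[pos:pos + n])
        pos += n
    if role == "server":                       # the server reads with the key the client writes with
        chunks = [chunks[i ^ 1] for i in range(6)]
    return dict(zip(("write_MAC", "read_MAC", "write_ENC", "read_ENC", "IV_write", "IV_read"), chunks))


# Both byte strings are copied verbatim from the test vector above.
CLIENT_KEY_EXCHANGE = bytes.fromhex(
    "100000F53081F23081EF30280420D622D167A5642E29525A295CB9F28F96F28B"
    "0EFAA7D3A2BEE149B01178C2DFD504044C933657A081C206092A850307010205"
    "0101A081AA302106082A85030701010102301506092A85030701020102010608"
    "2A8503070101020303818400048180FB4BF8AB9F71A7A662570C77C33961DD60"
    "FC3C159501B5D223B3B3A1B315A849DC7081A0AD59E5E5824822F6E86BEF2AFE"
    "5BD97F2D3BE493E437C7BC81B39C4BD0FB94012EAF7A0D64C422F7F5682DCF72"
    "683DA527548AEB2A5DF67349D0DD426CABC51300DABF6120D2EB850D7DB7770A"
    "96E4841CB5FCEEA546C89283F2CE950408FBF39D10E800AF70")
KEY_BLOCK = bytes.fromhex(
    "F337F6A86FF31FCA52EA647CDEE3B78334AB77B57FE0DB2FC0C871ECDCACA5A8"
    "FBA04C2132823A2496EF936F0EBCF30EA0CB7EAF6CA794754F1F45B17722DEB4"
    "4E5BC32D4430AF5893116ACF81A3BE0C90D2EA8E76E0840728BAF5E2B2F940C0"
    "AE18267BB634C16A1D1AC1247350954B2FEE9B77F30D18D554012B437860870A"
    "D921A84B07FF98AF8C82386B91FBBA64")

if __name__ == "__main__":
    cke = parse_client_key_exchange(CLIENT_KEY_EXCHANGE)
    print("PMSEXP:", cke["pmsexp"].hex().upper(), "curve:", cke["curve"])
    print("client write_MAC == server read_MAC:",
          split_key_block(KEY_BLOCK, "client")["write_MAC"] == split_key_block(KEY_BLOCK, "server")["read_MAC"])
```

Two details the bytes make visible: the ukm octets decoded from the message are exactly the IV printed above, the first 8 bytes of HASH(r_c | r_s), so the receiver needs no separate IV field to rebuild PMSEXP; and the ephemeral public key is transported as 64 little-endian bytes of x followed by 64 of y, which is why the reconstruction reverses each half before comparing with the Q_eph printed in the vector. The key-block split reproduces the swapped labels of the client and server listings: the same 144 bytes, with the first key of each pair being the client's write key and the server's read key.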