idnits 2.17.1 draft-smyshlyaev-tls12-gost-suites-12.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (June 5, 2021) is 1056 days in the past. Is this intentional? -- Found something which looks like a code comment -- if you have code sections in the document, please surround them with '' and '' lines. Checking references for intended status: Informational ---------------------------------------------------------------------------- == Missing Reference: 'ChangeCipherSpec' is mentioned on line 400, but not defined -- Looks like a reference, but probably isn't: '0' on line 658 ** Obsolete normative reference: RFC 5246 (Obsoleted by RFC 8446) Summary: 1 error (**), 0 flaws (~~), 2 warnings (==), 3 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group S. Smyshlyaev, Ed. 3 Internet-Draft CryptoPro 4 Intended status: Informational D. Belyavsky 5 Expires: December 7, 2021 Cryptocom 6 M. Saarinen 7 Independent Consultant 8 June 5, 2021 10 GOST Cipher Suites for Transport Layer Security (TLS) Protocol Version 11 1.2 12 draft-smyshlyaev-tls12-gost-suites-12 14 Abstract 16 This document specifies three new cipher suites for the Transport 17 Layer Security (TLS) protocol Version 1.2 to support the Russian 18 cryptographic standard algorithms (called GOST algorithms). 20 This specification is developed to facilitate implementations that 21 wish to support the GOST algorithms. This document does not imply 22 IETF endorsement of the cipher suites. 24 Status of This Memo 26 This Internet-Draft is submitted in full conformance with the 27 provisions of BCP 78 and BCP 79. 29 Internet-Drafts are working documents of the Internet Engineering 30 Task Force (IETF). Note that other groups may also distribute 31 working documents as Internet-Drafts. The list of current Internet- 32 Drafts is at https://datatracker.ietf.org/drafts/current/. 34 Internet-Drafts are draft documents valid for a maximum of six months 35 and may be updated, replaced, or obsoleted by other documents at any 36 time. It is inappropriate to use Internet-Drafts as reference 37 material or to cite them other than as "work in progress." 39 This Internet-Draft will expire on December 7, 2021. 41 Copyright Notice 43 Copyright (c) 2021 IETF Trust and the persons identified as the 44 document authors. All rights reserved. 46 This document is subject to BCP 78 and the IETF Trust's Legal 47 Provisions Relating to IETF Documents 48 (https://trustee.ietf.org/license-info) in effect on the date of 49 publication of this document. Please review these documents 50 carefully, as they describe your rights and restrictions with respect 51 to this document. Code Components extracted from this document must 52 include Simplified BSD License text as described in Section 4.e of 53 the Trust Legal Provisions and are provided without warranty as 54 described in the Simplified BSD License. 56 Table of Contents 58 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 59 2. Conventions Used in This Document . . . . . . . . . . . . . . 4 60 3. Basic Terms and Definitions . . . . . . . . . . . . . . . . . 4 61 4. Cipher Suite Definitions . . . . . . . . . . . . . . . . . . 5 62 4.1. Record Payload Protection . . . . . . . . . . . . . . . . 6 63 4.1.1. CTR_OMAC . . . . . . . . . . . . . . . . . . . . . . 7 64 4.1.2. CNT_IMIT . . . . . . . . . . . . . . . . . . . . . . 8 65 4.2. Key Exchange and Authentication . . . . . . . . . . . . . 9 66 4.2.1. Hello Messages . . . . . . . . . . . . . . . . . . . 10 67 4.2.2. Server Certificate . . . . . . . . . . . . . . . . . 11 68 4.2.3. CertificateRequest . . . . . . . . . . . . . . . . . 11 69 4.2.4. ClientKeyExchange . . . . . . . . . . . . . . . . . . 11 70 4.2.4.1. CTR_OMAC . . . . . . . . . . . . . . . . . . . . 12 71 4.2.4.2. CNT_IMIT . . . . . . . . . . . . . . . . . . . . 14 72 4.2.5. CertificateVerify . . . . . . . . . . . . . . . . . . 16 73 4.2.6. Finished . . . . . . . . . . . . . . . . . . . . . . 17 74 4.3. Cryptographic Algorithms . . . . . . . . . . . . . . . . 17 75 4.3.1. Block Cipher . . . . . . . . . . . . . . . . . . . . 17 76 4.3.2. MAC algorithm . . . . . . . . . . . . . . . . . . . . 17 77 4.3.3. Encryption algorithm . . . . . . . . . . . . . . . . 18 78 4.3.4. PRF and HASH algorithms . . . . . . . . . . . . . . . 18 79 4.3.5. SNMAX parameter . . . . . . . . . . . . . . . . . . . 18 80 5. New Values for the SignatureAlgorithm Registry . . . . . . . 18 81 6. New Values for the Supported Groups Registry . . . . . . . . 19 82 7. New Values for the ClientCertificateType Identifiers Registry 20 83 8. Additional Algorithms . . . . . . . . . . . . . . . . . . . . 21 84 8.1. TLSTREE . . . . . . . . . . . . . . . . . . . . . . . . . 21 85 8.1.1. Key Tree Parameters . . . . . . . . . . . . . . . . . 21 86 8.2. Key export and key import algorithms . . . . . . . . . . 22 87 8.2.1. KExp15 and KImp15 Algorithms . . . . . . . . . . . . 22 88 8.2.2. KExp28147 and KImp28147 Algorithms . . . . . . . . . 23 89 8.3. Key Exchange Generation Algorithms . . . . . . . . . . . 24 90 8.3.1. KEG Algorithm . . . . . . . . . . . . . . . . . . . . 24 91 8.3.2. KEG_28147 Algorithm . . . . . . . . . . . . . . . . . 26 92 8.4. gostIMIT28147 . . . . . . . . . . . . . . . . . . . . . . 27 93 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 27 94 10. Historical considerations . . . . . . . . . . . . . . . . . . 29 95 11. Security Considerations . . . . . . . . . . . . . . . . . . . 30 96 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 30 97 12.1. Normative References . . . . . . . . . . . . . . . . . . 30 98 12.2. Informative References . . . . . . . . . . . . . . . . . 32 99 Appendix A. Test Examples . . . . . . . . . . . . . . . . . . . 33 100 A.1. Test Examples for CTR_OMAC cipher suites . . . . . . . . 33 101 A.1.1. TLSTREE Examples . . . . . . . . . . . . . . . . . . 33 102 A.1.1.1. TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC 103 ciphersuite . . . . . . . . . . . . . . . . . . . 33 104 A.1.1.2. TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC 105 ciphersuite . . . . . . . . . . . . . . . . . . . 35 106 A.1.2. Record Examples . . . . . . . . . . . . . . . . . . . 37 107 A.1.2.1. TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC 108 ciphersuite . . . . . . . . . . . . . . . . . . . 37 109 A.1.2.2. TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC 110 ciphersuite . . . . . . . . . . . . . . . . . . . 40 111 A.1.3. Handshake Examples . . . . . . . . . . . . . . . . . 43 112 A.1.3.1. TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC 113 ciphersuite . . . . . . . . . . . . . . . . . . . 43 114 A.1.3.2. TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC 115 ciphersuite . . . . . . . . . . . . . . . . . . . 57 116 A.2. Test Examples for CNT_IMIT cipher suites . . . . . . . . 76 117 A.2.1. Record Examples . . . . . . . . . . . . . . . . . . . 76 118 A.2.2. Handshake Examples . . . . . . . . . . . . . . . . . 77 119 Appendix B. Contributors . . . . . . . . . . . . . . . . . . . . 90 120 Appendix C. Acknowledgments . . . . . . . . . . . . . . . . . . 91 121 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 91 123 1. Introduction 125 This document specifies three new cipher suites for the Transport 126 Layer Security (TLS) Protocol Version 1.2 [RFC5246] to support the 127 set of Russian cryptographic standard algorithms (called GOST 128 algorithms). These cipher suites use the same hash algorithm GOST R 129 34.11-2012 [GOST3411-2012] (the English version can be found in 130 [RFC6986]) and the same signature algorithm GOST R 34.10-2012 131 [GOST3410-2012] (the English version can be found in [RFC7091]) but 132 use different encryption and MAC algorithms, so they are divided into 133 two types: the CTR_OMAC cipher suites and the CNT_IMIT cipher suite. 135 The CTR_OMAC cipher suites use the GOST R 34.12-2015 [GOST3412-2015] 136 block ciphers (the English version can be found in [RFC7801]). 138 The CNT_IMIT cipher suite uses the GOST 28147-89 [GOST28147-89] block 139 cipher (the English version can be found in [RFC5830]). 141 This document specifies cipher suites only for the TLS protocol 142 version 1.2. The cipher suites for the TLS protocol version 1.3 143 [RFC8446] to support the set of Russian cryptographic standard 144 algorithms are specified in a separate document [DraftGostTLS13]. 146 2. Conventions Used in This Document 148 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 149 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 150 "OPTIONAL" in this document are to be interpreted as described in BCP 151 14 [RFC2119] [RFC8174] when, and only when, they appear in all 152 capitals, as shown here. 154 3. Basic Terms and Definitions 156 This document uses the following terms and definitions for the sets 157 and operations on the elements of these sets: 159 B_t the set of byte strings of length t, t >= 0, for t = 0 the 160 B_t set consists of a single empty string of zero length. If 161 A is an element of B_t, then A = (a_1, a_2, ... , a_t), where 162 a_1, a_2, ... , a_t are in {0, ... , 255}; 164 B* the set of all byte strings of a finite length (hereinafter 165 referred to as strings), including the empty string; 167 A[i..j] the string A[i..j] = (a_i, a_{i+1}, ... , a_j) in B_{j-i+1} 168 where A = (a_1, ... , a_t) in B_t and 1<=i<=j<=t; 170 |A| the length of the byte string A in bytes; 172 A | C concatenation of strings A and C both belonging to B*, i.e., 173 a string in B_{|A|+|C|}, where the left substring in B_|A| is 174 equal to A, and the right substring in B_|C| is equal to C; 176 A XOR C bitwise exclusive-or of byte strings A and C both belonging 177 to B_t (i.e. both are of length t bytes), i.e., a string in 178 B_t such that if A = (a_1, a_2, ... , a_t), C = (c_1, c_2, 179 ... , c_t) then A XOR C = (a_1 (xor) c_1, a_2 (xor) c_2, ... 180 , a_t (xor) c_t) where (xor) is bitwise exclusive-or of 181 bytes; 183 i & j bitwise AND of integers i and j; 185 STR_t the transformation that maps an integer i = 256^{t-1} * i_1 + 186 ... + 256 * i_{t-1} + i_t into the byte string STR_t(i) = 187 (i_1, ... , i_t) in B_t (the interpretation of the integer as 188 a byte string in big-endian format); 190 str_t the transformation that maps an integer i = 256^{t-1} * i_t + 191 ... + 256 * i_2 + i_1 into the byte string str_t(i) = (i_1, 192 ... , i_t) in B_t (the interpretation of the integer as a 193 byte string in little-endian format); 195 INT the transformation that maps a string a = (a_1, ... , a_t) in 196 B_t into the integer INT(a) = 256^{t-1} * a_1 + ... + 256 * 197 a_{t-1} + a_t (the interpretation of the byte string in big- 198 endian format as an integer); 200 int the transformation that maps a string a = (a_1, ... , a_t) in 201 B_t into the integer int(a) = 256^{t-1} * a_t + ... + 256 * 202 a_2 + a_1 (the interpretation of the byte string in little- 203 endian format as an integer); 205 k the length of the block cipher key in bytes; 207 n the length of the block cipher block in bytes; 209 Q_c the public key stored in the client's certificate; 211 d_c the private key that corresponds to the Q_c key; 213 Q_s the public key stored in the server's certificate; 215 d_s the private key that corresponds to the Q_s key; 217 q_s an order of a cyclic subgroup of elliptic curve points group 218 containing point Q_s; 220 P_s the point of order q_s that belongs to the same curve as Q_s; 222 r_c the random string contained in ClientHello.random field (see 223 [RFC5246]); 225 r_s the random string contained in ServerHello.random field (see 226 [RFC5246]). 228 4. Cipher Suite Definitions 230 This document specifies the CTR_OMAC cipher suites and the CNT_IMIT 231 cipher suite. 233 The CTR_OMAC cipher suites have the following values: 235 TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC = {0xC1, 0x00}; 236 TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC = {0xC1, 0x01}. 238 The CNT_IMIT cipher suite has the following value: 240 TLS_GOSTR341112_256_WITH_28147_CNT_IMIT = {0xC1, 0x02}. 242 4.1. Record Payload Protection 244 The compression method (see Section 6.2.2 of [RFC5246]) MUST be 245 "null" in all of the cipher suites described in this document. This 246 compression method is negotiated according to Section 4.2.1. Note 247 that the CompressionMethod.null operation is an identity operation; 248 no fields of the TLSCompressed structure are altered. 250 All of the cipher suites described in this document use the stream 251 cipher (see Section 4.3.3) to protect records. The TLSCiphertext 252 structure for the CTR_OMAC and CNT_IMIT cipher suites is specified in 253 accordance with the Standard Stream Cipher case (see Section 6.2.3.1 254 of [RFC5246]): 256 struct { 257 ContentType type; 258 ProtocolVersion version; 259 uint16 length; 260 GenericStreamCipher fragment; 261 } TLSCiphertext; 263 where TLSCiphertext.fragment is generated in accordance with 264 Section 4.1.1 when the CTR_OMAC cipher suite is used and 265 Section 4.1.2 when the CNT_IMIT cipher suite is used. 267 The connection key material is a key material that consists of the 268 sender_write_key (either the client_write_key or the 269 server_write_key), the sender_write_MAC_key (either the 270 client_write_MAC_key or the server_write_MAC_key) and the 271 sender_write_IV (either the client_write_IV or the server_write_IV) 272 parameters that are generated in accordance with Section 6.3 of 273 [RFC5246]. 275 The record key material is a key material that is generated from the 276 connection key material and is used to protect a record with the 277 certain sequence number. Note that in some cipher suites defined in 278 this document the record key material can be equal to the connection 279 key material. 281 In this section the TLSCiphertext.fragment generation is described 282 for one particular endpoint (server or client) with the corresponding 283 connection key material and record key material. 285 4.1.1. CTR_OMAC 287 In case of the CTR_OMAC cipher suites the record key material differs 288 from the connection key material, and for the sequence number seqnum 289 consists of: 291 o K_ENC_seqnum in B_k; 293 o K_MAC_seqnum in B_k; 295 o IV_seqnum in B_{n/2}. 297 The K_ENC_seqnum and K_MAC_seqnum values are calculated using the 298 TLSTREE function defined in Section 8.1, the connection key material 299 and the sequence number seqnum. IV_seqnum is calculated by adding 300 seqnum value to sender_write_IV modulo 2^{(n/2)*8}: 302 o K_ENC_seqnum = TLSTREE(sender_write_key, seqnum); 304 o K_MAC_seqnum = TLSTREE(sender_write_MAC_key, seqnum); 306 o IV_seqnum = STR_{n/2}((INT(sender_write_IV) + seqnum) mod 307 2^{(n/2)*8}). 309 The TLSCiphertext.fragment that corresponds to the sequence number 310 seqnum is equal to the ENCValue_seqnum value that is calculated as 311 follows: 313 1. The MACValue_seqnum value is generated using the MAC algorithm 314 (see Section 4.3.2) similar to Section 6.2.3.1 of [RFC5246] except 315 the sender_write_MAC_key is replaced by the K_MAC_seqnum key: 317 MACValue_seqnum = MAC(K_MAC_seqnum, STR_8(seqnum) | type_seqnum | 318 version_seqnum | length_seqnum | fragment_seqnum), 320 where type_seqnum, version_seqnum, length_seqnum, fragment_seqnum are 321 the TLSCompressed.type, TLSCompressed.version, TLSCompressed.length 322 and TLSCompressed.fragment values of the record with the seqnum 323 sequence number. 325 2. The entire data with the MACValue is encrypted with the ENC 326 stream cipher (see Section 4.3.3): 328 ENCValue_seqnum = ENC(K_ENC_seqnum, IV_seqnum, fragment_seqnum | 329 MACValue_seqnum), 331 where fragment_seqnum is the TLSCompressed.fragment value of the 332 record with the seqnum sequence number. 334 4.1.2. CNT_IMIT 336 In case of the CNT_IMIT cipher suite the record key material is equal 337 to the connection key material and consists of: 339 o sender_write_key in B_k; 341 o sender_write_MAC_key in B_k; 343 o sender_write_IV in B_n. 345 The TLSCiphertext.fragment that corresponds to the sequence number 346 seqnum is equal to the ENCValue_seqnum value that is calculated as 347 follows: 349 1. The MACValue_seqnum value is generated by the MAC algorithm (see 350 Section 4.3.2) as follows: 352 MACValue_seqnum = MAC(sender_write_MAC_key, STR_8(0) | type_0 | 353 version_0 | length_0 | fragment_0 | ... | STR_8(seqnum) | 354 type_seqnum | version_seqnum | length_seqnum | fragment_seqnum), 356 where type_i, version_i, length_i, fragment_i, i in {0, ... , 357 seqnum}, are the TLSCompressed.type, TLSCompressed.version, 358 TLSCompressed.length and TLSCompressed.fragment values of the record 359 with the i sequence number. 361 Due to the use of the CBC-MAC based mode (see Section 4.3.2) 362 producing the MACValue_seqnum value does not mean processing all 363 previous records. It is enough to store only an intermediate 364 internal state of the MAC algorithm. 366 2. The entire data with the MACValue is encrypted with the ENC 367 stream cipher (see Section 4.3.3): 369 ENCValue_0 | ... | ENCValue_seqnum = ENC(sender_write_key, 370 sender_write_IV, fragment_0 | MACValue_0 | ... | fragment_seqnum | 371 MACValue_seqnum), 373 where the length of the byte string ENCValue_i in bytes is equal to 374 the length of the byte string (fragment_i | MACValue_i) in bytes, i 375 in {0, ... , seqnum}. 377 Due to the use of the stream cipher (see Section 4.3.3) producing the 378 ENCValue_seqnum value does not mean processing all previous records. 379 It is enough to store only an intermediate internal state of the ENC 380 stream cipher. 382 4.2. Key Exchange and Authentication 384 All of the cipher suites described in this document use a key 385 encapsulation mechanism based on Diffie-Hellman to share the TLS 386 premaster secret. 388 Client Server 390 ClientHello --------> 391 ServerHello 392 Certificate 393 CertificateRequest* 394 <-------- ServerHelloDone 395 Certificate* 396 ClientKeyExchange 397 CertificateVerify* 398 [ChangeCipherSpec] 399 Finished --------> 400 [ChangeCipherSpec] 401 <-------- Finished 402 Application Data <-------> Application Data 404 Figure 1: Message flow for a full handshake. 406 * Indicates optional messages that are sent for 407 the client authentication. 409 Note: To help avoid pipeline stalls, ChangeCipherSpec is an 410 independent TLS protocol content type, and is not actually 411 a TLS handshake message. 413 Figure 1 shows all messages involved in the TLS key establishment 414 protocol (full handshake). A ServerKeyExchange MUST NOT be sent (the 415 server's certificate contains enough data to allow client to exchange 416 the premaster secret). 418 The server side of the channel is always authenticated; the client 419 side is optionally authenticated. The server is authenticated by 420 proving that it knows the premaster secret that is encrypted with the 421 public key Q_s from the server's certificate. The client is 422 authenticated via its signature over the handshake transcript. 424 In general the key exchange process for both CTR_OMAC and CNT_IMIT 425 cipher suites consists of the following steps: 427 1. The client generates the ephemeral key pair (d_eph, Q_eph) that 428 corresponds to the server's public key Q_s stored in its 429 certificate. 431 2. The client generates the premaster secret PS. The PS value is 432 chosen from B_32 at random. 434 3. Using d_eph and Q_s the client generates the export key material 435 (see Section 4.2.4.1 and Section 4.2.4.2) for the particular key 436 export algorithm (see Section 8.2.1 and Section 8.2.2) to 437 generate the export representation PSExp of the PS value. 439 4. The client sends its ephemeral public key Q_eph and PSExp value 440 in the ClientKeyExchange message. 442 5. Using its private key d_s the server generates the import key 443 material (see Section 4.2.4.1 and Section 4.2.4.2) for the 444 particular key import algorithm (see Section 8.2.1 and 445 Section 8.2.2) to extract the premaster secret PS from the export 446 representation PSExp. 448 The cipher suites specified in this document define the ClientHello, 449 ServerHello, server Certificate, CertificateRequest, 450 ClientKeyExchange, CertificateVerify and Finished handshake messages, 451 that are described in further detail below. 453 4.2.1. Hello Messages 455 The ClientHello message is generated in accordance with 456 Section 7.4.1.2 of [RFC5246] and must meet the following 457 requirements: 459 o The ClientHello.compression_methods field MUST contain exactly one 460 byte, set to zero, which corresponds to the "null" compression 461 method. 463 o The ClientHello.extensions field MUST contain the 464 signature_algorithms extension (see [RFC5246]). 466 If the negotiated cipher suite is one of CTR_OMAC/CTR_IMIT and the 467 client implementation does not support generating the 468 signature_algorithms extension with the values defined in 469 Section 5, the server MUST either abort the connection or ignore 470 this extension and behave as if the client had sent the 471 signature_algorithms extension with the values {8, 64} and {8, 472 65}. 474 The ServerHello message is generated in accordance with 475 Section 7.4.1.3 of [RFC5246] and must meet the following 476 requirements: 478 o The ServerHello.compression_method field MUST contain exactly one 479 byte, set to zero, which corresponds to the "null" compression 480 method. 482 o The ServerHello.extensions field MUST NOT contain the 483 encrypt_then_mac extension (see [RFC7366]). 485 4.2.2. Server Certificate 487 This message is used to authentically convey the server's public key 488 Q_s to the client and is generated in accordance with Section 7.4.2 489 of [RFC5246]. 491 Upon receiving this message the client validates the certificate 492 chain, extracts the server's public key, and checks that the key type 493 is appropriate for the negotiated key exchange algorithm. (A 494 possible reason for a fatal handshake failure is that the client's 495 capabilities for handling elliptic curves and point formats are 496 exceeded). 498 4.2.3. CertificateRequest 500 This message is sent by the server when requesting client 501 authentication and is generated in accordance with Section 7.4.4 of 502 [RFC5246]. 504 If the CTR_OMAC or CNT_IMIT cipher suite is negotiated, the 505 CertificateRequest message MUST meet the following requirements: 507 o the CertificateRequest.supported_signature_algorithm field MUST 508 contain only signature/hash algorithm pairs with the values {8, 509 64} or {0, 65} defined in Section 5; 511 o the CertificateRequest.certificate_types field MUST contain only 512 the gost_sign256 (67) or gost_sign512 (68) values defined in 513 Section 7. 515 4.2.4. ClientKeyExchange 517 The ClientKeyExchange message is defined as follows. 519 enum { vko_kdf_gost, vko_gost } KeyExchangeAlgorithm; 521 struct { 522 select (KeyExchangeAlgorithm) { 523 case vko_kdf_gost: GostKeyTransport; 524 case vko_gost: TLSGostKeyTransportBlob; 525 } exchange_keys; 526 } ClientKeyExchange; 528 The body of the ClientKeyExchange message consists of a 529 GostKeyTransport/TLSGostKeyTransportBlob structure that contains an 530 export representation of the premaster secret PS. 532 The GostKeyTransport structure corresponds to the CTR_OMAC cipher 533 suites and is described in Section 4.2.4.1 and the 534 TLSGostKeyTransportBlob corresponds to CNT_IMIT cipher suite and is 535 described in Section 4.2.4.2. 537 4.2.4.1. CTR_OMAC 539 In case of the CTR_OMAC cipher suites the body of the 540 ClientKeyExchange message consists of the GostKeyTransport structure 541 that is defined bellow. 543 The client generates the ClientKeyExchange message in accordance with 544 the following steps: 546 1. Generates the ephemeral key pair (Q_eph, d_eph), where: 548 d_eph is chosen from {1, ... , q_s - 1} at random; 550 Q_eph = d_eph * P_s. 552 2. Generates export keys (K_EXP_MAC and K_EXP_ENC) using the KEG 553 algorithm defined in Section 8.3.1: 555 H = HASH(r_c | r_s); 557 K_EXP_MAC | K_EXP_ENC = KEG(d_eph, Q_s, H). 559 3. Generates an export representation PSExp of the premaster secret 560 PS using the KExp15 algorithm defined in Section 8.2.1: 562 IV = H[25..24 + n / 2]; 564 PSExp = KExp15(PS, K_EXP_MAC, K_EXP_ENC, IV). 566 4. Generates the ClientKeyExchange message using the 567 GostKeyTransport structure that is defined as follows: 569 GostKeyTransport ::= SEQUENCE { 570 keyExp OCTET STRING, 571 ephemeralPublicKey SubjectPublicKeyInfo, 572 ukm OCTET STRING OPTIONAL 573 } 575 SubjectPublicKeyInfo ::= SEQUENCE { 576 algorithm AlgorithmIdentifier, 577 subjectPublicKey BIT STRING 578 } 579 AlgorithmIdentifier ::= SEQUENCE { 580 algorithm OBJECT IDENTIFIER, 581 parameters ANY OPTIONAL 582 } 584 where the keyExp field contains the PSExp value, the 585 ephemeralPublicKey field contains the Q_eph value and the ukm field 586 MUST be ignored by the server. 588 Upon receiving the ClientKeyExchange message, the server process it 589 as follows. 591 1. Checks the following three conditions. If either of these checks 592 fails, then the server MUST abort the handshake with an alert. 594 o Q_eph belongs to the same curve as server public key Q_s; 596 o Q_eph is not equal to zero point; 598 o q_s * Q_eph is equal to zero point. 600 2. Generates export keys (K_EXP_MAC and K_EXP_ENC) using the KEG 601 algorithm defined in Section 8.3.1: 603 H = HASH(r_c | r_s); 605 K_EXP_MAC | K_EXP_ENC = KEG(d_s, Q_eph, H). 607 3. Extracts the premaster secret PS from the export representation 608 PSExp using the KImp15 algorithm defined in Section 8.2.1: 610 IV = H[25..24 + n / 2]; 611 PS = KImp15(PSExp, K_EXP_MAC, K_EXP_ENC, IV). 613 4.2.4.2. CNT_IMIT 615 In case of the CNT_IMIT cipher suite the body of the 616 ClientKeyExchange message consists of a TLSGostKeyTransportBlob 617 structure that is defined bellow. 619 The client generates the ClientKeyExchange message in accordance with 620 the following steps: 622 1. Generates the ephemeral key pair (Q_eph, d_eph), where: 624 d_eph is chosen from {1, ... , q_s - 1} at random; 626 Q_eph = d_eph * P_s. 628 2. Generates export key (K_EXP) using the KEG_28147 algorithm 629 defined in Section 8.3.2: 631 H = HASH(r_c | r_s); 633 K_EXP = KEG_28147(d_eph, Q_s, H). 635 3. Generates an export representation PSExp of the premaster secret 636 PS using the KExp28147 algorithm defined in Section 8.2.2: 638 PSExp = IV | CEK_ENC | CEK_MAC = KExp28147(PS, K_EXP, H[1..8]). 640 4. Generates the ClientKeyExchange message using the 641 TLSGostKeyTransportBlob structure that is defined as follows: 643 TLSGostKeyTransportBlob ::= SEQUENCE { 644 keyBlob GostR3410-KeyTransport, 645 } 646 GostR3410-KeyTransport ::= SEQUENCE { 647 sessionEncryptedKey Gost28147-89-EncryptedKey, 648 transportParameters [0] IMPLICIT GostR3410-TransportParameters 649 OPTIONAL 650 } 651 Gost28147-89-EncryptedKey ::= SEQUENCE { 652 encryptedKey Gost28147-89-Key, 653 maskKey [0] IMPLICIT Gost28147-89-Key OPTIONAL, 654 macKey Gost28147-89-MAC 655 } 656 GostR3410-TransportParameters ::= SEQUENCE { 657 encryptionParamSet OBJECT IDENTIFIER, 658 ephemeralPublicKey [0] IMPLICIT SubjectPublicKeyInfo OPTIONAL, 659 ukm OCTET STRING 660 } 662 where GostR3410-KeyTransport, Gost28147-89-EncryptedKey and 663 GostR3410-TransportParameters are defined according to Section 4.2.1 664 of [RFC4490]. 666 In the context of this document the 667 GostR3410-KeyTransport.transportParameters field is always used, the 668 Gost28147-89-EncryptedKey.maskKey field is omitted, the 669 GostR3410-KeyTransport.transportParameters.ephemeralPublicKey field 670 is always used. 672 The Gost28147-89-EncryptedKey.encryptedKey field contains the CEK_ENC 673 value, the Gost28147-89-EncryptedKey.macKey field contains the 674 CEK_MAC value, and GostR3410-TransportParameters.ukm field contains 675 the IV value. 677 The keyBlob.transportParameters.ephemeralPublicKey field contains the 678 client ephemeral public key Q_eph. The encryptionParamSet contains 679 value 1.2.643.7.1.2.5.1.1 that corresponds to the id-tc26-gost- 680 28147-param-Z parameters set defined in [RFC7836]. 682 Upon receiving the ClientKeyExchange message, the server process it 683 as follows. 685 1. Checks the following three conditions. If either of these checks 686 fails, then the server MUST abort the handshake with an alert. 688 o Q_eph belongs to the same curve as server public key Q_s; 689 o Q_eph is not equal to zero point; 691 o q_s * Q_eph is equal to zero point; 693 2. Generates export key (K_EXP) using the KEG_28147 algorithm 694 defined in Section 8.3.2: 696 H = HASH(r_c | r_s); 698 K_EXP = KEG_28147(d_s, Q_eph, H). 700 3. Extracts the premaster secret PS from the export representation 701 PSExp using the KImp28147 algorithm defined in Section 8.2.2: 703 PS = KImp28147(PSExp, K_EXP, H[1..8]). 705 4.2.5. CertificateVerify 707 Client generates the value sgn as follows: 709 sgn = SIGN_{d_c}(handshake_messages) = str_l(r) | str_l(s) 711 where SIGN_{d_c} is the GOST R 34.10-2012 [RFC7091] signature 712 algorithm, d_c is a client long-term private key that corresponds to 713 the client long-term public key Q_c from the client's certificate, l 714 = 32 for gostr34102012_256 value of the SignatureAndHashAlgorithm 715 field and l = 64 for gostr34102012_512 value of the 716 SignatureAndHashAlgorithm field. 718 Here handshake_messages refers to all handshake messages sent or 719 received, starting at ClientHello and up to CertificateVerify, but 720 not including the last message, including the type and length fields 721 of the handshake messages. 723 The TLS CertificateVerify message is specified as follows. 725 struct { 726 SignatureAndHashAlgorithm algorithm; 727 opaque signature<0..2^16-1>; 728 } CertificateVerify; 730 where SignatureAndHashAlgorithm structure is specified in Section 5 731 and CertificateVerify.signature field contains sgn value. 733 4.2.6. Finished 735 The TLS Finished message is generated in accordance with 736 Section 7.4.9 of [RFC5246]. 738 The verify_data_length value is equal to 32 for the CTR_OMAC cipher 739 suites and is equal to 12 for the CNT_IMIT cipher suite. The PRF 740 function is defined in Section 4.3.4. 742 4.3. Cryptographic Algorithms 744 4.3.1. Block Cipher 746 The cipher suite TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC MUST 747 use Kuznyechik [RFC7801] as a base block cipher for the encryption 748 and MAC algorithm. The block length n is 16 bytes and the key length 749 k is 32 bytes. 751 The cipher suite TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC MUST use 752 Magma [GOST3412-2015] as a base block cipher for the encryption and 753 MAC algorithm. The block length n is 8 bytes and the key length k is 754 32 bytes. 756 The cipher suite TLS_GOSTR341112_256_WITH_28147_CNT_IMIT MUST use 757 GOST 28147-89 as a base block cipher [RFC5830] with the set of 758 parameters id-tc26-gost-28147-param-Z defined in [RFC7836]. The 759 block length n is 8 bytes and the key length k is 32 bytes. 761 4.3.2. MAC algorithm 763 The CTR_OMAC cipher suites use the OMAC message authentication code 764 construction defined in [GOST3413-2015], which can be considered as 765 the CMAC mode defined in [CMAC] where Kuznyechik or Magma block 766 cipher (see Section 4.3.1) are used instead of AES block cipher (see 767 [IK2003] for more detail) as the MAC function. The resulting MAC 768 length is equal to the block length and the MAC key length is 32 769 bytes. 771 The CNT_IMIT cipher suite uses the message authentication code 772 function gostIMIT28147 defined in Section 8.4 with the initialization 773 vector IV = IV0, where IV0 in B_8 is a string of all zeros, with the 774 CryptoPro Key Meshing algorithm defined in [RFC4357]. The resulting 775 MAC length is 4 bytes and the MAC key length is 32 bytes. 777 4.3.3. Encryption algorithm 779 The CTR_OMAC cipher suites use the block cipher in CTR-ACPKM 780 encryption mode defined in [RFC8645] as the ENC function. The 781 section size N is 4 KB for 782 TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC cipher suite and 1 KB 783 for TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC cipher suite. 785 The CNT_IMIT cipher suite uses the block cipher in counter encryption 786 mode (CNT) defined in Section 6 of [RFC5830] with the CryptoPro Key 787 Meshing algorithm defined in [RFC4357] as the ENC function. 789 4.3.4. PRF and HASH algorithms 791 The pseudorandom function (PRF) for all the cipher suites defined in 792 this document is the PRF_TLS_GOSTR3411_2012_256 function defined in 793 [RFC7836]. 795 The hash function HASH for all the cipher suites defined in this 796 document is the GOST R 34.11-2012 [RFC6986] hash algorithm with 797 32-byte (256-bit) hash code. 799 4.3.5. SNMAX parameter 801 The SNMAX parameter defines the maximal value of the sequence number 802 seqnum during one TLS 1.2 connection and is defined as follows: 804 +---------------------------------------------+--------------------+ 805 | CipherSuites | SNMAX | 806 +---------------------------------------------+--------------------+ 807 |TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC | SNMAX = 2^64 - 1 | 808 |TLS_GOSTR341112_256_WITH_28147_CNT_IMIT | | 809 +---------------------------------------------+--------------------+ 810 |TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC | SNMAX = 2^32 - 1 | 811 +---------------------------------------------+--------------------+ 812 Table 1 814 5. New Values for the SignatureAlgorithm Registry 816 The signature/hash algorithm pairs are used to indicate to the 817 server/client which algorithms can be used in digital signatures and 818 are defined by the SignatureAndHashAlgorithm structure (see 819 Section 7.4.1.4.1 of [RFC5246]). 821 This document defines new values for the "SignatureAlgorithm 822 Registry" that can be used in the SignatureAndHashAlgorithm.signature 823 field for the particular signature/hash algorithm pair: 825 enum { 826 gostr34102012_256(64), 827 gostr34102012_512(65), 828 } SignatureAlgorithm; 830 where the gostr34102012_256 and gostr34102012_512 values correspond 831 to the GOST R 34.10-2012 [RFC7091] signature algorithm with 32-byte 832 (256-bit) and 64-byte (512-bit) key length respectively. 834 According to [RFC7091] the GOST R 34.10-2012 signature algorithm with 835 32-byte (256-bit) or 64-byte (512-bit) key length use the GOST R 836 34.11-2012 [RFC6986] hash algorithm with 32-byte (256-bit) or 64-byte 837 (512-bit) hash code respectively (the hash algorithm is intrinsic to 838 the signature algorithm). Therefore, if the 839 SignatureAndHashAlgorithm.signature field of a particular hash/ 840 signature pair listed in the Signature Algorithms Extension is equal 841 to the 64 (gostr34102012_256) or 65 (gostr34102012_512) value, the 842 SignatureAndHashAlgorithm.hash field of this pair MUST contain the 843 "Intrinsic" value 8 (see [RFC8422]). 845 6. New Values for the Supported Groups Registry 847 The Supported Groups Extension indicates the set of elliptic curves 848 supported by the client and is defined in [RFC8422] and [RFC7919]. 850 This document defines new values for the "Supported Groups" registry: 852 enum { 853 GC256A(34), GC256B(35), GC256C(36), GC256D(37), 854 GC512A(38), GC512B(39), GC512C(40), 855 } NamedGroup; 857 Where the values corresponds to the following curves: 859 +-------------+--------------------------------------+-----------+ 860 | Description | Curve Identifier Value | Reference | 861 +-------------+--------------------------------------+-----------+ 862 | GC256A | id-tc26-gost-3410-2012-256-paramSetA | RFC 7836 | 863 +-------------+--------------------------------------+-----------+ 864 | GC256B |id-GostR3410-2001-CryptoPro-A-ParamSet| RFC 4357 | 865 +-------------+--------------------------------------+-----------+ 866 | GC256C |id-GostR3410-2001-CryptoPro-B-ParamSet| RFC 4357 | 867 +-------------+--------------------------------------+-----------+ 868 | GC256D |id-GostR3410-2001-CryptoPro-C-ParamSet| RFC 4357 | 869 +-------------+--------------------------------------+-----------+ 870 | GC512A | id-tc26-gost-3410-12-512-paramSetA | RFC 7836 | 871 +-------------+--------------------------------------+-----------+ 872 | GC512B | id-tc26-gost-3410-12-512-paramSetB | RFC 7836 | 873 +-------------+--------------------------------------+-----------+ 874 | GC512C | id-tc26-gost-3410-2012-512-paramSetC | RFC 7836 | 875 +-------------+--------------------------------------+-----------+ 876 Table 2 878 7. New Values for the ClientCertificateType Identifiers Registry 880 The ClientCertificateType field of the CertificateRequest message 881 contains a list of the types of certificate types that the client may 882 offer and is defined in Section 7.4.4 of [RFC5246]. 884 This document defines new values for the "ClientCertificateType 885 Identifiers" registry: 887 enum { 888 gost_sign256(67), 889 gost_sign512(68), 890 } ClientCertificateType; 892 To use the gost_sign256 or gost_sign512 authentication mechanism, the 893 client MUST possess a certificate containing a GOST R 894 34.10-2012-capable public key that corresponds to the 32-byte 895 (256-bit) or 64-byte (512-bit) signature key respectively. 897 The client proves possession of the private key corresponding to the 898 certified key by including a signature in the CertificateVerify 899 message as described in Section 4.2.5. 901 8. Additional Algorithms 903 8.1. TLSTREE 905 The TLSTREE function is defined as follows: 907 TLSTREE(K_root, i) = KDF_3(KDF_2(KDF_1(K_root, STR_8(i & C_1)), 908 STR_8(i & C_2)), STR_8(i & C_3)), 910 where 912 o K_root in B_32; 914 o i in {0, 1, ... , 2^64 - 1}; 916 o C_1, C_2, C_3 are constants defined by the particular cipher suite 917 (see Section 8.1.1); 919 o KDF_j(K, D), j = 1, 2, 3, K in B_32, D in B_8, is the key 920 derivation function based on the KDF_GOSTR3411_2012_256 function 921 defined in [RFC7836]: 923 KDF_1(K, D) = KDF_GOSTR3411_2012_256(K, "level1", D); 924 KDF_2(K, D) = KDF_GOSTR3411_2012_256(K, "level2", D); 925 KDF_3(K, D) = KDF_GOSTR3411_2012_256(K, "level3", D). 927 8.1.1. Key Tree Parameters 929 The CTR_OMAC cipher suites use the TLSTREE function for the re-keying 930 approach. The constants for it are defined as in the table below. 932 +--------------------------------------------+----------------------+ 933 | CipherSuites | C_1, C_2, C_3 | 934 +--------------------------------------------+----------------------+ 935 |TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC|C_1=0xFFFFFFFF00000000| 936 | |C_2=0xFFFFFFFFFFF80000| 937 | |C_3=0xFFFFFFFFFFFFFFC0| 938 +--------------------------------------------+----------------------+ 939 |TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC |C_1=0xFFFFFFC000000000| 940 | |C_2=0xFFFFFFFFFE000000| 941 | |C_3=0xFFFFFFFFFFFFF000| 942 +--------------------------------------------+----------------------+ 943 Table 3 945 8.2. Key export and key import algorithms 947 8.2.1. KExp15 and KImp15 Algorithms 949 Algorithms KExp15 and KImp15 use the block cipher determined by the 950 particular cipher suite. 952 The KExp15 key export algorithm is defined as follows. 954 +------------------------------------------------------------+ 955 | KExp15(S, K_Exp_MAC, K_Exp_ENC, IV) | 956 |------------------------------------------------------------| 957 | Input: | 958 | - secret S to be exported, S in B*, | 959 | - key K_Exp_MAC in B_k, | 960 | - key K_Exp_ENC in B_k, | 961 | - IV in B_{n/2} | 962 | Output: | 963 | - export representation SExp in B_{|S|+n} | 964 |------------------------------------------------------------| 965 | 1. CEK_MAC = OMAC(K_Exp_MAC, IV | S), CEK_MAC in B_n | 966 | 2. SExp = CTR-Encrypt(K_Exp_ENC, IV, S | CEK_MAC) | 967 | 3. return SExp | 968 +------------------------------------------------------------+ 970 where the OMAC function is defined in [MODES], the CTR-Encrypt(K, IV, 971 S) function denotes the encryption of message S on key K and nonce IV 972 in the CTR mode with s = n (see [MODES]). 974 The KImp15 key import algorithm is defined as follows. 976 +-------------------------------------------------------------------+ 977 | KImp15(SExp, K_Exp_MAC, K_Exp_ENC, IV) | 978 |-------------------------------------------------------------------| 979 | Input: | 980 | - export representation SExp in B* | 981 | - key K_Exp_MAC in B_k, | 982 | - key K_Exp_ENC in B_k, | 983 | - IV in B_{n/2} | 984 | Output: | 985 | - secret S in B_{|SExp|-n} or FAIL | 986 |-------------------------------------------------------------------| 987 | 1. S | CEK_MAC = CTR-Decrypt(K_Exp_ENC, IV, SExp), CEK_MAC in B_n| 988 | 2. If CEK_MAC = OMAC(K_Exp_MAC, IV | S) | 989 | then return S; else return FAIL | 990 +-------------------------------------------------------------------+ 992 where the OMAC function is defined in [MODES], the CTR-Decrypt(K, IV, 993 S) function denotes the decryption of message S on key K and nonce IV 994 in the CTR mode (see [MODES]). 996 The keys K_Exp_MAC and K_Exp_ENC MUST be independent. For every pair 997 of keys (K_Exp_ENC, K_Exp_MAC) the IV values MUST be unique. For the 998 import of key K with the KImp15 algorithm every IV value MUST be sent 999 with the export key representation or be a preshared value. 1001 8.2.2. KExp28147 and KImp28147 Algorithms 1003 The KExp28147 key export algorithm is defined as follows. 1005 +----------------------------------------------------------------+ 1006 | KExp28147(S, K, IV) | 1007 |----------------------------------------------------------------| 1008 | Input: | 1009 | - secret S to be exported, S in B_32, | 1010 | - key K in B_32, | 1011 | - IV in B_8. | 1012 | Output: | 1013 | - export representation SExp in B_44 | 1014 |----------------------------------------------------------------| 1015 | 1. CEK_MAC = gost28147IMIT(IV, K, S), CEK_MAC in B_4 | 1016 | 2. CEK_ENC = ECB-Encrypt(K, S), CEK_ENC in B_32 | 1017 | 3. return SExp = IV | CEK_ENC | CEK_MAC | 1018 +----------------------------------------------------------------+ 1019 where the gost28147IMIT function is defined in Section 8.4, the ECB- 1020 Encrypt(K, S) function denotes the encryption of message S on key K 1021 with the block cipher GOST 28147-89 in the ECB mode (see [RFC5830]). 1023 The KImp28147 key import algorithm is defined as follows. 1025 +----------------------------------------------------------------+ 1026 | KImp28147(SExp, K, IV) | 1027 |----------------------------------------------------------------| 1028 | Input: | 1029 | - export representation SExp in B_44, | 1030 | - key K in B_32, | 1031 | - IV in B_8. | 1032 | Output: | 1033 | - imported secret S in B_32 or FAIL | 1034 |----------------------------------------------------------------| 1035 | 1. extract from SExp | 1036 | IV' = SExp[1..8], | 1037 | CEK_ENC = SExp[9..40], | 1038 | CEK_MAC = SExp[41..44] | 1039 | 2. if IV' != IV then return FAIL; else | 1040 | 3. S = ECB-Decrypt(K, CEK_ENC), S in B_32 | 1041 | 4. If CEK_MAC = gost28147IMIT(IV, K, S) | 1042 | then return S; else return FAIL | 1043 +----------------------------------------------------------------+ 1045 where the gost28147IMIT function is defined in Section 8.4, the ECB- 1046 Decrypt(CEK_ENC, M) function denotes the decryption of ciphertext 1047 CEK_ENC on key K with a block cipher GOST 28147-89 in the ECB mode 1048 (see [RFC5830]). 1050 8.3. Key Exchange Generation Algorithms 1052 8.3.1. KEG Algorithm 1054 The KEG algorithm is defined as follows: 1056 +----------------------------------------------------------------+ 1057 | KEG(d, Q, H) | 1058 |----------------------------------------------------------------| 1059 | Input: | 1060 | - private key d, | 1061 | - public key Q, | 1062 | - H in B_32. | 1063 | Output: | 1064 | - key material K in B_64. | 1065 |----------------------------------------------------------------| 1066 | 1. If q * Q is not equal to zero point | 1067 | return FAIL | 1068 | 2. If 2^{254} < q < 2^{256} | 1069 | return KEG_256(d, Q, H) | 1070 | 3. If 2^{508} < q < 2^{512} | 1071 | return KEG_512(d, Q, H) | 1072 | 4. return FAIL | 1073 +----------------------------------------------------------------+ 1075 where q is an order of a cyclic subgroup of elliptic curve points 1076 group containing point Q, d in {1, ... , q - 1}. 1078 The KEG_256 algorithm is defined as follows: 1080 +----------------------------------------------------------------+ 1081 | KEG_256(d, Q, H) | 1082 |----------------------------------------------------------------| 1083 | Input: | 1084 | - private key d, | 1085 | - public key Q, | 1086 | - H in B_32. | 1087 | Output: | 1088 | - key material K in B_64. | 1089 |----------------------------------------------------------------| 1090 | 1. r = INT(H[1..16]) | 1091 | 2. If r = 0 | 1092 | UKM = 1; else UKM = r | 1093 | 3. K_EXP = VKO_256(d, Q, UKM) | 1094 | 4. seed = H[17..24] | 1095 | 5. return KDFTREE_256(K_EXP, "kdf tree", seed, 1) | 1096 +----------------------------------------------------------------+ 1098 where VKO_256 is the function VKO_GOSTR3410_2012_256 defined in 1099 [RFC7836] and KDFTREE_256 is the KDF_TREE_GOSTR3411_2012_256 function 1100 defined in [RFC7836] with the parameter L equal to 512. 1102 The KEG_512 algorithm is defined as follows: 1104 +----------------------------------------------------------------+ 1105 | KEG_512(d, Q, H) | 1106 |----------------------------------------------------------------| 1107 | Input: | 1108 | - private key d, | 1109 | - public key Q, | 1110 | - H in B_32. | 1111 | Output: | 1112 | - key material K in B_64. | 1113 |----------------------------------------------------------------| 1114 | 1. r = INT(H[1..16]) | 1115 | 2. If r = 0 | 1116 | UKM = 1; else UKM = r | 1117 | 3. return VKO_512(d, Q, UKM) | 1118 +----------------------------------------------------------------+ 1120 where VKO_512 is the VKO_GOSTR3410_2012_512 function defined in 1121 [RFC7836]. 1123 8.3.2. KEG_28147 Algorithm 1125 The KEG_28147 algorithm is defined as follows: 1127 +----------------------------------------------------------------+ 1128 | KEG_28147(d, Q, H) | 1129 |----------------------------------------------------------------| 1130 | Input: | 1131 | - private key d, | 1132 | - public key Q, | 1133 | - H in B_32. | 1134 | Output: | 1135 | - key material K in B_32. | 1136 |----------------------------------------------------------------| 1137 | 1. If q * Q is not equal to zero point | 1138 | return FAIL | 1139 | 2. UKM = H[1..8] | 1140 | 3. R = VKO_256(d, Q, int(UKM)) | 1141 | 4. return K = CPDivers(UKM, R) | 1142 +----------------------------------------------------------------+ 1144 where the VKO_256 function is equal to the VKO_GOSTR3410_2012_256 1145 function defined in [RFC7836], the CPDivers function corresponds to 1146 the CryptoPro KEK Diversification Algorithm defined in [RFC4357], 1147 which takes as input the UKM value and the key value. 1149 8.4. gostIMIT28147 1151 gost28147IMIT(IV, K, M) is a MAC algorithm with 4 bytes output and is 1152 defined as follows: 1154 +----------------------------------------------------------------+ 1155 | gost28147IMIT(IV, K, M) | 1156 |----------------------------------------------------------------| 1157 | Input: | 1158 | - initial value IV in B_8, | 1159 | - key K in B_32, | 1160 | - message M in B*. | 1161 | Output: | 1162 | - MAC value T in B_4. | 1163 |----------------------------------------------------------------| 1164 | 1. M' = PAD(M) | 1165 | 2. M' = M'_0 | ... | M'_r, |M'_i| = 8, i in {0, ... , r} | 1166 | 3. M'' = (M'_0 XOR IV) | M'_1 | ... | M'_r | 1167 | 4. return T = MAC28147(K, M'') | 1168 +----------------------------------------------------------------+ 1170 where the PAD function is the padding function that adds m zero bytes 1171 to the end of the message, where m is the smallest, non-negative 1172 solution to the equation (|M| + m) mod 8 = 0, the MAC28147 function 1173 corresponds to Message Authentication Code Generation Mode defined in 1174 [RFC5830] with 4 byte length output. 1176 9. IANA Considerations 1178 IANA is asked to update the registry entries to reference this 1179 document when it is published as an RFC. 1181 IANA has added numbers {0xC1, 0x00}, {0xC1, 0x01} and {0xC1, 0x02} 1182 with the names TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC, 1183 TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC, 1184 TLS_GOSTR341112_256_WITH_28147_CNT_IMIT to the "TLS Cipher Suite" 1185 registry with this document as reference, as shown below. 1187 +-------------+-----------------------------+---------+----------+ 1188 | Value | Description | DTLS-OK | Reference| 1189 +-------------+-----------------------------+---------+----------+ 1190 | 0xC1, 0x00 | TLS_GOSTR341112_256_ | N | this RFC | 1191 | | _WITH_KUZNYECHIK_CTR_OMAC | | | 1192 +-------------+-----------------------------+---------+----------+ 1193 | 0xC1, 0x01 | TLS_GOSTR341112_256_ | N | this RFC | 1194 | | _WITH_MAGMA_CTR_OMAC | | | 1195 +-------------+-----------------------------+---------+----------+ 1196 | 0xC1, 0x02 | TLS_GOSTR341112_256_ | N | this RFC | 1197 | | _WITH_28147_CNT_IMIT | | | 1198 +-------------+-----------------------------+---------+----------+ 1199 Table 4 1201 IANA has added numbers 64, 65 with the names gostr34102012_256, 1202 gostr34102012_512, to the "TLS SignatureAlgorithm" registry, as shown 1203 below. 1205 +-----------+---------------------+---------+----------+ 1206 | Value | Description | DTLS-OK | Reference| 1207 +-----------+---------------------+---------+----------+ 1208 | 64 | gostr34102012_256 | Y | this RFC | 1209 +-----------+---------------------+---------+----------+ 1210 | 65 | gostr34102012_512 | Y | this RFC | 1211 +-----------+---------------------+---------+----------+ 1212 Table 5 1214 IANA has added numbers 34, 35, 36, 37, 38, 39, 40 with the names 1215 GC256A, GC256B, GC256C, GC256D, GC512A, GC512B, GC512C to the "TLS 1216 Supported Groups" registry, as shown below. 1218 +-----------+----------------+---------+------------+-----------+ 1219 | Value | Description | DTLS-OK | Recomended | Reference | 1220 +-----------+----------------+---------+------------+-----------+ 1221 | 34 | GC256A | Y | N | this RFC | 1222 +-----------+----------------+---------+------------+-----------+ 1223 | 35 | GC256B | Y | N | this RFC | 1224 +-----------+----------------+---------+------------+-----------+ 1225 | 36 | GC256C | Y | N | this RFC | 1226 +-----------+----------------+---------+------------+-----------+ 1227 | 37 | GC256D | Y | N | this RFC | 1228 +-----------+----------------+---------+------------+-----------+ 1229 | 38 | GC512A | Y | N | this RFC | 1230 +-----------+----------------+---------+------------+-----------+ 1231 | 39 | GC512B | Y | N | this RFC | 1232 +-----------+----------------+---------+------------+-----------+ 1233 | 40 | GC512C | Y | N | this RFC | 1234 +-----------+----------------+---------+------------+-----------+ 1235 Table 6 1237 IANA has added numbers 67, 68 with the names gost_sign256, 1238 gost_sign512 to the "ClientCertificateType Identifiers" registry, as 1239 shown below. 1241 +-----------+---------------------+---------+----------+ 1242 | Value | Description | DTLS-OK | Reference| 1243 +-----------+---------------------+---------+----------+ 1244 | 67 | gost_sign256 | Y | this RFC | 1245 +-----------+---------------------+---------+----------+ 1246 | 68 | gost_sign512 | Y | this RFC | 1247 +-----------+---------------------+---------+----------+ 1248 Table 7 1250 10. Historical considerations 1252 Note that prior to the existence of this document implementations 1253 could use only the values from the Private Use space in order to use 1254 the GOST-based algorithms. So some old implementations can still use 1255 the old value {0x00, 0x81} instead of the {0xC1, 0x02} value to 1256 indicate the TLS_GOSTR341112_256_WITH_28147_CNT_IMIT cipher suite; 1257 one old value 0xEE instead of the values 64, 8 and 67 (to indicate 1258 the gostr34102012_256 signature algorithm, the Intrinsic hash 1259 algorithm and the gost_sign256 certificate type respectively); one 1260 old value 0xEF instead of the values 65, 8 and 68 (to indicate the 1261 gostr34102012_512 signature algorithm, the Intrinsic hash algorithm 1262 and the gost_sign512 certificate type respectively). 1264 Due to historical reasons in addition to the curve identifier values 1265 listed in Table 2 there exist some extra identifier values that 1266 correspond to the curves GC256B, GC256C and GC256D as follows. 1268 +-------------+-----------------------------------------+ 1269 | Description | Curve Identifier Values | 1270 +-------------+-----------------------------------------+ 1271 | GC256B |id-GostR3410_2001-CryptoPro-XchA-ParamSet| 1272 | |id-tc26-gost-3410-2012-256-paramSetB | 1273 +-------------+-----------------------------------------+ 1274 | GC256C |id-tc26-gost-3410-2012-256-paramSetC | 1275 +-------------+-----------------------------------------+ 1276 | GC256D |id-GostR3410-2001-CryptoPro-XchB-ParamSet| 1277 | |id-tc26-gost-3410-2012-256-paramSetD | 1278 +-------------+-----------------------------------------+ 1279 Table 8 1281 Client should be prepared to handle any of them correctly if 1282 corresponding group is included in the supported_groups extension 1283 (see [RFC8422] and [RFC7919]). 1285 11. Security Considerations 1287 This entire document is about security considerations. 1289 12. References 1291 12.1. Normative References 1293 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1294 Requirement Levels", BCP 14, RFC 2119, 1295 DOI 10.17487/RFC2119, March 1997, 1296 . 1298 [RFC4357] Popov, V., Kurepkin, I., and S. Leontiev, "Additional 1299 Cryptographic Algorithms for Use with GOST 28147-89, GOST 1300 R 34.10-94, GOST R 34.10-2001, and GOST R 34.11-94 1301 Algorithms", RFC 4357, DOI 10.17487/RFC4357, January 2006, 1302 . 1304 [RFC4490] Leontiev, S., Ed. and G. Chudov, Ed., "Using the GOST 1305 28147-89, GOST R 34.11-94, GOST R 34.10-94, and GOST R 1306 34.10-2001 Algorithms with Cryptographic Message Syntax 1307 (CMS)", RFC 4490, DOI 10.17487/RFC4490, May 2006, 1308 . 1310 [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security 1311 (TLS) Protocol Version 1.2", RFC 5246, 1312 DOI 10.17487/RFC5246, August 2008, 1313 . 1315 [RFC5746] Rescorla, E., Ray, M., Dispensa, S., and N. Oskov, 1316 "Transport Layer Security (TLS) Renegotiation Indication 1317 Extension", RFC 5746, DOI 10.17487/RFC5746, February 2010, 1318 . 1320 [RFC5830] Dolmatov, V., Ed., "GOST 28147-89: Encryption, Decryption, 1321 and Message Authentication Code (MAC) Algorithms", 1322 RFC 5830, DOI 10.17487/RFC5830, March 2010, 1323 . 1325 [RFC6986] Dolmatov, V., Ed. and A. Degtyarev, "GOST R 34.11-2012: 1326 Hash Function", RFC 6986, DOI 10.17487/RFC6986, August 1327 2013, . 1329 [RFC7091] Dolmatov, V., Ed. and A. Degtyarev, "GOST R 34.10-2012: 1330 Digital Signature Algorithm", RFC 7091, 1331 DOI 10.17487/RFC7091, December 2013, 1332 . 1334 [RFC7366] Gutmann, P., "Encrypt-then-MAC for Transport Layer 1335 Security (TLS) and Datagram Transport Layer Security 1336 (DTLS)", RFC 7366, DOI 10.17487/RFC7366, September 2014, 1337 . 1339 [RFC7627] Bhargavan, K., Ed., Delignat-Lavaud, A., Pironti, A., 1340 Langley, A., and M. Ray, "Transport Layer Security (TLS) 1341 Session Hash and Extended Master Secret Extension", 1342 RFC 7627, DOI 10.17487/RFC7627, September 2015, 1343 . 1345 [RFC7801] Dolmatov, V., Ed., "GOST R 34.12-2015: Block Cipher 1346 "Kuznyechik"", RFC 7801, DOI 10.17487/RFC7801, March 2016, 1347 . 1349 [RFC7836] Smyshlyaev, S., Ed., Alekseev, E., Oshkin, I., Popov, V., 1350 Leontiev, S., Podobaev, V., and D. Belyavsky, "Guidelines 1351 on the Cryptographic Algorithms to Accompany the Usage of 1352 Standards GOST R 34.10-2012 and GOST R 34.11-2012", 1353 RFC 7836, DOI 10.17487/RFC7836, March 2016, 1354 . 1356 [RFC7919] Gillmor, D., "Negotiated Finite Field Diffie-Hellman 1357 Ephemeral Parameters for Transport Layer Security (TLS)", 1358 RFC 7919, DOI 10.17487/RFC7919, August 2016, 1359 . 1361 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 1362 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 1363 May 2017, . 1365 [RFC8422] Nir, Y., Josefsson, S., and M. Pegourie-Gonnard, "Elliptic 1366 Curve Cryptography (ECC) Cipher Suites for Transport Layer 1367 Security (TLS) Versions 1.2 and Earlier", RFC 8422, 1368 DOI 10.17487/RFC8422, August 2018, 1369 . 1371 [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol 1372 Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, 1373 . 1375 [RFC8645] Smyshlyaev, S., Ed., "Re-keying Mechanisms for Symmetric 1376 Keys", RFC 8645, DOI 10.17487/RFC8645, August 2019, 1377 . 1379 12.2. Informative References 1381 [CMAC] Dworkin, M., "Recommendation for Block Cipher Modes of 1382 Operation: the CMAC Mode for Authentication", NIST Special 1383 Publication 800-38B, 2005. 1385 [DraftGostTLS13] 1386 Smyshlyaev, S., Alekseev, E., Griboedova, E., and A. 1387 Babueva, "GOST Cipher Suites for Transport Layer Security 1388 (TLS) Protocol Version 1.3", 2020, 1389 . 1392 [GOST28147-89] 1393 Government Committee of the USSR for Standards, 1394 "Cryptographic Protection for Data Processing System, 1395 Gosudarstvennyi Standard of USSR (In Russian)", 1396 GOST 28147-89, 1989. 1398 [GOST3410-2012] 1399 Federal Agency on Technical Regulating and Metrology, 1400 "Information technology. Cryptographic data security. 1401 Signature and verification processes of [electronic] 1402 digital signature", GOST R 34.10-2012, 2012. 1404 [GOST3411-2012] 1405 Federal Agency on Technical Regulating and Metrology, 1406 "Information technology. Cryptographic Data Security. 1407 Hashing function", GOST R 34.11-2012, 2012. 1409 [GOST3412-2015] 1410 Federal Agency on Technical Regulating and Metrology, 1411 "Information technology. Cryptographic data security. 1412 Block ciphers", GOST R 34.12-2015, 2015. 1414 [GOST3413-2015] 1415 Federal Agency on Technical Regulating and Metrology, 1416 "Information technology. Cryptographic data security. 1417 Modes of operation for block ciphers", GOST R 34.13-2015, 1418 2015. 1420 [IK2003] Iwata T., Kurosawa K. (2003), "OMAC: One-Key CBC MAC.", 1421 FSE 2003. Lecture Notes in Computer Science, vol 2887. 1422 Springer, Berlin, Heidelberg, 2003. 1424 [MODES] Dworkin, M., "Recommendation for Block Cipher Modes of 1425 Operation: Methods and Techniques", NIST Special 1426 Publication 800-38A, December 2001. 1428 Appendix A. Test Examples 1430 A.1. Test Examples for CTR_OMAC cipher suites 1432 A.1.1. TLSTREE Examples 1434 A.1.1.1. TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC ciphersuite 1436 TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC 1437 *********************************************** 1438 Root Key K_root: 1439 00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 1440 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 1442 seqnum = 0 1443 First level key from Divers_1: 1444 F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1 1445 39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42 1447 Second level key from Divers_2: 1448 51 37 D5 C4 A6 E6 BE 42 C4 40 D1 0A 95 EE A0 7F 1449 08 9E 74 0D 38 90 EB 52 65 2C 0C B9 3F 20 7B B4 1450 The resulting key from Divers 3: 1451 19 A7 6E D3 0F 4D 6D 1F 5B 72 63 EC 49 1A D8 38 1452 17 C0 B5 7D 8A 03 56 12 71 40 FB 4F 74 25 49 4D 1454 seqnum = 4095 1455 First level key from Divers_1: 1456 F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1 1457 39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42 1459 Second level key from Divers_2: 1460 51 37 D5 C4 A6 E6 BE 42 C4 40 D1 0A 95 EE A0 7F 1461 08 9E 74 0D 38 90 EB 52 65 2C 0C B9 3F 20 7B B4 1463 The resulting key from Divers 3: 1464 19 A7 6E D3 0F 4D 6D 1F 5B 72 63 EC 49 1A D8 38 1465 17 C0 B5 7D 8A 03 56 12 71 40 FB 4F 74 25 49 4D 1467 seqnum = 4096 1468 First level key from Divers_1: 1469 F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1 1470 39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42 1472 Second level key from Divers_2: 1473 51 37 D5 C4 A6 E6 BE 42 C4 40 D1 0A 95 EE A0 7F 1474 08 9E 74 0D 38 90 EB 52 65 2C 0C B9 3F 20 7B B4 1476 The resulting key from Divers 3: 1477 FB 30 EE 53 CF CF 89 D7 48 FC 0C 72 EF 16 0B 8B 1478 53 CB BB FD 03 12 82 B0 26 21 4A B2 E0 77 58 FF 1480 seqnum = 33554431 1481 First level key from Divers_1: 1482 F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1 1483 39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42 1485 Second level key from Divers_2: 1486 51 37 D5 C4 A6 E6 BE 42 C4 40 D1 0A 95 EE A0 7F 1487 08 9E 74 0D 38 90 EB 52 65 2C 0C B9 3F 20 7B B4 1489 The resulting key from Divers 3: 1490 B8 5B 36 DC 22 82 32 6B C0 35 C5 72 DC 93 F1 8D 1491 83 AA 01 74 F3 94 20 9A 51 3B B3 74 DC 09 35 AE 1493 seqnum = 33554432 1494 First level key from Divers_1: 1495 F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1 1496 39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42 1497 Second level key from Divers_2: 1498 3F EA 59 38 DA 2B F8 DD C4 7E C1 DC 55 61 89 66 1499 79 02 BE 42 0D F4 C3 7D AF 21 75 3B CB 1D C7 F3 1501 The resulting key from Divers 3: 1502 0F D7 C0 9E FD F8 E8 15 73 EE CC F8 6E 4B 95 E3 1503 AF 7F 34 DA B1 17 7C FD 7D B9 7B 6D A9 06 40 8A 1505 seqnum = 274877906943 1506 First level key from Divers_1: 1507 F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1 1508 39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42 1510 Second level key from Divers_2: 1511 AB F3 A5 37 98 3A 1B 98 40 06 6D E6 8A 49 BF 25 1512 97 7E E5 C3 F5 2D 33 3E 3C 22 0F 1D 15 C5 08 93 1514 The resulting key from Divers 3: 1515 48 0F 99 72 BA F2 5D 4C 36 9A 96 AF 91 BC A4 55 1516 3F 79 D8 F0 C5 61 8B 19 FD 44 CF DC 57 FA 37 33 1518 seqnum = 274877906944 1519 First level key from Divers_1: 1520 15 60 0D 9E 8F A6 85 54 CF 15 2D C7 4F BC 42 51 1521 17 B0 3E 09 76 BB 28 EA 98 24 C3 B7 0F 28 CB D8 1523 Second level key from Divers_2: 1524 6C C2 8E B0 93 24 72 12 5C 7A D3 F8 09 73 B3 C8 1525 C4 13 7D A5 73 BC 17 1A 24 ED D4 A3 71 F1 F8 73 1527 The resulting key from Divers 3: 1528 25 28 C1 C6 A8 F0 92 7B F2 BE 27 BB 78 D2 7F 21 1529 46 D6 55 93 B0 C7 17 3A 06 CB 9D 88 DF 92 32 65 1531 A.1.1.2. TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC ciphersuite 1533 TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC 1534 *********************************************** 1535 Root Key K_root: 1536 00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 1537 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 1539 seqnum = 0 1540 First level key from Divers_1: 1541 F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1 1542 39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42 1544 Second level key from Divers_2: 1545 51 37 D5 C4 A6 E6 BE 42 C4 40 D1 0A 95 EE A0 7F 1546 08 9E 74 0D 38 90 EB 52 65 2C 0C B9 3F 20 7B B4 1548 The resulting key from Divers 3: 1549 19 A7 6E D3 0F 4D 6D 1F 5B 72 63 EC 49 1A D8 38 1550 17 C0 B5 7D 8A 03 56 12 71 40 FB 4F 74 25 49 4D 1552 seqnum = 63 1553 First level key from Divers_1: 1554 F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1 1555 39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42 1557 Second level key from Divers_2: 1558 51 37 D5 C4 A6 E6 BE 42 C4 40 D1 0A 95 EE A0 7F 1559 08 9E 74 0D 38 90 EB 52 65 2C 0C B9 3F 20 7B B4 1561 The resulting key from Divers 3: 1562 19 A7 6E D3 0F 4D 6D 1F 5B 72 63 EC 49 1A D8 38 1563 17 C0 B5 7D 8A 03 56 12 71 40 FB 4F 74 25 49 4D 1565 seqnum = 64 1566 First level key from Divers_1: 1567 F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1 1568 39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42 1570 Second level key from Divers_2: 1571 51 37 D5 C4 A6 E6 BE 42 C4 40 D1 0A 95 EE A0 7F 1572 08 9E 74 0D 38 90 EB 52 65 2C 0C B9 3F 20 7B B4 1574 The resulting key from Divers 3: 1575 AE BE 1E F4 18 71 3B F0 44 B9 FC D9 E5 72 D4 37 1576 FB 38 B5 D8 29 56 7A 6F 79 18 39 6D 9F 4E 09 6B 1578 seqnum = 524287 1579 First level key from Divers_1: 1580 F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1 1581 39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42 1583 Second level key from Divers_2: 1584 51 37 D5 C4 A6 E6 BE 42 C4 40 D1 0A 95 EE A0 7F 1585 08 9E 74 0D 38 90 EB 52 65 2C 0C B9 3F 20 7B B4 1587 The resulting key from Divers 3: 1588 6F 18 D4 00 3E A2 CB 30 F5 FE C1 93 A2 34 F0 7D 1589 7C 43 94 98 7F 50 75 8D E2 2B 22 0D 8A 10 51 06 1590 seqnum = 524288 1591 First level key from Divers_1: 1592 F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1 1593 39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42 1595 Second level key from Divers_2: 1596 F6 59 EB 85 EE BD 2A 8D CC 1B B3 F7 C6 00 57 FF 1597 6D 33 B6 0F 74 65 DD 42 B5 11 2C F3 A6 B1 AB 66 1599 The resulting key from Divers 3: 1600 E5 4B 16 41 5B 3B 66 3E 78 0B 06 2D 24 F7 36 C4 1601 49 54 63 C3 A8 91 E1 FA 46 F7 AE 99 FF F9 F3 78 1603 seqnum = 4294967295 1604 First level key from Divers_1: 1605 F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1 1606 39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42 1608 Second level key from Divers_2: 1609 F4 BC 10 1A BB 68 86 2A 8C E3 1E A0 0D DF A7 FE 1610 B8 29 10 F1 24 F4 B1 E2 9E A8 3B E0 06 C2 26 8D 1612 The resulting key from Divers 3: 1613 CF 60 09 04 C7 1E 7B 88 A4 9A C8 E2 45 77 4B 3D 1614 BE ED FB 81 DE 9A 0E 2F 4E 46 C3 56 07 BC 2F 04 1616 seqnum = 4294967296 1617 First level key from Divers_1: 1618 55 CC 95 E0 D1 FB 54 85 AF 8E F6 9A CD 72 B2 32 1619 79 7C D2 E8 5D 86 CD FD 1D E5 5B D1 FA 14 37 78 1621 Second level key from Divers_2: 1622 72 16 91 E1 01 C4 28 96 A6 40 AE 18 3F BB 44 5B 1623 76 37 9C 57 E1 FD 8A 7D 49 A6 23 E4 23 8C 0E 1D 1625 The resulting key from Divers 3: 1626 16 18 0B 24 64 54 00 B8 36 14 38 37 D8 6A AC 93 1627 95 2A E3 EB 82 44 D5 EC 2A B0 2C FF 30 78 11 38 1629 A.1.2. Record Examples 1631 A.1.2.1. TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC ciphersuite 1633 TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC 1634 ******************************************************** 1635 It is assumed that during Handshake following keys were established: 1637 - MAC key: 1638 00000: 00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 1639 00010: 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 1640 - Encryption key: 1641 00000: 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 1642 00010: 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 1643 - IV: 1644 00000: 00 00 00 00 1645 --------------------------------------------------------- 1646 seqnum = 0 1648 Application data: 1649 00000: 00 00 00 00 00 00 00 1651 TLSPlaintext: 1652 00000: 17 03 03 00 07 00 00 00 00 00 00 00 1654 K_MAC_0: 1655 00000: 19 A7 6E D3 0F 4D 6D 1F 5B 72 63 EC 49 1A D8 38 1656 00010: 17 C0 B5 7D 8A 03 56 12 71 40 FB 4F 74 25 49 4D 1658 MAC value: 1659 00000: F3 3E B6 89 6F EC E2 86 1661 K_ENC_0: 1662 00000: 58 AF BE 9A 4C 31 98 AA AB AA 26 92 C4 19 F1 79 1663 00010: 7C 9B 92 DE B3 CC 74 46 B3 63 57 71 13 F0 FB 56 1665 IV_0: 1666 00000: 00 00 00 00 1668 TLSCiphertext: 1669 00000: 17 03 03 00 0F 9B 42 0D A8 6F AF 36 7F 05 14 43 1670 00010: CE 9C 10 72 1671 --------------------------------------------------------- 1672 seqnum = 4095 1674 Application data: 1675 00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1676 00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1677 00020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1678 . . . 1679 003D0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1680 003E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1681 003F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1682 TLSPlaintext: 1683 00000: 17 03 03 04 00 00 00 00 00 00 00 00 00 00 00 00 1684 00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1685 00020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1686 . . . 1687 003D0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1688 003E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1689 003F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1690 00400: 00 00 00 00 00 1692 K_MAC_4095: 1693 00000: 19 A7 6E D3 0F 4D 6D 1F 5B 72 63 EC 49 1A D8 38 1694 00010: 17 C0 B5 7D 8A 03 56 12 71 40 FB 4F 74 25 49 4D 1696 MAC value: 1697 00000: 58 D3 BB 60 8F BC 98 B8 1699 K_ENC_4095: 1700 00000: 58 AF BE 9A 4C 31 98 AA AB AA 26 92 C4 19 F1 79 1701 00010: 7C 9B 92 DE B3 CC 74 46 B3 63 57 71 13 F0 FB 56 1703 IV_4095: 1704 00000: 00 00 0F FF 1706 TLSCiphertext: 1707 00000: 17 03 03 04 08 B7 11 43 8B 16 20 1F 3C 49 33 95 1708 00010: 21 C9 C8 CA 75 66 D4 C2 0F D3 3E 58 1F 80 07 DC 1709 00020: 76 04 3E 2B 35 C8 E8 4B B2 55 08 27 66 13 59 6F 1710 . . . 1711 003D0: E7 77 70 BF 45 17 E1 F8 DD 1B 2C 05 64 AD 68 FC 1712 003E0: 4A 88 9A 48 B8 B1 FF 0E A4 E1 BB 70 4D 56 A4 75 1713 003F0: 2F 51 A5 82 CC 54 1A 80 8F 8C 8B 62 97 68 88 C8 1714 00400: 10 59 DE 41 27 63 A3 E0 99 9A CD DA 77 1716 --------------------------------------------------------- 1717 seqnum = 4096 1719 Application data: 1720 00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1721 00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1722 00020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1723 . . . 1724 007D0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1725 007E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1726 007F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1728 TLSPlaintext: 1729 00000: 17 03 03 08 00 00 00 00 00 00 00 00 00 00 00 00 1730 00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1731 00020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1732 . . . 1733 007D0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1734 007E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1735 007F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1736 00800: 00 00 00 00 00 1738 K_MAC_4096: 1739 00000: FB 30 EE 53 CF CF 89 D7 48 FC 0C 72 EF 16 0B 8B 1740 00010: 53 CB BB FD 03 12 82 B0 26 21 4A B2 E0 77 58 FF 1742 MAC value: 1743 00000: 50 55 A2 6A BE 19 63 81 1745 K_ENC_4096: 1746 00000: ED F2 FD 02 47 71 60 23 83 09 00 2D 1D 57 DF 9F 1747 00010: D2 ED 18 D6 45 66 C7 6F 4B F0 3D 3A BF 7B BB 1E 1749 IV_4096: 1750 00000: 00 00 10 00 1752 TLSCiphertext: 1753 00000: 17 03 03 08 08 99 95 26 07 03 47 1D ED A2 E6 55 1754 00010: B6 B3 93 83 5E 33 8B 1E D0 0E DD 22 47 A2 FB 88 1755 00020: FB B7 A8 94 80 62 08 8A F3 2C AE B6 AA 2C 4F 2A 1756 . . . 1757 007D0: 7F 0B 24 61 E7 5F E1 06 34 B8 4D C5 70 35 72 5A 1758 007E0: CA 4F 0C BC A9 B0 6C B9 F7 6F BD 2F 80 46 2B 8D 1759 007F0: 77 5E BD 41 6F 63 41 39 AC 89 C2 ED 3D F1 9F E2 1760 00800: 4E F8 C0 5A A8 90 93 1B 01 86 FD 7D DF 1762 A.1.2.2. TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC ciphersuite 1764 TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC 1765 *********************************************** 1766 It is assumed that during Handshake following keys were established: 1768 - MAC key: 1769 00000: 00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 1770 00010: 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 1771 - Encryption key: 1772 00000: 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 1773 00010: 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 1774 - IV: 1776 00000: 00 00 00 00 00 00 00 00 1778 --------------------------------------------------------- 1779 seqnum = 0 1781 Application data: 1782 00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1784 TLSPlaintext: 1785 00000: 17 03 03 00 0F 00 00 00 00 00 00 00 00 00 00 00 1786 00010: 00 00 00 00 1788 K_MAC_0: 1789 00000: 19 A7 6E D3 0F 4D 6D 1F 5B 72 63 EC 49 1A D8 38 1790 00010: 17 C0 B5 7D 8A 03 56 12 71 40 FB 4F 74 25 49 4D 1792 MAC value: 1793 00000: FD 17 19 DD 95 08 37 EB 7C 7B B8 F5 00 37 99 81 1795 K_ENC_0: 1796 00000: 58 AF BE 9A 4C 31 98 AA AB AA 26 92 C4 19 F1 79 1797 00010: 7C 9B 92 DE B3 CC 74 46 B3 63 57 71 13 F0 FB 56 1799 IV_0: 1800 00000: 00 00 00 00 00 00 00 00 1802 TLSCiphertext: 1803 00000: 17 03 03 00 1F 4D 1A 30 52 36 57 3B FF C1 4E 46 1804 00010: DC BE 74 6D B6 C9 9A 17 5A 81 C4 71 1E 2F 84 C3 1805 00020: 92 C5 40 7C 1807 --------------------------------------------------------- 1808 seqnum = 63 1810 Application data: 1811 00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1812 00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1813 00020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1814 . . . 1815 00FD0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1816 00FE0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1817 00FF0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1819 TLSPlaintext: 1820 00000: 17 03 03 10 00 00 00 00 00 00 00 00 00 00 00 00 1821 00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1822 00020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1823 . . . 1825 00FD0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1826 00FE0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1827 00FF0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1828 01000: 00 00 00 00 00 1830 K_MAC_63: 1831 00000: 19 A7 6E D3 0F 4D 6D 1F 5B 72 63 EC 49 1A D8 38 1832 00010: 17 C0 B5 7D 8A 03 56 12 71 40 FB 4F 74 25 49 4D 1834 Mac value: 1835 00000: 98 46 27 61 D0 26 24 4A 2C 0B 7D 1B CC CB E7 B0 1837 K_ENC_63: 1838 00000: 58 AF BE 9A 4C 31 98 AA AB AA 26 92 C4 19 F1 79 1839 00010: 7C 9B 92 DE B3 CC 74 46 B3 63 57 71 13 F0 FB 56 1841 IV_63: 1842 00000: 00 00 00 00 00 00 00 3F 1844 TLSCiphertext: 1845 00000: 17 03 03 10 10 12 93 51 D2 6E 14 07 13 A2 1B 37 1846 00010: 68 24 A2 23 17 CD C0 D8 8E 01 CF A3 FE 21 41 5F 1847 00020: 5C 5E 05 86 9C CF 38 A5 1B C2 E0 ED 68 94 46 A8 1848 . . . 1849 00FE0: 19 AD 99 8C 06 25 21 E6 7B 63 59 A4 F5 C8 16 F9 1850 00FF0: 47 6B A7 13 26 82 BB A8 CE 0B ED AD 65 E4 20 A2 1851 01000: 97 B6 E2 C6 1F A4 06 D9 B8 CA 36 FD 9F CD 3A EE 1852 01010: 24 78 F4 D1 96 1854 --------------------------------------------------------- 1855 seqnum = 64 1857 Application data: 1858 00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1859 00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1860 00020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1861 . . . 1862 01FD0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1863 01FE0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1864 01FF0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1866 TLSPlaintext: 1867 00000: 17 03 03 20 00 00 00 00 00 00 00 00 00 00 00 00 1868 00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1869 00020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1870 . . . 1871 01FD0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1872 01FE0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1873 01FF0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1874 02000: 00 00 00 00 00 1876 K_MAC_64: 1877 00000: AE BE 1E F4 18 71 3B F0 44 B9 FC D9 E5 72 D4 37 1878 00010: FB 38 B5 D8 29 56 7A 6F 79 18 39 6D 9F 4E 09 6B 1880 Mac value: 1881 00000: EA C3 97 87 84 2B 1D BD 60 80 CC 3F BF AE 5C 2F 1883 K_ENC_64: 1884 00000: 64 F5 5A FC 37 A1 74 D9 53 3E 70 8B CD 14 FA 4A 1885 00010: EE C3 7B C0 E3 2B A4 99 01 B4 66 9E 96 A6 3D 96 1887 IV_64: 1888 00000: 00 00 00 00 00 00 00 40 1890 TLSCiphertext: 1891 00000: 17 03 03 20 10 E6 66 BB 98 AC 5B 0F 39 31 D8 55 1892 00010: 1B 93 36 85 96 EE F0 EB A8 26 9C B8 BD AA E7 EB 1893 00020: 80 C8 30 D7 5A B7 D4 6C 25 06 DC 8B 83 E1 F2 D3 1894 . . . 1895 01FE0: B3 02 67 2C CB 02 86 CD 40 48 FB D5 38 1A 65 55 1896 01FF0: 26 11 25 51 01 4F A8 ED F5 C2 1B 7D 1D B3 9D 6B 1897 02000: AD EC 0D 7C 07 05 34 8B 5C 55 6C 4D 50 81 69 1A 1898 02010: A9 EC 36 F8 B5 1900 A.1.3. Handshake Examples 1902 The ClientHello.extensions and the ServerHello.extensions fields 1903 contain the extended_master_secret extension (see [RFC7627]) and the 1904 renegotiation_info extension (see [RFC5746]) in the following 1905 examples. 1907 A.1.3.1. TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC ciphersuite 1909 Server certificate curve OID: 1910 id-GostR3410-2001-CryptoPro-A-ParamSet, "1.2.643.2.2.35.1" 1912 Server public key Q_s: 1913 x = 0x6531D4A72E655BFC9DFB94293B260702 1914 82FABF10D5C49B7366148C60E0BF8167 1916 y = 0x37F8CC71DC5D917FC4A66F7826E72750 1917 8270B4FFC266C26CD4363E77B553A5B8 1919 Server private key d_s: 1920 0x5F308355DFD6A8ACAEE0837B100A3B1F 1921 6D63FB29B78EF27D3967757F0527144C 1923 ---------------------------Client--------------------------- 1925 ClientHello message: 1926 msg_type: 01 1927 length: 000040 1928 body: 1929 client_version: 1930 major: 03 1931 minor: 03 1932 random: 933EA21EC3802A561550EC78D6ED51AC 1933 2439D7E749C31BC3A3456165889684CA 1934 session_id: 1935 length: 00 1936 vector: -- 1937 cipher_suites: 1938 length: 0004 1939 vector: 1940 CipherSuite: C100 1941 CipherSuite: C101 1942 compression_methods: 1943 length: 01 1944 vector: 1945 CompressionMethod: 00 1946 extensions: 1947 length: 0013 1948 vector: 1949 Extension: /* signature_algorithms */ 1950 extension_type: 000D 1951 extension_data: 1952 length: 0006 1953 vector: 1954 supported_signature_algorithms: 1955 length: 0004 1956 vector: 1957 /* 1 pair of algorithms */ 1958 hash: 08 1959 signature: 1960 40 1961 /* 2 pair of algorithms */ 1962 hash: 08 1963 signature: 1965 41 1966 Extension: /* renegotiation_info */ 1967 extension_type: FF01 1968 extension_data: 1969 length: 0001 1970 vector: 1971 renegotiated_connection: 1972 length: 00 1973 vector: -- 1974 Extension: /* extended_master_secret */ 1975 extension_type: 0017 1976 extension_data: 1977 length: 0000 1978 vector: -- 1980 00000: 01 00 00 40 03 03 93 3E A2 1E C3 80 2A 56 15 50 1981 00010: EC 78 D6 ED 51 AC 24 39 D7 E7 49 C3 1B C3 A3 45 1982 00020: 61 65 88 96 84 CA 00 00 04 C1 00 C1 01 01 00 00 1983 00030: 13 00 0D 00 06 00 04 08 40 08 41 FF 01 00 01 00 1984 00040: 00 17 00 00 1986 Record layer message: 1987 type: 16 1988 version: 1989 major: 03 1990 minor: 03 1991 length: 0044 1992 fragment: 010000400303933EA21EC3802A561550 1993 EC78D6ED51AC2439D7E749C31BC3A345 1994 6165889684CA000004C100C101010000 1995 13000D0006000408400841FF01000100 1996 00170000 1998 00000: 16 03 03 00 44 01 00 00 40 03 03 93 3E A2 1E C3 1999 00010: 80 2A 56 15 50 EC 78 D6 ED 51 AC 24 39 D7 E7 49 2000 00020: C3 1B C3 A3 45 61 65 88 96 84 CA 00 00 04 C1 00 2001 00030: C1 01 01 00 00 13 00 0D 00 06 00 04 08 40 08 41 2002 00040: FF 01 00 01 00 00 17 00 00 2004 ---------------------------Server--------------------------- 2006 ServerHello message: 2007 msg_type: 02 2008 length: 000041 2009 body: 2010 server_version: 2011 major: 03 2012 minor: 03 2013 random: 933EA21E49C31BC3A3456165889684CA 2014 A5576CE7924A24F58113808DBD9EF856 2015 session_id: 2016 length: 10 2017 vector: C3802A561550EC78D6ED51AC2439D7E7 2018 cipher_suite: 2019 CipherSuite: C101 2020 compression_method: 2021 CompressionMethod: 00 2022 extensions: 2023 length: 0009 2024 vector: 2025 Extension: /* renegotiation_info */ 2026 extension_type: FF01 2027 extension_data: 2028 length: 0001 2029 vector: 2030 renegotiated_connection: 2031 length: 00 2032 vector: -- 2033 Extension: /* extended_master_secret */ 2034 extension_type: 0017 2035 extension_data: 2036 length: 0000 2037 vector: -- 2039 00000: 02 00 00 41 03 03 93 3E A2 1E 49 C3 1B C3 A3 45 2040 00010: 61 65 88 96 84 CA A5 57 6C E7 92 4A 24 F5 81 13 2041 00020: 80 8D BD 9E F8 56 10 C3 80 2A 56 15 50 EC 78 D6 2042 00030: ED 51 AC 24 39 D7 E7 C1 01 00 00 09 FF 01 00 01 2043 00040: 00 00 17 00 00 2045 Record layer message: 2046 type: 16 2047 version: 2048 major: 03 2049 minor: 03 2050 length: 0045 2051 fragment: 020000410303933EA21E49C31BC3A345 2052 6165889684CAA5576CE7924A24F58113 2053 808DBD9EF85610C3802A561550EC78D6 2054 ED51AC2439D7E7C101000009FF010001 2055 0000170000 2057 00000: 16 03 03 00 45 02 00 00 41 03 03 93 3E A2 1E 49 2058 00010: C3 1B C3 A3 45 61 65 88 96 84 CA A5 57 6C E7 92 2059 00020: 4A 24 F5 81 13 80 8D BD 9E F8 56 10 C3 80 2A 56 2060 00030: 15 50 EC 78 D6 ED 51 AC 24 39 D7 E7 C1 01 00 00 2061 00040: 09 FF 01 00 01 00 00 17 00 00 2063 ---------------------------Server--------------------------- 2065 Certificate message: 2066 msg_type: 0B 2067 length: 0001DB 2068 body: 2069 certificate_list: 2070 length: 0001D8 2071 vector: 2072 ASN.1Cert: 2073 length: 0001D5 2074 vector: 308201D13082017EA003020102020833 2075 FBB2C0E9575A46300A06082A85030701 2076 010302301F311D301B06035504030C14 2077 . . . 2078 797990E4B5452CF82FE1F19EE237B754 2079 CBCD5078D752A28013DFFC8224AD114B 2080 BD7C1BB71E480AD6EEF9857A8C99C595 2081 9053EEDFE9 2083 00000: 0B 00 01 DB 00 01 D8 00 01 D5 30 82 01 D1 30 82 2084 00010: 01 7E A0 03 02 01 02 02 08 33 FB B2 C0 E9 57 5A 2085 00020: 46 30 0A 06 08 2A 85 03 07 01 01 03 02 30 1F 31 2086 00030: 1D 30 1B 06 03 55 04 03 0C 14 74 65 73 74 5F 73 2087 00040: 65 6C 66 73 69 67 6E 65 64 5F 63 65 72 74 30 1E 2088 00050: 17 0D 31 39 30 36 32 37 31 35 32 34 30 38 5A 17 2089 00060: 0D 32 30 31 32 31 38 31 35 33 34 30 38 5A 30 1F 2090 00070: 31 1D 30 1B 06 03 55 04 03 0C 14 74 65 73 74 5F 2091 00080: 73 65 6C 66 73 69 67 6E 65 64 5F 63 65 72 74 30 2092 00090: 66 30 1F 06 08 2A 85 03 07 01 01 01 01 30 13 06 2093 000A0: 07 2A 85 03 02 02 23 01 06 08 2A 85 03 07 01 01 2094 000B0: 02 02 03 43 00 04 40 67 81 BF E0 60 8C 14 66 73 2095 000C0: 9B C4 D5 10 BF FA 82 02 07 26 3B 29 94 FB 9D FC 2096 000D0: 5B 65 2E A7 D4 31 65 B8 A5 53 B5 77 3E 36 D4 6C 2097 000E0: C2 66 C2 FF B4 70 82 50 27 E7 26 78 6F A6 C4 7F 2098 000F0: 91 5D DC 71 CC F8 37 A3 81 96 30 81 93 30 1D 06 2099 00100: 03 55 1D 0E 04 16 04 14 E7 D0 0B B8 4D 8D 24 18 2100 00110: 29 3E 05 C1 7C E7 77 98 D4 8D 30 16 30 0E 06 03 2101 00120: 55 1D 0F 01 01 FF 04 04 03 02 01 C6 30 12 06 03 2102 00130: 55 1D 13 01 01 FF 04 08 30 06 01 01 FF 02 01 01 2103 00140: 30 4E 06 03 55 1D 23 04 47 30 45 80 14 E7 D0 0B 2104 00150: B8 4D 8D 24 18 29 3E 05 C1 7C E7 77 98 D4 8D 30 2105 00160: 16 A1 23 A4 21 30 1F 31 1D 30 1B 06 03 55 04 03 2106 00170: 0C 14 74 65 73 74 5F 73 65 6C 66 73 69 67 6E 65 2107 00180: 64 5F 63 65 72 74 82 08 33 FB B2 C0 E9 57 5A 46 2108 00190: 30 0A 06 08 2A 85 03 07 01 01 03 02 03 41 00 E2 2109 001A0: 88 44 F9 F1 C8 55 E2 DB 5B 19 79 79 90 E4 B5 45 2110 001B0: 2C F8 2F E1 F1 9E E2 37 B7 54 CB CD 50 78 D7 52 2111 001C0: A2 80 13 DF FC 82 24 AD 11 4B BD 7C 1B B7 1E 48 2112 001D0: 0A D6 EE F9 85 7A 8C 99 C5 95 90 53 EE DF E9 2114 Record layer message: 2115 type: 16 2116 version: 2117 major: 03 2118 minor: 03 2119 length: 01DF 2120 fragment: 0B0001DB0001D80001D5308201D13082 2121 017EA003020102020833FBB2C0E9575A 2122 46300A06082A85030701010302301F31 2123 . . . 2124 8844F9F1C855E2DB5B19797990E4B545 2125 2CF82FE1F19EE237B754CBCD5078D752 2126 A28013DFFC8224AD114BBD7C1BB71E48 2127 0AD6EEF9857A8C99C5959053EEDFE9 2129 00000: 16 03 03 01 DF 0B 00 01 DB 00 01 D8 00 01 D5 30 2130 00010: 82 01 D1 30 82 01 7E A0 03 02 01 02 02 08 33 FB 2131 00020: B2 C0 E9 57 5A 46 30 0A 06 08 2A 85 03 07 01 01 2132 00030: 03 02 30 1F 31 1D 30 1B 06 03 55 04 03 0C 14 74 2133 00040: 65 73 74 5F 73 65 6C 66 73 69 67 6E 65 64 5F 63 2134 00050: 65 72 74 30 1E 17 0D 31 39 30 36 32 37 31 35 32 2135 00060: 34 30 38 5A 17 0D 32 30 31 32 31 38 31 35 33 34 2136 00070: 30 38 5A 30 1F 31 1D 30 1B 06 03 55 04 03 0C 14 2137 00080: 74 65 73 74 5F 73 65 6C 66 73 69 67 6E 65 64 5F 2138 00090: 63 65 72 74 30 66 30 1F 06 08 2A 85 03 07 01 01 2139 000A0: 01 01 30 13 06 07 2A 85 03 02 02 23 01 06 08 2A 2140 000B0: 85 03 07 01 01 02 02 03 43 00 04 40 67 81 BF E0 2141 000C0: 60 8C 14 66 73 9B C4 D5 10 BF FA 82 02 07 26 3B 2142 000D0: 29 94 FB 9D FC 5B 65 2E A7 D4 31 65 B8 A5 53 B5 2143 000E0: 77 3E 36 D4 6C C2 66 C2 FF B4 70 82 50 27 E7 26 2144 000F0: 78 6F A6 C4 7F 91 5D DC 71 CC F8 37 A3 81 96 30 2145 00100: 81 93 30 1D 06 03 55 1D 0E 04 16 04 14 E7 D0 0B 2146 00110: B8 4D 8D 24 18 29 3E 05 C1 7C E7 77 98 D4 8D 30 2147 00120: 16 30 0E 06 03 55 1D 0F 01 01 FF 04 04 03 02 01 2148 00130: C6 30 12 06 03 55 1D 13 01 01 FF 04 08 30 06 01 2149 00140: 01 FF 02 01 01 30 4E 06 03 55 1D 23 04 47 30 45 2150 00150: 80 14 E7 D0 0B B8 4D 8D 24 18 29 3E 05 C1 7C E7 2151 00160: 77 98 D4 8D 30 16 A1 23 A4 21 30 1F 31 1D 30 1B 2152 00170: 06 03 55 04 03 0C 14 74 65 73 74 5F 73 65 6C 66 2153 00180: 73 69 67 6E 65 64 5F 63 65 72 74 82 08 33 FB B2 2154 00190: C0 E9 57 5A 46 30 0A 06 08 2A 85 03 07 01 01 03 2155 001A0: 02 03 41 00 E2 88 44 F9 F1 C8 55 E2 DB 5B 19 79 2156 001B0: 79 90 E4 B5 45 2C F8 2F E1 F1 9E E2 37 B7 54 CB 2157 001C0: CD 50 78 D7 52 A2 80 13 DF FC 82 24 AD 11 4B BD 2158 001D0: 7C 1B B7 1E 48 0A D6 EE F9 85 7A 8C 99 C5 95 90 2159 001E0: 53 EE DF E9 2161 ---------------------------Server--------------------------- 2163 ServerHelloDone message: 2164 msg_type: 0E 2165 length: 000000 2166 body: -- 2168 00000: 0E 00 00 00 2170 Record layer message:: 2171 type: 16 2172 version: 2173 major: 03 2174 minor: 03 2175 length: 0004 2176 fragment: 0E000000 2178 00000: 16 03 03 00 04 0E 00 00 00 2180 ---------------------------Client--------------------------- 2182 PMS: 2183 00000: A5 57 6C E7 92 4A 24 F5 81 13 80 8D BD 9E F8 56 2184 00010: F5 BD C3 B1 83 CE 5D AD CA 36 A5 3A A0 77 65 1D 2186 Random d_eph value: 2187 0xA5C77C7482373DE16CE4A6F73CCE7F78 2188 471493FF2C0709B8B706C9E8A25E6C1E 2190 Q_eph ephemeral key: 2191 x = 0xA8F36D63D262A203978F1B3B6795CDBB 2192 F1AE7FB8EF7F47F1F18871C198E00793 2194 y = 0x34CA5D6B4485640EA195435993BEB1F8 2195 B016ED610496B5CC175AC2EA1F14F887 2197 HASH (r_c | r_s): 2198 00000: C3 EF 04 28 D4 B7 A1 F4 C5 02 5F 2E 65 DD 2B 2E 2199 00010: A5 83 AE EF DB 67 C7 F4 21 4A 6A 29 8E 99 E3 25 2200 Export key generation. r value: 2201 0xC3EF0428D4B7A1F4C5025F2E65DD2B2E 2203 Export key generation. UKM value: 2204 0xC3EF0428D4B7A1F4C5025F2E65DD2B2E 2206 seed: 2207 00000: A5 83 AE EF DB 67 C7 F4 2209 K_EXP: 2210 00000: 1E 58 54 90 E8 65 FF D1 8F 18 D7 C0 A0 4D 0E E8 2211 00010: 4F 1A 5D 79 7C EF AD A0 1B 1E 3B 7F DB 90 E0 29 2213 Export keys K_Exp_MAC | K_Exp_ENC used in KExp15 algorithm: 2214 00000: 2D 8B A8 C8 4C B2 32 FF 41 F1 0C 3A D9 24 13 42 2215 00010: 23 25 4F 71 E5 69 6D 3D 29 C3 E4 C9 DA A6 B2 93 2216 00020: 84 9E B6 34 0B FF AE 69 28 A3 C3 E4 FF 92 EC CB 2217 00030: 1E 8F 0C F7 A1 88 36 8E 6B 74 8E 52 EA 37 8B 0C 2219 IV: 2220 00000: 21 4A 6A 29 2222 PMSEXP: 2223 00000: D7 F0 F0 42 23 67 86 7B 25 FA 42 33 A9 54 F5 8B 2224 00010: DE 92 E9 C9 BB FB 88 16 C9 9F 15 E6 39 87 22 A0 2225 00020: B2 B7 BF E8 49 3E 9A 5C 2227 ---------------------------Client--------------------------- 2229 ClientKeyExchange message: 2230 msg_type: 10 2231 length: 000095 2232 body: 2233 exchange_keys: 3081920428D7F0F0422367867B25FA42 2234 33A954F58BDE92E9C9BBFB8816C99F15 2235 E6398722A0B2B7BFE8493E9A5C306630 2236 . . . 2237 EFB87FAEF1BBCD95673B1B8F9703A262 2238 D2636DF3A887F8141FEAC25A17CCB596 2239 0461ED16B0F8B1BE93594395A10E6485 2240 446B5DCA34 2242 00000: 10 00 00 95 30 81 92 04 28 D7 F0 F0 42 23 67 86 2243 00010: 7B 25 FA 42 33 A9 54 F5 8B DE 92 E9 C9 BB FB 88 2244 00020: 16 C9 9F 15 E6 39 87 22 A0 B2 B7 BF E8 49 3E 9A 2245 00030: 5C 30 66 30 1F 06 08 2A 85 03 07 01 01 01 01 30 2246 00040: 13 06 07 2A 85 03 02 02 23 01 06 08 2A 85 03 07 2247 00050: 01 01 02 02 03 43 00 04 40 93 07 E0 98 C1 71 88 2248 00060: F1 F1 47 7F EF B8 7F AE F1 BB CD 95 67 3B 1B 8F 2249 00070: 97 03 A2 62 D2 63 6D F3 A8 87 F8 14 1F EA C2 5A 2250 00080: 17 CC B5 96 04 61 ED 16 B0 F8 B1 BE 93 59 43 95 2251 00090: A1 0E 64 85 44 6B 5D CA 34 2253 Record layer message: 2254 type: 16 2255 version: 2256 major: 03 2257 minor: 03 2258 length: 0099 2259 fragment: 100000953081920428D7F0F042236786 2260 7B25FA4233A954F58BDE92E9C9BBFB88 2261 16C99F15E6398722A0B2B7BFE8493E9A 2262 . . . 2263 F1F1477FEFB87FAEF1BBCD95673B1B8F 2264 9703A262D2636DF3A887F8141FEAC25A 2265 17CCB5960461ED16B0F8B1BE93594395 2266 A10E6485446B5DCA34 2268 00000: 16 03 03 00 99 10 00 00 95 30 81 92 04 28 D7 F0 2269 00010: F0 42 23 67 86 7B 25 FA 42 33 A9 54 F5 8B DE 92 2270 00020: E9 C9 BB FB 88 16 C9 9F 15 E6 39 87 22 A0 B2 B7 2271 00030: BF E8 49 3E 9A 5C 30 66 30 1F 06 08 2A 85 03 07 2272 00040: 01 01 01 01 30 13 06 07 2A 85 03 02 02 23 01 06 2273 00050: 08 2A 85 03 07 01 01 02 02 03 43 00 04 40 93 07 2274 00060: E0 98 C1 71 88 F1 F1 47 7F EF B8 7F AE F1 BB CD 2275 00070: 95 67 3B 1B 8F 97 03 A2 62 D2 63 6D F3 A8 87 F8 2276 00080: 14 1F EA C2 5A 17 CC B5 96 04 61 ED 16 B0 F8 B1 2277 00090: BE 93 59 43 95 A1 0E 64 85 44 6B 5D CA 34 2279 ---------------------------Server--------------------------- 2281 PMSEXP extracted: 2282 00000: D7 F0 F0 42 23 67 86 7B 25 FA 42 33 A9 54 F5 8B 2283 00010: DE 92 E9 C9 BB FB 88 16 C9 9F 15 E6 39 87 22 A0 2284 00020: B2 B7 BF E8 49 3E 9A 5C 2286 HASH(r_c | r_s): 2287 00000: C3 EF 04 28 D4 B7 A1 F4 C5 02 5F 2E 65 DD 2B 2E 2288 00010: A5 83 AE EF DB 67 C7 F4 21 4A 6A 29 8E 99 E3 25 2290 Export key generation. r value: 2291 0xC3EF0428D4B7A1F4C5025F2E65DD2B2E 2293 Export key generation. UKM value: 2295 0xC3EF0428D4B7A1F4C5025F2E65DD2B2E 2297 seed: 2298 00000: A5 83 AE EF DB 67 C7 F4 2300 K_EXP: 2301 00000: 1E 58 54 90 E8 65 FF D1 8F 18 D7 C0 A0 4D 0E E8 2302 00010: 4F 1A 5D 79 7C EF AD A0 1B 1E 3B 7F DB 90 E0 29 2304 Import keys K_Imp_MAC | K_Imp_ENC used in KImp15 algorithm: 2305 00000: 2D 8B A8 C8 4C B2 32 FF 41 F1 0C 3A D9 24 13 42 2306 00010: 23 25 4F 71 E5 69 6D 3D 29 C3 E4 C9 DA A6 B2 93 2307 00020: 84 9E B6 34 0B FF AE 69 28 A3 C3 E4 FF 92 EC CB 2308 00030: 1E 8F 0C F7 A1 88 36 8E 6B 74 8E 52 EA 37 8B 0C 2310 IV: 2311 00000: 21 4A 6A 29 2313 PMS: 2314 00000: A5 57 6C E7 92 4A 24 F5 81 13 80 8D BD 9E F8 56 2315 00010: F5 BD C3 B1 83 CE 5D AD CA 36 A5 3A A0 77 65 1D 2317 ---------------------------Client--------------------------- 2319 HASH(HM): 2320 00000: 7E 1F 59 D3 64 9D B6 09 00 EA 4F 8A 58 5A 65 7A 2321 00010: 92 77 B3 04 50 58 4C F5 43 51 19 8C DE A3 0C 49 2323 MS: 2324 00000: FD D2 7C B4 04 AD 4E 44 49 68 4F 7C 55 90 E9 E7 2325 00010: 02 EF 41 01 93 3B 52 77 A4 A9 6D F5 00 B0 7C C3 2326 00020: 32 4F D8 A6 D9 07 CB B0 3D F3 FB 33 1F 1C 4D 0C 2328 Client connection key material 2329 K_write_MAC|K_read_MAC|K_write_ENC|K_read_ENC|IV_write|IV_read: 2330 00000: DD 4E 10 17 E3 09 1F FD 86 75 65 8A 78 00 90 09 2331 00010: 3B BE 69 EC A6 93 31 5C A8 5B E0 A6 14 3D C9 F8 2332 00020: 1D 64 D0 23 46 5F 8B EA 17 F8 12 F8 C2 D8 BF C0 2333 00030: D9 BB AB A7 B4 DF D3 A1 7C E0 E1 3B 2D 63 65 F3 2334 00040: FC 8B 34 59 CF 54 FE 44 9A 04 07 64 53 73 08 00 2335 00050: 75 10 32 55 9D 07 B6 C4 EA C6 75 48 71 BC 97 8A 2336 00060: B9 0E 2A EE 98 77 14 BB D8 F7 57 AE F7 84 FF 24 2337 00070: 47 B3 94 2E B4 3E 26 35 73 1C 4C 28 22 D0 2D 79 2338 00080: 2B 6A 81 3F 93 ED A6 FA 2340 ---------------------------Server--------------------------- 2341 HASH(HM): 2342 00000: 7E 1F 59 D3 64 9D B6 09 00 EA 4F 8A 58 5A 65 7A 2343 00010: 92 77 B3 04 50 58 4C F5 43 51 19 8C DE A3 0C 49 2345 MS: 2346 00000: FD D2 7C B4 04 AD 4E 44 49 68 4F 7C 55 90 E9 E7 2347 00010: 02 EF 41 01 93 3B 52 77 A4 A9 6D F5 00 B0 7C C3 2348 00020: 32 4F D8 A6 D9 07 CB B0 3D F3 FB 33 1F 1C 4D 0C 2350 Server connection key material 2351 K_read_MAC|K_write_MAC|K_read_ENC|K_write_ENC|IV_read|IV_write: 2352 00000: DD 4E 10 17 E3 09 1F FD 86 75 65 8A 78 00 90 09 2353 00010: 3B BE 69 EC A6 93 31 5C A8 5B E0 A6 14 3D C9 F8 2354 00020: 1D 64 D0 23 46 5F 8B EA 17 F8 12 F8 C2 D8 BF C0 2355 00030: D9 BB AB A7 B4 DF D3 A1 7C E0 E1 3B 2D 63 65 F3 2356 00040: FC 8B 34 59 CF 54 FE 44 9A 04 07 64 53 73 08 00 2357 00050: 75 10 32 55 9D 07 B6 C4 EA C6 75 48 71 BC 97 8A 2358 00060: B9 0E 2A EE 98 77 14 BB D8 F7 57 AE F7 84 FF 24 2359 00070: 47 B3 94 2E B4 3E 26 35 73 1C 4C 28 22 D0 2D 79 2360 00080: 2B 6A 81 3F 93 ED A6 FA 2362 ---------------------------Client--------------------------- 2364 ChangeCipherSpec message: 2365 type: 01 2367 00000: 01 2369 Record layer message: 2370 type: 14 2371 version: 2372 major: 03 2373 minor: 03 2374 length: 0001 2375 fragment: 01 2377 00000: 14 03 03 00 01 01 2379 ---------------------------Client--------------------------- 2381 HASH(HM): 2382 00000: 7E 1F 59 D3 64 9D B6 09 00 EA 4F 8A 58 5A 65 7A 2383 00010: 92 77 B3 04 50 58 4C F5 43 51 19 8C DE A3 0C 49 2385 client_verify_data: 2386 00000: B4 61 C5 AD 25 EA 1E 62 B3 70 BD 1F 1B CB 16 91 2387 00010: FC CC BA 37 8B BC 13 43 BE 54 B3 8D F5 53 B7 A5 2389 ---------------------------Client--------------------------- 2391 Finished message: 2392 msg_type: 14 2393 length: 000020 2394 body: 2395 verify_data: B461C5AD25EA1E62B370BD1F1BCB1691 2396 FCCCBA378BBC1343BE54B38DF553B7A5 2398 00000: 14 00 00 20 B4 61 C5 AD 25 EA 1E 62 B3 70 BD 1F 2399 00010: 1B CB 16 91 FC CC BA 37 8B BC 13 43 BE 54 B3 8D 2400 00020: F5 53 B7 A5 2402 Record layer message: 2403 type: 16 2404 version: 2405 major: 03 2406 minor: 03 2407 length: 002C 2408 fragment: 0C630271D4DA39DD8D6BD040302D9B8F 2409 33D5F7B967EED155F7D65592892C03C7 2410 885C249B1225B184AB4D5DBF 2412 00000: 16 03 03 00 2C 0C 63 02 71 D4 DA 39 DD 8D 6B D0 2413 00010: 40 30 2D 9B 8F 33 D5 F7 B9 67 EE D1 55 F7 D6 55 2414 00020: 92 89 2C 03 C7 88 5C 24 9B 12 25 B1 84 AB 4D 5D 2415 00030: BF 2417 ---------------------------Server--------------------------- 2419 ChangeCipherSpec message: 2420 type: 01 2422 00000: 01 2424 Record layer message: 2425 type: 14 2426 version: 2427 major: 03 2428 minor: 03 2429 length: 0001 2430 fragment: 01 2432 00000: 14 03 03 00 01 01 2433 ---------------------------Server--------------------------- 2435 HASH(HM): 2436 00000: DB D7 D8 93 82 4A ED FD D5 FB 7B 75 4B 47 E1 E6 2437 00010: AF E0 77 DA E6 D1 13 63 42 07 C7 EE 0F C6 F3 B1 2439 server_verify_data: 2440 00000: 45 39 EC 8D 0A F7 B1 A6 20 41 AB 43 4A 43 77 71 2441 00010: D3 4C 47 19 D8 6E BB FD 0F 28 C3 E9 53 55 0C D0 2443 ---------------------------Server--------------------------- 2445 Finished message: 2446 msg_type: 14 2447 length: 000020 2448 body: 2449 verify_data: 4539EC8D0AF7B1A62041AB434A437771 2450 D34C4719D86EBBFD0F28C3E953550CD0 2452 00000: 14 00 00 20 45 39 EC 8D 0A F7 B1 A6 20 41 AB 43 2453 00010: 4A 43 77 71 D3 4C 47 19 D8 6E BB FD 0F 28 C3 E9 2454 00020: 53 55 0C D0 2456 Record layer message: 2457 type: 16 2458 version: 2459 major: 03 2460 minor: 03 2461 length: 002C 2462 fragment: E6A94A4BF70886566A2316811E57B483 2463 BB1E47950A1FF820A80DCA77A4DF9954 2464 2DAB6953F3ED03D95CCA4748 2466 00000: 16 03 03 00 2C E6 A9 4A 4B F7 08 86 56 6A 23 16 2467 00010: 81 1E 57 B4 83 BB 1E 47 95 0A 1F F8 20 A8 0D CA 2468 00020: 77 A4 DF 99 54 2D AB 69 53 F3 ED 03 D9 5C CA 47 2469 00030: 48 2471 ---------------------------Client--------------------------- 2473 Application data: 2474 00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2475 00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2477 Record layer message: 2478 type: 17 2479 version: 2480 major: 03 2481 minor: 03 2482 length: 0028 2483 fragment: 38807B6E5E0C3F4F7E0DBF7758031BF0 2484 7F100C4B63ADBC75F49BCBF428572D37 2485 7CAED097336DB203 2487 00000: 17 03 03 00 28 38 80 7B 6E 5E 0C 3F 4F 7E 0D BF 2488 00010: 77 58 03 1B F0 7F 10 0C 4B 63 AD BC 75 F4 9B CB 2489 00020: F4 28 57 2D 37 7C AE D0 97 33 6D B2 03 2491 ---------------------------Server--------------------------- 2493 Application data: 2494 00000: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 2495 00010: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 2497 Record layer message: 2498 type: 17 2499 version: 2500 major: 03 2501 minor: 03 2502 length: 0028 2503 fragment: 05B869E5C979C3B9D4837B8E39D9BBEE 2504 1BBD0052D3D48340D0CDE082B33BC07F 2505 4E742D1113249AD8 2507 00000: 17 03 03 00 28 05 B8 69 E5 C9 79 C3 B9 D4 83 7B 2508 00010: 8E 39 D9 BB EE 1B BD 00 52 D3 D4 83 40 D0 CD E0 2509 00020: 82 B3 3B C0 7F 4E 74 2D 11 13 24 9A D8 2511 ---------------------------Client--------------------------- 2513 close_notify alert: 2514 Alert: 2515 level: 01 2516 description: 00 2518 00000: 01 00 2520 Record layer message: 2521 type: 15 2522 version: 2523 major: 03 2524 minor: 03 2526 length: 000A 2527 fragment: 4F2A0807A0374E28C632 2529 00000: 15 03 03 00 0A 4F 2A 08 07 A0 37 4E 28 C6 32 2531 ---------------------------Server--------------------------- 2533 close_notify alert: 2534 Alert: 2535 level: 01 2536 description: 00 2538 00000: 01 00 2540 Record layer message: 2541 type: 15 2542 version: 2543 major: 03 2544 minor: 03 2545 length: 000A 2546 fragment: 999468B49AC5B0DE512C 2548 00000: 15 03 03 00 0A 99 94 68 B4 9A C5 B0 DE 51 2C 2550 A.1.3.2. TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC ciphersuite 2552 Server certificate curve OID: 2553 id-tc26-gost-3410-2012-512-paramSetC, "1.2.643.7.1.2.1.2.3" 2555 Server public key Q_s: 2556 x = 0xF14589DA479AD972C66563669B3FF580 2557 92E6A30A288BF447CD9FF6C3133E9724 2558 7A9706B267703C9B4E239F0D7C7E3310 2559 C22D2752B35BD2E4FD39B8F11DEB833A 2561 y = 0xF305E95B36502D4E60A1059FB20AB30B 2562 FC7C95727F3A2C04B1DFDDB53B0413F2 2563 99F2DFE66A5E1CCB4101A7A01D612BE6 2564 BD78E1E3B3D567EBB16ABE587A11F4EA 2566 Server private key d_s: 2568 0x12FD7A70067479A0F66C59F9A25534AD 2569 FBC7ABFD3CC72D79806F8B402601644B 2570 3005ED365A2D8989A8CCAE640D5FC08D 2571 D27DFBBFE137CF528E1AC6D445192E01 2573 Client certificate curve OID: 2574 id-tc26-gost-3410-2012-256-paramSetA, "1.2.643.7.1.2.1.1.1" 2576 Client public key Q_c: 2577 x = 0x0F5DB18A9E15F324B778676025BFD7B5 2578 DF066566EABAA1C51CD879F87B0B4975 2580 y = 0x9EE5BBF18361F842D3F087DEC2943939 2581 E0FA2BFB4EDEC25A8D10ABB22C48F386 2583 Client private key d_c: 2584 0x0918AD3F7D209ABF89F1E8505DA894CE 2585 E10DA09D32E72E815D9C0ADA30B5A103 2587 ---------------------------Client--------------------------- 2589 ClientHello message: 2590 msg_type: 01 2591 length: 000040 2592 body: 2593 client_version: 2594 major: 03 2595 minor: 03 2596 random: 933EA21EC3802A561550EC78D6ED51AC 2597 2439D7E749C31BC3A3456165889684CA 2598 session_id: 2599 length: 00 2600 vector: -- 2601 cipher_suites: 2602 length: 0004 2603 vector: 2604 CipherSuite: C100 2605 CipherSuite: C101 2606 compression_methods: 2607 length: 01 2608 vector: 2609 CompressionMethod: 00 2610 extensions: 2611 length: 0013 2612 vector: 2613 Extension: /* signature_algorithms */ 2614 extension_type: 000D 2615 extension_data: 2616 length: 0006 2617 vector: 2618 supported_signature_algorithms: 2619 length: 0004 2620 vector: 2621 /* 1 pair of algorithms */ 2622 hash: 08 2623 signature: 2624 40 2625 /* 2 pair of algorithms */ 2626 hash: 08 2627 signature: 2628 41 2629 Extension: /* renegotiation_info */ 2630 extension_type: FF01 2631 extension_data: 2632 length: 0001 2633 vector: 2634 renegotiated_connection: 2635 length: 00 2636 vector: -- 2637 Extension: /* extended_master_secret */ 2638 extension_type: 0017 2639 extension_data: 2640 length: 0000 2641 vector: -- 2643 00000: 01 00 00 40 03 03 93 3E A2 1E C3 80 2A 56 15 50 2644 00010: EC 78 D6 ED 51 AC 24 39 D7 E7 49 C3 1B C3 A3 45 2645 00020: 61 65 88 96 84 CA 00 00 04 C1 00 C1 01 01 00 00 2646 00030: 13 00 0D 00 06 00 04 08 40 08 41 FF 01 00 01 00 2647 00040: 00 17 00 00 2649 Record layer message: 2650 type: 16 2651 version: 2652 major: 03 2653 minor: 03 2654 length: 0044 2655 fragment: 010000400303933EA21EC3802A561550 2656 EC78D6ED51AC2439D7E749C31BC3A345 2657 6165889684CA000004C100C101010000 2658 13000D0006000408400841FF01000100 2659 00170000 2661 00000: 16 03 03 00 44 01 00 00 40 03 03 93 3E A2 1E C3 2662 00010: 80 2A 56 15 50 EC 78 D6 ED 51 AC 24 39 D7 E7 49 2663 00020: C3 1B C3 A3 45 61 65 88 96 84 CA 00 00 04 C1 00 2664 00030: C1 01 01 00 00 13 00 0D 00 06 00 04 08 40 08 41 2665 00040: FF 01 00 01 00 00 17 00 00 2667 ---------------------------Server--------------------------- 2669 ServerHello message: 2670 msg_type: 02 2671 length: 000041 2672 body: 2673 server_version: 2674 major: 03 2675 minor: 03 2676 random: 933EA21E49C31BC3A3456165889684CA 2677 A5576CE7924A24F58113808DBD9EF856 2678 session_id: 2679 length: 10 2680 vector: C3802A561550EC78D6ED51AC2439D7E7 2681 cipher_suite: 2682 CipherSuite: C100 2683 compression_method: 2684 CompressionMethod: 00 2685 extensions: 2686 length: 0009 2687 vector: 2688 Extension: /* renegotiation_info */ 2689 extension_type: FF01 2690 extension_data: 2691 length: 0001 2692 vector: 2693 renegotiated_connection: 2694 length: 00 2695 vector: -- 2696 Extension: /* extended_master_secret */ 2697 extension_type: 0017 2698 extension_data: 2699 length: 0000 2700 vector: -- 2702 00000: 02 00 00 41 03 03 93 3E A2 1E 49 C3 1B C3 A3 45 2703 00010: 61 65 88 96 84 CA A5 57 6C E7 92 4A 24 F5 81 13 2704 00020: 80 8D BD 9E F8 56 10 C3 80 2A 56 15 50 EC 78 D6 2705 00030: ED 51 AC 24 39 D7 E7 C1 00 00 00 09 FF 01 00 01 2706 00040: 00 00 17 00 00 2708 Record layer message: 2709 type: 16 2710 version: 2711 major: 03 2712 minor: 03 2713 length: 0045 2714 fragment: 020000410303933EA21E49C31BC3A345 2715 6165889684CAA5576CE7924A24F58113 2716 808DBD9EF85610C3802A561550EC78D6 2717 ED51AC2439D7E7C100000009FF010001 2718 0000170000 2720 00000: 16 03 03 00 45 02 00 00 41 03 03 93 3E A2 1E 49 2721 00010: C3 1B C3 A3 45 61 65 88 96 84 CA A5 57 6C E7 92 2722 00020: 4A 24 F5 81 13 80 8D BD 9E F8 56 10 C3 80 2A 56 2723 00030: 15 50 EC 78 D6 ED 51 AC 24 39 D7 E7 C1 00 00 00 2724 00040: 09 FF 01 00 01 00 00 17 00 00 2726 ---------------------------Server--------------------------- 2728 Certificate message: 2729 msg_type: 0B 2730 length: 00024C 2731 body: 2732 certificate_list: 2733 length: 000249 2734 vector: 2735 ASN.1Cert: 2736 length: 000246 2737 vector: 30820242308201AEA003020102020101 2738 300A06082A850307010103033042312C 2739 302A06092A864886F70D010901161D74 2740 . . . 2741 371AF83C5BC58B366DFEFA7345D50317 2742 867C177AC84AC07EE8612164629AB7BD 2743 C48AA0F64A741FE7298E82C5BFCE8672 2744 029F875391F7 2746 00000: 0B 00 02 4C 00 02 49 00 02 46 30 82 02 42 30 82 2747 00010: 01 AE A0 03 02 01 02 02 01 01 30 0A 06 08 2A 85 2748 00020: 03 07 01 01 03 03 30 42 31 2C 30 2A 06 09 2A 86 2749 00030: 48 86 F7 0D 01 09 01 16 1D 74 6C 73 31 32 5F 73 2750 00040: 65 72 76 65 72 35 31 32 43 40 63 72 79 70 74 6F 2751 00050: 70 72 6F 2E 72 75 31 12 30 10 06 03 55 04 03 13 2752 00060: 09 53 65 72 76 65 72 35 31 32 30 1E 17 0D 31 37 2753 00070: 30 35 32 35 30 39 32 35 31 38 5A 17 0D 33 30 30 2754 00080: 35 30 31 30 39 32 35 31 38 5A 30 42 31 2C 30 2A 2755 00090: 06 09 2A 86 48 86 F7 0D 01 09 01 16 1D 74 6C 73 2756 000A0: 31 32 5F 73 65 72 76 65 72 35 31 32 43 40 63 72 2757 000B0: 79 70 74 6F 70 72 6F 2E 72 75 31 12 30 10 06 03 2758 000C0: 55 04 03 13 09 53 65 72 76 65 72 35 31 32 30 81 2759 000D0: AA 30 21 06 08 2A 85 03 07 01 01 01 02 30 15 06 2760 000E0: 09 2A 85 03 07 01 02 01 02 03 06 08 2A 85 03 07 2761 000F0: 01 01 02 03 03 81 84 00 04 81 80 3A 83 EB 1D F1 2762 00100: B8 39 FD E4 D2 5B B3 52 27 2D C2 10 33 7E 7C 0D 2763 00110: 9F 23 4E 9B 3C 70 67 B2 06 97 7A 24 97 3E 13 C3 2764 00120: F6 9F CD 47 F4 8B 28 0A A3 E6 92 80 F5 3F 9B 66 2765 00130: 63 65 C6 72 D9 9A 47 DA 89 45 F1 EA F4 11 7A 58 2766 00140: BE 6A B1 EB 67 D5 B3 E3 E1 78 BD E6 2B 61 1D A0 2767 00150: A7 01 41 CB 1C 5E 6A E6 DF F2 99 F2 13 04 3B B5 2768 00160: DD DF B1 04 2C 3A 7F 72 95 7C FC 0B B3 0A B2 9F 2769 00170: 05 A1 60 4E 2D 50 36 5B E9 05 F3 A3 43 30 41 30 2770 00180: 1D 06 03 55 1D 0E 04 16 04 14 87 9C C6 5A 0F 4A 2771 00190: 89 CB 4A 58 49 DF 05 61 56 9B AA DC 11 69 30 0B 2772 001A0: 06 03 55 1D 0F 04 04 03 02 03 28 30 13 06 03 55 2773 001B0: 1D 25 04 0C 30 0A 06 08 2B 06 01 05 05 07 03 01 2774 001C0: 30 0A 06 08 2A 85 03 07 01 01 03 03 03 81 81 00 2775 001D0: 35 BE 38 51 EC B6 E9 2D 32 40 01 81 0F 8C 89 03 2776 001E0: 52 42 F4 05 46 9F 4C 4E CB 05 02 7C 57 E2 71 52 2777 001F0: 12 AF D7 CD BB 0C ED 7A 8B 4D 33 42 CC 50 1A BD 2778 00200: 99 99 75 A5 8A DE 0E 58 4F CA 35 F5 2E 45 58 B7 2779 00210: 31 1D 49 D0 A0 51 32 79 F7 39 37 1A F8 3C 5B C5 2780 00220: 8B 36 6D FE FA 73 45 D5 03 17 86 7C 17 7A C8 4A 2781 00230: C0 7E E8 61 21 64 62 9A B7 BD C4 8A A0 F6 4A 74 2782 00240: 1F E7 29 8E 82 C5 BF CE 86 72 02 9F 87 53 91 F7 2784 Record layer message: 2785 type: 16 2786 version: 2787 major: 03 2788 minor: 03 2789 length: 0250 2790 fragment: 0B00024C000249000246308202423082 2791 01AEA003020102020101300A06082A85 2792 0307010103033042312C302A06092A86 2793 . . . 2794 8B366DFEFA7345D50317867C177AC84A 2795 C07EE8612164629AB7BDC48AA0F64A74 2796 1FE7298E82C5BFCE8672029F875391F7 2798 00000: 16 03 03 02 50 0B 00 02 4C 00 02 49 00 02 46 30 2799 00010: 82 02 42 30 82 01 AE A0 03 02 01 02 02 01 01 30 2800 00020: 0A 06 08 2A 85 03 07 01 01 03 03 30 42 31 2C 30 2801 00030: 2A 06 09 2A 86 48 86 F7 0D 01 09 01 16 1D 74 6C 2802 00040: 73 31 32 5F 73 65 72 76 65 72 35 31 32 43 40 63 2803 00050: 72 79 70 74 6F 70 72 6F 2E 72 75 31 12 30 10 06 2804 00060: 03 55 04 03 13 09 53 65 72 76 65 72 35 31 32 30 2805 00070: 1E 17 0D 31 37 30 35 32 35 30 39 32 35 31 38 5A 2806 00080: 17 0D 33 30 30 35 30 31 30 39 32 35 31 38 5A 30 2807 00090: 42 31 2C 30 2A 06 09 2A 86 48 86 F7 0D 01 09 01 2808 000A0: 16 1D 74 6C 73 31 32 5F 73 65 72 76 65 72 35 31 2809 000B0: 32 43 40 63 72 79 70 74 6F 70 72 6F 2E 72 75 31 2810 000C0: 12 30 10 06 03 55 04 03 13 09 53 65 72 76 65 72 2811 000D0: 35 31 32 30 81 AA 30 21 06 08 2A 85 03 07 01 01 2812 000E0: 01 02 30 15 06 09 2A 85 03 07 01 02 01 02 03 06 2813 000F0: 08 2A 85 03 07 01 01 02 03 03 81 84 00 04 81 80 2814 00100: 3A 83 EB 1D F1 B8 39 FD E4 D2 5B B3 52 27 2D C2 2815 00110: 10 33 7E 7C 0D 9F 23 4E 9B 3C 70 67 B2 06 97 7A 2816 00120: 24 97 3E 13 C3 F6 9F CD 47 F4 8B 28 0A A3 E6 92 2817 00130: 80 F5 3F 9B 66 63 65 C6 72 D9 9A 47 DA 89 45 F1 2818 00140: EA F4 11 7A 58 BE 6A B1 EB 67 D5 B3 E3 E1 78 BD 2819 00150: E6 2B 61 1D A0 A7 01 41 CB 1C 5E 6A E6 DF F2 99 2820 00160: F2 13 04 3B B5 DD DF B1 04 2C 3A 7F 72 95 7C FC 2821 00170: 0B B3 0A B2 9F 05 A1 60 4E 2D 50 36 5B E9 05 F3 2822 00180: A3 43 30 41 30 1D 06 03 55 1D 0E 04 16 04 14 87 2823 00190: 9C C6 5A 0F 4A 89 CB 4A 58 49 DF 05 61 56 9B AA 2824 001A0: DC 11 69 30 0B 06 03 55 1D 0F 04 04 03 02 03 28 2825 001B0: 30 13 06 03 55 1D 25 04 0C 30 0A 06 08 2B 06 01 2826 001C0: 05 05 07 03 01 30 0A 06 08 2A 85 03 07 01 01 03 2827 001D0: 03 03 81 81 00 35 BE 38 51 EC B6 E9 2D 32 40 01 2828 001E0: 81 0F 8C 89 03 52 42 F4 05 46 9F 4C 4E CB 05 02 2829 001F0: 7C 57 E2 71 52 12 AF D7 CD BB 0C ED 7A 8B 4D 33 2830 00200: 42 CC 50 1A BD 99 99 75 A5 8A DE 0E 58 4F CA 35 2831 00210: F5 2E 45 58 B7 31 1D 49 D0 A0 51 32 79 F7 39 37 2832 00220: 1A F8 3C 5B C5 8B 36 6D FE FA 73 45 D5 03 17 86 2833 00230: 7C 17 7A C8 4A C0 7E E8 61 21 64 62 9A B7 BD C4 2834 00240: 8A A0 F6 4A 74 1F E7 29 8E 82 C5 BF CE 86 72 02 2835 00250: 9F 87 53 91 F7 2837 ---------------------------Server--------------------------- 2839 CertificateRequest message: 2840 msg_type: 0D 2841 length: 00000B 2842 body: 2843 certificate_types: 2844 length: 02 2845 vector: 2846 /* gost_sign256 */ 2847 43 2848 /* gost_sign512 */ 2849 44 2850 supported_signature_algorithms: 2851 length: 0004 2852 vector: 2853 /* 1 pair of algorithms */ 2854 hash: 08 2855 signature: 40 2856 /* 2 pair of algorithms */ 2857 hash: 08 2858 signature: 41 2859 certificate_authorities: 2860 length: 0000 2861 vector: -- 2863 00000: 0D 00 00 0B 02 43 44 00 04 08 40 08 41 00 00 2865 Record layer message: 2866 type: 16 2867 version: 2868 major: 03 2869 minor: 03 2870 length: 000F 2871 fragment: 0D00000B0243440004084008410000 2873 00000: 16 03 03 00 0F 0D 00 00 0B 02 43 44 00 04 08 40 2874 00010: 08 41 00 00 2876 ---------------------------Server--------------------------- 2878 ServerHelloDone message: 2879 msg_type: 0E 2880 length: 000000 2881 body: -- 2883 00000: 0E 00 00 00 2885 Record layer message: 2886 type: 16 2887 version: 2888 major: 03 2889 minor: 03 2890 length: 0004 2891 fragment: 0E000000 2893 00000: 16 03 03 00 04 0E 00 00 00 2895 ---------------------------Client--------------------------- 2897 Certificate message: 2899 msg_type: 0B 2900 length: 0001EA 2901 body: 2902 certificate_list: 2903 length: 0001E7 2904 vector: 2905 ASN.1Cert: 2906 length: 0001E4 2907 vector: 308201E03082018DA003020102020101 2908 300A06082A850307010103023053312E 2909 302C06092A864886F70D010901161F74 2910 . . . 2911 C1CAB43AC01AFB0F3451BDC2DB188BBC 2912 B77884251CDF6037BA830F4B31D5E96F 2913 DC9BC1C95ABE658266C48402E070DE1F 2914 292724E8 2916 00000: 0B 00 01 EA 00 01 E7 00 01 E4 30 82 01 E0 30 82 2917 00010: 01 8D A0 03 02 01 02 02 01 01 30 0A 06 08 2A 85 2918 00020: 03 07 01 01 03 02 30 53 31 2E 30 2C 06 09 2A 86 2919 00030: 48 86 F7 0D 01 09 01 16 1F 74 6C 73 31 32 5F 63 2920 00040: 6C 69 65 6E 74 32 35 36 41 5F 45 40 63 72 79 70 2921 00050: 74 6F 70 72 6F 2E 72 75 31 21 30 1F 06 03 55 04 2922 00060: 03 1E 18 00 43 00 6C 00 69 00 65 00 6E 00 74 00 2923 00070: 32 00 35 00 36 00 41 00 5F 00 45 30 1E 17 0D 31 2924 00080: 37 30 35 32 35 30 39 33 31 31 38 5A 17 0D 33 30 2925 00090: 30 35 30 31 30 39 33 31 31 38 5A 30 53 31 2E 30 2926 000A0: 2C 06 09 2A 86 48 86 F7 0D 01 09 01 16 1F 74 6C 2927 000B0: 73 31 32 5F 63 6C 69 65 6E 74 32 35 36 41 5F 45 2928 000C0: 40 63 72 79 70 74 6F 70 72 6F 2E 72 75 31 21 30 2929 000D0: 1F 06 03 55 04 03 1E 18 00 43 00 6C 00 69 00 65 2930 000E0: 00 6E 00 74 00 32 00 35 00 36 00 41 00 5F 00 45 2931 000F0: 30 68 30 21 06 08 2A 85 03 07 01 01 01 01 30 15 2932 00100: 06 09 2A 85 03 07 01 02 01 01 01 06 08 2A 85 03 2933 00110: 07 01 01 02 02 03 43 00 04 40 75 49 0B 7B F8 79 2934 00120: D8 1C C5 A1 BA EA 66 65 06 DF B5 D7 BF 25 60 67 2935 00130: 78 B7 24 F3 15 9E 8A B1 5D 0F 86 F3 48 2C B2 AB 2936 00140: 10 8D 5A C2 DE 4E FB 2B FA E0 39 39 94 C2 DE 87 2937 00150: F0 D3 42 F8 61 83 F1 BB E5 9E A3 43 30 41 30 1D 2938 00160: 06 03 55 1D 0E 04 16 04 14 74 49 1E 77 30 D3 42 2939 00170: A6 28 0E 72 A1 13 9D D9 90 8B FA F1 03 30 0B 06 2940 00180: 03 55 1D 0F 04 04 03 02 07 80 30 13 06 03 55 1D 2941 00190: 25 04 0C 30 0A 06 08 2B 06 01 05 05 07 03 02 30 2942 001A0: 0A 06 08 2A 85 03 07 01 01 03 02 03 41 00 1C 2D 2943 001B0: 35 22 B4 11 02 D6 20 1F 23 50 C1 CA B4 3A C0 1A 2944 001C0: FB 0F 34 51 BD C2 DB 18 8B BC B7 78 84 25 1C DF 2945 001D0: 60 37 BA 83 0F 4B 31 D5 E9 6F DC 9B C1 C9 5A BE 2946 001E0: 65 82 66 C4 84 02 E0 70 DE 1F 29 27 24 E8 2947 Record layer message: 2948 type: 16 2949 version: 2950 major: 03 2951 minor: 03 2952 length: 01EE 2953 fragment: 0B0001EA0001E70001E4308201E03082 2954 018DA003020102020101300A06082A85 2955 0307010103023053312E302C06092A86 2956 . . . 2957 3522B41102D6201F2350C1CAB43AC01A 2958 FB0F3451BDC2DB188BBCB77884251CDF 2959 6037BA830F4B31D5E96FDC9BC1C95ABE 2960 658266C48402E070DE1F292724E8 2962 00000: 16 03 03 01 EE 0B 00 01 EA 00 01 E7 00 01 E4 30 2963 00010: 82 01 E0 30 82 01 8D A0 03 02 01 02 02 01 01 30 2964 00020: 0A 06 08 2A 85 03 07 01 01 03 02 30 53 31 2E 30 2965 00030: 2C 06 09 2A 86 48 86 F7 0D 01 09 01 16 1F 74 6C 2966 00040: 73 31 32 5F 63 6C 69 65 6E 74 32 35 36 41 5F 45 2967 00050: 40 63 72 79 70 74 6F 70 72 6F 2E 72 75 31 21 30 2968 00060: 1F 06 03 55 04 03 1E 18 00 43 00 6C 00 69 00 65 2969 00070: 00 6E 00 74 00 32 00 35 00 36 00 41 00 5F 00 45 2970 00080: 30 1E 17 0D 31 37 30 35 32 35 30 39 33 31 31 38 2971 00090: 5A 17 0D 33 30 30 35 30 31 30 39 33 31 31 38 5A 2972 000A0: 30 53 31 2E 30 2C 06 09 2A 86 48 86 F7 0D 01 09 2973 000B0: 01 16 1F 74 6C 73 31 32 5F 63 6C 69 65 6E 74 32 2974 000C0: 35 36 41 5F 45 40 63 72 79 70 74 6F 70 72 6F 2E 2975 000D0: 72 75 31 21 30 1F 06 03 55 04 03 1E 18 00 43 00 2976 000E0: 6C 00 69 00 65 00 6E 00 74 00 32 00 35 00 36 00 2977 000F0: 41 00 5F 00 45 30 68 30 21 06 08 2A 85 03 07 01 2978 00100: 01 01 01 30 15 06 09 2A 85 03 07 01 02 01 01 01 2979 00110: 06 08 2A 85 03 07 01 01 02 02 03 43 00 04 40 75 2980 00120: 49 0B 7B F8 79 D8 1C C5 A1 BA EA 66 65 06 DF B5 2981 00130: D7 BF 25 60 67 78 B7 24 F3 15 9E 8A B1 5D 0F 86 2982 00140: F3 48 2C B2 AB 10 8D 5A C2 DE 4E FB 2B FA E0 39 2983 00150: 39 94 C2 DE 87 F0 D3 42 F8 61 83 F1 BB E5 9E A3 2984 00160: 43 30 41 30 1D 06 03 55 1D 0E 04 16 04 14 74 49 2985 00170: 1E 77 30 D3 42 A6 28 0E 72 A1 13 9D D9 90 8B FA 2986 00180: F1 03 30 0B 06 03 55 1D 0F 04 04 03 02 07 80 30 2987 00190: 13 06 03 55 1D 25 04 0C 30 0A 06 08 2B 06 01 05 2988 001A0: 05 07 03 02 30 0A 06 08 2A 85 03 07 01 01 03 02 2989 001B0: 03 41 00 1C 2D 35 22 B4 11 02 D6 20 1F 23 50 C1 2990 001C0: CA B4 3A C0 1A FB 0F 34 51 BD C2 DB 18 8B BC B7 2991 001D0: 78 84 25 1C DF 60 37 BA 83 0F 4B 31 D5 E9 6F DC 2992 001E0: 9B C1 C9 5A BE 65 82 66 C4 84 02 E0 70 DE 1F 29 2993 001F0: 27 24 E8 2994 ---------------------------Client--------------------------- 2996 PMS value: 2997 00000: A5 57 6C E7 92 4A 24 F5 81 13 80 8D BD 9E F8 56 2998 00010: F5 BD C3 B1 83 CE 5D AD CA 36 A5 3A A0 77 65 1D 3000 Random d_eph value: 3001 0x150ACD11B66DD695AD18418FA7A2DC63 3002 6B7E29DCA24536AABC826EE3175BB1FA 3003 DC3AA0D01D3092E120B0FCF7EB872F4B 3004 7E26EA17849D689222A48CF95A6E4831 3006 Q_eph ephemeral key: 3007 x = 0xC941BE5193189B476D5A0334114A3E04 3008 BBE5B37C738AE40F150B334135288664 3009 FEBFC5622818894A07B1F7AD60E28480 3010 B4B637B90EA7D4BA980186B605D75BC6 3012 y = 0xA154F7B93E8148652011F4FD52C9A06A 3013 6471ADB28D0A949AE26BC786DE874153 3014 ABC00B35164F3214A8A83C00ECE27831 3015 B093528456234EFE766224FC2A7E9ABE 3017 HASH (r_c | r_s): 3018 00000: C3 EF 04 28 D4 B7 A1 F4 C5 02 5F 2E 65 DD 2B 2E 3019 00010: A5 83 AE EF DB 67 C7 F4 21 4A 6A 29 8E 99 E3 25 3021 Export key generation. r value: 3022 0xC3EF0428D4B7A1F4C5025F2E65DD2B2E 3024 Export key generation. UKM value: 3025 0xC3EF0428D4B7A1F4C5025F2E65DD2B2E 3027 Export keys K_Exp_MAC | K_Exp_ENC used in KExp15 algorithm: 3028 00000: 7D AC 56 E4 8A 4D C1 70 FA A8 FC BA E2 0D B8 45 3029 00010: 45 0C CC C4 C6 32 8B DC 8D 01 15 7C EF A2 A5 F1 3030 00020: 1F 1C BA D8 86 61 66 F0 1F FA AB 01 52 E2 4B F4 3031 00030: 60 9D 5F 46 A5 C8 99 C7 87 90 0D 08 B9 FC AD 24 3033 IV: 3034 00000: 21 4A 6A 29 8E 99 E3 25 3036 PMSEXP: 3037 00000: 25 0D 1B 67 A2 70 AB 04 D3 F6 54 18 E1 D3 80 B4 3038 00010: CB 94 5F 0A 3D CA 51 50 0C F3 A1 BE F3 7F 76 C0 3039 00020: 73 41 A9 83 9C CF 6C BA 71 89 DA 61 EB 67 17 6C 3040 ---------------------------Client--------------------------- 3042 ClientKeyExchange message: 3043 msg_type: 10 3044 length: 0000E2 3045 body: 3046 exchange_keys: 3081DF0430250D1B67A270AB04D3F654 3047 18E1D380B4CB945F0A3DCA51500CF3A1 3048 BEF37F76C07341A9839CCF6CBA7189DA 3049 . . . 3050 93B03178E2EC003CA8A814324F16350B 3051 C0AB534187DE86C76BE29A940A8DB2AD 3052 71646AA0C952FDF411206548813EB9F7 3053 54A1 3055 00000: 10 00 00 E2 30 81 DF 04 30 25 0D 1B 67 A2 70 AB 3056 00010: 04 D3 F6 54 18 E1 D3 80 B4 CB 94 5F 0A 3D CA 51 3057 00020: 50 0C F3 A1 BE F3 7F 76 C0 73 41 A9 83 9C CF 6C 3058 00030: BA 71 89 DA 61 EB 67 17 6C 30 81 AA 30 21 06 08 3059 00040: 2A 85 03 07 01 01 01 02 30 15 06 09 2A 85 03 07 3060 00050: 01 02 01 02 03 06 08 2A 85 03 07 01 01 02 03 03 3061 00060: 81 84 00 04 81 80 C6 5B D7 05 B6 86 01 98 BA D4 3062 00070: A7 0E B9 37 B6 B4 80 84 E2 60 AD F7 B1 07 4A 89 3063 00080: 18 28 62 C5 BF FE 64 86 28 35 41 33 0B 15 0F E4 3064 00090: 8A 73 7C B3 E5 BB 04 3E 4A 11 34 03 5A 6D 47 9B 3065 000A0: 18 93 51 BE 41 C9 BE 9A 7E 2A FC 24 62 76 FE 4E 3066 000B0: 23 56 84 52 93 B0 31 78 E2 EC 00 3C A8 A8 14 32 3067 000C0: 4F 16 35 0B C0 AB 53 41 87 DE 86 C7 6B E2 9A 94 3068 000D0: 0A 8D B2 AD 71 64 6A A0 C9 52 FD F4 11 20 65 48 3069 000E0: 81 3E B9 F7 54 A1 3071 Record layer message: 3072 type: 16 3073 version: 3074 major: 03 3075 minor: 03 3076 length: 00E6 3077 fragment: 100000E23081DF0430250D1B67A270AB 3078 04D3F65418E1D380B4CB945F0A3DCA51 3079 500CF3A1BEF37F76C07341A9839CCF6C 3080 . . . 3081 2356845293B03178E2EC003CA8A81432 3082 4F16350BC0AB534187DE86C76BE29A94 3083 0A8DB2AD71646AA0C952FDF411206548 3084 813EB9F754A1 3086 00000: 16 03 03 00 E6 10 00 00 E2 30 81 DF 04 30 25 0D 3087 00010: 1B 67 A2 70 AB 04 D3 F6 54 18 E1 D3 80 B4 CB 94 3088 00020: 5F 0A 3D CA 51 50 0C F3 A1 BE F3 7F 76 C0 73 41 3089 00030: A9 83 9C CF 6C BA 71 89 DA 61 EB 67 17 6C 30 81 3090 00040: AA 30 21 06 08 2A 85 03 07 01 01 01 02 30 15 06 3091 00050: 09 2A 85 03 07 01 02 01 02 03 06 08 2A 85 03 07 3092 00060: 01 01 02 03 03 81 84 00 04 81 80 C6 5B D7 05 B6 3093 00070: 86 01 98 BA D4 A7 0E B9 37 B6 B4 80 84 E2 60 AD 3094 00080: F7 B1 07 4A 89 18 28 62 C5 BF FE 64 86 28 35 41 3095 00090: 33 0B 15 0F E4 8A 73 7C B3 E5 BB 04 3E 4A 11 34 3096 000A0: 03 5A 6D 47 9B 18 93 51 BE 41 C9 BE 9A 7E 2A FC 3097 000B0: 24 62 76 FE 4E 23 56 84 52 93 B0 31 78 E2 EC 00 3098 000C0: 3C A8 A8 14 32 4F 16 35 0B C0 AB 53 41 87 DE 86 3099 000D0: C7 6B E2 9A 94 0A 8D B2 AD 71 64 6A A0 C9 52 FD 3100 000E0: F4 11 20 65 48 81 3E B9 F7 54 A1 3102 ---------------------------Server--------------------------- 3104 PMSEXP extracted: 3105 00000: 25 0D 1B 67 A2 70 AB 04 D3 F6 54 18 E1 D3 80 B4 3106 00010: CB 94 5F 0A 3D CA 51 50 0C F3 A1 BE F3 7F 76 C0 3107 00020: 73 41 A9 83 9C CF 6C BA 71 89 DA 61 EB 67 17 6C 3109 HASH(r_c | r_s): 3110 00000: C3 EF 04 28 D4 B7 A1 F4 C5 02 5F 2E 65 DD 2B 2E 3111 00010: A5 83 AE EF DB 67 C7 F4 21 4A 6A 29 8E 99 E3 25 3113 Export key generation. r value: 3114 0xC3EF0428D4B7A1F4C5025F2E65DD2B2E 3116 Export key generation. UKM value: 3117 0xC3EF0428D4B7A1F4C5025F2E65DD2B2E 3119 Export keys K_Exp_MAC | K_Exp_ENC used in KImp15 algorithm: 3120 00000: 7D AC 56 E4 8A 4D C1 70 FA A8 FC BA E2 0D B8 45 3121 00010: 45 0C CC C4 C6 32 8B DC 8D 01 15 7C EF A2 A5 F1 3122 00020: 1F 1C BA D8 86 61 66 F0 1F FA AB 01 52 E2 4B F4 3123 00030: 60 9D 5F 46 A5 C8 99 C7 87 90 0D 08 B9 FC AD 24 3125 IV: 3126 00000: 21 4A 6A 29 8E 99 E3 25 3128 PMS: 3129 00000: A5 57 6C E7 92 4A 24 F5 81 13 80 8D BD 9E F8 56 3130 00010: F5 BD C3 B1 83 CE 5D AD CA 36 A5 3A A0 77 65 1D 3132 ---------------------------Client--------------------------- 3133 Random value k used in signature generation: 3134 0x163962EEA268203E7C6B3F70BF8D4A36 3135 34CE6E2CFC424687951D70ACE0B4292A 3137 Signature value sgn_c = SIGN_d_c(HM): 3138 00000: F7 1F 43 62 45 5B C5 5B A8 9A 8F AF 01 82 88 EC 3139 00010: 00 B3 27 17 48 2E 76 24 B2 57 D9 79 7C 8F F6 02 3140 00020: E3 15 FD BD 8D E5 6D 08 54 18 04 0E 1B 61 BB F6 3141 00030: B3 01 AC 26 3D 50 03 8B 30 31 13 DB 36 17 50 3A 3143 ---------------------------Client--------------------------- 3145 CertificateVerify message: 3146 msg_type: 0F 3147 length: 000044 3148 body: 3149 algorithm: 3150 hash: 08 3151 signature: 40 3152 signature: 3153 length: 0040 3154 vector: F71F4362455BC55BA89A8FAF018288EC 3155 00B32717482E7624B257D9797C8FF602 3156 E315FDBD8DE56D085418040E1B61BBF6 3157 B301AC263D50038B303113DB3617503A 3159 00000: 0F 00 00 44 08 40 00 40 F7 1F 43 62 45 5B C5 5B 3160 00010: A8 9A 8F AF 01 82 88 EC 00 B3 27 17 48 2E 76 24 3161 00020: B2 57 D9 79 7C 8F F6 02 E3 15 FD BD 8D E5 6D 08 3162 00030: 54 18 04 0E 1B 61 BB F6 B3 01 AC 26 3D 50 03 8B 3163 00040: 30 31 13 DB 36 17 50 3A 3165 Record layer message: 3166 type: 16 3167 version: 3168 major: 03 3169 minor: 03 3170 length: 0048 3171 fragment: 0F00004408400040F71F4362455BC55B 3172 A89A8FAF018288EC00B32717482E7624 3173 B257D9797C8FF602E315FDBD8DE56D08 3174 5418040E1B61BBF6B301AC263D50038B 3175 303113DB3617503A 3177 00000: 16 03 03 00 48 0F 00 00 44 08 40 00 40 F7 1F 43 3178 00010: 62 45 5B C5 5B A8 9A 8F AF 01 82 88 EC 00 B3 27 3179 00020: 17 48 2E 76 24 B2 57 D9 79 7C 8F F6 02 E3 15 FD 3180 00030: BD 8D E5 6D 08 54 18 04 0E 1B 61 BB F6 B3 01 AC 3181 00040: 26 3D 50 03 8B 30 31 13 DB 36 17 50 3A 3183 ---------------------------Client--------------------------- 3185 HASH(HM): 3186 00000: 9D 64 0D D8 B2 54 6B 87 05 CC 3E 67 F3 BB 83 2F 3187 00010: 89 2A 5B D5 D4 5C A0 44 85 01 14 C2 E6 56 02 69 3189 MS: 3190 00000: E3 18 17 B0 EC 7F 3B C9 4A 8B C4 5F 89 12 DE C5 3191 00010: 71 2A 7A 34 78 56 31 C0 4B AE 81 43 EE 17 90 B4 3192 00020: C9 D3 68 0F 6C 9D E1 70 74 58 C8 75 62 4D B6 ED 3194 Client connection key material 3195 K_write_MAC|K_read_MAC|K_write_ENC|K_read_ENC|IV_write|IV_read: 3196 00000: 50 52 5D 33 4E F7 00 6C 1D ED B8 B8 08 EA 03 CC 3197 00010: CF 1F CB 3D 33 65 F9 72 E1 7C 7C 31 4E DD 97 90 3198 00020: 6C 74 35 22 0A A1 B0 C6 DE 6A 1B 0F AC 29 B6 17 3199 00030: 9E B3 23 86 62 25 E0 7F 30 4C A1 D1 27 75 86 29 3200 00040: 7B 97 20 5D 7A 08 C2 CD 7F 60 3C 09 46 75 E6 C4 3201 00050: CC 15 F2 84 0D 9A EC 63 F0 2A FF 51 DB D5 74 D2 3202 00060: 76 6C 77 2B 83 2F CE 58 CB 4D E5 49 88 77 A6 7A 3203 00070: A4 51 40 B2 ED 52 6E 61 65 0A 28 1B 32 56 35 BC 3204 00080: CB 8E F9 4C 5B DF 5B 9F 47 48 B9 5B F1 B0 E0 BF 3206 ---------------------------Server--------------------------- 3208 HASH(HM): 3209 00000: 9D 64 0D D8 B2 54 6B 87 05 CC 3E 67 F3 BB 83 2F 3210 00010: 89 2A 5B D5 D4 5C A0 44 85 01 14 C2 E6 56 02 69 3212 MS: 3213 00000: E3 18 17 B0 EC 7F 3B C9 4A 8B C4 5F 89 12 DE C5 3214 00010: 71 2A 7A 34 78 56 31 C0 4B AE 81 43 EE 17 90 B4 3215 00020: C9 D3 68 0F 6C 9D E1 70 74 58 C8 75 62 4D B6 ED 3217 Server connection key material 3218 K_read_MAC|K_write_MAC|K_read_ENC|K_write_ENC|IV_read|IV_write: 3219 00000: 50 52 5D 33 4E F7 00 6C 1D ED B8 B8 08 EA 03 CC 3220 00010: CF 1F CB 3D 33 65 F9 72 E1 7C 7C 31 4E DD 97 90 3221 00020: 6C 74 35 22 0A A1 B0 C6 DE 6A 1B 0F AC 29 B6 17 3222 00030: 9E B3 23 86 62 25 E0 7F 30 4C A1 D1 27 75 86 29 3223 00040: 7B 97 20 5D 7A 08 C2 CD 7F 60 3C 09 46 75 E6 C4 3224 00050: CC 15 F2 84 0D 9A EC 63 F0 2A FF 51 DB D5 74 D2 3225 00060: 76 6C 77 2B 83 2F CE 58 CB 4D E5 49 88 77 A6 7A 3226 00070: A4 51 40 B2 ED 52 6E 61 65 0A 28 1B 32 56 35 BC 3227 00080: CB 8E F9 4C 5B DF 5B 9F 47 48 B9 5B F1 B0 E0 BF 3229 ---------------------------Client--------------------------- 3231 ChangeCipherSpec message: 3232 type: 01 3234 00000: 01 3236 Record layer message: 3237 type: 14 3238 version: 3239 major: 03 3240 minor: 03 3241 length: 0001 3242 fragment: 01 3244 00000: 14 03 03 00 01 01 3246 ---------------------------Client--------------------------- 3248 HASH(HM): 3249 00000: C9 A4 80 DA 29 6C DD 12 3E 9A EB 26 88 8B 86 19 3250 00010: EA 67 78 B7 23 FA A8 B2 DC 70 6A CB A5 AB AF 11 3252 client_verify_data: 3253 00000: 98 7C 13 E6 FA 16 F3 D5 10 AE 83 00 23 58 72 27 3254 00010: 32 90 09 4C 8F C7 B5 F0 C7 D7 47 C4 27 35 F8 F1 3256 ---------------------------Client--------------------------- 3258 Finished message: 3259 msg_type: 14 3260 length: 000020 3261 body: 3262 verify_data: 987C13E6FA16F3D510AE830023587227 3263 3290094C8FC7B5F0C7D747C42735F8F1 3265 00000: 14 00 00 20 98 7C 13 E6 FA 16 F3 D5 10 AE 83 00 3266 00010: 23 58 72 27 32 90 09 4C 8F C7 B5 F0 C7 D7 47 C4 3267 00020: 27 35 F8 F1 3269 Record layer message: 3270 type: 16 3271 version: 3272 major: 03 3273 minor: 03 3274 length: 0034 3275 fragment: 4DC53D655EDFD1843AF69ADBDE989C0B 3276 1F0C0A1A0FD1B3F458029D8F9989FBF9 3277 6C5C42971063A9B70714F412E4F6280F 3278 7C21601B 3280 00000: 16 03 03 00 34 4D C5 3D 65 5E DF D1 84 3A F6 9A 3281 00010: DB DE 98 9C 0B 1F 0C 0A 1A 0F D1 B3 F4 58 02 9D 3282 00020: 8F 99 89 FB F9 6C 5C 42 97 10 63 A9 B7 07 14 F4 3283 00030: 12 E4 F6 28 0F 7C 21 60 1B 3285 ---------------------------Server--------------------------- 3287 ChangeCipherSpec message: 3288 type: 01 3290 00000: 01 3292 Record layer message: 3293 type: 14 3294 version: 3295 major: 03 3296 minor: 03 3297 length: 0001 3298 fragment: 01 3300 00000: 14 03 03 00 01 01 3302 ---------------------------Server--------------------------- 3304 HASH(HM): 3305 00000: 4A 41 4C AD 20 F8 46 D8 F5 D1 05 26 10 A5 9D ED 3306 00010: 6D 2B 1B B2 A8 9E 13 51 01 FC 9E 49 ED A8 0F B4 3308 server_verify_data: 3309 00000: 1E 93 7D A4 77 EE 1F 23 0A 41 D6 E9 D4 14 46 B7 3310 00010: F2 1C A1 B2 E2 32 4A 55 2D 52 B3 25 5E B4 3D DF 3312 ---------------------------Server--------------------------- 3314 Finished message: 3315 msg_type: 14 3316 length: 000020 3317 body: 3318 verify_data: 1E937DA477EE1F230A41D6E9D41446B7 3319 F21CA1B2E2324A552D52B3255EB43DDF 3321 00000: 14 00 00 20 1E 93 7D A4 77 EE 1F 23 0A 41 D6 E9 3322 00010: D4 14 46 B7 F2 1C A1 B2 E2 32 4A 55 2D 52 B3 25 3323 00020: 5E B4 3D DF 3325 Record layer message: 3326 type: 16 3327 version: 3328 major: 03 3329 minor: 03 3330 length: 0034 3331 fragment: F9887C3654B6CCC6AE7D7B18A46C663F 3332 3D1DAF30C9A853A9871077FDD5CA063B 3333 2C81BCC9D59FA6E3F5FAD9B2599BB586 3334 854A2D76 3336 00000: 16 03 03 00 34 F9 88 7C 36 54 B6 CC C6 AE 7D 7B 3337 00010: 18 A4 6C 66 3F 3D 1D AF 30 C9 A8 53 A9 87 10 77 3338 00020: FD D5 CA 06 3B 2C 81 BC C9 D5 9F A6 E3 F5 FA D9 3339 00030: B2 59 9B B5 86 85 4A 2D 76 3341 ---------------------------Client--------------------------- 3343 Application data: 3344 00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3345 00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3347 Record layer message: 3348 type: 17 3349 version: 3350 major: 03 3351 minor: 03 3352 length: 0030 3353 fragment: F14F06FB8557408846080690E7A5525D 3354 1C6E9C901D24025486AB79728BF63D06 3355 5C09C27233006D65CFF0B5BA87504969 3357 00000: 17 03 03 00 30 F1 4F 06 FB 85 57 40 88 46 08 06 3358 00010: 90 E7 A5 52 5D 1C 6E 9C 90 1D 24 02 54 86 AB 79 3359 00020: 72 8B F6 3D 06 5C 09 C2 72 33 00 6D 65 CF F0 B5 3360 00030: BA 87 50 49 69 3361 ---------------------------Server--------------------------- 3363 Application data: 3364 00000: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 3365 00010: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 3367 Record layer message: 3368 type: 17 3369 version: 3370 major: 03 3371 minor: 03 3372 length: 0030 3373 fragment: 1561E52A8B6DB258746FFE18F3CDCB11 3374 1D0173AF2E5C13741C99BFF13B47CD32 3375 B3CED856A9506E706A2340D5841AB114 3377 00000: 17 03 03 00 30 15 61 E5 2A 8B 6D B2 58 74 6F FE 3378 00010: 18 F3 CD CB 11 1D 01 73 AF 2E 5C 13 74 1C 99 BF 3379 00020: F1 3B 47 CD 32 B3 CE D8 56 A9 50 6E 70 6A 23 40 3380 00030: D5 84 1A B1 14 3382 ---------------------------Client--------------------------- 3384 close_notify alert: 3385 Alert: 3386 level: 01 3387 description: 00 3389 00000: 01 00 3391 Record layer message: 3392 type: 15 3393 version: 3394 major: 03 3395 minor: 03 3396 length: 0012 3397 fragment: E530C164642A078CEF528CB465E9DA7E 3398 AD4D 3400 00000: 15 03 03 00 12 E5 30 C1 64 64 2A 07 8C EF 52 8C 3401 00010: B4 65 E9 DA 7E AD 4D 3403 ---------------------------Server--------------------------- 3405 close_notify alert: 3406 Alert: 3408 level: 01 3409 description: 00 3411 00000: 01 00 3413 Record layer message: 3414 type: 15 3415 version: 3416 major: 03 3417 minor: 03 3418 length: 0012 3419 fragment: EB62E5AB78BF2A4B678920A11027EC43 3420 0C3F 3422 00000: 15 03 03 00 12 EB 62 E5 AB 78 BF 2A 4B 67 89 20 3423 00010: A1 10 27 EC 43 0C 3F 3425 A.2. Test Examples for CNT_IMIT cipher suites 3427 A.2.1. Record Examples 3429 It is assumed that during Handshake following keys were established: 3431 - MAC key: 3432 00000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 3433 00010: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 3434 - Encryption key: 3435 00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3436 00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3437 - IV: 3438 00000: 00 00 00 00 00 00 00 00 3440 --------------------------------------------------------- 3441 seqnum = 0 3443 Application data: 3444 00000: 00 00 00 00 00 00 00 3446 Plaintext: 3447 00000: 17 03 03 00 07 00 00 00 00 00 00 00 3449 MAC: 3450 00000: 30 01 34 a1 3452 Ciphertext: 3453 00000: 17 03 03 00 0b 86 71 cd bf 3c 1a ae 0f 62 4b 04 3454 --------------------------------------------------------- 3455 seqnum = 1 3457 Application data: 3459 00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3460 00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3461 .... 3462 007f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3464 Plaintext: 3465 00000: 17 03 03 08 00 00 00 00 00 00 00 00 00 00 00 00 3466 00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3467 .... 3468 007f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3469 00804: 00 00 00 00 00 3471 MAC: 3472 00000: f7 c3 8b 8a 3474 Ciphertext: 3475 00000: 17 03 03 08 04 cf aa 0c b4 2f a5 a4 7a 13 3d 73 3476 00010: b9 f2 c0 b0 4f 8c a2 55 52 f8 56 bc be 6a 58 fa 3477 .... 3478 007f0: 3e e2 c7 6f a2 30 a0 44 be 21 dc 8e 1a 96 f9 a8 3479 00804: 88 1f ad 83 45 96 96 84 47 3481 A.2.2. Handshake Examples 3483 The ClientHello.extensions and the ServerHello.extensions fields 3484 contain the renegotiation_info extension (see [RFC5746]) in the 3485 following examples. 3487 Server certificate curve OID: 3488 id-tc26-gost-3410-12-512-paramSetA, "1.2.643.7.1.2.1.2.1" 3490 Server public key Q_s: 3491 x = 0x16DB0566C0278AC8204143994824236D 3492 97F36A13D5433E990B2EAC859D2E9B7A 3493 E054794655389158B8242923E3841B14 3494 24FD89F221701C89D9A3BF6A9F946795 3496 y = 0xD01E80DEC5BD23C8BC6B85F12BBB1635 3497 A5AE7AD50DE24FB8FD02CB285A4AE65A 3498 7D6FBB99AAFFDA80629826F2F7F73282 3499 220444761615A06D082077C4A00FD4CF 3501 Server private key d_s: 3502 0x5F1E83AFA2C4CB2C5633C51380E84E37 3503 4B013EE7C238330709080CE914B442D4 3504 34EB016D23FB63FEDC18B62D9DA93D26 3505 B3B9CE6F663B383303BD5930ED41608B 3507 ---------------------------Client--------------------------- 3509 ClientHello message: 3510 msg_type: 01 3511 length: 00003a 3512 body: 3513 client_version: 3514 major: 03 3515 minor: 03 3516 random: 6A523D6880DCC2DC75CCC43CFD04B616 3517 F5C3757B8077B76A9B504949FD3BFDB8 3518 session_id: 3519 length: 00 3520 vector: -- 3521 cipher_suites: 3522 length: 0002 3523 vector: 3524 CipherSuite: C102 3525 compression_methods: 3526 length: 01 3527 vector: 3528 CompressionMethod: 00 3529 extensions: 3530 length: 000F 3531 Extension: /* signature_algorithms */ 3532 extension_type: 000D 3533 extension_data: 3534 length: 0006 3535 vector: 3536 supported_signature_algorithms: 3537 length: 0004 3538 vector: 3539 /* 1 pair of algorithms */ 3540 hash: 08 3541 signature: 3542 41 3543 /* 2 pair of algorithms */ 3544 hash: 08 3545 signature: 3547 40 3548 Extension: /* renegotiation_info */ 3549 extension_type: FF01 3550 extension_data: 3551 length: 0001 3552 vector: 3553 renegotiated_connection: 3554 length: 00 3555 vector: -- 3557 00000: 01 00 00 3A 03 03 6A 52 3D 68 80 DC C2 DC 75 CC 3558 00010: C4 3C FD 04 B6 16 F5 C3 75 7B 80 77 B7 6A 9B 50 3559 00020: 49 49 FD 3B FD B8 00 00 02 C1 02 01 00 00 0F 00 3560 00030: 0D 00 06 00 04 08 41 08 40 FF 01 00 01 00 3562 Record layer message: 3563 type: 16 3564 version: 3565 major: 03 3566 minor: 03 3567 length: 003e 3568 fragment: 0100003A03036A523D6880DCC2DC75CC 3569 C43CFD04B616F5C3757B8077B76A9B50 3570 4949FD3BFDB8000002C1020100000F00 3571 0D0006000408410840FF01000100 3573 00000: 16 03 03 00 3E 01 00 00 3A 03 03 6A 52 3D 68 80 3574 00010: DC C2 DC 75 CC C4 3C FD 04 B6 16 F5 C3 75 7B 80 3575 00020: 77 B7 6A 9B 50 49 49 FD 3B FD B8 00 00 02 C1 02 3576 00030: 01 00 00 0F 00 0D 00 06 00 04 08 41 08 40 FF 01 3577 00040: 00 01 00 3579 ---------------------------Server--------------------------- 3581 ServerHello message: 3582 msg_type: 02 3583 length: 00004D 3584 body: 3585 client_version: 3586 major: 03 3587 minor: 03 3588 random: FE92C9516D0E1A67A04C33CD7F2C90B1 3589 5E76DCC30815C19F92A6D100915AF2DB 3590 session_id: 3591 length: 20 3592 vector: 12AAA5E5779014711CCD6D265BDEE519 3593 1026431C83768EE5EB5A157F940BE9FB 3595 cipher_suite: 3596 CipherSuite: C102 3597 compression_method: 3598 CompressionMethod: 00 3599 extensions: 3600 length: 0005 3601 Extension: /* renegotiation_info */ 3602 extension_type: FF01 3603 extension_data: 3604 length: 0001 3605 vector: 3606 renegotiated_connection: 3607 length: 00 3608 vector: -- 3610 00000: 02 00 00 4D 03 03 FE 92 C9 51 6D 0E 1A 67 A0 4C 3611 00010: 33 CD 7F 2C 90 B1 5E 76 DC C3 08 15 C1 9F 92 A6 3612 00020: D1 00 91 5A F2 DB 20 12 AA A5 E5 77 90 14 71 1C 3613 00030: CD 6D 26 5B DE E5 19 10 26 43 1C 83 76 8E E5 EB 3614 00040: 5A 15 7F 94 0B E9 FB C1 02 00 00 05 FF 01 00 01 3615 00050: 00 3617 Record layer message: 3618 type: 16 3619 version: 3620 major: 03 3621 minor: 03 3622 length: 0051 3623 fragment: 0200004D0303FE92C9516D0E1A67A04C 3624 33CD7F2C90B15E76DCC30815C19F92A6 3625 D100915AF2DB2012AAA5E5779014711C 3626 CD6D265BDEE5191026431C83768EE5EB 3627 5A157F940BE9FBC102000005FF010001 3628 00 3630 00000: 16 03 03 00 51 02 00 00 4D 03 03 FE 92 C9 51 6D 3631 00010: 0E 1A 67 A0 4C 33 CD 7F 2C 90 B1 5E 76 DC C3 08 3632 00020: 15 C1 9F 92 A6 D1 00 91 5A F2 DB 20 12 AA A5 E5 3633 00030: 77 90 14 71 1C CD 6D 26 5B DE E5 19 10 26 43 1C 3634 00040: 83 76 8E E5 EB 5A 15 7F 94 0B E9 FB C1 02 00 00 3635 00050: 05 FF 01 00 01 00 3637 ---------------------------Server--------------------------- 3639 Certificate message: 3640 msg_type: 0B 3641 length: 000266 3642 body: 3643 certificate_list: 3644 length: 000263 3645 vector: 3646 ASN.1Cert: 3647 length: 000260 3648 vector: 3082025C308201C8A003020102021478 3649 94DC9D920977809191642F1DAEDC26BA 3650 3B5104300A06082A8503070101030330 3651 . . . 3652 6C12D51F99C98A4A9904F0EA5486FED7 3653 FF66AB8EB2425E1ACEAE8A758BDF843B 3654 E1A8F6FEBF673015FED7AB86533DBF20 3656 00000: 0B 00 02 66 00 02 63 00 02 60 30 82 02 5C 30 82 3657 00010: 01 C8 A0 03 02 01 02 02 14 78 94 DC 9D 92 09 77 3658 00020: 80 91 91 64 2F 1D AE DC 26 BA 3B 51 04 30 0A 06 3659 00030: 08 2A 85 03 07 01 01 03 03 30 19 31 17 30 15 06 3660 00040: 03 55 04 03 13 0E 43 41 20 43 65 72 74 69 66 69 3661 00050: 63 61 74 65 30 1E 17 0D 31 38 30 31 30 32 30 30 3662 00060: 30 30 31 31 5A 17 0D 32 32 30 31 30 32 30 30 30 3663 00070: 30 32 31 5A 30 21 31 1F 30 1D 06 03 55 04 03 13 3664 00080: 16 53 65 72 76 65 72 20 35 31 32 20 43 65 72 74 3665 00090: 69 66 69 63 61 74 65 30 81 AA 30 21 06 08 2A 85 3666 000a0: 03 07 01 01 01 02 30 15 06 09 2A 85 03 07 01 02 3667 000b0: 01 02 01 06 08 2A 85 03 07 01 01 02 03 03 81 84 3668 000c0: 00 04 81 80 95 67 94 9F 6A BF A3 D9 89 1C 70 21 3669 000d0: F2 89 FD 24 14 1B 84 E3 23 29 24 B8 58 91 38 55 3670 000e0: 46 79 54 E0 7A 9B 2E 9D 85 AC 2E 0B 99 3E 43 D5 3671 000f0: 13 6A F3 97 6D 23 24 48 99 43 41 20 C8 8A 27 C0 3672 00100: 66 05 DB 16 CF D4 0F A0 C4 77 20 08 6D A0 15 16 3673 00110: 76 44 04 22 82 32 F7 F7 F2 26 98 62 80 DA FF AA 3674 00120: 99 BB 6F 7D 5A E6 4A 5A 28 CB 02 FD B8 4F E2 0D 3675 00130: D5 7A AE A5 35 16 BB 2B F1 85 6B BC C8 23 BD C5 3676 00140: DE 80 1E D0 A3 81 93 30 81 90 30 0C 06 03 55 1D 3677 00150: 13 01 01 FF 04 02 30 00 30 1A 06 03 55 1D 11 04 3678 00160: 13 30 11 82 09 6C 6F 63 61 6C 68 6F 73 74 87 04 3679 00170: 7F 00 00 01 30 13 06 03 55 1D 25 04 0C 30 0A 06 3680 00180: 08 2B 06 01 05 05 07 03 01 30 0F 06 03 55 1D 0F 3681 00190: 01 01 FF 04 05 03 03 07 B0 00 30 1D 06 03 55 1D 3682 001a0: 0E 04 16 04 14 AE 46 41 1B FD B3 08 C3 39 03 47 3683 001b0: 57 57 2B 0F BF A3 6F 9A 99 30 1F 06 03 55 1D 23 3684 001c0: 04 18 30 16 80 14 7F 7B 7A 15 61 A6 F2 18 A2 E3 3685 001d0: 48 3B C6 39 D9 7F 42 DB 6D AF 30 0A 06 08 2A 85 3686 001e0: 03 07 01 01 03 03 03 81 81 00 9C 49 78 F7 1B AB 3687 001f0: 54 8A 25 6D 2A 18 7C A8 4D 72 4F E1 EF A7 E5 36 3688 00200: 67 2E 79 1F 8A 0C B6 74 1E B1 63 E2 96 37 8C 5B 3689 00210: 82 83 EE DA B4 1B A4 22 1E BC E2 05 F6 F8 79 CF 3690 00220: EB F0 AD E9 36 07 0F B2 40 E5 0D 04 37 03 7F 2A 3691 00230: EC 99 C7 CD 23 9F 6F 20 25 A8 6C 12 D5 1F 99 C9 3692 00240: 8A 4A 99 04 F0 EA 54 86 FE D7 FF 66 AB 8E B2 42 3693 00250: 5E 1A CE AE 8A 75 8B DF 84 3B E1 A8 F6 FE BF 67 3694 00260: 30 15 FE D7 AB 86 53 3D BF 20 3696 Record layer message: 3697 type: 16 3698 version: 3699 major: 03 3700 minor: 03 3701 length: 026A 3702 fragment: 0B0002660002630002603082025C3082 3703 01C8A00302010202147894DC9D920977 3704 809191642F1DAEDC26BA3B5104300A06 3705 . . . 3706 EC99C7CD239F6F2025A86C12D51F99C9 3707 8A4A9904F0EA5486FED7FF66AB8EB242 3708 5E1ACEAE8A758BDF843BE1A8F6FEBF67 3709 3015FED7AB86533DBF20 3711 00000: 16 03 03 02 6A 0B 00 02 66 00 02 63 00 02 60 30 3712 00010: 82 02 5C 30 82 01 C8 A0 03 02 01 02 02 14 78 94 3713 00020: DC 9D 92 09 77 80 91 91 64 2F 1D AE DC 26 BA 3B 3714 00030: 51 04 30 0A 06 08 2A 85 03 07 01 01 03 03 30 19 3715 00040: 31 17 30 15 06 03 55 04 03 13 0E 43 41 20 43 65 3716 00050: 72 74 69 66 69 63 61 74 65 30 1E 17 0D 31 38 30 3717 00060: 31 30 32 30 30 30 30 31 31 5A 17 0D 32 32 30 31 3718 00070: 30 32 30 30 30 30 32 31 5A 30 21 31 1F 30 1D 06 3719 00080: 03 55 04 03 13 16 53 65 72 76 65 72 20 35 31 32 3720 00090: 20 43 65 72 74 69 66 69 63 61 74 65 30 81 AA 30 3721 000a0: 21 06 08 2A 85 03 07 01 01 01 02 30 15 06 09 2A 3722 000b0: 85 03 07 01 02 01 02 01 06 08 2A 85 03 07 01 01 3723 000c0: 02 03 03 81 84 00 04 81 80 95 67 94 9F 6A BF A3 3724 000d0: D9 89 1C 70 21 F2 89 FD 24 14 1B 84 E3 23 29 24 3725 000e0: B8 58 91 38 55 46 79 54 E0 7A 9B 2E 9D 85 AC 2E 3726 000f0: 0B 99 3E 43 D5 13 6A F3 97 6D 23 24 48 99 43 41 3727 00100: 20 C8 8A 27 C0 66 05 DB 16 CF D4 0F A0 C4 77 20 3728 00110: 08 6D A0 15 16 76 44 04 22 82 32 F7 F7 F2 26 98 3729 00120: 62 80 DA FF AA 99 BB 6F 7D 5A E6 4A 5A 28 CB 02 3730 00130: FD B8 4F E2 0D D5 7A AE A5 35 16 BB 2B F1 85 6B 3731 00140: BC C8 23 BD C5 DE 80 1E D0 A3 81 93 30 81 90 30 3732 00150: 0C 06 03 55 1D 13 01 01 FF 04 02 30 00 30 1A 06 3733 00160: 03 55 1D 11 04 13 30 11 82 09 6C 6F 63 61 6C 68 3734 00170: 6F 73 74 87 04 7F 00 00 01 30 13 06 03 55 1D 25 3735 00180: 04 0C 30 0A 06 08 2B 06 01 05 05 07 03 01 30 0F 3736 00190: 06 03 55 1D 0F 01 01 FF 04 05 03 03 07 B0 00 30 3737 001a0: 1D 06 03 55 1D 0E 04 16 04 14 AE 46 41 1B FD B3 3738 001b0: 08 C3 39 03 47 57 57 2B 0F BF A3 6F 9A 99 30 1F 3739 001c0: 06 03 55 1D 23 04 18 30 16 80 14 7F 7B 7A 15 61 3740 001d0: A6 F2 18 A2 E3 48 3B C6 39 D9 7F 42 DB 6D AF 30 3741 001e0: 0A 06 08 2A 85 03 07 01 01 03 03 03 81 81 00 9C 3742 001f0: 49 78 F7 1B AB 54 8A 25 6D 2A 18 7C A8 4D 72 4F 3743 00200: E1 EF A7 E5 36 67 2E 79 1F 8A 0C B6 74 1E B1 63 3744 00210: E2 96 37 8C 5B 82 83 EE DA B4 1B A4 22 1E BC E2 3745 00220: 05 F6 F8 79 CF EB F0 AD E9 36 07 0F B2 40 E5 0D 3746 00230: 04 37 03 7F 2A EC 99 C7 CD 23 9F 6F 20 25 A8 6C 3747 00240: 12 D5 1F 99 C9 8A 4A 99 04 F0 EA 54 86 FE D7 FF 3748 00250: 66 AB 8E B2 42 5E 1A CE AE 8A 75 8B DF 84 3B E1 3749 00260: A8 F6 FE BF 67 30 15 FE D7 AB 86 53 3D BF 20 3751 ---------------------------Server--------------------------- 3753 ServerHelloDone message: 3754 msg_type: 0E 3755 length: 000000 3756 body: -- 3758 00000: 0E 00 00 00 3760 Record layer message:: 3761 type: 16 3762 version: 3763 major: 03 3764 minor: 03 3765 length: 0004 3766 fragment: 0E000000 3768 00000: 16 03 03 00 04 0E 00 00 00 3770 ---------------------------Client--------------------------- 3772 PMS: 3773 00000: CE 0D D6 B6 70 42 12 15 2B E4 69 5A 7E 89 F6 4C 3774 00010: 89 29 A4 0D BF 0A 5A 55 C2 CE 00 2B 06 BA B6 2F 3776 Random d_eph value: 3777 0xC96486B1A3732389A162F5AD0145D537 3778 43C9AC27D42ACF1091CE7EF67E6C3CCA 3779 0F6C879B2DA3C1607648BAEB96471BD2 3780 078DF5CAAA4FA83ECC0FFD6D3C8E5D56 3782 Q_eph ephemeral key: 3783 x = 0x4B9CB381BCC737E493E43B2D7FD95BFE 3784 2AEF6BE8F6224882E5E559ADA08170DC 3785 49A815B3A1B3B323D2B50195153CFC60 3786 DD6139C3770C5762A6A7719FABF84BFB 3788 y = 0x95CEF28392C846A5EEFCB51C84E4960A 3789 77B77D0D85EBD22061BFDA0013C5AB6C 3790 42DDD04973F65D2AEB8A5427A53D6872 3791 CF2D68F5F722C4640D7AAF2E0194FBD0 3793 HASH(r_c | r_s): 3794 00000: FB F3 9D 10 E8 00 AF 70 E7 AA 22 C1 10 DA 94 A9 3795 00010: 9A 58 98 D8 45 27 C7 CB DE C1 1E 53 39 90 6A 1A 3797 K_EXP: 3798 00000: 3F D9 99 D1 68 4A 15 CC 9B DD 5A 35 06 7A F6 98 3799 00010: 17 15 00 22 E0 95 54 AC 79 1A 60 F1 61 F5 53 49 3801 IV: 3802 00000: FB F3 9D 10 E8 00 AF 70 3804 CEK_ENC: 3805 00000: D6 22 D1 67 A5 64 2E 29 52 5A 29 5C B9 F2 8F 96 3806 00010: F2 8B 0E FA A7 D3 A2 BE E1 49 B0 11 78 C2 DF D5 3808 CEK_MAC: 3809 00000: 4C 93 36 57 3811 PMSEXP: 3812 00000: FB F3 9D 10 E8 00 AF 70 D6 22 D1 67 A5 64 2E 29 3813 00010: 52 5A 29 5C B9 F2 8F 96 F2 8B 0E FA A7 D3 A2 BE 3814 00020: E1 49 B0 11 78 C2 DF D5 4C 93 36 57 3816 ---------------------------Client--------------------------- 3818 ClientKeyExchange message: 3819 msg_type: 10 3820 length: 0000F5 3821 body: 3822 exchange_keys: 3081F23081EF30280420D622D167A564 3823 2E29525A295CB9F28F96F28B0EFAA7D3 3824 A2BEE149B01178C2DFD504044C933657 3825 . . . 3826 DABF6120D2EB850D7DB7770A96E4841C 3827 B5FCEEA546C89283F2CE950408FBF39D 3828 10E800AF70 3830 00000: 10 00 00 F5 30 81 F2 30 81 EF 30 28 04 20 D6 22 3831 00010: D1 67 A5 64 2E 29 52 5A 29 5C B9 F2 8F 96 F2 8B 3832 00020: 0E FA A7 D3 A2 BE E1 49 B0 11 78 C2 DF D5 04 04 3833 00030: 4C 93 36 57 A0 81 C2 06 09 2A 85 03 07 01 02 05 3834 00040: 01 01 A0 81 AA 30 21 06 08 2A 85 03 07 01 01 01 3835 00050: 02 30 15 06 09 2A 85 03 07 01 02 01 02 01 06 08 3836 00060: 2A 85 03 07 01 01 02 03 03 81 84 00 04 81 80 FB 3837 00070: 4B F8 AB 9F 71 A7 A6 62 57 0C 77 C3 39 61 DD 60 3838 00080: FC 3C 15 95 01 B5 D2 23 B3 B3 A1 B3 15 A8 49 DC 3839 00090: 70 81 A0 AD 59 E5 E5 82 48 22 F6 E8 6B EF 2A FE 3840 000A0: 5B D9 7F 2D 3B E4 93 E4 37 C7 BC 81 B3 9C 4B D0 3841 000B0: FB 94 01 2E AF 7A 0D 64 C4 22 F7 F5 68 2D CF 72 3842 000C0: 68 3D A5 27 54 8A EB 2A 5D F6 73 49 D0 DD 42 6C 3843 000D0: AB C5 13 00 DA BF 61 20 D2 EB 85 0D 7D B7 77 0A 3844 000E0: 96 E4 84 1C B5 FC EE A5 46 C8 92 83 F2 CE 95 04 3845 000F0: 08 FB F3 9D 10 E8 00 AF 70 3847 Record layer message: 3848 type: 16 3849 version: 3850 major: 03 3851 minor: 03 3852 length: 00F9 3853 fragment: 100000F53081F23081EF30280420D622 3854 D167A5642E29525A295CB9F28F96F28B 3855 0EFAA7D3A2BEE149B01178C2DFD50404 3856 . . . 3857 ABC51300DABF6120D2EB850D7DB7770A 3858 96E4841CB5FCEEA546C89283F2CE9504 3859 08FBF39D10E800AF70 3861 00000: 16 03 03 00 F9 10 00 00 F5 30 81 F2 30 81 EF 30 3862 00010: 28 04 20 D6 22 D1 67 A5 64 2E 29 52 5A 29 5C B9 3863 00020: F2 8F 96 F2 8B 0E FA A7 D3 A2 BE E1 49 B0 11 78 3864 00030: C2 DF D5 04 04 4C 93 36 57 A0 81 C2 06 09 2A 85 3865 00040: 03 07 01 02 05 01 01 A0 81 AA 30 21 06 08 2A 85 3866 00050: 03 07 01 01 01 02 30 15 06 09 2A 85 03 07 01 02 3867 00060: 01 02 01 06 08 2A 85 03 07 01 01 02 03 03 81 84 3868 00070: 00 04 81 80 FB 4B F8 AB 9F 71 A7 A6 62 57 0C 77 3869 00080: C3 39 61 DD 60 FC 3C 15 95 01 B5 D2 23 B3 B3 A1 3870 00090: B3 15 A8 49 DC 70 81 A0 AD 59 E5 E5 82 48 22 F6 3871 000A0: E8 6B EF 2A FE 5B D9 7F 2D 3B E4 93 E4 37 C7 BC 3872 000B0: 81 B3 9C 4B D0 FB 94 01 2E AF 7A 0D 64 C4 22 F7 3873 000C0: F5 68 2D CF 72 68 3D A5 27 54 8A EB 2A 5D F6 73 3874 000D0: 49 D0 DD 42 6C AB C5 13 00 DA BF 61 20 D2 EB 85 3875 000E0: 0D 7D B7 77 0A 96 E4 84 1C B5 FC EE A5 46 C8 92 3876 000F0: 83 F2 CE 95 04 08 FB F3 9D 10 E8 00 AF 70 3878 ---------------------------Client--------------------------- 3879 HASH(HM): 3880 00000: F8 D6 FE EB 17 64 4D 17 B0 38 36 A6 51 EB 87 69 3881 00010: BD EA A2 D3 EB 18 47 F6 91 91 42 7C 30 D0 17 8E 3883 MS: 3884 00000: BE 57 46 C8 BB B7 84 7E 97 8F D4 C9 4F 52 34 52 3885 00010: 44 2C 8E B1 72 FD E6 28 1C 18 C5 44 63 B1 F9 4C 3886 00020: 2B D9 81 40 05 41 6D BB 0F 90 A5 7E A4 E0 6B 50 3888 Client connection key material 3889 K_write_MAC|K_read_MAC|K_write_ENC|K_read_ENC|IV_write|IV_read: 3890 00000: F3 37 F6 A8 6F F3 1F CA 52 EA 64 7C DE E3 B7 83 3891 00010: 34 AB 77 B5 7F E0 DB 2F C0 C8 71 EC DC AC A5 A8 3892 00020: FB A0 4C 21 32 82 3A 24 96 EF 93 6F 0E BC F3 0E 3893 00030: A0 CB 7E AF 6C A7 94 75 4F 1F 45 B1 77 22 DE B4 3894 00040: 4E 5B C3 2D 44 30 AF 58 93 11 6A CF 81 A3 BE 0C 3895 00050: 90 D2 EA 8E 76 E0 84 07 28 BA F5 E2 B2 F9 40 C0 3896 00060: AE 18 26 7B B6 34 C1 6A 1D 1A C1 24 73 50 95 4B 3897 00070: 2F EE 9B 77 F3 0D 18 D5 54 01 2B 43 78 60 87 0A 3898 00080: D9 21 A8 4B 07 FF 98 AF 8C 82 38 6B 91 FB BA 64 3900 ---------------------------Server--------------------------- 3902 PMSEXP extracted: 3903 00000: FB F3 9D 10 E8 00 AF 70 D6 22 D1 67 A5 64 2E 29 3904 00010: 52 5A 29 5C B9 F2 8F 96 F2 8B 0E FA A7 D3 A2 BE 3905 00020: E1 49 B0 11 78 C2 DF D5 4C 93 36 57 3907 HASH(r_c | r_s): 3908 00000: FB F3 9D 10 E8 00 AF 70 E7 AA 22 C1 10 DA 94 A9 3909 00010: 9A 58 98 D8 45 27 C7 CB DE C1 1E 53 39 90 6A 1A 3911 K_EXP: 3912 00000: 3F D9 99 D1 68 4A 15 CC 9B DD 5A 35 06 7A F6 98 3913 00010: 17 15 00 22 E0 95 54 AC 79 1A 60 F1 61 F5 53 49 3915 PMS: 3916 00000: CE 0D D6 B6 70 42 12 15 2B E4 69 5A 7E 89 F6 4C 3917 00010: 89 29 A4 0D BF 0A 5A 55 C2 CE 00 2B 06 BA B6 2F 3919 ---------------------------Server--------------------------- 3921 HASH(HM): 3922 00000: F8 D6 FE EB 17 64 4D 17 B0 38 36 A6 51 EB 87 69 3923 00010: BD EA A2 D3 EB 18 47 F6 91 91 42 7C 30 D0 17 8E 3925 MS: 3927 00000: BE 57 46 C8 BB B7 84 7E 97 8F D4 C9 4F 52 34 52 3928 00010: 44 2C 8E B1 72 FD E6 28 1C 18 C5 44 63 B1 F9 4C 3929 00020: 2B D9 81 40 05 41 6D BB 0F 90 A5 7E A4 E0 6B 50 3931 Client connection key material 3932 K_read_MAC|K_write_MAC|K_read_ENC|K_write_ENC|IV_read|IV_write: 3933 00000: F3 37 F6 A8 6F F3 1F CA 52 EA 64 7C DE E3 B7 83 3934 00010: 34 AB 77 B5 7F E0 DB 2F C0 C8 71 EC DC AC A5 A8 3935 00020: FB A0 4C 21 32 82 3A 24 96 EF 93 6F 0E BC F3 0E 3936 00030: A0 CB 7E AF 6C A7 94 75 4F 1F 45 B1 77 22 DE B4 3937 00040: 4E 5B C3 2D 44 30 AF 58 93 11 6A CF 81 A3 BE 0C 3938 00050: 90 D2 EA 8E 76 E0 84 07 28 BA F5 E2 B2 F9 40 C0 3939 00060: AE 18 26 7B B6 34 C1 6A 1D 1A C1 24 73 50 95 4B 3940 00070: 2F EE 9B 77 F3 0D 18 D5 54 01 2B 43 78 60 87 0A 3941 00080: D9 21 A8 4B 07 FF 98 AF 8C 82 38 6B 91 FB BA 64 3943 ---------------------------Client--------------------------- 3945 ChangeCipherSpec message: 3946 type: 01 3948 00000: 01 3950 Record layer message: 3951 type: 14 3952 version: 3953 major: 03 3954 minor: 03 3955 length: 0001 3956 fragment: 01 3958 00000: 14 03 03 00 01 01 3960 ---------------------------Client--------------------------- 3962 HASH(HM): 3963 00000: F8 D6 FE EB 17 64 4D 17 B0 38 36 A6 51 EB 87 69 3964 00010: BD EA A2 D3 EB 18 47 F6 91 91 42 7C 30 D0 17 8E 3966 Finished message: 3967 msg_type: 14 3968 length: 00000C 3969 body: 3970 verify_data: D3EE1DEA725CD7080C744311 3972 00000: 14 00 00 0C D3 EE 1D EA 72 5C D7 08 0C 74 43 11 3973 Record layer message: 3974 type: 16 3975 version: 3976 major: 03 3977 minor: 03 3978 length: 0014 3979 fragment: 8854A0ED0CCBDAE076FA7D22D763A8D1 3980 AF701BBB 3982 00000: 16 03 03 00 14 88 54 A0 ED 0C CB DA E0 76 FA 7D 3983 00010: 22 D7 63 A8 D1 AF 70 1B BB 3985 ---------------------------Server--------------------------- 3987 ChangeCipherSpec message: 3988 type: 01 3990 00000: 01 3992 Record layer message: 3993 type: 14 3994 version: 3995 major: 03 3996 minor: 03 3997 length: 0001 3998 fragment: 01 4000 00000: 14 03 03 00 01 01 4002 ---------------------------Server--------------------------- 4004 HASH(HM): 4005 00000: 9C 9F C4 E3 32 5B 5F B3 70 B9 94 2A 71 D2 6E F0 4006 00010: 10 71 D8 A5 A1 8F 69 E8 C2 0B 70 CC 90 E9 A9 46 4008 Finished message: 4009 msg_type: 14 4010 length: 00000C 4011 body: 4012 verify_data: D6A2A697E9F23DB0F9017A79 4014 00000: 14 00 00 0C D6 A2 A6 97 E9 F2 3D B0 F9 01 7A 79 4016 Record layer message: 4017 type: 16 4018 version: 4019 major: 03 4020 minor: 03 4021 length: 0014 4022 fragment: 7BDDBB3C0A6A4A9E302B468CCD5CF786 4023 665FFEBC 4025 00000: 16 03 03 00 14 7B DD BB 3C 0A 6A 4A 9E 30 2B 46 4026 00010: 8C CD 5C F7 86 66 5F FE BC 4028 ---------------------------Client--------------------------- 4030 Application data: 4031 00000: 48 45 4C 4F 0A 4033 Record layer message: 4034 type: 17 4035 version: 4036 major: 03 4037 minor: 03 4038 length: 0009 4039 fragment: A8951D9389D1AEFE3B 4041 00000: 17 03 03 00 09 A8 95 1D 93 89 D1 AE FE 3B 4043 ---------------------------Server--------------------------- 4045 Application data: 4046 00000: 48 45 4C 4F 0A 4048 Record layer message: 4049 type: 17 4050 version: 4051 major: 03 4052 minor: 03 4053 length: 0009 4054 fragment: 0F368E5CEC86B4F8D7 4056 00000: 17 03 03 00 09 0F 36 8E 5C EC 86 B4 F8 D7 4058 ---------------------------Client--------------------------- 4060 close_notify alert: 4061 Alert: 4062 level: 01 4063 description: 00 4065 00000: 01 00 4067 Record layer message: 4068 type: 15 4069 version: 4070 major: 03 4071 minor: 03 4072 length: 0006 4073 fragment: F91FCD98F309 4075 00000: 15 03 03 00 06 F9 1F CD 98 F3 09 4077 ---------------------------Server--------------------------- 4079 close_notify alert: 4080 Alert: 4081 level: 01 4082 description: 00 4084 00000: 01 00 4086 Record layer message: 4087 type: 15 4088 version: 4089 major: 03 4090 minor: 03 4091 length: 0006 4092 fragment: 117B57AD5FED 4094 00000: 15 03 03 00 06 11 7B 57 AD 5F ED 4096 Appendix B. Contributors 4098 o Evgeny Alekseev 4099 CryptoPro 4100 alekseev@cryptopro.ru 4102 o Ekaterina Smyshlyaeva 4103 CryptoPro 4104 ess@cryptopro.ru 4106 o Grigory Sedov 4107 CryptoPro 4108 sedovgk@cryptopro.ru 4110 o Dmitry Eremin-Solenikov 4111 Auriga 4112 dbaryshkov@gmail.com 4114 Appendix C. Acknowledgments 4116 Authors' Addresses 4118 Stanislav Smyshlyaev (editor) 4119 CryptoPro 4120 18, Suschevsky val 4121 Moscow 127018 4122 Russian Federation 4124 Phone: +7 (495) 995-48-20 4125 Email: svs@cryptopro.ru 4127 Dmitry Belyavsky 4128 Cryptocom 4129 14/2 Kedrova st 4130 Moscow 117218 4131 Russian Federation 4133 Email: beldmit@gmail.com 4135 Markku-Juhani O. Saarinen 4136 Independent Consultant 4138 Email: mjos@iki.fi