idnits 2.17.1 draft-smyshlyaev-tls12-gost-suites-13.txt:

Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info):
  No issues found here.

Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  No issues found here.

Checking nits according to https://www.ietf.org/id-info/checklist :
  No issues found here.

Miscellaneous warnings:
  == The copyright year in the IETF Trust and authors Copyright Line does not match the current year
  -- The document date (July 5, 2021) is 997 days in the past. Is this intentional?
  -- Found something which looks like a code comment -- if you have code sections in the document, please surround them with '' and '' lines.

Checking references for intended status: Informational
  == Missing Reference: 'ChangeCipherSpec' is mentioned on line 405, but not defined
  -- Looks like a reference, but probably isn't: '0' on line 663
  ** Obsolete normative reference: RFC 5246 (Obsoleted by RFC 8446)

Summary: 1 error (**), 0 flaws (~~), 2 warnings (==), 3 comments (--).

Run idnits with the --verbose option for more detailed information about the items above.

--------------------------------------------------------------------------------

Network Working Group                                  S. Smyshlyaev, Ed.
Internet-Draft                                                  CryptoPro
Intended status: Informational                               D. Belyavsky
Expires: January 6, 2022                                        Cryptocom
                                                              M. Saarinen
                                                   Independent Consultant
                                                             July 5, 2021

  GOST Cipher Suites for Transport Layer Security (TLS) Protocol Version 1.2
                    draft-smyshlyaev-tls12-gost-suites-13

Abstract

   This document specifies three new cipher suites for the Transport
   Layer Security (TLS) protocol Version 1.2 to support the Russian
   cryptographic standard algorithms (called GOST algorithms).

   This specification is developed to facilitate implementations that
   wish to support the GOST algorithms.  This document does not imply
   IETF endorsement of the cipher suites.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on January 6, 2022.

Copyright Notice

   Copyright (c) 2021 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Conventions Used in This Document
   3.  Basic Terms and Definitions
   4.  Cipher Suite Definitions
     4.1.  Record Payload Protection
       4.1.1.  CTR_OMAC
       4.1.2.  CNT_IMIT
     4.2.  Key Exchange and Authentication
       4.2.1.  Hello Messages
       4.2.2.  Server Certificate
       4.2.3.  CertificateRequest
       4.2.4.  ClientKeyExchange
         4.2.4.1.  CTR_OMAC
         4.2.4.2.  CNT_IMIT
       4.2.5.  CertificateVerify
       4.2.6.  Finished
     4.3.  Cryptographic Algorithms
       4.3.1.  Block Cipher
       4.3.2.  MAC algorithm
       4.3.3.  Encryption algorithm
       4.3.4.  PRF and HASH algorithms
       4.3.5.  SNMAX parameter
   5.  New Values for the SignatureAlgorithm Registry
   6.  New Values for the Supported Groups Registry
   7.  New Values for the ClientCertificateType Identifiers Registry
   8.  Additional Algorithms
     8.1.  TLSTREE
       8.1.1.  Key Tree Parameters
     8.2.  Key export and key import algorithms
       8.2.1.  KExp15 and KImp15 Algorithms
       8.2.2.  KExp28147 and KImp28147 Algorithms
     8.3.  Key Exchange Generation Algorithms
       8.3.1.  KEG Algorithm
       8.3.2.  KEG_28147 Algorithm
     8.4.  gostIMIT28147
   9.  IANA Considerations
   10. Historical Considerations
   11. Security Considerations
   12. References
     12.1.  Normative References
     12.2.  Informative References
   Appendix A.  Test Examples
     A.1.  Test Examples for CTR_OMAC cipher suites
       A.1.1.  TLSTREE Examples
         A.1.1.1.  TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC ciphersuite
         A.1.1.2.  TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC ciphersuite
       A.1.2.  Record Examples
         A.1.2.1.  TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC ciphersuite
         A.1.2.2.  TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC ciphersuite
       A.1.3.  Handshake Examples
         A.1.3.1.  TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC ciphersuite
         A.1.3.2.  TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC ciphersuite
     A.2.  Test Examples for CNT_IMIT cipher suites
       A.2.1.  Record Examples
       A.2.2.  Handshake Examples
   Appendix B.  Contributors
   Appendix C.  Acknowledgments
   Authors' Addresses

1.  Introduction

   This document specifies three new cipher suites for the Transport
   Layer Security (TLS) Protocol Version 1.2 [RFC5246] to support the
   set of Russian cryptographic standard algorithms (called GOST
   algorithms).  These cipher suites use the same hash algorithm GOST R
   34.11-2012 [GOST3411-2012] (the English version can be found in
   [RFC6986]) and the same signature algorithm GOST R 34.10-2012
   [GOST3410-2012] (the English version can be found in [RFC7091]) but
   use different encryption and MAC algorithms, so they are divided into
   two types: the CTR_OMAC cipher suites and the CNT_IMIT cipher suite.

   The CTR_OMAC cipher suites use the GOST R 34.12-2015 [GOST3412-2015]
   block ciphers (the English version can be found in [RFC7801]).

   The CNT_IMIT cipher suite uses the GOST 28147-89 [GOST28147-89] block
   cipher (the English version can be found in [RFC5830]).

   This document specifies cipher suites only for the TLS protocol
   version 1.2.  The cipher suites for the TLS protocol version 1.3
   [RFC8446] to support the set of Russian cryptographic standard
   algorithms are specified in a separate document [DraftGostTLS13].

   This specification is developed to facilitate implementations that
   wish to support the GOST algorithms.  This document does not imply
   IETF endorsement of the cipher suites.

2.  Conventions Used in This Document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

3.  Basic Terms and Definitions

   This document uses the following terms and definitions for the sets
   and operations on the elements of these sets:

   B_t       the set of byte strings of length t, t >= 0, for t = 0 the
             B_t set consists of a single empty string of zero length.
             If A is an element of B_t, then A = (a_1, a_2, ... , a_t),
             where a_1, a_2, ... , a_t are in {0, ... , 255};

   B*        the set of all byte strings of a finite length (hereinafter
             referred to as strings), including the empty string;

   A[i..j]   the string A[i..j] = (a_i, a_{i+1}, ... , a_j) in B_{j-i+1}
             where A = (a_1, ... , a_t) in B_t and 1<=i<=j<=t;

   L(A)      the length of the byte string A in bytes;

   A | C     concatenation of strings A and C both belonging to B*, i.e.,
             a string in B_{L(A)+L(C)}, where the left substring in
             B_L(A) is equal to A, and the right substring in B_L(C) is
             equal to C;

   A XOR C   bitwise exclusive-or of byte strings A and C both belonging
             to B_t (i.e. both are of length t bytes), i.e., a string in
             B_t such that if A = (a_1, a_2, ... , a_t), C = (c_1, c_2,
             ... , c_t) then A XOR C = (a_1 (xor) c_1, a_2 (xor) c_2,
             ... , a_t (xor) c_t) where (xor) is bitwise exclusive-or of
             bytes;

   i & j     bitwise AND of integers i and j;

   STR_t     the transformation that maps an integer i = 256^{t-1} * i_1
             + ... + 256 * i_{t-1} + i_t into the byte string STR_t(i) =
             (i_1, ... , i_t) in B_t (the interpretation of the integer
             as a byte string in big-endian format);

   str_t     the transformation that maps an integer i = 256^{t-1} * i_t
             + ... + 256 * i_2 + i_1 into the byte string str_t(i) =
             (i_1, ... , i_t) in B_t (the interpretation of the integer
             as a byte string in little-endian format);

   INT       the transformation that maps a string a = (a_1, ... , a_t)
             in B_t into the integer INT(a) = 256^{t-1} * a_1 + ... +
             256 * a_{t-1} + a_t (the interpretation of the byte string
             in big-endian format as an integer);

   int       the transformation that maps a string a = (a_1, ... , a_t)
             in B_t into the integer int(a) = 256^{t-1} * a_t + ... +
             256 * a_2 + a_1 (the interpretation of the byte string in
             little-endian format as an integer);

   k         the length of the block cipher key in bytes;

   n         the length of the block cipher block in bytes;

   Q_c       the public key stored in the client's certificate;

   d_c       the private key that corresponds to the Q_c key;

   Q_s       the public key stored in the server's certificate;

   d_s       the private key that corresponds to the Q_s key;

   q_s       an order of a cyclic subgroup of elliptic curve points
             group containing point Q_s;

   P_s       the point of order q_s that belongs to the same curve as
             Q_s;

   r_c       the random string contained in ClientHello.random field
             (see [RFC5246]);

   r_s       the random string contained in ServerHello.random field
             (see [RFC5246]).

4.  Cipher Suite Definitions

   This document specifies the CTR_OMAC cipher suites and the CNT_IMIT
   cipher suite.

   The CTR_OMAC cipher suites have the following values:

      TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC = {0xC1, 0x00};
      TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC = {0xC1, 0x01}.

   The CNT_IMIT cipher suite has the following value:

      TLS_GOSTR341112_256_WITH_28147_CNT_IMIT = {0xC1, 0x02}.

4.1.  Record Payload Protection

   The compression method (see Section 6.2.2 of [RFC5246]) MUST be
   "null" in all of the cipher suites described in this document.  This
   compression method is negotiated according to Section 4.2.1.  Note
   that the CompressionMethod.null operation is an identity operation;
   no fields of the TLSCompressed structure are altered.

   All of the cipher suites described in this document use the stream
   cipher (see Section 4.3.3) to protect records.
   The TLSCiphertext structure for the CTR_OMAC and CNT_IMIT cipher
   suites is specified in accordance with the Standard Stream Cipher
   case (see Section 6.2.3.1 of [RFC5246]):

      struct {
          ContentType type;
          ProtocolVersion version;
          uint16 length;
          GenericStreamCipher fragment;
      } TLSCiphertext;

   where TLSCiphertext.fragment is generated in accordance with
   Section 4.1.1 when the CTR_OMAC cipher suite is used and
   Section 4.1.2 when the CNT_IMIT cipher suite is used.

   The connection key material is the key material that consists of the
   sender_write_key (either the client_write_key or the
   server_write_key), the sender_write_MAC_key (either the
   client_write_MAC_key or the server_write_MAC_key) and the
   sender_write_IV (either the client_write_IV or the server_write_IV)
   parameters that are generated in accordance with Section 6.3 of
   [RFC5246].

   The record key material is the key material that is generated from
   the connection key material and is used to protect the record with a
   given sequence number.  Note that in some cipher suites defined in
   this document the record key material can be equal to the connection
   key material.

   In this section the TLSCiphertext.fragment generation is described
   for one particular endpoint (server or client) with the corresponding
   connection key material and record key material.

4.1.1.  CTR_OMAC

   In the case of the CTR_OMAC cipher suites the record key material
   differs from the connection key material, and for the sequence number
   seqnum consists of:

   o  K_ENC_seqnum in B_k;

   o  K_MAC_seqnum in B_k;

   o  IV_seqnum in B_{n/2}.

   The K_ENC_seqnum and K_MAC_seqnum values are calculated using the
   TLSTREE function defined in Section 8.1, the connection key material
   and the sequence number seqnum.  IV_seqnum is calculated by adding
   the seqnum value to sender_write_IV modulo 2^{(n/2)*8}:

   o  K_ENC_seqnum = TLSTREE(sender_write_key, seqnum);

   o  K_MAC_seqnum = TLSTREE(sender_write_MAC_key, seqnum);

   o  IV_seqnum = STR_{n/2}((INT(sender_write_IV) + seqnum) mod
      2^{(n/2)*8}).

   The TLSCiphertext.fragment that corresponds to the sequence number
   seqnum is equal to the ENCValue_seqnum value that is calculated as
   follows:

   1.  The MACValue_seqnum value is generated using the MAC algorithm
       (see Section 4.3.2) similarly to Section 6.2.3.1 of [RFC5246],
       except that the sender_write_MAC_key is replaced by the
       K_MAC_seqnum key:

       MACValue_seqnum = MAC(K_MAC_seqnum, STR_8(seqnum) | type_seqnum |
       version_seqnum | length_seqnum | fragment_seqnum),

   where type_seqnum, version_seqnum, length_seqnum, fragment_seqnum are
   the TLSCompressed.type, TLSCompressed.version, TLSCompressed.length
   and TLSCompressed.fragment values of the record with the seqnum
   sequence number.

   2.  The entire data together with the MACValue is encrypted with the
       ENC stream cipher (see Section 4.3.3):

       ENCValue_seqnum = ENC(K_ENC_seqnum, IV_seqnum, fragment_seqnum |
       MACValue_seqnum),

   where fragment_seqnum is the TLSCompressed.fragment value of the
   record with the seqnum sequence number.

4.1.2.  CNT_IMIT

   In the case of the CNT_IMIT cipher suite the record key material is
   equal to the connection key material and consists of:

   o  sender_write_key in B_k;

   o  sender_write_MAC_key in B_k;

   o  sender_write_IV in B_n.

   The TLSCiphertext.fragment that corresponds to the sequence number
   seqnum is equal to the ENCValue_seqnum value that is calculated as
   follows:

   1.  The MACValue_seqnum value is generated by the MAC algorithm (see
       Section 4.3.2) as follows:

       MACValue_seqnum = MAC(sender_write_MAC_key, STR_8(0) | type_0 |
       version_0 | length_0 | fragment_0 | ... | STR_8(seqnum) |
       type_seqnum | version_seqnum | length_seqnum | fragment_seqnum),

   where type_i, version_i, length_i, fragment_i, i in {0, ... ,
   seqnum}, are the TLSCompressed.type, TLSCompressed.version,
   TLSCompressed.length and TLSCompressed.fragment values of the record
   with the i sequence number.

   Due to the use of the CBC-MAC based mode (see Section 4.3.2),
   producing the MACValue_seqnum value does not require reprocessing all
   previous records.  It is enough to store only an intermediate
   internal state of the MAC algorithm.

   2.  The entire data together with the MACValue is encrypted with the
       ENC stream cipher (see Section 4.3.3):

       ENCValue_0 | ... | ENCValue_seqnum = ENC(sender_write_key,
       sender_write_IV, fragment_0 | MACValue_0 | ... | fragment_seqnum |
       MACValue_seqnum),

   where the length of the byte string ENCValue_i in bytes is equal to
   the length of the byte string (fragment_i | MACValue_i) in bytes, i
   in {0, ... , seqnum}.

   Due to the use of the stream cipher (see Section 4.3.3), producing
   the ENCValue_seqnum value does not require reprocessing all previous
   records.  It is enough to store only an intermediate internal state
   of the ENC stream cipher.

4.2.  Key Exchange and Authentication

   All of the cipher suites described in this document use a key
   encapsulation mechanism based on Diffie-Hellman to share the TLS
   premaster secret.

      Client                                               Server

      ClientHello                  -------->
                                                      ServerHello
                                                      Certificate
                                              CertificateRequest*
                                   <--------      ServerHelloDone
      Certificate*
      ClientKeyExchange
      CertificateVerify*
      [ChangeCipherSpec]
      Finished                     -------->
                                               [ChangeCipherSpec]
                                   <--------             Finished
      Application Data             <------->     Application Data

             Figure 1: Message flow for a full handshake.

      * Indicates optional messages that are sent for
        the client authentication.
   Note: To help avoid pipeline stalls, ChangeCipherSpec is an
   independent TLS protocol content type, and is not actually a TLS
   handshake message.

   Figure 1 shows all messages involved in the TLS key establishment
   protocol (full handshake).  A ServerKeyExchange MUST NOT be sent (the
   server's certificate contains enough data to allow the client to
   exchange the premaster secret).

   The server side of the channel is always authenticated; the client
   side is optionally authenticated.  The server is authenticated by
   proving that it knows the premaster secret that is encrypted with the
   public key Q_s from the server's certificate.  The client is
   authenticated via its signature over the handshake transcript.

   In general, the key exchange process for both the CTR_OMAC and
   CNT_IMIT cipher suites consists of the following steps:

   1.  The client generates the ephemeral key pair (d_eph, Q_eph) that
       corresponds to the server's public key Q_s stored in its
       certificate.

   2.  The client generates the premaster secret PS.  The PS value is
       chosen from B_32 at random.

   3.  Using d_eph and Q_s the client generates the export key material
       (see Section 4.2.4.1 and Section 4.2.4.2) for the particular key
       export algorithm (see Section 8.2.1 and Section 8.2.2) to
       generate the export representation PSExp of the PS value.

   4.  The client sends its ephemeral public key Q_eph and the PSExp
       value in the ClientKeyExchange message.

   5.  Using its private key d_s the server generates the import key
       material (see Section 4.2.4.1 and Section 4.2.4.2) for the
       particular key import algorithm (see Section 8.2.1 and
       Section 8.2.2) to extract the premaster secret PS from the export
       representation PSExp.
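   As an added example (not code from the draft or from any
   implementation of it), the following Python carries out the Diffie-
   Hellman part of steps 1 and 5 above together with the three checks
   the server applies to Q_eph in Sections 4.2.4.1 and 4.2.4.2 before
   deriving any import key material.  The KEG, KExp15/KImp15 and HASH
   steps are not shown, and the curve is an assumption: in the protocol
   it is whichever curve Q_s from the server's certificate lies on,
   while here the id-GostR3410-2001-CryptoPro-A-ParamSet of [RFC4357]
   is used so that the block runs stand-alone.

```python
"""Ephemeral key validation for the GOST TLS 1.2 key exchange.

Added example, not code from the draft or from any implementation of it.
It covers the Diffie-Hellman part of client step 1 and server step 5 and
the three checks the server applies to Q_eph (Sections 4.2.4.1 and
4.2.4.2).  KEG/KEG_28147, KExp15/KImp15 and HASH are not shown.  The
curve parameters are an assumption: the protocol uses the curve of Q_s
from the server certificate; here id-GostR3410-2001-CryptoPro-A-ParamSet
(RFC 4357) is used.  Requires Python 3.8+ for pow(x, -1, P).
"""
import secrets

# Curve y^2 = x^3 + A*x + B over GF(P); ORDER is q_s, BASE is P_s.
P = 2**256 - 617
A = P - 3
B = 166
ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF6C611070995AD10045841B09B761B893
# The base point has x = 1.  Since P = 3 (mod 4), its y is a direct
# square root of x^3 + A*x + B, which avoids transcribing y by hand.
BASE = (1, pow((1 + A + B) % P, (P + 1) // 4, P))
INF = None  # the zero point (point at infinity)


def on_curve(pt):
    """Check 1: Q_eph belongs to the same curve as the server key Q_s."""
    if pt is INF:
        return True
    x, y = pt
    if not (0 <= x < P and 0 <= y < P):
        return False
    return (y * y - (x * x * x + A * x + B)) % P == 0


def add(p1, p2):
    """Affine point addition, with INF as the identity."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:            # p2 == -p1
            return INF
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P   # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(k, pt):
    """Double-and-add scalar multiplication k * pt."""
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def validate_ephemeral_key(q_eph):
    """The server's three checks; each failure MUST end in an alert.

    Check 2 rejects the zero point and check 3 rejects points outside
    the order-q_s subgroup (e.g. wrong-curve or small-order inputs).
    """
    if not on_curve(q_eph):
        raise ValueError("Q_eph is not on the server's curve")
    if q_eph is INF:
        raise ValueError("Q_eph is the zero point")
    if mul(ORDER, q_eph) is not INF:
        raise ValueError("q_s * Q_eph is not the zero point")
    return q_eph


def is_valid_ephemeral_key(q_eph):
    """Boolean wrapper: True when all three checks pass."""
    try:
        validate_ephemeral_key(q_eph)
        return True
    except ValueError:
        return False


def keygen():
    """(d, Q): d chosen from {1, ... , q_s - 1} at random, Q = d * P_s."""
    d = secrets.randbelow(ORDER - 1) + 1
    return d, mul(d, BASE)


def exchange():
    """Client step 1 and server step 5: the shared point KEG starts from.

    Returns True when the server (d_s * Q_eph) and the client
    (d_eph * Q_s) arrive at the same point.
    """
    d_s, q_s = keygen()        # server long-term pair (in its certificate)
    d_eph, q_eph = keygen()    # client ephemeral pair, sent in ClientKeyExchange
    server_side = mul(d_s, validate_ephemeral_key(q_eph))
    client_side = mul(d_eph, q_s)
    return server_side == client_side
```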
   The cipher suites specified in this document define the ClientHello,
   ServerHello, server Certificate, CertificateRequest,
   ClientKeyExchange, CertificateVerify and Finished handshake messages,
   which are described in further detail below.

4.2.1.  Hello Messages

   The ClientHello message is generated in accordance with
   Section 7.4.1.2 of [RFC5246] and must meet the following
   requirements:

   o  The ClientHello.compression_methods field MUST contain exactly one
      byte, set to zero, which corresponds to the "null" compression
      method.

   o  The ClientHello.extensions field MUST contain the
      signature_algorithms extension (see [RFC5246]).

      If the negotiated cipher suite is one of CTR_OMAC/CNT_IMIT and the
      client implementation does not support generating the
      signature_algorithms extension with the values defined in
      Section 5, the server MUST either abort the connection or ignore
      this extension and behave as if the client had sent the
      signature_algorithms extension with the values {8, 64} and {8,
      65}.

   The ServerHello message is generated in accordance with
   Section 7.4.1.3 of [RFC5246] and must meet the following
   requirements:

   o  The ServerHello.compression_method field MUST contain exactly one
      byte, set to zero, which corresponds to the "null" compression
      method.

   o  The ServerHello.extensions field MUST NOT contain the
      encrypt_then_mac extension (see [RFC7366]).

4.2.2.  Server Certificate

   This message is used to authentically convey the server's public key
   Q_s to the client and is generated in accordance with Section 7.4.2
   of [RFC5246].

   Upon receiving this message the client validates the certificate
   chain, extracts the server's public key, and checks that the key type
   is appropriate for the negotiated key exchange algorithm.  (A
   possible reason for a fatal handshake failure is that the client's
   capabilities for handling elliptic curves and point formats are
   exceeded.)

4.2.3.  CertificateRequest

   This message is sent by the server when requesting client
   authentication and is generated in accordance with Section 7.4.4 of
   [RFC5246].

   If the CTR_OMAC or CNT_IMIT cipher suite is negotiated, the
   CertificateRequest message MUST meet the following requirements:

   o  the CertificateRequest.supported_signature_algorithm field MUST
      contain only signature/hash algorithm pairs with the values {8,
      64} or {0, 65} defined in Section 5;

   o  the CertificateRequest.certificate_types field MUST contain only
      the gost_sign256 (67) or gost_sign512 (68) values defined in
      Section 7.

4.2.4.  ClientKeyExchange

   The ClientKeyExchange message is defined as follows.

      enum { vko_kdf_gost, vko_gost } KeyExchangeAlgorithm;

      struct {
          select (KeyExchangeAlgorithm) {
              case vko_kdf_gost: GostKeyTransport;
              case vko_gost: TLSGostKeyTransportBlob;
          } exchange_keys;
      } ClientKeyExchange;

   The body of the ClientKeyExchange message consists of a
   GostKeyTransport/TLSGostKeyTransportBlob structure that contains an
   export representation of the premaster secret PS.

   The GostKeyTransport structure corresponds to the CTR_OMAC cipher
   suites and is described in Section 4.2.4.1, and the
   TLSGostKeyTransportBlob structure corresponds to the CNT_IMIT cipher
   suite and is described in Section 4.2.4.2.

4.2.4.1.  CTR_OMAC

   In the case of the CTR_OMAC cipher suites the body of the
   ClientKeyExchange message consists of the GostKeyTransport structure
   that is defined below.

   The client generates the ClientKeyExchange message in accordance with
   the following steps:

   1.  Generates the ephemeral key pair (Q_eph, d_eph), where:

          d_eph is chosen from {1, ... , q_s - 1} at random;

          Q_eph = d_eph * P_s.

   2.  Generates export keys (K_EXP_MAC and K_EXP_ENC) using the KEG
       algorithm defined in Section 8.3.1:

          H = HASH(r_c | r_s);

          K_EXP_MAC | K_EXP_ENC = KEG(d_eph, Q_s, H).

   3.  Generates an export representation PSExp of the premaster secret
       PS using the KExp15 algorithm defined in Section 8.2.1:

          IV = H[25..24 + n / 2];

          PSExp = KExp15(PS, K_EXP_MAC, K_EXP_ENC, IV).

   4.  Generates the ClientKeyExchange message using the
       GostKeyTransport structure that is defined as follows:

          GostKeyTransport ::= SEQUENCE {
              keyExp OCTET STRING,
              ephemeralPublicKey SubjectPublicKeyInfo,
              ukm OCTET STRING OPTIONAL
          }

          SubjectPublicKeyInfo ::= SEQUENCE {
              algorithm AlgorithmIdentifier,
              subjectPublicKey BIT STRING
          }

          AlgorithmIdentifier ::= SEQUENCE {
              algorithm OBJECT IDENTIFIER,
              parameters ANY OPTIONAL
          }

   where the keyExp field contains the PSExp value, the
   ephemeralPublicKey field contains the Q_eph value and the ukm field
   MUST be ignored by the server.

   Upon receiving the ClientKeyExchange message, the server processes it
   as follows.

   1.  Checks the following three conditions.  If any of these checks
       fails, then the server MUST abort the handshake with an alert.

       o  Q_eph belongs to the same curve as the server public key Q_s;

       o  Q_eph is not equal to the zero point;

       o  q_s * Q_eph is equal to the zero point.

   2.  Generates export keys (K_EXP_MAC and K_EXP_ENC) using the KEG
       algorithm defined in Section 8.3.1:

          H = HASH(r_c | r_s);

          K_EXP_MAC | K_EXP_ENC = KEG(d_s, Q_eph, H).

   3.  Extracts the premaster secret PS from the export representation
       PSExp using the KImp15 algorithm defined in Section 8.2.1:

          IV = H[25..24 + n / 2];

          PS = KImp15(PSExp, K_EXP_MAC, K_EXP_ENC, IV).

4.2.4.2.  CNT_IMIT

   In the case of the CNT_IMIT cipher suite the body of the
   ClientKeyExchange message consists of a TLSGostKeyTransportBlob
   structure that is defined below.
   The client generates the ClientKeyExchange message in accordance with
   the following steps:

   1.  Generates the ephemeral key pair (Q_eph, d_eph), where:

          d_eph is chosen from {1, ... , q_s - 1} at random;

          Q_eph = d_eph * P_s.

   2.  Generates the export key (K_EXP) using the KEG_28147 algorithm
       defined in Section 8.3.2:

          H = HASH(r_c | r_s);

          K_EXP = KEG_28147(d_eph, Q_s, H).

   3.  Generates an export representation PSExp of the premaster secret
       PS using the KExp28147 algorithm defined in Section 8.2.2:

          PSExp = IV | CEK_ENC | CEK_MAC = KExp28147(PS, K_EXP, H[1..8]).

   4.  Generates the ClientKeyExchange message using the
       TLSGostKeyTransportBlob structure that is defined as follows:

          TLSGostKeyTransportBlob ::= SEQUENCE {
              keyBlob GostR3410-KeyTransport
          }

          GostR3410-KeyTransport ::= SEQUENCE {
              sessionEncryptedKey Gost28147-89-EncryptedKey,
              transportParameters [0] IMPLICIT GostR3410-TransportParameters
                  OPTIONAL
          }

          Gost28147-89-EncryptedKey ::= SEQUENCE {
              encryptedKey Gost28147-89-Key,
              maskKey [0] IMPLICIT Gost28147-89-Key OPTIONAL,
              macKey Gost28147-89-MAC
          }

          GostR3410-TransportParameters ::= SEQUENCE {
              encryptionParamSet OBJECT IDENTIFIER,
              ephemeralPublicKey [0] IMPLICIT SubjectPublicKeyInfo OPTIONAL,
              ukm OCTET STRING
          }

   where GostR3410-KeyTransport, Gost28147-89-EncryptedKey and
   GostR3410-TransportParameters are defined according to Section 4.2.1
   of [RFC4490].

   In the context of this document the
   GostR3410-KeyTransport.transportParameters field is always present,
   the Gost28147-89-EncryptedKey.maskKey field is omitted, and the
   GostR3410-KeyTransport.transportParameters.ephemeralPublicKey field
   is always present.

   The Gost28147-89-EncryptedKey.encryptedKey field contains the CEK_ENC
   value, the Gost28147-89-EncryptedKey.macKey field contains the
   CEK_MAC value, and the GostR3410-TransportParameters.ukm field
   contains the IV value.
   The keyBlob.transportParameters.ephemeralPublicKey field contains the
   client ephemeral public key Q_eph.  The encryptionParamSet field
   contains the value 1.2.643.7.1.2.5.1.1 that corresponds to the
   id-tc26-gost-28147-param-Z parameter set defined in [RFC7836].

   Upon receiving the ClientKeyExchange message, the server processes it
   as follows.

   1.  Checks the following three conditions.  If any of these checks
       fails, then the server MUST abort the handshake with an alert.

       o  Q_eph belongs to the same curve as the server public key Q_s;

       o  Q_eph is not equal to the zero point;

       o  q_s * Q_eph is equal to the zero point.

   2.  Generates the export key (K_EXP) using the KEG_28147 algorithm
       defined in Section 8.3.2:

          H = HASH(r_c | r_s);

          K_EXP = KEG_28147(d_s, Q_eph, H).

   3.  Extracts the premaster secret PS from the export representation
       PSExp using the KImp28147 algorithm defined in Section 8.2.2:

          PS = KImp28147(PSExp, K_EXP, H[1..8]).

4.2.5.  CertificateVerify

   The client generates the value sgn as follows:

      sgn = SIGN_{d_c}(handshake_messages) = str_l(r) | str_l(s)

   where SIGN_{d_c} is the GOST R 34.10-2012 [RFC7091] signature
   algorithm, d_c is the client long-term private key that corresponds
   to the client long-term public key Q_c from the client's certificate,
   l = 32 for the gostr34102012_256 value of the
   SignatureAndHashAlgorithm field and l = 64 for the gostr34102012_512
   value of the SignatureAndHashAlgorithm field.

   Here handshake_messages refers to all handshake messages sent or
   received, starting at ClientHello and up to, but not including,
   CertificateVerify, including the type and length fields of the
   handshake messages.

   The TLS CertificateVerify message is specified as follows.

      struct {
          SignatureAndHashAlgorithm algorithm;
          opaque signature<0..2^16-1>;
      } CertificateVerify;

   where the SignatureAndHashAlgorithm structure is specified in
   Section 5 and the CertificateVerify.signature field contains the sgn
   value.

4.2.6.  Finished

   The TLS Finished message is generated in accordance with
   Section 7.4.9 of [RFC5246].

   The verify_data_length value is equal to 32 for the CTR_OMAC cipher
   suites and is equal to 12 for the CNT_IMIT cipher suite.  The PRF
   function is defined in Section 4.3.4.

4.3.  Cryptographic Algorithms

4.3.1.  Block Cipher

   The cipher suite TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC MUST
   use Kuznyechik [RFC7801] as the base block cipher for the encryption
   and MAC algorithms.  The block length n is 16 bytes and the key
   length k is 32 bytes.

   The cipher suite TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC MUST use
   Magma [GOST3412-2015] as the base block cipher for the encryption and
   MAC algorithms.  The block length n is 8 bytes and the key length k
   is 32 bytes.

   The cipher suite TLS_GOSTR341112_256_WITH_28147_CNT_IMIT MUST use
   GOST 28147-89 as the base block cipher [RFC5830] with the set of
   parameters id-tc26-gost-28147-param-Z defined in [RFC7836].  The
   block length n is 8 bytes and the key length k is 32 bytes.

4.3.2.  MAC algorithm

   The CTR_OMAC cipher suites use the OMAC message authentication code
   construction defined in [GOST3413-2015], which can be considered as
   the CMAC mode defined in [CMAC] where the Kuznyechik or Magma block
   cipher (see Section 4.3.1) is used instead of the AES block cipher
   (see [IK2003] for more detail), as the MAC function.  The resulting
   MAC length is equal to the block length and the MAC key length is 32
   bytes.
The CNT_IMIT cipher suite uses the message authentication code
function gost28147IMIT defined in Section 8.4 with the initialization
vector IV = IV0, where IV0 in B_8 is a string of all zeros, with the
CryptoPro Key Meshing algorithm defined in [RFC4357].  The resulting
MAC length is 4 bytes and the MAC key length is 32 bytes.

4.3.3.  Encryption algorithm

The CTR_OMAC cipher suites use the block cipher in the CTR-ACPKM
encryption mode defined in [RFC8645] as the ENC function.  The
section size N is 4 KB for the
TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC cipher suite and 1 KB
for the TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC cipher suite.

The CNT_IMIT cipher suite uses the block cipher in counter encryption
mode (CNT) defined in Section 6 of [RFC5830] with the CryptoPro Key
Meshing algorithm defined in [RFC4357] as the ENC function.

4.3.4.  PRF and HASH algorithms

The pseudorandom function (PRF) for all the cipher suites defined in
this document is the PRF_TLS_GOSTR3411_2012_256 function defined in
[RFC7836].

The hash function HASH for all the cipher suites defined in this
document is the GOST R 34.11-2012 [RFC6986] hash algorithm with
32-byte (256-bit) hash code.

4.3.5.  SNMAX parameter

The SNMAX parameter defines the maximal value of the sequence number
seqnum during one TLS 1.2 connection and is defined as follows:

+---------------------------------------------+--------------------+
| CipherSuites                                | SNMAX              |
+---------------------------------------------+--------------------+
|TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC | SNMAX = 2^64 - 1   |
|TLS_GOSTR341112_256_WITH_28147_CNT_IMIT      |                    |
+---------------------------------------------+--------------------+
|TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC      | SNMAX = 2^32 - 1   |
+---------------------------------------------+--------------------+
                              Table 1

5.  New Values for the SignatureAlgorithm Registry

The signature/hash algorithm pairs are used to indicate to the
server/client which algorithms can be used in digital signatures and
are defined by the SignatureAndHashAlgorithm structure (see
Section 7.4.1.4.1 of [RFC5246]).

This document defines new values for the "SignatureAlgorithm
Registry" that can be used in the SignatureAndHashAlgorithm.signature
field for the particular signature/hash algorithm pair:

enum {
    gostr34102012_256(64),
    gostr34102012_512(65),
} SignatureAlgorithm;

where the gostr34102012_256 and gostr34102012_512 values correspond
to the GOST R 34.10-2012 [RFC7091] signature algorithm with 32-byte
(256-bit) and 64-byte (512-bit) key length respectively.

According to [RFC7091], the GOST R 34.10-2012 signature algorithm
with 32-byte (256-bit) or 64-byte (512-bit) key length uses the GOST
R 34.11-2012 [RFC6986] hash algorithm with 32-byte (256-bit) or
64-byte (512-bit) hash code respectively (the hash algorithm is
intrinsic to the signature algorithm).  Therefore, if the
SignatureAndHashAlgorithm.signature field of a particular hash/
signature pair listed in the Signature Algorithms Extension is equal
to the 64 (gostr34102012_256) or 65 (gostr34102012_512) value, the
SignatureAndHashAlgorithm.hash field of this pair MUST contain the
"Intrinsic" value 8 (see [RFC8422]).

6.  New Values for the Supported Groups Registry

The Supported Groups Extension indicates the set of elliptic curves
supported by the client and is defined in [RFC8422] and [RFC7919].
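The server-side checks on the client's ephemeral key in Section 4.2.4 (and the q * Q test that opens KEG and KEG_28147 in Section 8.3) are what keep a peer from supplying a point outside the negotiated group on one of these curves. The Python below is an added example, not code from the draft: it runs those three checks with short-Weierstrass arithmetic over a constructed toy curve y^2 = x^3 + x + 1 over F_23 (28 points, so q = 7 with cofactor 4) in place of the Table 2 curves, and only then computes the server's d_s * Q_eph; d_s = 5 and the generator G are constructed values.

```python
# Constructed toy curve y^2 = x^3 + A*x + B over F_P (NOT a GOST curve from
# Table 2).  It has 28 points, so the key subgroup has order Q_ORDER = 7 and
# the cofactor is 4, which leaves points outside the key subgroup to reject.
P, A, B = 23, 1, 1
Q_ORDER = 7       # q: order of the cyclic subgroup used for keys
O = None          # the zero point (point at infinity)
G = (13, 16)      # a point of order 7 (it equals 4 * (0, 1) on this curve)


def on_curve(pt):
    """True for O and for affine points satisfying the curve equation."""
    if pt is O:
        return True
    x, y = pt
    return 0 <= x < P and 0 <= y < P and (y * y - (x ** 3 + A * x + B)) % P == 0


def add(p1, p2):
    """Group law in affine coordinates (textbook formulas, fine for a toy)."""
    if p1 is O:
        return p2
    if p2 is O:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return O          # p2 = -p1; also covers doubling a 2-torsion point
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(k, pt):
    """Scalar multiplication k * pt by double-and-add."""
    acc = O
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def check_ephemeral_key(q_eph, q_s):
    """The three conditions of Section 4.2.4, step 1.  Returns "ok" or the
    reason the server MUST abort with an alert.  With a single toy curve,
    'same curve as Q_s' reduces to both points lying on it; a real server
    compares the NamedGroup of Q_eph with that of its own key Q_s."""
    if not (on_curve(q_s) and on_curve(q_eph)):
        return "alert: Q_eph is not on the server's curve"
    if q_eph is O:
        return "alert: Q_eph is the zero point"
    if mul(Q_ORDER, q_eph) is not O:
        return "alert: q_s * Q_eph is not the zero point (wrong subgroup)"
    return "ok"


def server_shared_point(d_s, q_eph):
    """Server side: validate Q_eph first, then compute d_s * Q_eph, the point
    that VKO inside KEG_28147 would turn into key material.  Returns
    (status, point); point is None unless every check passed."""
    status = check_ephemeral_key(q_eph, mul(d_s, G))
    if status != "ok":
        return status, None
    return status, mul(d_s, q_eph)


if __name__ == "__main__":
    d_s = 5                                      # constructed server private key
    print(server_shared_point(d_s, mul(3, G)))   # honest client: ok
    print(server_shared_point(d_s, (0, 1)))      # on curve, not in the order-7 subgroup
    print(server_shared_point(d_s, (4, 0)))      # the 2-torsion point
    print(server_shared_point(d_s, (2, 5)))      # not on the curve at all
```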
This document defines new values for the "Supported Groups" registry:

enum {
    GC256A(34), GC256B(35), GC256C(36), GC256D(37),
    GC512A(38), GC512B(39), GC512C(40),
} NamedGroup;

where the values correspond to the following curves:

+-------------+--------------------------------------+-----------+
| Description | Curve Identifier Value               | Reference |
+-------------+--------------------------------------+-----------+
| GC256A      | id-tc26-gost-3410-2012-256-paramSetA | RFC 7836  |
+-------------+--------------------------------------+-----------+
| GC256B      |id-GostR3410-2001-CryptoPro-A-ParamSet| RFC 4357  |
+-------------+--------------------------------------+-----------+
| GC256C      |id-GostR3410-2001-CryptoPro-B-ParamSet| RFC 4357  |
+-------------+--------------------------------------+-----------+
| GC256D      |id-GostR3410-2001-CryptoPro-C-ParamSet| RFC 4357  |
+-------------+--------------------------------------+-----------+
| GC512A      | id-tc26-gost-3410-12-512-paramSetA   | RFC 7836  |
+-------------+--------------------------------------+-----------+
| GC512B      | id-tc26-gost-3410-12-512-paramSetB   | RFC 7836  |
+-------------+--------------------------------------+-----------+
| GC512C      | id-tc26-gost-3410-2012-512-paramSetC | RFC 7836  |
+-------------+--------------------------------------+-----------+
                              Table 2

7.  New Values for the ClientCertificateType Identifiers Registry

The ClientCertificateType field of the CertificateRequest message
contains a list of the certificate types that the client may offer
and is defined in Section 7.4.4 of [RFC5246].
This document defines new values for the "ClientCertificateType
Identifiers" registry:

enum {
    gost_sign256(67),
    gost_sign512(68),
} ClientCertificateType;

To use the gost_sign256 or gost_sign512 authentication mechanism, the
client MUST possess a certificate containing a GOST R
34.10-2012-capable public key that corresponds to the 32-byte
(256-bit) or 64-byte (512-bit) signature key respectively.

The client proves possession of the private key corresponding to the
certified key by including a signature in the CertificateVerify
message as described in Section 4.2.5.

8.  Additional Algorithms

8.1.  TLSTREE

The TLSTREE function is defined as follows:

TLSTREE(K_root, i) = KDF_3(KDF_2(KDF_1(K_root, STR_8(i & C_1)),
                     STR_8(i & C_2)), STR_8(i & C_3)),

where

o  K_root in B_32;

o  i in {0, 1, ... , 2^64 - 1};

o  C_1, C_2, C_3 are constants defined by the particular cipher suite
   (see Section 8.1.1);

o  KDF_j(K, D), j = 1, 2, 3, K in B_32, D in B_8, is the key
   derivation function based on the KDF_GOSTR3411_2012_256 function
   defined in [RFC7836]:

   KDF_1(K, D) = KDF_GOSTR3411_2012_256(K, "level1", D);
   KDF_2(K, D) = KDF_GOSTR3411_2012_256(K, "level2", D);
   KDF_3(K, D) = KDF_GOSTR3411_2012_256(K, "level3", D).

8.1.1.  Key Tree Parameters

The CTR_OMAC cipher suites use the TLSTREE function for the re-keying
approach.  The constants for it are defined in the table below.
+--------------------------------------------+----------------------+
| CipherSuites                               | C_1, C_2, C_3        |
+--------------------------------------------+----------------------+
|TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC|C_1=0xFFFFFFFF00000000|
|                                            |C_2=0xFFFFFFFFFFF80000|
|                                            |C_3=0xFFFFFFFFFFFFFFC0|
+--------------------------------------------+----------------------+
|TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC     |C_1=0xFFFFFFC000000000|
|                                            |C_2=0xFFFFFFFFFE000000|
|                                            |C_3=0xFFFFFFFFFFFFF000|
+--------------------------------------------+----------------------+
                              Table 3

8.2.  Key export and key import algorithms

8.2.1.  KExp15 and KImp15 Algorithms

The KExp15 and KImp15 algorithms use the block cipher determined by
the particular cipher suite.

The KExp15 key export algorithm is defined as follows.

+------------------------------------------------------------+
| KExp15(S, K_Exp_MAC, K_Exp_ENC, IV)                        |
|------------------------------------------------------------|
| Input:                                                     |
| - secret S to be exported, S in B*,                        |
| - key K_Exp_MAC in B_k,                                    |
| - key K_Exp_ENC in B_k,                                    |
| - IV in B_{n/2}                                            |
| Output:                                                    |
| - export representation SExp in B_{L(S)+n}                 |
|------------------------------------------------------------|
| 1. CEK_MAC = OMAC(K_Exp_MAC, IV | S), CEK_MAC in B_n       |
| 2. SExp = CTR-Encrypt(K_Exp_ENC, IV, S | CEK_MAC)          |
| 3. return SExp                                             |
+------------------------------------------------------------+

where the OMAC function is defined in [MODES], the CTR-Encrypt(K, IV,
S) function denotes the encryption of message S on key K and nonce IV
in the CTR mode with s = n (see [MODES]).

The KImp15 key import algorithm is defined as follows.
+-------------------------------------------------------------------+
| KImp15(SExp, K_Exp_MAC, K_Exp_ENC, IV)                            |
|-------------------------------------------------------------------|
| Input:                                                            |
| - export representation SExp in B*                                |
| - key K_Exp_MAC in B_k,                                           |
| - key K_Exp_ENC in B_k,                                           |
| - IV in B_{n/2}                                                   |
| Output:                                                           |
| - secret S in B_{L(SExp)-n} or FAIL                               |
|-------------------------------------------------------------------|
| 1. S | CEK_MAC = CTR-Decrypt(K_Exp_ENC, IV, SExp), CEK_MAC in B_n |
| 2. If CEK_MAC = OMAC(K_Exp_MAC, IV | S)                           |
|    then return S; else return FAIL                                |
+-------------------------------------------------------------------+

where the OMAC function is defined in [MODES], the CTR-Decrypt(K, IV,
S) function denotes the decryption of message S on key K and nonce IV
in the CTR mode (see [MODES]).

The keys K_Exp_MAC and K_Exp_ENC MUST be independent.  For every pair
of keys (K_Exp_ENC, K_Exp_MAC) the IV values MUST be unique.  For the
import of key K with the KImp15 algorithm every IV value MUST be sent
with the export key representation or be a preshared value.

8.2.2.  KExp28147 and KImp28147 Algorithms

The KExp28147 key export algorithm is defined as follows.

+----------------------------------------------------------------+
| KExp28147(S, K, IV)                                            |
|----------------------------------------------------------------|
| Input:                                                         |
| - secret S to be exported, S in B_32,                          |
| - key K in B_32,                                               |
| - IV in B_8.                                                   |
| Output:                                                        |
| - export representation SExp in B_44                           |
|----------------------------------------------------------------|
| 1. CEK_MAC = gost28147IMIT(IV, K, S), CEK_MAC in B_4           |
| 2. CEK_ENC = ECB-Encrypt(K, S), CEK_ENC in B_32                |
| 3. return SExp = IV | CEK_ENC | CEK_MAC                        |
+----------------------------------------------------------------+

where the gost28147IMIT function is defined in Section 8.4, the ECB-
Encrypt(K, S) function denotes the encryption of message S on key K
with the block cipher GOST 28147-89 in the ECB mode (see [RFC5830]).

The KImp28147 key import algorithm is defined as follows.

+----------------------------------------------------------------+
| KImp28147(SExp, K, IV)                                         |
|----------------------------------------------------------------|
| Input:                                                         |
| - export representation SExp in B_44,                          |
| - key K in B_32,                                               |
| - IV in B_8.                                                   |
| Output:                                                        |
| - imported secret S in B_32 or FAIL                            |
|----------------------------------------------------------------|
| 1. extract from SExp                                           |
|    IV' = SExp[1..8],                                           |
|    CEK_ENC = SExp[9..40],                                      |
|    CEK_MAC = SExp[41..44]                                      |
| 2. if IV' != IV then return FAIL; else                         |
| 3. S = ECB-Decrypt(K, CEK_ENC), S in B_32                      |
| 4. If CEK_MAC = gost28147IMIT(IV, K, S)                        |
|    then return S; else return FAIL                             |
+----------------------------------------------------------------+

where the gost28147IMIT function is defined in Section 8.4, the ECB-
Decrypt(K, CEK_ENC) function denotes the decryption of ciphertext
CEK_ENC on key K with the block cipher GOST 28147-89 in the ECB mode
(see [RFC5830]).

8.3.  Key Exchange Generation Algorithms

8.3.1.  KEG Algorithm

The KEG algorithm is defined as follows:

+----------------------------------------------------------------+
| KEG(d, Q, H)                                                   |
|----------------------------------------------------------------|
| Input:                                                         |
| - private key d,                                               |
| - public key Q,                                                |
| - H in B_32.                                                   |
| Output:                                                        |
| - key material K in B_64.                                      |
|----------------------------------------------------------------|
| 1. If q * Q is not equal to zero point                         |
|       return FAIL                                              |
| 2. If 2^{254} < q < 2^{256}                                    |
|       return KEG_256(d, Q, H)                                  |
| 3. If 2^{508} < q < 2^{512}                                    |
|       return KEG_512(d, Q, H)                                  |
| 4. return FAIL                                                 |
+----------------------------------------------------------------+

where q is the order of the cyclic subgroup of the elliptic curve
point group containing point Q, and d in {1, ... , q - 1}.

The KEG_256 algorithm is defined as follows:

+----------------------------------------------------------------+
| KEG_256(d, Q, H)                                               |
|----------------------------------------------------------------|
| Input:                                                         |
| - private key d,                                               |
| - public key Q,                                                |
| - H in B_32.                                                   |
| Output:                                                        |
| - key material K in B_64.                                      |
|----------------------------------------------------------------|
| 1. r = INT(H[1..16])                                           |
| 2. If r = 0                                                    |
|       UKM = 1; else UKM = r                                    |
| 3. K_EXP = VKO_256(d, Q, UKM)                                  |
| 4. seed = H[17..24]                                            |
| 5. return KDFTREE_256(K_EXP, "kdf tree", seed, 1)              |
+----------------------------------------------------------------+

where VKO_256 is the function VKO_GOSTR3410_2012_256 defined in
[RFC7836] and KDFTREE_256 is the KDF_TREE_GOSTR3411_2012_256 function
defined in [RFC7836] with the parameter L equal to 512.

The KEG_512 algorithm is defined as follows:

+----------------------------------------------------------------+
| KEG_512(d, Q, H)                                               |
|----------------------------------------------------------------|
| Input:                                                         |
| - private key d,                                               |
| - public key Q,                                                |
| - H in B_32.                                                   |
| Output:                                                        |
| - key material K in B_64.                                      |
|----------------------------------------------------------------|
| 1. r = INT(H[1..16])                                           |
| 2. If r = 0                                                    |
|       UKM = 1; else UKM = r                                    |
| 3. return VKO_512(d, Q, UKM)                                   |
+----------------------------------------------------------------+

where VKO_512 is the VKO_GOSTR3410_2012_512 function defined in
[RFC7836].

8.3.2.  KEG_28147 Algorithm

The KEG_28147 algorithm is defined as follows:

+----------------------------------------------------------------+
| KEG_28147(d, Q, H)                                             |
|----------------------------------------------------------------|
| Input:                                                         |
| - private key d,                                               |
| - public key Q,                                                |
| - H in B_32.                                                   |
| Output:                                                        |
| - key material K in B_32.                                      |
|----------------------------------------------------------------|
| 1. If q * Q is not equal to zero point                         |
|       return FAIL                                              |
| 2. UKM = H[1..8]                                               |
| 3. R = VKO_256(d, Q, int(UKM))                                 |
| 4. return K = CPDivers(UKM, R)                                 |
+----------------------------------------------------------------+

where the VKO_256 function is equal to the VKO_GOSTR3410_2012_256
function defined in [RFC7836], and the CPDivers function corresponds
to the CryptoPro KEK Diversification Algorithm defined in [RFC4357],
which takes as input the UKM value and the key value.

8.4.  gost28147IMIT

gost28147IMIT(IV, K, M) is a MAC algorithm with 4-byte output and is
defined as follows:

+----------------------------------------------------------------+
| gost28147IMIT(IV, K, M)                                        |
|----------------------------------------------------------------|
| Input:                                                         |
| - initial value IV in B_8,                                     |
| - key K in B_32,                                               |
| - message M in B*.                                             |
| Output:                                                        |
| - MAC value T in B_4.                                          |
|----------------------------------------------------------------|
| 1. M' = PAD(M)                                                 |
| 2. M' = M'_0 | ... | M'_r, L(M'_i) = 8, i in {0, ... , r}      |
| 3. M'' = (M'_0 XOR IV) | M'_1 | ... | M'_r                     |
| 4. return T = MAC28147(K, M'')                                 |
+----------------------------------------------------------------+

where the PAD function is the padding function that adds m zero bytes
to the end of the message, where m is the smallest non-negative
solution of the equation (L(M) + m) mod 8 = 0, and the MAC28147
function corresponds to the Message Authentication Code Generation
Mode defined in [RFC5830] with 4-byte output.

9.  IANA Considerations

IANA is asked to update the registry entries to reference this
document when it is published as an RFC.

IANA has added numbers {0xC1, 0x00}, {0xC1, 0x01} and {0xC1, 0x02}
with the names TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC,
TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC, and
TLS_GOSTR341112_256_WITH_28147_CNT_IMIT to the "TLS Cipher Suite"
registry with this document as reference, as shown below.

+-------------+-----------------------------+---------+----------+
| Value       | Description                 | DTLS-OK | Reference|
+-------------+-----------------------------+---------+----------+
| 0xC1, 0x00  | TLS_GOSTR341112_256_        | N       | this RFC |
|             | WITH_KUZNYECHIK_CTR_OMAC    |         |          |
+-------------+-----------------------------+---------+----------+
| 0xC1, 0x01  | TLS_GOSTR341112_256_        | N       | this RFC |
|             | WITH_MAGMA_CTR_OMAC         |         |          |
+-------------+-----------------------------+---------+----------+
| 0xC1, 0x02  | TLS_GOSTR341112_256_        | N       | this RFC |
|             | WITH_28147_CNT_IMIT         |         |          |
+-------------+-----------------------------+---------+----------+
                              Table 4

IANA has added numbers 64, 65 with the names gostr34102012_256,
gostr34102012_512 to the "TLS SignatureAlgorithm" registry, as shown
below.
+-----------+---------------------+---------+----------+
| Value     | Description         | DTLS-OK | Reference|
+-----------+---------------------+---------+----------+
| 64        | gostr34102012_256   | Y       | this RFC |
+-----------+---------------------+---------+----------+
| 65        | gostr34102012_512   | Y       | this RFC |
+-----------+---------------------+---------+----------+
                        Table 5

IANA has added numbers 34, 35, 36, 37, 38, 39, 40 with the names
GC256A, GC256B, GC256C, GC256D, GC512A, GC512B, GC512C to the "TLS
Supported Groups" registry, as shown below.

+-----------+----------------+---------+-------------+-----------+
| Value     | Description    | DTLS-OK | Recommended | Reference |
+-----------+----------------+---------+-------------+-----------+
| 34        | GC256A         | Y       | N           | this RFC  |
+-----------+----------------+---------+-------------+-----------+
| 35        | GC256B         | Y       | N           | this RFC  |
+-----------+----------------+---------+-------------+-----------+
| 36        | GC256C         | Y       | N           | this RFC  |
+-----------+----------------+---------+-------------+-----------+
| 37        | GC256D         | Y       | N           | this RFC  |
+-----------+----------------+---------+-------------+-----------+
| 38        | GC512A         | Y       | N           | this RFC  |
+-----------+----------------+---------+-------------+-----------+
| 39        | GC512B         | Y       | N           | this RFC  |
+-----------+----------------+---------+-------------+-----------+
| 40        | GC512C         | Y       | N           | this RFC  |
+-----------+----------------+---------+-------------+-----------+
                              Table 6

IANA has added numbers 67, 68 with the names gost_sign256,
gost_sign512 to the "ClientCertificateType Identifiers" registry, as
shown below.
+-----------+---------------------+---------+----------+
| Value     | Description         | DTLS-OK | Reference|
+-----------+---------------------+---------+----------+
| 67        | gost_sign256        | Y       | this RFC |
+-----------+---------------------+---------+----------+
| 68        | gost_sign512        | Y       | this RFC |
+-----------+---------------------+---------+----------+
                        Table 7

10.  Historical Considerations

Note that prior to this document, implementations could only use
values from the Private Use space for the GOST-based algorithms.
Some old implementations may therefore still use the old value
{0x00, 0x81} instead of the {0xC1, 0x02} value to indicate the
TLS_GOSTR341112_256_WITH_28147_CNT_IMIT cipher suite; the old value
0xEE instead of the values 64, 8 and 67 (to indicate the
gostr34102012_256 signature algorithm, the Intrinsic hash algorithm
and the gost_sign256 certificate type respectively); and the old
value 0xEF instead of the values 65, 8 and 68 (to indicate the
gostr34102012_512 signature algorithm, the Intrinsic hash algorithm
and the gost_sign512 certificate type respectively).

For historical reasons, in addition to the curve identifier values
listed in Table 2, there exist extra identifier values that
correspond to the curves GC256B, GC256C and GC256D, as follows.
+-------------+-----------------------------------------+
| Description | Curve Identifier Values                 |
+-------------+-----------------------------------------+
| GC256B      |id-GostR3410-2001-CryptoPro-XchA-ParamSet|
|             |id-tc26-gost-3410-2012-256-paramSetB     |
+-------------+-----------------------------------------+
| GC256C      |id-tc26-gost-3410-2012-256-paramSetC     |
+-------------+-----------------------------------------+
| GC256D      |id-GostR3410-2001-CryptoPro-XchB-ParamSet|
|             |id-tc26-gost-3410-2012-256-paramSetD     |
+-------------+-----------------------------------------+
                          Table 8

A client should be prepared to handle any of them correctly if the
corresponding group is included in the supported_groups extension
(see [RFC8422] and [RFC7919]).

11.  Security Considerations

This entire document is about security considerations.

12.  References

12.1.  Normative References

[RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
           Requirement Levels", BCP 14, RFC 2119,
           DOI 10.17487/RFC2119, March 1997.

[RFC4357]  Popov, V., Kurepkin, I., and S. Leontiev, "Additional
           Cryptographic Algorithms for Use with GOST 28147-89, GOST
           R 34.10-94, GOST R 34.10-2001, and GOST R 34.11-94
           Algorithms", RFC 4357, DOI 10.17487/RFC4357, January 2006.

[RFC4490]  Leontiev, S., Ed. and G. Chudov, Ed., "Using the GOST
           28147-89, GOST R 34.11-94, GOST R 34.10-94, and GOST R
           34.10-2001 Algorithms with Cryptographic Message Syntax
           (CMS)", RFC 4490, DOI 10.17487/RFC4490, May 2006.

[RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
           (TLS) Protocol Version 1.2", RFC 5246,
           DOI 10.17487/RFC5246, August 2008.

[RFC5746]  Rescorla, E., Ray, M., Dispensa, S., and N. Oskov,
           "Transport Layer Security (TLS) Renegotiation Indication
           Extension", RFC 5746, DOI 10.17487/RFC5746, February 2010.
[RFC5830]  Dolmatov, V., Ed., "GOST 28147-89: Encryption, Decryption,
           and Message Authentication Code (MAC) Algorithms",
           RFC 5830, DOI 10.17487/RFC5830, March 2010.

[RFC6986]  Dolmatov, V., Ed. and A. Degtyarev, "GOST R 34.11-2012:
           Hash Function", RFC 6986, DOI 10.17487/RFC6986, August
           2013.

[RFC7091]  Dolmatov, V., Ed. and A. Degtyarev, "GOST R 34.10-2012:
           Digital Signature Algorithm", RFC 7091,
           DOI 10.17487/RFC7091, December 2013.

[RFC7366]  Gutmann, P., "Encrypt-then-MAC for Transport Layer
           Security (TLS) and Datagram Transport Layer Security
           (DTLS)", RFC 7366, DOI 10.17487/RFC7366, September 2014.

[RFC7627]  Bhargavan, K., Ed., Delignat-Lavaud, A., Pironti, A.,
           Langley, A., and M. Ray, "Transport Layer Security (TLS)
           Session Hash and Extended Master Secret Extension",
           RFC 7627, DOI 10.17487/RFC7627, September 2015.

[RFC7801]  Dolmatov, V., Ed., "GOST R 34.12-2015: Block Cipher
           "Kuznyechik"", RFC 7801, DOI 10.17487/RFC7801, March 2016.

[RFC7836]  Smyshlyaev, S., Ed., Alekseev, E., Oshkin, I., Popov, V.,
           Leontiev, S., Podobaev, V., and D. Belyavsky, "Guidelines
           on the Cryptographic Algorithms to Accompany the Usage of
           Standards GOST R 34.10-2012 and GOST R 34.11-2012",
           RFC 7836, DOI 10.17487/RFC7836, March 2016.

[RFC7919]  Gillmor, D., "Negotiated Finite Field Diffie-Hellman
           Ephemeral Parameters for Transport Layer Security (TLS)",
           RFC 7919, DOI 10.17487/RFC7919, August 2016.

[RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
           2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
           May 2017.

[RFC8422]  Nir, Y., Josefsson, S., and M. Pegourie-Gonnard, "Elliptic
           Curve Cryptography (ECC) Cipher Suites for Transport Layer
           Security (TLS) Versions 1.2 and Earlier", RFC 8422,
           DOI 10.17487/RFC8422, August 2018.
[RFC8446]  Rescorla, E., "The Transport Layer Security (TLS) Protocol
           Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018.

[RFC8645]  Smyshlyaev, S., Ed., "Re-keying Mechanisms for Symmetric
           Keys", RFC 8645, DOI 10.17487/RFC8645, August 2019.

12.2.  Informative References

[CMAC]     Dworkin, M., "Recommendation for Block Cipher Modes of
           Operation: the CMAC Mode for Authentication", NIST Special
           Publication 800-38B, 2005.

[DraftGostTLS13]
           Smyshlyaev, S., Alekseev, E., Griboedova, E., and A.
           Babueva, "GOST Cipher Suites for Transport Layer Security
           (TLS) Protocol Version 1.3", 2020.

[GOST28147-89]
           Government Committee of the USSR for Standards,
           "Cryptographic Protection for Data Processing System,
           Gosudarstvennyi Standard of USSR (In Russian)",
           GOST 28147-89, 1989.

[GOST3410-2012]
           Federal Agency on Technical Regulating and Metrology,
           "Information technology.  Cryptographic data security.
           Signature and verification processes of [electronic]
           digital signature", GOST R 34.10-2012, 2012.

[GOST3411-2012]
           Federal Agency on Technical Regulating and Metrology,
           "Information technology.  Cryptographic Data Security.
           Hashing function", GOST R 34.11-2012, 2012.

[GOST3412-2015]
           Federal Agency on Technical Regulating and Metrology,
           "Information technology.  Cryptographic data security.
           Block ciphers", GOST R 34.12-2015, 2015.

[GOST3413-2015]
           Federal Agency on Technical Regulating and Metrology,
           "Information technology.  Cryptographic data security.
           Modes of operation for block ciphers", GOST R 34.13-2015,
           2015.

[IK2003]   Iwata, T. and K. Kurosawa, "OMAC: One-Key CBC MAC",
           FSE 2003, Lecture Notes in Computer Science, vol. 2887,
           Springer, Berlin, Heidelberg, 2003.
1429 [MODES] Dworkin, M., "Recommendation for Block Cipher Modes of 1430 Operation: Methods and Techniques", NIST Special 1431 Publication 800-38A, December 2001. 1433 Appendix A. Test Examples 1435 A.1. Test Examples for CTR_OMAC cipher suites 1437 A.1.1. TLSTREE Examples 1439 A.1.1.1. TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC ciphersuite 1441 TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC 1442 *********************************************** 1443 Root Key K_root: 1444 00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 1445 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 1447 seqnum = 0 1448 First level key from Divers_1: 1449 F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1 1450 39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42 1452 Second level key from Divers_2: 1453 51 37 D5 C4 A6 E6 BE 42 C4 40 D1 0A 95 EE A0 7F 1454 08 9E 74 0D 38 90 EB 52 65 2C 0C B9 3F 20 7B B4 1455 The resulting key from Divers 3: 1456 19 A7 6E D3 0F 4D 6D 1F 5B 72 63 EC 49 1A D8 38 1457 17 C0 B5 7D 8A 03 56 12 71 40 FB 4F 74 25 49 4D 1459 seqnum = 4095 1460 First level key from Divers_1: 1461 F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1 1462 39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42 1464 Second level key from Divers_2: 1465 51 37 D5 C4 A6 E6 BE 42 C4 40 D1 0A 95 EE A0 7F 1466 08 9E 74 0D 38 90 EB 52 65 2C 0C B9 3F 20 7B B4 1468 The resulting key from Divers 3: 1469 19 A7 6E D3 0F 4D 6D 1F 5B 72 63 EC 49 1A D8 38 1470 17 C0 B5 7D 8A 03 56 12 71 40 FB 4F 74 25 49 4D 1472 seqnum = 4096 1473 First level key from Divers_1: 1474 F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1 1475 39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42 1477 Second level key from Divers_2: 1478 51 37 D5 C4 A6 E6 BE 42 C4 40 D1 0A 95 EE A0 7F 1479 08 9E 74 0D 38 90 EB 52 65 2C 0C B9 3F 20 7B B4 1481 The resulting key from Divers 3: 1482 FB 30 EE 53 CF CF 89 D7 48 FC 0C 72 EF 16 0B 8B 1483 53 CB BB FD 03 12 82 B0 26 21 4A B2 E0 77 58 FF 1485 seqnum = 33554431 1486 First level key from Divers_1: 1487 F3 55 89 F0 9B F8 01 B1 CA 
11 42 73 B9 5F D6 C1 1488 39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42 1490 Second level key from Divers_2: 1491 51 37 D5 C4 A6 E6 BE 42 C4 40 D1 0A 95 EE A0 7F 1492 08 9E 74 0D 38 90 EB 52 65 2C 0C B9 3F 20 7B B4 1494 The resulting key from Divers 3: 1495 B8 5B 36 DC 22 82 32 6B C0 35 C5 72 DC 93 F1 8D 1496 83 AA 01 74 F3 94 20 9A 51 3B B3 74 DC 09 35 AE 1498 seqnum = 33554432 1499 First level key from Divers_1: 1500 F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1 1501 39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42 1502 Second level key from Divers_2: 1503 3F EA 59 38 DA 2B F8 DD C4 7E C1 DC 55 61 89 66 1504 79 02 BE 42 0D F4 C3 7D AF 21 75 3B CB 1D C7 F3 1506 The resulting key from Divers 3: 1507 0F D7 C0 9E FD F8 E8 15 73 EE CC F8 6E 4B 95 E3 1508 AF 7F 34 DA B1 17 7C FD 7D B9 7B 6D A9 06 40 8A 1510 seqnum = 274877906943 1511 First level key from Divers_1: 1512 F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1 1513 39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42 1515 Second level key from Divers_2: 1516 AB F3 A5 37 98 3A 1B 98 40 06 6D E6 8A 49 BF 25 1517 97 7E E5 C3 F5 2D 33 3E 3C 22 0F 1D 15 C5 08 93 1519 The resulting key from Divers 3: 1520 48 0F 99 72 BA F2 5D 4C 36 9A 96 AF 91 BC A4 55 1521 3F 79 D8 F0 C5 61 8B 19 FD 44 CF DC 57 FA 37 33 1523 seqnum = 274877906944 1524 First level key from Divers_1: 1525 15 60 0D 9E 8F A6 85 54 CF 15 2D C7 4F BC 42 51 1526 17 B0 3E 09 76 BB 28 EA 98 24 C3 B7 0F 28 CB D8 1528 Second level key from Divers_2: 1529 6C C2 8E B0 93 24 72 12 5C 7A D3 F8 09 73 B3 C8 1530 C4 13 7D A5 73 BC 17 1A 24 ED D4 A3 71 F1 F8 73 1532 The resulting key from Divers 3: 1533 25 28 C1 C6 A8 F0 92 7B F2 BE 27 BB 78 D2 7F 21 1534 46 D6 55 93 B0 C7 17 3A 06 CB 9D 88 DF 92 32 65 1536 A.1.1.2. 
TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC ciphersuite 1538 TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC 1539 *********************************************** 1540 Root Key K_root: 1541 00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 1542 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 1544 seqnum = 0 1545 First level key from Divers_1: 1546 F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1 1547 39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42 1549 Second level key from Divers_2: 1550 51 37 D5 C4 A6 E6 BE 42 C4 40 D1 0A 95 EE A0 7F 1551 08 9E 74 0D 38 90 EB 52 65 2C 0C B9 3F 20 7B B4 1553 The resulting key from Divers 3: 1554 19 A7 6E D3 0F 4D 6D 1F 5B 72 63 EC 49 1A D8 38 1555 17 C0 B5 7D 8A 03 56 12 71 40 FB 4F 74 25 49 4D 1557 seqnum = 63 1558 First level key from Divers_1: 1559 F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1 1560 39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42 1562 Second level key from Divers_2: 1563 51 37 D5 C4 A6 E6 BE 42 C4 40 D1 0A 95 EE A0 7F 1564 08 9E 74 0D 38 90 EB 52 65 2C 0C B9 3F 20 7B B4 1566 The resulting key from Divers 3: 1567 19 A7 6E D3 0F 4D 6D 1F 5B 72 63 EC 49 1A D8 38 1568 17 C0 B5 7D 8A 03 56 12 71 40 FB 4F 74 25 49 4D 1570 seqnum = 64 1571 First level key from Divers_1: 1572 F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1 1573 39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42 1575 Second level key from Divers_2: 1576 51 37 D5 C4 A6 E6 BE 42 C4 40 D1 0A 95 EE A0 7F 1577 08 9E 74 0D 38 90 EB 52 65 2C 0C B9 3F 20 7B B4 1579 The resulting key from Divers 3: 1580 AE BE 1E F4 18 71 3B F0 44 B9 FC D9 E5 72 D4 37 1581 FB 38 B5 D8 29 56 7A 6F 79 18 39 6D 9F 4E 09 6B 1583 seqnum = 524287 1584 First level key from Divers_1: 1585 F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1 1586 39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42 1588 Second level key from Divers_2: 1589 51 37 D5 C4 A6 E6 BE 42 C4 40 D1 0A 95 EE A0 7F 1590 08 9E 74 0D 38 90 EB 52 65 2C 0C B9 3F 20 7B B4 1592 The resulting key from Divers 3: 1593 6F 18 D4 00 3E A2 CB 30 
F5 FE C1 93 A2 34 F0 7D 1594 7C 43 94 98 7F 50 75 8D E2 2B 22 0D 8A 10 51 06 1595 seqnum = 524288 1596 First level key from Divers_1: 1597 F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1 1598 39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42 1600 Second level key from Divers_2: 1601 F6 59 EB 85 EE BD 2A 8D CC 1B B3 F7 C6 00 57 FF 1602 6D 33 B6 0F 74 65 DD 42 B5 11 2C F3 A6 B1 AB 66 1604 The resulting key from Divers 3: 1605 E5 4B 16 41 5B 3B 66 3E 78 0B 06 2D 24 F7 36 C4 1606 49 54 63 C3 A8 91 E1 FA 46 F7 AE 99 FF F9 F3 78 1608 seqnum = 4294967295 1609 First level key from Divers_1: 1610 F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1 1611 39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42 1613 Second level key from Divers_2: 1614 F4 BC 10 1A BB 68 86 2A 8C E3 1E A0 0D DF A7 FE 1615 B8 29 10 F1 24 F4 B1 E2 9E A8 3B E0 06 C2 26 8D 1617 The resulting key from Divers 3: 1618 CF 60 09 04 C7 1E 7B 88 A4 9A C8 E2 45 77 4B 3D 1619 BE ED FB 81 DE 9A 0E 2F 4E 46 C3 56 07 BC 2F 04 1621 seqnum = 4294967296 1622 First level key from Divers_1: 1623 55 CC 95 E0 D1 FB 54 85 AF 8E F6 9A CD 72 B2 32 1624 79 7C D2 E8 5D 86 CD FD 1D E5 5B D1 FA 14 37 78 1626 Second level key from Divers_2: 1627 72 16 91 E1 01 C4 28 96 A6 40 AE 18 3F BB 44 5B 1628 76 37 9C 57 E1 FD 8A 7D 49 A6 23 E4 23 8C 0E 1D 1630 The resulting key from Divers 3: 1631 16 18 0B 24 64 54 00 B8 36 14 38 37 D8 6A AC 93 1632 95 2A E3 EB 82 44 D5 EC 2A B0 2C FF 30 78 11 38 1634 A.1.2. Record Examples 1636 A.1.2.1. 
TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC ciphersuite

TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC
********************************************************
It is assumed that the following keys were established during the Handshake:

- MAC key:
00000: 00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A
00010: 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00
- Encryption key:
00000: 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11
00010: 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22
- IV:
00000: 00 00 00 00
---------------------------------------------------------
seqnum = 0

Application data:
00000: 00 00 00 00 00 00 00

TLSPlaintext:
00000: 17 03 03 00 07 00 00 00 00 00 00 00

K_MAC_0:
00000: 19 A7 6E D3 0F 4D 6D 1F 5B 72 63 EC 49 1A D8 38
00010: 17 C0 B5 7D 8A 03 56 12 71 40 FB 4F 74 25 49 4D

MAC value:
00000: F3 3E B6 89 6F EC E2 86

K_ENC_0:
00000: 58 AF BE 9A 4C 31 98 AA AB AA 26 92 C4 19 F1 79
00010: 7C 9B 92 DE B3 CC 74 46 B3 63 57 71 13 F0 FB 56

IV_0:
00000: 00 00 00 00

TLSCiphertext:
00000: 17 03 03 00 0F 9B 42 0D A8 6F AF 36 7F 05 14 43
00010: CE 9C 10 72
---------------------------------------------------------
seqnum = 4095

Application data:
00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
. . .
003D0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
003E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
003F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
TLSPlaintext:
00000: 17 03 03 04 00 00 00 00 00 00 00 00 00 00 00 00
00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
. . .
1692 003D0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1693 003E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1694 003F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1695 00400: 00 00 00 00 00 1697 K_MAC_4095: 1698 00000: 19 A7 6E D3 0F 4D 6D 1F 5B 72 63 EC 49 1A D8 38 1699 00010: 17 C0 B5 7D 8A 03 56 12 71 40 FB 4F 74 25 49 4D 1701 MAC value: 1702 00000: 58 D3 BB 60 8F BC 98 B8 1704 K_ENC_4095: 1705 00000: 58 AF BE 9A 4C 31 98 AA AB AA 26 92 C4 19 F1 79 1706 00010: 7C 9B 92 DE B3 CC 74 46 B3 63 57 71 13 F0 FB 56 1708 IV_4095: 1709 00000: 00 00 0F FF 1711 TLSCiphertext: 1712 00000: 17 03 03 04 08 B7 11 43 8B 16 20 1F 3C 49 33 95 1713 00010: 21 C9 C8 CA 75 66 D4 C2 0F D3 3E 58 1F 80 07 DC 1714 00020: 76 04 3E 2B 35 C8 E8 4B B2 55 08 27 66 13 59 6F 1715 . . . 1716 003D0: E7 77 70 BF 45 17 E1 F8 DD 1B 2C 05 64 AD 68 FC 1717 003E0: 4A 88 9A 48 B8 B1 FF 0E A4 E1 BB 70 4D 56 A4 75 1718 003F0: 2F 51 A5 82 CC 54 1A 80 8F 8C 8B 62 97 68 88 C8 1719 00400: 10 59 DE 41 27 63 A3 E0 99 9A CD DA 77 1721 --------------------------------------------------------- 1722 seqnum = 4096 1724 Application data: 1725 00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1726 00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1727 00020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1728 . . . 1729 007D0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1730 007E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1731 007F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1733 TLSPlaintext: 1734 00000: 17 03 03 08 00 00 00 00 00 00 00 00 00 00 00 00 1735 00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1736 00020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1737 . . . 
1738 007D0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1739 007E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1740 007F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1741 00800: 00 00 00 00 00 1743 K_MAC_4096: 1744 00000: FB 30 EE 53 CF CF 89 D7 48 FC 0C 72 EF 16 0B 8B 1745 00010: 53 CB BB FD 03 12 82 B0 26 21 4A B2 E0 77 58 FF 1747 MAC value: 1748 00000: 50 55 A2 6A BE 19 63 81 1750 K_ENC_4096: 1751 00000: ED F2 FD 02 47 71 60 23 83 09 00 2D 1D 57 DF 9F 1752 00010: D2 ED 18 D6 45 66 C7 6F 4B F0 3D 3A BF 7B BB 1E 1754 IV_4096: 1755 00000: 00 00 10 00 1757 TLSCiphertext: 1758 00000: 17 03 03 08 08 99 95 26 07 03 47 1D ED A2 E6 55 1759 00010: B6 B3 93 83 5E 33 8B 1E D0 0E DD 22 47 A2 FB 88 1760 00020: FB B7 A8 94 80 62 08 8A F3 2C AE B6 AA 2C 4F 2A 1761 . . . 1762 007D0: 7F 0B 24 61 E7 5F E1 06 34 B8 4D C5 70 35 72 5A 1763 007E0: CA 4F 0C BC A9 B0 6C B9 F7 6F BD 2F 80 46 2B 8D 1764 007F0: 77 5E BD 41 6F 63 41 39 AC 89 C2 ED 3D F1 9F E2 1765 00800: 4E F8 C0 5A A8 90 93 1B 01 86 FD 7D DF 1767 A.1.2.2. 
TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC ciphersuite

TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC
***********************************************
It is assumed that the following keys were established during the Handshake:

- MAC key:
00000: 00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A
00010: 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00
- Encryption key:
00000: 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11
00010: 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22
- IV:

00000: 00 00 00 00 00 00 00 00

---------------------------------------------------------
seqnum = 0

Application data:
00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

TLSPlaintext:
00000: 17 03 03 00 0F 00 00 00 00 00 00 00 00 00 00 00
00010: 00 00 00 00

K_MAC_0:
00000: 19 A7 6E D3 0F 4D 6D 1F 5B 72 63 EC 49 1A D8 38
00010: 17 C0 B5 7D 8A 03 56 12 71 40 FB 4F 74 25 49 4D

MAC value:
00000: FD 17 19 DD 95 08 37 EB 7C 7B B8 F5 00 37 99 81

K_ENC_0:
00000: 58 AF BE 9A 4C 31 98 AA AB AA 26 92 C4 19 F1 79
00010: 7C 9B 92 DE B3 CC 74 46 B3 63 57 71 13 F0 FB 56

IV_0:
00000: 00 00 00 00 00 00 00 00

TLSCiphertext:
00000: 17 03 03 00 1F 4D 1A 30 52 36 57 3B FF C1 4E 46
00010: DC BE 74 6D B6 C9 9A 17 5A 81 C4 71 1E 2F 84 C3
00020: 92 C5 40 7C

---------------------------------------------------------
seqnum = 63

Application data:
00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
. . .
1820 00FD0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1821 00FE0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1822 00FF0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1824 TLSPlaintext: 1825 00000: 17 03 03 10 00 00 00 00 00 00 00 00 00 00 00 00 1826 00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1827 00020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1828 . . . 1830 00FD0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1831 00FE0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1832 00FF0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1833 01000: 00 00 00 00 00 1835 K_MAC_63: 1836 00000: 19 A7 6E D3 0F 4D 6D 1F 5B 72 63 EC 49 1A D8 38 1837 00010: 17 C0 B5 7D 8A 03 56 12 71 40 FB 4F 74 25 49 4D 1839 Mac value: 1840 00000: 98 46 27 61 D0 26 24 4A 2C 0B 7D 1B CC CB E7 B0 1842 K_ENC_63: 1843 00000: 58 AF BE 9A 4C 31 98 AA AB AA 26 92 C4 19 F1 79 1844 00010: 7C 9B 92 DE B3 CC 74 46 B3 63 57 71 13 F0 FB 56 1846 IV_63: 1847 00000: 00 00 00 00 00 00 00 3F 1849 TLSCiphertext: 1850 00000: 17 03 03 10 10 12 93 51 D2 6E 14 07 13 A2 1B 37 1851 00010: 68 24 A2 23 17 CD C0 D8 8E 01 CF A3 FE 21 41 5F 1852 00020: 5C 5E 05 86 9C CF 38 A5 1B C2 E0 ED 68 94 46 A8 1853 . . . 1854 00FE0: 19 AD 99 8C 06 25 21 E6 7B 63 59 A4 F5 C8 16 F9 1855 00FF0: 47 6B A7 13 26 82 BB A8 CE 0B ED AD 65 E4 20 A2 1856 01000: 97 B6 E2 C6 1F A4 06 D9 B8 CA 36 FD 9F CD 3A EE 1857 01010: 24 78 F4 D1 96 1859 --------------------------------------------------------- 1860 seqnum = 64 1862 Application data: 1863 00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1864 00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1865 00020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1866 . . . 
1867 01FD0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1868 01FE0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1869 01FF0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1871 TLSPlaintext: 1872 00000: 17 03 03 20 00 00 00 00 00 00 00 00 00 00 00 00 1873 00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1874 00020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1875 . . . 1876 01FD0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1877 01FE0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1878 01FF0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1879 02000: 00 00 00 00 00 1881 K_MAC_64: 1882 00000: AE BE 1E F4 18 71 3B F0 44 B9 FC D9 E5 72 D4 37 1883 00010: FB 38 B5 D8 29 56 7A 6F 79 18 39 6D 9F 4E 09 6B 1885 Mac value: 1886 00000: EA C3 97 87 84 2B 1D BD 60 80 CC 3F BF AE 5C 2F 1888 K_ENC_64: 1889 00000: 64 F5 5A FC 37 A1 74 D9 53 3E 70 8B CD 14 FA 4A 1890 00010: EE C3 7B C0 E3 2B A4 99 01 B4 66 9E 96 A6 3D 96 1892 IV_64: 1893 00000: 00 00 00 00 00 00 00 40 1895 TLSCiphertext: 1896 00000: 17 03 03 20 10 E6 66 BB 98 AC 5B 0F 39 31 D8 55 1897 00010: 1B 93 36 85 96 EE F0 EB A8 26 9C B8 BD AA E7 EB 1898 00020: 80 C8 30 D7 5A B7 D4 6C 25 06 DC 8B 83 E1 F2 D3 1899 . . . 1900 01FE0: B3 02 67 2C CB 02 86 CD 40 48 FB D5 38 1A 65 55 1901 01FF0: 26 11 25 51 01 4F A8 ED F5 C2 1B 7D 1D B3 9D 6B 1902 02000: AD EC 0D 7C 07 05 34 8B 5C 55 6C 4D 50 81 69 1A 1903 02010: A9 EC 36 F8 B5 1905 A.1.3. Handshake Examples 1907 The ClientHello.extensions and the ServerHello.extensions fields 1908 contain the extended_master_secret extension (see [RFC7627]) and the 1909 renegotiation_info extension (see [RFC5746]) in the following 1910 examples. 1912 A.1.3.1. 
TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC ciphersuite

Server certificate curve OID:
id-GostR3410-2001-CryptoPro-A-ParamSet, "1.2.643.2.2.35.1"

Server public key Q_s:
x = 0x6531D4A72E655BFC9DFB94293B260702
      82FABF10D5C49B7366148C60E0BF8167

y = 0x37F8CC71DC5D917FC4A66F7826E72750
      8270B4FFC266C26CD4363E77B553A5B8

Server private key d_s:
0x5F308355DFD6A8ACAEE0837B100A3B1F
  6D63FB29B78EF27D3967757F0527144C

---------------------------Client---------------------------

ClientHello message:
msg_type: 01
length: 000040
body:
  client_version:
    major: 03
    minor: 03
  random: 933EA21EC3802A561550EC78D6ED51AC
          2439D7E749C31BC3A3456165889684CA
  session_id:
    length: 00
    vector: --
  cipher_suites:
    length: 0004
    vector:
      CipherSuite: C100
      CipherSuite: C101
  compression_methods:
    length: 01
    vector:
      CompressionMethod: 00
  extensions:
    length: 0013
    vector:
      Extension: /* signature_algorithms */
        extension_type: 000D
        extension_data:
          length: 0006
          vector:
            supported_signature_algorithms:
              length: 0004
              vector:
                /* 1 pair of algorithms */
                hash: 08
                signature: 40
                /* 2 pair of algorithms */
                hash: 08
                signature: 41
      Extension: /* renegotiation_info */
        extension_type: FF01
        extension_data:
          length: 0001
          vector:
            renegotiated_connection:
              length: 00
              vector: --
      Extension: /* extended_master_secret */
        extension_type: 0017
        extension_data:
          length: 0000
          vector: --

00000: 01 00 00 40 03 03 93 3E A2 1E C3 80 2A 56 15 50
00010: EC 78 D6 ED 51 AC 24 39 D7 E7 49 C3 1B C3 A3 45
00020: 61 65 88 96 84 CA 00 00 04 C1 00 C1 01 01 00 00
00030: 13 00 0D 00 06 00 04 08 40 08 41 FF 01 00 01 00
00040: 00 17 00 00

Record layer message:
type: 16
version:
  major: 03
  minor: 03
length:
0044 1997 fragment: 010000400303933EA21EC3802A561550 1998 EC78D6ED51AC2439D7E749C31BC3A345 1999 6165889684CA000004C100C101010000 2000 13000D0006000408400841FF01000100 2001 00170000 2003 00000: 16 03 03 00 44 01 00 00 40 03 03 93 3E A2 1E C3 2004 00010: 80 2A 56 15 50 EC 78 D6 ED 51 AC 24 39 D7 E7 49 2005 00020: C3 1B C3 A3 45 61 65 88 96 84 CA 00 00 04 C1 00 2006 00030: C1 01 01 00 00 13 00 0D 00 06 00 04 08 40 08 41 2007 00040: FF 01 00 01 00 00 17 00 00 2009 ---------------------------Server--------------------------- 2011 ServerHello message: 2012 msg_type: 02 2013 length: 000041 2014 body: 2015 server_version: 2016 major: 03 2017 minor: 03 2018 random: 933EA21E49C31BC3A3456165889684CA 2019 A5576CE7924A24F58113808DBD9EF856 2020 session_id: 2021 length: 10 2022 vector: C3802A561550EC78D6ED51AC2439D7E7 2023 cipher_suite: 2024 CipherSuite: C101 2025 compression_method: 2026 CompressionMethod: 00 2027 extensions: 2028 length: 0009 2029 vector: 2030 Extension: /* renegotiation_info */ 2031 extension_type: FF01 2032 extension_data: 2033 length: 0001 2034 vector: 2035 renegotiated_connection: 2036 length: 00 2037 vector: -- 2038 Extension: /* extended_master_secret */ 2039 extension_type: 0017 2040 extension_data: 2041 length: 0000 2042 vector: -- 2044 00000: 02 00 00 41 03 03 93 3E A2 1E 49 C3 1B C3 A3 45 2045 00010: 61 65 88 96 84 CA A5 57 6C E7 92 4A 24 F5 81 13 2046 00020: 80 8D BD 9E F8 56 10 C3 80 2A 56 15 50 EC 78 D6 2047 00030: ED 51 AC 24 39 D7 E7 C1 01 00 00 09 FF 01 00 01 2048 00040: 00 00 17 00 00 2050 Record layer message: 2051 type: 16 2052 version: 2053 major: 03 2054 minor: 03 2055 length: 0045 2056 fragment: 020000410303933EA21E49C31BC3A345 2057 6165889684CAA5576CE7924A24F58113 2058 808DBD9EF85610C3802A561550EC78D6 2059 ED51AC2439D7E7C101000009FF010001 2060 0000170000 2062 00000: 16 03 03 00 45 02 00 00 41 03 03 93 3E A2 1E 49 2063 00010: C3 1B C3 A3 45 61 65 88 96 84 CA A5 57 6C E7 92 2064 00020: 4A 24 F5 81 13 80 8D BD 9E F8 56 10 C3 80 2A 56 2065 
00030: 15 50 EC 78 D6 ED 51 AC 24 39 D7 E7 C1 01 00 00 2066 00040: 09 FF 01 00 01 00 00 17 00 00 2068 ---------------------------Server--------------------------- 2070 Certificate message: 2071 msg_type: 0B 2072 length: 0001DB 2073 body: 2074 certificate_list: 2075 length: 0001D8 2076 vector: 2077 ASN.1Cert: 2078 length: 0001D5 2079 vector: 308201D13082017EA003020102020833 2080 FBB2C0E9575A46300A06082A85030701 2081 010302301F311D301B06035504030C14 2082 . . . 2083 797990E4B5452CF82FE1F19EE237B754 2084 CBCD5078D752A28013DFFC8224AD114B 2085 BD7C1BB71E480AD6EEF9857A8C99C595 2086 9053EEDFE9 2088 00000: 0B 00 01 DB 00 01 D8 00 01 D5 30 82 01 D1 30 82 2089 00010: 01 7E A0 03 02 01 02 02 08 33 FB B2 C0 E9 57 5A 2090 00020: 46 30 0A 06 08 2A 85 03 07 01 01 03 02 30 1F 31 2091 00030: 1D 30 1B 06 03 55 04 03 0C 14 74 65 73 74 5F 73 2092 00040: 65 6C 66 73 69 67 6E 65 64 5F 63 65 72 74 30 1E 2093 00050: 17 0D 31 39 30 36 32 37 31 35 32 34 30 38 5A 17 2094 00060: 0D 32 30 31 32 31 38 31 35 33 34 30 38 5A 30 1F 2095 00070: 31 1D 30 1B 06 03 55 04 03 0C 14 74 65 73 74 5F 2096 00080: 73 65 6C 66 73 69 67 6E 65 64 5F 63 65 72 74 30 2097 00090: 66 30 1F 06 08 2A 85 03 07 01 01 01 01 30 13 06 2098 000A0: 07 2A 85 03 02 02 23 01 06 08 2A 85 03 07 01 01 2099 000B0: 02 02 03 43 00 04 40 67 81 BF E0 60 8C 14 66 73 2100 000C0: 9B C4 D5 10 BF FA 82 02 07 26 3B 29 94 FB 9D FC 2101 000D0: 5B 65 2E A7 D4 31 65 B8 A5 53 B5 77 3E 36 D4 6C 2102 000E0: C2 66 C2 FF B4 70 82 50 27 E7 26 78 6F A6 C4 7F 2103 000F0: 91 5D DC 71 CC F8 37 A3 81 96 30 81 93 30 1D 06 2104 00100: 03 55 1D 0E 04 16 04 14 E7 D0 0B B8 4D 8D 24 18 2105 00110: 29 3E 05 C1 7C E7 77 98 D4 8D 30 16 30 0E 06 03 2106 00120: 55 1D 0F 01 01 FF 04 04 03 02 01 C6 30 12 06 03 2107 00130: 55 1D 13 01 01 FF 04 08 30 06 01 01 FF 02 01 01 2108 00140: 30 4E 06 03 55 1D 23 04 47 30 45 80 14 E7 D0 0B 2109 00150: B8 4D 8D 24 18 29 3E 05 C1 7C E7 77 98 D4 8D 30 2110 00160: 16 A1 23 A4 21 30 1F 31 1D 30 1B 06 03 55 04 03 2111 00170: 0C 14 74 65 73 
74 5F 73 65 6C 66 73 69 67 6E 65 2112 00180: 64 5F 63 65 72 74 82 08 33 FB B2 C0 E9 57 5A 46 2113 00190: 30 0A 06 08 2A 85 03 07 01 01 03 02 03 41 00 E2 2114 001A0: 88 44 F9 F1 C8 55 E2 DB 5B 19 79 79 90 E4 B5 45 2115 001B0: 2C F8 2F E1 F1 9E E2 37 B7 54 CB CD 50 78 D7 52 2116 001C0: A2 80 13 DF FC 82 24 AD 11 4B BD 7C 1B B7 1E 48 2117 001D0: 0A D6 EE F9 85 7A 8C 99 C5 95 90 53 EE DF E9 2119 Record layer message: 2120 type: 16 2121 version: 2122 major: 03 2123 minor: 03 2124 length: 01DF 2125 fragment: 0B0001DB0001D80001D5308201D13082 2126 017EA003020102020833FBB2C0E9575A 2127 46300A06082A85030701010302301F31 2128 . . . 2129 8844F9F1C855E2DB5B19797990E4B545 2130 2CF82FE1F19EE237B754CBCD5078D752 2131 A28013DFFC8224AD114BBD7C1BB71E48 2132 0AD6EEF9857A8C99C5959053EEDFE9 2134 00000: 16 03 03 01 DF 0B 00 01 DB 00 01 D8 00 01 D5 30 2135 00010: 82 01 D1 30 82 01 7E A0 03 02 01 02 02 08 33 FB 2136 00020: B2 C0 E9 57 5A 46 30 0A 06 08 2A 85 03 07 01 01 2137 00030: 03 02 30 1F 31 1D 30 1B 06 03 55 04 03 0C 14 74 2138 00040: 65 73 74 5F 73 65 6C 66 73 69 67 6E 65 64 5F 63 2139 00050: 65 72 74 30 1E 17 0D 31 39 30 36 32 37 31 35 32 2140 00060: 34 30 38 5A 17 0D 32 30 31 32 31 38 31 35 33 34 2141 00070: 30 38 5A 30 1F 31 1D 30 1B 06 03 55 04 03 0C 14 2142 00080: 74 65 73 74 5F 73 65 6C 66 73 69 67 6E 65 64 5F 2143 00090: 63 65 72 74 30 66 30 1F 06 08 2A 85 03 07 01 01 2144 000A0: 01 01 30 13 06 07 2A 85 03 02 02 23 01 06 08 2A 2145 000B0: 85 03 07 01 01 02 02 03 43 00 04 40 67 81 BF E0 2146 000C0: 60 8C 14 66 73 9B C4 D5 10 BF FA 82 02 07 26 3B 2147 000D0: 29 94 FB 9D FC 5B 65 2E A7 D4 31 65 B8 A5 53 B5 2148 000E0: 77 3E 36 D4 6C C2 66 C2 FF B4 70 82 50 27 E7 26 2149 000F0: 78 6F A6 C4 7F 91 5D DC 71 CC F8 37 A3 81 96 30 2150 00100: 81 93 30 1D 06 03 55 1D 0E 04 16 04 14 E7 D0 0B 2151 00110: B8 4D 8D 24 18 29 3E 05 C1 7C E7 77 98 D4 8D 30 2152 00120: 16 30 0E 06 03 55 1D 0F 01 01 FF 04 04 03 02 01 2153 00130: C6 30 12 06 03 55 1D 13 01 01 FF 04 08 30 06 01 2154 00140: 01 FF 02 
01 01 30 4E 06 03 55 1D 23 04 47 30 45 2155 00150: 80 14 E7 D0 0B B8 4D 8D 24 18 29 3E 05 C1 7C E7 2156 00160: 77 98 D4 8D 30 16 A1 23 A4 21 30 1F 31 1D 30 1B 2157 00170: 06 03 55 04 03 0C 14 74 65 73 74 5F 73 65 6C 66 2158 00180: 73 69 67 6E 65 64 5F 63 65 72 74 82 08 33 FB B2 2159 00190: C0 E9 57 5A 46 30 0A 06 08 2A 85 03 07 01 01 03 2160 001A0: 02 03 41 00 E2 88 44 F9 F1 C8 55 E2 DB 5B 19 79 2161 001B0: 79 90 E4 B5 45 2C F8 2F E1 F1 9E E2 37 B7 54 CB 2162 001C0: CD 50 78 D7 52 A2 80 13 DF FC 82 24 AD 11 4B BD 2163 001D0: 7C 1B B7 1E 48 0A D6 EE F9 85 7A 8C 99 C5 95 90 2164 001E0: 53 EE DF E9 2166 ---------------------------Server--------------------------- 2168 ServerHelloDone message: 2169 msg_type: 0E 2170 length: 000000 2171 body: -- 2173 00000: 0E 00 00 00 2175 Record layer message:: 2176 type: 16 2177 version: 2178 major: 03 2179 minor: 03 2180 length: 0004 2181 fragment: 0E000000 2183 00000: 16 03 03 00 04 0E 00 00 00 2185 ---------------------------Client--------------------------- 2187 PMS: 2188 00000: A5 57 6C E7 92 4A 24 F5 81 13 80 8D BD 9E F8 56 2189 00010: F5 BD C3 B1 83 CE 5D AD CA 36 A5 3A A0 77 65 1D 2191 Random d_eph value: 2192 0xA5C77C7482373DE16CE4A6F73CCE7F78 2193 471493FF2C0709B8B706C9E8A25E6C1E 2195 Q_eph ephemeral key: 2196 x = 0xA8F36D63D262A203978F1B3B6795CDBB 2197 F1AE7FB8EF7F47F1F18871C198E00793 2199 y = 0x34CA5D6B4485640EA195435993BEB1F8 2200 B016ED610496B5CC175AC2EA1F14F887 2202 HASH (r_c | r_s): 2203 00000: C3 EF 04 28 D4 B7 A1 F4 C5 02 5F 2E 65 DD 2B 2E 2204 00010: A5 83 AE EF DB 67 C7 F4 21 4A 6A 29 8E 99 E3 25 2205 Export key generation. r value: 2206 0xC3EF0428D4B7A1F4C5025F2E65DD2B2E 2208 Export key generation. 
UKM value: 2209 0xC3EF0428D4B7A1F4C5025F2E65DD2B2E 2211 seed: 2212 00000: A5 83 AE EF DB 67 C7 F4 2214 K_EXP: 2215 00000: 1E 58 54 90 E8 65 FF D1 8F 18 D7 C0 A0 4D 0E E8 2216 00010: 4F 1A 5D 79 7C EF AD A0 1B 1E 3B 7F DB 90 E0 29 2218 Export keys K_Exp_MAC | K_Exp_ENC used in KExp15 algorithm: 2219 00000: 2D 8B A8 C8 4C B2 32 FF 41 F1 0C 3A D9 24 13 42 2220 00010: 23 25 4F 71 E5 69 6D 3D 29 C3 E4 C9 DA A6 B2 93 2221 00020: 84 9E B6 34 0B FF AE 69 28 A3 C3 E4 FF 92 EC CB 2222 00030: 1E 8F 0C F7 A1 88 36 8E 6B 74 8E 52 EA 37 8B 0C 2224 IV: 2225 00000: 21 4A 6A 29 2227 PMSEXP: 2228 00000: D7 F0 F0 42 23 67 86 7B 25 FA 42 33 A9 54 F5 8B 2229 00010: DE 92 E9 C9 BB FB 88 16 C9 9F 15 E6 39 87 22 A0 2230 00020: B2 B7 BF E8 49 3E 9A 5C 2232 ---------------------------Client--------------------------- 2234 ClientKeyExchange message: 2235 msg_type: 10 2236 length: 000095 2237 body: 2238 exchange_keys: 3081920428D7F0F0422367867B25FA42 2239 33A954F58BDE92E9C9BBFB8816C99F15 2240 E6398722A0B2B7BFE8493E9A5C306630 2241 . . . 2242 EFB87FAEF1BBCD95673B1B8F9703A262 2243 D2636DF3A887F8141FEAC25A17CCB596 2244 0461ED16B0F8B1BE93594395A10E6485 2245 446B5DCA34 2247 00000: 10 00 00 95 30 81 92 04 28 D7 F0 F0 42 23 67 86 2248 00010: 7B 25 FA 42 33 A9 54 F5 8B DE 92 E9 C9 BB FB 88 2249 00020: 16 C9 9F 15 E6 39 87 22 A0 B2 B7 BF E8 49 3E 9A 2250 00030: 5C 30 66 30 1F 06 08 2A 85 03 07 01 01 01 01 30 2251 00040: 13 06 07 2A 85 03 02 02 23 01 06 08 2A 85 03 07 2252 00050: 01 01 02 02 03 43 00 04 40 93 07 E0 98 C1 71 88 2253 00060: F1 F1 47 7F EF B8 7F AE F1 BB CD 95 67 3B 1B 8F 2254 00070: 97 03 A2 62 D2 63 6D F3 A8 87 F8 14 1F EA C2 5A 2255 00080: 17 CC B5 96 04 61 ED 16 B0 F8 B1 BE 93 59 43 95 2256 00090: A1 0E 64 85 44 6B 5D CA 34 2258 Record layer message: 2259 type: 16 2260 version: 2261 major: 03 2262 minor: 03 2263 length: 0099 2264 fragment: 100000953081920428D7F0F042236786 2265 7B25FA4233A954F58BDE92E9C9BBFB88 2266 16C99F15E6398722A0B2B7BFE8493E9A 2267 . . . 
2268 F1F1477FEFB87FAEF1BBCD95673B1B8F 2269 9703A262D2636DF3A887F8141FEAC25A 2270 17CCB5960461ED16B0F8B1BE93594395 2271 A10E6485446B5DCA34 2273 00000: 16 03 03 00 99 10 00 00 95 30 81 92 04 28 D7 F0 2274 00010: F0 42 23 67 86 7B 25 FA 42 33 A9 54 F5 8B DE 92 2275 00020: E9 C9 BB FB 88 16 C9 9F 15 E6 39 87 22 A0 B2 B7 2276 00030: BF E8 49 3E 9A 5C 30 66 30 1F 06 08 2A 85 03 07 2277 00040: 01 01 01 01 30 13 06 07 2A 85 03 02 02 23 01 06 2278 00050: 08 2A 85 03 07 01 01 02 02 03 43 00 04 40 93 07 2279 00060: E0 98 C1 71 88 F1 F1 47 7F EF B8 7F AE F1 BB CD 2280 00070: 95 67 3B 1B 8F 97 03 A2 62 D2 63 6D F3 A8 87 F8 2281 00080: 14 1F EA C2 5A 17 CC B5 96 04 61 ED 16 B0 F8 B1 2282 00090: BE 93 59 43 95 A1 0E 64 85 44 6B 5D CA 34 2284 ---------------------------Server--------------------------- 2286 PMSEXP extracted: 2287 00000: D7 F0 F0 42 23 67 86 7B 25 FA 42 33 A9 54 F5 8B 2288 00010: DE 92 E9 C9 BB FB 88 16 C9 9F 15 E6 39 87 22 A0 2289 00020: B2 B7 BF E8 49 3E 9A 5C 2291 HASH(r_c | r_s): 2292 00000: C3 EF 04 28 D4 B7 A1 F4 C5 02 5F 2E 65 DD 2B 2E 2293 00010: A5 83 AE EF DB 67 C7 F4 21 4A 6A 29 8E 99 E3 25 2295 Export key generation. r value: 2296 0xC3EF0428D4B7A1F4C5025F2E65DD2B2E 2298 Export key generation. 
UKM value: 2300 0xC3EF0428D4B7A1F4C5025F2E65DD2B2E 2302 seed: 2303 00000: A5 83 AE EF DB 67 C7 F4 2305 K_EXP: 2306 00000: 1E 58 54 90 E8 65 FF D1 8F 18 D7 C0 A0 4D 0E E8 2307 00010: 4F 1A 5D 79 7C EF AD A0 1B 1E 3B 7F DB 90 E0 29 2309 Import keys K_Imp_MAC | K_Imp_ENC used in KImp15 algorithm: 2310 00000: 2D 8B A8 C8 4C B2 32 FF 41 F1 0C 3A D9 24 13 42 2311 00010: 23 25 4F 71 E5 69 6D 3D 29 C3 E4 C9 DA A6 B2 93 2312 00020: 84 9E B6 34 0B FF AE 69 28 A3 C3 E4 FF 92 EC CB 2313 00030: 1E 8F 0C F7 A1 88 36 8E 6B 74 8E 52 EA 37 8B 0C 2315 IV: 2316 00000: 21 4A 6A 29 2318 PMS: 2319 00000: A5 57 6C E7 92 4A 24 F5 81 13 80 8D BD 9E F8 56 2320 00010: F5 BD C3 B1 83 CE 5D AD CA 36 A5 3A A0 77 65 1D 2322 ---------------------------Client--------------------------- 2324 HASH(HM): 2325 00000: 7E 1F 59 D3 64 9D B6 09 00 EA 4F 8A 58 5A 65 7A 2326 00010: 92 77 B3 04 50 58 4C F5 43 51 19 8C DE A3 0C 49 2328 MS: 2329 00000: FD D2 7C B4 04 AD 4E 44 49 68 4F 7C 55 90 E9 E7 2330 00010: 02 EF 41 01 93 3B 52 77 A4 A9 6D F5 00 B0 7C C3 2331 00020: 32 4F D8 A6 D9 07 CB B0 3D F3 FB 33 1F 1C 4D 0C 2333 Client connection key material 2334 K_write_MAC|K_read_MAC|K_write_ENC|K_read_ENC|IV_write|IV_read: 2335 00000: DD 4E 10 17 E3 09 1F FD 86 75 65 8A 78 00 90 09 2336 00010: 3B BE 69 EC A6 93 31 5C A8 5B E0 A6 14 3D C9 F8 2337 00020: 1D 64 D0 23 46 5F 8B EA 17 F8 12 F8 C2 D8 BF C0 2338 00030: D9 BB AB A7 B4 DF D3 A1 7C E0 E1 3B 2D 63 65 F3 2339 00040: FC 8B 34 59 CF 54 FE 44 9A 04 07 64 53 73 08 00 2340 00050: 75 10 32 55 9D 07 B6 C4 EA C6 75 48 71 BC 97 8A 2341 00060: B9 0E 2A EE 98 77 14 BB D8 F7 57 AE F7 84 FF 24 2342 00070: 47 B3 94 2E B4 3E 26 35 73 1C 4C 28 22 D0 2D 79 2343 00080: 2B 6A 81 3F 93 ED A6 FA 2345 ---------------------------Server--------------------------- 2346 HASH(HM): 2347 00000: 7E 1F 59 D3 64 9D B6 09 00 EA 4F 8A 58 5A 65 7A 2348 00010: 92 77 B3 04 50 58 4C F5 43 51 19 8C DE A3 0C 49 2350 MS: 2351 00000: FD D2 7C B4 04 AD 4E 44 49 68 4F 7C 55 90 E9 E7 2352 00010: 02 EF 41 
01 93 3B 52 77 A4 A9 6D F5 00 B0 7C C3 2353 00020: 32 4F D8 A6 D9 07 CB B0 3D F3 FB 33 1F 1C 4D 0C 2355 Server connection key material 2356 K_read_MAC|K_write_MAC|K_read_ENC|K_write_ENC|IV_read|IV_write: 2357 00000: DD 4E 10 17 E3 09 1F FD 86 75 65 8A 78 00 90 09 2358 00010: 3B BE 69 EC A6 93 31 5C A8 5B E0 A6 14 3D C9 F8 2359 00020: 1D 64 D0 23 46 5F 8B EA 17 F8 12 F8 C2 D8 BF C0 2360 00030: D9 BB AB A7 B4 DF D3 A1 7C E0 E1 3B 2D 63 65 F3 2361 00040: FC 8B 34 59 CF 54 FE 44 9A 04 07 64 53 73 08 00 2362 00050: 75 10 32 55 9D 07 B6 C4 EA C6 75 48 71 BC 97 8A 2363 00060: B9 0E 2A EE 98 77 14 BB D8 F7 57 AE F7 84 FF 24 2364 00070: 47 B3 94 2E B4 3E 26 35 73 1C 4C 28 22 D0 2D 79 2365 00080: 2B 6A 81 3F 93 ED A6 FA 2367 ---------------------------Client--------------------------- 2369 ChangeCipherSpec message: 2370 type: 01 2372 00000: 01 2374 Record layer message: 2375 type: 14 2376 version: 2377 major: 03 2378 minor: 03 2379 length: 0001 2380 fragment: 01 2382 00000: 14 03 03 00 01 01 2384 ---------------------------Client--------------------------- 2386 HASH(HM): 2387 00000: 7E 1F 59 D3 64 9D B6 09 00 EA 4F 8A 58 5A 65 7A 2388 00010: 92 77 B3 04 50 58 4C F5 43 51 19 8C DE A3 0C 49 2390 client_verify_data: 2391 00000: B4 61 C5 AD 25 EA 1E 62 B3 70 BD 1F 1B CB 16 91 2392 00010: FC CC BA 37 8B BC 13 43 BE 54 B3 8D F5 53 B7 A5 2394 ---------------------------Client--------------------------- 2396 Finished message: 2397 msg_type: 14 2398 length: 000020 2399 body: 2400 verify_data: B461C5AD25EA1E62B370BD1F1BCB1691 2401 FCCCBA378BBC1343BE54B38DF553B7A5 2403 00000: 14 00 00 20 B4 61 C5 AD 25 EA 1E 62 B3 70 BD 1F 2404 00010: 1B CB 16 91 FC CC BA 37 8B BC 13 43 BE 54 B3 8D 2405 00020: F5 53 B7 A5 2407 Record layer message: 2408 type: 16 2409 version: 2410 major: 03 2411 minor: 03 2412 length: 002C 2413 fragment: 0C630271D4DA39DD8D6BD040302D9B8F 2414 33D5F7B967EED155F7D65592892C03C7 2415 885C249B1225B184AB4D5DBF 2417 00000: 16 03 03 00 2C 0C 63 02 71 D4 DA 39 DD 8D 6B D0 2418 
00010: 40 30 2D 9B 8F 33 D5 F7 B9 67 EE D1 55 F7 D6 55 2419 00020: 92 89 2C 03 C7 88 5C 24 9B 12 25 B1 84 AB 4D 5D 2420 00030: BF 2422 ---------------------------Server--------------------------- 2424 ChangeCipherSpec message: 2425 type: 01 2427 00000: 01 2429 Record layer message: 2430 type: 14 2431 version: 2432 major: 03 2433 minor: 03 2434 length: 0001 2435 fragment: 01 2437 00000: 14 03 03 00 01 01 2438 ---------------------------Server--------------------------- 2440 HASH(HM): 2441 00000: DB D7 D8 93 82 4A ED FD D5 FB 7B 75 4B 47 E1 E6 2442 00010: AF E0 77 DA E6 D1 13 63 42 07 C7 EE 0F C6 F3 B1 2444 server_verify_data: 2445 00000: 45 39 EC 8D 0A F7 B1 A6 20 41 AB 43 4A 43 77 71 2446 00010: D3 4C 47 19 D8 6E BB FD 0F 28 C3 E9 53 55 0C D0 2448 ---------------------------Server--------------------------- 2450 Finished message: 2451 msg_type: 14 2452 length: 000020 2453 body: 2454 verify_data: 4539EC8D0AF7B1A62041AB434A437771 2455 D34C4719D86EBBFD0F28C3E953550CD0 2457 00000: 14 00 00 20 45 39 EC 8D 0A F7 B1 A6 20 41 AB 43 2458 00010: 4A 43 77 71 D3 4C 47 19 D8 6E BB FD 0F 28 C3 E9 2459 00020: 53 55 0C D0 2461 Record layer message: 2462 type: 16 2463 version: 2464 major: 03 2465 minor: 03 2466 length: 002C 2467 fragment: E6A94A4BF70886566A2316811E57B483 2468 BB1E47950A1FF820A80DCA77A4DF9954 2469 2DAB6953F3ED03D95CCA4748 2471 00000: 16 03 03 00 2C E6 A9 4A 4B F7 08 86 56 6A 23 16 2472 00010: 81 1E 57 B4 83 BB 1E 47 95 0A 1F F8 20 A8 0D CA 2473 00020: 77 A4 DF 99 54 2D AB 69 53 F3 ED 03 D9 5C CA 47 2474 00030: 48 2476 ---------------------------Client--------------------------- 2478 Application data: 2479 00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2480 00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2482 Record layer message: 2483 type: 17 2484 version: 2485 major: 03 2486 minor: 03 2487 length: 0028 2488 fragment: 38807B6E5E0C3F4F7E0DBF7758031BF0 2489 7F100C4B63ADBC75F49BCBF428572D37 2490 7CAED097336DB203 2492 00000: 17 03 03 00 28 38 80 7B 6E 5E 
0C 3F 4F 7E 0D BF 2493 00010: 77 58 03 1B F0 7F 10 0C 4B 63 AD BC 75 F4 9B CB 2494 00020: F4 28 57 2D 37 7C AE D0 97 33 6D B2 03 2496 ---------------------------Server--------------------------- 2498 Application data: 2499 00000: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 2500 00010: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 2502 Record layer message: 2503 type: 17 2504 version: 2505 major: 03 2506 minor: 03 2507 length: 0028 2508 fragment: 05B869E5C979C3B9D4837B8E39D9BBEE 2509 1BBD0052D3D48340D0CDE082B33BC07F 2510 4E742D1113249AD8 2512 00000: 17 03 03 00 28 05 B8 69 E5 C9 79 C3 B9 D4 83 7B 2513 00010: 8E 39 D9 BB EE 1B BD 00 52 D3 D4 83 40 D0 CD E0 2514 00020: 82 B3 3B C0 7F 4E 74 2D 11 13 24 9A D8 2516 ---------------------------Client--------------------------- 2518 close_notify alert: 2519 Alert: 2520 level: 01 2521 description: 00 2523 00000: 01 00 2525 Record layer message: 2526 type: 15 2527 version: 2528 major: 03 2529 minor: 03 2531 length: 000A 2532 fragment: 4F2A0807A0374E28C632 2534 00000: 15 03 03 00 0A 4F 2A 08 07 A0 37 4E 28 C6 32 2536 ---------------------------Server--------------------------- 2538 close_notify alert: 2539 Alert: 2540 level: 01 2541 description: 00 2543 00000: 01 00 2545 Record layer message: 2546 type: 15 2547 version: 2548 major: 03 2549 minor: 03 2550 length: 000A 2551 fragment: 999468B49AC5B0DE512C 2553 00000: 15 03 03 00 0A 99 94 68 B4 9A C5 B0 DE 51 2C 2555 A.1.3.2. 
TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC ciphersuite 2557 Server certificate curve OID: 2558 id-tc26-gost-3410-2012-512-paramSetC, "1.2.643.7.1.2.1.2.3" 2560 Server public key Q_s: 2561 x = 0xF14589DA479AD972C66563669B3FF580 2562 92E6A30A288BF447CD9FF6C3133E9724 2563 7A9706B267703C9B4E239F0D7C7E3310 2564 C22D2752B35BD2E4FD39B8F11DEB833A 2566 y = 0xF305E95B36502D4E60A1059FB20AB30B 2567 FC7C95727F3A2C04B1DFDDB53B0413F2 2568 99F2DFE66A5E1CCB4101A7A01D612BE6 2569 BD78E1E3B3D567EBB16ABE587A11F4EA 2571 Server private key d_s: 2573 0x12FD7A70067479A0F66C59F9A25534AD 2574 FBC7ABFD3CC72D79806F8B402601644B 2575 3005ED365A2D8989A8CCAE640D5FC08D 2576 D27DFBBFE137CF528E1AC6D445192E01 2578 Client certificate curve OID: 2579 id-tc26-gost-3410-2012-256-paramSetA, "1.2.643.7.1.2.1.1.1" 2581 Client public key Q_c: 2582 x = 0x0F5DB18A9E15F324B778676025BFD7B5 2583 DF066566EABAA1C51CD879F87B0B4975 2585 y = 0x9EE5BBF18361F842D3F087DEC2943939 2586 E0FA2BFB4EDEC25A8D10ABB22C48F386 2588 Client private key d_c: 2589 0x0918AD3F7D209ABF89F1E8505DA894CE 2590 E10DA09D32E72E815D9C0ADA30B5A103 2592 ---------------------------Client--------------------------- 2594 ClientHello message: 2595 msg_type: 01 2596 length: 000040 2597 body: 2598 client_version: 2599 major: 03 2600 minor: 03 2601 random: 933EA21EC3802A561550EC78D6ED51AC 2602 2439D7E749C31BC3A3456165889684CA 2603 session_id: 2604 length: 00 2605 vector: -- 2606 cipher_suites: 2607 length: 0004 2608 vector: 2609 CipherSuite: C100 2610 CipherSuite: C101 2611 compression_methods: 2612 length: 01 2613 vector: 2614 CompressionMethod: 00 2615 extensions: 2616 length: 0013 2617 vector: 2618 Extension: /* signature_algorithms */ 2619 extension_type: 000D 2620 extension_data: 2621 length: 0006 2622 vector: 2623 supported_signature_algorithms: 2624 length: 0004 2625 vector: 2626 /* 1 pair of algorithms */ 2627 hash: 08 2628 signature: 2629 40 2630 /* 2 pair of algorithms */ 2631 hash: 08 2632 signature: 2633 41 2634 Extension: /* 
A.2.  Test Examples for CNT_IMIT cipher suites

A.2.1.  Record Examples
   It is assumed that during the Handshake the following keys were
   established:

   - MAC key:
     00000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
     00010: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
   - Encryption key:
     00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
     00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   - IV:
     00000: 00 00 00 00 00 00 00 00

   ---------------------------------------------------------
   seqnum = 0

   Application data:
   00000: 00 00 00 00 00 00 00

   Plaintext:
   00000: 17 03 03 00 07 00 00 00 00 00 00 00

   MAC:
   00000: 30 01 34 a1

   Ciphertext:
   00000: 17 03 03 00 0b 86 71 cd bf 3c 1a ae 0f 62 4b 04
   ---------------------------------------------------------
   seqnum = 1

   Application data:
   00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   ....
   007f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

   Plaintext:
   00000: 17 03 03 08 00 00 00 00 00 00 00 00 00 00 00 00
   00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   ....
   007f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00804: 00 00 00 00 00

   MAC:
   00000: f7 c3 8b 8a

   Ciphertext:
   00000: 17 03 03 08 04 cf aa 0c b4 2f a5 a4 7a 13 3d 73
   00010: b9 f2 c0 b0 4f 8c a2 55 52 f8 56 bc be 6a 58 fa
   ....
   007f0: 3e e2 c7 6f a2 30 a0 44 be 21 dc 8e 1a 96 f9 a8
   00804: 88 1f ad 83 45 96 96 84 47

A.2.2.  Handshake Examples

   The ClientHello.extensions and the ServerHello.extensions fields
   contain the renegotiation_info extension (see [RFC5746]) in the
   following examples.
   Server certificate curve OID:
      id-tc26-gost-3410-12-512-paramSetA, "1.2.643.7.1.2.1.2.1"
00180: 08 2B 06 01 05 05 07 03 01 30 0F 06 03 55 1D 0F 3686 00190: 01 01 FF 04 05 03 03 07 B0 00 30 1D 06 03 55 1D 3687 001a0: 0E 04 16 04 14 AE 46 41 1B FD B3 08 C3 39 03 47 3688 001b0: 57 57 2B 0F BF A3 6F 9A 99 30 1F 06 03 55 1D 23 3689 001c0: 04 18 30 16 80 14 7F 7B 7A 15 61 A6 F2 18 A2 E3 3690 001d0: 48 3B C6 39 D9 7F 42 DB 6D AF 30 0A 06 08 2A 85 3691 001e0: 03 07 01 01 03 03 03 81 81 00 9C 49 78 F7 1B AB 3692 001f0: 54 8A 25 6D 2A 18 7C A8 4D 72 4F E1 EF A7 E5 36 3693 00200: 67 2E 79 1F 8A 0C B6 74 1E B1 63 E2 96 37 8C 5B 3694 00210: 82 83 EE DA B4 1B A4 22 1E BC E2 05 F6 F8 79 CF 3695 00220: EB F0 AD E9 36 07 0F B2 40 E5 0D 04 37 03 7F 2A 3696 00230: EC 99 C7 CD 23 9F 6F 20 25 A8 6C 12 D5 1F 99 C9 3697 00240: 8A 4A 99 04 F0 EA 54 86 FE D7 FF 66 AB 8E B2 42 3698 00250: 5E 1A CE AE 8A 75 8B DF 84 3B E1 A8 F6 FE BF 67 3699 00260: 30 15 FE D7 AB 86 53 3D BF 20 3701 Record layer message: 3702 type: 16 3703 version: 3704 major: 03 3705 minor: 03 3706 length: 026A 3707 fragment: 0B0002660002630002603082025C3082 3708 01C8A00302010202147894DC9D920977 3709 809191642F1DAEDC26BA3B5104300A06 3710 . . . 
3711 EC99C7CD239F6F2025A86C12D51F99C9 3712 8A4A9904F0EA5486FED7FF66AB8EB242 3713 5E1ACEAE8A758BDF843BE1A8F6FEBF67 3714 3015FED7AB86533DBF20 3716 00000: 16 03 03 02 6A 0B 00 02 66 00 02 63 00 02 60 30 3717 00010: 82 02 5C 30 82 01 C8 A0 03 02 01 02 02 14 78 94 3718 00020: DC 9D 92 09 77 80 91 91 64 2F 1D AE DC 26 BA 3B 3719 00030: 51 04 30 0A 06 08 2A 85 03 07 01 01 03 03 30 19 3720 00040: 31 17 30 15 06 03 55 04 03 13 0E 43 41 20 43 65 3721 00050: 72 74 69 66 69 63 61 74 65 30 1E 17 0D 31 38 30 3722 00060: 31 30 32 30 30 30 30 31 31 5A 17 0D 32 32 30 31 3723 00070: 30 32 30 30 30 30 32 31 5A 30 21 31 1F 30 1D 06 3724 00080: 03 55 04 03 13 16 53 65 72 76 65 72 20 35 31 32 3725 00090: 20 43 65 72 74 69 66 69 63 61 74 65 30 81 AA 30 3726 000a0: 21 06 08 2A 85 03 07 01 01 01 02 30 15 06 09 2A 3727 000b0: 85 03 07 01 02 01 02 01 06 08 2A 85 03 07 01 01 3728 000c0: 02 03 03 81 84 00 04 81 80 95 67 94 9F 6A BF A3 3729 000d0: D9 89 1C 70 21 F2 89 FD 24 14 1B 84 E3 23 29 24 3730 000e0: B8 58 91 38 55 46 79 54 E0 7A 9B 2E 9D 85 AC 2E 3731 000f0: 0B 99 3E 43 D5 13 6A F3 97 6D 23 24 48 99 43 41 3732 00100: 20 C8 8A 27 C0 66 05 DB 16 CF D4 0F A0 C4 77 20 3733 00110: 08 6D A0 15 16 76 44 04 22 82 32 F7 F7 F2 26 98 3734 00120: 62 80 DA FF AA 99 BB 6F 7D 5A E6 4A 5A 28 CB 02 3735 00130: FD B8 4F E2 0D D5 7A AE A5 35 16 BB 2B F1 85 6B 3736 00140: BC C8 23 BD C5 DE 80 1E D0 A3 81 93 30 81 90 30 3737 00150: 0C 06 03 55 1D 13 01 01 FF 04 02 30 00 30 1A 06 3738 00160: 03 55 1D 11 04 13 30 11 82 09 6C 6F 63 61 6C 68 3739 00170: 6F 73 74 87 04 7F 00 00 01 30 13 06 03 55 1D 25 3740 00180: 04 0C 30 0A 06 08 2B 06 01 05 05 07 03 01 30 0F 3741 00190: 06 03 55 1D 0F 01 01 FF 04 05 03 03 07 B0 00 30 3742 001a0: 1D 06 03 55 1D 0E 04 16 04 14 AE 46 41 1B FD B3 3743 001b0: 08 C3 39 03 47 57 57 2B 0F BF A3 6F 9A 99 30 1F 3744 001c0: 06 03 55 1D 23 04 18 30 16 80 14 7F 7B 7A 15 61 3745 001d0: A6 F2 18 A2 E3 48 3B C6 39 D9 7F 42 DB 6D AF 30 3746 001e0: 0A 06 08 2A 85 03 07 01 01 03 03 03 81 81 00 9C 
3747 001f0: 49 78 F7 1B AB 54 8A 25 6D 2A 18 7C A8 4D 72 4F 3748 00200: E1 EF A7 E5 36 67 2E 79 1F 8A 0C B6 74 1E B1 63 3749 00210: E2 96 37 8C 5B 82 83 EE DA B4 1B A4 22 1E BC E2 3750 00220: 05 F6 F8 79 CF EB F0 AD E9 36 07 0F B2 40 E5 0D 3751 00230: 04 37 03 7F 2A EC 99 C7 CD 23 9F 6F 20 25 A8 6C 3752 00240: 12 D5 1F 99 C9 8A 4A 99 04 F0 EA 54 86 FE D7 FF 3753 00250: 66 AB 8E B2 42 5E 1A CE AE 8A 75 8B DF 84 3B E1 3754 00260: A8 F6 FE BF 67 30 15 FE D7 AB 86 53 3D BF 20 3756 ---------------------------Server--------------------------- 3758 ServerHelloDone message: 3759 msg_type: 0E 3760 length: 000000 3761 body: -- 3763 00000: 0E 00 00 00 3765 Record layer message:: 3766 type: 16 3767 version: 3768 major: 03 3769 minor: 03 3770 length: 0004 3771 fragment: 0E000000 3773 00000: 16 03 03 00 04 0E 00 00 00 3775 ---------------------------Client--------------------------- 3777 PMS: 3778 00000: CE 0D D6 B6 70 42 12 15 2B E4 69 5A 7E 89 F6 4C 3779 00010: 89 29 A4 0D BF 0A 5A 55 C2 CE 00 2B 06 BA B6 2F 3781 Random d_eph value: 3782 0xC96486B1A3732389A162F5AD0145D537 3783 43C9AC27D42ACF1091CE7EF67E6C3CCA 3784 0F6C879B2DA3C1607648BAEB96471BD2 3785 078DF5CAAA4FA83ECC0FFD6D3C8E5D56 3787 Q_eph ephemeral key: 3788 x = 0x4B9CB381BCC737E493E43B2D7FD95BFE 3789 2AEF6BE8F6224882E5E559ADA08170DC 3790 49A815B3A1B3B323D2B50195153CFC60 3791 DD6139C3770C5762A6A7719FABF84BFB 3793 y = 0x95CEF28392C846A5EEFCB51C84E4960A 3794 77B77D0D85EBD22061BFDA0013C5AB6C 3795 42DDD04973F65D2AEB8A5427A53D6872 3796 CF2D68F5F722C4640D7AAF2E0194FBD0 3798 HASH(r_c | r_s): 3799 00000: FB F3 9D 10 E8 00 AF 70 E7 AA 22 C1 10 DA 94 A9 3800 00010: 9A 58 98 D8 45 27 C7 CB DE C1 1E 53 39 90 6A 1A 3802 K_EXP: 3803 00000: 3F D9 99 D1 68 4A 15 CC 9B DD 5A 35 06 7A F6 98 3804 00010: 17 15 00 22 E0 95 54 AC 79 1A 60 F1 61 F5 53 49 3806 IV: 3807 00000: FB F3 9D 10 E8 00 AF 70 3809 CEK_ENC: 3810 00000: D6 22 D1 67 A5 64 2E 29 52 5A 29 5C B9 F2 8F 96 3811 00010: F2 8B 0E FA A7 D3 A2 BE E1 49 B0 11 78 C2 DF D5 3813 CEK_MAC: 
3814 00000: 4C 93 36 57 3816 PMSEXP: 3817 00000: FB F3 9D 10 E8 00 AF 70 D6 22 D1 67 A5 64 2E 29 3818 00010: 52 5A 29 5C B9 F2 8F 96 F2 8B 0E FA A7 D3 A2 BE 3819 00020: E1 49 B0 11 78 C2 DF D5 4C 93 36 57 3821 ---------------------------Client--------------------------- 3823 ClientKeyExchange message: 3824 msg_type: 10 3825 length: 0000F5 3826 body: 3827 exchange_keys: 3081F23081EF30280420D622D167A564 3828 2E29525A295CB9F28F96F28B0EFAA7D3 3829 A2BEE149B01178C2DFD504044C933657 3830 . . . 3831 DABF6120D2EB850D7DB7770A96E4841C 3832 B5FCEEA546C89283F2CE950408FBF39D 3833 10E800AF70 3835 00000: 10 00 00 F5 30 81 F2 30 81 EF 30 28 04 20 D6 22 3836 00010: D1 67 A5 64 2E 29 52 5A 29 5C B9 F2 8F 96 F2 8B 3837 00020: 0E FA A7 D3 A2 BE E1 49 B0 11 78 C2 DF D5 04 04 3838 00030: 4C 93 36 57 A0 81 C2 06 09 2A 85 03 07 01 02 05 3839 00040: 01 01 A0 81 AA 30 21 06 08 2A 85 03 07 01 01 01 3840 00050: 02 30 15 06 09 2A 85 03 07 01 02 01 02 01 06 08 3841 00060: 2A 85 03 07 01 01 02 03 03 81 84 00 04 81 80 FB 3842 00070: 4B F8 AB 9F 71 A7 A6 62 57 0C 77 C3 39 61 DD 60 3843 00080: FC 3C 15 95 01 B5 D2 23 B3 B3 A1 B3 15 A8 49 DC 3844 00090: 70 81 A0 AD 59 E5 E5 82 48 22 F6 E8 6B EF 2A FE 3845 000A0: 5B D9 7F 2D 3B E4 93 E4 37 C7 BC 81 B3 9C 4B D0 3846 000B0: FB 94 01 2E AF 7A 0D 64 C4 22 F7 F5 68 2D CF 72 3847 000C0: 68 3D A5 27 54 8A EB 2A 5D F6 73 49 D0 DD 42 6C 3848 000D0: AB C5 13 00 DA BF 61 20 D2 EB 85 0D 7D B7 77 0A 3849 000E0: 96 E4 84 1C B5 FC EE A5 46 C8 92 83 F2 CE 95 04 3850 000F0: 08 FB F3 9D 10 E8 00 AF 70 3852 Record layer message: 3853 type: 16 3854 version: 3855 major: 03 3856 minor: 03 3857 length: 00F9 3858 fragment: 100000F53081F23081EF30280420D622 3859 D167A5642E29525A295CB9F28F96F28B 3860 0EFAA7D3A2BEE149B01178C2DFD50404 3861 . . . 
3862 ABC51300DABF6120D2EB850D7DB7770A 3863 96E4841CB5FCEEA546C89283F2CE9504 3864 08FBF39D10E800AF70 3866 00000: 16 03 03 00 F9 10 00 00 F5 30 81 F2 30 81 EF 30 3867 00010: 28 04 20 D6 22 D1 67 A5 64 2E 29 52 5A 29 5C B9 3868 00020: F2 8F 96 F2 8B 0E FA A7 D3 A2 BE E1 49 B0 11 78 3869 00030: C2 DF D5 04 04 4C 93 36 57 A0 81 C2 06 09 2A 85 3870 00040: 03 07 01 02 05 01 01 A0 81 AA 30 21 06 08 2A 85 3871 00050: 03 07 01 01 01 02 30 15 06 09 2A 85 03 07 01 02 3872 00060: 01 02 01 06 08 2A 85 03 07 01 01 02 03 03 81 84 3873 00070: 00 04 81 80 FB 4B F8 AB 9F 71 A7 A6 62 57 0C 77 3874 00080: C3 39 61 DD 60 FC 3C 15 95 01 B5 D2 23 B3 B3 A1 3875 00090: B3 15 A8 49 DC 70 81 A0 AD 59 E5 E5 82 48 22 F6 3876 000A0: E8 6B EF 2A FE 5B D9 7F 2D 3B E4 93 E4 37 C7 BC 3877 000B0: 81 B3 9C 4B D0 FB 94 01 2E AF 7A 0D 64 C4 22 F7 3878 000C0: F5 68 2D CF 72 68 3D A5 27 54 8A EB 2A 5D F6 73 3879 000D0: 49 D0 DD 42 6C AB C5 13 00 DA BF 61 20 D2 EB 85 3880 000E0: 0D 7D B7 77 0A 96 E4 84 1C B5 FC EE A5 46 C8 92 3881 000F0: 83 F2 CE 95 04 08 FB F3 9D 10 E8 00 AF 70 3883 ---------------------------Client--------------------------- 3884 HASH(HM): 3885 00000: F8 D6 FE EB 17 64 4D 17 B0 38 36 A6 51 EB 87 69 3886 00010: BD EA A2 D3 EB 18 47 F6 91 91 42 7C 30 D0 17 8E 3888 MS: 3889 00000: BE 57 46 C8 BB B7 84 7E 97 8F D4 C9 4F 52 34 52 3890 00010: 44 2C 8E B1 72 FD E6 28 1C 18 C5 44 63 B1 F9 4C 3891 00020: 2B D9 81 40 05 41 6D BB 0F 90 A5 7E A4 E0 6B 50 3893 Client connection key material 3894 K_write_MAC|K_read_MAC|K_write_ENC|K_read_ENC|IV_write|IV_read: 3895 00000: F3 37 F6 A8 6F F3 1F CA 52 EA 64 7C DE E3 B7 83 3896 00010: 34 AB 77 B5 7F E0 DB 2F C0 C8 71 EC DC AC A5 A8 3897 00020: FB A0 4C 21 32 82 3A 24 96 EF 93 6F 0E BC F3 0E 3898 00030: A0 CB 7E AF 6C A7 94 75 4F 1F 45 B1 77 22 DE B4 3899 00040: 4E 5B C3 2D 44 30 AF 58 93 11 6A CF 81 A3 BE 0C 3900 00050: 90 D2 EA 8E 76 E0 84 07 28 BA F5 E2 B2 F9 40 C0 3901 00060: AE 18 26 7B B6 34 C1 6A 1D 1A C1 24 73 50 95 4B 3902 00070: 2F EE 9B 77 F3 0D 
18 D5 54 01 2B 43 78 60 87 0A 3903 00080: D9 21 A8 4B 07 FF 98 AF 8C 82 38 6B 91 FB BA 64 3905 ---------------------------Server--------------------------- 3907 PMSEXP extracted: 3908 00000: FB F3 9D 10 E8 00 AF 70 D6 22 D1 67 A5 64 2E 29 3909 00010: 52 5A 29 5C B9 F2 8F 96 F2 8B 0E FA A7 D3 A2 BE 3910 00020: E1 49 B0 11 78 C2 DF D5 4C 93 36 57 3912 HASH(r_c | r_s): 3913 00000: FB F3 9D 10 E8 00 AF 70 E7 AA 22 C1 10 DA 94 A9 3914 00010: 9A 58 98 D8 45 27 C7 CB DE C1 1E 53 39 90 6A 1A 3916 K_EXP: 3917 00000: 3F D9 99 D1 68 4A 15 CC 9B DD 5A 35 06 7A F6 98 3918 00010: 17 15 00 22 E0 95 54 AC 79 1A 60 F1 61 F5 53 49 3920 PMS: 3921 00000: CE 0D D6 B6 70 42 12 15 2B E4 69 5A 7E 89 F6 4C 3922 00010: 89 29 A4 0D BF 0A 5A 55 C2 CE 00 2B 06 BA B6 2F 3924 ---------------------------Server--------------------------- 3926 HASH(HM): 3927 00000: F8 D6 FE EB 17 64 4D 17 B0 38 36 A6 51 EB 87 69 3928 00010: BD EA A2 D3 EB 18 47 F6 91 91 42 7C 30 D0 17 8E 3930 MS: 3932 00000: BE 57 46 C8 BB B7 84 7E 97 8F D4 C9 4F 52 34 52 3933 00010: 44 2C 8E B1 72 FD E6 28 1C 18 C5 44 63 B1 F9 4C 3934 00020: 2B D9 81 40 05 41 6D BB 0F 90 A5 7E A4 E0 6B 50 3936 Client connection key material 3937 K_read_MAC|K_write_MAC|K_read_ENC|K_write_ENC|IV_read|IV_write: 3938 00000: F3 37 F6 A8 6F F3 1F CA 52 EA 64 7C DE E3 B7 83 3939 00010: 34 AB 77 B5 7F E0 DB 2F C0 C8 71 EC DC AC A5 A8 3940 00020: FB A0 4C 21 32 82 3A 24 96 EF 93 6F 0E BC F3 0E 3941 00030: A0 CB 7E AF 6C A7 94 75 4F 1F 45 B1 77 22 DE B4 3942 00040: 4E 5B C3 2D 44 30 AF 58 93 11 6A CF 81 A3 BE 0C 3943 00050: 90 D2 EA 8E 76 E0 84 07 28 BA F5 E2 B2 F9 40 C0 3944 00060: AE 18 26 7B B6 34 C1 6A 1D 1A C1 24 73 50 95 4B 3945 00070: 2F EE 9B 77 F3 0D 18 D5 54 01 2B 43 78 60 87 0A 3946 00080: D9 21 A8 4B 07 FF 98 AF 8C 82 38 6B 91 FB BA 64 3948 ---------------------------Client--------------------------- 3950 ChangeCipherSpec message: 3951 type: 01 3953 00000: 01 3955 Record layer message: 3956 type: 14 3957 version: 3958 major: 03 3959 minor: 03 
3960 length: 0001 3961 fragment: 01 3963 00000: 14 03 03 00 01 01 3965 ---------------------------Client--------------------------- 3967 HASH(HM): 3968 00000: F8 D6 FE EB 17 64 4D 17 B0 38 36 A6 51 EB 87 69 3969 00010: BD EA A2 D3 EB 18 47 F6 91 91 42 7C 30 D0 17 8E 3971 Finished message: 3972 msg_type: 14 3973 length: 00000C 3974 body: 3975 verify_data: D3EE1DEA725CD7080C744311 3977 00000: 14 00 00 0C D3 EE 1D EA 72 5C D7 08 0C 74 43 11 3978 Record layer message: 3979 type: 16 3980 version: 3981 major: 03 3982 minor: 03 3983 length: 0014 3984 fragment: 8854A0ED0CCBDAE076FA7D22D763A8D1 3985 AF701BBB 3987 00000: 16 03 03 00 14 88 54 A0 ED 0C CB DA E0 76 FA 7D 3988 00010: 22 D7 63 A8 D1 AF 70 1B BB 3990 ---------------------------Server--------------------------- 3992 ChangeCipherSpec message: 3993 type: 01 3995 00000: 01 3997 Record layer message: 3998 type: 14 3999 version: 4000 major: 03 4001 minor: 03 4002 length: 0001 4003 fragment: 01 4005 00000: 14 03 03 00 01 01 4007 ---------------------------Server--------------------------- 4009 HASH(HM): 4010 00000: 9C 9F C4 E3 32 5B 5F B3 70 B9 94 2A 71 D2 6E F0 4011 00010: 10 71 D8 A5 A1 8F 69 E8 C2 0B 70 CC 90 E9 A9 46 4013 Finished message: 4014 msg_type: 14 4015 length: 00000C 4016 body: 4017 verify_data: D6A2A697E9F23DB0F9017A79 4019 00000: 14 00 00 0C D6 A2 A6 97 E9 F2 3D B0 F9 01 7A 79 4021 Record layer message: 4022 type: 16 4023 version: 4024 major: 03 4025 minor: 03 4026 length: 0014 4027 fragment: 7BDDBB3C0A6A4A9E302B468CCD5CF786 4028 665FFEBC 4030 00000: 16 03 03 00 14 7B DD BB 3C 0A 6A 4A 9E 30 2B 46 4031 00010: 8C CD 5C F7 86 66 5F FE BC 4033 ---------------------------Client--------------------------- 4035 Application data: 4036 00000: 48 45 4C 4F 0A 4038 Record layer message: 4039 type: 17 4040 version: 4041 major: 03 4042 minor: 03 4043 length: 0009 4044 fragment: A8951D9389D1AEFE3B 4046 00000: 17 03 03 00 09 A8 95 1D 93 89 D1 AE FE 3B 4048 ---------------------------Server--------------------------- 
4050 Application data: 4051 00000: 48 45 4C 4F 0A 4053 Record layer message: 4054 type: 17 4055 version: 4056 major: 03 4057 minor: 03 4058 length: 0009 4059 fragment: 0F368E5CEC86B4F8D7 4061 00000: 17 03 03 00 09 0F 36 8E 5C EC 86 B4 F8 D7 4063 ---------------------------Client--------------------------- 4065 close_notify alert: 4066 Alert: 4067 level: 01 4068 description: 00 4070 00000: 01 00 4072 Record layer message: 4073 type: 15 4074 version: 4075 major: 03 4076 minor: 03 4077 length: 0006 4078 fragment: F91FCD98F309 4080 00000: 15 03 03 00 06 F9 1F CD 98 F3 09 4082 ---------------------------Server--------------------------- 4084 close_notify alert: 4085 Alert: 4086 level: 01 4087 description: 00 4089 00000: 01 00 4091 Record layer message: 4092 type: 15 4093 version: 4094 major: 03 4095 minor: 03 4096 length: 0006 4097 fragment: 117B57AD5FED 4099 00000: 15 03 03 00 06 11 7B 57 AD 5F ED 4101 Appendix B. Contributors 4103 o Evgeny Alekseev 4104 CryptoPro 4105 alekseev@cryptopro.ru 4107 o Ekaterina Smyshlyaeva 4108 CryptoPro 4109 ess@cryptopro.ru 4111 o Grigory Sedov 4112 CryptoPro 4113 sedovgk@cryptopro.ru 4115 o Dmitry Eremin-Solenikov 4116 Auriga 4117 dbaryshkov@gmail.com 4119 Appendix C. Acknowledgments 4121 Authors' Addresses 4123 Stanislav Smyshlyaev (editor) 4124 CryptoPro 4125 18, Suschevsky val 4126 Moscow 127018 4127 Russian Federation 4129 Phone: +7 (495) 995-48-20 4130 Email: svs@cryptopro.ru 4132 Dmitry Belyavsky 4133 Cryptocom 4134 14/2 Kedrova st 4135 Moscow 117218 4136 Russian Federation 4138 Email: beldmit@gmail.com 4140 Markku-Juhani O. Saarinen 4141 Independent Consultant 4143 Email: mjos@iki.fi
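The following is an added example and not code from this draft or from any implementation it describes: a Python 3 script (standard library only, so no GOST primitive is computed) that parses the ClientHello and ServerHello records from the test vectors above, checks that every length field agrees with the bytes actually present before any field behind it is read, decodes the signature_algorithms and renegotiation_info extensions, cuts PMSEXP into the IV | CEK_ENC | CEK_MAC layout shown, and labels the 144-byte key block from both the client's and the server's point of view so that the client's write keys come out as the server's read keys. The byte strings are copied from the vectors; the one assumption is that MAC and encryption keys are 32 bytes and IVs 8 bytes, which is what makes the 144-byte block divide evenly.

```python
"""Parse the TLS 1.2 records of the test vectors and split the derived key material.
Added example, not part of the draft; standard library only (no GOST crypto here)."""
import struct

# Constructed inputs, copied from the record layer dumps in the test vectors.
CLIENT_HELLO_RECORD = bytes.fromhex(
    "160303003E0100003A03036A523D6880DCC2DC75CCC43CFD04B616F5C3757B8077B76A9B50"
    "4949FD3BFDB8000002C1020100000F000D0006000408410840FF01000100")
SERVER_HELLO_RECORD = bytes.fromhex(
    "16030300510200004D0303FE92C9516D0E1A67A04C33CD7F2C90B15E76DCC30815C19F92A6"
    "D100915AF2DB2012AAA5E5779014711CCD6D265BDEE5191026431C83768EE5EB"
    "5A157F940BE9FBC102000005FF01000100")
# PMSEXP (IV | CEK_ENC | CEK_MAC) and the client's 144-byte key block, same source.
PMSEXP = bytes.fromhex(
    "FBF39D10E800AF70D622D167A5642E29525A295CB9F28F96F28B0EFAA7D3A2BE"
    "E149B01178C2DFD54C933657")
KEY_BLOCK = bytes.fromhex(
    "F337F6A86FF31FCA52EA647CDEE3B78334AB77B57FE0DB2FC0C871ECDCACA5A8"
    "FBA04C2132823A2496EF936F0EBCF30EA0CB7EAF6CA794754F1F45B17722DEB4"
    "4E5BC32D4430AF5893116ACF81A3BE0C90D2EA8E76E0840728BAF5E2B2F940C0"
    "AE18267BB634C16A1D1AC1247350954B2FEE9B77F30D18D554012B437860870A"
    "D921A84B07FF98AF8C82386B91FBBA64")
# Assumption: 256-bit MAC/ENC keys and 64-bit IVs; 4*32 + 2*8 = 144 = len(KEY_BLOCK).
KEY_LEN, IV_LEN = 32, 8


def parse_record(record: bytes):
    """Split a TLS record into (content_type, version, fragment); reject bad lengths."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, major, minor, length = struct.unpack("!BBBH", record[:5])
    if len(record) != 5 + length:
        raise ValueError(f"record length {length} but {len(record) - 5} payload bytes")
    return ctype, (major, minor), record[5:]


def parse_handshake(fragment: bytes):
    """Split a handshake fragment into (msg_type, body); check the 24-bit length."""
    if len(fragment) < 4:
        raise ValueError("truncated handshake header")
    msg_type, length = fragment[0], int.from_bytes(fragment[1:4], "big")
    if len(fragment) != 4 + length:
        raise ValueError(f"handshake length {length} but {len(fragment) - 4} body bytes")
    return msg_type, fragment[4:]


def parse_hello(msg_type: int, body: bytes) -> dict:
    """Parse a ClientHello (1) or ServerHello (2) body into fields and raw extensions."""
    version, random_, pos = body[:2], body[2:34], 34
    sid_len = body[pos]
    session_id, pos = body[pos + 1:pos + 1 + sid_len], pos + 1 + sid_len
    if msg_type == 1:                       # ClientHello: vectors of offers
        cs_len = int.from_bytes(body[pos:pos + 2], "big"); pos += 2
        suites = [body[i:i + 2].hex().upper() for i in range(pos, pos + cs_len, 2)]
        pos += cs_len
        cm_len = body[pos]; pos += 1
        methods = list(body[pos:pos + cm_len]); pos += cm_len
    elif msg_type == 2:                     # ServerHello: the single selection
        suites = [body[pos:pos + 2].hex().upper()]; pos += 2
        methods = [body[pos]]; pos += 1
    else:
        raise ValueError(f"msg_type {msg_type} is not a Hello")
    ext_len = int.from_bytes(body[pos:pos + 2], "big"); pos += 2
    if pos + ext_len != len(body):
        raise ValueError("extensions length does not end at the body end")
    exts = {}
    while pos < len(body):                  # extension_type(2) | length(2) | data
        etype = int.from_bytes(body[pos:pos + 2], "big")
        elen = int.from_bytes(body[pos + 2:pos + 4], "big")
        exts[etype] = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
    return {"version": version.hex(), "random": random_.hex().upper(),
            "session_id": session_id.hex().upper(), "cipher_suites": suites,
            "compression_methods": methods, "extensions": exts}


def parse_hello_record(record: bytes) -> dict:
    """Record -> handshake -> Hello, accepting only TLS 1.2 handshake records."""
    ctype, version, fragment = parse_record(record)
    if ctype != 0x16 or version != (3, 3):
        raise ValueError("not a TLS 1.2 handshake record")
    return parse_hello(*parse_handshake(fragment))


def signature_algorithms(ext_data: bytes):
    """Decode signature_algorithms (0x000D) data into (hash, signature) byte pairs."""
    n = int.from_bytes(ext_data[:2], "big")
    if n % 2 or 2 + n != len(ext_data):
        raise ValueError("malformed supported_signature_algorithms vector")
    return [(ext_data[i], ext_data[i + 1]) for i in range(2, 2 + n, 2)]


def split_pmsexp(pmsexp: bytes) -> dict:
    """Cut PMSEXP into IV (8) | CEK_ENC (32) | CEK_MAC (4), the layout in the vectors."""
    if len(pmsexp) != 8 + 32 + 4:
        raise ValueError("unexpected PMSEXP length")
    return {"iv": pmsexp[:8], "cek_enc": pmsexp[8:40], "cek_mac": pmsexp[40:]}


def split_key_block(kb: bytes, role: str) -> dict:
    """Label the key block from one side's view. Block order: client_write_MAC,
    server_write_MAC, client_write_ENC, server_write_ENC, client IV, server IV,
    so the client's write keys are the server's read keys and vice versa."""
    if len(kb) != 4 * KEY_LEN + 2 * IV_LEN:
        raise ValueError("unexpected key block length")
    c_mac, s_mac = kb[:KEY_LEN], kb[KEY_LEN:2 * KEY_LEN]
    c_enc, s_enc = kb[2 * KEY_LEN:3 * KEY_LEN], kb[3 * KEY_LEN:4 * KEY_LEN]
    c_iv, s_iv = kb[4 * KEY_LEN:4 * KEY_LEN + IV_LEN], kb[4 * KEY_LEN + IV_LEN:]
    if role == "client":
        w, r = (c_mac, c_enc, c_iv), (s_mac, s_enc, s_iv)
    elif role == "server":
        w, r = (s_mac, s_enc, s_iv), (c_mac, c_enc, c_iv)
    else:
        raise ValueError(f"unknown role {role!r}")
    return {"write_mac": w[0], "write_enc": w[1], "write_iv": w[2],
            "read_mac": r[0], "read_enc": r[1], "read_iv": r[2]}


if __name__ == "__main__":
    for name, rec in (("ClientHello", CLIENT_HELLO_RECORD), ("ServerHello", SERVER_HELLO_RECORD)):
        h = parse_hello_record(rec)
        print(name, h["cipher_suites"], sorted(hex(t) for t in h["extensions"]))
    print("PMSEXP IV:", split_pmsexp(PMSEXP)["iv"].hex().upper())
    print("client write MAC == server read MAC:",
          split_key_block(KEY_BLOCK, "client")["write_mac"]
          == split_key_block(KEY_BLOCK, "server")["read_mac"])
```

Running the script prints the negotiated suite (C102) and the extension types of each Hello, the IV recovered from PMSEXP (which is the first 8 bytes of HASH(r_c | r_s) in the vectors), and confirms that the two sides' labelling of the same key block is mirror-symmetric. Feeding parse_record a record whose length field disagrees with its payload raises ValueError before any inner field is touched, which is the order of checks a record parser needs to keep.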