idnits 2.17.1

draft-smyshlyaev-tls12-gost-suites-16.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (1 September 2021) is 968 days in the past.  Is this
     intentional?

  -- Found something which looks like a code comment -- if you have code
     sections in the document, please surround them with '' and '' lines.

  Checking references for intended status: Informational
  ----------------------------------------------------------------------------

  == Missing Reference: 'ChangeCipherSpec' is mentioned on line 427, but not
     defined

  -- Looks like a reference, but probably isn't: '0' on line 694

  ** Obsolete normative reference: RFC 5246 (Obsoleted by RFC 8446)

     Summary: 1 error (**), 0 flaws (~~), 2 warnings (==), 3 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

Network Working Group                                  S.V. Smyshlyaev, Ed.
Internet-Draft                                                     CryptoPro
Intended status: Informational                                 D. Belyavskiy
Expires: 5 March 2022                                              Cryptocom
                                                           M.-J.S. Saarinen
                                                      Independent Consultant
                                                              E.K. Alekseev
                                                                  CryptoPro
                                                           1 September 2021

   GOST Cipher Suites for Transport Layer Security (TLS) Protocol Version
                                    1.2
                    draft-smyshlyaev-tls12-gost-suites-16

Abstract

   This document specifies three new cipher suites, two new signature
   algorithms, seven new supported groups and two new certificate types
   for the Transport Layer Security (TLS) protocol Version 1.2 to
   support the Russian cryptographic standard algorithms (called GOST
   algorithms).  This document specifies a profile of TLS 1.2 with GOST
   algorithms so that implementers can produce interoperable
   implementations.

   This specification is developed to facilitate implementations that
   wish to support the GOST algorithms.  This document does not imply
   IETF endorsement of the cipher suites, signature algorithms,
   supported groups and certificate types.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 5 March 2022.

Copyright Notice

   Copyright (c) 2021 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Simplified BSD License text
   as described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Conventions Used in This Document
   3.  Basic Terms and Definitions
   4.  Cipher Suite Definitions
     4.1.  Record Payload Protection
       4.1.1.  CTR_OMAC
       4.1.2.  CNT_IMIT
     4.2.  Key Exchange and Authentication
       4.2.1.  Hello Messages
       4.2.2.  Server Certificate
       4.2.3.  CertificateRequest
       4.2.4.  ClientKeyExchange
         4.2.4.1.  CTR_OMAC
         4.2.4.2.  CNT_IMIT
       4.2.5.  CertificateVerify
       4.2.6.  Finished
     4.3.  Cryptographic Algorithms
       4.3.1.  Block Cipher
       4.3.2.  MAC algorithm
       4.3.3.  Encryption algorithm
       4.3.4.  PRF and HASH algorithms
       4.3.5.  SNMAX parameter
   5.  New Values for the SignatureAlgorithm Registry
   6.  New Values for the Supported Groups Registry
   7.  New Values for the ClientCertificateType Identifiers Registry
   8.  Additional Algorithms
     8.1.  TLSTREE
       8.1.1.  Key Tree Parameters
     8.2.  Key export and key import algorithms
       8.2.1.  KExp15 and KImp15 Algorithms
       8.2.2.  KExp28147 and KImp28147 Algorithms
     8.3.  Key Exchange Generation Algorithms
       8.3.1.  KEG Algorithm
       8.3.2.  KEG_28147 Algorithm
     8.4.  gostIMIT28147
   9.  IANA Considerations
   10. Historical Considerations
   11. Security Considerations
   12. References
     12.1.  Normative References
     12.2.  Informative References
   Appendix A.  Test Examples
     A.1.  Test Examples for CTR_OMAC cipher suites
       A.1.1.  TLSTREE Examples
         A.1.1.1.  TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC ciphersuite
         A.1.1.2.  TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC ciphersuite
       A.1.2.  Record Examples
         A.1.2.1.  TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC ciphersuite
         A.1.2.2.  TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC ciphersuite
       A.1.3.  Handshake Examples
         A.1.3.1.  TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC ciphersuite
         A.1.3.2.  TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC ciphersuite
     A.2.  Test Examples for CNT_IMIT cipher suites
       A.2.1.  Record Examples
       A.2.2.  Handshake Examples
   Appendix B.  Contributors
   Appendix C.  Acknowledgments
   Authors' Addresses

1.  Introduction

   This document specifies three new cipher suites, two new signature
   algorithms, seven new supported groups and two new certificate types
   for the Transport Layer Security (TLS) Protocol Version 1.2 [RFC5246]
   to support the set of Russian cryptographic standard algorithms
   (called GOST algorithms).  This document specifies a profile of TLS
   1.2 with GOST algorithms so that implementers can produce
   interoperable implementations.  The profile of TLS 1.2 with GOST
   algorithms uses the hash algorithm GOST R 34.11-2012 [RFC6986] and
   the signature algorithm GOST R 34.10-2012 [RFC7091] and uses two
   types of cipher suites: the CTR_OMAC cipher suites and the CNT_IMIT
   cipher suite.

   The CTR_OMAC cipher suites use the GOST R 34.12-2015 (see [RFC7801],
   [RFC8891]) block ciphers.

   The CNT_IMIT cipher suite uses the GOST 28147-89 [RFC5830] block
   cipher.

   This document specifies the profile of the TLS protocol version 1.2
   with GOST algorithms.  The profile of the TLS protocol version 1.3
   [RFC8446] with GOST algorithms is specified in a separate document
   [DraftGostTLS13].

   This specification is developed to facilitate implementations that
   wish to support the GOST algorithms.
   This document does not imply IETF endorsement of the cipher suites,
   signature algorithms, supported groups and certificate types.

2.  Conventions Used in This Document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

3.  Basic Terms and Definitions

   This document uses the following terms and definitions for the sets
   and operations on the elements of these sets:

   B_t      the set of byte strings of length t, t >= 0; for t = 0 the
            set B_t consists of a single empty string of zero length.
            If A is an element of B_t, then A = (a_1, a_2, ... , a_t),
            where a_1, a_2, ... , a_t are in {0, ... , 255};

   B*       the set of all byte strings of a finite length (hereinafter
            referred to as strings), including the empty string;

   A[i..j]  the string A[i..j] = (a_i, a_{i+1}, ... , a_j) in B_{j-i+1},
            where A = (a_1, ... , a_t) in B_t and 1 <= i <= j <= t;

   L(A)     the length of the byte string A in bytes;

   A | C    concatenation of strings A and C both belonging to B*, i.e.,
            a string in B_{L(A)+L(C)}, where the left substring in
            B_{L(A)} is equal to A, and the right substring in B_{L(C)}
            is equal to C;

   A XOR C  bitwise exclusive-or of byte strings A and C both belonging
            to B_t (i.e., both are of length t bytes), i.e., a string in
            B_t such that if A = (a_1, a_2, ... , a_t), C = (c_1, c_2,
            ... , c_t) then A XOR C = (a_1 (xor) c_1, a_2 (xor) c_2,
            ... , a_t (xor) c_t), where (xor) is bitwise exclusive-or of
            bytes;

   i & j    bitwise AND of unsigned integers i and j;

   STR_t    the transformation that maps an integer i = 256^{t-1} * i_1 +
            ... + 256 * i_{t-1} + i_t into the byte string STR_t(i) =
            (i_1, ... , i_t) in B_t (the interpretation of the integer
            as a byte string in big-endian format);

   str_t    the transformation that maps an integer i = 256^{t-1} * i_t +
            ... + 256 * i_2 + i_1 into the byte string str_t(i) = (i_1,
            ... , i_t) in B_t (the interpretation of the integer as a
            byte string in little-endian format);

   INT      the transformation that maps a string a = (a_1, ... , a_t) in
            B_t into the integer INT(a) = 256^{t-1} * a_1 + ... + 256 *
            a_{t-1} + a_t (the interpretation of the byte string in big-
            endian format as an integer);

   int      the transformation that maps a string a = (a_1, ... , a_t) in
            B_t into the integer int(a) = 256^{t-1} * a_t + ... + 256 *
            a_2 + a_1 (the interpretation of the byte string in little-
            endian format as an integer);

   k        the length of the block cipher key in bytes;

   n        the length of the block cipher block in bytes;

   Q_c      the public key stored in the client's certificate;

   d_c      the private key that corresponds to the Q_c key;

   Q_s      the public key stored in the server's certificate;

   d_s      the private key that corresponds to the Q_s key;

   q_s      the order of the cyclic subgroup of the elliptic curve
            point group that contains the point Q_s;

   P_s      the distinguished generator of the subgroup of order q_s that
            belongs to the same curve as Q_s;

   r_c      the random string contained in the ClientHello.random field
            (see [RFC5246]);

   r_s      the random string contained in the ServerHello.random field
            (see [RFC5246]).

4.  Cipher Suite Definitions

   This document specifies the CTR_OMAC cipher suites and the CNT_IMIT
   cipher suite.

   The CTR_OMAC cipher suites have the following values:

      TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC = {0xC1, 0x00};
      TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC = {0xC1, 0x01}.

   The CNT_IMIT cipher suite has the following value:

      TLS_GOSTR341112_256_WITH_28147_CNT_IMIT = {0xC1, 0x02}.

4.1.  Record Payload Protection

   The profile of TLS 1.2 with GOST algorithms requires that compression
   is not used.

   All of the cipher suites described in this document use modes of
   operation (see Section 4.3.3) that protect the records in the same
   way as if they were protected by a stream cipher.  The TLSCiphertext
   structure for the CTR_OMAC and CNT_IMIT cipher suites is specified in
   accordance with the Standard Stream Cipher case (see Section 6.2.3.1
   of [RFC5246]):

      struct {
          ContentType type;
          ProtocolVersion version;
          uint16 length;
          GenericStreamCipher fragment;
      } TLSCiphertext;

   where TLSCiphertext.fragment is generated in accordance with
   Section 4.1.1 when a CTR_OMAC cipher suite is used and with
   Section 4.1.2 when the CNT_IMIT cipher suite is used.

   The connection key material consists of the sender_write_key (either
   the client_write_key or the server_write_key), the
   sender_write_MAC_key (either the client_write_MAC_key or the
   server_write_MAC_key) and the sender_write_IV (either the
   client_write_IV or the server_write_IV) parameters, which are
   generated in accordance with Section 6.3 of [RFC5246].

   The record key material is key material that is generated from the
   connection key material and is used to protect the record with a
   given sequence number.  Note that with some cipher suites defined in
   this document the record key material can be equal to the connection
   key material.

   In this section the TLSCiphertext.fragment generation is described
   for one particular endpoint (server or client) with the corresponding
   connection key material and record key material.

4.1.1.  CTR_OMAC

   In the case of the CTR_OMAC cipher suites the record key material
   differs from the connection key material and, for the sequence
   number seqnum, consists of:

   *  K_ENC_seqnum in B_k;

   *  K_MAC_seqnum in B_k;

   *  IV_seqnum in B_{n/2}.

   The K_ENC_seqnum and K_MAC_seqnum values are calculated using the
   TLSTREE function defined in Section 8.1, the connection key material
   and the sequence number seqnum.  IV_seqnum is calculated by adding
   the seqnum value to sender_write_IV modulo 2^{(n/2)*8}:

   *  K_ENC_seqnum = TLSTREE(sender_write_key, seqnum);

   *  K_MAC_seqnum = TLSTREE(sender_write_MAC_key, seqnum);

   *  IV_seqnum = STR_{n/2}((INT(sender_write_IV) + seqnum) mod
      2^{(n/2)*8}).

   The TLSCiphertext.fragment that corresponds to the sequence number
   seqnum is equal to the ENCValue_seqnum value, which is calculated as
   follows:

   1.  The MACValue_seqnum value is generated using the MAC algorithm
       (see Section 4.3.2) similarly to Section 6.2.3.1 of [RFC5246],
       except that the sender_write_MAC_key is replaced by the
       K_MAC_seqnum key:

          MACValue_seqnum = MAC(K_MAC_seqnum, STR_8(seqnum) | type_seqnum |
                                version_seqnum | length_seqnum |
                                fragment_seqnum),

       where type_seqnum, version_seqnum, length_seqnum and
       fragment_seqnum are the TLSCompressed.type,
       TLSCompressed.version, TLSCompressed.length and
       TLSCompressed.fragment values of the record with the seqnum
       sequence number.

   2.  The entire data together with the MACValue is encrypted with the
       ENC stream cipher (see Section 4.3.3):

          ENCValue_seqnum = ENC(K_ENC_seqnum, IV_seqnum, fragment_seqnum |
                                MACValue_seqnum),

       where fragment_seqnum is the TLSCompressed.fragment value of the
       record with the seqnum sequence number.

   Note that the profile of TLS 1.2 with GOST algorithms uses the
   authenticate-then-encrypt method (see Appendix F.4 of [RFC5246]).
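   The byte-string conventions of Section 3 and the per-record
   derivation of Section 4.1.1 are easy to get wrong at the edges
   (little- versus big-endian, the n/2-byte IV and its modular wrap).
   The following Python is an added example and is not code from the
   draft or from any GOST implementation: it implements STR_t, str_t,
   INT and int, the IV_seqnum derivation, the MAC input layout, and the
   authenticate-then-encrypt record protection with the MAC and stream
   cipher injected as callables.  demo_mac and demo_enc are stand-ins
   (HMAC-SHA256 and a SHA-256 counter keystream, an assumption made only
   for the demo) in place of OMAC and CTR-ACPKM; TLSTREE is not
   modelled, so K_ENC_seqnum and K_MAC_seqnum are passed in as
   constructed constants.

```python
import hashlib
import hmac

# --- Byte-string / integer conversions from Section 3 of the draft ---

def STR(t: int, i: int) -> bytes:
    """STR_t(i): integer i as a t-byte big-endian string."""
    return i.to_bytes(t, "big")


def str_le(t: int, i: int) -> bytes:
    """str_t(i): integer i as a t-byte little-endian string."""
    return i.to_bytes(t, "little")


def INT(a: bytes) -> int:
    """INT(a): big-endian interpretation of a byte string."""
    return int.from_bytes(a, "big")


def int_le(a: bytes) -> int:
    """int(a): little-endian interpretation of a byte string."""
    return int.from_bytes(a, "little")


# --- Per-record values for the CTR_OMAC suites (Section 4.1.1) ---

def record_iv(sender_write_iv: bytes, seqnum: int, n: int) -> bytes:
    """IV_seqnum = STR_{n/2}((INT(sender_write_IV) + seqnum) mod 2^{(n/2)*8}).

    n is the block length: 8 for Magma (4-byte IV), 16 for Kuznyechik (8-byte IV).
    """
    half = n // 2
    if len(sender_write_iv) != half:
        raise ValueError("sender_write_IV must be n/2 bytes long")
    return STR(half, (INT(sender_write_iv) + seqnum) % (1 << (half * 8)))


def mac_input(seqnum: int, ctype: int, version: bytes, fragment: bytes) -> bytes:
    """STR_8(seqnum) | type | version | length | fragment, the data MACed in step 1."""
    return STR(8, seqnum) + bytes([ctype]) + version + STR(2, len(fragment)) + fragment


def protect_record(k_enc, k_mac, iv, seqnum, ctype, version, fragment, mac, enc):
    """Step 1 then step 2: ENC(K_ENC, IV, fragment | MAC(K_MAC, header | fragment))."""
    tag = mac(k_mac, mac_input(seqnum, ctype, version, fragment))
    return enc(k_enc, iv, fragment + tag)


def unprotect_record(k_enc, k_mac, iv, seqnum, ctype, version, ciphertext, mac, enc, mac_len):
    """Receiver side: decrypt, split off the MAC, recompute it and compare in constant time."""
    plain = enc(k_enc, iv, ciphertext)  # a stream cipher decrypts with the same operation
    if len(plain) < mac_len:
        raise ValueError("bad_record_mac")
    fragment, tag = plain[:-mac_len], plain[-mac_len:]
    expected = mac(k_mac, mac_input(seqnum, ctype, version, fragment))
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad_record_mac")
    return fragment


# --- Stand-in primitives (assumption: NOT OMAC / CTR-ACPKM, demo only) ---

N = 16  # block length of the demo cipher, as for Kuznyechik


def demo_mac(key: bytes, data: bytes) -> bytes:
    """Stand-in for OMAC: HMAC-SHA256 truncated to the block length n."""
    return hmac.new(key, data, hashlib.sha256).digest()[:N]


def demo_enc(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Stand-in for CTR-ACPKM: XOR with a SHA-256 counter keystream."""
    stream = b"".join(hashlib.sha256(key + iv + STR(8, blk)).digest()
                      for blk in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))


def demo_roundtrip(seqnum: int = 3, tamper: bool = False) -> bytes:
    """Protect one application-data record with constructed keys and unprotect it again."""
    k_enc, k_mac = b"\x01" * 32, b"\x02" * 32  # constructed K_ENC_seqnum / K_MAC_seqnum
    iv = record_iv(b"\x00" * (N // 2), seqnum, N)
    fragment = b"GET / HTTP/1.1\r\n"
    ct = protect_record(k_enc, k_mac, iv, seqnum, 23, b"\x03\x03", fragment, demo_mac, demo_enc)
    if tamper:
        ct = bytes([ct[0] ^ 0x01]) + ct[1:]  # flip one bit of the ciphertext
    return unprotect_record(k_enc, k_mac, iv, seqnum, 23, b"\x03\x03", ct,
                            demo_mac, demo_enc, N)


def demo_tamper_detected(seqnum: int = 3) -> bool:
    """True if a single flipped ciphertext bit is rejected with bad_record_mac."""
    try:
        demo_roundtrip(seqnum, tamper=True)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(record_iv(b"\xff\xff\xff\xff", 1, 8).hex())  # Magma-sized IV wraps to 00000000
    print(demo_roundtrip(), demo_tamper_detected())
```

   With n = 8 (Magma) the IV is four bytes and wraps after 2^32
   records, which is consistent with the SNMAX = 2^32 - 1 limit that
   Section 4.3.5 sets for that suite; the MAC check in unprotect_record
   is the receiver's counterpart of step 1 and mirrors the
   bad_record_mac handling of Section 6.2.3.1 of [RFC5246].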
   The profile of TLS 1.2 with GOST algorithms requires that the
   encrypt_then_mac extension is not used in the ServerHello message
   (see Section 4.2.1).

4.1.2.  CNT_IMIT

   In the case of the CNT_IMIT cipher suite the record key material is
   equal to the connection key material and consists of:

   *  sender_write_key in B_k;

   *  sender_write_MAC_key in B_k;

   *  sender_write_IV in B_n.

   The TLSCiphertext.fragment that corresponds to the sequence number
   seqnum is equal to the ENCValue_seqnum value, which is calculated as
   follows:

   1.  The MACValue_seqnum value is generated by the MAC algorithm (see
       Section 4.3.2) as follows:

          MACValue_seqnum = MAC(sender_write_MAC_key, STR_8(0) | type_0 |
                                version_0 | length_0 | fragment_0 | ... |
                                STR_8(seqnum) | type_seqnum |
                                version_seqnum | length_seqnum |
                                fragment_seqnum),

       where type_i, version_i, length_i and fragment_i, i in {0, ... ,
       seqnum}, are the TLSCompressed.type, TLSCompressed.version,
       TLSCompressed.length and TLSCompressed.fragment values of the
       record with the sequence number i.

       Due to the use of the CBC-MAC based mode (see Section 4.3.2),
       producing the MACValue_seqnum value does not require processing
       all previous records again.  It is enough to store only the
       intermediate internal state of the MAC algorithm.

   2.  The entire data together with the MACValue is encrypted with the
       ENC stream cipher (see Section 4.3.3):

          ENCValue_0 | ... | ENCValue_seqnum = ENC(sender_write_key,
                sender_write_IV, fragment_0 | MACValue_0 | ... |
                fragment_seqnum | MACValue_seqnum),

       where the length of the byte string ENCValue_i in bytes is equal
       to the length of the byte string (fragment_i | MACValue_i) in
       bytes, i in {0, ... , seqnum}.

       Due to the use of the stream cipher (see Section 4.3.3),
       producing the ENCValue_seqnum value does not require processing
       all previous records again.
       It is enough to store only the intermediate internal state of the
       ENC stream cipher.

   Note that the profile of TLS 1.2 with GOST algorithms uses the
   authenticate-then-encrypt method (see Appendix F.4 of [RFC5246]).
   The profile of TLS 1.2 with GOST algorithms requires that the
   encrypt_then_mac extension is not used in the ServerHello message
   (see Section 4.2.1).

4.2.  Key Exchange and Authentication

   The profile of TLS 1.2 with GOST algorithms described in this
   document uses a key encapsulation mechanism based on Diffie-Hellman
   to share the TLS premaster secret.

      Client                                               Server

      ClientHello                  -------->
                                                      ServerHello
                                                      Certificate
                                              CertificateRequest*
                                   <--------      ServerHelloDone
      Certificate*
      ClientKeyExchange
      CertificateVerify*
      [ChangeCipherSpec]
      Finished                     -------->
                                               [ChangeCipherSpec]
                                   <--------             Finished
      Application Data             <------->     Application Data

              Figure 1: Message flow for a full handshake.

      * Indicates optional messages that are sent for
        the client authentication.

   Note: To help avoid pipeline stalls, ChangeCipherSpec is an
   independent TLS protocol content type, and is not actually
   a TLS handshake message.

   Figure 1 shows all messages involved in the TLS key establishment
   protocol (full handshake).  A ServerKeyExchange MUST NOT be sent (the
   server's certificate contains enough data to allow the client to
   exchange the premaster secret).

   The server side of the channel is always authenticated; the client
   side is optionally authenticated.  The server is authenticated by
   proving that it knows the premaster secret that is encrypted with the
   public key Q_s from the server's certificate.  The client is
   authenticated via its signature over the handshake transcript.

   In general the key exchange process for both the CTR_OMAC and the
   CNT_IMIT cipher suites consists of the following steps:

   1.  The client generates the ephemeral key pair (d_eph, Q_eph) that
       corresponds to the server's public key Q_s stored in its
       certificate.

   2.  The client generates the premaster secret PS.  The PS value is
       chosen from B_32 at random.

   3.  Using d_eph and Q_s the client generates the export key material
       (see Section 4.2.4.1 and Section 4.2.4.2) for the particular key
       export algorithm (see Section 8.2.1 and Section 8.2.2) to
       generate the export representation PSExp of the PS value.

   4.  The client sends its ephemeral public key Q_eph and the PSExp
       value in the ClientKeyExchange message.

   5.  Using its private key d_s the server generates the import key
       material (see Section 4.2.4.1 and Section 4.2.4.2) for the
       particular key import algorithm (see Section 8.2.1 and
       Section 8.2.2) to extract the premaster secret PS from the export
       representation PSExp.

   This section specifies the data structures and computations used by
   the profile of TLS 1.2 with GOST algorithms.  The specifications for
   the ClientHello, ServerHello, server Certificate, CertificateRequest,
   ClientKeyExchange, CertificateVerify and Finished handshake messages
   are described in further detail below.

4.2.1.  Hello Messages

   The ClientHello message is generated in accordance with
   Section 7.4.1.2 of [RFC5246] and must meet the following
   requirements:

   *  The ClientHello.compression_methods field MUST contain exactly one
      byte, set to zero, which corresponds to the "null" compression
      method.

   *  The ClientHello.extensions field MUST contain the
      signature_algorithms extension (see [RFC5246]).
   If the negotiated cipher suite is one of CTR_OMAC/CNT_IMIT and the
   signature_algorithms extension in the ClientHello message does not
   contain the values defined in Section 5, the server MUST either
   abort the connection or ignore this extension and behave as if the
   client had sent the signature_algorithms extension with the values
   {8, 64} and {8, 65}.

   The ServerHello message is generated in accordance with
   Section 7.4.1.3 of [RFC5246] and must meet the following
   requirements:

   *  The ServerHello.compression_method field MUST contain exactly one
      byte, set to zero, which corresponds to the "null" compression
      method.

   *  The ServerHello.extensions field MUST NOT contain the
      encrypt_then_mac extension (see [RFC7366]).

4.2.2.  Server Certificate

   This message is used to authentically convey the server's public key
   Q_s to the client and is generated in accordance with Section 7.4.2
   of [RFC5246].

   Upon receiving this message the client validates the certificate
   chain, extracts the server's public key, and checks that the key type
   is appropriate for the negotiated key exchange algorithm.  (A
   possible reason for a fatal handshake failure is that the client's
   capabilities for handling elliptic curves and point formats are
   exceeded.)

4.2.3.  CertificateRequest

   This message is sent by the server when requesting client
   authentication and is generated in accordance with Section 7.4.4 of
   [RFC5246].

   If a CTR_OMAC or the CNT_IMIT cipher suite is negotiated, the
   CertificateRequest message MUST meet the following requirements:

   *  the CertificateRequest.supported_signature_algorithm field MUST
      contain only signature/hash algorithm pairs with the values {8,
      64} or {8, 65} defined in Section 5;

   *  the CertificateRequest.certificate_types field MUST contain only
      the gost_sign256 (67) or gost_sign512 (68) values defined in
      Section 7.

4.2.4.  ClientKeyExchange

   The ClientKeyExchange message is defined as follows.

      enum { vko_kdf_gost, vko_gost } KeyExchangeAlgorithm;

      struct {
          select (KeyExchangeAlgorithm) {
              case vko_kdf_gost: GostKeyTransport;
              case vko_gost: TLSGostKeyTransportBlob;
          } exchange_keys;
      } ClientKeyExchange;

   The body of the ClientKeyExchange message consists of a
   GostKeyTransport/TLSGostKeyTransportBlob structure that contains an
   export representation of the premaster secret PS.

   The GostKeyTransport structure corresponds to the CTR_OMAC cipher
   suites and is described in Section 4.2.4.1; the
   TLSGostKeyTransportBlob structure corresponds to the CNT_IMIT cipher
   suite and is described in Section 4.2.4.2.

   The DER encoding rules are used to encode the GostKeyTransport and
   the TLSGostKeyTransportBlob structures.

4.2.4.1.  CTR_OMAC

   In the case of the CTR_OMAC cipher suites the body of the
   ClientKeyExchange message consists of the GostKeyTransport structure
   that is defined below.

   The client generates the ClientKeyExchange message in accordance with
   the following steps:

   1.  Generates the ephemeral key pair (Q_eph, d_eph), where:

          d_eph is chosen from {1, ... , q_s - 1} at random;

          Q_eph = d_eph * P_s.

   2.  Generates the premaster secret PS, where PS is chosen from B_32
       at random.

   3.  Generates the export keys (K_EXP_MAC and K_EXP_ENC) using the KEG
       algorithm defined in Section 8.3.1:

          H = HASH(r_c | r_s);

          K_EXP_MAC | K_EXP_ENC = KEG(d_eph, Q_s, H).

   4.  Generates the export representation PSExp of the premaster secret
       PS using the KExp15 algorithm defined in Section 8.2.1:

          IV = H[25..24 + n / 2];

          PSExp = KExp15(PS, K_EXP_MAC, K_EXP_ENC, IV).

   5.  Generates the ClientKeyExchange message using the
       GostKeyTransport structure that is defined as follows:

          GostKeyTransport ::= SEQUENCE {
              keyExp OCTET STRING,
              ephemeralPublicKey SubjectPublicKeyInfo,
              ukm OCTET STRING OPTIONAL
          }

          SubjectPublicKeyInfo ::= SEQUENCE {
              algorithm AlgorithmIdentifier,
              subjectPublicKey BIT STRING
          }

          AlgorithmIdentifier ::= SEQUENCE {
              algorithm OBJECT IDENTIFIER,
              parameters ANY OPTIONAL
          }

       where the keyExp field contains the PSExp value, the
       ephemeralPublicKey field contains the Q_eph value and the ukm
       field MUST be ignored by the server.

   Upon receiving the ClientKeyExchange message, the server processes
   it as follows.

   1.  Checks the following three conditions.  If any of these checks
       fails, then the server MUST abort the handshake with an alert.

       *  Q_eph belongs to the same curve as the server public key Q_s;

       *  Q_eph is not equal to the zero point;

       *  q_s * Q_eph is equal to the zero point.

   2.  Generates the export keys (K_EXP_MAC and K_EXP_ENC) using the KEG
       algorithm defined in Section 8.3.1:

          H = HASH(r_c | r_s);

          K_EXP_MAC | K_EXP_ENC = KEG(d_s, Q_eph, H).

   3.  Extracts the premaster secret PS from the export representation
       PSExp using the KImp15 algorithm defined in Section 8.2.1:

          IV = H[25..24 + n / 2];

          PS = KImp15(PSExp, K_EXP_MAC, K_EXP_ENC, IV).

4.2.4.2.  CNT_IMIT

   In the case of the CNT_IMIT cipher suite the body of the
   ClientKeyExchange message consists of a TLSGostKeyTransportBlob
   structure that is defined below.

   The client generates the ClientKeyExchange message in accordance with
   the following steps:

   1.  Generates the ephemeral key pair (Q_eph, d_eph), where:

          d_eph is chosen from {1, ... , q_s - 1} at random;

          Q_eph = d_eph * P_s.

   2.  Generates the premaster secret PS, where PS is chosen from B_32
       at random.

   3.  Generates the export key (K_EXP) using the KEG_28147 algorithm
       defined in Section 8.3.2:

       *  H = HASH(r_c | r_s);

       *  K_EXP = KEG_28147(d_eph, Q_s, H).

   4.  Generates the export representation PSExp of the premaster secret
       PS using the KExp28147 algorithm defined in Section 8.2.2:

          PSExp = IV | CEK_ENC | CEK_MAC = KExp28147(PS, K_EXP, H[1..8]).

   5.  Generates the ClientKeyExchange message using the
       TLSGostKeyTransportBlob structure that is defined as follows:

          TLSGostKeyTransportBlob ::= SEQUENCE {
              keyBlob GostR3410-KeyTransport
          }

          GostR3410-KeyTransport ::= SEQUENCE {
              sessionEncryptedKey Gost28147-89-EncryptedKey,
              transportParameters [0] IMPLICIT GostR3410-TransportParameters
                  OPTIONAL
          }

          Gost28147-89-EncryptedKey ::= SEQUENCE {
              encryptedKey Gost28147-89-Key,
              maskKey [0] IMPLICIT Gost28147-89-Key OPTIONAL,
              macKey Gost28147-89-MAC
          }

          GostR3410-TransportParameters ::= SEQUENCE {
              encryptionParamSet OBJECT IDENTIFIER,
              ephemeralPublicKey [0] IMPLICIT SubjectPublicKeyInfo OPTIONAL,
              ukm OCTET STRING
          }

       where GostR3410-KeyTransport, Gost28147-89-EncryptedKey and
       GostR3410-TransportParameters are defined according to
       Section 4.2.1 of [RFC4490].

   In the context of this document the
   GostR3410-KeyTransport.transportParameters field is always present,
   the Gost28147-89-EncryptedKey.maskKey field is omitted, and the
   GostR3410-KeyTransport.transportParameters.ephemeralPublicKey field
   is always present.

   The Gost28147-89-EncryptedKey.encryptedKey field contains the CEK_ENC
   value, the Gost28147-89-EncryptedKey.macKey field contains the
   CEK_MAC value, and the GostR3410-TransportParameters.ukm field
   contains the IV value.

   The keyBlob.transportParameters.ephemeralPublicKey field contains the
   client ephemeral public key Q_eph.
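   The three checks the server applies to Q_eph in Section 4.2.4.1 (the
   same checks apply to the CNT_IMIT case in Section 4.2.4.2) are what
   keeps a malformed ClientKeyExchange from feeding the KEG computation
   a point off the curve or a point of small order.  The following
   Python is an added example and is not code from the draft: it
   implements the checks over a constructed toy curve y^2 = x^3 + x over
   F_11 (an assumption chosen only for illustration; the real groups are
   those of Section 6).  That curve has 12 points and the subgroup
   generated by P_s = (5, 3) has prime order q_s = 3, so points of order
   2, 4, 6 and 12 exist outside it and can be used to exercise the
   third check.

```python
# Toy curve (assumption, illustration only): y^2 = x^3 + A*x + B over F_P_MOD.
P_MOD = 11
A, B = 1, 0
P_S = (5, 3)    # plays P_s: generator of the subgroup of prime order q_s
Q_S_ORDER = 3   # plays q_s
O = None        # the zero point (point at infinity)


def on_curve(pt) -> bool:
    """Check 1: the point has in-range coordinates and satisfies the curve equation."""
    if pt is O:
        return True
    x, y = pt
    return (0 <= x < P_MOD and 0 <= y < P_MOD
            and (y * y - (x ** 3 + A * x + B)) % P_MOD == 0)


def add(p1, p2):
    """Affine point addition with the usual special cases (only for on-curve points)."""
    if p1 is O:
        return p2
    if p2 is O:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return O  # P + (-P), which also covers doubling a point of order 2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def mul(k: int, pt):
    """Double-and-add scalar multiplication k * pt."""
    result, addend = O, pt
    while k:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result


def validate_ephemeral_key(q_eph) -> bool:
    """The server's three conditions from Section 4.2.4.1; False means 'abort with an alert'."""
    if not on_curve(q_eph):             # Q_eph belongs to the same curve as Q_s
        return False
    if q_eph is O:                      # Q_eph is not equal to the zero point
        return False
    if mul(Q_S_ORDER, q_eph) is not O:  # q_s * Q_eph is equal to the zero point
        return False
    return True


def client_ephemeral_key(d_eph: int):
    """Q_eph = d_eph * P_s with d_eph in {1, ..., q_s - 1}, as the client computes it."""
    if not 1 <= d_eph < Q_S_ORDER:
        raise ValueError("d_eph out of range")
    return mul(d_eph, P_S)


if __name__ == "__main__":
    for cand in (client_ephemeral_key(2), (1, 1), (0, 0), (7, 3), O):
        print(cand, validate_ephemeral_key(cand))
```

   An honest client's Q_eph passes all three checks; (1, 1) is rejected
   by the curve check, the zero point by the second, and (0, 0) (order
   2) and (7, 3) (order 12) by the third, because multiplying them by
   q_s does not give the zero point.  A real implementation performs the
   same validation on the decoded SubjectPublicKeyInfo before it is
   handed to KEG or KEG_28147.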
       The encryptionParamSet field contains the value
       1.2.643.7.1.2.5.1.1, which corresponds to the
       id-tc26-gost-28147-param-Z parameter set defined in [RFC7836].

   Upon receiving the ClientKeyExchange message, the server processes it
   as follows.

   1.  Checks the following three conditions.  If any of these checks
       fails, the server MUST abort the handshake with an alert.

       *  Q_eph belongs to the same curve as the server public key Q_s;

       *  Q_eph is not equal to the zero point;

       *  q_s * Q_eph is equal to the zero point, i.e. Q_eph lies in the
          subgroup of order q_s.

       (Together these checks reject invalid-curve and small-subgroup
       points before the server's private key d_s is applied to Q_eph.)

   2.  Generates the export key K_EXP using the KEG_28147 algorithm
       defined in Section 8.3.2:

       *  H = HASH(r_c | r_s);

       *  K_EXP = KEG_28147(d_s, Q_eph, H).

   3.  Extracts the premaster secret PS from the export representation
       PSExp using the KImp28147 algorithm defined in Section 8.2.2:

       PS = KImp28147(PSExp, K_EXP, H[1..8]).

4.2.5.  CertificateVerify

   The client generates the value sgn as follows:

      sgn = SIGN_{d_c}(handshake_messages) = str_l(r) | str_l(s)

   where SIGN_{d_c} is the GOST R 34.10-2012 [RFC7091] signature
   algorithm, d_c is the client long-term private key that corresponds
   to the client long-term public key Q_c from the client's certificate,
   l = 32 for the gostr34102012_256 value of the
   SignatureAndHashAlgorithm field and l = 64 for the gostr34102012_512
   value of the SignatureAndHashAlgorithm field.

   Here handshake_messages refers to all handshake messages sent or
   received, starting at ClientHello and up to, but not including, this
   CertificateVerify message, including the type and length fields of
   the handshake messages.

   The TLS CertificateVerify message is specified as follows.

      struct {
          SignatureAndHashAlgorithm algorithm;
          opaque signature<0..2^16-1>;
      } CertificateVerify;

   where the SignatureAndHashAlgorithm structure is specified in
   Section 5 and the CertificateVerify.signature field contains the sgn
   value.

4.2.6.  Finished

   The TLS Finished message is generated in accordance with
   Section 7.4.9 of [RFC5246].

   The verify_data_length value is equal to 32 for the CTR_OMAC cipher
   suites and is equal to 12 for the CNT_IMIT cipher suite.  The PRF
   function is defined in Section 4.3.4.

4.3.  Cryptographic Algorithms

4.3.1.  Block Cipher

   The cipher suite TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC MUST
   use Kuznyechik [RFC7801] as the base block cipher for the encryption
   and MAC algorithms.  The block length n is 16 bytes and the key
   length k is 32 bytes.

   The cipher suite TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC MUST use
   Magma [RFC8891] as the base block cipher for the encryption and MAC
   algorithms.  The block length n is 8 bytes and the key length k is 32
   bytes.

   The cipher suite TLS_GOSTR341112_256_WITH_28147_CNT_IMIT MUST use
   GOST 28147-89 [RFC5830] as the base block cipher with the parameter
   set id-tc26-gost-28147-param-Z defined in [RFC7836].  The block
   length n is 8 bytes and the key length k is 32 bytes.

4.3.2.  MAC Algorithm

   The CTR_OMAC cipher suites use as the MAC function the OMAC message
   authentication code construction defined in [GOST3413-2015], which
   can be considered the CMAC mode defined in [CMAC] with the Kuznyechik
   or Magma block cipher (see Section 4.3.1) used instead of the AES
   block cipher (see [IK2003] for details).  The resulting MAC length is
   equal to the block length and the MAC key length is 32 bytes.

   The CNT_IMIT cipher suite uses the message authentication code
   function gost28147IMIT defined in Section 8.4 with the initialization
   vector IV = IV0, where IV0 in B_8 is the string of all zeros, with
   the CryptoPro Key Meshing algorithm defined in [RFC4357].  The
   resulting MAC length is 4 bytes and the MAC key length is 32 bytes.

4.3.3.  Encryption Algorithm

   The CTR_OMAC cipher suites use the block cipher in the CTR-ACPKM
   encryption mode defined in [RFC8645] as the ENC function.  The
   section size N is 4 KB for the
   TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC cipher suite and 1 KB
   for the TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC cipher suite.

   The CNT_IMIT cipher suite uses the block cipher in the counter
   encryption mode (CNT) defined in Section 6 of [RFC5830] with the
   CryptoPro Key Meshing algorithm defined in [RFC4357] as the ENC
   function.

   Note that the counter modes used in the cipher suites described in
   this document act as stream ciphers: ciphertext is malleable without
   the MAC, and a keystream must never be reused.

4.3.4.  PRF and HASH Algorithms

   The pseudorandom function (PRF) for all the cipher suites defined in
   this document is the PRF_TLS_GOSTR3411_2012_256 function defined in
   [RFC7836].

   The hash function HASH for all the cipher suites defined in this
   document is the GOST R 34.11-2012 [RFC6986] hash algorithm with a
   32-byte (256-bit) hash code.

4.3.5.  SNMAX Parameter

   The SNMAX parameter defines the maximal value of the sequence number
   seqnum during one TLS 1.2 connection and is defined as follows:

   +----------------------------------------------+------------------+
   | CipherSuites                                 | SNMAX            |
   +----------------------------------------------+------------------+
   | TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC | SNMAX = 2^64 - 1 |
   | TLS_GOSTR341112_256_WITH_28147_CNT_IMIT      |                  |
   +----------------------------------------------+------------------+
   | TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC      | SNMAX = 2^32 - 1 |
   +----------------------------------------------+------------------+

                                 Table 1

5.  New Values for the SignatureAlgorithm Registry

   The signature/hash algorithm pairs are used to indicate to the
   server/client which algorithms can be used in digital signatures and
   are defined by the SignatureAndHashAlgorithm structure (see
   Section 7.4.1.4.1 of [RFC5246]).
   This document defines new values for the "SignatureAlgorithm
   Registry" that can be used in the SignatureAndHashAlgorithm.signature
   field of a particular signature/hash algorithm pair:

      enum {
          gostr34102012_256(64),
          gostr34102012_512(65),
      } SignatureAlgorithm;

   where the gostr34102012_256 and gostr34102012_512 values correspond
   to the GOST R 34.10-2012 [RFC7091] signature algorithm with 32-byte
   (256-bit) and 64-byte (512-bit) key length respectively.

   According to [RFC7091], the GOST R 34.10-2012 signature algorithm
   with 32-byte (256-bit) or 64-byte (512-bit) key length uses the
   GOST R 34.11-2012 [RFC6986] hash algorithm with 32-byte (256-bit) or
   64-byte (512-bit) hash code respectively (the hash algorithm is
   intrinsic to the signature algorithm).  Therefore, if the
   SignatureAndHashAlgorithm.signature field of a particular signature/
   hash pair listed in the Signature Algorithms extension is equal to
   the value 64 (gostr34102012_256) or 65 (gostr34102012_512), the
   SignatureAndHashAlgorithm.hash field of this pair MUST contain the
   "Intrinsic" value 8 (see [RFC8422]).

   So, to represent gostr34102012_256 and gostr34102012_512 in the
   signature_algorithms extension, the (hash, signature) values shall
   be (8, 64) and (8, 65) respectively.

6.  New Values for the Supported Groups Registry

   The Supported Groups extension indicates the set of elliptic curves
   supported by the client and is defined in [RFC8422] and [RFC7919].
   This document defines new values for the "Supported Groups" registry:

      enum {
          GC256A(34), GC256B(35), GC256C(36), GC256D(37),
          GC512A(38), GC512B(39), GC512C(40),
      } NamedGroup;

   where the values correspond to the following curves:

   +-------------+----------------------------------------+-----------+
   | Description | Curve Identifier Value                 | Reference |
   +-------------+----------------------------------------+-----------+
   | GC256A      | id-tc26-gost-3410-2012-256-paramSetA   | RFC 7836  |
   +-------------+----------------------------------------+-----------+
   | GC256B      | id-GostR3410-2001-CryptoPro-A-ParamSet | RFC 4357  |
   +-------------+----------------------------------------+-----------+
   | GC256C      | id-GostR3410-2001-CryptoPro-B-ParamSet | RFC 4357  |
   +-------------+----------------------------------------+-----------+
   | GC256D      | id-GostR3410-2001-CryptoPro-C-ParamSet | RFC 4357  |
   +-------------+----------------------------------------+-----------+
   | GC512A      | id-tc26-gost-3410-12-512-paramSetA     | RFC 7836  |
   +-------------+----------------------------------------+-----------+
   | GC512B      | id-tc26-gost-3410-12-512-paramSetB     | RFC 7836  |
   +-------------+----------------------------------------+-----------+
   | GC512C      | id-tc26-gost-3410-2012-512-paramSetC   | RFC 7836  |
   +-------------+----------------------------------------+-----------+

                                 Table 2

7.  New Values for the ClientCertificateType Identifiers Registry

   The ClientCertificateType field of the CertificateRequest message
   contains the list of certificate types that the client may offer and
   is defined in Section 7.4.4 of [RFC5246].
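   The following Python is an added example, not code from the draft or
   from any implementation it describes.  It builds and parses the
   TLS 1.2 structures that carry the code points registered in
   Sections 5 and 6 above and in this section: the signature_algorithms
   (type 13) and supported_groups (type 10) extensions of ClientHello,
   and the CertificateRequest body of Section 7.4.4 of [RFC5246] that
   carries the gost_sign256 (67) and gost_sign512 (68) certificate
   types.  The parser enforces the Section 5 rule that a
   gostr34102012_256/512 signature algorithm MUST be paired with the
   Intrinsic hash value 8, maps the pre-registration values 0xEE and
   0xEF noted in Section 10 onto the registered ones, and applies the
   rule of this section that a client picks gost_sign256 or
   gost_sign512 only when it holds a key of the matching size and the
   server offered both the certificate type and the matching signature
   pair.  Function names and the encoding helpers are the example's
   own; the vector encodings are those of [RFC5246] and [RFC8422].

```python
"""Wire encoding and validation of the GOST code points from Sections 5-7.
Added example, not draft code.  Encodings follow RFC 5246 / RFC 8422;
0xEE/0xEF are the pre-registration values noted in Section 10."""
import struct

HASH_INTRINSIC = 8                                  # RFC 8422
SIG_GOSTR34102012_256, SIG_GOSTR34102012_512 = 64, 65
CT_GOST_SIGN256, CT_GOST_SIGN512 = 67, 68
GROUPS = {"GC256A": 34, "GC256B": 35, "GC256C": 36, "GC256D": 37,
          "GC512A": 38, "GC512B": 39, "GC512C": 40}
# old private-use value -> (signature algorithm, certificate type) it stood for
LEGACY = {0xEE: (SIG_GOSTR34102012_256, CT_GOST_SIGN256),
          0xEF: (SIG_GOSTR34102012_512, CT_GOST_SIGN512)}


def gost_sig_alg_pairs():
    """(hash, signature) as sent on the wire: (8, 64) and (8, 65)."""
    return [(HASH_INTRINSIC, SIG_GOSTR34102012_256), (HASH_INTRINSIC, SIG_GOSTR34102012_512)]


def _vec(payload, len_bytes):
    return len(payload).to_bytes(len_bytes, "big") + payload


def _u16(buf, pos):
    if pos + 2 > len(buf):
        raise ValueError("truncated")
    return struct.unpack("!H", buf[pos:pos + 2])[0], pos + 2


def signature_algorithms_extension(pairs=None):
    """ClientHello extension type 13 carrying the GOST pairs (Section 5)."""
    body = _vec(b"".join(bytes(p) for p in (pairs or gost_sig_alg_pairs())), 2)
    return struct.pack("!HH", 13, len(body)) + body


def supported_groups_extension(groups=tuple(GROUPS.values())):
    """ClientHello extension type 10 carrying GC256A..GC512C (Section 6)."""
    body = _vec(b"".join(struct.pack("!H", g) for g in groups), 2)
    return struct.pack("!HH", 10, len(body)) + body


def certificate_request(cert_types, pairs, cas=b""):
    """CertificateRequest body (Section 7.4.4 of RFC 5246), without the Handshake header."""
    if not cert_types:
        raise ValueError("certificate_types<1..2^8-1> needs at least one entry")
    return _vec(bytes(cert_types), 1) + _vec(b"".join(bytes(p) for p in pairs), 2) + _vec(cas, 2)


def normalize_pair(hash_id, sig_id):
    """Return (hash, signature, legacy); reject a GOST signature without the Intrinsic hash."""
    if hash_id in LEGACY and sig_id == hash_id:          # old (0xEE,0xEE) / (0xEF,0xEF) encodings
        return HASH_INTRINSIC, LEGACY[hash_id][0], True
    if sig_id in (SIG_GOSTR34102012_256, SIG_GOSTR34102012_512) and hash_id != HASH_INTRINSIC:
        raise ValueError("signature %d requires hash Intrinsic (8), got %d" % (sig_id, hash_id))
    return hash_id, sig_id, False


def parse_certificate_request(body):
    if not body:
        raise ValueError("empty CertificateRequest")
    n, pos = body[0], 1
    if n == 0 or pos + n > len(body):
        raise ValueError("bad certificate_types")
    raw_types, pos = list(body[pos:pos + n]), pos + n
    m, pos = _u16(body, pos)
    if m % 2 or pos + m > len(body):
        raise ValueError("bad supported_signature_algorithms")
    pairs = [normalize_pair(body[i], body[i + 1]) for i in range(pos, pos + m, 2)]
    pos += m
    k, pos = _u16(body, pos)
    cas, pos = body[pos:pos + k], pos + k
    if pos != len(body):
        raise ValueError("length mismatch in CertificateRequest")
    legacy_ct = {old: new[1] for old, new in LEGACY.items()}
    return {"certificate_types": [legacy_ct.get(ct, ct) for ct in raw_types],
            "signature_algorithms": [(h, s) for h, s, _ in pairs],
            "certificate_authorities": cas,
            "legacy": any(l for _, _, l in pairs) or any(ct in legacy_ct for ct in raw_types)}


def choose_gost_cert_type(parsed, key_bits):
    """Section 7: use gost_sign256/512 only with a matching key and a matching offered pair."""
    ct, sig = {256: (CT_GOST_SIGN256, SIG_GOSTR34102012_256),
               512: (CT_GOST_SIGN512, SIG_GOSTR34102012_512)}[key_bits]
    offered = ct in parsed["certificate_types"] and (HASH_INTRINSIC, sig) in parsed["signature_algorithms"]
    return ct if offered else None
```

   A peer that still sends the old 0xEE/0xEF values is reported through
   the "legacy" flag rather than silently accepted, so an operator can
   decide whether to keep tolerating pre-registration encodings.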
   This document defines new values for the "ClientCertificateType
   Identifiers" registry:

      enum {
          gost_sign256(67),
          gost_sign512(68),
      } ClientCertificateType;

   To use the gost_sign256 or gost_sign512 authentication mechanism, the
   client MUST possess a certificate containing a GOST R 34.10-2012-
   capable public key that corresponds to a 32-byte (256-bit) or 64-byte
   (512-bit) signature key respectively.

   The client proves possession of the private key corresponding to the
   certified key by including a signature in the CertificateVerify
   message as described in Section 4.2.5.

8.  Additional Algorithms

   The cipher suites specified in this document rely on the additional
   algorithms specified below; the use of these algorithms is not
   confined to the TLS profile specified in this document.

8.1.  TLSTREE

   The TLSTREE function is defined as follows:

      TLSTREE(K_root, i) = KDF_3(KDF_2(KDF_1(K_root, STR_8(i & C_1)),
                                       STR_8(i & C_2)), STR_8(i & C_3)),

   where

   *  K_root in B_32;

   *  i in {0, 1, ..., 2^64 - 1};

   *  C_1, C_2, C_3 are constants defined by the particular cipher suite
      (see Section 8.1.1);

   *  KDF_j(K, D), j = 1, 2, 3, K in B_32, D in B_8, is the key
      derivation function based on the KDF_GOSTR3411_2012_256 function
      defined in [RFC7836]:

         KDF_1(K, D) = KDF_GOSTR3411_2012_256(K, "level1", D);

         KDF_2(K, D) = KDF_GOSTR3411_2012_256(K, "level2", D);

         KDF_3(K, D) = KDF_GOSTR3411_2012_256(K, "level3", D).

8.1.1.  Key Tree Parameters

   The CTR_OMAC cipher suites use the TLSTREE function for the re-keying
   approach.  The constants for it are defined in the table below.
   Each C_j masks off the low-order bits of i, so the level-j key
   changes only when a bit of i that C_j keeps changes.

   +----------------------------------------------+--------------------------+
   | CipherSuites                                 | C_1, C_2, C_3            |
   +----------------------------------------------+--------------------------+
   | TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC | C_1 = 0xFFFFFFFF00000000 |
   |                                              | C_2 = 0xFFFFFFFFFFF80000 |
   |                                              | C_3 = 0xFFFFFFFFFFFFFFC0 |
   +----------------------------------------------+--------------------------+
   | TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC      | C_1 = 0xFFFFFFC000000000 |
   |                                              | C_2 = 0xFFFFFFFFFE000000 |
   |                                              | C_3 = 0xFFFFFFFFFFFFF000 |
   +----------------------------------------------+--------------------------+

                                 Table 3

8.2.  Key Export and Key Import Algorithms

8.2.1.  KExp15 and KImp15 Algorithms

   The KExp15 and KImp15 algorithms use the block cipher determined by
   the particular cipher suite.

   The KExp15 key export algorithm is defined as follows.

   +------------------------------------------------------------+
   | KExp15(S, K_Exp_MAC, K_Exp_ENC, IV)                        |
   |------------------------------------------------------------|
   | Input:                                                     |
   | - secret S to be exported, S in B*,                        |
   | - key K_Exp_MAC in B_k,                                    |
   | - key K_Exp_ENC in B_k,                                    |
   | - IV in B_{n/2}.                                           |
   | Output:                                                    |
   | - export representation SExp in B_{L(S)+n}.                |
   |------------------------------------------------------------|
   | 1. CEK_MAC = OMAC(K_Exp_MAC, IV | S), CEK_MAC in B_n       |
   | 2. SExp = CTR-Encrypt(K_Exp_ENC, IV, S | CEK_MAC)          |
   | 3. return SExp                                             |
   +------------------------------------------------------------+

   where the OMAC function is the one described in Section 4.3.2 (see
   [CMAC]) and the CTR-Encrypt(K, IV, S) function denotes the
   encryption of message S on key K and nonce IV in the CTR mode with
   s = n (see [MODES]).

   The KImp15 key import algorithm is defined as follows.
   +-------------------------------------------------------------------+
   | KImp15(SExp, K_Exp_MAC, K_Exp_ENC, IV)                            |
   |-------------------------------------------------------------------|
   | Input:                                                            |
   | - export representation SExp in B*,                               |
   | - key K_Exp_MAC in B_k,                                           |
   | - key K_Exp_ENC in B_k,                                           |
   | - IV in B_{n/2}.                                                  |
   | Output:                                                           |
   | - secret S in B_{L(SExp)-n} or FAIL.                              |
   |-------------------------------------------------------------------|
   | 1. S | CEK_MAC = CTR-Decrypt(K_Exp_ENC, IV, SExp), CEK_MAC in B_n |
   | 2. If CEK_MAC = OMAC(K_Exp_MAC, IV | S)                           |
   |    then return S; else return FAIL                                |
   +-------------------------------------------------------------------+

   where the OMAC function is the one described in Section 4.3.2 (see
   [CMAC]) and the CTR-Decrypt(K, IV, S) function denotes the
   decryption of message S on key K and nonce IV in the CTR mode (see
   [MODES]).

   The keys K_Exp_MAC and K_Exp_ENC MUST be independent.  For every
   pair of keys (K_Exp_ENC, K_Exp_MAC) the IV values MUST be unique:
   CTR mode is a stream cipher, so reusing an IV under the same keys
   reveals the XOR of the two exported secrets.  For the import of a
   key with the KImp15 algorithm, the IV value may be sent together
   with the export key representation.

8.2.2.  KExp28147 and KImp28147 Algorithms

   The KExp28147 key export algorithm is defined as follows.

   +----------------------------------------------------------------+
   | KExp28147(S, K, IV)                                            |
   |----------------------------------------------------------------|
   | Input:                                                         |
   | - secret S to be exported, S in B_32,                          |
   | - key K in B_32,                                               |
   | - IV in B_8.                                                   |
   | Output:                                                        |
   | - export representation SExp in B_44.                          |
   |----------------------------------------------------------------|
   | 1. CEK_MAC = gost28147IMIT(IV, K, S), CEK_MAC in B_4           |
   | 2. CEK_ENC = ECB-Encrypt(K, S), CEK_ENC in B_32                |
   | 3. return SExp = IV | CEK_ENC | CEK_MAC                        |
   +----------------------------------------------------------------+

   where the gost28147IMIT function is defined in Section 8.4 and the
   ECB-Encrypt(K, S) function denotes the encryption of message S on
   key K with the block cipher GOST 28147-89 in the ECB mode (see
   [RFC5830]).

   The KImp28147 key import algorithm is defined as follows.

   +----------------------------------------------------------------+
   | KImp28147(SExp, K, IV)                                         |
   |----------------------------------------------------------------|
   | Input:                                                         |
   | - export representation SExp in B_44,                          |
   | - key K in B_32,                                               |
   | - IV in B_8.                                                   |
   | Output:                                                        |
   | - imported secret S in B_32 or FAIL.                           |
   |----------------------------------------------------------------|
   | 1. extract from SExp                                           |
   |      IV' = SExp[1..8],                                         |
   |      CEK_ENC = SExp[9..40],                                    |
   |      CEK_MAC = SExp[41..44]                                    |
   | 2. if IV' != IV then return FAIL; else                         |
   | 3. S = ECB-Decrypt(K, CEK_ENC), S in B_32                      |
   | 4. If CEK_MAC = gost28147IMIT(IV, K, S)                        |
   |    then return S; else return FAIL                             |
   +----------------------------------------------------------------+

   where the gost28147IMIT function is defined in Section 8.4 and the
   ECB-Decrypt(K, CEK_ENC) function denotes the decryption of
   ciphertext CEK_ENC on key K with the block cipher GOST 28147-89 in
   the ECB mode (see [RFC5830]).

8.3.  Key Exchange Generation Algorithms

8.3.1.  KEG Algorithm

   The KEG algorithm is defined as follows:

   +----------------------------------------------------------------+
   | KEG(d, Q, H)                                                   |
   |----------------------------------------------------------------|
   | Input:                                                         |
   | - private key d,                                               |
   | - public key Q,                                                |
   | - H in B_32.                                                   |
   | Output:                                                        |
   | - key material K in B_64.                                      |
   |----------------------------------------------------------------|
   | 1. If q * Q is not equal to the zero point                     |
   |      return FAIL                                               |
   | 2. If 2^{254} < q < 2^{256}                                    |
   |      return KEG_256(d, Q, H)                                   |
   | 3. If 2^{508} < q < 2^{512}                                    |
   |      return KEG_512(d, Q, H)                                   |
   | 4. return FAIL                                                 |
   +----------------------------------------------------------------+

   where q is the order of the cyclic subgroup of the elliptic curve
   point group containing the point Q, and d in {1, ..., q - 1}.

   The KEG_256 algorithm is defined as follows:

   +----------------------------------------------------------------+
   | KEG_256(d, Q, H)                                               |
   |----------------------------------------------------------------|
   | Input:                                                         |
   | - private key d,                                               |
   | - public key Q,                                                |
   | - H in B_32.                                                   |
   | Output:                                                        |
   | - key material K in B_64.                                      |
   |----------------------------------------------------------------|
   | 1. r = INT(H[1..16])                                           |
   | 2. If r = 0                                                    |
   |      UKM = 1; else UKM = r                                     |
   | 3. K_EXP = VKO_256(d, Q, UKM)                                  |
   | 4. seed = H[17..24]                                            |
   | 5. return KDFTREE_256(K_EXP, "kdf tree", seed, 1)              |
   +----------------------------------------------------------------+

   where VKO_256 is the VKO_GOSTR3410_2012_256 function defined in
   [RFC7836] and KDFTREE_256 is the KDF_TREE_GOSTR3411_2012_256 function
   defined in [RFC7836] with the parameter L equal to 512.

   The KEG_512 algorithm is defined as follows:

   +----------------------------------------------------------------+
   | KEG_512(d, Q, H)                                               |
   |----------------------------------------------------------------|
   | Input:                                                         |
   | - private key d,                                               |
   | - public key Q,                                                |
   | - H in B_32.                                                   |
   | Output:                                                        |
   | - key material K in B_64.                                      |
   |----------------------------------------------------------------|
   | 1. r = INT(H[1..16])                                           |
   | 2. If r = 0                                                    |
   |      UKM = 1; else UKM = r                                     |
   | 3. return VKO_512(d, Q, UKM)                                   |
   +----------------------------------------------------------------+

   where VKO_512 is the VKO_GOSTR3410_2012_512 function defined in
   [RFC7836].

8.3.2.  KEG_28147 Algorithm

   The KEG_28147 algorithm is defined as follows:

   +----------------------------------------------------------------+
   | KEG_28147(d, Q, H)                                             |
   |----------------------------------------------------------------|
   | Input:                                                         |
   | - private key d,                                               |
   | - public key Q,                                                |
   | - H in B_32.                                                   |
   | Output:                                                        |
   | - key material K in B_32.                                      |
   |----------------------------------------------------------------|
   | 1. If q * Q is not equal to the zero point                     |
   |      return FAIL                                               |
   | 2. UKM = H[1..8]                                               |
   | 3. R = VKO_256(d, Q, INT(UKM))                                 |
   | 4. return K = CPDivers(UKM, R)                                 |
   +----------------------------------------------------------------+

   where the VKO_256 function is the VKO_GOSTR3410_2012_256 function
   defined in [RFC7836], and the CPDivers function is the CryptoPro KEK
   Diversification Algorithm defined in [RFC4357], which takes as input
   the UKM value and the key value.

8.4.  gost28147IMIT

   gost28147IMIT(IV, K, M) is a MAC algorithm with 4-byte output and is
   defined as follows:

   +----------------------------------------------------------------+
   | gost28147IMIT(IV, K, M)                                        |
   |----------------------------------------------------------------|
   | Input:                                                         |
   | - initial value IV in B_8,                                     |
   | - key K in B_32,                                               |
   | - message M in B*.                                             |
   | Output:                                                        |
   | - MAC value T in B_4.                                          |
   |----------------------------------------------------------------|
   | 1. M' = PAD(M)                                                 |
   | 2. M' = M'_0 | ... | M'_r, L(M'_i) = 8, i in {0, ..., r}       |
   | 3. M'' = (M'_0 XOR IV) | M'_1 | ... | M'_r                     |
   | 4. return T = MAC28147(K, M'')                                 |
   +----------------------------------------------------------------+

   where the PAD function is the padding function that appends m zero
   bytes to the message, m being the smallest non-negative solution of
   (L(M) + m) mod 8 = 0, and the MAC28147 function is the Message
   Authentication Code Generation Mode defined in [RFC5830] with 4-byte
   output.

9.  IANA Considerations

   IANA is asked to update the registry entries to reference this
   document when it is published as an RFC.

   IANA has added the numbers {0xC1, 0x00}, {0xC1, 0x01} and
   {0xC1, 0x02} with the names
   TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC,
   TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC and
   TLS_GOSTR341112_256_WITH_28147_CNT_IMIT to the "TLS Cipher Suite"
   registry with this document as reference, as shown below.

   +------------+-----------------------------+---------+-----------+
   | Value      | Description                 | DTLS-OK | Reference |
   +------------+-----------------------------+---------+-----------+
   | 0xC1, 0x00 | TLS_GOSTR341112_256_WITH_   | N       | this RFC  |
   |            | KUZNYECHIK_CTR_OMAC         |         |           |
   +------------+-----------------------------+---------+-----------+
   | 0xC1, 0x01 | TLS_GOSTR341112_256_WITH_   | N       | this RFC  |
   |            | MAGMA_CTR_OMAC              |         |           |
   +------------+-----------------------------+---------+-----------+
   | 0xC1, 0x02 | TLS_GOSTR341112_256_WITH_   | N       | this RFC  |
   |            | 28147_CNT_IMIT              |         |           |
   +------------+-----------------------------+---------+-----------+

                                 Table 4

   IANA has added the numbers 64 and 65 with the names
   gostr34102012_256 and gostr34102012_512 to the "TLS
   SignatureAlgorithm" registry, as shown below.
   +-------+-------------------+---------+-----------+
   | Value | Description       | DTLS-OK | Reference |
   +-------+-------------------+---------+-----------+
   | 64    | gostr34102012_256 | Y       | this RFC  |
   +-------+-------------------+---------+-----------+
   | 65    | gostr34102012_512 | Y       | this RFC  |
   +-------+-------------------+---------+-----------+

                                 Table 5

   IANA has added the numbers 34, 35, 36, 37, 38, 39 and 40 with the
   names GC256A, GC256B, GC256C, GC256D, GC512A, GC512B and GC512C to
   the "TLS Supported Groups" registry, as shown below.

   +-------+-------------+---------+-------------+-----------+
   | Value | Description | DTLS-OK | Recommended | Reference |
   +-------+-------------+---------+-------------+-----------+
   | 34    | GC256A      | Y       | N           | this RFC  |
   +-------+-------------+---------+-------------+-----------+
   | 35    | GC256B      | Y       | N           | this RFC  |
   +-------+-------------+---------+-------------+-----------+
   | 36    | GC256C      | Y       | N           | this RFC  |
   +-------+-------------+---------+-------------+-----------+
   | 37    | GC256D      | Y       | N           | this RFC  |
   +-------+-------------+---------+-------------+-----------+
   | 38    | GC512A      | Y       | N           | this RFC  |
   +-------+-------------+---------+-------------+-----------+
   | 39    | GC512B      | Y       | N           | this RFC  |
   +-------+-------------+---------+-------------+-----------+
   | 40    | GC512C      | Y       | N           | this RFC  |
   +-------+-------------+---------+-------------+-----------+

                                 Table 6

   IANA has added the numbers 67 and 68 with the names gost_sign256 and
   gost_sign512 to the "ClientCertificateType Identifiers" registry, as
   shown below.

   +-------+--------------+---------+-----------+
   | Value | Description  | DTLS-OK | Reference |
   +-------+--------------+---------+-----------+
   | 67    | gost_sign256 | Y       | this RFC  |
   +-------+--------------+---------+-----------+
   | 68    | gost_sign512 | Y       | this RFC  |
   +-------+--------------+---------+-----------+

                                 Table 7

10.  Historical Considerations

   Note that prior to the existence of this document implementations
   could only use values from the Private Use space in order to use the
   GOST-based algorithms.  Some old implementations can therefore still
   use the old value {0xFF, 0x85} instead of the value {0xC1, 0x02} to
   indicate the TLS_GOSTR341112_256_WITH_28147_CNT_IMIT cipher suite;
   the single old value 0xEE instead of the values 64, 8 and 67 (to
   indicate the gostr34102012_256 signature algorithm, the Intrinsic
   hash algorithm and the gost_sign256 certificate type respectively);
   and the single old value 0xEF instead of the values 65, 8 and 68 (to
   indicate the gostr34102012_512 signature algorithm, the Intrinsic
   hash algorithm and the gost_sign512 certificate type respectively).

   For historical reasons, in addition to the curve identifier values
   listed in Table 2 there exist extra identifier values that
   correspond to the curves GC256B, GC256C and GC256D, as follows (see
   [RFC4357] and [R-1323565.1.024-2019]).
   +-------------+-------------------------------------------+
   | Description | Curve Identifier Values                   |
   +-------------+-------------------------------------------+
   | GC256B      | id-GostR3410-2001-CryptoPro-XchA-ParamSet |
   |             | id-tc26-gost-3410-2012-256-paramSetB      |
   +-------------+-------------------------------------------+
   | GC256C      | id-tc26-gost-3410-2012-256-paramSetC      |
   +-------------+-------------------------------------------+
   | GC256D      | id-GostR3410-2001-CryptoPro-XchB-ParamSet |
   |             | id-tc26-gost-3410-2012-256-paramSetD      |
   +-------------+-------------------------------------------+

                                 Table 8

   A client should be prepared to handle any of these identifiers
   correctly if the corresponding group is included in its
   supported_groups extension (see [RFC8422] and [RFC7919]).

11.  Security Considerations

   The profile of TLS 1.2 with GOST algorithms does not provide Perfect
   Forward Secrecy.  Because the premaster secret is transported under a
   key derived from the server's long-term private key d_s
   (Section 4.2.4), compromise of d_s allows the decryption of
   previously recorded sessions.

   The authenticate-then-encrypt construction is crucial for the
   CNT_IMIT cipher suite.  The MAC value is encrypted so that the only
   way to forge a record is to guess the MAC; the probability of a
   successful guess is approximately 2^{-32}, which is acceptable in
   some practical cases.

12.  References

12.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC4357]  Popov, V., Kurepkin, I., and S. Leontiev, "Additional
              Cryptographic Algorithms for Use with GOST 28147-89,
              GOST R 34.10-94, GOST R 34.10-2001, and GOST R 34.11-94
              Algorithms", RFC 4357, DOI 10.17487/RFC4357, January 2006.

   [RFC4490]  Leontiev, S., Ed. and G. Chudov, Ed., "Using the GOST
              28147-89, GOST R 34.11-94, GOST R 34.10-94, and GOST R
              34.10-2001 Algorithms with Cryptographic Message Syntax
              (CMS)", RFC 4490, DOI 10.17487/RFC4490, May 2006.

   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.2", RFC 5246,
              DOI 10.17487/RFC5246, August 2008.

   [RFC5746]  Rescorla, E., Ray, M., Dispensa, S., and N. Oskov,
              "Transport Layer Security (TLS) Renegotiation Indication
              Extension", RFC 5746, DOI 10.17487/RFC5746, February 2010.

   [RFC5830]  Dolmatov, V., Ed., "GOST 28147-89: Encryption, Decryption,
              and Message Authentication Code (MAC) Algorithms",
              RFC 5830, DOI 10.17487/RFC5830, March 2010.

   [RFC6986]  Dolmatov, V., Ed. and A. Degtyarev, "GOST R 34.11-2012:
              Hash Function", RFC 6986, DOI 10.17487/RFC6986, August
              2013.

   [RFC7091]  Dolmatov, V., Ed. and A. Degtyarev, "GOST R 34.10-2012:
              Digital Signature Algorithm", RFC 7091,
              DOI 10.17487/RFC7091, December 2013.

   [RFC7366]  Gutmann, P., "Encrypt-then-MAC for Transport Layer
              Security (TLS) and Datagram Transport Layer Security
              (DTLS)", RFC 7366, DOI 10.17487/RFC7366, September 2014.

   [RFC7627]  Bhargavan, K., Ed., Delignat-Lavaud, A., Pironti, A.,
              Langley, A., and M. Ray, "Transport Layer Security (TLS)
              Session Hash and Extended Master Secret Extension",
              RFC 7627, DOI 10.17487/RFC7627, September 2015.

   [RFC7801]  Dolmatov, V., Ed., "GOST R 34.12-2015: Block Cipher
              "Kuznyechik"", RFC 7801, DOI 10.17487/RFC7801, March 2016.

   [RFC7836]  Smyshlyaev, S., Ed., Alekseev, E., Oshkin, I., Popov, V.,
              Leontiev, S., Podobaev, V., and D. Belyavsky, "Guidelines
              on the Cryptographic Algorithms to Accompany the Usage of
              Standards GOST R 34.10-2012 and GOST R 34.11-2012",
              RFC 7836, DOI 10.17487/RFC7836, March 2016.

   [RFC7919]  Gillmor, D., "Negotiated Finite Field Diffie-Hellman
              Ephemeral Parameters for Transport Layer Security (TLS)",
              RFC 7919, DOI 10.17487/RFC7919, August 2016.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017.

   [RFC8422]  Nir, Y., Josefsson, S., and M. Pegourie-Gonnard, "Elliptic
              Curve Cryptography (ECC) Cipher Suites for Transport Layer
              Security (TLS) Versions 1.2 and Earlier", RFC 8422,
              DOI 10.17487/RFC8422, August 2018.

   [RFC8446]  Rescorla, E., "The Transport Layer Security (TLS) Protocol
              Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018.

   [RFC8645]  Smyshlyaev, S., Ed., "Re-keying Mechanisms for Symmetric
              Keys", RFC 8645, DOI 10.17487/RFC8645, August 2019.

   [RFC8891]  Dolmatov, V., Ed. and D. Baryshkov, "GOST R 34.12-2015:
              Block Cipher "Magma"", RFC 8891, DOI 10.17487/RFC8891,
              September 2020.

12.2.  Informative References

   [CMAC]     Dworkin, M., "Recommendation for Block Cipher Modes of
              Operation: the CMAC Mode for Authentication", NIST Special
              Publication 800-38B, 2005.

   [DraftGostTLS13]
              Smyshlyaev, S., Alekseev, E., Griboedova, E., and A.
              Babueva, "GOST Cipher Suites for Transport Layer Security
              (TLS) Protocol Version 1.3", 2021.

   [GOST3413-2015]
              Federal Agency on Technical Regulating and Metrology,
              "Information technology.  Cryptographic data security.
              Modes of operation for block ciphers", GOST R 34.13-2015,
              2015.

   [IK2003]   Iwata, T. and K. Kurosawa, "OMAC: One-Key CBC MAC",
              FSE 2003, Lecture Notes in Computer Science, vol. 2887,
              Springer, Berlin, Heidelberg, 2003.

   [MODES]    Dworkin, M., "Recommendation for Block Cipher Modes of
              Operation: Methods and Techniques", NIST Special
              Publication 800-38A, December 2001.

   [R-1323565.1.024-2019]
              Federal Agency on Technical Regulating and Metrology,
              "Information technology.  Cryptographic data security.
              Elliptic curve parameters for the cryptographic algorithms
              and protocols", R 1323565.1.024-2019, 2019.

Appendix A.  Test Examples

A.1.  Test Examples for CTR_OMAC Cipher Suites

A.1.1.  TLSTREE Examples

A.1.1.1.  TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC Cipher Suite

   TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC
   ***********************************************
   Root Key K_root:
   00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A
   11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00

   seqnum = 0
   First level key from Divers_1:
   F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1
   39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42
   Second level key from Divers_2:
   51 37 D5 C4 A6 E6 BE 42 C4 40 D1 0A 95 EE A0 7F
   08 9E 74 0D 38 90 EB 52 65 2C 0C B9 3F 20 7B B4
   The resulting key from Divers_3:
   19 A7 6E D3 0F 4D 6D 1F 5B 72 63 EC 49 1A D8 38
   17 C0 B5 7D 8A 03 56 12 71 40 FB 4F 74 25 49 4D

   seqnum = 4095
   First level key from Divers_1:
   F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1
   39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42
   Second level key from Divers_2:
   51 37 D5 C4 A6 E6 BE 42 C4 40 D1 0A 95 EE A0 7F
   08 9E 74 0D 38 90 EB 52 65 2C 0C B9 3F 20 7B B4
   The resulting key from Divers_3:
   19 A7 6E D3 0F 4D 6D 1F 5B 72 63 EC 49 1A D8 38
   17 C0 B5 7D 8A 03 56 12 71 40 FB 4F 74 25 49 4D

   seqnum = 4096
   First level key from Divers_1:
   F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1
   39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42
   Second level key from Divers_2:
   51 37 D5 C4 A6 E6 BE 42 C4 40 D1 0A 95 EE A0 7F
   08 9E 74 0D 38 90 EB 52 65 2C 0C B9 3F 20 7B B4
   The resulting key from Divers_3:
   FB 30 EE 53 CF CF 89 D7 48 FC 0C 72 EF 16 0B 8B
   53 CB BB FD 03 12 82 B0 26 21 4A B2 E0 77 58 FF

   seqnum = 33554431
   First level key from Divers_1:
   F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1
   39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42
   Second level key from Divers_2:
   51 37 D5 C4 A6 E6 BE 42 C4 40 D1 0A 95 EE A0 7F
   08 9E 74 0D 38 90 EB 52 65 2C 0C B9 3F 20 7B B4
   The resulting key from Divers_3:
   B8 5B 36 DC 22 82 32 6B C0 35 C5 72 DC 93 F1 8D
   83 AA 01 74 F3 94 20 9A 51 3B B3 74 DC 09 35 AE

   seqnum = 33554432
   First level key from Divers_1:
   F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1
   39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42
   Second level key from Divers_2:
   3F EA 59 38 DA 2B F8 DD C4 7E C1 DC 55 61 89 66
   79 02 BE 42 0D F4 C3 7D AF 21 75 3B CB 1D C7 F3
   The resulting key from Divers_3:
   0F D7 C0 9E FD F8 E8 15 73 EE CC F8 6E 4B 95 E3
   AF 7F 34 DA B1 17 7C FD 7D B9 7B 6D A9 06 40 8A

   seqnum = 274877906943
   First level key from Divers_1:
   F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1
   39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42
   Second level key from Divers_2:
   AB F3 A5 37 98 3A 1B 98 40 06 6D E6 8A 49 BF 25
   97 7E E5 C3 F5 2D 33 3E 3C 22 0F 1D 15 C5 08 93
   The resulting key from Divers_3:
   48 0F 99 72 BA F2 5D 4C 36 9A 96 AF 91 BC A4 55
   3F 79 D8 F0 C5 61 8B 19 FD 44 CF DC 57 FA 37 33

   seqnum = 274877906944
   First level key from Divers_1:
   15 60 0D 9E 8F A6 85 54 CF 15 2D C7 4F BC 42 51
   17 B0 3E 09 76 BB 28 EA 98 24 C3 B7 0F 28 CB D8
   Second level key from Divers_2:
   6C C2 8E B0 93 24 72 12 5C 7A D3 F8 09 73 B3 C8
   C4 13 7D A5 73 BC 17 1A 24 ED D4 A3 71 F1 F8 73
   The resulting key from Divers_3:
   25 28 C1 C6 A8 F0 92 7B F2 BE 27 BB 78 D2 7F 21
   46 D6 55 93 B0 C7 17 3A 06 CB 9D 88 DF 92 32 65

A.1.1.2.  TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC Cipher Suite

   TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC
   ***********************************************
   Root Key K_root:
   00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A
   11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00

   seqnum = 0
   First level key from Divers_1:
   F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1
   39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42
   Second level key from Divers_2:
   51 37 D5 C4 A6 E6 BE 42 C4 40 D1 0A 95 EE A0 7F
   08 9E 74 0D 38 90 EB 52 65 2C 0C B9 3F 20 7B B4
   The resulting key from Divers_3:
   19 A7 6E D3 0F 4D 6D 1F 5B 72 63 EC 49 1A D8 38
   17 C0 B5 7D 8A 03 56 12 71 40 FB 4F 74 25 49 4D

   seqnum = 63
   First level key from Divers_1:
   F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1
   39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42
   Second level key from Divers_2:
   51 37 D5 C4 A6 E6 BE 42 C4 40 D1 0A 95 EE A0 7F
   08 9E 74 0D 38 90 EB 52 65 2C 0C B9 3F 20 7B B4
   The resulting key from Divers_3:
   19 A7 6E D3 0F 4D 6D 1F 5B 72 63 EC 49 1A D8 38
   17 C0 B5 7D 8A 03 56 12 71 40 FB 4F 74 25 49 4D

   seqnum = 64
   First level key from Divers_1:
   F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1
   39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42
   Second level key from Divers_2:
   51 37 D5 C4 A6 E6 BE 42 C4 40 D1 0A 95 EE A0 7F
   08 9E 74 0D 38 90 EB 52 65 2C 0C B9 3F 20 7B B4
   The resulting key from Divers_3:
   AE BE 1E F4 18 71 3B F0 44 B9 FC D9 E5 72 D4 37
   FB 38 B5 D8 29 56 7A 6F 79 18 39 6D 9F 4E 09 6B

   seqnum = 524287
   First level key from Divers_1:
   F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1
   39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42
   Second level key from Divers_2:
   51 37 D5 C4 A6 E6 BE 42 C4 40 D1 0A 95 EE A0 7F
   08 9E 74 0D 38 90 EB 52 65 2C 0C B9 3F 20 7B B4
   The resulting key from Divers_3:
   6F 18 D4 00 3E A2 CB 30 F5 FE C1 93 A2 34 F0 7D
   7C 43 94 98 7F 50 75 8D E2 2B 22 0D 8A 10 51 06

   seqnum = 524288
   First level key from Divers_1:
   F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1
   39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42
   Second level key from Divers_2:
   F6 59 EB 85 EE BD 2A 8D CC 1B B3 F7 C6 00 57 FF
   6D 33 B6 0F 74 65 DD 42 B5 11 2C F3 A6 B1 AB 66
   The resulting key from Divers_3:
   E5 4B 16 41 5B 3B 66 3E 78 0B 06 2D 24 F7 36 C4
   49 54 63 C3 A8 91 E1 FA 46 F7 AE 99 FF F9 F3 78

   seqnum = 4294967295
   First level key from Divers_1:
   F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1
   39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42
   Second level key from Divers_2:
   F4 BC 10 1A BB 68 86 2A 8C E3 1E A0 0D DF A7 FE
   B8 29 10 F1 24 F4 B1 E2 9E A8 3B E0 06 C2 26 8D
   The resulting key from Divers_3:
   CF 60 09 04 C7 1E 7B 88 A4 9A C8 E2 45 77 4B 3D
   BE ED FB 81 DE 9A 0E 2F 4E 46 C3 56 07 BC 2F 04

   seqnum = 4294967296
   First level key from Divers_1:
   55 CC 95 E0 D1 FB 54 85 AF 8E F6 9A CD 72 B2 32
   79 7C D2 E8 5D 86 CD FD 1D E5 5B D1 FA 14 37 78
   Second level key from Divers_2:
   72 16 91 E1 01 C4 28 96 A6 40 AE 18 3F BB 44 5B
   76 37 9C 57 E1 FD 8A 7D 49 A6 23 E4 23 8C 0E 1D
   The resulting key from Divers_3:
   16 18 0B 24 64 54 00 B8 36 14 38 37 D8 6A AC 93
   95 2A E3 EB 82 44 D5 EC 2A B0 2C FF 30 78 11 38

A.1.2.  Record Examples

A.1.2.1.
TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC ciphersuite 1681 TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC 1682 ******************************************************** 1683 It is assumed that during Handshake following keys were established: 1685 - MAC key: 1686 00000: 00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 1687 00010: 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 1688 - Encryption key: 1689 00000: 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 1690 00010: 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 1691 - IV: 1692 00000: 00 00 00 00 1693 --------------------------------------------------------- 1694 seqnum = 0 1696 Application data: 1697 00000: 00 00 00 00 00 00 00 1699 TLSPlaintext: 1700 00000: 17 03 03 00 07 00 00 00 00 00 00 00 1702 K_MAC_0: 1703 00000: 19 A7 6E D3 0F 4D 6D 1F 5B 72 63 EC 49 1A D8 38 1704 00010: 17 C0 B5 7D 8A 03 56 12 71 40 FB 4F 74 25 49 4D 1706 MAC value: 1707 00000: F3 3E B6 89 6F EC E2 86 1709 K_ENC_0: 1710 00000: 58 AF BE 9A 4C 31 98 AA AB AA 26 92 C4 19 F1 79 1711 00010: 7C 9B 92 DE B3 CC 74 46 B3 63 57 71 13 F0 FB 56 1713 IV_0: 1714 00000: 00 00 00 00 1716 TLSCiphertext: 1717 00000: 17 03 03 00 0F 9B 42 0D A8 6F AF 36 7F 05 14 43 1718 00010: CE 9C 10 72 1719 --------------------------------------------------------- 1720 seqnum = 4095 1722 Application data: 1723 00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1724 00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1725 00020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1726 . . . 1727 003D0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1728 003E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1729 003F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1731 TLSPlaintext: 1732 00000: 17 03 03 04 00 00 00 00 00 00 00 00 00 00 00 00 1733 00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1734 00020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1735 . . . 
   003D0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   003E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   003F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00400: 00 00 00 00 00

   K_MAC_4095:
   00000: 19 A7 6E D3 0F 4D 6D 1F 5B 72 63 EC 49 1A D8 38
   00010: 17 C0 B5 7D 8A 03 56 12 71 40 FB 4F 74 25 49 4D

   MAC value:
   00000: 58 D3 BB 60 8F BC 98 B8

   K_ENC_4095:
   00000: 58 AF BE 9A 4C 31 98 AA AB AA 26 92 C4 19 F1 79
   00010: 7C 9B 92 DE B3 CC 74 46 B3 63 57 71 13 F0 FB 56

   IV_4095:
   00000: 00 00 0F FF

   TLSCiphertext:
   00000: 17 03 03 04 08 B7 11 43 8B 16 20 1F 3C 49 33 95
   00010: 21 C9 C8 CA 75 66 D4 C2 0F D3 3E 58 1F 80 07 DC
   00020: 76 04 3E 2B 35 C8 E8 4B B2 55 08 27 66 13 59 6F
   . . .
   003D0: E7 77 70 BF 45 17 E1 F8 DD 1B 2C 05 64 AD 68 FC
   003E0: 4A 88 9A 48 B8 B1 FF 0E A4 E1 BB 70 4D 56 A4 75
   003F0: 2F 51 A5 82 CC 54 1A 80 8F 8C 8B 62 97 68 88 C8
   00400: 10 59 DE 41 27 63 A3 E0 99 9A CD DA 77

   ---------------------------------------------------------
   seqnum = 4096

   Application data:
   00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   . . .
   007D0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   007E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   007F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

   TLSPlaintext:
   00000: 17 03 03 08 00 00 00 00 00 00 00 00 00 00 00 00
   00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   . . .
   007D0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   007E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   007F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00800: 00 00 00 00 00

   K_MAC_4096:
   00000: FB 30 EE 53 CF CF 89 D7 48 FC 0C 72 EF 16 0B 8B
   00010: 53 CB BB FD 03 12 82 B0 26 21 4A B2 E0 77 58 FF

   MAC value:
   00000: 50 55 A2 6A BE 19 63 81

   K_ENC_4096:
   00000: ED F2 FD 02 47 71 60 23 83 09 00 2D 1D 57 DF 9F
   00010: D2 ED 18 D6 45 66 C7 6F 4B F0 3D 3A BF 7B BB 1E

   IV_4096:
   00000: 00 00 10 00

   TLSCiphertext:
   00000: 17 03 03 08 08 99 95 26 07 03 47 1D ED A2 E6 55
   00010: B6 B3 93 83 5E 33 8B 1E D0 0E DD 22 47 A2 FB 88
   00020: FB B7 A8 94 80 62 08 8A F3 2C AE B6 AA 2C 4F 2A
   . . .
   007D0: 7F 0B 24 61 E7 5F E1 06 34 B8 4D C5 70 35 72 5A
   007E0: CA 4F 0C BC A9 B0 6C B9 F7 6F BD 2F 80 46 2B 8D
   007F0: 77 5E BD 41 6F 63 41 39 AC 89 C2 ED 3D F1 9F E2
   00800: 4E F8 C0 5A A8 90 93 1B 01 86 FD 7D DF

A.1.2.2.  TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC ciphersuite

   TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC
   ***********************************************
   It is assumed that the following keys were established during the
   Handshake:

   - MAC key:
   00000: 00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A
   00010: 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00
   - Encryption key:
   00000: 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11
   00010: 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22
   - IV:
   00000: 00 00 00 00 00 00 00 00

   ---------------------------------------------------------
   seqnum = 0

   Application data:
   00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

   TLSPlaintext:
   00000: 17 03 03 00 0F 00 00 00 00 00 00 00 00 00 00 00
   00010: 00 00 00 00

   K_MAC_0:
   00000: 19 A7 6E D3 0F 4D 6D 1F 5B 72 63 EC 49 1A D8 38
   00010: 17 C0 B5 7D 8A 03 56 12 71 40 FB 4F 74 25 49 4D

   MAC value:
   00000: FD 17 19 DD 95 08 37 EB 7C 7B B8 F5 00 37 99 81

   K_ENC_0:
   00000: 58 AF BE 9A 4C 31 98 AA AB AA 26 92 C4 19 F1 79
   00010: 7C 9B 92 DE B3 CC 74 46 B3 63 57 71 13 F0 FB 56

   IV_0:
   00000: 00 00 00 00 00 00 00 00

   TLSCiphertext:
   00000: 17 03 03 00 1F 4D 1A 30 52 36 57 3B FF C1 4E 46
   00010: DC BE 74 6D B6 C9 9A 17 5A 81 C4 71 1E 2F 84 C3
   00020: 92 C5 40 7C

   ---------------------------------------------------------
   seqnum = 63

   Application data:
   00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   . . .
   00FD0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00FE0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00FF0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

   TLSPlaintext:
   00000: 17 03 03 10 00 00 00 00 00 00 00 00 00 00 00 00
   00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   . . .
   00FD0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00FE0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00FF0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   01000: 00 00 00 00 00

   K_MAC_63:
   00000: 19 A7 6E D3 0F 4D 6D 1F 5B 72 63 EC 49 1A D8 38
   00010: 17 C0 B5 7D 8A 03 56 12 71 40 FB 4F 74 25 49 4D

   MAC value:
   00000: 98 46 27 61 D0 26 24 4A 2C 0B 7D 1B CC CB E7 B0

   K_ENC_63:
   00000: 58 AF BE 9A 4C 31 98 AA AB AA 26 92 C4 19 F1 79
   00010: 7C 9B 92 DE B3 CC 74 46 B3 63 57 71 13 F0 FB 56

   IV_63:
   00000: 00 00 00 00 00 00 00 3F

   TLSCiphertext:
   00000: 17 03 03 10 10 12 93 51 D2 6E 14 07 13 A2 1B 37
   00010: 68 24 A2 23 17 CD C0 D8 8E 01 CF A3 FE 21 41 5F
   00020: 5C 5E 05 86 9C CF 38 A5 1B C2 E0 ED 68 94 46 A8
   . . .
   00FE0: 19 AD 99 8C 06 25 21 E6 7B 63 59 A4 F5 C8 16 F9
   00FF0: 47 6B A7 13 26 82 BB A8 CE 0B ED AD 65 E4 20 A2
   01000: 97 B6 E2 C6 1F A4 06 D9 B8 CA 36 FD 9F CD 3A EE
   01010: 24 78 F4 D1 96

   ---------------------------------------------------------
   seqnum = 64

   Application data:
   00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   . . .
   01FD0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   01FE0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   01FF0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

   TLSPlaintext:
   00000: 17 03 03 20 00 00 00 00 00 00 00 00 00 00 00 00
   00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   . . .
   01FD0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   01FE0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   01FF0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   02000: 00 00 00 00 00

   K_MAC_64:
   00000: AE BE 1E F4 18 71 3B F0 44 B9 FC D9 E5 72 D4 37
   00010: FB 38 B5 D8 29 56 7A 6F 79 18 39 6D 9F 4E 09 6B

   MAC value:
   00000: EA C3 97 87 84 2B 1D BD 60 80 CC 3F BF AE 5C 2F

   K_ENC_64:
   00000: 64 F5 5A FC 37 A1 74 D9 53 3E 70 8B CD 14 FA 4A
   00010: EE C3 7B C0 E3 2B A4 99 01 B4 66 9E 96 A6 3D 96

   IV_64:
   00000: 00 00 00 00 00 00 00 40

   TLSCiphertext:
   00000: 17 03 03 20 10 E6 66 BB 98 AC 5B 0F 39 31 D8 55
   00010: 1B 93 36 85 96 EE F0 EB A8 26 9C B8 BD AA E7 EB
   00020: 80 C8 30 D7 5A B7 D4 6C 25 06 DC 8B 83 E1 F2 D3
   . . .
   01FE0: B3 02 67 2C CB 02 86 CD 40 48 FB D5 38 1A 65 55
   01FF0: 26 11 25 51 01 4F A8 ED F5 C2 1B 7D 1D B3 9D 6B
   02000: AD EC 0D 7C 07 05 34 8B 5C 55 6C 4D 50 81 69 1A
   02010: A9 EC 36 F8 B5

A.1.3.  Handshake Examples

   The ClientHello.extensions and the ServerHello.extensions fields
   contain the extended_master_secret extension (see [RFC7627]) and the
   renegotiation_info extension (see [RFC5746]) in the following
   examples.

A.1.3.1.  TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC ciphersuite

   Server certificate curve OID:
   id-GostR3410-2001-CryptoPro-A-ParamSet, "1.2.643.2.2.35.1"

   Server public key Q_s:
   x = 0x6531D4A72E655BFC9DFB94293B260702
         82FABF10D5C49B7366148C60E0BF8167

   y = 0x37F8CC71DC5D917FC4A66F7826E72750
         8270B4FFC266C26CD4363E77B553A5B8

   Server private key d_s:
   0x5F308355DFD6A8ACAEE0837B100A3B1F
     6D63FB29B78EF27D3967757F0527144C

   ---------------------------Client---------------------------

   ClientHello message:
   msg_type: 01
   length: 000040
   body:
     client_version:
       major: 03
       minor: 03
     random: 933EA21EC3802A561550EC78D6ED51AC
             2439D7E749C31BC3A3456165889684CA
     session_id:
       length: 00
       vector: --
     cipher_suites:
       length: 0004
       vector:
         CipherSuite: C100
         CipherSuite: C101
     compression_methods:
       length: 01
       vector:
         CompressionMethod: 00
     extensions:
       length: 0013
       vector:
         Extension: /* signature_algorithms */
           extension_type: 000D
           extension_data:
             length: 0006
             vector:
               supported_signature_algorithms:
                 length: 0004
                 vector:
                   /* 1 pair of algorithms */
                   hash: 08
                   signature: 40
                   /* 2 pair of algorithms */
                   hash: 08
                   signature: 41
         Extension: /* renegotiation_info */
           extension_type: FF01
           extension_data:
             length: 0001
             vector:
               renegotiated_connection:
                 length: 00
                 vector: --
         Extension: /* extended_master_secret */
           extension_type: 0017
           extension_data:
             length: 0000
             vector: --

   00000: 01 00 00 40 03 03 93 3E A2 1E C3 80 2A 56 15 50
   00010: EC 78 D6 ED 51 AC 24 39 D7 E7 49 C3 1B C3 A3 45
   00020: 61 65 88 96 84 CA 00 00 04 C1 00 C1 01 01 00 00
   00030: 13 00 0D 00 06 00 04 08 40 08 41 FF 01 00 01 00
   00040: 00 17 00 00

   Record layer message:
   type: 16
   version:
     major: 03
     minor: 03
   length: 0044
   fragment: 010000400303933EA21EC3802A561550
             EC78D6ED51AC2439D7E749C31BC3A345
             6165889684CA000004C100C101010000
             13000D0006000408400841FF01000100
             00170000

   00000: 16 03 03 00 44 01 00 00 40 03 03 93 3E A2 1E C3
   00010: 80 2A 56 15 50 EC 78 D6 ED 51 AC 24 39 D7 E7 49
   00020: C3 1B C3 A3 45 61 65 88 96 84 CA 00 00 04 C1 00
   00030: C1 01 01 00 00 13 00 0D 00 06 00 04 08 40 08 41
   00040: FF 01 00 01 00 00 17 00 00

   ---------------------------Server---------------------------

   ServerHello message:
   msg_type: 02
   length: 000041
   body:
     server_version:
       major: 03
       minor: 03
     random: 933EA21E49C31BC3A3456165889684CA
             A5576CE7924A24F58113808DBD9EF856
     session_id:
       length: 10
       vector: C3802A561550EC78D6ED51AC2439D7E7
     cipher_suite:
       CipherSuite: C101
     compression_method:
       CompressionMethod: 00
     extensions:
       length: 0009
       vector:
         Extension: /* renegotiation_info */
           extension_type: FF01
           extension_data:
             length: 0001
             vector:
               renegotiated_connection:
                 length: 00
                 vector: --
         Extension: /* extended_master_secret */
           extension_type: 0017
           extension_data:
             length: 0000
             vector: --

   00000: 02 00 00 41 03 03 93 3E A2 1E 49 C3 1B C3 A3 45
   00010: 61 65 88 96 84 CA A5 57 6C E7 92 4A 24 F5 81 13
   00020: 80 8D BD 9E F8 56 10 C3 80 2A 56 15 50 EC 78 D6
   00030: ED 51 AC 24 39 D7 E7 C1 01 00 00 09 FF 01 00 01
   00040: 00 00 17 00 00

   Record layer message:
   type: 16
   version:
     major: 03
     minor: 03
   length: 0045
   fragment: 020000410303933EA21E49C31BC3A345
             6165889684CAA5576CE7924A24F58113
             808DBD9EF85610C3802A561550EC78D6
             ED51AC2439D7E7C101000009FF010001
             0000170000

   00000: 16 03 03 00 45 02 00 00 41 03 03 93 3E A2 1E 49
   00010: C3 1B C3 A3 45 61 65 88 96 84 CA A5 57 6C E7 92
   00020: 4A 24 F5 81 13 80 8D BD 9E F8 56 10 C3 80 2A 56
   00030: 15 50 EC 78 D6 ED 51 AC 24 39 D7 E7 C1 01 00 00
   00040: 09 FF 01 00 01 00 00 17 00 00

   ---------------------------Server---------------------------

   Certificate message:
   msg_type: 0B
   length: 0001DB
   body:
     certificate_list:
       length: 0001D8
       vector:
         ASN.1Cert:
           length: 0001D5
           vector: 308201D13082017EA003020102020833
                   FBB2C0E9575A46300A06082A85030701
                   010302301F311D301B06035504030C14
                   . . .
                   797990E4B5452CF82FE1F19EE237B754
                   CBCD5078D752A28013DFFC8224AD114B
                   BD7C1BB71E480AD6EEF9857A8C99C595
                   9053EEDFE9

   00000: 0B 00 01 DB 00 01 D8 00 01 D5 30 82 01 D1 30 82
   00010: 01 7E A0 03 02 01 02 02 08 33 FB B2 C0 E9 57 5A
   00020: 46 30 0A 06 08 2A 85 03 07 01 01 03 02 30 1F 31
   00030: 1D 30 1B 06 03 55 04 03 0C 14 74 65 73 74 5F 73
   00040: 65 6C 66 73 69 67 6E 65 64 5F 63 65 72 74 30 1E
   00050: 17 0D 31 39 30 36 32 37 31 35 32 34 30 38 5A 17
   00060: 0D 32 30 31 32 31 38 31 35 33 34 30 38 5A 30 1F
   00070: 31 1D 30 1B 06 03 55 04 03 0C 14 74 65 73 74 5F
   00080: 73 65 6C 66 73 69 67 6E 65 64 5F 63 65 72 74 30
   00090: 66 30 1F 06 08 2A 85 03 07 01 01 01 01 30 13 06
   000A0: 07 2A 85 03 02 02 23 01 06 08 2A 85 03 07 01 01
   000B0: 02 02 03 43 00 04 40 67 81 BF E0 60 8C 14 66 73
   000C0: 9B C4 D5 10 BF FA 82 02 07 26 3B 29 94 FB 9D FC
   000D0: 5B 65 2E A7 D4 31 65 B8 A5 53 B5 77 3E 36 D4 6C
   000E0: C2 66 C2 FF B4 70 82 50 27 E7 26 78 6F A6 C4 7F
   000F0: 91 5D DC 71 CC F8 37 A3 81 96 30 81 93 30 1D 06
   00100: 03 55 1D 0E 04 16 04 14 E7 D0 0B B8 4D 8D 24 18
   00110: 29 3E 05 C1 7C E7 77 98 D4 8D 30 16 30 0E 06 03
   00120: 55 1D 0F 01 01 FF 04 04 03 02 01 C6 30 12 06 03
   00130: 55 1D 13 01 01 FF 04 08 30 06 01 01 FF 02 01 01
   00140: 30 4E 06 03 55 1D 23 04 47 30 45 80 14 E7 D0 0B
   00150: B8 4D 8D 24 18 29 3E 05 C1 7C E7 77 98 D4 8D 30
   00160: 16 A1 23 A4 21 30 1F 31 1D 30 1B 06 03 55 04 03
   00170: 0C 14 74 65 73 74 5F 73 65 6C 66 73 69 67 6E 65
   00180: 64 5F 63 65 72 74 82 08 33 FB B2 C0 E9 57 5A 46
   00190: 30 0A 06 08 2A 85 03 07 01 01 03 02 03 41 00 E2
   001A0: 88 44 F9 F1 C8 55 E2 DB 5B 19 79 79 90 E4 B5 45
   001B0: 2C F8 2F E1 F1 9E E2 37 B7 54 CB CD 50 78 D7 52
   001C0: A2 80 13 DF FC 82 24 AD 11 4B BD 7C 1B B7 1E 48
   001D0: 0A D6 EE F9 85 7A 8C 99 C5 95 90 53 EE DF E9

   Record layer message:
   type: 16
   version:
     major: 03
     minor: 03
   length: 01DF
   fragment: 0B0001DB0001D80001D5308201D13082
             017EA003020102020833FBB2C0E9575A
             46300A06082A85030701010302301F31
             . . .
             8844F9F1C855E2DB5B19797990E4B545
             2CF82FE1F19EE237B754CBCD5078D752
             A28013DFFC8224AD114BBD7C1BB71E48
             0AD6EEF9857A8C99C5959053EEDFE9

   00000: 16 03 03 01 DF 0B 00 01 DB 00 01 D8 00 01 D5 30
   00010: 82 01 D1 30 82 01 7E A0 03 02 01 02 02 08 33 FB
   00020: B2 C0 E9 57 5A 46 30 0A 06 08 2A 85 03 07 01 01
   00030: 03 02 30 1F 31 1D 30 1B 06 03 55 04 03 0C 14 74
   00040: 65 73 74 5F 73 65 6C 66 73 69 67 6E 65 64 5F 63
   00050: 65 72 74 30 1E 17 0D 31 39 30 36 32 37 31 35 32
   00060: 34 30 38 5A 17 0D 32 30 31 32 31 38 31 35 33 34
   00070: 30 38 5A 30 1F 31 1D 30 1B 06 03 55 04 03 0C 14
   00080: 74 65 73 74 5F 73 65 6C 66 73 69 67 6E 65 64 5F
   00090: 63 65 72 74 30 66 30 1F 06 08 2A 85 03 07 01 01
   000A0: 01 01 30 13 06 07 2A 85 03 02 02 23 01 06 08 2A
   000B0: 85 03 07 01 01 02 02 03 43 00 04 40 67 81 BF E0
   000C0: 60 8C 14 66 73 9B C4 D5 10 BF FA 82 02 07 26 3B
   000D0: 29 94 FB 9D FC 5B 65 2E A7 D4 31 65 B8 A5 53 B5
   000E0: 77 3E 36 D4 6C C2 66 C2 FF B4 70 82 50 27 E7 26
   000F0: 78 6F A6 C4 7F 91 5D DC 71 CC F8 37 A3 81 96 30
   00100: 81 93 30 1D 06 03 55 1D 0E 04 16 04 14 E7 D0 0B
   00110: B8 4D 8D 24 18 29 3E 05 C1 7C E7 77 98 D4 8D 30
   00120: 16 30 0E 06 03 55 1D 0F 01 01 FF 04 04 03 02 01
   00130: C6 30 12 06 03 55 1D 13 01 01 FF 04 08 30 06 01
   00140: 01 FF 02 01 01 30 4E 06 03 55 1D 23 04 47 30 45
   00150: 80 14 E7 D0 0B B8 4D 8D 24 18 29 3E 05 C1 7C E7
   00160: 77 98 D4 8D 30 16 A1 23 A4 21 30 1F 31 1D 30 1B
   00170: 06 03 55 04 03 0C 14 74 65 73 74 5F 73 65 6C 66
   00180: 73 69 67 6E 65 64 5F 63 65 72 74 82 08 33 FB B2
   00190: C0 E9 57 5A 46 30 0A 06 08 2A 85 03 07 01 01 03
   001A0: 02 03 41 00 E2 88 44 F9 F1 C8 55 E2 DB 5B 19 79
   001B0: 79 90 E4 B5 45 2C F8 2F E1 F1 9E E2 37 B7 54 CB
   001C0: CD 50 78 D7 52 A2 80 13 DF FC 82 24 AD 11 4B BD
   001D0: 7C 1B B7 1E 48 0A D6 EE F9 85 7A 8C 99 C5 95 90
   001E0: 53 EE DF E9

   ---------------------------Server---------------------------

   ServerHelloDone message:
   msg_type: 0E
   length: 000000
   body: --

   00000: 0E 00 00 00

   Record layer message:
   type: 16
   version:
     major: 03
     minor: 03
   length: 0004
   fragment: 0E000000

   00000: 16 03 03 00 04 0E 00 00 00

   ---------------------------Client---------------------------

   PMS:
   00000: A5 57 6C E7 92 4A 24 F5 81 13 80 8D BD 9E F8 56
   00010: F5 BD C3 B1 83 CE 5D AD CA 36 A5 3A A0 77 65 1D

   Random d_eph value:
   0xA5C77C7482373DE16CE4A6F73CCE7F78
     471493FF2C0709B8B706C9E8A25E6C1E

   Q_eph ephemeral key:
   x = 0xA8F36D63D262A203978F1B3B6795CDBB
         F1AE7FB8EF7F47F1F18871C198E00793

   y = 0x34CA5D6B4485640EA195435993BEB1F8
         B016ED610496B5CC175AC2EA1F14F887

   HASH (r_c | r_s):
   00000: C3 EF 04 28 D4 B7 A1 F4 C5 02 5F 2E 65 DD 2B 2E
   00010: A5 83 AE EF DB 67 C7 F4 21 4A 6A 29 8E 99 E3 25

   Export key generation. r value:
   0xC3EF0428D4B7A1F4C5025F2E65DD2B2E

   Export key generation. UKM value:
   0xC3EF0428D4B7A1F4C5025F2E65DD2B2E

   seed:
   00000: A5 83 AE EF DB 67 C7 F4

   K_EXP:
   00000: 1E 58 54 90 E8 65 FF D1 8F 18 D7 C0 A0 4D 0E E8
   00010: 4F 1A 5D 79 7C EF AD A0 1B 1E 3B 7F DB 90 E0 29

   Export keys K_Exp_MAC | K_Exp_ENC used in KExp15 algorithm:
   00000: 2D 8B A8 C8 4C B2 32 FF 41 F1 0C 3A D9 24 13 42
   00010: 23 25 4F 71 E5 69 6D 3D 29 C3 E4 C9 DA A6 B2 93
   00020: 84 9E B6 34 0B FF AE 69 28 A3 C3 E4 FF 92 EC CB
   00030: 1E 8F 0C F7 A1 88 36 8E 6B 74 8E 52 EA 37 8B 0C

   IV:
   00000: 21 4A 6A 29

   PMSEXP:
   00000: D7 F0 F0 42 23 67 86 7B 25 FA 42 33 A9 54 F5 8B
   00010: DE 92 E9 C9 BB FB 88 16 C9 9F 15 E6 39 87 22 A0
   00020: B2 B7 BF E8 49 3E 9A 5C

   ---------------------------Client---------------------------

   ClientKeyExchange message:
   msg_type: 10
   length: 000095
   body:
     exchange_keys: 3081920428D7F0F0422367867B25FA42
                    33A954F58BDE92E9C9BBFB8816C99F15
                    E6398722A0B2B7BFE8493E9A5C306630
                    . . .
                    EFB87FAEF1BBCD95673B1B8F9703A262
                    D2636DF3A887F8141FEAC25A17CCB596
                    0461ED16B0F8B1BE93594395A10E6485
                    446B5DCA34

   00000: 10 00 00 95 30 81 92 04 28 D7 F0 F0 42 23 67 86
   00010: 7B 25 FA 42 33 A9 54 F5 8B DE 92 E9 C9 BB FB 88
   00020: 16 C9 9F 15 E6 39 87 22 A0 B2 B7 BF E8 49 3E 9A
   00030: 5C 30 66 30 1F 06 08 2A 85 03 07 01 01 01 01 30
   00040: 13 06 07 2A 85 03 02 02 23 01 06 08 2A 85 03 07
   00050: 01 01 02 02 03 43 00 04 40 93 07 E0 98 C1 71 88
   00060: F1 F1 47 7F EF B8 7F AE F1 BB CD 95 67 3B 1B 8F
   00070: 97 03 A2 62 D2 63 6D F3 A8 87 F8 14 1F EA C2 5A
   00080: 17 CC B5 96 04 61 ED 16 B0 F8 B1 BE 93 59 43 95
   00090: A1 0E 64 85 44 6B 5D CA 34

   Record layer message:
   type: 16
   version:
     major: 03
     minor: 03
   length: 0099
   fragment: 100000953081920428D7F0F042236786
             7B25FA4233A954F58BDE92E9C9BBFB88
             16C99F15E6398722A0B2B7BFE8493E9A
             . . .
             F1F1477FEFB87FAEF1BBCD95673B1B8F
             9703A262D2636DF3A887F8141FEAC25A
             17CCB5960461ED16B0F8B1BE93594395
             A10E6485446B5DCA34

   00000: 16 03 03 00 99 10 00 00 95 30 81 92 04 28 D7 F0
   00010: F0 42 23 67 86 7B 25 FA 42 33 A9 54 F5 8B DE 92
   00020: E9 C9 BB FB 88 16 C9 9F 15 E6 39 87 22 A0 B2 B7
   00030: BF E8 49 3E 9A 5C 30 66 30 1F 06 08 2A 85 03 07
   00040: 01 01 01 01 30 13 06 07 2A 85 03 02 02 23 01 06
   00050: 08 2A 85 03 07 01 01 02 02 03 43 00 04 40 93 07
   00060: E0 98 C1 71 88 F1 F1 47 7F EF B8 7F AE F1 BB CD
   00070: 95 67 3B 1B 8F 97 03 A2 62 D2 63 6D F3 A8 87 F8
   00080: 14 1F EA C2 5A 17 CC B5 96 04 61 ED 16 B0 F8 B1
   00090: BE 93 59 43 95 A1 0E 64 85 44 6B 5D CA 34

   ---------------------------Server---------------------------

   PMSEXP extracted:
   00000: D7 F0 F0 42 23 67 86 7B 25 FA 42 33 A9 54 F5 8B
   00010: DE 92 E9 C9 BB FB 88 16 C9 9F 15 E6 39 87 22 A0
   00020: B2 B7 BF E8 49 3E 9A 5C

   HASH(r_c | r_s):
   00000: C3 EF 04 28 D4 B7 A1 F4 C5 02 5F 2E 65 DD 2B 2E
   00010: A5 83 AE EF DB 67 C7 F4 21 4A 6A 29 8E 99 E3 25

   Export key generation. r value:
   0xC3EF0428D4B7A1F4C5025F2E65DD2B2E

   Export key generation. UKM value:
   0xC3EF0428D4B7A1F4C5025F2E65DD2B2E

   seed:
   00000: A5 83 AE EF DB 67 C7 F4

   K_EXP:
   00000: 1E 58 54 90 E8 65 FF D1 8F 18 D7 C0 A0 4D 0E E8
   00010: 4F 1A 5D 79 7C EF AD A0 1B 1E 3B 7F DB 90 E0 29

   Import keys K_Imp_MAC | K_Imp_ENC used in KImp15 algorithm:
   00000: 2D 8B A8 C8 4C B2 32 FF 41 F1 0C 3A D9 24 13 42
   00010: 23 25 4F 71 E5 69 6D 3D 29 C3 E4 C9 DA A6 B2 93
   00020: 84 9E B6 34 0B FF AE 69 28 A3 C3 E4 FF 92 EC CB
   00030: 1E 8F 0C F7 A1 88 36 8E 6B 74 8E 52 EA 37 8B 0C

   IV:
   00000: 21 4A 6A 29

   PMS:
   00000: A5 57 6C E7 92 4A 24 F5 81 13 80 8D BD 9E F8 56
   00010: F5 BD C3 B1 83 CE 5D AD CA 36 A5 3A A0 77 65 1D

   ---------------------------Client---------------------------

   HASH(HM):
   00000: 7E 1F 59 D3 64 9D B6 09 00 EA 4F 8A 58 5A 65 7A
   00010: 92 77 B3 04 50 58 4C F5 43 51 19 8C DE A3 0C 49

   MS:
   00000: FD D2 7C B4 04 AD 4E 44 49 68 4F 7C 55 90 E9 E7
   00010: 02 EF 41 01 93 3B 52 77 A4 A9 6D F5 00 B0 7C C3
   00020: 32 4F D8 A6 D9 07 CB B0 3D F3 FB 33 1F 1C 4D 0C

   Client connection key material
   K_write_MAC|K_read_MAC|K_write_ENC|K_read_ENC|IV_write|IV_read:
   00000: DD 4E 10 17 E3 09 1F FD 86 75 65 8A 78 00 90 09
   00010: 3B BE 69 EC A6 93 31 5C A8 5B E0 A6 14 3D C9 F8
   00020: 1D 64 D0 23 46 5F 8B EA 17 F8 12 F8 C2 D8 BF C0
   00030: D9 BB AB A7 B4 DF D3 A1 7C E0 E1 3B 2D 63 65 F3
   00040: FC 8B 34 59 CF 54 FE 44 9A 04 07 64 53 73 08 00
   00050: 75 10 32 55 9D 07 B6 C4 EA C6 75 48 71 BC 97 8A
   00060: B9 0E 2A EE 98 77 14 BB D8 F7 57 AE F7 84 FF 24
   00070: 47 B3 94 2E B4 3E 26 35 73 1C 4C 28 22 D0 2D 79
   00080: 2B 6A 81 3F 93 ED A6 FA

   ---------------------------Server---------------------------

   HASH(HM):
   00000: 7E 1F 59 D3 64 9D B6 09 00 EA 4F 8A 58 5A 65 7A
   00010: 92 77 B3 04 50 58 4C F5 43 51 19 8C DE A3 0C 49

   MS:
   00000: FD D2 7C B4 04 AD 4E 44 49 68 4F 7C 55 90 E9 E7
   00010: 02 EF 41 01 93 3B 52 77 A4 A9 6D F5 00 B0 7C C3
   00020: 32 4F D8 A6 D9 07 CB B0 3D F3 FB 33 1F 1C 4D 0C

   Server connection key material
   K_read_MAC|K_write_MAC|K_read_ENC|K_write_ENC|IV_read|IV_write:
   00000: DD 4E 10 17 E3 09 1F FD 86 75 65 8A 78 00 90 09
   00010: 3B BE 69 EC A6 93 31 5C A8 5B E0 A6 14 3D C9 F8
   00020: 1D 64 D0 23 46 5F 8B EA 17 F8 12 F8 C2 D8 BF C0
   00030: D9 BB AB A7 B4 DF D3 A1 7C E0 E1 3B 2D 63 65 F3
   00040: FC 8B 34 59 CF 54 FE 44 9A 04 07 64 53 73 08 00
   00050: 75 10 32 55 9D 07 B6 C4 EA C6 75 48 71 BC 97 8A
   00060: B9 0E 2A EE 98 77 14 BB D8 F7 57 AE F7 84 FF 24
   00070: 47 B3 94 2E B4 3E 26 35 73 1C 4C 28 22 D0 2D 79
   00080: 2B 6A 81 3F 93 ED A6 FA

   ---------------------------Client---------------------------

   ChangeCipherSpec message:
   type: 01

   00000: 01

   Record layer message:
   type: 14
   version:
     major: 03
     minor: 03
   length: 0001
   fragment: 01

   00000: 14 03 03 00 01 01

   ---------------------------Client---------------------------

   HASH(HM):
   00000: 7E 1F 59 D3 64 9D B6 09 00 EA 4F 8A 58 5A 65 7A
   00010: 92 77 B3 04 50 58 4C F5 43 51 19 8C DE A3 0C 49

   client_verify_data:
   00000: B4 61 C5 AD 25 EA 1E 62 B3 70 BD 1F 1B CB 16 91
   00010: FC CC BA 37 8B BC 13 43 BE 54 B3 8D F5 53 B7 A5

   ---------------------------Client---------------------------

   Finished message:
   msg_type: 14
   length: 000020
   body:
     verify_data: B461C5AD25EA1E62B370BD1F1BCB1691
                  FCCCBA378BBC1343BE54B38DF553B7A5

   00000: 14 00 00 20 B4 61 C5 AD 25 EA 1E 62 B3 70 BD 1F
   00010: 1B CB 16 91 FC CC BA 37 8B BC 13 43 BE 54 B3 8D
   00020: F5 53 B7 A5

   Record layer message:
   type: 16
   version:
     major: 03
     minor: 03
   length: 002C
   fragment: 0C630271D4DA39DD8D6BD040302D9B8F
             33D5F7B967EED155F7D65592892C03C7
             885C249B1225B184AB4D5DBF

   00000: 16 03 03 00 2C 0C 63 02 71 D4 DA 39 DD 8D 6B D0
   00010: 40 30 2D 9B 8F 33 D5 F7 B9 67 EE D1 55 F7 D6 55
   00020: 92 89 2C 03 C7 88 5C 24 9B 12 25 B1 84 AB 4D 5D
   00030: BF

   ---------------------------Server---------------------------

   ChangeCipherSpec message:
   type: 01

   00000: 01

   Record layer message:
   type: 14
   version:
     major: 03
     minor: 03
   length: 0001
   fragment: 01

   00000: 14 03 03 00 01 01

   ---------------------------Server---------------------------

   HASH(HM):
   00000: DB D7 D8 93 82 4A ED FD D5 FB 7B 75 4B 47 E1 E6
   00010: AF E0 77 DA E6 D1 13 63 42 07 C7 EE 0F C6 F3 B1

   server_verify_data:
   00000: 45 39 EC 8D 0A F7 B1 A6 20 41 AB 43 4A 43 77 71
   00010: D3 4C 47 19 D8 6E BB FD 0F 28 C3 E9 53 55 0C D0

   ---------------------------Server---------------------------

   Finished message:
   msg_type: 14
   length: 000020
   body:
     verify_data: 4539EC8D0AF7B1A62041AB434A437771
                  D34C4719D86EBBFD0F28C3E953550CD0

   00000: 14 00 00 20 45 39 EC 8D 0A F7 B1 A6 20 41 AB 43
   00010: 4A 43 77 71 D3 4C 47 19 D8 6E BB FD 0F 28 C3 E9
   00020: 53 55 0C D0

   Record layer message:
   type: 16
   version:
     major: 03
     minor: 03
   length: 002C
   fragment: E6A94A4BF70886566A2316811E57B483
             BB1E47950A1FF820A80DCA77A4DF9954
             2DAB6953F3ED03D95CCA4748

   00000: 16 03 03 00 2C E6 A9 4A 4B F7 08 86 56 6A 23 16
   00010: 81 1E 57 B4 83 BB 1E 47 95 0A 1F F8 20 A8 0D CA
   00020: 77 A4 DF 99 54 2D AB 69 53 F3 ED 03 D9 5C CA 47
   00030: 48

   ---------------------------Client---------------------------

   Application data:
   00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

   Record layer message:
   type: 17
   version:
     major: 03
     minor: 03
   length: 0028
   fragment: 38807B6E5E0C3F4F7E0DBF7758031BF0
             7F100C4B63ADBC75F49BCBF428572D37
             7CAED097336DB203

   00000: 17 03 03 00 28 38 80 7B 6E 5E 0C 3F 4F 7E 0D BF
   00010: 77 58 03 1B F0 7F 10 0C 4B 63 AD BC 75 F4 9B CB
   00020: F4 28 57 2D 37 7C AE D0 97 33 6D B2 03

   ---------------------------Server---------------------------

   Application data:
   00000: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
   00010: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF

   Record layer message:
   type: 17
   version:
     major: 03
     minor: 03
   length: 0028
   fragment: 05B869E5C979C3B9D4837B8E39D9BBEE
             1BBD0052D3D48340D0CDE082B33BC07F
             4E742D1113249AD8

   00000: 17 03 03 00 28 05 B8 69 E5 C9 79 C3 B9 D4 83 7B
   00010: 8E 39 D9 BB EE 1B BD 00 52 D3 D4 83 40 D0 CD E0
   00020: 82 B3 3B C0 7F 4E 74 2D 11 13 24 9A D8

   ---------------------------Client---------------------------

   close_notify alert:
   Alert:
     level: 01
     description: 00

   00000: 01 00

   Record layer message:
   type: 15
   version:
     major: 03
     minor: 03
   length: 000A
   fragment: 4F2A0807A0374E28C632

   00000: 15 03 03 00 0A 4F 2A 08 07 A0 37 4E 28 C6 32

   ---------------------------Server---------------------------

   close_notify alert:
   Alert:
     level: 01
     description: 00

   00000: 01 00

   Record layer message:
   type: 15
   version:
     major: 03
     minor: 03
   length: 000A
   fragment: 999468B49AC5B0DE512C

   00000: 15 03 03 00 0A 99 94 68 B4 9A C5 B0 DE 51 2C

A.1.3.2.  TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC ciphersuite

   Server certificate curve OID:
   id-tc26-gost-3410-2012-512-paramSetC, "1.2.643.7.1.2.1.2.3"

   Server public key Q_s:
   x = 0xF14589DA479AD972C66563669B3FF580
         92E6A30A288BF447CD9FF6C3133E9724
         7A9706B267703C9B4E239F0D7C7E3310
         C22D2752B35BD2E4FD39B8F11DEB833A

   y = 0xF305E95B36502D4E60A1059FB20AB30B
         FC7C95727F3A2C04B1DFDDB53B0413F2
         99F2DFE66A5E1CCB4101A7A01D612BE6
         BD78E1E3B3D567EBB16ABE587A11F4EA

   Server private key d_s:
   0x12FD7A70067479A0F66C59F9A25534AD
     FBC7ABFD3CC72D79806F8B402601644B
     3005ED365A2D8989A8CCAE640D5FC08D
     D27DFBBFE137CF528E1AC6D445192E01

   Client certificate curve OID:
   id-tc26-gost-3410-2012-256-paramSetA, "1.2.643.7.1.2.1.1.1"

   Client public key Q_c:
   x = 0x0F5DB18A9E15F324B778676025BFD7B5
         DF066566EABAA1C51CD879F87B0B4975

   y = 0x9EE5BBF18361F842D3F087DEC2943939
         E0FA2BFB4EDEC25A8D10ABB22C48F386

   Client private key d_c:
   0x0918AD3F7D209ABF89F1E8505DA894CE
     E10DA09D32E72E815D9C0ADA30B5A103

   ---------------------------Client---------------------------

   ClientHello message:
   msg_type: 01
   length: 000040
   body:
     client_version:
       major: 03
       minor: 03
     random: 933EA21EC3802A561550EC78D6ED51AC
             2439D7E749C31BC3A3456165889684CA
     session_id:
       length: 00
       vector: --
     cipher_suites:
       length: 0004
       vector:
         CipherSuite: C100
         CipherSuite: C101
     compression_methods:
       length: 01
       vector:
         CompressionMethod: 00
     extensions:
       length: 0013
       vector:
         Extension: /* signature_algorithms */
           extension_type: 000D
           extension_data:
             length: 0006
             vector:
               supported_signature_algorithms:
                 length: 0004
                 vector:
                   /* 1 pair of algorithms */
                   hash: 08
                   signature: 40
                   /* 2 pair of algorithms */
                   hash: 08
                   signature: 41
         Extension: /*
renegotiation_info */ 2674 extension_type: FF01 2675 extension_data: 2676 length: 0001 2677 vector: 2678 renegotiated_connection: 2679 length: 00 2680 vector: -- 2681 Extension: /* extended_master_secret */ 2682 extension_type: 0017 2683 extension_data: 2684 length: 0000 2685 vector: -- 2687 00000: 01 00 00 40 03 03 93 3E A2 1E C3 80 2A 56 15 50 2688 00010: EC 78 D6 ED 51 AC 24 39 D7 E7 49 C3 1B C3 A3 45 2689 00020: 61 65 88 96 84 CA 00 00 04 C1 00 C1 01 01 00 00 2690 00030: 13 00 0D 00 06 00 04 08 40 08 41 FF 01 00 01 00 2691 00040: 00 17 00 00 2692 Record layer message: 2693 type: 16 2694 version: 2695 major: 03 2696 minor: 03 2697 length: 0044 2698 fragment: 010000400303933EA21EC3802A561550 2699 EC78D6ED51AC2439D7E749C31BC3A345 2700 6165889684CA000004C100C101010000 2701 13000D0006000408400841FF01000100 2702 00170000 2704 00000: 16 03 03 00 44 01 00 00 40 03 03 93 3E A2 1E C3 2705 00010: 80 2A 56 15 50 EC 78 D6 ED 51 AC 24 39 D7 E7 49 2706 00020: C3 1B C3 A3 45 61 65 88 96 84 CA 00 00 04 C1 00 2707 00030: C1 01 01 00 00 13 00 0D 00 06 00 04 08 40 08 41 2708 00040: FF 01 00 01 00 00 17 00 00 2710 ---------------------------Server--------------------------- 2712 ServerHello message: 2713 msg_type: 02 2714 length: 000041 2715 body: 2716 server_version: 2717 major: 03 2718 minor: 03 2719 random: 933EA21E49C31BC3A3456165889684CA 2720 A5576CE7924A24F58113808DBD9EF856 2721 session_id: 2722 length: 10 2723 vector: C3802A561550EC78D6ED51AC2439D7E7 2724 cipher_suite: 2725 CipherSuite: C100 2726 compression_method: 2727 CompressionMethod: 00 2728 extensions: 2729 length: 0009 2730 vector: 2731 Extension: /* renegotiation_info */ 2732 extension_type: FF01 2733 extension_data: 2734 length: 0001 2735 vector: 2736 renegotiated_connection: 2737 length: 00 2738 vector: -- 2740 Extension: /* extended_master_secret */ 2741 extension_type: 0017 2742 extension_data: 2743 length: 0000 2744 vector: -- 2746 00000: 02 00 00 41 03 03 93 3E A2 1E 49 C3 1B C3 A3 45 2747 00010: 61 65 88 96 
84 CA A5 57 6C E7 92 4A 24 F5 81 13 2748 00020: 80 8D BD 9E F8 56 10 C3 80 2A 56 15 50 EC 78 D6 2749 00030: ED 51 AC 24 39 D7 E7 C1 00 00 00 09 FF 01 00 01 2750 00040: 00 00 17 00 00 2752 Record layer message: 2753 type: 16 2754 version: 2755 major: 03 2756 minor: 03 2757 length: 0045 2758 fragment: 020000410303933EA21E49C31BC3A345 2759 6165889684CAA5576CE7924A24F58113 2760 808DBD9EF85610C3802A561550EC78D6 2761 ED51AC2439D7E7C100000009FF010001 2762 0000170000 2764 00000: 16 03 03 00 45 02 00 00 41 03 03 93 3E A2 1E 49 2765 00010: C3 1B C3 A3 45 61 65 88 96 84 CA A5 57 6C E7 92 2766 00020: 4A 24 F5 81 13 80 8D BD 9E F8 56 10 C3 80 2A 56 2767 00030: 15 50 EC 78 D6 ED 51 AC 24 39 D7 E7 C1 00 00 00 2768 00040: 09 FF 01 00 01 00 00 17 00 00 2770 ---------------------------Server--------------------------- 2772 Certificate message: 2773 msg_type: 0B 2774 length: 00024C 2775 body: 2776 certificate_list: 2777 length: 000249 2778 vector: 2779 ASN.1Cert: 2780 length: 000246 2781 vector: 30820242308201AEA003020102020101 2782 300A06082A850307010103033042312C 2783 302A06092A864886F70D010901161D74 2784 . . . 
2785 371AF83C5BC58B366DFEFA7345D50317 2786 867C177AC84AC07EE8612164629AB7BD 2787 C48AA0F64A741FE7298E82C5BFCE8672 2788 029F875391F7 2790 00000: 0B 00 02 4C 00 02 49 00 02 46 30 82 02 42 30 82 2791 00010: 01 AE A0 03 02 01 02 02 01 01 30 0A 06 08 2A 85 2792 00020: 03 07 01 01 03 03 30 42 31 2C 30 2A 06 09 2A 86 2793 00030: 48 86 F7 0D 01 09 01 16 1D 74 6C 73 31 32 5F 73 2794 00040: 65 72 76 65 72 35 31 32 43 40 63 72 79 70 74 6F 2795 00050: 70 72 6F 2E 72 75 31 12 30 10 06 03 55 04 03 13 2796 00060: 09 53 65 72 76 65 72 35 31 32 30 1E 17 0D 31 37 2797 00070: 30 35 32 35 30 39 32 35 31 38 5A 17 0D 33 30 30 2798 00080: 35 30 31 30 39 32 35 31 38 5A 30 42 31 2C 30 2A 2799 00090: 06 09 2A 86 48 86 F7 0D 01 09 01 16 1D 74 6C 73 2800 000A0: 31 32 5F 73 65 72 76 65 72 35 31 32 43 40 63 72 2801 000B0: 79 70 74 6F 70 72 6F 2E 72 75 31 12 30 10 06 03 2802 000C0: 55 04 03 13 09 53 65 72 76 65 72 35 31 32 30 81 2803 000D0: AA 30 21 06 08 2A 85 03 07 01 01 01 02 30 15 06 2804 000E0: 09 2A 85 03 07 01 02 01 02 03 06 08 2A 85 03 07 2805 000F0: 01 01 02 03 03 81 84 00 04 81 80 3A 83 EB 1D F1 2806 00100: B8 39 FD E4 D2 5B B3 52 27 2D C2 10 33 7E 7C 0D 2807 00110: 9F 23 4E 9B 3C 70 67 B2 06 97 7A 24 97 3E 13 C3 2808 00120: F6 9F CD 47 F4 8B 28 0A A3 E6 92 80 F5 3F 9B 66 2809 00130: 63 65 C6 72 D9 9A 47 DA 89 45 F1 EA F4 11 7A 58 2810 00140: BE 6A B1 EB 67 D5 B3 E3 E1 78 BD E6 2B 61 1D A0 2811 00150: A7 01 41 CB 1C 5E 6A E6 DF F2 99 F2 13 04 3B B5 2812 00160: DD DF B1 04 2C 3A 7F 72 95 7C FC 0B B3 0A B2 9F 2813 00170: 05 A1 60 4E 2D 50 36 5B E9 05 F3 A3 43 30 41 30 2814 00180: 1D 06 03 55 1D 0E 04 16 04 14 87 9C C6 5A 0F 4A 2815 00190: 89 CB 4A 58 49 DF 05 61 56 9B AA DC 11 69 30 0B 2816 001A0: 06 03 55 1D 0F 04 04 03 02 03 28 30 13 06 03 55 2817 001B0: 1D 25 04 0C 30 0A 06 08 2B 06 01 05 05 07 03 01 2818 001C0: 30 0A 06 08 2A 85 03 07 01 01 03 03 03 81 81 00 2819 001D0: 35 BE 38 51 EC B6 E9 2D 32 40 01 81 0F 8C 89 03 2820 001E0: 52 42 F4 05 46 9F 4C 4E CB 05 02 7C 57 E2 71 52 2821 
001F0: 12 AF D7 CD BB 0C ED 7A 8B 4D 33 42 CC 50 1A BD 2822 00200: 99 99 75 A5 8A DE 0E 58 4F CA 35 F5 2E 45 58 B7 2823 00210: 31 1D 49 D0 A0 51 32 79 F7 39 37 1A F8 3C 5B C5 2824 00220: 8B 36 6D FE FA 73 45 D5 03 17 86 7C 17 7A C8 4A 2825 00230: C0 7E E8 61 21 64 62 9A B7 BD C4 8A A0 F6 4A 74 2826 00240: 1F E7 29 8E 82 C5 BF CE 86 72 02 9F 87 53 91 F7 2828 Record layer message: 2829 type: 16 2830 version: 2831 major: 03 2832 minor: 03 2833 length: 0250 2834 fragment: 0B00024C000249000246308202423082 2835 01AEA003020102020101300A06082A85 2836 0307010103033042312C302A06092A86 2837 . . . 2838 8B366DFEFA7345D50317867C177AC84A 2839 C07EE8612164629AB7BDC48AA0F64A74 2840 1FE7298E82C5BFCE8672029F875391F7 2842 00000: 16 03 03 02 50 0B 00 02 4C 00 02 49 00 02 46 30 2843 00010: 82 02 42 30 82 01 AE A0 03 02 01 02 02 01 01 30 2844 00020: 0A 06 08 2A 85 03 07 01 01 03 03 30 42 31 2C 30 2845 00030: 2A 06 09 2A 86 48 86 F7 0D 01 09 01 16 1D 74 6C 2846 00040: 73 31 32 5F 73 65 72 76 65 72 35 31 32 43 40 63 2847 00050: 72 79 70 74 6F 70 72 6F 2E 72 75 31 12 30 10 06 2848 00060: 03 55 04 03 13 09 53 65 72 76 65 72 35 31 32 30 2849 00070: 1E 17 0D 31 37 30 35 32 35 30 39 32 35 31 38 5A 2850 00080: 17 0D 33 30 30 35 30 31 30 39 32 35 31 38 5A 30 2851 00090: 42 31 2C 30 2A 06 09 2A 86 48 86 F7 0D 01 09 01 2852 000A0: 16 1D 74 6C 73 31 32 5F 73 65 72 76 65 72 35 31 2853 000B0: 32 43 40 63 72 79 70 74 6F 70 72 6F 2E 72 75 31 2854 000C0: 12 30 10 06 03 55 04 03 13 09 53 65 72 76 65 72 2855 000D0: 35 31 32 30 81 AA 30 21 06 08 2A 85 03 07 01 01 2856 000E0: 01 02 30 15 06 09 2A 85 03 07 01 02 01 02 03 06 2857 000F0: 08 2A 85 03 07 01 01 02 03 03 81 84 00 04 81 80 2858 00100: 3A 83 EB 1D F1 B8 39 FD E4 D2 5B B3 52 27 2D C2 2859 00110: 10 33 7E 7C 0D 9F 23 4E 9B 3C 70 67 B2 06 97 7A 2860 00120: 24 97 3E 13 C3 F6 9F CD 47 F4 8B 28 0A A3 E6 92 2861 00130: 80 F5 3F 9B 66 63 65 C6 72 D9 9A 47 DA 89 45 F1 2862 00140: EA F4 11 7A 58 BE 6A B1 EB 67 D5 B3 E3 E1 78 BD 2863 00150: E6 2B 61 1D A0 A7 01 
41 CB 1C 5E 6A E6 DF F2 99 2864 00160: F2 13 04 3B B5 DD DF B1 04 2C 3A 7F 72 95 7C FC 2865 00170: 0B B3 0A B2 9F 05 A1 60 4E 2D 50 36 5B E9 05 F3 2866 00180: A3 43 30 41 30 1D 06 03 55 1D 0E 04 16 04 14 87 2867 00190: 9C C6 5A 0F 4A 89 CB 4A 58 49 DF 05 61 56 9B AA 2868 001A0: DC 11 69 30 0B 06 03 55 1D 0F 04 04 03 02 03 28 2869 001B0: 30 13 06 03 55 1D 25 04 0C 30 0A 06 08 2B 06 01 2870 001C0: 05 05 07 03 01 30 0A 06 08 2A 85 03 07 01 01 03 2871 001D0: 03 03 81 81 00 35 BE 38 51 EC B6 E9 2D 32 40 01 2872 001E0: 81 0F 8C 89 03 52 42 F4 05 46 9F 4C 4E CB 05 02 2873 001F0: 7C 57 E2 71 52 12 AF D7 CD BB 0C ED 7A 8B 4D 33 2874 00200: 42 CC 50 1A BD 99 99 75 A5 8A DE 0E 58 4F CA 35 2875 00210: F5 2E 45 58 B7 31 1D 49 D0 A0 51 32 79 F7 39 37 2876 00220: 1A F8 3C 5B C5 8B 36 6D FE FA 73 45 D5 03 17 86 2877 00230: 7C 17 7A C8 4A C0 7E E8 61 21 64 62 9A B7 BD C4 2878 00240: 8A A0 F6 4A 74 1F E7 29 8E 82 C5 BF CE 86 72 02 2879 00250: 9F 87 53 91 F7 2881 ---------------------------Server--------------------------- 2882 CertificateRequest message: 2883 msg_type: 0D 2884 length: 00000B 2885 body: 2886 certificate_types: 2887 length: 02 2888 vector: 2889 /* gost_sign256 */ 2890 43 2891 /* gost_sign512 */ 2892 44 2893 supported_signature_algorithms: 2894 length: 0004 2895 vector: 2896 /* 1 pair of algorithms */ 2897 hash: 08 2898 signature: 40 2899 /* 2 pair of algorithms */ 2900 hash: 08 2901 signature: 41 2902 certificate_authorities: 2903 length: 0000 2904 vector: -- 2906 00000: 0D 00 00 0B 02 43 44 00 04 08 40 08 41 00 00 2908 Record layer message: 2909 type: 16 2910 version: 2911 major: 03 2912 minor: 03 2913 length: 000F 2914 fragment: 0D00000B0243440004084008410000 2916 00000: 16 03 03 00 0F 0D 00 00 0B 02 43 44 00 04 08 40 2917 00010: 08 41 00 00 2919 ---------------------------Server--------------------------- 2921 ServerHelloDone message: 2922 msg_type: 0E 2923 length: 000000 2924 body: -- 2926 00000: 0E 00 00 00 2928 Record layer message: 2930 type: 16 2931 version: 
2932 major: 03 2933 minor: 03 2934 length: 0004 2935 fragment: 0E000000 2937 00000: 16 03 03 00 04 0E 00 00 00 2939 ---------------------------Client--------------------------- 2941 Certificate message: 2942 msg_type: 0B 2943 length: 0001EA 2944 body: 2945 certificate_list: 2946 length: 0001E7 2947 vector: 2948 ASN.1Cert: 2949 length: 0001E4 2950 vector: 308201E03082018DA003020102020101 2951 300A06082A850307010103023053312E 2952 302C06092A864886F70D010901161F74 2953 . . . 2954 C1CAB43AC01AFB0F3451BDC2DB188BBC 2955 B77884251CDF6037BA830F4B31D5E96F 2956 DC9BC1C95ABE658266C48402E070DE1F 2957 292724E8 2959 00000: 0B 00 01 EA 00 01 E7 00 01 E4 30 82 01 E0 30 82 2960 00010: 01 8D A0 03 02 01 02 02 01 01 30 0A 06 08 2A 85 2961 00020: 03 07 01 01 03 02 30 53 31 2E 30 2C 06 09 2A 86 2962 00030: 48 86 F7 0D 01 09 01 16 1F 74 6C 73 31 32 5F 63 2963 00040: 6C 69 65 6E 74 32 35 36 41 5F 45 40 63 72 79 70 2964 00050: 74 6F 70 72 6F 2E 72 75 31 21 30 1F 06 03 55 04 2965 00060: 03 1E 18 00 43 00 6C 00 69 00 65 00 6E 00 74 00 2966 00070: 32 00 35 00 36 00 41 00 5F 00 45 30 1E 17 0D 31 2967 00080: 37 30 35 32 35 30 39 33 31 31 38 5A 17 0D 33 30 2968 00090: 30 35 30 31 30 39 33 31 31 38 5A 30 53 31 2E 30 2969 000A0: 2C 06 09 2A 86 48 86 F7 0D 01 09 01 16 1F 74 6C 2970 000B0: 73 31 32 5F 63 6C 69 65 6E 74 32 35 36 41 5F 45 2971 000C0: 40 63 72 79 70 74 6F 70 72 6F 2E 72 75 31 21 30 2972 000D0: 1F 06 03 55 04 03 1E 18 00 43 00 6C 00 69 00 65 2973 000E0: 00 6E 00 74 00 32 00 35 00 36 00 41 00 5F 00 45 2974 000F0: 30 68 30 21 06 08 2A 85 03 07 01 01 01 01 30 15 2975 00100: 06 09 2A 85 03 07 01 02 01 01 01 06 08 2A 85 03 2976 00110: 07 01 01 02 02 03 43 00 04 40 75 49 0B 7B F8 79 2977 00120: D8 1C C5 A1 BA EA 66 65 06 DF B5 D7 BF 25 60 67 2978 00130: 78 B7 24 F3 15 9E 8A B1 5D 0F 86 F3 48 2C B2 AB 2979 00140: 10 8D 5A C2 DE 4E FB 2B FA E0 39 39 94 C2 DE 87 2980 00150: F0 D3 42 F8 61 83 F1 BB E5 9E A3 43 30 41 30 1D 2981 00160: 06 03 55 1D 0E 04 16 04 14 74 49 1E 77 30 D3 42 2982 00170: A6 
28 0E 72 A1 13 9D D9 90 8B FA F1 03 30 0B 06 2983 00180: 03 55 1D 0F 04 04 03 02 07 80 30 13 06 03 55 1D 2984 00190: 25 04 0C 30 0A 06 08 2B 06 01 05 05 07 03 02 30 2985 001A0: 0A 06 08 2A 85 03 07 01 01 03 02 03 41 00 1C 2D 2986 001B0: 35 22 B4 11 02 D6 20 1F 23 50 C1 CA B4 3A C0 1A 2987 001C0: FB 0F 34 51 BD C2 DB 18 8B BC B7 78 84 25 1C DF 2988 001D0: 60 37 BA 83 0F 4B 31 D5 E9 6F DC 9B C1 C9 5A BE 2989 001E0: 65 82 66 C4 84 02 E0 70 DE 1F 29 27 24 E8 2991 Record layer message: 2992 type: 16 2993 version: 2994 major: 03 2995 minor: 03 2996 length: 01EE 2997 fragment: 0B0001EA0001E70001E4308201E03082 2998 018DA003020102020101300A06082A85 2999 0307010103023053312E302C06092A86 3000 . . . 3001 3522B41102D6201F2350C1CAB43AC01A 3002 FB0F3451BDC2DB188BBCB77884251CDF 3003 6037BA830F4B31D5E96FDC9BC1C95ABE 3004 658266C48402E070DE1F292724E8 3006 00000: 16 03 03 01 EE 0B 00 01 EA 00 01 E7 00 01 E4 30 3007 00010: 82 01 E0 30 82 01 8D A0 03 02 01 02 02 01 01 30 3008 00020: 0A 06 08 2A 85 03 07 01 01 03 02 30 53 31 2E 30 3009 00030: 2C 06 09 2A 86 48 86 F7 0D 01 09 01 16 1F 74 6C 3010 00040: 73 31 32 5F 63 6C 69 65 6E 74 32 35 36 41 5F 45 3011 00050: 40 63 72 79 70 74 6F 70 72 6F 2E 72 75 31 21 30 3012 00060: 1F 06 03 55 04 03 1E 18 00 43 00 6C 00 69 00 65 3013 00070: 00 6E 00 74 00 32 00 35 00 36 00 41 00 5F 00 45 3014 00080: 30 1E 17 0D 31 37 30 35 32 35 30 39 33 31 31 38 3015 00090: 5A 17 0D 33 30 30 35 30 31 30 39 33 31 31 38 5A 3016 000A0: 30 53 31 2E 30 2C 06 09 2A 86 48 86 F7 0D 01 09 3017 000B0: 01 16 1F 74 6C 73 31 32 5F 63 6C 69 65 6E 74 32 3018 000C0: 35 36 41 5F 45 40 63 72 79 70 74 6F 70 72 6F 2E 3019 000D0: 72 75 31 21 30 1F 06 03 55 04 03 1E 18 00 43 00 3020 000E0: 6C 00 69 00 65 00 6E 00 74 00 32 00 35 00 36 00 3021 000F0: 41 00 5F 00 45 30 68 30 21 06 08 2A 85 03 07 01 3022 00100: 01 01 01 30 15 06 09 2A 85 03 07 01 02 01 01 01 3023 00110: 06 08 2A 85 03 07 01 01 02 02 03 43 00 04 40 75 3024 00120: 49 0B 7B F8 79 D8 1C C5 A1 BA EA 66 65 06 DF B5 3025 00130: D7 
BF 25 60 67 78 B7 24 F3 15 9E 8A B1 5D 0F 86 3026 00140: F3 48 2C B2 AB 10 8D 5A C2 DE 4E FB 2B FA E0 39 3027 00150: 39 94 C2 DE 87 F0 D3 42 F8 61 83 F1 BB E5 9E A3 3028 00160: 43 30 41 30 1D 06 03 55 1D 0E 04 16 04 14 74 49 3029 00170: 1E 77 30 D3 42 A6 28 0E 72 A1 13 9D D9 90 8B FA 3030 00180: F1 03 30 0B 06 03 55 1D 0F 04 04 03 02 07 80 30 3031 00190: 13 06 03 55 1D 25 04 0C 30 0A 06 08 2B 06 01 05 3032 001A0: 05 07 03 02 30 0A 06 08 2A 85 03 07 01 01 03 02 3033 001B0: 03 41 00 1C 2D 35 22 B4 11 02 D6 20 1F 23 50 C1 3034 001C0: CA B4 3A C0 1A FB 0F 34 51 BD C2 DB 18 8B BC B7 3035 001D0: 78 84 25 1C DF 60 37 BA 83 0F 4B 31 D5 E9 6F DC 3036 001E0: 9B C1 C9 5A BE 65 82 66 C4 84 02 E0 70 DE 1F 29 3037 001F0: 27 24 E8 3039 ---------------------------Client--------------------------- 3041 PMS value: 3042 00000: A5 57 6C E7 92 4A 24 F5 81 13 80 8D BD 9E F8 56 3043 00010: F5 BD C3 B1 83 CE 5D AD CA 36 A5 3A A0 77 65 1D 3045 Random d_eph value: 3046 0x150ACD11B66DD695AD18418FA7A2DC63 3047 6B7E29DCA24536AABC826EE3175BB1FA 3048 DC3AA0D01D3092E120B0FCF7EB872F4B 3049 7E26EA17849D689222A48CF95A6E4831 3051 Q_eph ephemeral key: 3052 x = 0xC941BE5193189B476D5A0334114A3E04 3053 BBE5B37C738AE40F150B334135288664 3054 FEBFC5622818894A07B1F7AD60E28480 3055 B4B637B90EA7D4BA980186B605D75BC6 3057 y = 0xA154F7B93E8148652011F4FD52C9A06A 3058 6471ADB28D0A949AE26BC786DE874153 3059 ABC00B35164F3214A8A83C00ECE27831 3060 B093528456234EFE766224FC2A7E9ABE 3062 HASH (r_c | r_s): 3063 00000: C3 EF 04 28 D4 B7 A1 F4 C5 02 5F 2E 65 DD 2B 2E 3064 00010: A5 83 AE EF DB 67 C7 F4 21 4A 6A 29 8E 99 E3 25 3066 Export key generation. r value: 3067 0xC3EF0428D4B7A1F4C5025F2E65DD2B2E 3069 Export key generation. 
UKM value: 3070 0xC3EF0428D4B7A1F4C5025F2E65DD2B2E 3071 Export keys K_Exp_MAC | K_Exp_ENC used in KExp15 algorithm: 3072 00000: 7D AC 56 E4 8A 4D C1 70 FA A8 FC BA E2 0D B8 45 3073 00010: 45 0C CC C4 C6 32 8B DC 8D 01 15 7C EF A2 A5 F1 3074 00020: 1F 1C BA D8 86 61 66 F0 1F FA AB 01 52 E2 4B F4 3075 00030: 60 9D 5F 46 A5 C8 99 C7 87 90 0D 08 B9 FC AD 24 3077 IV: 3078 00000: 21 4A 6A 29 8E 99 E3 25 3080 PMSEXP: 3081 00000: 25 0D 1B 67 A2 70 AB 04 D3 F6 54 18 E1 D3 80 B4 3082 00010: CB 94 5F 0A 3D CA 51 50 0C F3 A1 BE F3 7F 76 C0 3083 00020: 73 41 A9 83 9C CF 6C BA 71 89 DA 61 EB 67 17 6C 3085 ---------------------------Client--------------------------- 3087 ClientKeyExchange message: 3088 msg_type: 10 3089 length: 0000E2 3090 body: 3091 exchange_keys: 3081DF0430250D1B67A270AB04D3F654 3092 18E1D380B4CB945F0A3DCA51500CF3A1 3093 BEF37F76C07341A9839CCF6CBA7189DA 3094 . . . 3095 93B03178E2EC003CA8A814324F16350B 3096 C0AB534187DE86C76BE29A940A8DB2AD 3097 71646AA0C952FDF411206548813EB9F7 3098 54A1 3100 00000: 10 00 00 E2 30 81 DF 04 30 25 0D 1B 67 A2 70 AB 3101 00010: 04 D3 F6 54 18 E1 D3 80 B4 CB 94 5F 0A 3D CA 51 3102 00020: 50 0C F3 A1 BE F3 7F 76 C0 73 41 A9 83 9C CF 6C 3103 00030: BA 71 89 DA 61 EB 67 17 6C 30 81 AA 30 21 06 08 3104 00040: 2A 85 03 07 01 01 01 02 30 15 06 09 2A 85 03 07 3105 00050: 01 02 01 02 03 06 08 2A 85 03 07 01 01 02 03 03 3106 00060: 81 84 00 04 81 80 C6 5B D7 05 B6 86 01 98 BA D4 3107 00070: A7 0E B9 37 B6 B4 80 84 E2 60 AD F7 B1 07 4A 89 3108 00080: 18 28 62 C5 BF FE 64 86 28 35 41 33 0B 15 0F E4 3109 00090: 8A 73 7C B3 E5 BB 04 3E 4A 11 34 03 5A 6D 47 9B 3110 000A0: 18 93 51 BE 41 C9 BE 9A 7E 2A FC 24 62 76 FE 4E 3111 000B0: 23 56 84 52 93 B0 31 78 E2 EC 00 3C A8 A8 14 32 3112 000C0: 4F 16 35 0B C0 AB 53 41 87 DE 86 C7 6B E2 9A 94 3113 000D0: 0A 8D B2 AD 71 64 6A A0 C9 52 FD F4 11 20 65 48 3114 000E0: 81 3E B9 F7 54 A1 3116 Record layer message: 3117 type: 16 3118 version: 3119 major: 03 3120 minor: 03 3121 length: 00E6 3122 fragment: 
100000E23081DF0430250D1B67A270AB 3123 04D3F65418E1D380B4CB945F0A3DCA51 3124 500CF3A1BEF37F76C07341A9839CCF6C 3125 . . . 3126 2356845293B03178E2EC003CA8A81432 3127 4F16350BC0AB534187DE86C76BE29A94 3128 0A8DB2AD71646AA0C952FDF411206548 3129 813EB9F754A1 3131 00000: 16 03 03 00 E6 10 00 00 E2 30 81 DF 04 30 25 0D 3132 00010: 1B 67 A2 70 AB 04 D3 F6 54 18 E1 D3 80 B4 CB 94 3133 00020: 5F 0A 3D CA 51 50 0C F3 A1 BE F3 7F 76 C0 73 41 3134 00030: A9 83 9C CF 6C BA 71 89 DA 61 EB 67 17 6C 30 81 3135 00040: AA 30 21 06 08 2A 85 03 07 01 01 01 02 30 15 06 3136 00050: 09 2A 85 03 07 01 02 01 02 03 06 08 2A 85 03 07 3137 00060: 01 01 02 03 03 81 84 00 04 81 80 C6 5B D7 05 B6 3138 00070: 86 01 98 BA D4 A7 0E B9 37 B6 B4 80 84 E2 60 AD 3139 00080: F7 B1 07 4A 89 18 28 62 C5 BF FE 64 86 28 35 41 3140 00090: 33 0B 15 0F E4 8A 73 7C B3 E5 BB 04 3E 4A 11 34 3141 000A0: 03 5A 6D 47 9B 18 93 51 BE 41 C9 BE 9A 7E 2A FC 3142 000B0: 24 62 76 FE 4E 23 56 84 52 93 B0 31 78 E2 EC 00 3143 000C0: 3C A8 A8 14 32 4F 16 35 0B C0 AB 53 41 87 DE 86 3144 000D0: C7 6B E2 9A 94 0A 8D B2 AD 71 64 6A A0 C9 52 FD 3145 000E0: F4 11 20 65 48 81 3E B9 F7 54 A1 3147 ---------------------------Server--------------------------- 3149 PMSEXP extracted: 3150 00000: 25 0D 1B 67 A2 70 AB 04 D3 F6 54 18 E1 D3 80 B4 3151 00010: CB 94 5F 0A 3D CA 51 50 0C F3 A1 BE F3 7F 76 C0 3152 00020: 73 41 A9 83 9C CF 6C BA 71 89 DA 61 EB 67 17 6C 3154 HASH(r_c | r_s): 3155 00000: C3 EF 04 28 D4 B7 A1 F4 C5 02 5F 2E 65 DD 2B 2E 3156 00010: A5 83 AE EF DB 67 C7 F4 21 4A 6A 29 8E 99 E3 25 3158 Export key generation. r value: 3159 0xC3EF0428D4B7A1F4C5025F2E65DD2B2E 3161 Export key generation. 
UKM value: 3162 0xC3EF0428D4B7A1F4C5025F2E65DD2B2E 3163 Export keys K_Exp_MAC | K_Exp_ENC used in KImp15 algorithm: 3164 00000: 7D AC 56 E4 8A 4D C1 70 FA A8 FC BA E2 0D B8 45 3165 00010: 45 0C CC C4 C6 32 8B DC 8D 01 15 7C EF A2 A5 F1 3166 00020: 1F 1C BA D8 86 61 66 F0 1F FA AB 01 52 E2 4B F4 3167 00030: 60 9D 5F 46 A5 C8 99 C7 87 90 0D 08 B9 FC AD 24 3169 IV: 3170 00000: 21 4A 6A 29 8E 99 E3 25 3172 PMS: 3173 00000: A5 57 6C E7 92 4A 24 F5 81 13 80 8D BD 9E F8 56 3174 00010: F5 BD C3 B1 83 CE 5D AD CA 36 A5 3A A0 77 65 1D 3176 ---------------------------Client--------------------------- 3178 Random value k used in signature generation: 3179 0x163962EEA268203E7C6B3F70BF8D4A36 3180 34CE6E2CFC424687951D70ACE0B4292A 3182 Signature value sgn_c = SIGN_d_c(HM): 3183 00000: F7 1F 43 62 45 5B C5 5B A8 9A 8F AF 01 82 88 EC 3184 00010: 00 B3 27 17 48 2E 76 24 B2 57 D9 79 7C 8F F6 02 3185 00020: E3 15 FD BD 8D E5 6D 08 54 18 04 0E 1B 61 BB F6 3186 00030: B3 01 AC 26 3D 50 03 8B 30 31 13 DB 36 17 50 3A 3188 ---------------------------Client--------------------------- 3190 CertificateVerify message: 3191 msg_type: 0F 3192 length: 000044 3193 body: 3194 algorithm: 3195 hash: 08 3196 signature: 40 3197 signature: 3198 length: 0040 3199 vector: F71F4362455BC55BA89A8FAF018288EC 3200 00B32717482E7624B257D9797C8FF602 3201 E315FDBD8DE56D085418040E1B61BBF6 3202 B301AC263D50038B303113DB3617503A 3204 00000: 0F 00 00 44 08 40 00 40 F7 1F 43 62 45 5B C5 5B 3205 00010: A8 9A 8F AF 01 82 88 EC 00 B3 27 17 48 2E 76 24 3206 00020: B2 57 D9 79 7C 8F F6 02 E3 15 FD BD 8D E5 6D 08 3207 00030: 54 18 04 0E 1B 61 BB F6 B3 01 AC 26 3D 50 03 8B 3208 00040: 30 31 13 DB 36 17 50 3A 3209 Record layer message: 3210 type: 16 3211 version: 3212 major: 03 3213 minor: 03 3214 length: 0048 3215 fragment: 0F00004408400040F71F4362455BC55B 3216 A89A8FAF018288EC00B32717482E7624 3217 B257D9797C8FF602E315FDBD8DE56D08 3218 5418040E1B61BBF6B301AC263D50038B 3219 303113DB3617503A 3221 00000: 16 03 03 00 48 0F 00 00 44 
08 40 00 40 F7 1F 43 3222 00010: 62 45 5B C5 5B A8 9A 8F AF 01 82 88 EC 00 B3 27 3223 00020: 17 48 2E 76 24 B2 57 D9 79 7C 8F F6 02 E3 15 FD 3224 00030: BD 8D E5 6D 08 54 18 04 0E 1B 61 BB F6 B3 01 AC 3225 00040: 26 3D 50 03 8B 30 31 13 DB 36 17 50 3A 3227 ---------------------------Client--------------------------- 3229 HASH(HM): 3230 00000: 9D 64 0D D8 B2 54 6B 87 05 CC 3E 67 F3 BB 83 2F 3231 00010: 89 2A 5B D5 D4 5C A0 44 85 01 14 C2 E6 56 02 69 3233 MS: 3234 00000: E3 18 17 B0 EC 7F 3B C9 4A 8B C4 5F 89 12 DE C5 3235 00010: 71 2A 7A 34 78 56 31 C0 4B AE 81 43 EE 17 90 B4 3236 00020: C9 D3 68 0F 6C 9D E1 70 74 58 C8 75 62 4D B6 ED 3238 Client connection key material 3239 K_write_MAC|K_read_MAC|K_write_ENC|K_read_ENC|IV_write|IV_read: 3240 00000: 50 52 5D 33 4E F7 00 6C 1D ED B8 B8 08 EA 03 CC 3241 00010: CF 1F CB 3D 33 65 F9 72 E1 7C 7C 31 4E DD 97 90 3242 00020: 6C 74 35 22 0A A1 B0 C6 DE 6A 1B 0F AC 29 B6 17 3243 00030: 9E B3 23 86 62 25 E0 7F 30 4C A1 D1 27 75 86 29 3244 00040: 7B 97 20 5D 7A 08 C2 CD 7F 60 3C 09 46 75 E6 C4 3245 00050: CC 15 F2 84 0D 9A EC 63 F0 2A FF 51 DB D5 74 D2 3246 00060: 76 6C 77 2B 83 2F CE 58 CB 4D E5 49 88 77 A6 7A 3247 00070: A4 51 40 B2 ED 52 6E 61 65 0A 28 1B 32 56 35 BC 3248 00080: CB 8E F9 4C 5B DF 5B 9F 47 48 B9 5B F1 B0 E0 BF 3250 ---------------------------Server--------------------------- 3252 HASH(HM): 3253 00000: 9D 64 0D D8 B2 54 6B 87 05 CC 3E 67 F3 BB 83 2F 3254 00010: 89 2A 5B D5 D4 5C A0 44 85 01 14 C2 E6 56 02 69 3255 MS: 3256 00000: E3 18 17 B0 EC 7F 3B C9 4A 8B C4 5F 89 12 DE C5 3257 00010: 71 2A 7A 34 78 56 31 C0 4B AE 81 43 EE 17 90 B4 3258 00020: C9 D3 68 0F 6C 9D E1 70 74 58 C8 75 62 4D B6 ED 3260 Server connection key material 3261 K_read_MAC|K_write_MAC|K_read_ENC|K_write_ENC|IV_read|IV_write: 3262 00000: 50 52 5D 33 4E F7 00 6C 1D ED B8 B8 08 EA 03 CC 3263 00010: CF 1F CB 3D 33 65 F9 72 E1 7C 7C 31 4E DD 97 90 3264 00020: 6C 74 35 22 0A A1 B0 C6 DE 6A 1B 0F AC 29 B6 17 3265 00030: 9E B3 23 86 62 25 E0 7F 
30 4C A1 D1 27 75 86 29 3266 00040: 7B 97 20 5D 7A 08 C2 CD 7F 60 3C 09 46 75 E6 C4 3267 00050: CC 15 F2 84 0D 9A EC 63 F0 2A FF 51 DB D5 74 D2 3268 00060: 76 6C 77 2B 83 2F CE 58 CB 4D E5 49 88 77 A6 7A 3269 00070: A4 51 40 B2 ED 52 6E 61 65 0A 28 1B 32 56 35 BC 3270 00080: CB 8E F9 4C 5B DF 5B 9F 47 48 B9 5B F1 B0 E0 BF 3272 ---------------------------Client--------------------------- 3274 ChangeCipherSpec message: 3275 type: 01 3277 00000: 01 3279 Record layer message: 3280 type: 14 3281 version: 3282 major: 03 3283 minor: 03 3284 length: 0001 3285 fragment: 01 3287 00000: 14 03 03 00 01 01 3289 ---------------------------Client--------------------------- 3291 HASH(HM): 3292 00000: C9 A4 80 DA 29 6C DD 12 3E 9A EB 26 88 8B 86 19 3293 00010: EA 67 78 B7 23 FA A8 B2 DC 70 6A CB A5 AB AF 11 3295 client_verify_data: 3296 00000: 98 7C 13 E6 FA 16 F3 D5 10 AE 83 00 23 58 72 27 3297 00010: 32 90 09 4C 8F C7 B5 F0 C7 D7 47 C4 27 35 F8 F1 3299 ---------------------------Client--------------------------- 3300 Finished message: 3301 msg_type: 14 3302 length: 000020 3303 body: 3304 verify_data: 987C13E6FA16F3D510AE830023587227 3305 3290094C8FC7B5F0C7D747C42735F8F1 3307 00000: 14 00 00 20 98 7C 13 E6 FA 16 F3 D5 10 AE 83 00 3308 00010: 23 58 72 27 32 90 09 4C 8F C7 B5 F0 C7 D7 47 C4 3309 00020: 27 35 F8 F1 3311 Record layer message: 3312 type: 16 3313 version: 3314 major: 03 3315 minor: 03 3316 length: 0034 3317 fragment: 4DC53D655EDFD1843AF69ADBDE989C0B 3318 1F0C0A1A0FD1B3F458029D8F9989FBF9 3319 6C5C42971063A9B70714F412E4F6280F 3320 7C21601B 3322 00000: 16 03 03 00 34 4D C5 3D 65 5E DF D1 84 3A F6 9A 3323 00010: DB DE 98 9C 0B 1F 0C 0A 1A 0F D1 B3 F4 58 02 9D 3324 00020: 8F 99 89 FB F9 6C 5C 42 97 10 63 A9 B7 07 14 F4 3325 00030: 12 E4 F6 28 0F 7C 21 60 1B 3327 ---------------------------Server--------------------------- 3329 ChangeCipherSpec message: 3330 type: 01 3332 00000: 01 3334 Record layer message: 3335 type: 14 3336 version: 3337 major: 03 3338 minor: 03 3339 
length: 0001 3340 fragment: 01 3342 00000: 14 03 03 00 01 01 3344 ---------------------------Server--------------------------- 3345 HASH(HM): 3346 00000: 4A 41 4C AD 20 F8 46 D8 F5 D1 05 26 10 A5 9D ED 3347 00010: 6D 2B 1B B2 A8 9E 13 51 01 FC 9E 49 ED A8 0F B4 3349 server_verify_data: 3350 00000: 1E 93 7D A4 77 EE 1F 23 0A 41 D6 E9 D4 14 46 B7 3351 00010: F2 1C A1 B2 E2 32 4A 55 2D 52 B3 25 5E B4 3D DF 3353 ---------------------------Server--------------------------- 3355 Finished message: 3356 msg_type: 14 3357 length: 000020 3358 body: 3359 verify_data: 1E937DA477EE1F230A41D6E9D41446B7 3360 F21CA1B2E2324A552D52B3255EB43DDF 3362 00000: 14 00 00 20 1E 93 7D A4 77 EE 1F 23 0A 41 D6 E9 3363 00010: D4 14 46 B7 F2 1C A1 B2 E2 32 4A 55 2D 52 B3 25 3364 00020: 5E B4 3D DF 3366 Record layer message: 3367 type: 16 3368 version: 3369 major: 03 3370 minor: 03 3371 length: 0034 3372 fragment: F9887C3654B6CCC6AE7D7B18A46C663F 3373 3D1DAF30C9A853A9871077FDD5CA063B 3374 2C81BCC9D59FA6E3F5FAD9B2599BB586 3375 854A2D76 3377 00000: 16 03 03 00 34 F9 88 7C 36 54 B6 CC C6 AE 7D 7B 3378 00010: 18 A4 6C 66 3F 3D 1D AF 30 C9 A8 53 A9 87 10 77 3379 00020: FD D5 CA 06 3B 2C 81 BC C9 D5 9F A6 E3 F5 FA D9 3380 00030: B2 59 9B B5 86 85 4A 2D 76 3382 ---------------------------Client--------------------------- 3384 Application data: 3385 00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3386 00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3388 Record layer message: 3389 type: 17 3390 version: 3392 major: 03 3393 minor: 03 3394 length: 0030 3395 fragment: F14F06FB8557408846080690E7A5525D 3396 1C6E9C901D24025486AB79728BF63D06 3397 5C09C27233006D65CFF0B5BA87504969 3399 00000: 17 03 03 00 30 F1 4F 06 FB 85 57 40 88 46 08 06 3400 00010: 90 E7 A5 52 5D 1C 6E 9C 90 1D 24 02 54 86 AB 79 3401 00020: 72 8B F6 3D 06 5C 09 C2 72 33 00 6D 65 CF F0 B5 3402 00030: BA 87 50 49 69 3404 ---------------------------Server--------------------------- 3406 Application data: 3407 00000: FF FF FF FF FF FF 
FF FF FF FF FF FF FF FF FF FF 3408 00010: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 3410 Record layer message: 3411 type: 17 3412 version: 3413 major: 03 3414 minor: 03 3415 length: 0030 3416 fragment: 1561E52A8B6DB258746FFE18F3CDCB11 3417 1D0173AF2E5C13741C99BFF13B47CD32 3418 B3CED856A9506E706A2340D5841AB114 3420 00000: 17 03 03 00 30 15 61 E5 2A 8B 6D B2 58 74 6F FE 3421 00010: 18 F3 CD CB 11 1D 01 73 AF 2E 5C 13 74 1C 99 BF 3422 00020: F1 3B 47 CD 32 B3 CE D8 56 A9 50 6E 70 6A 23 40 3423 00030: D5 84 1A B1 14 3425 ---------------------------Client--------------------------- 3427 close_notify alert: 3428 Alert: 3429 level: 01 3430 description: 00 3432 00000: 01 00 3434 Record layer message: 3435 type: 15 3436 version: 3437 major: 03 3438 minor: 03 3439 length: 0012 3440 fragment: E530C164642A078CEF528CB465E9DA7E 3441 AD4D 3443 00000: 15 03 03 00 12 E5 30 C1 64 64 2A 07 8C EF 52 8C 3444 00010: B4 65 E9 DA 7E AD 4D 3446 ---------------------------Server--------------------------- 3448 close_notify alert: 3449 Alert: 3450 level: 01 3451 description: 00 3453 00000: 01 00 3455 Record layer message: 3456 type: 15 3457 version: 3458 major: 03 3459 minor: 03 3460 length: 0012 3461 fragment: EB62E5AB78BF2A4B678920A11027EC43 3462 0C3F 3464 00000: 15 03 03 00 12 EB 62 E5 AB 78 BF 2A 4B 67 89 20 3465 00010: A1 10 27 EC 43 0C 3F 3467 A.2. Test Examples for CNT_IMIT cipher suites 3469 A.2.1. 
Record Examples

It is assumed that the following keys were established during the Handshake:

- MAC key:
  00000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
  00010: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
- Encryption key:
  00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
- IV:
  00000: 00 00 00 00 00 00 00 00

---------------------------------------------------------
seqnum = 0

Application data:
00000: 00 00 00 00 00 00 00

Plaintext:
00000: 17 03 03 00 07 00 00 00 00 00 00 00

MAC:
00000: 30 01 34 a1

Ciphertext:
00000: 17 03 03 00 0b 86 71 cd bf 3c 1a ae 0f 62 4b 04

---------------------------------------------------------
seqnum = 1

Application data:
00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
....
007f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Plaintext:
00000: 17 03 03 08 00 00 00 00 00 00 00 00 00 00 00 00
00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
....
007f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00804: 00 00 00 00 00

MAC:
00000: f7 c3 8b 8a

Ciphertext:
00000: 17 03 03 08 04 cf aa 0c b4 2f a5 a4 7a 13 3d 73
00010: b9 f2 c0 b0 4f 8c a2 55 52 f8 56 bc be 6a 58 fa
....
007f0: 3e e2 c7 6f a2 30 a0 44 be 21 dc 8e 1a 96 f9 a8
00804: 88 1f ad 83 45 96 96 84 47

A.2.2. Handshake Examples

The ClientHello.extensions and the ServerHello.extensions fields contain the renegotiation_info extension (see [RFC5746]) in the following examples.
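The decoded views above can be cross-checked against the raw record bytes with the following Python decoder, an added example rather than code from the draft: it parses the TLS 1.2 record and handshake framing used throughout this appendix with length-checked reads, decodes ClientHello, ServerHello and CertificateRequest, and checks that a server selected only a suite and extensions the client offered. It assumes the suite and signature scheme names this draft assigns to the code points C100, C101, C102, 0840 and 0841; the sample records are the A.1.3.2 ClientHello, ServerHello and CertificateRequest shown above.

```python
# Code points assigned by this draft; C100 is negotiated in A.1.3.2, C102 in A.2.
CIPHER_SUITES = {0xC100: "TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC",
                 0xC101: "TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC",
                 0xC102: "TLS_GOSTR341112_256_WITH_28147_CNT_IMIT"}
SIGNATURE_SCHEMES = {0x0840: "gostr34102012_256", 0x0841: "gostr34102012_512"}
CERT_TYPES = {0x43: "gost_sign256", 0x44: "gost_sign512"}
HANDSHAKE_TYPES = {0x01: "ClientHello", 0x02: "ServerHello", 0x0B: "Certificate",
                   0x0D: "CertificateRequest", 0x0E: "ServerHelloDone",
                   0x0F: "CertificateVerify", 0x10: "ClientKeyExchange", 0x14: "Finished"}


class Reader:
    """Bounded cursor: a truncated or over-long vector raises instead of mis-parsing."""
    def __init__(self, data):
        self.data, self.pos = data, 0
    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated at offset %d" % self.pos)
        self.pos += n
        return self.data[self.pos - n:self.pos]
    def uint(self, n):
        return int.from_bytes(self.take(n), "big")
    def vector(self, len_bytes):  # TLS vector: len_bytes-wide length, then the bytes
        return Reader(self.take(self.uint(len_bytes)))
    def uint16_list(self):  # rest of the buffer as uint16s; an odd length raises
        return [self.uint(2) for _ in range((len(self.data) - self.pos + 1) // 2)]
    def done(self):
        return self.pos == len(self.data)


def parse_extensions(r):  # {extension_type: value}; only signature_algorithms is decoded
    exts = {}
    while not r.done():
        ext_type, body = r.uint(2), r.vector(2)
        if ext_type == 0x000D:
            exts[ext_type] = [SIGNATURE_SCHEMES.get(s, hex(s))
                              for s in body.vector(2).uint16_list()]
        else:
            exts[ext_type] = body.data.hex()
    return exts


def parse_hello(r, is_server):
    out = {"hello_version": (r.uint(1), r.uint(1)), "random": r.take(32).hex(),
           "session_id": r.vector(1).data.hex()}
    if is_server:
        out["cipher_suite"] = CIPHER_SUITES.get(s := r.uint(2), hex(s))
        out["compression"] = r.uint(1)
    else:
        out["cipher_suites"] = [CIPHER_SUITES.get(s, hex(s)) for s in r.vector(2).uint16_list()]
        out["compression"] = list(r.vector(1).data)
    out["extensions"] = parse_extensions(r.vector(2)) if not r.done() else {}  # optional block
    return out


def parse_certificate_request(r):
    return {"certificate_types": [CERT_TYPES.get(t, hex(t)) for t in r.vector(1).data],
            "signature_algorithms": [SIGNATURE_SCHEMES.get(s, hex(s))
                                     for s in r.vector(2).uint16_list()],
            "certificate_authorities": r.vector(2).data.hex()}


def parse_record(raw):
    """Decode one record (header included); non-handshake content keeps its raw fragment."""
    r = Reader(raw)
    rec = {"content_type": r.uint(1), "record_version": (r.uint(1), r.uint(1))}
    fragment = r.vector(2)
    if not r.done():
        raise ValueError("bytes after end of record")
    if rec["content_type"] != 0x16:  # ChangeCipherSpec, Alert or encrypted data
        rec["fragment"] = fragment.data.hex()
        return rec
    msg_type, body = fragment.uint(1), fragment.vector(3)
    rec["msg_type"] = HANDSHAKE_TYPES.get(msg_type, hex(msg_type))
    parser = {0x01: lambda b: parse_hello(b, False), 0x02: lambda b: parse_hello(b, True),
              0x0D: parse_certificate_request}.get(msg_type)
    rec.update(parser(body) if parser else {"body": body.take(len(body.data)).hex()})
    if not (body.done() and fragment.done()):
        raise ValueError("trailing bytes in %s" % rec["msg_type"])
    return rec


def check_negotiation(client_hello, server_hello):
    """Server must pick only a suite and extensions the client offered; returns the suite."""
    ch, sh = parse_record(client_hello), parse_record(server_hello)
    if sh["cipher_suite"] not in ch["cipher_suites"]:
        raise ValueError("server chose a suite the client did not offer")
    if set(sh["extensions"]) - set(ch["extensions"]):
        raise ValueError("server returned an extension the client did not offer")
    return sh["cipher_suite"]


# Records copied from the A.1.3.2 example above (dump offsets and spacing removed).
CLIENT_HELLO = bytes.fromhex(
    "1603030044010000400303933EA21EC3802A561550EC78D6ED51AC2439D7E749C31BC3A345"
    "6165889684CA000004C100C10101000013000D0006000408400841FF0100010000170000")
SERVER_HELLO = bytes.fromhex(
    "1603030045020000410303933EA21E49C31BC3A3456165889684CAA5576CE7924A24F58113"
    "808DBD9EF85610C3802A561550EC78D6ED51AC2439D7E7C100000009FF0100010000170000")
CERTIFICATE_REQUEST = bytes.fromhex("160303000F0D00000B0243440004084008410000")
```

Feeding any other record from this appendix to parse_record gives the same field breakdown the draft prints beside it; encrypted records come back with only their raw fragment.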
   Server certificate curve OID:
      id-tc26-gost-3410-12-512-paramSetA, "1.2.643.7.1.2.1.2.1"

   Server public key Q_s:
      x = 0x16DB0566C0278AC8204143994824236D
            97F36A13D5433E990B2EAC859D2E9B7A
            E054794655389158B8242923E3841B14
            24FD89F221701C89D9A3BF6A9F946795

      y = 0xD01E80DEC5BD23C8BC6B85F12BBB1635
            A5AE7AD50DE24FB8FD02CB285A4AE65A
            7D6FBB99AAFFDA80629826F2F7F73282
            220444761615A06D082077C4A00FD4CF

   Server private key d_s:
      0x5F1E83AFA2C4CB2C5633C51380E84E37
        4B013EE7C238330709080CE914B442D4
        34EB016D23FB63FEDC18B62D9DA93D26
        B3B9CE6F663B383303BD5930ED41608B

   ---------------------------Client---------------------------

   ClientHello message:
      msg_type: 01
      length: 00003a
      body:
         client_version:
            major: 03
            minor: 03
         random: 6A523D6880DCC2DC75CCC43CFD04B616
                 F5C3757B8077B76A9B504949FD3BFDB8
         session_id:
            length: 00
            vector: --
         cipher_suites:
            length: 0002
            vector:
               CipherSuite: C102
         compression_methods:
            length: 01
            vector:
               CompressionMethod: 00
         extensions:
            length: 000F
            Extension: /* signature_algorithms */
               extension_type: 000D
               extension_data:
                  length: 0006
                  vector:
                     supported_signature_algorithms:
                        length: 0004
                        vector:
                           /* 1st pair of algorithms */
                           hash: 08
                           signature: 41
                           /* 2nd pair of algorithms */
                           hash: 08
                           signature: 40
            Extension: /* renegotiation_info */
               extension_type: FF01
               extension_data:
                  length: 0001
                  vector:
                     renegotiated_connection:
                        length: 00
                        vector: --

   00000: 01 00 00 3A 03 03 6A 52 3D 68 80 DC C2 DC 75 CC
   00010: C4 3C FD 04 B6 16 F5 C3 75 7B 80 77 B7 6A 9B 50
   00020: 49 49 FD 3B FD B8 00 00 02 C1 02 01 00 00 0F 00
   00030: 0D 00 06 00 04 08 41 08 40 FF 01 00 01 00

   Record layer message:
      type: 16
      version:
         major: 03
         minor: 03
      length: 003e
      fragment: 0100003A03036A523D6880DCC2DC75CC
                C43CFD04B616F5C3757B8077B76A9B50
                4949FD3BFDB8000002C1020100000F00
                0D0006000408410840FF01000100

   00000: 16 03 03 00 3E 01 00 00 3A 03 03 6A 52 3D 68 80
   00010: DC C2 DC 75 CC C4 3C FD 04 B6 16 F5 C3 75 7B 80
   00020: 77 B7 6A 9B 50 49 49 FD 3B FD B8 00 00 02 C1 02
   00030: 01 00 00 0F 00 0D 00 06 00 04 08 41 08 40 FF 01
   00040: 00 01 00

   ---------------------------Server---------------------------

   ServerHello message:
      msg_type: 02
      length: 00004D
      body:
         client_version:
            major: 03
            minor: 03
         random: FE92C9516D0E1A67A04C33CD7F2C90B1
                 5E76DCC30815C19F92A6D100915AF2DB
         session_id:
            length: 20
            vector: 12AAA5E5779014711CCD6D265BDEE519
                    1026431C83768EE5EB5A157F940BE9FB
         cipher_suite:
            CipherSuite: C102
         compression_method:
            CompressionMethod: 00
         extensions:
            length: 0005
            Extension: /* renegotiation_info */
               extension_type: FF01
               extension_data:
                  length: 0001
                  vector:
                     renegotiated_connection:
                        length: 00
                        vector: --

   00000: 02 00 00 4D 03 03 FE 92 C9 51 6D 0E 1A 67 A0 4C
   00010: 33 CD 7F 2C 90 B1 5E 76 DC C3 08 15 C1 9F 92 A6
   00020: D1 00 91 5A F2 DB 20 12 AA A5 E5 77 90 14 71 1C
   00030: CD 6D 26 5B DE E5 19 10 26 43 1C 83 76 8E E5 EB
   00040: 5A 15 7F 94 0B E9 FB C1 02 00 00 05 FF 01 00 01
   00050: 00

   Record layer message:
      type: 16
      version:
         major: 03
         minor: 03
      length: 0051
      fragment: 0200004D0303FE92C9516D0E1A67A04C
                33CD7F2C90B15E76DCC30815C19F92A6
                D100915AF2DB2012AAA5E5779014711C
                CD6D265BDEE5191026431C83768EE5EB
                5A157F940BE9FBC102000005FF010001
                00

   00000: 16 03 03 00 51 02 00 00 4D 03 03 FE 92 C9 51 6D
   00010: 0E 1A 67 A0 4C 33 CD 7F 2C 90 B1 5E 76 DC C3 08
   00020: 15 C1 9F 92 A6 D1 00 91 5A F2 DB 20 12 AA A5 E5
   00030: 77 90 14 71 1C CD 6D 26 5B DE E5 19 10 26 43 1C
   00040: 83 76 8E E5 EB 5A 15 7F 94 0B E9 FB C1 02 00 00
   00050: 05 FF 01 00 01 00

   ---------------------------Server---------------------------

   Certificate message:
      msg_type: 0B
      length: 000266
      body:
         certificate_list:
            length: 000263
            vector:
               ASN.1Cert:
                  length: 000260
                  vector: 3082025C308201C8A003020102021478
                          94DC9D920977809191642F1DAEDC26BA
                          3B5104300A06082A8503070101030330
                          . . .
                          6C12D51F99C98A4A9904F0EA5486FED7
                          FF66AB8EB2425E1ACEAE8A758BDF843B
                          E1A8F6FEBF673015FED7AB86533DBF20

   00000: 0B 00 02 66 00 02 63 00 02 60 30 82 02 5C 30 82
   00010: 01 C8 A0 03 02 01 02 02 14 78 94 DC 9D 92 09 77
   00020: 80 91 91 64 2F 1D AE DC 26 BA 3B 51 04 30 0A 06
   00030: 08 2A 85 03 07 01 01 03 03 30 19 31 17 30 15 06
   00040: 03 55 04 03 13 0E 43 41 20 43 65 72 74 69 66 69
   00050: 63 61 74 65 30 1E 17 0D 31 38 30 31 30 32 30 30
   00060: 30 30 31 31 5A 17 0D 32 32 30 31 30 32 30 30 30
   00070: 30 32 31 5A 30 21 31 1F 30 1D 06 03 55 04 03 13
   00080: 16 53 65 72 76 65 72 20 35 31 32 20 43 65 72 74
   00090: 69 66 69 63 61 74 65 30 81 AA 30 21 06 08 2A 85
   000a0: 03 07 01 01 01 02 30 15 06 09 2A 85 03 07 01 02
   000b0: 01 02 01 06 08 2A 85 03 07 01 01 02 03 03 81 84
   000c0: 00 04 81 80 95 67 94 9F 6A BF A3 D9 89 1C 70 21
   000d0: F2 89 FD 24 14 1B 84 E3 23 29 24 B8 58 91 38 55
   000e0: 46 79 54 E0 7A 9B 2E 9D 85 AC 2E 0B 99 3E 43 D5
   000f0: 13 6A F3 97 6D 23 24 48 99 43 41 20 C8 8A 27 C0
   00100: 66 05 DB 16 CF D4 0F A0 C4 77 20 08 6D A0 15 16
   00110: 76 44 04 22 82 32 F7 F7 F2 26 98 62 80 DA FF AA
   00120: 99 BB 6F 7D 5A E6 4A 5A 28 CB 02 FD B8 4F E2 0D
   00130: D5 7A AE A5 35 16 BB 2B F1 85 6B BC C8 23 BD C5
   00140: DE 80 1E D0 A3 81 93 30 81 90 30 0C 06 03 55 1D
   00150: 13 01 01 FF 04 02 30 00 30 1A 06 03 55 1D 11 04
   00160: 13 30 11 82 09 6C 6F 63 61 6C 68 6F 73 74 87 04
   00170: 7F 00 00 01 30 13 06 03 55 1D 25 04 0C 30 0A 06
   00180: 08 2B 06 01 05 05 07 03 01 30 0F 06 03 55 1D 0F
   00190: 01 01 FF 04 05 03 03 07 B0 00 30 1D 06 03 55 1D
   001a0: 0E 04 16 04 14 AE 46 41 1B FD B3 08 C3 39 03 47
   001b0: 57 57 2B 0F BF A3 6F 9A 99 30 1F 06 03 55 1D 23
   001c0: 04 18 30 16 80 14 7F 7B 7A 15 61 A6 F2 18 A2 E3
   001d0: 48 3B C6 39 D9 7F 42 DB 6D AF 30 0A 06 08 2A 85
   001e0: 03 07 01 01 03 03 03 81 81 00 9C 49 78 F7 1B AB
   001f0: 54 8A 25 6D 2A 18 7C A8 4D 72 4F E1 EF A7 E5 36
   00200: 67 2E 79 1F 8A 0C B6 74 1E B1 63 E2 96 37 8C 5B
   00210: 82 83 EE DA B4 1B A4 22 1E BC E2 05 F6 F8 79 CF
   00220: EB F0 AD E9 36 07 0F B2 40 E5 0D 04 37 03 7F 2A
   00230: EC 99 C7 CD 23 9F 6F 20 25 A8 6C 12 D5 1F 99 C9
   00240: 8A 4A 99 04 F0 EA 54 86 FE D7 FF 66 AB 8E B2 42
   00250: 5E 1A CE AE 8A 75 8B DF 84 3B E1 A8 F6 FE BF 67
   00260: 30 15 FE D7 AB 86 53 3D BF 20

   Record layer message:
      type: 16
      version:
         major: 03
         minor: 03
      length: 026A
      fragment: 0B0002660002630002603082025C3082
                01C8A00302010202147894DC9D920977
                809191642F1DAEDC26BA3B5104300A06
                . . .
                EC99C7CD239F6F2025A86C12D51F99C9
                8A4A9904F0EA5486FED7FF66AB8EB242
                5E1ACEAE8A758BDF843BE1A8F6FEBF67
                3015FED7AB86533DBF20

   00000: 16 03 03 02 6A 0B 00 02 66 00 02 63 00 02 60 30
   00010: 82 02 5C 30 82 01 C8 A0 03 02 01 02 02 14 78 94
   00020: DC 9D 92 09 77 80 91 91 64 2F 1D AE DC 26 BA 3B
   00030: 51 04 30 0A 06 08 2A 85 03 07 01 01 03 03 30 19
   00040: 31 17 30 15 06 03 55 04 03 13 0E 43 41 20 43 65
   00050: 72 74 69 66 69 63 61 74 65 30 1E 17 0D 31 38 30
   00060: 31 30 32 30 30 30 30 31 31 5A 17 0D 32 32 30 31
   00070: 30 32 30 30 30 30 32 31 5A 30 21 31 1F 30 1D 06
   00080: 03 55 04 03 13 16 53 65 72 76 65 72 20 35 31 32
   00090: 20 43 65 72 74 69 66 69 63 61 74 65 30 81 AA 30
   000a0: 21 06 08 2A 85 03 07 01 01 01 02 30 15 06 09 2A
   000b0: 85 03 07 01 02 01 02 01 06 08 2A 85 03 07 01 01
   000c0: 02 03 03 81 84 00 04 81 80 95 67 94 9F 6A BF A3
   000d0: D9 89 1C 70 21 F2 89 FD 24 14 1B 84 E3 23 29 24
   000e0: B8 58 91 38 55 46 79 54 E0 7A 9B 2E 9D 85 AC 2E
   000f0: 0B 99 3E 43 D5 13 6A F3 97 6D 23 24 48 99 43 41
   00100: 20 C8 8A 27 C0 66 05 DB 16 CF D4 0F A0 C4 77 20
   00110: 08 6D A0 15 16 76 44 04 22 82 32 F7 F7 F2 26 98
   00120: 62 80 DA FF AA 99 BB 6F 7D 5A E6 4A 5A 28 CB 02
   00130: FD B8 4F E2 0D D5 7A AE A5 35 16 BB 2B F1 85 6B
   00140: BC C8 23 BD C5 DE 80 1E D0 A3 81 93 30 81 90 30
   00150: 0C 06 03 55 1D 13 01 01 FF 04 02 30 00 30 1A 06
   00160: 03 55 1D 11 04 13 30 11 82 09 6C 6F 63 61 6C 68
   00170: 6F 73 74 87 04 7F 00 00 01 30 13 06 03 55 1D 25
   00180: 04 0C 30 0A 06 08 2B 06 01 05 05 07 03 01 30 0F
   00190: 06 03 55 1D 0F 01 01 FF 04 05 03 03 07 B0 00 30
   001a0: 1D 06 03 55 1D 0E 04 16 04 14 AE 46 41 1B FD B3
   001b0: 08 C3 39 03 47 57 57 2B 0F BF A3 6F 9A 99 30 1F
   001c0: 06 03 55 1D 23 04 18 30 16 80 14 7F 7B 7A 15 61
   001d0: A6 F2 18 A2 E3 48 3B C6 39 D9 7F 42 DB 6D AF 30
   001e0: 0A 06 08 2A 85 03 07 01 01 03 03 03 81 81 00 9C
   001f0: 49 78 F7 1B AB 54 8A 25 6D 2A 18 7C A8 4D 72 4F
   00200: E1 EF A7 E5 36 67 2E 79 1F 8A 0C B6 74 1E B1 63
   00210: E2 96 37 8C 5B 82 83 EE DA B4 1B A4 22 1E BC E2
   00220: 05 F6 F8 79 CF EB F0 AD E9 36 07 0F B2 40 E5 0D
   00230: 04 37 03 7F 2A EC 99 C7 CD 23 9F 6F 20 25 A8 6C
   00240: 12 D5 1F 99 C9 8A 4A 99 04 F0 EA 54 86 FE D7 FF
   00250: 66 AB 8E B2 42 5E 1A CE AE 8A 75 8B DF 84 3B E1
   00260: A8 F6 FE BF 67 30 15 FE D7 AB 86 53 3D BF 20

   ---------------------------Server---------------------------

   ServerHelloDone message:
      msg_type: 0E
      length: 000000
      body: --

   00000: 0E 00 00 00

   Record layer message:
      type: 16
      version:
         major: 03
         minor: 03
      length: 0004
      fragment: 0E000000

   00000: 16 03 03 00 04 0E 00 00 00

   ---------------------------Client---------------------------

   PMS:
   00000: CE 0D D6 B6 70 42 12 15 2B E4 69 5A 7E 89 F6 4C
   00010: 89 29 A4 0D BF 0A 5A 55 C2 CE 00 2B 06 BA B6 2F

   Random d_eph value:
      0xC96486B1A3732389A162F5AD0145D537
        43C9AC27D42ACF1091CE7EF67E6C3CCA
        0F6C879B2DA3C1607648BAEB96471BD2
        078DF5CAAA4FA83ECC0FFD6D3C8E5D56

   Q_eph ephemeral key:
      x = 0x4B9CB381BCC737E493E43B2D7FD95BFE
            2AEF6BE8F6224882E5E559ADA08170DC
            49A815B3A1B3B323D2B50195153CFC60
            DD6139C3770C5762A6A7719FABF84BFB

      y = 0x95CEF28392C846A5EEFCB51C84E4960A
            77B77D0D85EBD22061BFDA0013C5AB6C
            42DDD04973F65D2AEB8A5427A53D6872
            CF2D68F5F722C4640D7AAF2E0194FBD0

   HASH(r_c | r_s):
   00000: FB F3 9D 10 E8 00 AF 70 E7 AA 22 C1 10 DA 94 A9
   00010: 9A 58 98 D8 45 27 C7 CB DE C1 1E 53 39 90 6A 1A

   K_EXP:
   00000: 3F D9 99 D1 68 4A 15 CC 9B DD 5A 35 06 7A F6 98
   00010: 17 15 00 22 E0 95 54 AC 79 1A 60 F1 61 F5 53 49

   IV:
   00000: FB F3 9D 10 E8 00 AF 70

   CEK_ENC:
   00000: D6 22 D1 67 A5 64 2E 29 52 5A 29 5C B9 F2 8F 96
   00010: F2 8B 0E FA A7 D3 A2 BE E1 49 B0 11 78 C2 DF D5

   CEK_MAC:
   00000: 4C 93 36 57

   PMSEXP:
   00000: FB F3 9D 10 E8 00 AF 70 D6 22 D1 67 A5 64 2E 29
   00010: 52 5A 29 5C B9 F2 8F 96 F2 8B 0E FA A7 D3 A2 BE
   00020: E1 49 B0 11 78 C2 DF D5 4C 93 36 57

   ---------------------------Client---------------------------

   ClientKeyExchange message:
      msg_type: 10
      length: 0000F5
      body:
         exchange_keys: 3081F23081EF30280420D622D167A564
                        2E29525A295CB9F28F96F28B0EFAA7D3
                        A2BEE149B01178C2DFD504044C933657
                        . . .
                        DABF6120D2EB850D7DB7770A96E4841C
                        B5FCEEA546C89283F2CE950408FBF39D
                        10E800AF70

   00000: 10 00 00 F5 30 81 F2 30 81 EF 30 28 04 20 D6 22
   00010: D1 67 A5 64 2E 29 52 5A 29 5C B9 F2 8F 96 F2 8B
   00020: 0E FA A7 D3 A2 BE E1 49 B0 11 78 C2 DF D5 04 04
   00030: 4C 93 36 57 A0 81 C2 06 09 2A 85 03 07 01 02 05
   00040: 01 01 A0 81 AA 30 21 06 08 2A 85 03 07 01 01 01
   00050: 02 30 15 06 09 2A 85 03 07 01 02 01 02 01 06 08
   00060: 2A 85 03 07 01 01 02 03 03 81 84 00 04 81 80 FB
   00070: 4B F8 AB 9F 71 A7 A6 62 57 0C 77 C3 39 61 DD 60
   00080: FC 3C 15 95 01 B5 D2 23 B3 B3 A1 B3 15 A8 49 DC
   00090: 70 81 A0 AD 59 E5 E5 82 48 22 F6 E8 6B EF 2A FE
   000A0: 5B D9 7F 2D 3B E4 93 E4 37 C7 BC 81 B3 9C 4B D0
   000B0: FB 94 01 2E AF 7A 0D 64 C4 22 F7 F5 68 2D CF 72
   000C0: 68 3D A5 27 54 8A EB 2A 5D F6 73 49 D0 DD 42 6C
   000D0: AB C5 13 00 DA BF 61 20 D2 EB 85 0D 7D B7 77 0A
   000E0: 96 E4 84 1C B5 FC EE A5 46 C8 92 83 F2 CE 95 04
   000F0: 08 FB F3 9D 10 E8 00 AF 70

   Record layer message:
      type: 16
      version:
         major: 03
         minor: 03
      length: 00F9
      fragment: 100000F53081F23081EF30280420D622
                D167A5642E29525A295CB9F28F96F28B
                0EFAA7D3A2BEE149B01178C2DFD50404
                . . .
                ABC51300DABF6120D2EB850D7DB7770A
                96E4841CB5FCEEA546C89283F2CE9504
                08FBF39D10E800AF70

   00000: 16 03 03 00 F9 10 00 00 F5 30 81 F2 30 81 EF 30
   00010: 28 04 20 D6 22 D1 67 A5 64 2E 29 52 5A 29 5C B9
   00020: F2 8F 96 F2 8B 0E FA A7 D3 A2 BE E1 49 B0 11 78
   00030: C2 DF D5 04 04 4C 93 36 57 A0 81 C2 06 09 2A 85
   00040: 03 07 01 02 05 01 01 A0 81 AA 30 21 06 08 2A 85
   00050: 03 07 01 01 01 02 30 15 06 09 2A 85 03 07 01 02
   00060: 01 02 01 06 08 2A 85 03 07 01 01 02 03 03 81 84
   00070: 00 04 81 80 FB 4B F8 AB 9F 71 A7 A6 62 57 0C 77
   00080: C3 39 61 DD 60 FC 3C 15 95 01 B5 D2 23 B3 B3 A1
   00090: B3 15 A8 49 DC 70 81 A0 AD 59 E5 E5 82 48 22 F6
   000A0: E8 6B EF 2A FE 5B D9 7F 2D 3B E4 93 E4 37 C7 BC
   000B0: 81 B3 9C 4B D0 FB 94 01 2E AF 7A 0D 64 C4 22 F7
   000C0: F5 68 2D CF 72 68 3D A5 27 54 8A EB 2A 5D F6 73
   000D0: 49 D0 DD 42 6C AB C5 13 00 DA BF 61 20 D2 EB 85
   000E0: 0D 7D B7 77 0A 96 E4 84 1C B5 FC EE A5 46 C8 92
   000F0: 83 F2 CE 95 04 08 FB F3 9D 10 E8 00 AF 70

   ---------------------------Client---------------------------

   HASH(HM):
   00000: F8 D6 FE EB 17 64 4D 17 B0 38 36 A6 51 EB 87 69
   00010: BD EA A2 D3 EB 18 47 F6 91 91 42 7C 30 D0 17 8E

   MS:
   00000: BE 57 46 C8 BB B7 84 7E 97 8F D4 C9 4F 52 34 52
   00010: 44 2C 8E B1 72 FD E6 28 1C 18 C5 44 63 B1 F9 4C
   00020: 2B D9 81 40 05 41 6D BB 0F 90 A5 7E A4 E0 6B 50

   Client connection key material
   K_write_MAC|K_read_MAC|K_write_ENC|K_read_ENC|IV_write|IV_read:
   00000: F3 37 F6 A8 6F F3 1F CA 52 EA 64 7C DE E3 B7 83
   00010: 34 AB 77 B5 7F E0 DB 2F C0 C8 71 EC DC AC A5 A8
   00020: FB A0 4C 21 32 82 3A 24 96 EF 93 6F 0E BC F3 0E
   00030: A0 CB 7E AF 6C A7 94 75 4F 1F 45 B1 77 22 DE B4
   00040: 4E 5B C3 2D 44 30 AF 58 93 11 6A CF 81 A3 BE 0C
   00050: 90 D2 EA 8E 76 E0 84 07 28 BA F5 E2 B2 F9 40 C0
   00060: AE 18 26 7B B6 34 C1 6A 1D 1A C1 24 73 50 95 4B
   00070: 2F EE 9B 77 F3 0D 18 D5 54 01 2B 43 78 60 87 0A
   00080: D9 21 A8 4B 07 FF 98 AF 8C 82 38 6B 91 FB BA 64

   ---------------------------Server---------------------------

   PMSEXP extracted:
   00000: FB F3 9D 10 E8 00 AF 70 D6 22 D1 67 A5 64 2E 29
   00010: 52 5A 29 5C B9 F2 8F 96 F2 8B 0E FA A7 D3 A2 BE
   00020: E1 49 B0 11 78 C2 DF D5 4C 93 36 57

   HASH(r_c | r_s):
   00000: FB F3 9D 10 E8 00 AF 70 E7 AA 22 C1 10 DA 94 A9
   00010: 9A 58 98 D8 45 27 C7 CB DE C1 1E 53 39 90 6A 1A

   K_EXP:
   00000: 3F D9 99 D1 68 4A 15 CC 9B DD 5A 35 06 7A F6 98
   00010: 17 15 00 22 E0 95 54 AC 79 1A 60 F1 61 F5 53 49

   PMS:
   00000: CE 0D D6 B6 70 42 12 15 2B E4 69 5A 7E 89 F6 4C
   00010: 89 29 A4 0D BF 0A 5A 55 C2 CE 00 2B 06 BA B6 2F

   ---------------------------Server---------------------------

   HASH(HM):
   00000: F8 D6 FE EB 17 64 4D 17 B0 38 36 A6 51 EB 87 69
   00010: BD EA A2 D3 EB 18 47 F6 91 91 42 7C 30 D0 17 8E

   MS:
   00000: BE 57 46 C8 BB B7 84 7E 97 8F D4 C9 4F 52 34 52
   00010: 44 2C 8E B1 72 FD E6 28 1C 18 C5 44 63 B1 F9 4C
   00020: 2B D9 81 40 05 41 6D BB 0F 90 A5 7E A4 E0 6B 50

   Client connection key material
   K_read_MAC|K_write_MAC|K_read_ENC|K_write_ENC|IV_read|IV_write:
   00000: F3 37 F6 A8 6F F3 1F CA 52 EA 64 7C DE E3 B7 83
   00010: 34 AB 77 B5 7F E0 DB 2F C0 C8 71 EC DC AC A5 A8
   00020: FB A0 4C 21 32 82 3A 24 96 EF 93 6F 0E BC F3 0E
   00030: A0 CB 7E AF 6C A7 94 75 4F 1F 45 B1 77 22 DE B4
   00040: 4E 5B C3 2D 44 30 AF 58 93 11 6A CF 81 A3 BE 0C
   00050: 90 D2 EA 8E 76 E0 84 07 28 BA F5 E2 B2 F9 40 C0
   00060: AE 18 26 7B B6 34 C1 6A 1D 1A C1 24 73 50 95 4B
   00070: 2F EE 9B 77 F3 0D 18 D5 54 01 2B 43 78 60 87 0A
   00080: D9 21 A8 4B 07 FF 98 AF 8C 82 38 6B 91 FB BA 64

   ---------------------------Client---------------------------

   ChangeCipherSpec message:
      type: 01

   00000: 01

   Record layer message:
      type: 14
      version:
         major: 03
         minor: 03
      length: 0001
      fragment: 01

   00000: 14 03 03 00 01 01

   ---------------------------Client---------------------------

   HASH(HM):
   00000: F8 D6 FE EB 17 64 4D 17 B0 38 36 A6 51 EB 87 69
   00010: BD EA A2 D3 EB 18 47 F6 91 91 42 7C 30 D0 17 8E

   Finished message:
      msg_type: 14
      length: 00000C
      body:
         verify_data: D3EE1DEA725CD7080C744311

   00000: 14 00 00 0C D3 EE 1D EA 72 5C D7 08 0C 74 43 11

   Record layer message:
      type: 16
      version:
         major: 03
         minor: 03
      length: 0014
      fragment: 8854A0ED0CCBDAE076FA7D22D763A8D1
                AF701BBB

   00000: 16 03 03 00 14 88 54 A0 ED 0C CB DA E0 76 FA 7D
   00010: 22 D7 63 A8 D1 AF 70 1B BB

   ---------------------------Server---------------------------

   ChangeCipherSpec message:
      type: 01

   00000: 01

   Record layer message:
      type: 14
      version:
         major: 03
         minor: 03
      length: 0001
      fragment: 01

   00000: 14 03 03 00 01 01

   ---------------------------Server---------------------------

   HASH(HM):
   00000: 9C 9F C4 E3 32 5B 5F B3 70 B9 94 2A 71 D2 6E F0
   00010: 10 71 D8 A5 A1 8F 69 E8 C2 0B 70 CC 90 E9 A9 46

   Finished message:
      msg_type: 14
      length: 00000C
      body:
         verify_data: D6A2A697E9F23DB0F9017A79

   00000: 14 00 00 0C D6 A2 A6 97 E9 F2 3D B0 F9 01 7A 79

   Record layer message:
      type: 16
      version:
         major: 03
         minor: 03
      length: 0014
      fragment: 7BDDBB3C0A6A4A9E302B468CCD5CF786
                665FFEBC

   00000: 16 03 03 00 14 7B DD BB 3C 0A 6A 4A 9E 30 2B 46
   00010: 8C CD 5C F7 86 66 5F FE BC

   ---------------------------Client---------------------------

   Application data:
   00000: 48 45 4C 4F 0A

   Record layer message:
      type: 17
      version:
         major: 03
         minor: 03
      length: 0009
      fragment: A8951D9389D1AEFE3B

   00000: 17 03 03 00 09 A8 95 1D 93 89 D1 AE FE 3B

   ---------------------------Server---------------------------
   Application data:
   00000: 48 45 4C 4F 0A

   Record layer message:
      type: 17
      version:
         major: 03
         minor: 03
      length: 0009
      fragment: 0F368E5CEC86B4F8D7

   00000: 17 03 03 00 09 0F 36 8E 5C EC 86 B4 F8 D7

   ---------------------------Client---------------------------

   close_notify alert:
      Alert:
         level: 01
         description: 00

   00000: 01 00

   Record layer message:
      type: 15
      version:
         major: 03
         minor: 03
      length: 0006
      fragment: F91FCD98F309

   00000: 15 03 03 00 06 F9 1F CD 98 F3 09

   ---------------------------Server---------------------------

   close_notify alert:
      Alert:
         level: 01
         description: 00

   00000: 01 00

   Record layer message:
      type: 15
      version:
         major: 03
         minor: 03
      length: 0006
      fragment: 117B57AD5FED

   00000: 15 03 03 00 06 11 7B 57 AD 5F ED

Appendix B. Contributors

   * Ekaterina Griboedova
     CryptoPro
     griboedova.e.s@gmail.com

   * Grigory Sedov
     CryptoPro
     sedovgk@cryptopro.ru

   * Dmitry Eremin-Solenikov
     Auriga
     dbaryshkov@gmail.com

   * Lidiia Nikiforova
     CryptoPro
     nikiforova@cryptopro.ru

Appendix C. Acknowledgments

Authors' Addresses

   Stanislav Smyshlyaev (editor)
   CryptoPro
   18, Suschevsky val
   Moscow
   127018
   Russian Federation

   Phone: +7 (495) 995-48-20
   Email: svs@cryptopro.ru

   Dmitry Belyavskiy
   Cryptocom
   14/2 Kedrova st
   Moscow
   117218
   Russian Federation

   Email: beldmit@gmail.com

   Markku-Juhani O. Saarinen
   Independent Consultant

   Email: mjos@iki.fi

   Evgeny Alekseev
   CryptoPro
   18, Suschevsky val
   Moscow
   127018
   Russian Federation

   Email: alekseev@cryptopro.ru