Network Working Group                                 S.V. Smyshlyaev, Ed.
Internet-Draft                                                    CryptoPro
Intended status: Informational                                D. Belyavskiy
Expires: 6 March 2022                                             Cryptocom
                                                              M-J. Saarinen
                                                     Independent Consultant
                                                              E.K. Alekseev
                                                                  CryptoPro
                                                           2 September 2021

      GOST Cipher Suites for Transport Layer Security (TLS) Protocol
                               Version 1.2
                  draft-smyshlyaev-tls12-gost-suites-17

Abstract

   This document specifies three new cipher suites, two new signature
   algorithms, seven new supported groups and two new certificate types
   for the Transport Layer Security (TLS) protocol Version 1.2 to
   support the Russian cryptographic standard algorithms (called GOST
   algorithms).  This document specifies a profile of TLS 1.2 with GOST
   algorithms so that implementers can produce interoperable
   implementations.

   This specification is developed to facilitate implementations that
   wish to support the GOST algorithms.  This document does not imply
   IETF endorsement of the cipher suites, signature algorithms,
   supported groups and certificate types.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 6 March 2022.

Copyright Notice

   Copyright (c) 2021 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Simplified BSD License text
   as described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Conventions Used in This Document
   3.  Basic Terms and Definitions
   4.  Cipher Suite Definitions
     4.1.  Record Payload Protection
       4.1.1.  CTR_OMAC
       4.1.2.  CNT_IMIT
     4.2.  Key Exchange and Authentication
       4.2.1.  Hello Messages
       4.2.2.  Server Certificate
       4.2.3.  CertificateRequest
       4.2.4.  ClientKeyExchange
         4.2.4.1.  CTR_OMAC
         4.2.4.2.  CNT_IMIT
       4.2.5.  CertificateVerify
       4.2.6.  Finished
     4.3.  Cryptographic Algorithms
       4.3.1.  Block Cipher
       4.3.2.  MAC algorithm
       4.3.3.  Encryption algorithm
       4.3.4.  PRF and HASH algorithms
       4.3.5.  SNMAX parameter
   5.  New Values for the SignatureAlgorithm Registry
   6.  New Values for the Supported Groups Registry
   7.  New Values for the ClientCertificateType Identifiers Registry
   8.  Additional Algorithms
     8.1.  TLSTREE
       8.1.1.  Key Tree Parameters
     8.2.  Key export and key import algorithms
       8.2.1.  KExp15 and KImp15 Algorithms
       8.2.2.  KExp28147 and KImp28147 Algorithms
     8.3.  Key Exchange Generation Algorithms
       8.3.1.  KEG Algorithm
       8.3.2.  KEG_28147 Algorithm
     8.4.  gostIMIT28147
   9.  IANA Considerations
   10. Historical Considerations
   11. Security Considerations
   12. References
     12.1.  Normative References
     12.2.  Informative References
   Appendix A.  Test Examples
     A.1.  Test Examples for CTR_OMAC cipher suites
       A.1.1.  TLSTREE Examples
         A.1.1.1.  TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC ciphersuite
         A.1.1.2.  TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC ciphersuite
       A.1.2.  Record Examples
         A.1.2.1.  TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC ciphersuite
         A.1.2.2.  TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC ciphersuite
       A.1.3.  Handshake Examples
         A.1.3.1.  TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC ciphersuite
         A.1.3.2.  TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC ciphersuite
     A.2.  Test Examples for CNT_IMIT cipher suites
       A.2.1.  Record Examples
       A.2.2.  Handshake Examples
   Appendix B.  Contributors
   Appendix C.  Acknowledgments
   Authors' Addresses

1.  Introduction

   This document specifies three new cipher suites, two new signature
   algorithms, seven new supported groups and two new certificate types
   for the Transport Layer Security (TLS) Protocol Version 1.2 [RFC5246]
   to support the set of Russian cryptographic standard algorithms
   (called GOST algorithms).  This document specifies a profile of TLS
   1.2 with GOST algorithms so that implementers can produce
   interoperable implementations.  The profile of TLS 1.2 with GOST
   algorithms uses the hash algorithm GOST R 34.11-2012 [RFC6986] and
   the signature algorithm GOST R 34.10-2012 [RFC7091] and uses two
   types of cipher suites: the CTR_OMAC cipher suites and the CNT_IMIT
   cipher suite.

   The CTR_OMAC cipher suites use the GOST R 34.12-2015 (see [RFC7801],
   [RFC8891]) block ciphers.

   The CNT_IMIT cipher suite uses the GOST 28147-89 [RFC5830] block
   cipher.

   This document specifies the profile of the TLS protocol version 1.2
   with GOST algorithms.  The profile of the TLS protocol version 1.3
   [RFC8446] with GOST algorithms is specified in a separate document
   [DraftGostTLS13].

   This specification is developed to facilitate implementations that
   wish to support the GOST algorithms.
   This document does not imply IETF endorsement of the cipher suites,
   signature algorithms, supported groups and certificate types.

2.  Conventions Used in This Document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

3.  Basic Terms and Definitions

   This document uses the following terms and definitions for the sets
   and operations on the elements of these sets:

   B_t      the set of byte strings of length t, t >= 0, for t = 0 the
            B_t set consists of a single empty string of zero length.  If
            A is an element of B_t, then A = (a_1, a_2, ... , a_t), where
            a_1, a_2, ... , a_t are in {0, ... , 255};

   B*       the set of all byte strings of a finite length (hereinafter
            referred to as strings), including the empty string;

   A[i..j]  the string A[i..j] = (a_i, a_{i+1}, ... , a_j) in B_{j-i+1}
            where A = (a_1, ... , a_t) in B_t and 1<=i<=j<=t;

   L(A)     the length of the byte string A in bytes;

   A | C    concatenation of strings A and C both belonging to B*, i.e.,
            a string in B_{L(A)+L(C)}, where the left substring in B_L(A)
            is equal to A, and the right substring in B_L(C) is equal to
            C;

   A XOR C  bitwise exclusive-or of byte strings A and C both belonging
            to B_t (i.e. both are of length t bytes), i.e., a string in
            B_t such that if A = (a_1, a_2, ... , a_t), C = (c_1, c_2,
            ... , c_t) then A XOR C = (a_1 (xor) c_1, a_2 (xor) c_2, ...
            , a_t (xor) c_t) where (xor) is bitwise exclusive-or of
            bytes;

   i & j    bitwise AND of unsigned integers i and j;

   STR_t    the transformation that maps an integer i = 256^{t-1} * i_1 +
            ... + 256 * i_{t-1} + i_t into the byte string STR_t(i) =
            (i_1, ... , i_t) in B_t (the interpretation of the integer as
            a byte string in big-endian format);

   str_t    the transformation that maps an integer i = 256^{t-1} * i_t +
            ... + 256 * i_2 + i_1 into the byte string str_t(i) = (i_1,
            ... , i_t) in B_t (the interpretation of the integer as a
            byte string in little-endian format);

   INT      the transformation that maps a string a = (a_1, ... , a_t) in
            B_t into the integer INT(a) = 256^{t-1} * a_1 + ... + 256 *
            a_{t-1} + a_t (the interpretation of the byte string in big-
            endian format as an integer);

   int      the transformation that maps a string a = (a_1, ... , a_t) in
            B_t into the integer int(a) = 256^{t-1} * a_t + ... + 256 *
            a_2 + a_1 (the interpretation of the byte string in little-
            endian format as an integer);

   k        the length of the block cipher key in bytes;

   n        the length of the block cipher block in bytes;

   Q_c      the public key stored in the client's certificate;

   d_c      the private key that corresponds to the Q_c key;

   Q_s      the public key stored in the server's certificate;

   d_s      the private key that corresponds to the Q_s key;

   q_s      an order of a cyclic subgroup of elliptic curve points group
            containing point Q_s;

   P_s      the distinguished generator of the subgroup of order q_s that
            belongs to the same curve as Q_s;

   r_c      the random string contained in ClientHello.random field (see
            [RFC5246]);

   r_s      the random string contained in ServerHello.random field (see
            [RFC5246]).

4.  Cipher Suite Definitions

   This document specifies the CTR_OMAC cipher suites and the CNT_IMIT
   cipher suite.

   The CTR_OMAC cipher suites have the following values:

      TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC = {0xC1, 0x00};

      TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC = {0xC1, 0x01}.

   The CNT_IMIT cipher suite has the following value:

      TLS_GOSTR341112_256_WITH_28147_CNT_IMIT = {0xC1, 0x02}.

4.1.  Record Payload Protection

   The profile of TLS 1.2 with GOST algorithms requires that the
   compression is not used.

   All of the cipher suites described in this document use such modes of
   operation (see Section 4.3.3) that protect the records in the same
   way as if they were protected by a stream cipher.  The TLSCiphertext
   structure for the CTR_OMAC and CNT_IMIT cipher suites is specified in
   accordance with the Standard Stream Cipher case (see Section 6.2.3.1
   of [RFC5246]):

      struct {
          ContentType type;
          ProtocolVersion version;
          uint16 length;
          GenericStreamCipher fragment;
      } TLSCiphertext;

   where TLSCiphertext.fragment is generated in accordance with
   Section 4.1.1 when the CTR_OMAC cipher suite is used and
   Section 4.1.2 when the CNT_IMIT cipher suite is used.

   The connection key material is a key material that consists of the
   sender_write_key (either the client_write_key or the
   server_write_key), the sender_write_MAC_key (either the
   client_write_MAC_key or the server_write_MAC_key) and the
   sender_write_IV (either the client_write_IV or the server_write_IV)
   parameters that are generated in accordance with Section 6.3 of
   [RFC5246].

   The record key material is a key material that is generated from the
   connection key material and is used to protect a record with the
   certain sequence number.  Note that with some cipher suites defined
   in this document the record key material can be equal to the
   connection key material.

   In this section the TLSCiphertext.fragment generation is described
   for one particular endpoint (server or client) with the corresponding
   connection key material and record key material.

4.1.1.  CTR_OMAC

   In case of the CTR_OMAC cipher suites the record key material differs
   from the connection key material, and for the sequence number seqnum
   consists of:

   *  K_ENC_seqnum in B_k;

   *  K_MAC_seqnum in B_k;

   *  IV_seqnum in B_{n/2}.

   The K_ENC_seqnum and K_MAC_seqnum values are calculated using the
   TLSTREE function defined in Section 8.1, the connection key material
   and the sequence number seqnum.  IV_seqnum is calculated by adding
   seqnum value to sender_write_IV modulo 2^{(n/2)*8}:

   *  K_ENC_seqnum = TLSTREE(sender_write_key, seqnum);

   *  K_MAC_seqnum = TLSTREE(sender_write_MAC_key, seqnum);

   *  IV_seqnum = STR_{n/2}((INT(sender_write_IV) + seqnum) mod
      2^{(n/2)*8}).

   The TLSCiphertext.fragment that corresponds to the sequence number
   seqnum is equal to the ENCValue_seqnum value that is calculated as
   follows:

   1.  The MACValue_seqnum value is generated using the MAC algorithm
       (see Section 4.3.2) similar to Section 6.2.3.1 of [RFC5246] except
       the sender_write_MAC_key is replaced by the K_MAC_seqnum key:

          MACValue_seqnum = MAC(K_MAC_seqnum, STR_8(seqnum) | type_seqnum |
          version_seqnum | length_seqnum | fragment_seqnum),

       where type_seqnum, version_seqnum, length_seqnum, fragment_seqnum
       are the TLSCompressed.type, TLSCompressed.version,
       TLSCompressed.length and TLSCompressed.fragment values of the
       record with the seqnum sequence number.

   2.  The entire data with the MACValue is encrypted with the ENC
       stream cipher (see Section 4.3.3):

          ENCValue_seqnum = ENC(K_ENC_seqnum, IV_seqnum, fragment_seqnum |
          MACValue_seqnum),

       where fragment_seqnum is the TLSCompressed.fragment value of the
       record with the seqnum sequence number.

   Note that the profile of TLS 1.2 with GOST algorithms uses the
   authenticate-then-encrypt method (see Appendix F.4 of [RFC5246]).
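   The CTR_OMAC record protection steps above, as an added example in
   Python that is not code from the draft: it implements the draft's
   composition (IV_seqnum with its modular wrap, the MAC input
   STR_8(seqnum) | type | version | length | fragment, authenticate-
   then-encrypt on send, MAC verification and the SNMAX bound of Table 1
   on receive), while TLSTREE, OMAC and CTR-ACPKM are passed in as
   callables.  The demo_* stand-ins, the CtrOmacRecordLayer class and the
   keys are constructed for this example and are not the GOST
   primitives; a real stack plugs those in unchanged.

```python
import hashlib
import hmac
from typing import Callable

# Block length n and SNMAX (Table 1) for the two CTR_OMAC suites.
CTR_OMAC_SUITES = {
    "TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC": {"n": 16, "snmax": 2**64 - 1},
    "TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC": {"n": 8, "snmax": 2**32 - 1},
}


def STR(t: int, i: int) -> bytes:
    """STR_t from Section 3: integer i as a t-byte big-endian string."""
    return i.to_bytes(t, "big")


def INT(a: bytes) -> int:
    """INT from Section 3: big-endian byte string as an integer."""
    return int.from_bytes(a, "big")


def record_iv(sender_write_iv: bytes, seqnum: int, n: int) -> bytes:
    """IV_seqnum = STR_{n/2}((INT(sender_write_IV) + seqnum) mod 2^{(n/2)*8})."""
    half = n // 2
    if len(sender_write_iv) != half:
        raise ValueError("sender_write_IV must be n/2 bytes for CTR_OMAC")
    return STR(half, (INT(sender_write_iv) + seqnum) % (1 << (half * 8)))


def mac_input(seqnum: int, content_type: int, version: bytes, fragment: bytes) -> bytes:
    """STR_8(seqnum) | type | version | length | fragment (Section 4.1.1, step 1)."""
    return STR(8, seqnum) + bytes([content_type]) + version + STR(2, len(fragment)) + fragment


class CtrOmacRecordLayer:
    """Record protection for one endpoint of a CTR_OMAC suite (constructed class).

    tlstree(key, seqnum) -> per-record key, mac(key, data) -> n-byte tag,
    enc(key, iv, data) -> data XOR keystream (a stream cipher, so it is its
    own inverse).  A real stack plugs in TLSTREE, OMAC and CTR-ACPKM here.
    """

    def __init__(self, suite: str, write_key: bytes, write_mac_key: bytes,
                 write_iv: bytes, tlstree: Callable, mac: Callable, enc: Callable):
        params = CTR_OMAC_SUITES[suite]
        self.n, self.snmax = params["n"], params["snmax"]
        self.write_key, self.write_mac_key, self.write_iv = write_key, write_mac_key, write_iv
        self.tlstree, self.mac, self.enc = tlstree, mac, enc

    def _record_keys(self, seqnum: int):
        """K_ENC_seqnum, K_MAC_seqnum and IV_seqnum for one record."""
        if seqnum > self.snmax:
            # Table 1: no record may carry a sequence number above SNMAX.
            raise ValueError("sequence number exceeds SNMAX; close the connection")
        return (self.tlstree(self.write_key, seqnum),
                self.tlstree(self.write_mac_key, seqnum),
                record_iv(self.write_iv, seqnum, self.n))

    def protect(self, seqnum: int, content_type: int, version: bytes, fragment: bytes) -> bytes:
        """ENCValue_seqnum = ENC(K_ENC, IV, fragment | MACValue): authenticate-then-encrypt."""
        k_enc, k_mac, iv = self._record_keys(seqnum)
        tag = self.mac(k_mac, mac_input(seqnum, content_type, version, fragment))
        return self.enc(k_enc, iv, fragment + tag)

    def unprotect(self, seqnum: int, content_type: int, version: bytes, ciphertext: bytes) -> bytes:
        """Decrypt, split off the n-byte MACValue and verify it before releasing data."""
        k_enc, k_mac, iv = self._record_keys(seqnum)
        if len(ciphertext) < self.n:
            raise ValueError("record too short to contain a MAC")
        plain = self.enc(k_enc, iv, ciphertext)  # stream cipher: same operation decrypts
        fragment, tag = plain[:-self.n], plain[-self.n:]
        expected = self.mac(k_mac, mac_input(seqnum, content_type, version, fragment))
        if not hmac.compare_digest(tag, expected):
            raise ValueError("bad_record_mac")
        return fragment


# Constructed stand-ins for the demo only; they are NOT TLSTREE, OMAC or CTR-ACPKM.
def demo_tlstree(key: bytes, seqnum: int) -> bytes:
    return hmac.new(key, STR(8, seqnum), hashlib.sha256).digest()

def demo_mac(n: int) -> Callable:
    return lambda key, data: hmac.new(key, data, hashlib.sha256).digest()[:n]

def demo_enc(key: bytes, iv: bytes, data: bytes) -> bytes:
    stream, counter = b"", 0
    while len(stream) < len(data):  # counter-mode style keystream, XORed onto data
        stream += hashlib.sha256(key + iv + STR(8, counter)).digest()
        counter += 1
    return bytes(x ^ y for x, y in zip(data, stream))

def demo_roundtrip(suite: str, seqnum: int, fragment: bytes, tamper: bool = False) -> bytes:
    """Protect then unprotect one application_data record (type 23) with constructed keys."""
    n = CTR_OMAC_SUITES[suite]["n"]
    layer = CtrOmacRecordLayer(suite, b"K" * 32, b"M" * 32, b"\xff" * (n // 2),
                               demo_tlstree, demo_mac(n), demo_enc)
    ct = layer.protect(seqnum, 23, b"\x03\x03", fragment)
    if tamper:
        ct = bytes([ct[0] ^ 1]) + ct[1:]  # flip one bit in the fragment part
    return layer.unprotect(seqnum, 23, b"\x03\x03", ct)
```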
   The profile of TLS 1.2 with GOST algorithms requires that the
   encrypt_then_mac extension is not used in the ServerHello message
   (see Section 4.2.1).

4.1.2.  CNT_IMIT

   In case of the CNT_IMIT cipher suite the record key material is equal
   to the connection key material and consists of:

   *  sender_write_key in B_k;

   *  sender_write_MAC_key in B_k;

   *  sender_write_IV in B_n.

   The TLSCiphertext.fragment that corresponds to the sequence number
   seqnum is equal to the ENCValue_seqnum value that is calculated as
   follows:

   1.  The MACValue_seqnum value is generated by the MAC algorithm (see
       Section 4.3.2) as follows:

          MACValue_seqnum = MAC(sender_write_MAC_key, STR_8(0) | type_0 |
          version_0 | length_0 | fragment_0 | ... | STR_8(seqnum) |
          type_seqnum | version_seqnum | length_seqnum | fragment_seqnum),

       where type_i, version_i, length_i, fragment_i, i in {0, ... ,
       seqnum}, are the TLSCompressed.type, TLSCompressed.version,
       TLSCompressed.length and TLSCompressed.fragment values of the
       record with the i sequence number.

       Due to the use of the CBC-MAC based mode (see Section 4.3.2)
       producing the MACValue_seqnum value does not mean processing all
       previous records.  It is enough to store only an intermediate
       internal state of the MAC algorithm.

   2.  The entire data with the MACValue is encrypted with the ENC
       stream cipher (see Section 4.3.3):

          ENCValue_0 | ... | ENCValue_seqnum = ENC(sender_write_key,
          sender_write_IV, fragment_0 | MACValue_0 | ... | fragment_seqnum |
          MACValue_seqnum),

       where the length of the byte string ENCValue_i in bytes is equal
       to the length of the byte string (fragment_i | MACValue_i) in
       bytes, i in {0, ... , seqnum}.

       Due to the use of the stream cipher (see Section 4.3.3) producing
       the ENCValue_seqnum value does not mean processing all previous
       records.  It is enough to store only an intermediate internal
       state of the ENC stream cipher.

   Note that the profile of TLS 1.2 with GOST algorithms uses the
   authenticate-then-encrypt method (see Appendix F.4 of [RFC5246]).
   The profile of TLS 1.2 with GOST algorithms requires that the
   encrypt_then_mac extension is not used in the ServerHello message
   (see Section 4.2.1).

4.2.  Key Exchange and Authentication

   The profile of TLS 1.2 with GOST algorithms described in this
   document uses a key encapsulation mechanism based on Diffie-Hellman
   to share the TLS premaster secret.

         Client                                               Server

         ClientHello                  -------->
                                                         ServerHello
                                                         Certificate
                                                 CertificateRequest*
                                      <--------      ServerHelloDone
         Certificate*
         ClientKeyExchange
         CertificateVerify*
         [ChangeCipherSpec]
         Finished                     -------->
                                                  [ChangeCipherSpec]
                                      <--------             Finished
         Application Data             <------->     Application Data

               Figure 1: Message flow for a full handshake.

         * Indicates optional messages that are sent for
           the client authentication.

   Note: To help avoid pipeline stalls, ChangeCipherSpec is an
         independent TLS protocol content type, and is not actually
         a TLS handshake message.

   Figure 1 shows all messages involved in the TLS key establishment
   protocol (full handshake).  A ServerKeyExchange MUST NOT be sent (the
   server's certificate contains enough data to allow the client to
   exchange the premaster secret).

   The server side of the channel is always authenticated; the client
   side is optionally authenticated.  The server is authenticated by
   proving that it knows the premaster secret that is encrypted with the
   public key Q_s from the server's certificate.  The client is
   authenticated via its signature over the handshake transcript.

   In general the key exchange process for both CTR_OMAC and CNT_IMIT
   cipher suites consists of the following steps:

   1.  The client generates the ephemeral key pair (d_eph, Q_eph) that
       corresponds to the server's public key Q_s stored in its
       certificate.

   2.  The client generates the premaster secret PS.  The PS value is
       chosen from B_32 at random.

   3.  Using d_eph and Q_s the client generates the export key material
       (see Section 4.2.4.1 and Section 4.2.4.2) for the particular key
       export algorithm (see Section 8.2.1 and Section 8.2.2) to
       generate the export representation PSExp of the PS value.

   4.  The client sends its ephemeral public key Q_eph and PSExp value
       in the ClientKeyExchange message.

   5.  Using its private key d_s the server generates the import key
       material (see Section 4.2.4.1 and Section 4.2.4.2) for the
       particular key import algorithm (see Section 8.2.1 and
       Section 8.2.2) to extract the premaster secret PS from the export
       representation PSExp.

   This section specifies the data structures and computations used by
   the profile of TLS 1.2 with GOST algorithms.  The specifications for
   the ClientHello, ServerHello, server Certificate, CertificateRequest,
   ClientKeyExchange, CertificateVerify and Finished handshake messages
   are described in further detail below.

4.2.1.  Hello Messages

   The ClientHello message is generated in accordance with
   Section 7.4.1.2 of [RFC5246] and must meet the following
   requirements:

   *  The ClientHello.compression_methods field MUST contain exactly one
      byte, set to zero, which corresponds to the "null" compression
      method.

   *  The ClientHello.extensions field MUST contain the
      signature_algorithms extension (see [RFC5246]).
   If the negotiated cipher suite is one of CTR_OMAC/CNT_IMIT and the
   signature_algorithms extension in the ClientHello message does not
   contain the values defined in Section 5, the server MUST either
   abort the connection or ignore this extension and behave as if the
   client had sent the signature_algorithms extension with the values
   {8, 64} and {8, 65}.

   The ServerHello message is generated in accordance with
   Section 7.4.1.3 of [RFC5246] and must meet the following
   requirements:

   *  The ServerHello.compression_method field MUST contain exactly one
      byte, set to zero, which corresponds to the "null" compression
      method.

   *  The ServerHello.extensions field MUST NOT contain the
      encrypt_then_mac extension (see [RFC7366]).

4.2.2.  Server Certificate

   This message is used to authentically convey the server's public key
   Q_s to the client and is generated in accordance with Section 7.4.2
   of [RFC5246].

   Upon receiving this message the client validates the certificate
   chain, extracts the server's public key, and checks that the key type
   is appropriate for the negotiated key exchange algorithm.  (A
   possible reason for a fatal handshake failure is that the client's
   capabilities for handling elliptic curves and point formats are
   exceeded).

4.2.3.  CertificateRequest

   This message is sent by the server when requesting client
   authentication and is generated in accordance with Section 7.4.4 of
   [RFC5246].

   If the CTR_OMAC or CNT_IMIT cipher suite is negotiated, the
   CertificateRequest message MUST meet the following requirements:

   *  the CertificateRequest.supported_signature_algorithm field MUST
      contain only signature/hash algorithm pairs with the values {8,
      64} or {8, 65} defined in Section 5;

   *  the CertificateRequest.certificate_types field MUST contain only
      the gost_sign256 (67) or gost_sign512 (68) values defined in
      Section 7.

4.2.4.  ClientKeyExchange

   The ClientKeyExchange message is defined as follows.

      enum { vko_kdf_gost, vko_gost } KeyExchangeAlgorithm;

      struct {
          select (KeyExchangeAlgorithm) {
              case vko_kdf_gost: GostKeyTransport;
              case vko_gost: TLSGostKeyTransportBlob;
          } exchange_keys;
      } ClientKeyExchange;

   The body of the ClientKeyExchange message consists of a
   GostKeyTransport/TLSGostKeyTransportBlob structure that contains an
   export representation of the premaster secret PS.

   The GostKeyTransport structure corresponds to the CTR_OMAC cipher
   suites and is described in Section 4.2.4.1 and the
   TLSGostKeyTransportBlob structure corresponds to CNT_IMIT cipher
   suite and is described in Section 4.2.4.2.

   The DER encoding rules are used to encode the GostKeyTransport and
   the TLSGostKeyTransportBlob structures.

4.2.4.1.  CTR_OMAC

   In case of the CTR_OMAC cipher suites the body of the
   ClientKeyExchange message consists of the GostKeyTransport structure
   that is defined below.

   The client generates the ClientKeyExchange message in accordance with
   the following steps:

   1.  Generates the ephemeral key pair (Q_eph, d_eph), where:

          d_eph is chosen from {1, ... , q_s - 1} at random;

          Q_eph = d_eph * P_s.

   2.  Generates the premaster secret PS, where PS is chosen from B_32
       at random.

   3.  Generates export keys (K_EXP_MAC and K_EXP_ENC) using the KEG
       algorithm defined in Section 8.3.1:

          H = HASH(r_c | r_s);

          K_EXP_MAC | K_EXP_ENC = KEG(d_eph, Q_s, H).

   4.  Generates an export representation PSExp of the premaster secret
       PS using the KExp15 algorithm defined in Section 8.2.1:

          IV = H[25..24 + n / 2];

          PSExp = KExp15(PS, K_EXP_MAC, K_EXP_ENC, IV).

   5.  Generates the ClientKeyExchange message using the
       GostKeyTransport structure that is defined as follows:

          GostKeyTransport ::= SEQUENCE {
              keyExp OCTET STRING,
              ephemeralPublicKey SubjectPublicKeyInfo,
              ukm OCTET STRING OPTIONAL
          }

          SubjectPublicKeyInfo ::= SEQUENCE {
              algorithm AlgorithmIdentifier,
              subjectPublicKey BIT STRING
          }

          AlgorithmIdentifier ::= SEQUENCE {
              algorithm OBJECT IDENTIFIER,
              parameters ANY OPTIONAL
          }

       where the keyExp field contains the PSExp value, the
       ephemeralPublicKey field contains the Q_eph value and the ukm
       field MUST be ignored by the server.

   Upon receiving the ClientKeyExchange message, the server processes it
   as follows.

   1.  Checks the following three conditions.  If any of these checks
       fails, then the server MUST abort the handshake with an alert.

       *  Q_eph belongs to the same curve as server public key Q_s;

       *  Q_eph is not equal to zero point;

       *  q_s * Q_eph is equal to zero point.

   2.  Generates export keys (K_EXP_MAC and K_EXP_ENC) using the KEG
       algorithm defined in Section 8.3.1:

          H = HASH(r_c | r_s);

          K_EXP_MAC | K_EXP_ENC = KEG(d_s, Q_eph, H).

   3.  Extracts the premaster secret PS from the export representation
       PSExp using the KImp15 algorithm defined in Section 8.2.1:

          IV = H[25..24 + n / 2];

          PS = KImp15(PSExp, K_EXP_MAC, K_EXP_ENC, IV).

4.2.4.2.  CNT_IMIT

   In case of the CNT_IMIT cipher suite the body of the
   ClientKeyExchange message consists of a TLSGostKeyTransportBlob
   structure that is defined below.

   The client generates the ClientKeyExchange message in accordance with
   the following steps:

   1.  Generates the ephemeral key pair (Q_eph, d_eph), where:

          d_eph is chosen from {1, ... , q_s - 1} at random;

          Q_eph = d_eph * P_s.

   2.  Generates the premaster secret PS, where PS is chosen from B_32
       at random.

   3.  Generates export key (K_EXP) using the KEG_28147 algorithm
       defined in Section 8.3.2:

          H = HASH(r_c | r_s);

          K_EXP = KEG_28147(d_eph, Q_s, H).

   4.  Generates an export representation PSExp of the premaster secret
       PS using the KExp28147 algorithm defined in Section 8.2.2:

          PSExp = IV | CEK_ENC | CEK_MAC = KExp28147(PS, K_EXP, H[1..8]).

   5.  Generates the ClientKeyExchange message using the
       TLSGostKeyTransportBlob structure that is defined as follows:

          TLSGostKeyTransportBlob ::= SEQUENCE {
              keyBlob GostR3410-KeyTransport,
          }

          GostR3410-KeyTransport ::= SEQUENCE {
              sessionEncryptedKey Gost28147-89-EncryptedKey,
              transportParameters [0] IMPLICIT GostR3410-TransportParameters
                  OPTIONAL
          }

          Gost28147-89-EncryptedKey ::= SEQUENCE {
              encryptedKey Gost28147-89-Key,
              maskKey [0] IMPLICIT Gost28147-89-Key OPTIONAL,
              macKey Gost28147-89-MAC
          }

          GostR3410-TransportParameters ::= SEQUENCE {
              encryptionParamSet OBJECT IDENTIFIER,
              ephemeralPublicKey [0] IMPLICIT SubjectPublicKeyInfo OPTIONAL,
              ukm OCTET STRING
          }

       where GostR3410-KeyTransport, Gost28147-89-EncryptedKey and
       GostR3410-TransportParameters are defined according to
       Section 4.2.1 of [RFC4490].

   In the context of this document the
   GostR3410-KeyTransport.transportParameters field is always used, the
   Gost28147-89-EncryptedKey.maskKey field is omitted, the
   GostR3410-KeyTransport.transportParameters.ephemeralPublicKey field
   is always used.

   The Gost28147-89-EncryptedKey.encryptedKey field contains the CEK_ENC
   value, the Gost28147-89-EncryptedKey.macKey field contains the
   CEK_MAC value, and GostR3410-TransportParameters.ukm field contains
   the IV value.

   The keyBlob.transportParameters.ephemeralPublicKey field contains the
   client ephemeral public key Q_eph.
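   The three checks the server runs on Q_eph before deriving any export
   keys (step 1 of the server processing in Section 4.2.4.1; the same
   checks appear in Section 4.2.4.2), as an added example that is not
   code from the draft.  It uses a minimal short-Weierstrass
   implementation and a constructed toy curve y^2 = x^3 + 2x + 3 over
   F_97 whose order-5 subgroup generated by (3, 6) stands in for the
   server's curve, q_s and P_s; the Curve class, validate_ephemeral_key
   and the TOY_* parameters are this example's own names, not GOST
   parameters.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Affine point; None represents the zero point (point at infinity).
Point = Optional[Tuple[int, int]]


@dataclass(frozen=True)
class Curve:
    """Short Weierstrass curve y^2 = x^3 + a*x + b over F_p (toy implementation)."""
    p: int
    a: int
    b: int

    def contains(self, P: Point) -> bool:
        """True if P is the zero point or satisfies the curve equation."""
        if P is None:
            return True
        x, y = P
        if not (0 <= x < self.p and 0 <= y < self.p):
            return False
        return (y * y - (x * x * x + self.a * x + self.b)) % self.p == 0

    def add(self, P: Point, Q: Point) -> Point:
        """Group law in affine coordinates, including the P == -Q case."""
        if P is None:
            return Q
        if Q is None:
            return P
        x1, y1 = P
        x2, y2 = Q
        if x1 == x2 and (y1 + y2) % self.p == 0:
            return None  # Q == -P, so the sum is the zero point
        if P == Q:
            lam = (3 * x1 * x1 + self.a) * pow(2 * y1, -1, self.p)
        else:
            lam = (y2 - y1) * pow(x2 - x1, -1, self.p)
        lam %= self.p
        x3 = (lam * lam - x1 - x2) % self.p
        y3 = (lam * (x1 - x3) - y1) % self.p
        return (x3, y3)

    def mul(self, k: int, P: Point) -> Point:
        """Double-and-add scalar multiplication k * P."""
        R: Point = None
        while k > 0:
            if k & 1:
                R = self.add(R, P)
            P = self.add(P, P)
            k >>= 1
        return R


def validate_ephemeral_key(curve: Curve, q_s: int, Q_eph: Point) -> bool:
    """Server-side checks on Q_eph from ClientKeyExchange (Section 4.2.4.1, step 1).

    Returns False if any check fails; the caller then aborts the handshake
    with an alert instead of feeding Q_eph into KEG.
    """
    if not curve.contains(Q_eph):         # Q_eph belongs to the same curve as Q_s
        return False
    if Q_eph is None:                     # Q_eph is not equal to the zero point
        return False
    return curve.mul(q_s, Q_eph) is None  # q_s * Q_eph is equal to the zero point


# Constructed toy parameters (not GOST curve parameters): P_s = (3, 6) has
# order q_s = 5 on y^2 = x^3 + 2x + 3 over F_97.
TOY_CURVE = Curve(p=97, a=2, b=3)
TOY_P_s: Point = (3, 6)
TOY_q_s = 5
```

   The point (0, 10) lies on the toy curve but outside the order-5
   subgroup, so only the third check rejects it; that is the case the
   first two checks alone would miss.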
       The encryptionParamSet field contains the value 1.2.643.7.1.2.5.1.1
       that corresponds to the id-tc26-gost-28147-param-Z parameter set
       defined in [RFC7836].

   Upon receiving the ClientKeyExchange message, the server processes it
   as follows.

   1.  Checks the following three conditions.  If any of these checks
       fails, then the server MUST abort the handshake with an alert.

       *  Q_eph belongs to the same curve as the server public key Q_s;

       *  Q_eph is not equal to the zero point;

       *  q_s * Q_eph is equal to the zero point.

   2.  Generates the export key (K_EXP) using the KEG_28147 algorithm
       defined in Section 8.3.2:

       *  H = HASH(r_c | r_s);

       *  K_EXP = KEG_28147(d_s, Q_eph, H).

   3.  Extracts the premaster secret PS from the export representation
       PSExp using the KImp28147 algorithm defined in Section 8.2.2:

          PS = KImp28147(PSExp, K_EXP, H[1..8]).

4.2.5.  CertificateVerify

   The client generates the value sgn as follows:

      sgn = SIGN_{d_c}(handshake_messages) = str_l(r) | str_l(s)

   where SIGN_{d_c} is the GOST R 34.10-2012 [RFC7091] signature
   algorithm, d_c is the client long-term private key that corresponds
   to the client long-term public key Q_c from the client's certificate,
   l = 32 when the SignatureAndHashAlgorithm field has the value
   gostr34102012_256, and l = 64 when the SignatureAndHashAlgorithm
   field has the value gostr34102012_512.

   Here handshake_messages refers to all handshake messages sent or
   received, starting at ClientHello and up to, but not including,
   CertificateVerify, including the type and length fields of the
   handshake messages.

   The TLS CertificateVerify message is specified as follows.

      struct {
          SignatureAndHashAlgorithm algorithm;
          opaque signature<0..2^16-1>;
      } CertificateVerify;

   where the SignatureAndHashAlgorithm structure is specified in
   Section 5 and the CertificateVerify.signature field contains the sgn
   value.

4.2.6.  Finished

   The TLS Finished message is generated in accordance with
   Section 7.4.9 of [RFC5246].

   The verify_data_length value is equal to 32 for the CTR_OMAC cipher
   suites and is equal to 12 for the CNT_IMIT cipher suite.  The PRF
   function is defined in Section 4.3.4.

4.3.  Cryptographic Algorithms

4.3.1.  Block Cipher

   The cipher suite TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC MUST
   use Kuznyechik [RFC7801] as the base block cipher for the encryption
   and MAC algorithms.  The block length n is 16 bytes and the key
   length k is 32 bytes.

   The cipher suite TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC MUST use
   Magma [RFC8891] as the base block cipher for the encryption and MAC
   algorithms.  The block length n is 8 bytes and the key length k is
   32 bytes.

   The cipher suite TLS_GOSTR341112_256_WITH_28147_CNT_IMIT MUST use
   GOST 28147-89 [RFC5830] as the base block cipher with the parameter
   set id-tc26-gost-28147-param-Z defined in [RFC7836].  The block
   length n is 8 bytes and the key length k is 32 bytes.

4.3.2.  MAC algorithm

   The CTR_OMAC cipher suites use the OMAC message authentication code
   construction defined in [GOST3413-2015] as the MAC function; it can
   be considered as the CMAC mode defined in [CMAC] with the Kuznyechik
   or Magma block cipher (see Section 4.3.1) used instead of the AES
   block cipher (see [IK2003] for more detail).  The resulting MAC
   length is equal to the block length and the MAC key length is 32
   bytes.

   The CNT_IMIT cipher suite uses the message authentication code
   function gost28147IMIT defined in Section 8.4 with the initialization
   vector IV = IV0, where IV0 in B_8 is a string of all zeros, with the
   CryptoPro Key Meshing algorithm defined in [RFC4357].  The resulting
   MAC length is 4 bytes and the MAC key length is 32 bytes.

4.3.3.  Encryption algorithm

   The CTR_OMAC cipher suites use the block cipher in the CTR-ACPKM
   encryption mode defined in [RFC8645] as the ENC function.  The
   section size N is 4 KB for the
   TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC cipher suite and 1 KB
   for the TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC cipher suite.

   The CNT_IMIT cipher suite uses the block cipher in the counter
   encryption mode (CNT) defined in Section 6 of [RFC5830] with the
   CryptoPro Key Meshing algorithm defined in [RFC4357] as the ENC
   function.

   Note that the counter modes used in the cipher suites described in
   this document act as stream ciphers.

4.3.4.  PRF and HASH algorithms

   The pseudorandom function (PRF) for all the cipher suites defined in
   this document is the PRF_TLS_GOSTR3411_2012_256 function defined in
   [RFC7836].

   The hash function HASH for all the cipher suites defined in this
   document is the GOST R 34.11-2012 [RFC6986] hash algorithm with a
   32-byte (256-bit) hash code.

4.3.5.  SNMAX parameter

   The SNMAX parameter defines the maximal value of the sequence number
   seqnum during one TLS 1.2 connection and is defined as follows:

   +---------------------------------------------+--------------------+
   | CipherSuites                                | SNMAX              |
   +---------------------------------------------+--------------------+
   |TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC | SNMAX = 2^64 - 1   |
   |TLS_GOSTR341112_256_WITH_28147_CNT_IMIT      |                    |
   +---------------------------------------------+--------------------+
   |TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC      | SNMAX = 2^32 - 1   |
   +---------------------------------------------+--------------------+

                                 Table 1

5.  New Values for the SignatureAlgorithm Registry

   The signature/hash algorithm pairs are used to indicate to the
   server/client which algorithms can be used in digital signatures and
   are defined by the SignatureAndHashAlgorithm structure (see
   Section 7.4.1.4.1 of [RFC5246]).
   This document defines new values for the "SignatureAlgorithm
   Registry" that can be used in the SignatureAndHashAlgorithm.signature
   field for the particular signature/hash algorithm pair:

      enum {
          gostr34102012_256(64),
          gostr34102012_512(65),
      } SignatureAlgorithm;

   where the gostr34102012_256 and gostr34102012_512 values correspond
   to the GOST R 34.10-2012 [RFC7091] signature algorithm with 32-byte
   (256-bit) and 64-byte (512-bit) key length respectively.

   According to [RFC7091], the GOST R 34.10-2012 signature algorithm
   with 32-byte (256-bit) or 64-byte (512-bit) key length uses the GOST
   R 34.11-2012 [RFC6986] hash algorithm with 32-byte (256-bit) or
   64-byte (512-bit) hash code respectively (the hash algorithm is
   intrinsic to the signature algorithm).  Therefore, if the
   SignatureAndHashAlgorithm.signature field of a particular hash/
   signature pair listed in the Signature Algorithms Extension is equal
   to the value 64 (gostr34102012_256) or 65 (gostr34102012_512), the
   SignatureAndHashAlgorithm.hash field of this pair MUST contain the
   "Intrinsic" value 8 (see [RFC8422]).

   So, to represent gostr34102012_256 and gostr34102012_512 in the
   signature_algorithms extension, the value shall be (8,64) and (8,65),
   respectively.

6.  New Values for the Supported Groups Registry

   The Supported Groups Extension indicates the set of elliptic curves
   supported by the client and is defined in [RFC8422] and [RFC7919].
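   The encoding rule of Section 5 and the "Intrinsic" hash requirement
   are easy to get wrong on the receiving side, so the following added
   example (it is not code from the draft or from any implementation of
   it) encodes and parses a TLS 1.2 signature_algorithms extension body
   (the 2-byte list length followed by (hash, signature) byte pairs of
   Section 7.4.1.4.1 of [RFC5246]), reports any GOST pair whose hash
   value is not 8, and shows that the (8,64) and (8,65) pairs occupy
   the 16-bit wire values 0x0840 and 0x0841, the codes that Section 9
   asks IANA to reserve in the TLS SignatureScheme registry.  The
   function names and the sample pair (4,1) are the example's own.

```python
"""signature_algorithms handling for the GOST values of Section 5.

Added example; not part of the draft.  The extension body layout
(2-byte list length followed by (hash, signature) byte pairs) is the
TLS 1.2 one from RFC 5246, Section 7.4.1.4.1."""
import struct

# Registry values from Section 5 of the draft and the "Intrinsic" hash
# value from RFC 8422.
GOSTR34102012_256 = 64
GOSTR34102012_512 = 65
HASH_INTRINSIC = 8
GOST_SIGNATURES = {GOSTR34102012_256: "gostr34102012_256",
                   GOSTR34102012_512: "gostr34102012_512"}


def encode_signature_algorithms(pairs):
    """Serialise (hash, signature) pairs as a signature_algorithms body."""
    body = b"".join(bytes((h, s)) for h, s in pairs)
    return struct.pack("!H", len(body)) + body


def parse_signature_algorithms(data):
    """Parse a signature_algorithms body into (hash, signature) pairs.

    Rejects a length field that is odd or that disagrees with the
    number of bytes actually present, so a truncated or padded
    extension is reported instead of being silently misread."""
    if len(data) < 2:
        raise ValueError("extension body shorter than its length field")
    (length,) = struct.unpack("!H", data[:2])
    if length % 2 != 0 or len(data) != 2 + length:
        raise ValueError("signature_algorithms length does not match body")
    return [(data[i], data[i + 1]) for i in range(2, 2 + length, 2)]


def validate_gost_pairs(pairs):
    """Return the pairs that violate Section 5: a GOST signature value
    MUST be accompanied by the Intrinsic hash value 8."""
    return [(h, s) for h, s in pairs
            if s in GOST_SIGNATURES and h != HASH_INTRINSIC]


def offered_gost_signature_algorithms(pairs):
    """Names of the correctly formed GOST pairs in a peer's list, in
    the peer's preference order."""
    return [GOST_SIGNATURES[s] for h, s in pairs
            if s in GOST_SIGNATURES and h == HASH_INTRINSIC]


def scheme_value(pair):
    """The 16-bit value a (hash, signature) pair occupies on the wire:
    (8, 64) is 0x0840 and (8, 65) is 0x0841, matching the codes that
    Section 9 reserves in the TLS SignatureScheme registry."""
    h, s = pair
    return (h << 8) | s


if __name__ == "__main__":
    # Constructed sample list: both GOST pairs plus an unrelated pair.
    body = encode_signature_algorithms([(8, 64), (8, 65), (4, 1)])
    pairs = parse_signature_algorithms(body)
    print(body.hex(), pairs)
    print("GOST algorithms offered:", offered_gost_signature_algorithms(pairs))
    print("malformed GOST pairs:", validate_gost_pairs([(4, 64)]))
```

   A server that negotiates these cipher suites would run
   validate_gost_pairs over the parsed ClientHello list and treat a
   non-empty result as a malformed extension rather than silently
   picking a hash of its own.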
   This document defines new values for the "Supported Groups" registry:

      enum {
          GC256A(34), GC256B(35), GC256C(36), GC256D(37),
          GC512A(38), GC512B(39), GC512C(40),
      } NamedGroup;

   where the values correspond to the following curves:

   +-------------+--------------------------------------+-----------+
   | Description | Curve Identifier Value               | Reference |
   +-------------+--------------------------------------+-----------+
   | GC256A      | id-tc26-gost-3410-2012-256-paramSetA | RFC 7836  |
   +-------------+--------------------------------------+-----------+
   | GC256B      |id-GostR3410-2001-CryptoPro-A-ParamSet| RFC 4357  |
   +-------------+--------------------------------------+-----------+
   | GC256C      |id-GostR3410-2001-CryptoPro-B-ParamSet| RFC 4357  |
   +-------------+--------------------------------------+-----------+
   | GC256D      |id-GostR3410-2001-CryptoPro-C-ParamSet| RFC 4357  |
   +-------------+--------------------------------------+-----------+
   | GC512A      | id-tc26-gost-3410-12-512-paramSetA   | RFC 7836  |
   +-------------+--------------------------------------+-----------+
   | GC512B      | id-tc26-gost-3410-12-512-paramSetB   | RFC 7836  |
   +-------------+--------------------------------------+-----------+
   | GC512C      | id-tc26-gost-3410-2012-512-paramSetC | RFC 7836  |
   +-------------+--------------------------------------+-----------+

                                 Table 2

7.  New Values for the ClientCertificateType Identifiers Registry

   The ClientCertificateType field of the CertificateRequest message
   contains a list of the certificate types that the client may offer
   and is defined in Section 7.4.4 of [RFC5246].
   This document defines new values for the "ClientCertificateType
   Identifiers" registry:

      enum {
          gost_sign256(67),
          gost_sign512(68),
      } ClientCertificateType;

   To use the gost_sign256 or gost_sign512 authentication mechanism, the
   client MUST possess a certificate containing a GOST R
   34.10-2012-capable public key that corresponds to the 32-byte
   (256-bit) or 64-byte (512-bit) signature key respectively.

   The client proves possession of the private key corresponding to the
   certified key by including a signature in the CertificateVerify
   message as described in Section 4.2.5.

8.  Additional Algorithms

   The cipher suites specified in this document rely on some additional
   algorithms, specified below; the use of these algorithms is not
   confined to the use in TLS specified in this document.

8.1.  TLSTREE

   The TLSTREE function is defined as follows:

      TLSTREE(K_root, i) = KDF_3(KDF_2(KDF_1(K_root, STR_8(i & C_1)),
                                 STR_8(i & C_2)), STR_8(i & C_3)),

   where

   *  K_root in B_32;

   *  i in {0, 1, ... , 2^64 - 1};

   *  C_1, C_2, C_3 are constants defined by the particular cipher suite
      (see Section 8.1.1);

   *  KDF_j(K, D), j = 1, 2, 3, K in B_32, D in B_8, is the key
      derivation function based on the KDF_GOSTR3411_2012_256 function
      defined in [RFC7836]:

         KDF_1(K, D) = KDF_GOSTR3411_2012_256(K, "level1", D);

         KDF_2(K, D) = KDF_GOSTR3411_2012_256(K, "level2", D);

         KDF_3(K, D) = KDF_GOSTR3411_2012_256(K, "level3", D).

8.1.1.  Key Tree Parameters

   The CTR_OMAC cipher suites use the TLSTREE function for the re-keying
   approach.  The constants for it are defined in the table below.
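   The masks C_1, C_2, C_3 are what make TLSTREE a re-keying schedule:
   i & C_j is constant over a run of consecutive sequence numbers, so
   the level-j key is recomputed only when the run ends.  The following
   added example (it is not code from the draft or from any
   implementation of it) implements the three-level structure of
   Section 8.1 with the constants from Table 3 of Section 8.1.1 and
   reports, for any two sequence numbers, which levels obtain a fresh
   key.  Two things are assumptions of the example: STR_8 is taken to
   be the 8-byte big-endian encoding, and HMAC-SHA256 stands in for
   KDF_GOSTR3411_2012_256 (HMAC over GOST R 34.11-2012, which the
   Python standard library does not provide), keeping only the RFC 7836
   message layout.  The derived bytes therefore do not reproduce the
   values in Appendix A.1.1, but the mask arithmetic is exact, and the
   level changes it reports at seqnum 4096, 33554432 and 274877906944
   (Magma) and 64, 524288 and 4294967296 (Kuznyechik) are the ones the
   test vectors in Appendix A.1.1 exercise.

```python
"""TLSTREE (Section 8.1) key schedule with the Table 3 constants.

Added example; not code from the draft.  KDF_GOSTR3411_2012_256
(RFC 7836) is HMAC over GOST R 34.11-2012, which is not in the
standard library, so HMAC-SHA256 stands in for it here (assumption):
the derived bytes therefore do not reproduce Appendix A.1.1, but the
mask arithmetic that decides when each level re-keys is exact.
STR_8 is taken to be the 8-byte big-endian encoding (assumption)."""
import hashlib
import hmac
import struct

# C_1, C_2, C_3 from Table 3 (Section 8.1.1).
TREE_CONSTANTS = {
    "TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC":
        (0xFFFFFFFF00000000, 0xFFFFFFFFFFF80000, 0xFFFFFFFFFFFFFFC0),
    "TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC":
        (0xFFFFFFC000000000, 0xFFFFFFFFFE000000, 0xFFFFFFFFFFFFF000),
}


def str_8(i):
    """STR_8(i): 8-byte encoding of i in {0, ..., 2^64 - 1} (big-endian
    by assumption)."""
    return struct.pack("!Q", i)


def kdf_stand_in(key, label, seed):
    """Stand-in for KDF_GOSTR3411_2012_256(K, label, seed).  Keeps the
    RFC 7836 message layout 0x01 | label | 0x00 | seed | 0x01 | 0x00
    but uses SHA-256 as the HMAC hash (assumption, see module docstring)."""
    msg = b"\x01" + label + b"\x00" + seed + b"\x01\x00"
    return hmac.new(key, msg, hashlib.sha256).digest()


def tree_indices(i, constants):
    """(i & C_1, i & C_2, i & C_3): the inputs that select the level-1,
    level-2 and level-3 keys for sequence number i."""
    return tuple(i & c for c in constants)


def tlstree(k_root, i, constants, kdf=kdf_stand_in):
    """TLSTREE(K_root, i) = KDF_3(KDF_2(KDF_1(K_root, STR_8(i & C_1)),
    STR_8(i & C_2)), STR_8(i & C_3)) with the labels of Section 8.1."""
    i1, i2, i3 = tree_indices(i, constants)
    k1 = kdf(k_root, b"level1", str_8(i1))
    k2 = kdf(k1, b"level2", str_8(i2))
    return kdf(k2, b"level3", str_8(i3))


def rekey_levels(prev_seqnum, seqnum, constants):
    """Levels (1..3) whose key changes between two sequence numbers."""
    before = tree_indices(prev_seqnum, constants)
    after = tree_indices(seqnum, constants)
    return [lvl for lvl, (a, b) in enumerate(zip(before, after), start=1)
            if a != b]


def level_periods(constants):
    """How many consecutive sequence numbers share one key at each
    level: the lowest set bit of each mask, since every seqnum below it
    is masked to the same value."""
    return tuple(c & -c for c in constants)


if __name__ == "__main__":
    # Constructed root key, not a value from the draft.
    root = bytes(range(32))
    for suite, consts in TREE_CONSTANTS.items():
        print(suite, "records per key at levels 1..3:", level_periods(consts))
        _, _, p3 = level_periods(consts)
        print("  levels re-keyed at seqnum", p3, "->", rekey_levels(p3 - 1, p3, consts))
        print("  key(", p3 - 1, ") == key(0):", tlstree(root, p3 - 1, consts) == tlstree(root, 0, consts))
```

   level_periods makes the schedule explicit: with the Magma constants
   the record key changes every 4096 records, the level-2 key every
   2^25 records and the level-1 key every 2^38 records, which is the
   pattern visible in the Appendix A.1.1 vectors for that suite, where
   only the "resulting key" changes at seqnum 4096 and all three keys
   change at seqnum 274877906944.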
   +--------------------------------------------+----------------------+
   | CipherSuites                               | C_1, C_2, C_3        |
   +--------------------------------------------+----------------------+
   |TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC|C_1=0xFFFFFFFF00000000|
   |                                            |C_2=0xFFFFFFFFFFF80000|
   |                                            |C_3=0xFFFFFFFFFFFFFFC0|
   +--------------------------------------------+----------------------+
   |TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC     |C_1=0xFFFFFFC000000000|
   |                                            |C_2=0xFFFFFFFFFE000000|
   |                                            |C_3=0xFFFFFFFFFFFFF000|
   +--------------------------------------------+----------------------+

                                 Table 3

8.2.  Key export and key import algorithms

8.2.1.  KExp15 and KImp15 Algorithms

   The algorithms KExp15 and KImp15 use the block cipher determined by
   the particular cipher suite.

   The KExp15 key export algorithm is defined as follows.

   +------------------------------------------------------------+
   | KExp15(S, K_Exp_MAC, K_Exp_ENC, IV)                        |
   |------------------------------------------------------------|
   | Input:                                                     |
   | - secret S to be exported, S in B*,                        |
   | - key K_Exp_MAC in B_k,                                    |
   | - key K_Exp_ENC in B_k,                                    |
   | - IV in B_{n/2}                                            |
   | Output:                                                    |
   | - export representation SExp in B_{L(S)+n}                 |
   |------------------------------------------------------------|
   | 1. CEK_MAC = OMAC(K_Exp_MAC, IV | S), CEK_MAC in B_n       |
   | 2. SExp = CTR-Encrypt(K_Exp_ENC, IV, S | CEK_MAC)          |
   | 3. return SExp                                             |
   +------------------------------------------------------------+

   where the OMAC function is defined in [MODES], and the
   CTR-Encrypt(K, IV, S) function denotes the encryption of message S
   on key K and nonce IV in the CTR mode with s = n (see [MODES]).

   The KImp15 key import algorithm is defined as follows.
   +-------------------------------------------------------------------+
   | KImp15(SExp, K_Exp_MAC, K_Exp_ENC, IV)                            |
   |-------------------------------------------------------------------|
   | Input:                                                            |
   | - export representation SExp in B*                                |
   | - key K_Exp_MAC in B_k,                                           |
   | - key K_Exp_ENC in B_k,                                           |
   | - IV in B_{n/2}                                                   |
   | Output:                                                           |
   | - secret S in B_{L(SExp)-n} or FAIL                               |
   |-------------------------------------------------------------------|
   | 1. S | CEK_MAC = CTR-Decrypt(K_Exp_ENC, IV, SExp), CEK_MAC in B_n |
   | 2. If CEK_MAC = OMAC(K_Exp_MAC, IV | S)                           |
   |    then return S; else return FAIL                                |
   +-------------------------------------------------------------------+

   where the OMAC function is defined in [MODES], and the
   CTR-Decrypt(K, IV, S) function denotes the decryption of message S
   on key K and nonce IV in the CTR mode (see [MODES]).

   The keys K_Exp_MAC and K_Exp_ENC MUST be independent.  For every pair
   of keys (K_Exp_ENC, K_Exp_MAC) the IV values MUST be unique.  For the
   import of a key with the KImp15 algorithm, the IV value may be sent
   with the export key representation.

8.2.2.  KExp28147 and KImp28147 Algorithms

   The KExp28147 key export algorithm is defined as follows.

   +----------------------------------------------------------------+
   | KExp28147(S, K, IV)                                            |
   |----------------------------------------------------------------|
   | Input:                                                         |
   | - secret S to be exported, S in B_32,                          |
   | - key K in B_32,                                               |
   | - IV in B_8.                                                   |
   | Output:                                                        |
   | - export representation SExp in B_44                           |
   |----------------------------------------------------------------|
   | 1. CEK_MAC = gost28147IMIT(IV, K, S), CEK_MAC in B_4           |
   | 2. CEK_ENC = ECB-Encrypt(K, S), CEK_ENC in B_32                |
   | 3. return SExp = IV | CEK_ENC | CEK_MAC                        |
   +----------------------------------------------------------------+

   where the gost28147IMIT function is defined in Section 8.4, and the
   ECB-Encrypt(K, S) function denotes the encryption of message S on
   key K with the block cipher GOST 28147-89 in the ECB mode (see
   [RFC5830]).

   The KImp28147 key import algorithm is defined as follows.

   +----------------------------------------------------------------+
   | KImp28147(SExp, K, IV)                                         |
   |----------------------------------------------------------------|
   | Input:                                                         |
   | - export representation SExp in B_44,                          |
   | - key K in B_32,                                               |
   | - IV in B_8.                                                   |
   | Output:                                                        |
   | - imported secret S in B_32 or FAIL                            |
   |----------------------------------------------------------------|
   | 1. extract from SExp                                           |
   |       IV' = SExp[1..8],                                        |
   |       CEK_ENC = SExp[9..40],                                   |
   |       CEK_MAC = SExp[41..44]                                   |
   | 2. if IV' != IV then return FAIL; else                         |
   | 3. S = ECB-Decrypt(K, CEK_ENC), S in B_32                      |
   | 4. If CEK_MAC = gost28147IMIT(IV, K, S)                        |
   |    then return S; else return FAIL                             |
   +----------------------------------------------------------------+

   where the gost28147IMIT function is defined in Section 8.4, and the
   ECB-Decrypt(K, CEK_ENC) function denotes the decryption of the
   ciphertext CEK_ENC on key K with the block cipher GOST 28147-89 in
   the ECB mode (see [RFC5830]).

8.3.  Key Exchange Generation Algorithms

8.3.1.  KEG Algorithm

   The KEG algorithm is defined as follows:

   +----------------------------------------------------------------+
   | KEG(d, Q, H)                                                   |
   |----------------------------------------------------------------|
   | Input:                                                         |
   | - private key d,                                               |
   | - public key Q,                                                |
   | - H in B_32.                                                   |
   | Output:                                                        |
   | - key material K in B_64.                                      |
   |----------------------------------------------------------------|
   | 1. If q * Q is not equal to zero point                         |
   |       return FAIL                                              |
   | 2. If 2^{254} < q < 2^{256}                                    |
   |       return KEG_256(d, Q, H)                                  |
   | 3. If 2^{508} < q < 2^{512}                                    |
   |       return KEG_512(d, Q, H)                                  |
   | 4. return FAIL                                                 |
   +----------------------------------------------------------------+

   where q is the order of the cyclic subgroup of the elliptic curve
   point group containing the point Q, and d in {1, ... , q - 1}.

   The KEG_256 algorithm is defined as follows:

   +----------------------------------------------------------------+
   | KEG_256(d, Q, H)                                               |
   |----------------------------------------------------------------|
   | Input:                                                         |
   | - private key d,                                               |
   | - public key Q,                                                |
   | - H in B_32.                                                   |
   | Output:                                                        |
   | - key material K in B_64.                                      |
   |----------------------------------------------------------------|
   | 1. r = INT(H[1..16])                                           |
   | 2. If r = 0                                                    |
   |       UKM = 1; else UKM = r                                    |
   | 3. K_EXP = VKO_256(d, Q, UKM)                                  |
   | 4. seed = H[17..24]                                            |
   | 5. return KDFTREE_256(K_EXP, "kdf tree", seed, 1)              |
   +----------------------------------------------------------------+

   where VKO_256 is the function VKO_GOSTR3410_2012_256 defined in
   [RFC7836] and KDFTREE_256 is the KDF_TREE_GOSTR3411_2012_256 function
   defined in [RFC7836] with the parameter L equal to 512.

   The KEG_512 algorithm is defined as follows:

   +----------------------------------------------------------------+
   | KEG_512(d, Q, H)                                               |
   |----------------------------------------------------------------|
   | Input:                                                         |
   | - private key d,                                               |
   | - public key Q,                                                |
   | - H in B_32.                                                   |
   | Output:                                                        |
   | - key material K in B_64.                                      |
   |----------------------------------------------------------------|
   | 1. r = INT(H[1..16])                                           |
   | 2. If r = 0                                                    |
   |       UKM = 1; else UKM = r                                    |
   | 3. return VKO_512(d, Q, UKM)                                   |
   +----------------------------------------------------------------+

   where VKO_512 is the VKO_GOSTR3410_2012_512 function defined in
   [RFC7836].

8.3.2.  KEG_28147 Algorithm

   The KEG_28147 algorithm is defined as follows:

   +----------------------------------------------------------------+
   | KEG_28147(d, Q, H)                                             |
   |----------------------------------------------------------------|
   | Input:                                                         |
   | - private key d,                                               |
   | - public key Q,                                                |
   | - H in B_32.                                                   |
   | Output:                                                        |
   | - key material K in B_32.                                      |
   |----------------------------------------------------------------|
   | 1. If q * Q is not equal to zero point                         |
   |       return FAIL                                              |
   | 2. UKM = H[1..8]                                               |
   | 3. R = VKO_256(d, Q, int(UKM))                                 |
   | 4. return K = CPDivers(UKM, R)                                 |
   +----------------------------------------------------------------+

   where the VKO_256 function is equal to the VKO_GOSTR3410_2012_256
   function defined in [RFC7836], and the CPDivers function corresponds
   to the CryptoPro KEK Diversification Algorithm defined in [RFC4357],
   which takes as input the UKM value and the key value.

8.4.  gost28147IMIT

   gost28147IMIT(IV, K, M) is a MAC algorithm with 4 bytes of output
   and is defined as follows:

   +----------------------------------------------------------------+
   | gost28147IMIT(IV, K, M)                                        |
   |----------------------------------------------------------------|
   | Input:                                                         |
   | - initial value IV in B_8,                                     |
   | - key K in B_32,                                               |
   | - message M in B*.                                             |
   | Output:                                                        |
   | - MAC value T in B_4.                                          |
   |----------------------------------------------------------------|
   | 1. M' = PAD(M)                                                 |
   | 2. M' = M'_0 | ... | M'_r, L(M'_i) = 8, i in {0, ... , r}      |
   | 3. M'' = (M'_0 XOR IV) | M'_1 | ... | M'_r                     |
   | 4. return T = MAC28147(K, M'')                                 |
   +----------------------------------------------------------------+

   where the PAD function is the padding function that adds m zero bytes
   to the end of the message, m being the smallest non-negative solution
   of the equation (L(M) + m) mod 8 = 0, and the MAC28147 function
   corresponds to the Message Authentication Code Generation Mode
   defined in [RFC5830] with 4-byte output.

9.  IANA Considerations

   IANA is asked to update the registry entries to reference this
   document when it is published as an RFC.

   IANA has added the numbers {0xC1, 0x00}, {0xC1, 0x01} and
   {0xC1, 0x02} with the names
   TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC,
   TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC and
   TLS_GOSTR341112_256_WITH_28147_CNT_IMIT to the "TLS Cipher Suite"
   registry with this document as reference, as shown below.

   +-------------+-----------------------------+---------+----------+
   | Value       | Description                 | DTLS-OK | Reference|
   +-------------+-----------------------------+---------+----------+
   | 0xC1, 0x00  | TLS_GOSTR341112_256_        | N       | this RFC |
   |             |  _WITH_KUZNYECHIK_CTR_OMAC  |         |          |
   +-------------+-----------------------------+---------+----------+
   | 0xC1, 0x01  | TLS_GOSTR341112_256_        | N       | this RFC |
   |             |  _WITH_MAGMA_CTR_OMAC       |         |          |
   +-------------+-----------------------------+---------+----------+
   | 0xC1, 0x02  | TLS_GOSTR341112_256_        | N       | this RFC |
   |             |  _WITH_28147_CNT_IMIT       |         |          |
   +-------------+-----------------------------+---------+----------+

                                 Table 4

   IANA has added the numbers 64 and 65 with the names
   gostr34102012_256 and gostr34102012_512 to the "TLS
   SignatureAlgorithm" registry, as shown below.
   +-----------+---------------------+---------+----------+
   | Value     | Description         | DTLS-OK | Reference|
   +-----------+---------------------+---------+----------+
   | 64        | gostr34102012_256   | Y       | this RFC |
   +-----------+---------------------+---------+----------+
   | 65        | gostr34102012_512   | Y       | this RFC |
   +-----------+---------------------+---------+----------+

                                 Table 5

   IANA is asked to reserve the numbers 0x0840 and 0x0841 for backward
   compatibility in the "TLS SignatureScheme" registry with this
   document as reference, as shown below.

   +--------+-------------------------------------+-----------+---------+
   | Value  | Description                         |Recommended|Reference|
   +--------+-------------------------------------+-----------+---------+
   | 0x0840 | Reserved for backward compatibility | N         |this RFC |
   +--------+-------------------------------------+-----------+---------+
   | 0x0841 | Reserved for backward compatibility | N         |this RFC |
   +--------+-------------------------------------+-----------+---------+

                                 Table 6

   IANA has added the numbers 34, 35, 36, 37, 38, 39 and 40 with the
   names GC256A, GC256B, GC256C, GC256D, GC512A, GC512B and GC512C to
   the "TLS Supported Groups" registry, as shown below.
   +-----------+----------------+---------+-------------+-----------+
   | Value     | Description    | DTLS-OK | Recommended | Reference |
   +-----------+----------------+---------+-------------+-----------+
   | 34        | GC256A         | Y       | N           | this RFC  |
   +-----------+----------------+---------+-------------+-----------+
   | 35        | GC256B         | Y       | N           | this RFC  |
   +-----------+----------------+---------+-------------+-----------+
   | 36        | GC256C         | Y       | N           | this RFC  |
   +-----------+----------------+---------+-------------+-----------+
   | 37        | GC256D         | Y       | N           | this RFC  |
   +-----------+----------------+---------+-------------+-----------+
   | 38        | GC512A         | Y       | N           | this RFC  |
   +-----------+----------------+---------+-------------+-----------+
   | 39        | GC512B         | Y       | N           | this RFC  |
   +-----------+----------------+---------+-------------+-----------+
   | 40        | GC512C         | Y       | N           | this RFC  |
   +-----------+----------------+---------+-------------+-----------+

                                 Table 7

   IANA has added the numbers 67 and 68 with the names gost_sign256 and
   gost_sign512 to the "ClientCertificateType Identifiers" registry, as
   shown below.

   +-----------+---------------------+---------+----------+
   | Value     | Description         | DTLS-OK | Reference|
   +-----------+---------------------+---------+----------+
   | 67        | gost_sign256        | Y       | this RFC |
   +-----------+---------------------+---------+----------+
   | 68        | gost_sign512        | Y       | this RFC |
   +-----------+---------------------+---------+----------+

                                 Table 8

10.  Historical Considerations

   Note that prior to the existence of this document, implementations
   could only use values from the Private Use space in order to use the
   GOST-based algorithms.
   So some old implementations may still use the old value {0xFF, 0x85}
   instead of the {0xC1, 0x02} value to indicate the
   TLS_GOSTR341112_256_WITH_28147_CNT_IMIT cipher suite; the one old
   value 0xEE instead of the values 64, 8 and 67 (to indicate the
   gostr34102012_256 signature algorithm, the Intrinsic hash algorithm
   and the gost_sign256 certificate type respectively); and the one old
   value 0xEF instead of the values 65, 8 and 68 (to indicate the
   gostr34102012_512 signature algorithm, the Intrinsic hash algorithm
   and the gost_sign512 certificate type respectively).

   For historical reasons, in addition to the curve identifier values
   listed in Table 2, there exist some extra identifier values that
   correspond to the curves GC256B, GC256C and GC256D, as follows (see
   [RFC4357] and [R-1323565.1.024-2019]).

   +-------------+-----------------------------------------+
   | Description | Curve Identifier Values                 |
   +-------------+-----------------------------------------+
   | GC256B      |id-GostR3410_2001-CryptoPro-XchA-ParamSet|
   |             |id-tc26-gost-3410-2012-256-paramSetB     |
   +-------------+-----------------------------------------+
   | GC256C      |id-tc26-gost-3410-2012-256-paramSetC     |
   +-------------+-----------------------------------------+
   | GC256D      |id-GostR3410-2001-CryptoPro-XchB-ParamSet|
   |             |id-tc26-gost-3410-2012-256-paramSetD     |
   +-------------+-----------------------------------------+

                                 Table 9

   A client should be prepared to handle any of them correctly if the
   corresponding group is included in the supported_groups extension
   (see [RFC8422] and [RFC7919]).

11.  Security Considerations

   The profile of TLS 1.2 with GOST algorithms does not provide Perfect
   Forward Secrecy.

   The authenticate-then-encrypt method is crucial for the CNT_IMIT
   cipher suite.  Encryption of the MAC value is conducted to reduce the
   possibility of forgery to guessing.
   Here the probability of a successful guess is approximately equal to
   2^{-32}, which is acceptable in some practical cases.

12.  References

12.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC4357]  Popov, V., Kurepkin, I., and S. Leontiev, "Additional
              Cryptographic Algorithms for Use with GOST 28147-89, GOST
              R 34.10-94, GOST R 34.10-2001, and GOST R 34.11-94
              Algorithms", RFC 4357, DOI 10.17487/RFC4357, January 2006.

   [RFC4490]  Leontiev, S., Ed. and G. Chudov, Ed., "Using the GOST
              28147-89, GOST R 34.11-94, GOST R 34.10-94, and GOST R
              34.10-2001 Algorithms with Cryptographic Message Syntax
              (CMS)", RFC 4490, DOI 10.17487/RFC4490, May 2006.

   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.2", RFC 5246,
              DOI 10.17487/RFC5246, August 2008.

   [RFC5746]  Rescorla, E., Ray, M., Dispensa, S., and N. Oskov,
              "Transport Layer Security (TLS) Renegotiation Indication
              Extension", RFC 5746, DOI 10.17487/RFC5746, February 2010.

   [RFC5830]  Dolmatov, V., Ed., "GOST 28147-89: Encryption, Decryption,
              and Message Authentication Code (MAC) Algorithms",
              RFC 5830, DOI 10.17487/RFC5830, March 2010.

   [RFC6986]  Dolmatov, V., Ed. and A. Degtyarev, "GOST R 34.11-2012:
              Hash Function", RFC 6986, DOI 10.17487/RFC6986, August
              2013.

   [RFC7091]  Dolmatov, V., Ed. and A. Degtyarev, "GOST R 34.10-2012:
              Digital Signature Algorithm", RFC 7091,
              DOI 10.17487/RFC7091, December 2013.

   [RFC7366]  Gutmann, P., "Encrypt-then-MAC for Transport Layer
              Security (TLS) and Datagram Transport Layer Security
              (DTLS)", RFC 7366, DOI 10.17487/RFC7366, September 2014.

   [RFC7627]  Bhargavan, K., Ed., Delignat-Lavaud, A., Pironti, A.,
              Langley, A., and M. Ray, "Transport Layer Security (TLS)
              Session Hash and Extended Master Secret Extension",
              RFC 7627, DOI 10.17487/RFC7627, September 2015.

   [RFC7801]  Dolmatov, V., Ed., "GOST R 34.12-2015: Block Cipher
              "Kuznyechik"", RFC 7801, DOI 10.17487/RFC7801, March 2016.

   [RFC7836]  Smyshlyaev, S., Ed., Alekseev, E., Oshkin, I., Popov, V.,
              Leontiev, S., Podobaev, V., and D. Belyavsky, "Guidelines
              on the Cryptographic Algorithms to Accompany the Usage of
              Standards GOST R 34.10-2012 and GOST R 34.11-2012",
              RFC 7836, DOI 10.17487/RFC7836, March 2016.

   [RFC7919]  Gillmor, D., "Negotiated Finite Field Diffie-Hellman
              Ephemeral Parameters for Transport Layer Security (TLS)",
              RFC 7919, DOI 10.17487/RFC7919, August 2016.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017.

   [RFC8422]  Nir, Y., Josefsson, S., and M. Pegourie-Gonnard, "Elliptic
              Curve Cryptography (ECC) Cipher Suites for Transport Layer
              Security (TLS) Versions 1.2 and Earlier", RFC 8422,
              DOI 10.17487/RFC8422, August 2018.

   [RFC8446]  Rescorla, E., "The Transport Layer Security (TLS) Protocol
              Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018.

   [RFC8645]  Smyshlyaev, S., Ed., "Re-keying Mechanisms for Symmetric
              Keys", RFC 8645, DOI 10.17487/RFC8645, August 2019.

   [RFC8891]  Dolmatov, V., Ed. and D. Baryshkov, "GOST R 34.12-2015:
              Block Cipher "Magma"", RFC 8891, DOI 10.17487/RFC8891,
              September 2020.

12.2.  Informative References

   [CMAC]     Dworkin, M., "Recommendation for Block Cipher Modes of
              Operation: the CMAC Mode for Authentication", NIST Special
              Publication 800-38B, 2005.

   [DraftGostTLS13]
              Smyshlyaev, S., Alekseev, E., Griboedova, E., and A.
              Babueva, "GOST Cipher Suites for Transport Layer Security
              (TLS) Protocol Version 1.3", 2021.

   [GOST3413-2015]
              Federal Agency on Technical Regulating and Metrology,
              "Information technology.  Cryptographic data security.
              Modes of operation for block ciphers", GOST R 34.13-2015,
              2015.

   [IK2003]   Iwata, T. and K. Kurosawa, "OMAC: One-Key CBC MAC",
              FSE 2003, Lecture Notes in Computer Science, vol. 2887,
              Springer, Berlin, Heidelberg, 2003.

   [MODES]    Dworkin, M., "Recommendation for Block Cipher Modes of
              Operation: Methods and Techniques", NIST Special
              Publication 800-38A, December 2001.

   [R-1323565.1.024-2019]
              Federal Agency on Technical Regulating and Metrology,
              "Information technology.  Cryptographic data security.
              Elliptic curve parameters for the cryptographic algorithms
              and protocols", R 1323565.1.024-2019, 2019.

Appendix A.  Test Examples

A.1.  Test Examples for CTR_OMAC cipher suites

A.1.1.  TLSTREE Examples

A.1.1.1.  TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC ciphersuite

   TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC
   ***********************************************
   Root Key K_root:
   00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A
   11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00

   seqnum = 0
   First level key from Divers_1:
   F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1
   39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42

   Second level key from Divers_2:
   51 37 D5 C4 A6 E6 BE 42 C4 40 D1 0A 95 EE A0 7F
   08 9E 74 0D 38 90 EB 52 65 2C 0C B9 3F 20 7B B4

   The resulting key from Divers_3:
   19 A7 6E D3 0F 4D 6D 1F 5B 72 63 EC 49 1A D8 38
   17 C0 B5 7D 8A 03 56 12 71 40 FB 4F 74 25 49 4D

   seqnum = 4095
   First level key from Divers_1:
   F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1
   39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42

   Second level key from Divers_2:
   51 37 D5 C4 A6 E6 BE 42 C4 40 D1 0A 95 EE A0 7F
   08 9E 74 0D 38 90 EB 52 65 2C 0C B9 3F 20 7B B4

   The resulting key from Divers_3:
   19 A7 6E D3 0F 4D 6D 1F 5B 72 63 EC 49 1A D8 38
   17 C0 B5 7D 8A 03 56 12 71 40 FB 4F 74 25 49 4D

   seqnum = 4096
   First level key from Divers_1:
   F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1
   39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42

   Second level key from Divers_2:
   51 37 D5 C4 A6 E6 BE 42 C4 40 D1 0A 95 EE A0 7F
   08 9E 74 0D 38 90 EB 52 65 2C 0C B9 3F 20 7B B4

   The resulting key from Divers_3:
   FB 30 EE 53 CF CF 89 D7 48 FC 0C 72 EF 16 0B 8B
   53 CB BB FD 03 12 82 B0 26 21 4A B2 E0 77 58 FF

   seqnum = 33554431
   First level key from Divers_1:
   F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1
   39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42

   Second level key from Divers_2:
   51 37 D5 C4 A6 E6 BE 42 C4 40 D1 0A 95 EE A0 7F
   08 9E 74 0D 38 90 EB 52 65 2C 0C B9 3F 20 7B B4

   The resulting key from Divers_3:
   B8 5B 36 DC 22 82 32 6B C0 35 C5 72 DC 93 F1 8D
   83 AA 01 74 F3 94 20 9A 51 3B B3 74 DC 09 35 AE

   seqnum = 33554432
   First level key from Divers_1:
   F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1
   39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42

   Second level key from Divers_2:
   3F EA 59 38 DA 2B F8 DD C4 7E C1 DC 55 61 89 66
   79 02 BE 42 0D F4 C3 7D AF 21 75 3B CB 1D C7 F3

   The resulting key from Divers_3:
   0F D7 C0 9E FD F8 E8 15 73 EE CC F8 6E 4B 95 E3
   AF 7F 34 DA B1 17 7C FD 7D B9 7B 6D A9 06 40 8A

   seqnum = 274877906943
   First level key from Divers_1:
   F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1
   39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42

   Second level key from Divers_2:
   AB F3 A5 37 98 3A 1B 98 40 06 6D E6 8A 49 BF 25
   97 7E E5 C3 F5 2D 33 3E 3C 22 0F 1D 15 C5 08 93

   The resulting key from Divers_3:
   48 0F 99 72 BA F2 5D 4C 36 9A 96 AF 91 BC A4 55
   3F 79 D8 F0 C5 61 8B 19 FD 44 CF DC 57 FA 37 33

   seqnum = 274877906944
   First level key from Divers_1:
   15 60 0D 9E 8F A6 85 54 CF 15 2D C7 4F BC 42 51
   17 B0 3E 09 76 BB 28 EA 98 24 C3 B7 0F 28 CB D8

   Second level key from Divers_2:
   6C C2 8E B0 93 24 72 12 5C 7A D3 F8 09 73 B3 C8
   C4 13 7D A5 73 BC 17 1A 24 ED D4 A3 71 F1 F8 73

   The resulting key from Divers_3:
   25 28 C1 C6 A8 F0 92 7B F2 BE 27 BB 78 D2 7F 21
   46 D6 55 93 B0 C7 17 3A 06 CB 9D 88 DF 92 32 65

A.1.1.2.  TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC ciphersuite

   TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC
   ***********************************************
   Root Key K_root:
   00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A
   11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00

   seqnum = 0
   First level key from Divers_1:
   F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1
   39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42

   Second level key from Divers_2:
   51 37 D5 C4 A6 E6 BE 42 C4 40 D1 0A 95 EE A0 7F
   08 9E 74 0D 38 90 EB 52 65 2C 0C B9 3F 20 7B B4

   The resulting key from Divers_3:
   19 A7 6E D3 0F 4D 6D 1F 5B 72 63 EC 49 1A D8 38
   17 C0 B5 7D 8A 03 56 12 71 40 FB 4F 74 25 49 4D

   seqnum = 63
   First level key from Divers_1:
   F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1
   39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42

   Second level key from Divers_2:
   51 37 D5 C4 A6 E6 BE 42 C4 40 D1 0A 95 EE A0 7F
   08 9E 74 0D 38 90 EB 52 65 2C 0C B9 3F 20 7B B4

   The resulting key from Divers_3:
   19 A7 6E D3 0F 4D 6D 1F 5B 72 63 EC 49 1A D8 38
   17 C0 B5 7D 8A 03 56 12 71 40 FB 4F 74 25 49 4D

   seqnum = 64
   First level key from Divers_1:
   F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1
   39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42

   Second level key from Divers_2:
   51 37 D5 C4 A6 E6 BE 42 C4 40 D1 0A 95 EE A0 7F
   08 9E 74 0D 38 90 EB 52 65 2C 0C B9 3F 20 7B B4

   The resulting key from Divers_3:
   AE BE 1E F4 18 71 3B F0 44 B9 FC D9 E5 72 D4 37
   FB 38 B5 D8 29 56 7A 6F 79 18 39 6D 9F 4E 09 6B

   seqnum = 524287
   First level key from Divers_1:
   F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1
   39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42

   Second level key from Divers_2:
   51 37 D5 C4 A6 E6 BE 42 C4 40 D1 0A 95 EE A0 7F
   08 9E 74 0D 38 90 EB 52 65 2C 0C B9 3F 20 7B B4

   The resulting key from Divers_3:
   6F 18 D4 00 3E A2 CB 30 F5 FE C1 93 A2 34 F0 7D
   7C 43 94 98 7F 50 75 8D E2 2B 22 0D 8A 10 51 06

   seqnum = 524288
   First level key from Divers_1:
   F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1
   39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42

   Second level key from Divers_2:
   F6 59 EB 85 EE BD 2A 8D CC 1B B3 F7 C6 00 57 FF
   6D 33 B6 0F 74 65 DD 42 B5 11 2C F3 A6 B1 AB 66

   The resulting key from Divers_3:
   E5 4B 16 41 5B 3B 66 3E 78 0B 06 2D 24 F7 36 C4
   49 54 63 C3 A8 91 E1 FA 46 F7 AE 99 FF F9 F3 78

   seqnum = 4294967295
   First level key from Divers_1:
   F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1
   39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42

   Second level key from Divers_2:
   F4 BC 10 1A BB 68 86 2A 8C E3 1E A0 0D DF A7 FE
   B8 29 10 F1 24 F4 B1 E2 9E A8 3B E0 06 C2 26 8D

   The resulting key from Divers_3:
   CF 60 09 04 C7 1E 7B 88 A4 9A C8 E2 45 77 4B 3D
   BE ED FB 81 DE 9A 0E 2F 4E 46 C3 56 07 BC 2F 04

   seqnum = 4294967296
   First level key from Divers_1:
   55 CC 95 E0 D1 FB 54 85 AF 8E F6 9A CD 72 B2 32
   79 7C D2 E8 5D 86 CD FD 1D E5 5B D1 FA 14 37 78

   Second level key from Divers_2:
   72 16 91 E1 01 C4 28 96 A6 40 AE 18 3F BB 44 5B
   76 37 9C 57 E1 FD 8A 7D 49 A6 23 E4 23 8C 0E 1D

   The resulting key from Divers_3:
   16 18 0B 24 64 54 00 B8 36 14 38 37 D8 6A AC 93
   95 2A E3 EB 82 44 D5 EC 2A B0 2C FF 30 78 11 38

A.1.2.  Record Examples

A.1.2.1.
TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC ciphersuite 1694 TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC 1695 ******************************************************** 1696 It is assumed that during Handshake following keys were established: 1698 - MAC key: 1699 00000: 00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 1700 00010: 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 1701 - Encryption key: 1702 00000: 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 1703 00010: 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22 1704 - IV: 1705 00000: 00 00 00 00 1706 --------------------------------------------------------- 1707 seqnum = 0 1709 Application data: 1710 00000: 00 00 00 00 00 00 00 1712 TLSPlaintext: 1713 00000: 17 03 03 00 07 00 00 00 00 00 00 00 1715 K_MAC_0: 1716 00000: 19 A7 6E D3 0F 4D 6D 1F 5B 72 63 EC 49 1A D8 38 1717 00010: 17 C0 B5 7D 8A 03 56 12 71 40 FB 4F 74 25 49 4D 1719 MAC value: 1720 00000: F3 3E B6 89 6F EC E2 86 1722 K_ENC_0: 1723 00000: 58 AF BE 9A 4C 31 98 AA AB AA 26 92 C4 19 F1 79 1724 00010: 7C 9B 92 DE B3 CC 74 46 B3 63 57 71 13 F0 FB 56 1726 IV_0: 1727 00000: 00 00 00 00 1729 TLSCiphertext: 1730 00000: 17 03 03 00 0F 9B 42 0D A8 6F AF 36 7F 05 14 43 1731 00010: CE 9C 10 72 1732 --------------------------------------------------------- 1733 seqnum = 4095 1735 Application data: 1736 00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1737 00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1738 00020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1739 . . . 1740 003D0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1741 003E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1742 003F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1744 TLSPlaintext: 1745 00000: 17 03 03 04 00 00 00 00 00 00 00 00 00 00 00 00 1746 00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1747 00020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1748 . . . 
1749 003D0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1750 003E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1751 003F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1752 00400: 00 00 00 00 00 1754 K_MAC_4095: 1755 00000: 19 A7 6E D3 0F 4D 6D 1F 5B 72 63 EC 49 1A D8 38 1756 00010: 17 C0 B5 7D 8A 03 56 12 71 40 FB 4F 74 25 49 4D 1758 MAC value: 1759 00000: 58 D3 BB 60 8F BC 98 B8 1761 K_ENC_4095: 1762 00000: 58 AF BE 9A 4C 31 98 AA AB AA 26 92 C4 19 F1 79 1763 00010: 7C 9B 92 DE B3 CC 74 46 B3 63 57 71 13 F0 FB 56 1765 IV_4095: 1766 00000: 00 00 0F FF 1768 TLSCiphertext: 1769 00000: 17 03 03 04 08 B7 11 43 8B 16 20 1F 3C 49 33 95 1770 00010: 21 C9 C8 CA 75 66 D4 C2 0F D3 3E 58 1F 80 07 DC 1771 00020: 76 04 3E 2B 35 C8 E8 4B B2 55 08 27 66 13 59 6F 1772 . . . 1773 003D0: E7 77 70 BF 45 17 E1 F8 DD 1B 2C 05 64 AD 68 FC 1774 003E0: 4A 88 9A 48 B8 B1 FF 0E A4 E1 BB 70 4D 56 A4 75 1775 003F0: 2F 51 A5 82 CC 54 1A 80 8F 8C 8B 62 97 68 88 C8 1776 00400: 10 59 DE 41 27 63 A3 E0 99 9A CD DA 77 1778 --------------------------------------------------------- 1779 seqnum = 4096 1781 Application data: 1782 00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1783 00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1784 00020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1785 . . . 1786 007D0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1787 007E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1788 007F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1790 TLSPlaintext: 1791 00000: 17 03 03 08 00 00 00 00 00 00 00 00 00 00 00 00 1792 00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1793 00020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1794 . . . 
1795 007D0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1796 007E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1797 007F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1798 00800: 00 00 00 00 00 1800 K_MAC_4096: 1801 00000: FB 30 EE 53 CF CF 89 D7 48 FC 0C 72 EF 16 0B 8B 1802 00010: 53 CB BB FD 03 12 82 B0 26 21 4A B2 E0 77 58 FF 1804 MAC value: 1805 00000: 50 55 A2 6A BE 19 63 81 1807 K_ENC_4096: 1808 00000: ED F2 FD 02 47 71 60 23 83 09 00 2D 1D 57 DF 9F 1809 00010: D2 ED 18 D6 45 66 C7 6F 4B F0 3D 3A BF 7B BB 1E 1811 IV_4096: 1812 00000: 00 00 10 00 1814 TLSCiphertext: 1815 00000: 17 03 03 08 08 99 95 26 07 03 47 1D ED A2 E6 55 1816 00010: B6 B3 93 83 5E 33 8B 1E D0 0E DD 22 47 A2 FB 88 1817 00020: FB B7 A8 94 80 62 08 8A F3 2C AE B6 AA 2C 4F 2A 1818 . . . 1819 007D0: 7F 0B 24 61 E7 5F E1 06 34 B8 4D C5 70 35 72 5A 1820 007E0: CA 4F 0C BC A9 B0 6C B9 F7 6F BD 2F 80 46 2B 8D 1821 007F0: 77 5E BD 41 6F 63 41 39 AC 89 C2 ED 3D F1 9F E2 1822 00800: 4E F8 C0 5A A8 90 93 1B 01 86 FD 7D DF 1824 A.1.2.2. 
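The record vectors fix several framing details that are easy to get wrong when an implementation is checked against this appendix: the TLSPlaintext header, the growth of the TLSCiphertext length by the OMAC tag (8 bytes for Magma, 16 for Kuznyechik), the per-record IV, and the sequence-number boundaries at which the TLSTREE record keys change. The Python below is an added example, not text or code from the draft; it encodes those rules and checks them against the Magma vectors above and the Kuznyechik vectors that follow. Two points are assumptions rather than statements of the draft: the level shifts (38/25/12 for Magma, 32/19/6 for Kuznyechik) are read off the seqnum boundaries in the A.1.1 key-tree vectors, and the IV rule is taken to be big-endian addition modulo 2^(8*len(IV)), which the all-zero IV used here cannot distinguish from XOR.

```python
"""Record-layer bookkeeping for the GOST TLS 1.2 suites, cross-checked
against the A.1.2 vectors.  Added example; not part of the draft."""
from typing import Tuple

# OMAC tag length appended to each record before encryption: Magma has a
# 64-bit block, Kuznyechik a 128-bit block (vectors: 7 -> 0x0F, 15 -> 0x1F).
MAC_LEN = {"magma": 8, "kuznyechik": 16}

# TLSTREE level shifts.  Assumption inferred from the key-tree vectors:
# Magma re-derives levels 1/2/3 every 2^38 / 2^25 / 2^12 records,
# Kuznyechik every 2^32 / 2^19 / 2^6 records.
TLSTREE_SHIFTS = {"magma": (38, 25, 12), "kuznyechik": (32, 19, 6)}

APPLICATION_DATA = 0x17
TLS12 = b"\x03\x03"


def tls_plaintext(app_data: bytes, content_type: int = APPLICATION_DATA) -> bytes:
    """TLSPlaintext record: type(1) | version(2) | length(2) | fragment."""
    if len(app_data) > 2 ** 14:
        raise ValueError("TLS 1.2 fragments are limited to 2^14 bytes")
    return bytes([content_type]) + TLS12 + len(app_data).to_bytes(2, "big") + app_data


def ciphertext_header(plaintext: bytes, suite: str) -> bytes:
    """Header of the TLSCiphertext protecting `plaintext`: same type and
    version, length grown by the MAC tag that is encrypted with the data."""
    frag_len = int.from_bytes(plaintext[3:5], "big")
    return plaintext[:3] + (frag_len + MAC_LEN[suite]).to_bytes(2, "big")


def ctr_iv(iv: bytes, seqnum: int) -> bytes:
    """IV_seqnum for CTR mode: handshake IV plus the record sequence number,
    modulo 2^(8*len(iv)) (assumption, see lead-in).  With the all-zero IV of
    the vectors this is just the big-endian seqnum (Magma 4 bytes, Kuznyechik 8)."""
    width = len(iv)
    value = (int.from_bytes(iv, "big") + seqnum) % (1 << (8 * width))
    return value.to_bytes(width, "big")


def tlstree_indices(seqnum: int, suite: str) -> Tuple[int, int, int]:
    """Index of each key-tree level for a record.  Two records use the same
    K_MAC/K_ENC exactly when all three indices agree."""
    if not 0 <= seqnum < 2 ** 64:
        raise ValueError("seqnum must fit the 64-bit TLS sequence number")
    s1, s2, s3 = TLSTREE_SHIFTS[suite]
    return (seqnum >> s1, seqnum >> s2, seqnum >> s3)


def same_record_keys(seq_a: int, seq_b: int, suite: str) -> bool:
    return tlstree_indices(seq_a, suite) == tlstree_indices(seq_b, suite)


# Values copied from the A.1.2 vectors (Magma seqnum 0, Kuznyechik seqnum 63).
MAGMA_SEQ0_PLAINTEXT = bytes.fromhex("170303000700000000000000")
MAGMA_SEQ0_CIPHERTEXT_HDR = bytes.fromhex("170303000F")
KUZ_SEQ63_IV = bytes.fromhex("000000000000003F")


def check_vectors() -> bool:
    """True when every helper reproduces the corresponding appendix value."""
    ok = tls_plaintext(bytes(7)) == MAGMA_SEQ0_PLAINTEXT
    ok &= ciphertext_header(MAGMA_SEQ0_PLAINTEXT, "magma") == MAGMA_SEQ0_CIPHERTEXT_HDR
    ok &= ctr_iv(bytes(4), 4095) == bytes.fromhex("00000FFF")
    ok &= ctr_iv(bytes(8), 63) == KUZ_SEQ63_IV
    # Magma keys are stable through seqnum 4095 and change at 4096;
    # Kuznyechik keys change at 64 (K_MAC_64 and K_ENC_64 differ from K_*_63).
    ok &= same_record_keys(0, 4095, "magma") and not same_record_keys(4095, 4096, "magma")
    ok &= same_record_keys(0, 63, "kuznyechik") and not same_record_keys(63, 64, "kuznyechik")
    return ok


if __name__ == "__main__":
    print("vectors consistent:", check_vectors())
```

The key-change check is the one worth automating: a peer that keeps using K_MAC_4095 for record 4096 produces a valid-looking record that the other side rejects, and the failure only shows up after thousands of records.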
A.1.2.2.  TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC ciphersuite

   TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC
   ***********************************************
   It is assumed that the following keys were established during the
   Handshake:

   - MAC key:
   00000: 00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A
   00010: 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00
   - Encryption key:
   00000: 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11
   00010: 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22
   - IV:
   00000: 00 00 00 00 00 00 00 00

   ---------------------------------------------------------
   seqnum = 0

   Application data:
   00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

   TLSPlaintext:
   00000: 17 03 03 00 0F 00 00 00 00 00 00 00 00 00 00 00
   00010: 00 00 00 00

   K_MAC_0:
   00000: 19 A7 6E D3 0F 4D 6D 1F 5B 72 63 EC 49 1A D8 38
   00010: 17 C0 B5 7D 8A 03 56 12 71 40 FB 4F 74 25 49 4D

   MAC value:
   00000: FD 17 19 DD 95 08 37 EB 7C 7B B8 F5 00 37 99 81

   K_ENC_0:
   00000: 58 AF BE 9A 4C 31 98 AA AB AA 26 92 C4 19 F1 79
   00010: 7C 9B 92 DE B3 CC 74 46 B3 63 57 71 13 F0 FB 56

   IV_0:
   00000: 00 00 00 00 00 00 00 00

   TLSCiphertext:
   00000: 17 03 03 00 1F 4D 1A 30 52 36 57 3B FF C1 4E 46
   00010: DC BE 74 6D B6 C9 9A 17 5A 81 C4 71 1E 2F 84 C3
   00020: 92 C5 40 7C

   ---------------------------------------------------------
   seqnum = 63

   Application data:
   00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   . . .
   00FD0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00FE0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00FF0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

   TLSPlaintext:
   00000: 17 03 03 10 00 00 00 00 00 00 00 00 00 00 00 00
   00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   . . .
   00FD0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00FE0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00FF0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   01000: 00 00 00 00 00

   K_MAC_63:
   00000: 19 A7 6E D3 0F 4D 6D 1F 5B 72 63 EC 49 1A D8 38
   00010: 17 C0 B5 7D 8A 03 56 12 71 40 FB 4F 74 25 49 4D

   MAC value:
   00000: 98 46 27 61 D0 26 24 4A 2C 0B 7D 1B CC CB E7 B0

   K_ENC_63:
   00000: 58 AF BE 9A 4C 31 98 AA AB AA 26 92 C4 19 F1 79
   00010: 7C 9B 92 DE B3 CC 74 46 B3 63 57 71 13 F0 FB 56

   IV_63:
   00000: 00 00 00 00 00 00 00 3F

   TLSCiphertext:
   00000: 17 03 03 10 10 12 93 51 D2 6E 14 07 13 A2 1B 37
   00010: 68 24 A2 23 17 CD C0 D8 8E 01 CF A3 FE 21 41 5F
   00020: 5C 5E 05 86 9C CF 38 A5 1B C2 E0 ED 68 94 46 A8
   . . .
   00FE0: 19 AD 99 8C 06 25 21 E6 7B 63 59 A4 F5 C8 16 F9
   00FF0: 47 6B A7 13 26 82 BB A8 CE 0B ED AD 65 E4 20 A2
   01000: 97 B6 E2 C6 1F A4 06 D9 B8 CA 36 FD 9F CD 3A EE
   01010: 24 78 F4 D1 96

   ---------------------------------------------------------
   seqnum = 64

   Application data:
   00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   . . .
   01FD0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   01FE0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   01FF0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

   TLSPlaintext:
   00000: 17 03 03 20 00 00 00 00 00 00 00 00 00 00 00 00
   00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   . . .
   01FD0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   01FE0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   01FF0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   02000: 00 00 00 00 00

   K_MAC_64:
   00000: AE BE 1E F4 18 71 3B F0 44 B9 FC D9 E5 72 D4 37
   00010: FB 38 B5 D8 29 56 7A 6F 79 18 39 6D 9F 4E 09 6B

   MAC value:
   00000: EA C3 97 87 84 2B 1D BD 60 80 CC 3F BF AE 5C 2F

   K_ENC_64:
   00000: 64 F5 5A FC 37 A1 74 D9 53 3E 70 8B CD 14 FA 4A
   00010: EE C3 7B C0 E3 2B A4 99 01 B4 66 9E 96 A6 3D 96

   IV_64:
   00000: 00 00 00 00 00 00 00 40

   TLSCiphertext:
   00000: 17 03 03 20 10 E6 66 BB 98 AC 5B 0F 39 31 D8 55
   00010: 1B 93 36 85 96 EE F0 EB A8 26 9C B8 BD AA E7 EB
   00020: 80 C8 30 D7 5A B7 D4 6C 25 06 DC 8B 83 E1 F2 D3
   . . .
   01FE0: B3 02 67 2C CB 02 86 CD 40 48 FB D5 38 1A 65 55
   01FF0: 26 11 25 51 01 4F A8 ED F5 C2 1B 7D 1D B3 9D 6B
   02000: AD EC 0D 7C 07 05 34 8B 5C 55 6C 4D 50 81 69 1A
   02010: A9 EC 36 F8 B5

A.1.3.  Handshake Examples

   The ClientHello.extensions and the ServerHello.extensions fields
   contain the extended_master_secret extension (see [RFC7627]) and the
   renegotiation_info extension (see [RFC5746]) in the following
   examples.

A.1.3.1.  TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC ciphersuite

   Server certificate curve OID:
   id-GostR3410-2001-CryptoPro-A-ParamSet, "1.2.643.2.2.35.1"

   Server public key Q_s:
   x = 0x6531D4A72E655BFC9DFB94293B260702
         82FABF10D5C49B7366148C60E0BF8167

   y = 0x37F8CC71DC5D917FC4A66F7826E72750
         8270B4FFC266C26CD4363E77B553A5B8

   Server private key d_s:
   0x5F308355DFD6A8ACAEE0837B100A3B1F
     6D63FB29B78EF27D3967757F0527144C

   ---------------------------Client---------------------------

   ClientHello message:
     msg_type: 01
     length: 000040
     body:
       client_version:
         major: 03
         minor: 03
       random: 933EA21EC3802A561550EC78D6ED51AC
               2439D7E749C31BC3A3456165889684CA
       session_id:
         length: 00
         vector: --
       cipher_suites:
         length: 0004
         vector:
           CipherSuite: C100
           CipherSuite: C101
       compression_methods:
         length: 01
         vector:
           CompressionMethod: 00
       extensions:
         length: 0013
         vector:
           Extension: /* signature_algorithms */
             extension_type: 000D
             extension_data:
               length: 0006
               vector:
                 supported_signature_algorithms:
                   length: 0004
                   vector:
                     /* 1st pair of algorithms */
                     hash: 08
                     signature: 40
                     /* 2nd pair of algorithms */
                     hash: 08
                     signature: 41
           Extension: /* renegotiation_info */
             extension_type: FF01
             extension_data:
               length: 0001
               vector:
                 renegotiated_connection:
                   length: 00
                   vector: --
           Extension: /* extended_master_secret */
             extension_type: 0017
             extension_data:
               length: 0000
               vector: --

   00000: 01 00 00 40 03 03 93 3E A2 1E C3 80 2A 56 15 50
   00010: EC 78 D6 ED 51 AC 24 39 D7 E7 49 C3 1B C3 A3 45
   00020: 61 65 88 96 84 CA 00 00 04 C1 00 C1 01 01 00 00
   00030: 13 00 0D 00 06 00 04 08 40 08 41 FF 01 00 01 00
   00040: 00 17 00 00

   Record layer message:
     type: 16
     version:
       major: 03
       minor: 03
     length: 0044
     fragment: 010000400303933EA21EC3802A561550
               EC78D6ED51AC2439D7E749C31BC3A345
               6165889684CA000004C100C101010000
               13000D0006000408400841FF01000100
               00170000

   00000: 16 03 03 00 44 01 00 00 40 03 03 93 3E A2 1E C3
   00010: 80 2A 56 15 50 EC 78 D6 ED 51 AC 24 39 D7 E7 49
   00020: C3 1B C3 A3 45 61 65 88 96 84 CA 00 00 04 C1 00
   00030: C1 01 01 00 00 13 00 0D 00 06 00 04 08 40 08 41
   00040: FF 01 00 01 00 00 17 00 00

   ---------------------------Server---------------------------

   ServerHello message:
     msg_type: 02
     length: 000041
     body:
       server_version:
         major: 03
         minor: 03
       random: 933EA21E49C31BC3A3456165889684CA
               A5576CE7924A24F58113808DBD9EF856
       session_id:
         length: 10
         vector: C3802A561550EC78D6ED51AC2439D7E7
       cipher_suite:
         CipherSuite: C101
       compression_method:
         CompressionMethod: 00
       extensions:
         length: 0009
         vector:
           Extension: /* renegotiation_info */
             extension_type: FF01
             extension_data:
               length: 0001
               vector:
                 renegotiated_connection:
                   length: 00
                   vector: --
           Extension: /* extended_master_secret */
             extension_type: 0017
             extension_data:
               length: 0000
               vector: --

   00000: 02 00 00 41 03 03 93 3E A2 1E 49 C3 1B C3 A3 45
   00010: 61 65 88 96 84 CA A5 57 6C E7 92 4A 24 F5 81 13
   00020: 80 8D BD 9E F8 56 10 C3 80 2A 56 15 50 EC 78 D6
   00030: ED 51 AC 24 39 D7 E7 C1 01 00 00 09 FF 01 00 01
   00040: 00 00 17 00 00

   Record layer message:
     type: 16
     version:
       major: 03
       minor: 03
     length: 0045
     fragment: 020000410303933EA21E49C31BC3A345
               6165889684CAA5576CE7924A24F58113
               808DBD9EF85610C3802A561550EC78D6
               ED51AC2439D7E7C101000009FF010001
               0000170000

   00000: 16 03 03 00 45 02 00 00 41 03 03 93 3E A2 1E 49
   00010: C3 1B C3 A3 45 61 65 88 96 84 CA A5 57 6C E7 92
   00020: 4A 24 F5 81 13 80 8D BD 9E F8 56 10 C3 80 2A 56
   00030: 15 50 EC 78 D6 ED 51 AC 24 39 D7 E7 C1 01 00 00
   00040: 09 FF 01 00 01 00 00 17 00 00

   ---------------------------Server---------------------------

   Certificate message:
     msg_type: 0B
     length: 0001DB
     body:
       certificate_list:
         length: 0001D8
         vector:
           ASN.1Cert:
             length: 0001D5
             vector: 308201D13082017EA003020102020833
                     FBB2C0E9575A46300A06082A85030701
                     010302301F311D301B06035504030C14
                     . . .
                     797990E4B5452CF82FE1F19EE237B754
                     CBCD5078D752A28013DFFC8224AD114B
                     BD7C1BB71E480AD6EEF9857A8C99C595
                     9053EEDFE9

   00000: 0B 00 01 DB 00 01 D8 00 01 D5 30 82 01 D1 30 82
   00010: 01 7E A0 03 02 01 02 02 08 33 FB B2 C0 E9 57 5A
   00020: 46 30 0A 06 08 2A 85 03 07 01 01 03 02 30 1F 31
   00030: 1D 30 1B 06 03 55 04 03 0C 14 74 65 73 74 5F 73
   00040: 65 6C 66 73 69 67 6E 65 64 5F 63 65 72 74 30 1E
   00050: 17 0D 31 39 30 36 32 37 31 35 32 34 30 38 5A 17
   00060: 0D 32 30 31 32 31 38 31 35 33 34 30 38 5A 30 1F
   00070: 31 1D 30 1B 06 03 55 04 03 0C 14 74 65 73 74 5F
   00080: 73 65 6C 66 73 69 67 6E 65 64 5F 63 65 72 74 30
   00090: 66 30 1F 06 08 2A 85 03 07 01 01 01 01 30 13 06
   000A0: 07 2A 85 03 02 02 23 01 06 08 2A 85 03 07 01 01
   000B0: 02 02 03 43 00 04 40 67 81 BF E0 60 8C 14 66 73
   000C0: 9B C4 D5 10 BF FA 82 02 07 26 3B 29 94 FB 9D FC
   000D0: 5B 65 2E A7 D4 31 65 B8 A5 53 B5 77 3E 36 D4 6C
   000E0: C2 66 C2 FF B4 70 82 50 27 E7 26 78 6F A6 C4 7F
   000F0: 91 5D DC 71 CC F8 37 A3 81 96 30 81 93 30 1D 06
   00100: 03 55 1D 0E 04 16 04 14 E7 D0 0B B8 4D 8D 24 18
   00110: 29 3E 05 C1 7C E7 77 98 D4 8D 30 16 30 0E 06 03
   00120: 55 1D 0F 01 01 FF 04 04 03 02 01 C6 30 12 06 03
   00130: 55 1D 13 01 01 FF 04 08 30 06 01 01 FF 02 01 01
   00140: 30 4E 06 03 55 1D 23 04 47 30 45 80 14 E7 D0 0B
   00150: B8 4D 8D 24 18 29 3E 05 C1 7C E7 77 98 D4 8D 30
   00160: 16 A1 23 A4 21 30 1F 31 1D 30 1B 06 03 55 04 03
   00170: 0C 14 74 65 73 74 5F 73 65 6C 66 73 69 67 6E 65
   00180: 64 5F 63 65 72 74 82 08 33 FB B2 C0 E9 57 5A 46
   00190: 30 0A 06 08 2A 85 03 07 01 01 03 02 03 41 00 E2
   001A0: 88 44 F9 F1 C8 55 E2 DB 5B 19 79 79 90 E4 B5 45
   001B0: 2C F8 2F E1 F1 9E E2 37 B7 54 CB CD 50 78 D7 52
   001C0: A2 80 13 DF FC 82 24 AD 11 4B BD 7C 1B B7 1E 48
   001D0: 0A D6 EE F9 85 7A 8C 99 C5 95 90 53 EE DF E9

   Record layer message:
     type: 16
     version:
       major: 03
       minor: 03
     length: 01DF
     fragment: 0B0001DB0001D80001D5308201D13082
               017EA003020102020833FBB2C0E9575A
               46300A06082A85030701010302301F31
               . . .
               8844F9F1C855E2DB5B19797990E4B545
               2CF82FE1F19EE237B754CBCD5078D752
               A28013DFFC8224AD114BBD7C1BB71E48
               0AD6EEF9857A8C99C5959053EEDFE9

   00000: 16 03 03 01 DF 0B 00 01 DB 00 01 D8 00 01 D5 30
   00010: 82 01 D1 30 82 01 7E A0 03 02 01 02 02 08 33 FB
   00020: B2 C0 E9 57 5A 46 30 0A 06 08 2A 85 03 07 01 01
   00030: 03 02 30 1F 31 1D 30 1B 06 03 55 04 03 0C 14 74
   00040: 65 73 74 5F 73 65 6C 66 73 69 67 6E 65 64 5F 63
   00050: 65 72 74 30 1E 17 0D 31 39 30 36 32 37 31 35 32
   00060: 34 30 38 5A 17 0D 32 30 31 32 31 38 31 35 33 34
   00070: 30 38 5A 30 1F 31 1D 30 1B 06 03 55 04 03 0C 14
   00080: 74 65 73 74 5F 73 65 6C 66 73 69 67 6E 65 64 5F
   00090: 63 65 72 74 30 66 30 1F 06 08 2A 85 03 07 01 01
   000A0: 01 01 30 13 06 07 2A 85 03 02 02 23 01 06 08 2A
   000B0: 85 03 07 01 01 02 02 03 43 00 04 40 67 81 BF E0
   000C0: 60 8C 14 66 73 9B C4 D5 10 BF FA 82 02 07 26 3B
   000D0: 29 94 FB 9D FC 5B 65 2E A7 D4 31 65 B8 A5 53 B5
   000E0: 77 3E 36 D4 6C C2 66 C2 FF B4 70 82 50 27 E7 26
   000F0: 78 6F A6 C4 7F 91 5D DC 71 CC F8 37 A3 81 96 30
   00100: 81 93 30 1D 06 03 55 1D 0E 04 16 04 14 E7 D0 0B
   00110: B8 4D 8D 24 18 29 3E 05 C1 7C E7 77 98 D4 8D 30
   00120: 16 30 0E 06 03 55 1D 0F 01 01 FF 04 04 03 02 01
   00130: C6 30 12 06 03 55 1D 13 01 01 FF 04 08 30 06 01
   00140: 01 FF 02 01 01 30 4E 06 03 55 1D 23 04 47 30 45
   00150: 80 14 E7 D0 0B B8 4D 8D 24 18 29 3E 05 C1 7C E7
   00160: 77 98 D4 8D 30 16 A1 23 A4 21 30 1F 31 1D 30 1B
   00170: 06 03 55 04 03 0C 14 74 65 73 74 5F 73 65 6C 66
   00180: 73 69 67 6E 65 64 5F 63 65 72 74 82 08 33 FB B2
   00190: C0 E9 57 5A 46 30 0A 06 08 2A 85 03 07 01 01 03
   001A0: 02 03 41 00 E2 88 44 F9 F1 C8 55 E2 DB 5B 19 79
   001B0: 79 90 E4 B5 45 2C F8 2F E1 F1 9E E2 37 B7 54 CB
   001C0: CD 50 78 D7 52 A2 80 13 DF FC 82 24 AD 11 4B BD
   001D0: 7C 1B B7 1E 48 0A D6 EE F9 85 7A 8C 99 C5 95 90
   001E0: 53 EE DF E9

   ---------------------------Server---------------------------

   ServerHelloDone message:
     msg_type: 0E
     length: 000000
     body: --

   00000: 0E 00 00 00

   Record layer message:
     type: 16
     version:
       major: 03
       minor: 03
     length: 0004
     fragment: 0E000000

   00000: 16 03 03 00 04 0E 00 00 00

   ---------------------------Client---------------------------

   PMS:
   00000: A5 57 6C E7 92 4A 24 F5 81 13 80 8D BD 9E F8 56
   00010: F5 BD C3 B1 83 CE 5D AD CA 36 A5 3A A0 77 65 1D

   Random d_eph value:
   0xA5C77C7482373DE16CE4A6F73CCE7F78
     471493FF2C0709B8B706C9E8A25E6C1E

   Q_eph ephemeral key:
   x = 0xA8F36D63D262A203978F1B3B6795CDBB
         F1AE7FB8EF7F47F1F18871C198E00793

   y = 0x34CA5D6B4485640EA195435993BEB1F8
         B016ED610496B5CC175AC2EA1F14F887

   HASH(r_c | r_s):
   00000: C3 EF 04 28 D4 B7 A1 F4 C5 02 5F 2E 65 DD 2B 2E
   00010: A5 83 AE EF DB 67 C7 F4 21 4A 6A 29 8E 99 E3 25

   Export key generation.  r value:
   0xC3EF0428D4B7A1F4C5025F2E65DD2B2E

   Export key generation.  UKM value:
   0xC3EF0428D4B7A1F4C5025F2E65DD2B2E

   seed:
   00000: A5 83 AE EF DB 67 C7 F4

   K_EXP:
   00000: 1E 58 54 90 E8 65 FF D1 8F 18 D7 C0 A0 4D 0E E8
   00010: 4F 1A 5D 79 7C EF AD A0 1B 1E 3B 7F DB 90 E0 29

   Export keys K_Exp_MAC | K_Exp_ENC used in KExp15 algorithm:
   00000: 2D 8B A8 C8 4C B2 32 FF 41 F1 0C 3A D9 24 13 42
   00010: 23 25 4F 71 E5 69 6D 3D 29 C3 E4 C9 DA A6 B2 93
   00020: 84 9E B6 34 0B FF AE 69 28 A3 C3 E4 FF 92 EC CB
   00030: 1E 8F 0C F7 A1 88 36 8E 6B 74 8E 52 EA 37 8B 0C

   IV:
   00000: 21 4A 6A 29

   PMSEXP:
   00000: D7 F0 F0 42 23 67 86 7B 25 FA 42 33 A9 54 F5 8B
   00010: DE 92 E9 C9 BB FB 88 16 C9 9F 15 E6 39 87 22 A0
   00020: B2 B7 BF E8 49 3E 9A 5C

   ---------------------------Client---------------------------

   ClientKeyExchange message:
     msg_type: 10
     length: 000095
     body:
       exchange_keys: 3081920428D7F0F0422367867B25FA42
                      33A954F58BDE92E9C9BBFB8816C99F15
                      E6398722A0B2B7BFE8493E9A5C306630
                      . . .
                      EFB87FAEF1BBCD95673B1B8F9703A262
                      D2636DF3A887F8141FEAC25A17CCB596
                      0461ED16B0F8B1BE93594395A10E6485
                      446B5DCA34

   00000: 10 00 00 95 30 81 92 04 28 D7 F0 F0 42 23 67 86
   00010: 7B 25 FA 42 33 A9 54 F5 8B DE 92 E9 C9 BB FB 88
   00020: 16 C9 9F 15 E6 39 87 22 A0 B2 B7 BF E8 49 3E 9A
   00030: 5C 30 66 30 1F 06 08 2A 85 03 07 01 01 01 01 30
   00040: 13 06 07 2A 85 03 02 02 23 01 06 08 2A 85 03 07
   00050: 01 01 02 02 03 43 00 04 40 93 07 E0 98 C1 71 88
   00060: F1 F1 47 7F EF B8 7F AE F1 BB CD 95 67 3B 1B 8F
   00070: 97 03 A2 62 D2 63 6D F3 A8 87 F8 14 1F EA C2 5A
   00080: 17 CC B5 96 04 61 ED 16 B0 F8 B1 BE 93 59 43 95
   00090: A1 0E 64 85 44 6B 5D CA 34

   Record layer message:
     type: 16
     version:
       major: 03
       minor: 03
     length: 0099
     fragment: 100000953081920428D7F0F042236786
               7B25FA4233A954F58BDE92E9C9BBFB88
               16C99F15E6398722A0B2B7BFE8493E9A
               . . .
               F1F1477FEFB87FAEF1BBCD95673B1B8F
               9703A262D2636DF3A887F8141FEAC25A
               17CCB5960461ED16B0F8B1BE93594395
               A10E6485446B5DCA34

   00000: 16 03 03 00 99 10 00 00 95 30 81 92 04 28 D7 F0
   00010: F0 42 23 67 86 7B 25 FA 42 33 A9 54 F5 8B DE 92
   00020: E9 C9 BB FB 88 16 C9 9F 15 E6 39 87 22 A0 B2 B7
   00030: BF E8 49 3E 9A 5C 30 66 30 1F 06 08 2A 85 03 07
   00040: 01 01 01 01 30 13 06 07 2A 85 03 02 02 23 01 06
   00050: 08 2A 85 03 07 01 01 02 02 03 43 00 04 40 93 07
   00060: E0 98 C1 71 88 F1 F1 47 7F EF B8 7F AE F1 BB CD
   00070: 95 67 3B 1B 8F 97 03 A2 62 D2 63 6D F3 A8 87 F8
   00080: 14 1F EA C2 5A 17 CC B5 96 04 61 ED 16 B0 F8 B1
   00090: BE 93 59 43 95 A1 0E 64 85 44 6B 5D CA 34

   ---------------------------Server---------------------------

   PMSEXP extracted:
   00000: D7 F0 F0 42 23 67 86 7B 25 FA 42 33 A9 54 F5 8B
   00010: DE 92 E9 C9 BB FB 88 16 C9 9F 15 E6 39 87 22 A0
   00020: B2 B7 BF E8 49 3E 9A 5C

   HASH(r_c | r_s):
   00000: C3 EF 04 28 D4 B7 A1 F4 C5 02 5F 2E 65 DD 2B 2E
   00010: A5 83 AE EF DB 67 C7 F4 21 4A 6A 29 8E 99 E3 25

   Export key generation.  r value:
   0xC3EF0428D4B7A1F4C5025F2E65DD2B2E

   Export key generation.  UKM value:
   0xC3EF0428D4B7A1F4C5025F2E65DD2B2E

   seed:
   00000: A5 83 AE EF DB 67 C7 F4

   K_EXP:
   00000: 1E 58 54 90 E8 65 FF D1 8F 18 D7 C0 A0 4D 0E E8
   00010: 4F 1A 5D 79 7C EF AD A0 1B 1E 3B 7F DB 90 E0 29

   Import keys K_Imp_MAC | K_Imp_ENC used in KImp15 algorithm:
   00000: 2D 8B A8 C8 4C B2 32 FF 41 F1 0C 3A D9 24 13 42
   00010: 23 25 4F 71 E5 69 6D 3D 29 C3 E4 C9 DA A6 B2 93
   00020: 84 9E B6 34 0B FF AE 69 28 A3 C3 E4 FF 92 EC CB
   00030: 1E 8F 0C F7 A1 88 36 8E 6B 74 8E 52 EA 37 8B 0C

   IV:
   00000: 21 4A 6A 29

   PMS:
   00000: A5 57 6C E7 92 4A 24 F5 81 13 80 8D BD 9E F8 56
   00010: F5 BD C3 B1 83 CE 5D AD CA 36 A5 3A A0 77 65 1D

   ---------------------------Client---------------------------

   HASH(HM):
   00000: 7E 1F 59 D3 64 9D B6 09 00 EA 4F 8A 58 5A 65 7A
   00010: 92 77 B3 04 50 58 4C F5 43 51 19 8C DE A3 0C 49

   MS:
   00000: FD D2 7C B4 04 AD 4E 44 49 68 4F 7C 55 90 E9 E7
   00010: 02 EF 41 01 93 3B 52 77 A4 A9 6D F5 00 B0 7C C3
   00020: 32 4F D8 A6 D9 07 CB B0 3D F3 FB 33 1F 1C 4D 0C

   Client connection key material
   K_write_MAC|K_read_MAC|K_write_ENC|K_read_ENC|IV_write|IV_read:
   00000: DD 4E 10 17 E3 09 1F FD 86 75 65 8A 78 00 90 09
   00010: 3B BE 69 EC A6 93 31 5C A8 5B E0 A6 14 3D C9 F8
   00020: 1D 64 D0 23 46 5F 8B EA 17 F8 12 F8 C2 D8 BF C0
   00030: D9 BB AB A7 B4 DF D3 A1 7C E0 E1 3B 2D 63 65 F3
   00040: FC 8B 34 59 CF 54 FE 44 9A 04 07 64 53 73 08 00
   00050: 75 10 32 55 9D 07 B6 C4 EA C6 75 48 71 BC 97 8A
   00060: B9 0E 2A EE 98 77 14 BB D8 F7 57 AE F7 84 FF 24
   00070: 47 B3 94 2E B4 3E 26 35 73 1C 4C 28 22 D0 2D 79
   00080: 2B 6A 81 3F 93 ED A6 FA

   ---------------------------Server---------------------------

   HASH(HM):
   00000: 7E 1F 59 D3 64 9D B6 09 00 EA 4F 8A 58 5A 65 7A
   00010: 92 77 B3 04 50 58 4C F5 43 51 19 8C DE A3 0C 49

   MS:
   00000: FD D2 7C B4 04 AD 4E 44 49 68 4F 7C 55 90 E9 E7
   00010: 02 EF 41 01 93 3B 52 77 A4 A9 6D F5 00 B0 7C C3
   00020: 32 4F D8 A6 D9 07 CB B0 3D F3 FB 33 1F 1C 4D 0C

   Server connection key material
   K_read_MAC|K_write_MAC|K_read_ENC|K_write_ENC|IV_read|IV_write:
   00000: DD 4E 10 17 E3 09 1F FD 86 75 65 8A 78 00 90 09
   00010: 3B BE 69 EC A6 93 31 5C A8 5B E0 A6 14 3D C9 F8
   00020: 1D 64 D0 23 46 5F 8B EA 17 F8 12 F8 C2 D8 BF C0
   00030: D9 BB AB A7 B4 DF D3 A1 7C E0 E1 3B 2D 63 65 F3
   00040: FC 8B 34 59 CF 54 FE 44 9A 04 07 64 53 73 08 00
   00050: 75 10 32 55 9D 07 B6 C4 EA C6 75 48 71 BC 97 8A
   00060: B9 0E 2A EE 98 77 14 BB D8 F7 57 AE F7 84 FF 24
   00070: 47 B3 94 2E B4 3E 26 35 73 1C 4C 28 22 D0 2D 79
   00080: 2B 6A 81 3F 93 ED A6 FA

   ---------------------------Client---------------------------

   ChangeCipherSpec message:
     type: 01

   00000: 01

   Record layer message:
     type: 14
     version:
       major: 03
       minor: 03
     length: 0001
     fragment: 01

   00000: 14 03 03 00 01 01

   ---------------------------Client---------------------------

   HASH(HM):
   00000: 7E 1F 59 D3 64 9D B6 09 00 EA 4F 8A 58 5A 65 7A
   00010: 92 77 B3 04 50 58 4C F5 43 51 19 8C DE A3 0C 49

   client_verify_data:
   00000: B4 61 C5 AD 25 EA 1E 62 B3 70 BD 1F 1B CB 16 91
   00010: FC CC BA 37 8B BC 13 43 BE 54 B3 8D F5 53 B7 A5

   ---------------------------Client---------------------------

   Finished message:
     msg_type: 14
     length: 000020
     body:
       verify_data: B461C5AD25EA1E62B370BD1F1BCB1691
                    FCCCBA378BBC1343BE54B38DF553B7A5

   00000: 14 00 00 20 B4 61 C5 AD 25 EA 1E 62 B3 70 BD 1F
   00010: 1B CB 16 91 FC CC BA 37 8B BC 13 43 BE 54 B3 8D
   00020: F5 53 B7 A5

   Record layer message:
     type: 16
     version:
       major: 03
       minor: 03
     length: 002C
     fragment: 0C630271D4DA39DD8D6BD040302D9B8F
               33D5F7B967EED155F7D65592892C03C7
               885C249B1225B184AB4D5DBF

   00000: 16 03 03 00 2C 0C 63 02 71 D4 DA 39 DD 8D 6B D0
   00010: 40 30 2D 9B 8F 33 D5 F7 B9 67 EE D1 55 F7 D6 55
   00020: 92 89 2C 03 C7 88 5C 24 9B 12 25 B1 84 AB 4D 5D
   00030: BF

   ---------------------------Server---------------------------

   ChangeCipherSpec message:
     type: 01

   00000: 01

   Record layer message:
     type: 14
     version:
       major: 03
       minor: 03
     length: 0001
     fragment: 01

   00000: 14 03 03 00 01 01

   ---------------------------Server---------------------------

   HASH(HM):
   00000: DB D7 D8 93 82 4A ED FD D5 FB 7B 75 4B 47 E1 E6
   00010: AF E0 77 DA E6 D1 13 63 42 07 C7 EE 0F C6 F3 B1

   server_verify_data:
   00000: 45 39 EC 8D 0A F7 B1 A6 20 41 AB 43 4A 43 77 71
   00010: D3 4C 47 19 D8 6E BB FD 0F 28 C3 E9 53 55 0C D0

   ---------------------------Server---------------------------

   Finished message:
     msg_type: 14
     length: 000020
     body:
       verify_data: 4539EC8D0AF7B1A62041AB434A437771
                    D34C4719D86EBBFD0F28C3E953550CD0

   00000: 14 00 00 20 45 39 EC 8D 0A F7 B1 A6 20 41 AB 43
   00010: 4A 43 77 71 D3 4C 47 19 D8 6E BB FD 0F 28 C3 E9
   00020: 53 55 0C D0

   Record layer message:
     type: 16
     version:
       major: 03
       minor: 03
     length: 002C
     fragment: E6A94A4BF70886566A2316811E57B483
               BB1E47950A1FF820A80DCA77A4DF9954
               2DAB6953F3ED03D95CCA4748

   00000: 16 03 03 00 2C E6 A9 4A 4B F7 08 86 56 6A 23 16
   00010: 81 1E 57 B4 83 BB 1E 47 95 0A 1F F8 20 A8 0D CA
   00020: 77 A4 DF 99 54 2D AB 69 53 F3 ED 03 D9 5C CA 47
   00030: 48

   ---------------------------Client---------------------------

   Application data:
   00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

   Record layer message:
     type: 17
     version:
       major: 03
       minor: 03
     length: 0028
     fragment: 38807B6E5E0C3F4F7E0DBF7758031BF0
               7F100C4B63ADBC75F49BCBF428572D37
               7CAED097336DB203

   00000: 17 03 03 00 28 38 80 7B 6E 5E 0C 3F 4F 7E 0D BF
   00010: 77 58 03 1B F0 7F 10 0C 4B 63 AD BC 75 F4 9B CB
   00020: F4 28 57 2D 37 7C AE D0 97 33 6D B2 03

   ---------------------------Server---------------------------

   Application data:
   00000: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
   00010: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF

   Record layer message:
     type: 17
     version:
       major: 03
       minor: 03
     length: 0028
     fragment: 05B869E5C979C3B9D4837B8E39D9BBEE
               1BBD0052D3D48340D0CDE082B33BC07F
               4E742D1113249AD8

   00000: 17 03 03 00 28 05 B8 69 E5 C9 79 C3 B9 D4 83 7B
   00010: 8E 39 D9 BB EE 1B BD 00 52 D3 D4 83 40 D0 CD E0
   00020: 82 B3 3B C0 7F 4E 74 2D 11 13 24 9A D8

   ---------------------------Client---------------------------

   close_notify alert:
     Alert:
       level: 01
       description: 00

   00000: 01 00

   Record layer message:
     type: 15
     version:
       major: 03
       minor: 03
     length: 000A
     fragment: 4F2A0807A0374E28C632

   00000: 15 03 03 00 0A 4F 2A 08 07 A0 37 4E 28 C6 32

   ---------------------------Server---------------------------

   close_notify alert:
     Alert:
       level: 01
       description: 00

   00000: 01 00

   Record layer message:
     type: 15
     version:
       major: 03
       minor: 03
     length: 000A
     fragment: 999468B49AC5B0DE512C

   00000: 15 03 03 00 0A 99 94 68 B4 9A C5 B0 DE 51 2C
TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC ciphersuite 2610 Server certificate curve OID: 2611 id-tc26-gost-3410-2012-512-paramSetC, "1.2.643.7.1.2.1.2.3" 2613 Server public key Q_s: 2614 x = 0xF14589DA479AD972C66563669B3FF580 2615 92E6A30A288BF447CD9FF6C3133E9724 2616 7A9706B267703C9B4E239F0D7C7E3310 2617 C22D2752B35BD2E4FD39B8F11DEB833A 2619 y = 0xF305E95B36502D4E60A1059FB20AB30B 2620 FC7C95727F3A2C04B1DFDDB53B0413F2 2621 99F2DFE66A5E1CCB4101A7A01D612BE6 2622 BD78E1E3B3D567EBB16ABE587A11F4EA 2624 Server private key d_s: 2625 0x12FD7A70067479A0F66C59F9A25534AD 2626 FBC7ABFD3CC72D79806F8B402601644B 2627 3005ED365A2D8989A8CCAE640D5FC08D 2628 D27DFBBFE137CF528E1AC6D445192E01 2630 Client certificate curve OID: 2631 id-tc26-gost-3410-2012-256-paramSetA, "1.2.643.7.1.2.1.1.1" 2633 Client public key Q_c: 2634 x = 0x0F5DB18A9E15F324B778676025BFD7B5 2635 DF066566EABAA1C51CD879F87B0B4975 2637 y = 0x9EE5BBF18361F842D3F087DEC2943939 2638 E0FA2BFB4EDEC25A8D10ABB22C48F386 2640 Client private key d_c: 2641 0x0918AD3F7D209ABF89F1E8505DA894CE 2642 E10DA09D32E72E815D9C0ADA30B5A103 2644 ---------------------------Client--------------------------- 2646 ClientHello message: 2647 msg_type: 01 2648 length: 000040 2649 body: 2650 client_version: 2651 major: 03 2652 minor: 03 2653 random: 933EA21EC3802A561550EC78D6ED51AC 2654 2439D7E749C31BC3A3456165889684CA 2655 session_id: 2656 length: 00 2657 vector: -- 2658 cipher_suites: 2659 length: 0004 2660 vector: 2661 CipherSuite: C100 2662 CipherSuite: C101 2663 compression_methods: 2664 length: 01 2665 vector: 2666 CompressionMethod: 00 2667 extensions: 2668 length: 0013 2669 vector: 2670 Extension: /* signature_algorithms */ 2671 extension_type: 000D 2672 extension_data: 2673 length: 0006 2674 vector: 2675 supported_signature_algorithms: 2676 length: 0004 2677 vector: 2678 /* 1 pair of algorithms */ 2679 hash: 08 2680 signature: 2681 40 2682 /* 2 pair of algorithms */ 2683 hash: 08 2684 signature: 2685 41 2686 Extension: /* 
renegotiation_info */ 2687 extension_type: FF01 2688 extension_data: 2689 length: 0001 2690 vector: 2691 renegotiated_connection: 2692 length: 00 2693 vector: -- 2694 Extension: /* extended_master_secret */ 2695 extension_type: 0017 2696 extension_data: 2697 length: 0000 2698 vector: -- 2700 00000: 01 00 00 40 03 03 93 3E A2 1E C3 80 2A 56 15 50 2701 00010: EC 78 D6 ED 51 AC 24 39 D7 E7 49 C3 1B C3 A3 45 2702 00020: 61 65 88 96 84 CA 00 00 04 C1 00 C1 01 01 00 00 2703 00030: 13 00 0D 00 06 00 04 08 40 08 41 FF 01 00 01 00 2704 00040: 00 17 00 00 2705 Record layer message: 2706 type: 16 2707 version: 2708 major: 03 2709 minor: 03 2710 length: 0044 2711 fragment: 010000400303933EA21EC3802A561550 2712 EC78D6ED51AC2439D7E749C31BC3A345 2713 6165889684CA000004C100C101010000 2714 13000D0006000408400841FF01000100 2715 00170000 2717 00000: 16 03 03 00 44 01 00 00 40 03 03 93 3E A2 1E C3 2718 00010: 80 2A 56 15 50 EC 78 D6 ED 51 AC 24 39 D7 E7 49 2719 00020: C3 1B C3 A3 45 61 65 88 96 84 CA 00 00 04 C1 00 2720 00030: C1 01 01 00 00 13 00 0D 00 06 00 04 08 40 08 41 2721 00040: FF 01 00 01 00 00 17 00 00 2723 ---------------------------Server--------------------------- 2725 ServerHello message: 2726 msg_type: 02 2727 length: 000041 2728 body: 2729 server_version: 2730 major: 03 2731 minor: 03 2732 random: 933EA21E49C31BC3A3456165889684CA 2733 A5576CE7924A24F58113808DBD9EF856 2734 session_id: 2735 length: 10 2736 vector: C3802A561550EC78D6ED51AC2439D7E7 2737 cipher_suite: 2738 CipherSuite: C100 2739 compression_method: 2740 CompressionMethod: 00 2741 extensions: 2742 length: 0009 2743 vector: 2744 Extension: /* renegotiation_info */ 2745 extension_type: FF01 2746 extension_data: 2747 length: 0001 2748 vector: 2749 renegotiated_connection: 2750 length: 00 2751 vector: -- 2753 Extension: /* extended_master_secret */ 2754 extension_type: 0017 2755 extension_data: 2756 length: 0000 2757 vector: -- 2759 00000: 02 00 00 41 03 03 93 3E A2 1E 49 C3 1B C3 A3 45 2760 00010: 61 65 88 96 
84 CA A5 57 6C E7 92 4A 24 F5 81 13 2761 00020: 80 8D BD 9E F8 56 10 C3 80 2A 56 15 50 EC 78 D6 2762 00030: ED 51 AC 24 39 D7 E7 C1 00 00 00 09 FF 01 00 01 2763 00040: 00 00 17 00 00 2765 Record layer message: 2766 type: 16 2767 version: 2768 major: 03 2769 minor: 03 2770 length: 0045 2771 fragment: 020000410303933EA21E49C31BC3A345 2772 6165889684CAA5576CE7924A24F58113 2773 808DBD9EF85610C3802A561550EC78D6 2774 ED51AC2439D7E7C100000009FF010001 2775 0000170000 2777 00000: 16 03 03 00 45 02 00 00 41 03 03 93 3E A2 1E 49 2778 00010: C3 1B C3 A3 45 61 65 88 96 84 CA A5 57 6C E7 92 2779 00020: 4A 24 F5 81 13 80 8D BD 9E F8 56 10 C3 80 2A 56 2780 00030: 15 50 EC 78 D6 ED 51 AC 24 39 D7 E7 C1 00 00 00 2781 00040: 09 FF 01 00 01 00 00 17 00 00 2783 ---------------------------Server--------------------------- 2785 Certificate message: 2786 msg_type: 0B 2787 length: 00024C 2788 body: 2789 certificate_list: 2790 length: 000249 2791 vector: 2792 ASN.1Cert: 2793 length: 000246 2794 vector: 30820242308201AEA003020102020101 2795 300A06082A850307010103033042312C 2796 302A06092A864886F70D010901161D74 2797 . . . 
                          371AF83C5BC58B366DFEFA7345D50317
                          867C177AC84AC07EE8612164629AB7BD
                          C48AA0F64A741FE7298E82C5BFCE8672
                          029F875391F7

   00000: 0B 00 02 4C 00 02 49 00 02 46 30 82 02 42 30 82
   00010: 01 AE A0 03 02 01 02 02 01 01 30 0A 06 08 2A 85
   00020: 03 07 01 01 03 03 30 42 31 2C 30 2A 06 09 2A 86
   00030: 48 86 F7 0D 01 09 01 16 1D 74 6C 73 31 32 5F 73
   00040: 65 72 76 65 72 35 31 32 43 40 63 72 79 70 74 6F
   00050: 70 72 6F 2E 72 75 31 12 30 10 06 03 55 04 03 13
   00060: 09 53 65 72 76 65 72 35 31 32 30 1E 17 0D 31 37
   00070: 30 35 32 35 30 39 32 35 31 38 5A 17 0D 33 30 30
   00080: 35 30 31 30 39 32 35 31 38 5A 30 42 31 2C 30 2A
   00090: 06 09 2A 86 48 86 F7 0D 01 09 01 16 1D 74 6C 73
   000A0: 31 32 5F 73 65 72 76 65 72 35 31 32 43 40 63 72
   000B0: 79 70 74 6F 70 72 6F 2E 72 75 31 12 30 10 06 03
   000C0: 55 04 03 13 09 53 65 72 76 65 72 35 31 32 30 81
   000D0: AA 30 21 06 08 2A 85 03 07 01 01 01 02 30 15 06
   000E0: 09 2A 85 03 07 01 02 01 02 03 06 08 2A 85 03 07
   000F0: 01 01 02 03 03 81 84 00 04 81 80 3A 83 EB 1D F1
   00100: B8 39 FD E4 D2 5B B3 52 27 2D C2 10 33 7E 7C 0D
   00110: 9F 23 4E 9B 3C 70 67 B2 06 97 7A 24 97 3E 13 C3
   00120: F6 9F CD 47 F4 8B 28 0A A3 E6 92 80 F5 3F 9B 66
   00130: 63 65 C6 72 D9 9A 47 DA 89 45 F1 EA F4 11 7A 58
   00140: BE 6A B1 EB 67 D5 B3 E3 E1 78 BD E6 2B 61 1D A0
   00150: A7 01 41 CB 1C 5E 6A E6 DF F2 99 F2 13 04 3B B5
   00160: DD DF B1 04 2C 3A 7F 72 95 7C FC 0B B3 0A B2 9F
   00170: 05 A1 60 4E 2D 50 36 5B E9 05 F3 A3 43 30 41 30
   00180: 1D 06 03 55 1D 0E 04 16 04 14 87 9C C6 5A 0F 4A
   00190: 89 CB 4A 58 49 DF 05 61 56 9B AA DC 11 69 30 0B
   001A0: 06 03 55 1D 0F 04 04 03 02 03 28 30 13 06 03 55
   001B0: 1D 25 04 0C 30 0A 06 08 2B 06 01 05 05 07 03 01
   001C0: 30 0A 06 08 2A 85 03 07 01 01 03 03 03 81 81 00
   001D0: 35 BE 38 51 EC B6 E9 2D 32 40 01 81 0F 8C 89 03
   001E0: 52 42 F4 05 46 9F 4C 4E CB 05 02 7C 57 E2 71 52
   001F0: 12 AF D7 CD BB 0C ED 7A 8B 4D 33 42 CC 50 1A BD
   00200: 99 99 75 A5 8A DE 0E 58 4F CA 35 F5 2E 45 58 B7
   00210: 31 1D 49 D0 A0 51 32 79 F7 39 37 1A F8 3C 5B C5
   00220: 8B 36 6D FE FA 73 45 D5 03 17 86 7C 17 7A C8 4A
   00230: C0 7E E8 61 21 64 62 9A B7 BD C4 8A A0 F6 4A 74
   00240: 1F E7 29 8E 82 C5 BF CE 86 72 02 9F 87 53 91 F7

   Record layer message:
      type: 16
      version:
         major: 03
         minor: 03
      length: 0250
      fragment: 0B00024C000249000246308202423082
                01AEA003020102020101300A06082A85
                0307010103033042312C302A06092A86
                . . .
                8B366DFEFA7345D50317867C177AC84A
                C07EE8612164629AB7BDC48AA0F64A74
                1FE7298E82C5BFCE8672029F875391F7

   00000: 16 03 03 02 50 0B 00 02 4C 00 02 49 00 02 46 30
   00010: 82 02 42 30 82 01 AE A0 03 02 01 02 02 01 01 30
   00020: 0A 06 08 2A 85 03 07 01 01 03 03 30 42 31 2C 30
   00030: 2A 06 09 2A 86 48 86 F7 0D 01 09 01 16 1D 74 6C
   00040: 73 31 32 5F 73 65 72 76 65 72 35 31 32 43 40 63
   00050: 72 79 70 74 6F 70 72 6F 2E 72 75 31 12 30 10 06
   00060: 03 55 04 03 13 09 53 65 72 76 65 72 35 31 32 30
   00070: 1E 17 0D 31 37 30 35 32 35 30 39 32 35 31 38 5A
   00080: 17 0D 33 30 30 35 30 31 30 39 32 35 31 38 5A 30
   00090: 42 31 2C 30 2A 06 09 2A 86 48 86 F7 0D 01 09 01
   000A0: 16 1D 74 6C 73 31 32 5F 73 65 72 76 65 72 35 31
   000B0: 32 43 40 63 72 79 70 74 6F 70 72 6F 2E 72 75 31
   000C0: 12 30 10 06 03 55 04 03 13 09 53 65 72 76 65 72
   000D0: 35 31 32 30 81 AA 30 21 06 08 2A 85 03 07 01 01
   000E0: 01 02 30 15 06 09 2A 85 03 07 01 02 01 02 03 06
   000F0: 08 2A 85 03 07 01 01 02 03 03 81 84 00 04 81 80
   00100: 3A 83 EB 1D F1 B8 39 FD E4 D2 5B B3 52 27 2D C2
   00110: 10 33 7E 7C 0D 9F 23 4E 9B 3C 70 67 B2 06 97 7A
   00120: 24 97 3E 13 C3 F6 9F CD 47 F4 8B 28 0A A3 E6 92
   00130: 80 F5 3F 9B 66 63 65 C6 72 D9 9A 47 DA 89 45 F1
   00140: EA F4 11 7A 58 BE 6A B1 EB 67 D5 B3 E3 E1 78 BD
   00150: E6 2B 61 1D A0 A7 01 41 CB 1C 5E 6A E6 DF F2 99
   00160: F2 13 04 3B B5 DD DF B1 04 2C 3A 7F 72 95 7C FC
   00170: 0B B3 0A B2 9F 05 A1 60 4E 2D 50 36 5B E9 05 F3
   00180: A3 43 30 41 30 1D 06 03 55 1D 0E 04 16 04 14 87
   00190: 9C C6 5A 0F 4A 89 CB 4A 58 49 DF 05 61 56 9B AA
   001A0: DC 11 69 30 0B 06 03 55 1D 0F 04 04 03 02 03 28
   001B0: 30 13 06 03 55 1D 25 04 0C 30 0A 06 08 2B 06 01
   001C0: 05 05 07 03 01 30 0A 06 08 2A 85 03 07 01 01 03
   001D0: 03 03 81 81 00 35 BE 38 51 EC B6 E9 2D 32 40 01
   001E0: 81 0F 8C 89 03 52 42 F4 05 46 9F 4C 4E CB 05 02
   001F0: 7C 57 E2 71 52 12 AF D7 CD BB 0C ED 7A 8B 4D 33
   00200: 42 CC 50 1A BD 99 99 75 A5 8A DE 0E 58 4F CA 35
   00210: F5 2E 45 58 B7 31 1D 49 D0 A0 51 32 79 F7 39 37
   00220: 1A F8 3C 5B C5 8B 36 6D FE FA 73 45 D5 03 17 86
   00230: 7C 17 7A C8 4A C0 7E E8 61 21 64 62 9A B7 BD C4
   00240: 8A A0 F6 4A 74 1F E7 29 8E 82 C5 BF CE 86 72 02
   00250: 9F 87 53 91 F7

   ---------------------------Server---------------------------

   CertificateRequest message:
      msg_type: 0D
      length: 00000B
      body:
         certificate_types:
            length: 02
            vector:
               /* gost_sign256 */
               43
               /* gost_sign512 */
               44
         supported_signature_algorithms:
            length: 0004
            vector:
               /* 1 pair of algorithms */
               hash: 08
               signature: 40
               /* 2 pair of algorithms */
               hash: 08
               signature: 41
         certificate_authorities:
            length: 0000
            vector: --

   00000: 0D 00 00 0B 02 43 44 00 04 08 40 08 41 00 00

   Record layer message:
      type: 16
      version:
         major: 03
         minor: 03
      length: 000F
      fragment: 0D00000B0243440004084008410000

   00000: 16 03 03 00 0F 0D 00 00 0B 02 43 44 00 04 08 40
   00010: 08 41 00 00

   ---------------------------Server---------------------------

   ServerHelloDone message:
      msg_type: 0E
      length: 000000
      body: --

   00000: 0E 00 00 00

   Record layer message:
      type: 16
      version:
         major: 03
         minor: 03
      length: 0004
      fragment: 0E000000

   00000: 16 03 03 00 04 0E 00 00 00

   ---------------------------Client---------------------------

   Certificate message:
      msg_type: 0B
      length: 0001EA
      body:
         certificate_list:
            length: 0001E7
            vector:
               ASN.1Cert:
                  length: 0001E4
                  vector: 308201E03082018DA003020102020101
                          300A06082A850307010103023053312E
                          302C06092A864886F70D010901161F74
                          . . .
                          C1CAB43AC01AFB0F3451BDC2DB188BBC
                          B77884251CDF6037BA830F4B31D5E96F
                          DC9BC1C95ABE658266C48402E070DE1F
                          292724E8

   00000: 0B 00 01 EA 00 01 E7 00 01 E4 30 82 01 E0 30 82
   00010: 01 8D A0 03 02 01 02 02 01 01 30 0A 06 08 2A 85
   00020: 03 07 01 01 03 02 30 53 31 2E 30 2C 06 09 2A 86
   00030: 48 86 F7 0D 01 09 01 16 1F 74 6C 73 31 32 5F 63
   00040: 6C 69 65 6E 74 32 35 36 41 5F 45 40 63 72 79 70
   00050: 74 6F 70 72 6F 2E 72 75 31 21 30 1F 06 03 55 04
   00060: 03 1E 18 00 43 00 6C 00 69 00 65 00 6E 00 74 00
   00070: 32 00 35 00 36 00 41 00 5F 00 45 30 1E 17 0D 31
   00080: 37 30 35 32 35 30 39 33 31 31 38 5A 17 0D 33 30
   00090: 30 35 30 31 30 39 33 31 31 38 5A 30 53 31 2E 30
   000A0: 2C 06 09 2A 86 48 86 F7 0D 01 09 01 16 1F 74 6C
   000B0: 73 31 32 5F 63 6C 69 65 6E 74 32 35 36 41 5F 45
   000C0: 40 63 72 79 70 74 6F 70 72 6F 2E 72 75 31 21 30
   000D0: 1F 06 03 55 04 03 1E 18 00 43 00 6C 00 69 00 65
   000E0: 00 6E 00 74 00 32 00 35 00 36 00 41 00 5F 00 45
   000F0: 30 68 30 21 06 08 2A 85 03 07 01 01 01 01 30 15
   00100: 06 09 2A 85 03 07 01 02 01 01 01 06 08 2A 85 03
   00110: 07 01 01 02 02 03 43 00 04 40 75 49 0B 7B F8 79
   00120: D8 1C C5 A1 BA EA 66 65 06 DF B5 D7 BF 25 60 67
   00130: 78 B7 24 F3 15 9E 8A B1 5D 0F 86 F3 48 2C B2 AB
   00140: 10 8D 5A C2 DE 4E FB 2B FA E0 39 39 94 C2 DE 87
   00150: F0 D3 42 F8 61 83 F1 BB E5 9E A3 43 30 41 30 1D
   00160: 06 03 55 1D 0E 04 16 04 14 74 49 1E 77 30 D3 42
   00170: A6 28 0E 72 A1 13 9D D9 90 8B FA F1 03 30 0B 06
   00180: 03 55 1D 0F 04 04 03 02 07 80 30 13 06 03 55 1D
   00190: 25 04 0C 30 0A 06 08 2B 06 01 05 05 07 03 02 30
   001A0: 0A 06 08 2A 85 03 07 01 01 03 02 03 41 00 1C 2D
   001B0: 35 22 B4 11 02 D6 20 1F 23 50 C1 CA B4 3A C0 1A
   001C0: FB 0F 34 51 BD C2 DB 18 8B BC B7 78 84 25 1C DF
   001D0: 60 37 BA 83 0F 4B 31 D5 E9 6F DC 9B C1 C9 5A BE
   001E0: 65 82 66 C4 84 02 E0 70 DE 1F 29 27 24 E8

   Record layer message:
      type: 16
      version:
         major: 03
         minor: 03
      length: 01EE
      fragment: 0B0001EA0001E70001E4308201E03082
                018DA003020102020101300A06082A85
                0307010103023053312E302C06092A86
                . . .
                3522B41102D6201F2350C1CAB43AC01A
                FB0F3451BDC2DB188BBCB77884251CDF
                6037BA830F4B31D5E96FDC9BC1C95ABE
                658266C48402E070DE1F292724E8

   00000: 16 03 03 01 EE 0B 00 01 EA 00 01 E7 00 01 E4 30
   00010: 82 01 E0 30 82 01 8D A0 03 02 01 02 02 01 01 30
   00020: 0A 06 08 2A 85 03 07 01 01 03 02 30 53 31 2E 30
   00030: 2C 06 09 2A 86 48 86 F7 0D 01 09 01 16 1F 74 6C
   00040: 73 31 32 5F 63 6C 69 65 6E 74 32 35 36 41 5F 45
   00050: 40 63 72 79 70 74 6F 70 72 6F 2E 72 75 31 21 30
   00060: 1F 06 03 55 04 03 1E 18 00 43 00 6C 00 69 00 65
   00070: 00 6E 00 74 00 32 00 35 00 36 00 41 00 5F 00 45
   00080: 30 1E 17 0D 31 37 30 35 32 35 30 39 33 31 31 38
   00090: 5A 17 0D 33 30 30 35 30 31 30 39 33 31 31 38 5A
   000A0: 30 53 31 2E 30 2C 06 09 2A 86 48 86 F7 0D 01 09
   000B0: 01 16 1F 74 6C 73 31 32 5F 63 6C 69 65 6E 74 32
   000C0: 35 36 41 5F 45 40 63 72 79 70 74 6F 70 72 6F 2E
   000D0: 72 75 31 21 30 1F 06 03 55 04 03 1E 18 00 43 00
   000E0: 6C 00 69 00 65 00 6E 00 74 00 32 00 35 00 36 00
   000F0: 41 00 5F 00 45 30 68 30 21 06 08 2A 85 03 07 01
   00100: 01 01 01 30 15 06 09 2A 85 03 07 01 02 01 01 01
   00110: 06 08 2A 85 03 07 01 01 02 02 03 43 00 04 40 75
   00120: 49 0B 7B F8 79 D8 1C C5 A1 BA EA 66 65 06 DF B5
   00130: D7 BF 25 60 67 78 B7 24 F3 15 9E 8A B1 5D 0F 86
   00140: F3 48 2C B2 AB 10 8D 5A C2 DE 4E FB 2B FA E0 39
   00150: 39 94 C2 DE 87 F0 D3 42 F8 61 83 F1 BB E5 9E A3
   00160: 43 30 41 30 1D 06 03 55 1D 0E 04 16 04 14 74 49
   00170: 1E 77 30 D3 42 A6 28 0E 72 A1 13 9D D9 90 8B FA
   00180: F1 03 30 0B 06 03 55 1D 0F 04 04 03 02 07 80 30
   00190: 13 06 03 55 1D 25 04 0C 30 0A 06 08 2B 06 01 05
   001A0: 05 07 03 02 30 0A 06 08 2A 85 03 07 01 01 03 02
   001B0: 03 41 00 1C 2D 35 22 B4 11 02 D6 20 1F 23 50 C1
   001C0: CA B4 3A C0 1A FB 0F 34 51 BD C2 DB 18 8B BC B7
   001D0: 78 84 25 1C DF 60 37 BA 83 0F 4B 31 D5 E9 6F DC
   001E0: 9B C1 C9 5A BE 65 82 66 C4 84 02 E0 70 DE 1F 29
   001F0: 27 24 E8

   ---------------------------Client---------------------------

   PMS value:
   00000: A5 57 6C E7 92 4A 24 F5 81 13 80 8D BD 9E F8 56
   00010: F5 BD C3 B1 83 CE 5D AD CA 36 A5 3A A0 77 65 1D

   Random d_eph value:
      0x150ACD11B66DD695AD18418FA7A2DC63
        6B7E29DCA24536AABC826EE3175BB1FA
        DC3AA0D01D3092E120B0FCF7EB872F4B
        7E26EA17849D689222A48CF95A6E4831

   Q_eph ephemeral key:
      x = 0xC941BE5193189B476D5A0334114A3E04
            BBE5B37C738AE40F150B334135288664
            FEBFC5622818894A07B1F7AD60E28480
            B4B637B90EA7D4BA980186B605D75BC6

      y = 0xA154F7B93E8148652011F4FD52C9A06A
            6471ADB28D0A949AE26BC786DE874153
            ABC00B35164F3214A8A83C00ECE27831
            B093528456234EFE766224FC2A7E9ABE

   HASH (r_c | r_s):
   00000: C3 EF 04 28 D4 B7 A1 F4 C5 02 5F 2E 65 DD 2B 2E
   00010: A5 83 AE EF DB 67 C7 F4 21 4A 6A 29 8E 99 E3 25

   Export key generation. r value:
      0xC3EF0428D4B7A1F4C5025F2E65DD2B2E

   Export key generation. UKM value:
      0xC3EF0428D4B7A1F4C5025F2E65DD2B2E

   Export keys K_Exp_MAC | K_Exp_ENC used in KExp15 algorithm:
   00000: 7D AC 56 E4 8A 4D C1 70 FA A8 FC BA E2 0D B8 45
   00010: 45 0C CC C4 C6 32 8B DC 8D 01 15 7C EF A2 A5 F1
   00020: 1F 1C BA D8 86 61 66 F0 1F FA AB 01 52 E2 4B F4
   00030: 60 9D 5F 46 A5 C8 99 C7 87 90 0D 08 B9 FC AD 24

   IV:
   00000: 21 4A 6A 29 8E 99 E3 25

   PMSEXP:
   00000: 25 0D 1B 67 A2 70 AB 04 D3 F6 54 18 E1 D3 80 B4
   00010: CB 94 5F 0A 3D CA 51 50 0C F3 A1 BE F3 7F 76 C0
   00020: 73 41 A9 83 9C CF 6C BA 71 89 DA 61 EB 67 17 6C

   ---------------------------Client---------------------------

   ClientKeyExchange message:
      msg_type: 10
      length: 0000E2
      body:
         exchange_keys: 3081DF0430250D1B67A270AB04D3F654
                        18E1D380B4CB945F0A3DCA51500CF3A1
                        BEF37F76C07341A9839CCF6CBA7189DA
                        . . .
                        93B03178E2EC003CA8A814324F16350B
                        C0AB534187DE86C76BE29A940A8DB2AD
                        71646AA0C952FDF411206548813EB9F7
                        54A1

   00000: 10 00 00 E2 30 81 DF 04 30 25 0D 1B 67 A2 70 AB
   00010: 04 D3 F6 54 18 E1 D3 80 B4 CB 94 5F 0A 3D CA 51
   00020: 50 0C F3 A1 BE F3 7F 76 C0 73 41 A9 83 9C CF 6C
   00030: BA 71 89 DA 61 EB 67 17 6C 30 81 AA 30 21 06 08
   00040: 2A 85 03 07 01 01 01 02 30 15 06 09 2A 85 03 07
   00050: 01 02 01 02 03 06 08 2A 85 03 07 01 01 02 03 03
   00060: 81 84 00 04 81 80 C6 5B D7 05 B6 86 01 98 BA D4
   00070: A7 0E B9 37 B6 B4 80 84 E2 60 AD F7 B1 07 4A 89
   00080: 18 28 62 C5 BF FE 64 86 28 35 41 33 0B 15 0F E4
   00090: 8A 73 7C B3 E5 BB 04 3E 4A 11 34 03 5A 6D 47 9B
   000A0: 18 93 51 BE 41 C9 BE 9A 7E 2A FC 24 62 76 FE 4E
   000B0: 23 56 84 52 93 B0 31 78 E2 EC 00 3C A8 A8 14 32
   000C0: 4F 16 35 0B C0 AB 53 41 87 DE 86 C7 6B E2 9A 94
   000D0: 0A 8D B2 AD 71 64 6A A0 C9 52 FD F4 11 20 65 48
   000E0: 81 3E B9 F7 54 A1

   Record layer message:
      type: 16
      version:
         major: 03
         minor: 03
      length: 00E6
      fragment: 100000E23081DF0430250D1B67A270AB
                04D3F65418E1D380B4CB945F0A3DCA51
                500CF3A1BEF37F76C07341A9839CCF6C
                . . .
                2356845293B03178E2EC003CA8A81432
                4F16350BC0AB534187DE86C76BE29A94
                0A8DB2AD71646AA0C952FDF411206548
                813EB9F754A1

   00000: 16 03 03 00 E6 10 00 00 E2 30 81 DF 04 30 25 0D
   00010: 1B 67 A2 70 AB 04 D3 F6 54 18 E1 D3 80 B4 CB 94
   00020: 5F 0A 3D CA 51 50 0C F3 A1 BE F3 7F 76 C0 73 41
   00030: A9 83 9C CF 6C BA 71 89 DA 61 EB 67 17 6C 30 81
   00040: AA 30 21 06 08 2A 85 03 07 01 01 01 02 30 15 06
   00050: 09 2A 85 03 07 01 02 01 02 03 06 08 2A 85 03 07
   00060: 01 01 02 03 03 81 84 00 04 81 80 C6 5B D7 05 B6
   00070: 86 01 98 BA D4 A7 0E B9 37 B6 B4 80 84 E2 60 AD
   00080: F7 B1 07 4A 89 18 28 62 C5 BF FE 64 86 28 35 41
   00090: 33 0B 15 0F E4 8A 73 7C B3 E5 BB 04 3E 4A 11 34
   000A0: 03 5A 6D 47 9B 18 93 51 BE 41 C9 BE 9A 7E 2A FC
   000B0: 24 62 76 FE 4E 23 56 84 52 93 B0 31 78 E2 EC 00
   000C0: 3C A8 A8 14 32 4F 16 35 0B C0 AB 53 41 87 DE 86
   000D0: C7 6B E2 9A 94 0A 8D B2 AD 71 64 6A A0 C9 52 FD
   000E0: F4 11 20 65 48 81 3E B9 F7 54 A1

   ---------------------------Server---------------------------

   PMSEXP extracted:
   00000: 25 0D 1B 67 A2 70 AB 04 D3 F6 54 18 E1 D3 80 B4
   00010: CB 94 5F 0A 3D CA 51 50 0C F3 A1 BE F3 7F 76 C0
   00020: 73 41 A9 83 9C CF 6C BA 71 89 DA 61 EB 67 17 6C

   HASH(r_c | r_s):
   00000: C3 EF 04 28 D4 B7 A1 F4 C5 02 5F 2E 65 DD 2B 2E
   00010: A5 83 AE EF DB 67 C7 F4 21 4A 6A 29 8E 99 E3 25

   Export key generation. r value:
      0xC3EF0428D4B7A1F4C5025F2E65DD2B2E

   Export key generation. UKM value:
      0xC3EF0428D4B7A1F4C5025F2E65DD2B2E

   Export keys K_Exp_MAC | K_Exp_ENC used in KImp15 algorithm:
   00000: 7D AC 56 E4 8A 4D C1 70 FA A8 FC BA E2 0D B8 45
   00010: 45 0C CC C4 C6 32 8B DC 8D 01 15 7C EF A2 A5 F1
   00020: 1F 1C BA D8 86 61 66 F0 1F FA AB 01 52 E2 4B F4
   00030: 60 9D 5F 46 A5 C8 99 C7 87 90 0D 08 B9 FC AD 24

   IV:
   00000: 21 4A 6A 29 8E 99 E3 25

   PMS:
   00000: A5 57 6C E7 92 4A 24 F5 81 13 80 8D BD 9E F8 56
   00010: F5 BD C3 B1 83 CE 5D AD CA 36 A5 3A A0 77 65 1D

   ---------------------------Client---------------------------

   Random value k used in signature generation:
      0x163962EEA268203E7C6B3F70BF8D4A36
        34CE6E2CFC424687951D70ACE0B4292A

   Signature value sgn_c = SIGN_d_c(HM):
   00000: F7 1F 43 62 45 5B C5 5B A8 9A 8F AF 01 82 88 EC
   00010: 00 B3 27 17 48 2E 76 24 B2 57 D9 79 7C 8F F6 02
   00020: E3 15 FD BD 8D E5 6D 08 54 18 04 0E 1B 61 BB F6
   00030: B3 01 AC 26 3D 50 03 8B 30 31 13 DB 36 17 50 3A

   ---------------------------Client---------------------------

   CertificateVerify message:
      msg_type: 0F
      length: 000044
      body:
         algorithm:
            hash: 08
            signature: 40
         signature:
            length: 0040
            vector: F71F4362455BC55BA89A8FAF018288EC
                    00B32717482E7624B257D9797C8FF602
                    E315FDBD8DE56D085418040E1B61BBF6
                    B301AC263D50038B303113DB3617503A

   00000: 0F 00 00 44 08 40 00 40 F7 1F 43 62 45 5B C5 5B
   00010: A8 9A 8F AF 01 82 88 EC 00 B3 27 17 48 2E 76 24
   00020: B2 57 D9 79 7C 8F F6 02 E3 15 FD BD 8D E5 6D 08
   00030: 54 18 04 0E 1B 61 BB F6 B3 01 AC 26 3D 50 03 8B
   00040: 30 31 13 DB 36 17 50 3A

   Record layer message:
      type: 16
      version:
         major: 03
         minor: 03
      length: 0048
      fragment: 0F00004408400040F71F4362455BC55B
                A89A8FAF018288EC00B32717482E7624
                B257D9797C8FF602E315FDBD8DE56D08
                5418040E1B61BBF6B301AC263D50038B
                303113DB3617503A

   00000: 16 03 03 00 48 0F 00 00 44 08 40 00 40 F7 1F 43
   00010: 62 45 5B C5 5B A8 9A 8F AF 01 82 88 EC 00 B3 27
   00020: 17 48 2E 76 24 B2 57 D9 79 7C 8F F6 02 E3 15 FD
   00030: BD 8D E5 6D 08 54 18 04 0E 1B 61 BB F6 B3 01 AC
   00040: 26 3D 50 03 8B 30 31 13 DB 36 17 50 3A

   ---------------------------Client---------------------------

   HASH(HM):
   00000: 9D 64 0D D8 B2 54 6B 87 05 CC 3E 67 F3 BB 83 2F
   00010: 89 2A 5B D5 D4 5C A0 44 85 01 14 C2 E6 56 02 69

   MS:
   00000: E3 18 17 B0 EC 7F 3B C9 4A 8B C4 5F 89 12 DE C5
   00010: 71 2A 7A 34 78 56 31 C0 4B AE 81 43 EE 17 90 B4
   00020: C9 D3 68 0F 6C 9D E1 70 74 58 C8 75 62 4D B6 ED

   Client connection key material
   K_write_MAC|K_read_MAC|K_write_ENC|K_read_ENC|IV_write|IV_read:
   00000: 50 52 5D 33 4E F7 00 6C 1D ED B8 B8 08 EA 03 CC
   00010: CF 1F CB 3D 33 65 F9 72 E1 7C 7C 31 4E DD 97 90
   00020: 6C 74 35 22 0A A1 B0 C6 DE 6A 1B 0F AC 29 B6 17
   00030: 9E B3 23 86 62 25 E0 7F 30 4C A1 D1 27 75 86 29
   00040: 7B 97 20 5D 7A 08 C2 CD 7F 60 3C 09 46 75 E6 C4
   00050: CC 15 F2 84 0D 9A EC 63 F0 2A FF 51 DB D5 74 D2
   00060: 76 6C 77 2B 83 2F CE 58 CB 4D E5 49 88 77 A6 7A
   00070: A4 51 40 B2 ED 52 6E 61 65 0A 28 1B 32 56 35 BC
   00080: CB 8E F9 4C 5B DF 5B 9F 47 48 B9 5B F1 B0 E0 BF

   ---------------------------Server---------------------------

   HASH(HM):
   00000: 9D 64 0D D8 B2 54 6B 87 05 CC 3E 67 F3 BB 83 2F
   00010: 89 2A 5B D5 D4 5C A0 44 85 01 14 C2 E6 56 02 69

   MS:
   00000: E3 18 17 B0 EC 7F 3B C9 4A 8B C4 5F 89 12 DE C5
   00010: 71 2A 7A 34 78 56 31 C0 4B AE 81 43 EE 17 90 B4
   00020: C9 D3 68 0F 6C 9D E1 70 74 58 C8 75 62 4D B6 ED

   Server connection key material
   K_read_MAC|K_write_MAC|K_read_ENC|K_write_ENC|IV_read|IV_write:
   00000: 50 52 5D 33 4E F7 00 6C 1D ED B8 B8 08 EA 03 CC
   00010: CF 1F CB 3D 33 65 F9 72 E1 7C 7C 31 4E DD 97 90
   00020: 6C 74 35 22 0A A1 B0 C6 DE 6A 1B 0F AC 29 B6 17
   00030: 9E B3 23 86 62 25 E0 7F 30 4C A1 D1 27 75 86 29
   00040: 7B 97 20 5D 7A 08 C2 CD 7F 60 3C 09 46 75 E6 C4
   00050: CC 15 F2 84 0D 9A EC 63 F0 2A FF 51 DB D5 74 D2
   00060: 76 6C 77 2B 83 2F CE 58 CB 4D E5 49 88 77 A6 7A
   00070: A4 51 40 B2 ED 52 6E 61 65 0A 28 1B 32 56 35 BC
   00080: CB 8E F9 4C 5B DF 5B 9F 47 48 B9 5B F1 B0 E0 BF

   ---------------------------Client---------------------------

   ChangeCipherSpec message:
      type: 01

   00000: 01

   Record layer message:
      type: 14
      version:
         major: 03
         minor: 03
      length: 0001
      fragment: 01

   00000: 14 03 03 00 01 01

   ---------------------------Client---------------------------

   HASH(HM):
   00000: C9 A4 80 DA 29 6C DD 12 3E 9A EB 26 88 8B 86 19
   00010: EA 67 78 B7 23 FA A8 B2 DC 70 6A CB A5 AB AF 11

   client_verify_data:
   00000: 98 7C 13 E6 FA 16 F3 D5 10 AE 83 00 23 58 72 27
   00010: 32 90 09 4C 8F C7 B5 F0 C7 D7 47 C4 27 35 F8 F1

   ---------------------------Client---------------------------

   Finished message:
      msg_type: 14
      length: 000020
      body:
         verify_data: 987C13E6FA16F3D510AE830023587227
                      3290094C8FC7B5F0C7D747C42735F8F1

   00000: 14 00 00 20 98 7C 13 E6 FA 16 F3 D5 10 AE 83 00
   00010: 23 58 72 27 32 90 09 4C 8F C7 B5 F0 C7 D7 47 C4
   00020: 27 35 F8 F1

   Record layer message:
      type: 16
      version:
         major: 03
         minor: 03
      length: 0034
      fragment: 4DC53D655EDFD1843AF69ADBDE989C0B
                1F0C0A1A0FD1B3F458029D8F9989FBF9
                6C5C42971063A9B70714F412E4F6280F
                7C21601B

   00000: 16 03 03 00 34 4D C5 3D 65 5E DF D1 84 3A F6 9A
   00010: DB DE 98 9C 0B 1F 0C 0A 1A 0F D1 B3 F4 58 02 9D
   00020: 8F 99 89 FB F9 6C 5C 42 97 10 63 A9 B7 07 14 F4
   00030: 12 E4 F6 28 0F 7C 21 60 1B

   ---------------------------Server---------------------------

   ChangeCipherSpec message:
      type: 01

   00000: 01

   Record layer message:
      type: 14
      version:
         major: 03
         minor: 03
      length: 0001
      fragment: 01

   00000: 14 03 03 00 01 01

   ---------------------------Server---------------------------

   HASH(HM):
   00000: 4A 41 4C AD 20 F8 46 D8 F5 D1 05 26 10 A5 9D ED
   00010: 6D 2B 1B B2 A8 9E 13 51 01 FC 9E 49 ED A8 0F B4

   server_verify_data:
   00000: 1E 93 7D A4 77 EE 1F 23 0A 41 D6 E9 D4 14 46 B7
   00010: F2 1C A1 B2 E2 32 4A 55 2D 52 B3 25 5E B4 3D DF

   ---------------------------Server---------------------------

   Finished message:
      msg_type: 14
      length: 000020
      body:
         verify_data: 1E937DA477EE1F230A41D6E9D41446B7
                      F21CA1B2E2324A552D52B3255EB43DDF

   00000: 14 00 00 20 1E 93 7D A4 77 EE 1F 23 0A 41 D6 E9
   00010: D4 14 46 B7 F2 1C A1 B2 E2 32 4A 55 2D 52 B3 25
   00020: 5E B4 3D DF

   Record layer message:
      type: 16
      version:
         major: 03
         minor: 03
      length: 0034
      fragment: F9887C3654B6CCC6AE7D7B18A46C663F
                3D1DAF30C9A853A9871077FDD5CA063B
                2C81BCC9D59FA6E3F5FAD9B2599BB586
                854A2D76

   00000: 16 03 03 00 34 F9 88 7C 36 54 B6 CC C6 AE 7D 7B
   00010: 18 A4 6C 66 3F 3D 1D AF 30 C9 A8 53 A9 87 10 77
   00020: FD D5 CA 06 3B 2C 81 BC C9 D5 9F A6 E3 F5 FA D9
   00030: B2 59 9B B5 86 85 4A 2D 76

   ---------------------------Client---------------------------

   Application data:
   00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

   Record layer message:
      type: 17
      version:
         major: 03
         minor: 03
      length: 0030
      fragment: F14F06FB8557408846080690E7A5525D
                1C6E9C901D24025486AB79728BF63D06
                5C09C27233006D65CFF0B5BA87504969

   00000: 17 03 03 00 30 F1 4F 06 FB 85 57 40 88 46 08 06
   00010: 90 E7 A5 52 5D 1C 6E 9C 90 1D 24 02 54 86 AB 79
   00020: 72 8B F6 3D 06 5C 09 C2 72 33 00 6D 65 CF F0 B5
   00030: BA 87 50 49 69

   ---------------------------Server---------------------------

   Application data:
   00000: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
   00010: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF

   Record layer message:
      type: 17
      version:
         major: 03
         minor: 03
      length: 0030
      fragment: 1561E52A8B6DB258746FFE18F3CDCB11
                1D0173AF2E5C13741C99BFF13B47CD32
                B3CED856A9506E706A2340D5841AB114

   00000: 17 03 03 00 30 15 61 E5 2A 8B 6D B2 58 74 6F FE
   00010: 18 F3 CD CB 11 1D 01 73 AF 2E 5C 13 74 1C 99 BF
   00020: F1 3B 47 CD 32 B3 CE D8 56 A9 50 6E 70 6A 23 40
   00030: D5 84 1A B1 14

   ---------------------------Client---------------------------

   close_notify alert:
      Alert:
         level: 01
         description: 00

   00000: 01 00

   Record layer message:
      type: 15
      version:
         major: 03
         minor: 03
      length: 0012
      fragment: E530C164642A078CEF528CB465E9DA7E
                AD4D

   00000: 15 03 03 00 12 E5 30 C1 64 64 2A 07 8C EF 52 8C
   00010: B4 65 E9 DA 7E AD 4D

   ---------------------------Server---------------------------

   close_notify alert:
      Alert:
         level: 01
         description: 00

   00000: 01 00

   Record layer message:
      type: 15
      version:
         major: 03
         minor: 03
      length: 0012
      fragment: EB62E5AB78BF2A4B678920A11027EC43
                0C3F

   00000: 15 03 03 00 12 EB 62 E5 AB 78 BF 2A 4B 67 89 20
   00010: A1 10 27 EC 43 0C 3F

A.2.  Test Examples for CNT_IMIT cipher suites

A.2.1.  Record Examples

   It is assumed that the following keys were established during the
   Handshake:

   - MAC key:
     00000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
     00010: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
   - Encryption key:
     00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
     00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   - IV:
     00000: 00 00 00 00 00 00 00 00

   ---------------------------------------------------------
   seqnum = 0

   Application data:
   00000: 00 00 00 00 00 00 00

   Plaintext:
   00000: 17 03 03 00 07 00 00 00 00 00 00 00

   MAC:
   00000: 30 01 34 a1

   Ciphertext:
   00000: 17 03 03 00 0b 86 71 cd bf 3c 1a ae 0f 62 4b 04

   ---------------------------------------------------------
   seqnum = 1

   Application data:

   00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   ....
   007f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

   Plaintext:
   00000: 17 03 03 08 00 00 00 00 00 00 00 00 00 00 00 00
   00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   ....
   007f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00804: 00 00 00 00 00

   MAC:
   00000: f7 c3 8b 8a

   Ciphertext:
   00000: 17 03 03 08 04 cf aa 0c b4 2f a5 a4 7a 13 3d 73
   00010: b9 f2 c0 b0 4f 8c a2 55 52 f8 56 bc be 6a 58 fa
   ....
   007f0: 3e e2 c7 6f a2 30 a0 44 be 21 dc 8e 1a 96 f9 a8
   00804: 88 1f ad 83 45 96 96 84 47

A.2.2.  Handshake Examples

   The ClientHello.extensions and the ServerHello.extensions fields
   contain the renegotiation_info extension (see [RFC5746]) in the
   following examples.
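   Every message in these examples shares the same framing: a 5-byte record
   header, a 4-byte handshake header, then nested length-prefixed vectors, and
   an implementation has to check that those lengths add up before trusting any
   field. The following Python is an added example, not code from the draft: it
   parses three records copied from the appendix dumps (the A.1.3.2 ClientHello
   and CertificateRequest and the A.2.2 ClientHello), resolves the GOST code
   points, and rejects records with slack or truncated bytes; the names given to
   C101 and to the 0x0840/0x0841 pairs are assumed to match the draft's registry
   sections.

```python
# Code points used in the draft's test vectors; the names are those the draft's
# main text assigns to them (assumed from its registry sections, not this appendix).
CIPHER_SUITES = {0xC100: "TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC",
                 0xC101: "TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC",
                 0xC102: "TLS_GOSTR341112_256_WITH_28147_CNT_IMIT"}
CERT_TYPES = {0x43: "gost_sign256", 0x44: "gost_sign512"}
SIG_ALGS = {(0x08, 0x40): "gostr34102012_256", (0x08, 0x41): "gostr34102012_512"}
EXTENSIONS = {0x000D: "signature_algorithms", 0xFF01: "renegotiation_info",
              0x0017: "extended_master_secret"}
# Records copied byte for byte from the appendix hex dumps.
CLIENT_HELLO_A132 = bytes.fromhex(  # A.1.3.2 ClientHello
    "1603030044010000400303933EA21EC3802A561550EC78D6ED51AC"
    "2439D7E749C31BC3A3456165889684CA000004C100C1010100"
    "0013000D0006000408400841FF0100010000170000")
CERT_REQUEST_A132 = bytes.fromhex(  # A.1.3.2 CertificateRequest
    "160303000F0D00000B0243440004084008410000")
CLIENT_HELLO_A22 = bytes.fromhex(  # A.2.2 ClientHello
    "160303003E0100003A03036A523D6880DCC2DC75CCC43CFD04B616"
    "F5C3757B8077B76A9B504949FD3BFDB8000002C1020100"
    "000F000D0006000408410840FF01000100")

def _u(b: bytes, off: int, n: int) -> int:
    """Big-endian integer of n bytes at off; never reads past the end."""
    if off + n > len(b):
        raise ValueError("length field runs past end of data")
    return int.from_bytes(b[off:off + n], "big")

def _vec(b: bytes, off: int, lenbytes: int) -> tuple[bytes, int]:
    """Length-prefixed TLS vector -> (contents, offset just after it)."""
    n, start = _u(b, off, lenbytes), off + lenbytes
    if start + n > len(b):
        raise ValueError("vector length exceeds enclosing structure")
    return b[start:start + n], start + n

def _exact(b: bytes, off: int, lenbytes: int) -> bytes:
    """A vector that must fill b completely: slack bytes are rejected."""
    v, end = _vec(b, off, lenbytes)
    if end != len(b):
        raise ValueError("trailing bytes after length-delimited structure")
    return v

def _sig_algs(b: bytes) -> list[str]:
    """SignatureAndHashAlgorithm pairs -> names (unknown pairs stay as hex)."""
    if len(b) % 2:
        raise ValueError("odd-length signature algorithm list")
    return [SIG_ALGS.get((b[i], b[i + 1]), b[i:i + 2].hex().upper())
            for i in range(0, len(b), 2)]

def parse_record(data: bytes) -> tuple[int, bytes]:
    """TLSPlaintext -> (content type, fragment); the version must be 3.3."""
    if len(data) < 5 or (data[1], data[2]) != (3, 3):
        raise ValueError("bad record header or version")
    return data[0], _exact(data, 3, 2)

def parse_extensions(ext: bytes) -> dict[str, bytes]:
    """Extension list -> {name: data}; a repeated type is a protocol violation."""
    out: dict[str, bytes] = {}
    off = 0
    while off < len(ext):
        etype = _u(ext, off, 2)
        name = EXTENSIONS.get(etype, f"{etype:04X}")
        data, off = _vec(ext, off + 2, 2)
        if name in out:
            raise ValueError(f"duplicate extension {name}")
        out[name] = data
    return out

def parse_client_hello(body: bytes) -> dict:
    if len(body) < 34 or _u(body, 0, 2) != 0x0303:
        raise ValueError("malformed ClientHello header")
    session_id, off = _vec(body, 34, 1)   # after 2-byte version and 32-byte random
    suites, off = _vec(body, off, 2)
    comp, off = _vec(body, off, 1)
    if not suites or len(suites) % 2 or not comp:
        raise ValueError("malformed cipher_suites or compression_methods")
    exts = parse_extensions(_exact(body, off, 2) if off < len(body) else b"")
    sig = exts.get("signature_algorithms")   # carries its own 2-byte length prefix
    return {"msg_type": "ClientHello", "random": body[2:34], "session_id": session_id,
            "cipher_suites": [CIPHER_SUITES.get(_u(suites, i, 2), suites[i:i + 2].hex().upper())
                              for i in range(0, len(suites), 2)],
            "compression_methods": list(comp), "extensions": exts,
            "signature_algorithms": _sig_algs(_exact(sig, 0, 2)) if sig is not None else []}

def parse_certificate_request(body: bytes) -> dict:
    types, off = _vec(body, 0, 1)
    algs, off = _vec(body, off, 2)
    cas = _exact(body, off, 2)           # certificate_authorities must end the body
    return {"msg_type": "CertificateRequest",
            "certificate_types": [CERT_TYPES.get(t, f"{t:02X}") for t in types],
            "signature_algorithms": _sig_algs(algs), "certificate_authorities": cas}

def describe(record: bytes) -> dict:
    """One handshake record from the appendix -> dict of named fields."""
    ctype, frag = parse_record(record)
    if ctype != 0x16:
        raise ValueError(f"not a handshake record (type {ctype:#04x})")
    body = _exact(frag, 1, 3)            # 24-bit handshake length must fill the fragment
    handlers = {0x01: parse_client_hello, 0x0D: parse_certificate_request}
    if frag[0] not in handlers:
        raise ValueError(f"unsupported handshake message {frag[0]:#04x}")
    return handlers[frag[0]](body)
```

   Calling describe() on each of the three constants reproduces the field values
   listed in the corresponding message breakdowns of this appendix.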
   Server certificate curve OID:
      id-tc26-gost-3410-12-512-paramSetA, "1.2.643.7.1.2.1.2.1"

   Server public key Q_s:
      x = 0x16DB0566C0278AC8204143994824236D
            97F36A13D5433E990B2EAC859D2E9B7A
            E054794655389158B8242923E3841B14
            24FD89F221701C89D9A3BF6A9F946795

      y = 0xD01E80DEC5BD23C8BC6B85F12BBB1635
            A5AE7AD50DE24FB8FD02CB285A4AE65A
            7D6FBB99AAFFDA80629826F2F7F73282
            220444761615A06D082077C4A00FD4CF

   Server private key d_s:
      0x5F1E83AFA2C4CB2C5633C51380E84E37
        4B013EE7C238330709080CE914B442D4
        34EB016D23FB63FEDC18B62D9DA93D26
        B3B9CE6F663B383303BD5930ED41608B

   ---------------------------Client---------------------------

   ClientHello message:
      msg_type: 01
      length: 00003a
      body:
         client_version:
            major: 03
            minor: 03
         random: 6A523D6880DCC2DC75CCC43CFD04B616
                 F5C3757B8077B76A9B504949FD3BFDB8
         session_id:
            length: 00
            vector: --
         cipher_suites:
            length: 0002
            vector:
               CipherSuite: C102
         compression_methods:
            length: 01
            vector:
               CompressionMethod: 00
         extensions:
            length: 000F
            Extension: /* signature_algorithms */
               extension_type: 000D
               extension_data:
                  length: 0006
                  vector:
                     supported_signature_algorithms:
                        length: 0004
                        vector:
                           /* 1st pair of algorithms */
                           hash: 08
                           signature: 41
                           /* 2nd pair of algorithms */
                           hash: 08
                           signature: 40
            Extension: /* renegotiation_info */
               extension_type: FF01
               extension_data:
                  length: 0001
                  vector:
                     renegotiated_connection:
                        length: 00
                        vector: --

   00000: 01 00 00 3A 03 03 6A 52 3D 68 80 DC C2 DC 75 CC
   00010: C4 3C FD 04 B6 16 F5 C3 75 7B 80 77 B7 6A 9B 50
   00020: 49 49 FD 3B FD B8 00 00 02 C1 02 01 00 00 0F 00
   00030: 0D 00 06 00 04 08 41 08 40 FF 01 00 01 00

   Record layer message:
      type: 16
      version:
         major: 03
         minor: 03
      length: 003e
      fragment: 0100003A03036A523D6880DCC2DC75CC
                C43CFD04B616F5C3757B8077B76A9B50
                4949FD3BFDB8000002C1020100000F00
                0D0006000408410840FF01000100

   00000: 16 03 03 00 3E 01 00 00 3A 03 03 6A 52 3D 68 80
   00010: DC C2 DC 75 CC C4 3C FD 04 B6 16 F5 C3 75 7B 80
   00020: 77 B7 6A 9B 50 49 49 FD 3B FD B8 00 00 02 C1 02
   00030: 01 00 00 0F 00 0D 00 06 00 04 08 41 08 40 FF 01
   00040: 00 01 00

   ---------------------------Server---------------------------

   ServerHello message:
      msg_type: 02
      length: 00004D
      body:
         client_version:
            major: 03
            minor: 03
         random: FE92C9516D0E1A67A04C33CD7F2C90B1
                 5E76DCC30815C19F92A6D100915AF2DB
         session_id:
            length: 20
            vector: 12AAA5E5779014711CCD6D265BDEE519
                    1026431C83768EE5EB5A157F940BE9FB
         cipher_suite:
            CipherSuite: C102
         compression_method:
            CompressionMethod: 00
         extensions:
            length: 0005
            Extension: /* renegotiation_info */
               extension_type: FF01
               extension_data:
                  length: 0001
                  vector:
                     renegotiated_connection:
                        length: 00
                        vector: --

   00000: 02 00 00 4D 03 03 FE 92 C9 51 6D 0E 1A 67 A0 4C
   00010: 33 CD 7F 2C 90 B1 5E 76 DC C3 08 15 C1 9F 92 A6
   00020: D1 00 91 5A F2 DB 20 12 AA A5 E5 77 90 14 71 1C
   00030: CD 6D 26 5B DE E5 19 10 26 43 1C 83 76 8E E5 EB
   00040: 5A 15 7F 94 0B E9 FB C1 02 00 00 05 FF 01 00 01
   00050: 00

   Record layer message:
      type: 16
      version:
         major: 03
         minor: 03
      length: 0051
      fragment: 0200004D0303FE92C9516D0E1A67A04C
                33CD7F2C90B15E76DCC30815C19F92A6
                D100915AF2DB2012AAA5E5779014711C
                CD6D265BDEE5191026431C83768EE5EB
                5A157F940BE9FBC102000005FF010001
                00

   00000: 16 03 03 00 51 02 00 00 4D 03 03 FE 92 C9 51 6D
   00010: 0E 1A 67 A0 4C 33 CD 7F 2C 90 B1 5E 76 DC C3 08
   00020: 15 C1 9F 92 A6 D1 00 91 5A F2 DB 20 12 AA A5 E5
   00030: 77 90 14 71 1C CD 6D 26 5B DE E5 19 10 26 43 1C
   00040: 83 76 8E E5 EB 5A 15 7F 94 0B E9 FB C1 02 00 00
   00050: 05 FF 01 00 01 00

   ---------------------------Server---------------------------

   Certificate message:
      msg_type: 0B
      length: 000266
      body:
         certificate_list:
            length: 000263
            vector:
               ASN.1Cert:
                  length: 000260
                  vector: 3082025C308201C8A003020102021478
                          94DC9D920977809191642F1DAEDC26BA
                          3B5104300A06082A8503070101030330
                          . . .
                          6C12D51F99C98A4A9904F0EA5486FED7
                          FF66AB8EB2425E1ACEAE8A758BDF843B
                          E1A8F6FEBF673015FED7AB86533DBF20

   00000: 0B 00 02 66 00 02 63 00 02 60 30 82 02 5C 30 82
   00010: 01 C8 A0 03 02 01 02 02 14 78 94 DC 9D 92 09 77
   00020: 80 91 91 64 2F 1D AE DC 26 BA 3B 51 04 30 0A 06
   00030: 08 2A 85 03 07 01 01 03 03 30 19 31 17 30 15 06
   00040: 03 55 04 03 13 0E 43 41 20 43 65 72 74 69 66 69
   00050: 63 61 74 65 30 1E 17 0D 31 38 30 31 30 32 30 30
   00060: 30 30 31 31 5A 17 0D 32 32 30 31 30 32 30 30 30
   00070: 30 32 31 5A 30 21 31 1F 30 1D 06 03 55 04 03 13
   00080: 16 53 65 72 76 65 72 20 35 31 32 20 43 65 72 74
   00090: 69 66 69 63 61 74 65 30 81 AA 30 21 06 08 2A 85
   000a0: 03 07 01 01 01 02 30 15 06 09 2A 85 03 07 01 02
   000b0: 01 02 01 06 08 2A 85 03 07 01 01 02 03 03 81 84
   000c0: 00 04 81 80 95 67 94 9F 6A BF A3 D9 89 1C 70 21
   000d0: F2 89 FD 24 14 1B 84 E3 23 29 24 B8 58 91 38 55
   000e0: 46 79 54 E0 7A 9B 2E 9D 85 AC 2E 0B 99 3E 43 D5
   000f0: 13 6A F3 97 6D 23 24 48 99 43 41 20 C8 8A 27 C0
   00100: 66 05 DB 16 CF D4 0F A0 C4 77 20 08 6D A0 15 16
   00110: 76 44 04 22 82 32 F7 F7 F2 26 98 62 80 DA FF AA
   00120: 99 BB 6F 7D 5A E6 4A 5A 28 CB 02 FD B8 4F E2 0D
   00130: D5 7A AE A5 35 16 BB 2B F1 85 6B BC C8 23 BD C5
   00140: DE 80 1E D0 A3 81 93 30 81 90 30 0C 06 03 55 1D
   00150: 13 01 01 FF 04 02 30 00 30 1A 06 03 55 1D 11 04
   00160: 13 30 11 82 09 6C 6F 63 61 6C 68 6F 73 74 87 04
   00170: 7F 00 00 01 30 13 06 03 55 1D 25 04 0C 30 0A 06
   00180: 08 2B 06 01 05 05 07 03 01 30 0F 06 03 55 1D 0F
   00190: 01 01 FF 04 05 03 03 07 B0 00 30 1D 06 03 55 1D
   001a0: 0E 04 16 04 14 AE 46 41 1B FD B3 08 C3 39 03 47
   001b0: 57 57 2B 0F BF A3 6F 9A 99 30 1F 06 03 55 1D 23
   001c0: 04 18 30 16 80 14 7F 7B 7A 15 61 A6 F2 18 A2 E3
   001d0: 48 3B C6 39 D9 7F 42 DB 6D AF 30 0A 06 08 2A 85
   001e0: 03 07 01 01 03 03 03 81 81 00 9C 49 78 F7 1B AB
   001f0: 54 8A 25 6D 2A 18 7C A8 4D 72 4F E1 EF A7 E5 36
   00200: 67 2E 79 1F 8A 0C B6 74 1E B1 63 E2 96 37 8C 5B
   00210: 82 83 EE DA B4 1B A4 22 1E BC E2 05 F6 F8 79 CF
   00220: EB F0 AD E9 36 07 0F B2 40 E5 0D 04 37 03 7F 2A
   00230: EC 99 C7 CD 23 9F 6F 20 25 A8 6C 12 D5 1F 99 C9
   00240: 8A 4A 99 04 F0 EA 54 86 FE D7 FF 66 AB 8E B2 42
   00250: 5E 1A CE AE 8A 75 8B DF 84 3B E1 A8 F6 FE BF 67
   00260: 30 15 FE D7 AB 86 53 3D BF 20

   Record layer message:
      type: 16
      version:
         major: 03
         minor: 03
      length: 026A
      fragment: 0B0002660002630002603082025C3082
                01C8A00302010202147894DC9D920977
                809191642F1DAEDC26BA3B5104300A06
                . . .
                EC99C7CD239F6F2025A86C12D51F99C9
                8A4A9904F0EA5486FED7FF66AB8EB242
                5E1ACEAE8A758BDF843BE1A8F6FEBF67
                3015FED7AB86533DBF20

   00000: 16 03 03 02 6A 0B 00 02 66 00 02 63 00 02 60 30
   00010: 82 02 5C 30 82 01 C8 A0 03 02 01 02 02 14 78 94
   00020: DC 9D 92 09 77 80 91 91 64 2F 1D AE DC 26 BA 3B
   00030: 51 04 30 0A 06 08 2A 85 03 07 01 01 03 03 30 19
   00040: 31 17 30 15 06 03 55 04 03 13 0E 43 41 20 43 65
   00050: 72 74 69 66 69 63 61 74 65 30 1E 17 0D 31 38 30
   00060: 31 30 32 30 30 30 30 31 31 5A 17 0D 32 32 30 31
   00070: 30 32 30 30 30 30 32 31 5A 30 21 31 1F 30 1D 06
   00080: 03 55 04 03 13 16 53 65 72 76 65 72 20 35 31 32
   00090: 20 43 65 72 74 69 66 69 63 61 74 65 30 81 AA 30
   000a0: 21 06 08 2A 85 03 07 01 01 01 02 30 15 06 09 2A
   000b0: 85 03 07 01 02 01 02 01 06 08 2A 85 03 07 01 01
   000c0: 02 03 03 81 84 00 04 81 80 95 67 94 9F 6A BF A3
   000d0: D9 89 1C 70 21 F2 89 FD 24 14 1B 84 E3 23 29 24
   000e0: B8 58 91 38 55 46 79 54 E0 7A 9B 2E 9D 85 AC 2E
   000f0: 0B 99 3E 43 D5 13 6A F3 97 6D 23 24 48 99 43 41
   00100: 20 C8 8A 27 C0 66 05 DB 16 CF D4 0F A0 C4 77 20
   00110: 08 6D A0 15 16 76 44 04 22 82 32 F7 F7 F2 26 98
   00120: 62 80 DA FF AA 99 BB 6F 7D 5A E6 4A 5A 28 CB 02
   00130: FD B8 4F E2 0D D5 7A AE A5 35 16 BB 2B F1 85 6B
   00140: BC C8 23 BD C5 DE 80 1E D0 A3 81 93 30 81 90 30
   00150: 0C 06 03 55 1D 13 01 01 FF 04 02 30 00 30 1A 06
   00160: 03 55 1D 11 04 13 30 11 82 09 6C 6F 63 61 6C 68
   00170: 6F 73 74 87 04 7F 00 00 01 30 13 06 03 55 1D 25
   00180: 04 0C 30 0A 06 08 2B 06 01 05 05 07 03 01 30 0F
   00190: 06 03 55 1D 0F 01 01 FF 04 05 03 03 07 B0 00 30
   001a0: 1D 06 03 55 1D 0E 04 16 04 14 AE 46 41 1B FD B3
   001b0: 08 C3 39 03 47 57 57 2B 0F BF A3 6F 9A 99 30 1F
   001c0: 06 03 55 1D 23 04 18 30 16 80 14 7F 7B 7A 15 61
   001d0: A6 F2 18 A2 E3 48 3B C6 39 D9 7F 42 DB 6D AF 30
   001e0: 0A 06 08 2A 85 03 07 01 01 03 03 03 81 81 00 9C
   001f0: 49 78 F7 1B AB 54 8A 25 6D 2A 18 7C A8 4D 72 4F
   00200: E1 EF A7 E5 36 67 2E 79 1F 8A 0C B6 74 1E B1 63
   00210: E2 96 37 8C 5B 82 83 EE DA B4 1B A4 22 1E BC E2
   00220: 05 F6 F8 79 CF EB F0 AD E9 36 07 0F B2 40 E5 0D
   00230: 04 37 03 7F 2A EC 99 C7 CD 23 9F 6F 20 25 A8 6C
   00240: 12 D5 1F 99 C9 8A 4A 99 04 F0 EA 54 86 FE D7 FF
   00250: 66 AB 8E B2 42 5E 1A CE AE 8A 75 8B DF 84 3B E1
   00260: A8 F6 FE BF 67 30 15 FE D7 AB 86 53 3D BF 20

   ---------------------------Server---------------------------

   ServerHelloDone message:
      msg_type: 0E
      length: 000000
      body: --

   00000: 0E 00 00 00

   Record layer message:
      type: 16
      version:
         major: 03
         minor: 03
      length: 0004
      fragment: 0E000000

   00000: 16 03 03 00 04 0E 00 00 00

   ---------------------------Client---------------------------

   PMS:
   00000: CE 0D D6 B6 70 42 12 15 2B E4 69 5A 7E 89 F6 4C
   00010: 89 29 A4 0D BF 0A 5A 55 C2 CE 00 2B 06 BA B6 2F

   Random d_eph value:
      0xC96486B1A3732389A162F5AD0145D537
        43C9AC27D42ACF1091CE7EF67E6C3CCA
        0F6C879B2DA3C1607648BAEB96471BD2
        078DF5CAAA4FA83ECC0FFD6D3C8E5D56

   Q_eph ephemeral key:
      x = 0x4B9CB381BCC737E493E43B2D7FD95BFE
            2AEF6BE8F6224882E5E559ADA08170DC
            49A815B3A1B3B323D2B50195153CFC60
            DD6139C3770C5762A6A7719FABF84BFB

      y = 0x95CEF28392C846A5EEFCB51C84E4960A
            77B77D0D85EBD22061BFDA0013C5AB6C
            42DDD04973F65D2AEB8A5427A53D6872
            CF2D68F5F722C4640D7AAF2E0194FBD0

   HASH(r_c | r_s):
   00000: FB F3 9D 10 E8 00 AF 70 E7 AA 22 C1 10 DA 94 A9
   00010: 9A 58 98 D8 45 27 C7 CB DE C1 1E 53 39 90 6A 1A

   K_EXP:
   00000: 3F D9 99 D1 68 4A 15 CC 9B DD 5A 35 06 7A F6 98
   00010: 17 15 00 22 E0 95 54 AC 79 1A 60 F1 61 F5 53 49

   IV:
   00000: FB F3 9D 10 E8 00 AF 70

   CEK_ENC:
   00000: D6 22 D1 67 A5 64 2E 29 52 5A 29 5C B9 F2 8F 96
   00010: F2 8B 0E FA A7 D3 A2 BE E1 49 B0 11 78 C2 DF D5

   CEK_MAC:
   00000: 4C 93 36 57

   PMSEXP:
   00000: FB F3 9D 10 E8 00 AF 70 D6 22 D1 67 A5 64 2E 29
   00010: 52 5A 29 5C B9 F2 8F 96 F2 8B 0E FA A7 D3 A2 BE
   00020: E1 49 B0 11 78 C2 DF D5 4C 93 36 57

   ---------------------------Client---------------------------

   ClientKeyExchange message:
      msg_type: 10
      length: 0000F5
      body:
         exchange_keys: 3081F23081EF30280420D622D167A564
                        2E29525A295CB9F28F96F28B0EFAA7D3
                        A2BEE149B01178C2DFD504044C933657
                        . . .
                        DABF6120D2EB850D7DB7770A96E4841C
                        B5FCEEA546C89283F2CE950408FBF39D
                        10E800AF70

   00000: 10 00 00 F5 30 81 F2 30 81 EF 30 28 04 20 D6 22
   00010: D1 67 A5 64 2E 29 52 5A 29 5C B9 F2 8F 96 F2 8B
   00020: 0E FA A7 D3 A2 BE E1 49 B0 11 78 C2 DF D5 04 04
   00030: 4C 93 36 57 A0 81 C2 06 09 2A 85 03 07 01 02 05
   00040: 01 01 A0 81 AA 30 21 06 08 2A 85 03 07 01 01 01
   00050: 02 30 15 06 09 2A 85 03 07 01 02 01 02 01 06 08
   00060: 2A 85 03 07 01 01 02 03 03 81 84 00 04 81 80 FB
   00070: 4B F8 AB 9F 71 A7 A6 62 57 0C 77 C3 39 61 DD 60
   00080: FC 3C 15 95 01 B5 D2 23 B3 B3 A1 B3 15 A8 49 DC
   00090: 70 81 A0 AD 59 E5 E5 82 48 22 F6 E8 6B EF 2A FE
   000A0: 5B D9 7F 2D 3B E4 93 E4 37 C7 BC 81 B3 9C 4B D0
   000B0: FB 94 01 2E AF 7A 0D 64 C4 22 F7 F5 68 2D CF 72
   000C0: 68 3D A5 27 54 8A EB 2A 5D F6 73 49 D0 DD 42 6C
   000D0: AB C5 13 00 DA BF 61 20 D2 EB 85 0D 7D B7 77 0A
   000E0: 96 E4 84 1C B5 FC EE A5 46 C8 92 83 F2 CE 95 04
   000F0: 08 FB F3 9D 10 E8 00 AF 70

   Record layer message:
      type: 16
      version:
         major: 03
         minor: 03
      length: 00F9
      fragment: 100000F53081F23081EF30280420D622
                D167A5642E29525A295CB9F28F96F28B
                0EFAA7D3A2BEE149B01178C2DFD50404
                . . .
                ABC51300DABF6120D2EB850D7DB7770A
                96E4841CB5FCEEA546C89283F2CE9504
                08FBF39D10E800AF70

   00000: 16 03 03 00 F9 10 00 00 F5 30 81 F2 30 81 EF 30
   00010: 28 04 20 D6 22 D1 67 A5 64 2E 29 52 5A 29 5C B9
   00020: F2 8F 96 F2 8B 0E FA A7 D3 A2 BE E1 49 B0 11 78
   00030: C2 DF D5 04 04 4C 93 36 57 A0 81 C2 06 09 2A 85
   00040: 03 07 01 02 05 01 01 A0 81 AA 30 21 06 08 2A 85
   00050: 03 07 01 01 01 02 30 15 06 09 2A 85 03 07 01 02
   00060: 01 02 01 06 08 2A 85 03 07 01 01 02 03 03 81 84
   00070: 00 04 81 80 FB 4B F8 AB 9F 71 A7 A6 62 57 0C 77
   00080: C3 39 61 DD 60 FC 3C 15 95 01 B5 D2 23 B3 B3 A1
   00090: B3 15 A8 49 DC 70 81 A0 AD 59 E5 E5 82 48 22 F6
   000A0: E8 6B EF 2A FE 5B D9 7F 2D 3B E4 93 E4 37 C7 BC
   000B0: 81 B3 9C 4B D0 FB 94 01 2E AF 7A 0D 64 C4 22 F7
   000C0: F5 68 2D CF 72 68 3D A5 27 54 8A EB 2A 5D F6 73
   000D0: 49 D0 DD 42 6C AB C5 13 00 DA BF 61 20 D2 EB 85
   000E0: 0D 7D B7 77 0A 96 E4 84 1C B5 FC EE A5 46 C8 92
   000F0: 83 F2 CE 95 04 08 FB F3 9D 10 E8 00 AF 70

   ---------------------------Client---------------------------

   HASH(HM):
   00000: F8 D6 FE EB 17 64 4D 17 B0 38 36 A6 51 EB 87 69
   00010: BD EA A2 D3 EB 18 47 F6 91 91 42 7C 30 D0 17 8E

   MS:
   00000: BE 57 46 C8 BB B7 84 7E 97 8F D4 C9 4F 52 34 52
   00010: 44 2C 8E B1 72 FD E6 28 1C 18 C5 44 63 B1 F9 4C
   00020: 2B D9 81 40 05 41 6D BB 0F 90 A5 7E A4 E0 6B 50

   Client connection key material
   K_write_MAC|K_read_MAC|K_write_ENC|K_read_ENC|IV_write|IV_read:
   00000: F3 37 F6 A8 6F F3 1F CA 52 EA 64 7C DE E3 B7 83
   00010: 34 AB 77 B5 7F E0 DB 2F C0 C8 71 EC DC AC A5 A8
   00020: FB A0 4C 21 32 82 3A 24 96 EF 93 6F 0E BC F3 0E
   00030: A0 CB 7E AF 6C A7 94 75 4F 1F 45 B1 77 22 DE B4
   00040: 4E 5B C3 2D 44 30 AF 58 93 11 6A CF 81 A3 BE 0C
   00050: 90 D2 EA 8E 76 E0 84 07 28 BA F5 E2 B2 F9 40 C0
   00060: AE 18 26 7B B6 34 C1 6A 1D 1A C1 24 73 50 95 4B
   00070: 2F EE 9B 77 F3 0D 18 D5 54 01 2B 43 78 60 87 0A
   00080: D9 21 A8 4B 07 FF 98 AF 8C 82 38 6B 91 FB BA 64

   ---------------------------Server---------------------------

   PMSEXP extracted:
   00000: FB F3 9D 10 E8 00 AF 70 D6 22 D1 67 A5 64 2E 29
   00010: 52 5A 29 5C B9 F2 8F 96 F2 8B 0E FA A7 D3 A2 BE
   00020: E1 49 B0 11 78 C2 DF D5 4C 93 36 57

   HASH(r_c | r_s):
   00000: FB F3 9D 10 E8 00 AF 70 E7 AA 22 C1 10 DA 94 A9
   00010: 9A 58 98 D8 45 27 C7 CB DE C1 1E 53 39 90 6A 1A

   K_EXP:
   00000: 3F D9 99 D1 68 4A 15 CC 9B DD 5A 35 06 7A F6 98
   00010: 17 15 00 22 E0 95 54 AC 79 1A 60 F1 61 F5 53 49

   PMS:
   00000: CE 0D D6 B6 70 42 12 15 2B E4 69 5A 7E 89 F6 4C
   00010: 89 29 A4 0D BF 0A 5A 55 C2 CE 00 2B 06 BA B6 2F

   ---------------------------Server---------------------------

   HASH(HM):
   00000: F8 D6 FE EB 17 64 4D 17 B0 38 36 A6 51 EB 87 69
   00010: BD EA A2 D3 EB 18 47 F6 91 91 42 7C 30 D0 17 8E

   MS:
   00000: BE 57 46 C8 BB B7 84 7E 97 8F D4 C9 4F 52 34 52
   00010: 44 2C 8E B1 72 FD E6 28 1C 18 C5 44 63 B1 F9 4C
   00020: 2B D9 81 40 05 41 6D BB 0F 90 A5 7E A4 E0 6B 50

   Client connection key material
   K_read_MAC|K_write_MAC|K_read_ENC|K_write_ENC|IV_read|IV_write:
   00000: F3 37 F6 A8 6F F3 1F CA 52 EA 64 7C DE E3 B7 83
   00010: 34 AB 77 B5 7F E0 DB 2F C0 C8 71 EC DC AC A5 A8
   00020: FB A0 4C 21 32 82 3A 24 96 EF 93 6F 0E BC F3 0E
   00030: A0 CB 7E AF 6C A7 94 75 4F 1F 45 B1 77 22 DE B4
   00040: 4E 5B C3 2D 44 30 AF 58 93 11 6A CF 81 A3 BE 0C
   00050: 90 D2 EA 8E 76 E0 84 07 28 BA F5 E2 B2 F9 40 C0
   00060: AE 18 26 7B B6 34 C1 6A 1D 1A C1 24 73 50 95 4B
   00070: 2F EE 9B 77 F3 0D 18 D5 54 01 2B 43 78 60 87 0A
   00080: D9 21 A8 4B 07 FF 98 AF 8C 82 38 6B 91 FB BA 64

   ---------------------------Client---------------------------

   ChangeCipherSpec message:
      type: 01

   00000: 01

   Record layer message:
      type: 14
      version:
         major: 03
         minor: 03
      length: 0001
      fragment: 01

   00000: 14 03 03 00 01 01

   ---------------------------Client---------------------------

   HASH(HM):
   00000: F8 D6 FE EB 17 64 4D 17 B0 38 36 A6 51 EB 87 69
   00010: BD EA A2 D3 EB 18 47 F6 91 91 42 7C 30 D0 17 8E

   Finished message:
      msg_type: 14
      length: 00000C
      body:
         verify_data: D3EE1DEA725CD7080C744311

   00000: 14 00 00 0C D3 EE 1D EA 72 5C D7 08 0C 74 43 11

   Record layer message:
      type: 16
      version:
         major: 03
         minor: 03
      length: 0014
      fragment: 8854A0ED0CCBDAE076FA7D22D763A8D1
                AF701BBB

   00000: 16 03 03 00 14 88 54 A0 ED 0C CB DA E0 76 FA 7D
   00010: 22 D7 63 A8 D1 AF 70 1B BB

   ---------------------------Server---------------------------

   ChangeCipherSpec message:
      type: 01

   00000: 01

   Record layer message:
      type: 14
      version:
         major: 03
         minor: 03
      length: 0001
      fragment: 01

   00000: 14 03 03 00 01 01

   ---------------------------Server---------------------------

   HASH(HM):
   00000: 9C 9F C4 E3 32 5B 5F B3 70 B9 94 2A 71 D2 6E F0
   00010: 10 71 D8 A5 A1 8F 69 E8 C2 0B 70 CC 90 E9 A9 46

   Finished message:
      msg_type: 14
      length: 00000C
      body:
         verify_data: D6A2A697E9F23DB0F9017A79

   00000: 14 00 00 0C D6 A2 A6 97 E9 F2 3D B0 F9 01 7A 79

   Record layer message:
      type: 16
      version:
         major: 03
         minor: 03
      length: 0014
      fragment: 7BDDBB3C0A6A4A9E302B468CCD5CF786
                665FFEBC

   00000: 16 03 03 00 14 7B DD BB 3C 0A 6A 4A 9E 30 2B 46
   00010: 8C CD 5C F7 86 66 5F FE BC

   ---------------------------Client---------------------------

   Application data:
   00000: 48 45 4C 4F 0A

   Record layer message:
      type: 17
      version:
         major: 03
         minor: 03
      length: 0009
      fragment: A8951D9389D1AEFE3B

   00000: 17 03 03 00 09 A8 95 1D 93 89 D1 AE FE 3B

   ---------------------------Server---------------------------

   Application data:
   00000: 48 45 4C 4F 0A

   Record layer message:
      type: 17
      version:
         major: 03
         minor: 03
      length: 0009
      fragment: 0F368E5CEC86B4F8D7

   00000: 17 03 03 00 09 0F 36 8E 5C EC 86 B4 F8 D7

   ---------------------------Client---------------------------

   close_notify alert:
      Alert:
         level: 01
         description: 00

   00000: 01 00

   Record layer message:
      type: 15
      version:
         major: 03
         minor: 03
      length: 0006
      fragment: F91FCD98F309

   00000: 15 03 03 00 06 F9 1F CD 98 F3 09

   ---------------------------Server---------------------------

   close_notify alert:
      Alert:
         level: 01
         description: 00

   00000: 01 00

   Record layer message:
      type: 15
      version:
         major: 03
         minor: 03
      length: 0006
      fragment: 117B57AD5FED

   00000: 15 03 03 00 06 11 7B 57 AD 5F ED

Appendix B. Contributors

   * Ekaterina Griboedova

     CryptoPro

     griboedova.e.s@gmail.com

   * Grigory Sedov

     CryptoPro

     sedovgk@cryptopro.ru

   * Dmitry Eremin-Solenikov

     Auriga

     dbaryshkov@gmail.com

   * Lidiia Nikiforova

     CryptoPro

     nikiforova@cryptopro.ru

Appendix C. Acknowledgments

Authors' Addresses

   Stanislav Smyshlyaev (editor)
   CryptoPro
   18, Suschevsky val
   Moscow
   127018
   Russian Federation

   Phone: +7 (495) 995-48-20
   Email: svs@cryptopro.ru

   Dmitry Belyavskiy
   Cryptocom
   14/2 Kedrova st
   Moscow
   117218
   Russian Federation
   Email: beldmit@gmail.com

   Markku-Juhani O. Saarinen
   Independent Consultant

   Email: mjos@iki.fi

   Evgeny Alekseev
   CryptoPro
   18, Suschevsky val
   Moscow
   127018
   Russian Federation

   Email: alekseev@cryptopro.ru