summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc9367.txt
diff options
context:
space:
mode:
authorThomas Voss <mail@thomasvoss.com> 2024-11-27 20:54:24 +0100
committerThomas Voss <mail@thomasvoss.com> 2024-11-27 20:54:24 +0100
commit4bfd864f10b68b71482b35c818559068ef8d5797 (patch)
treee3989f47a7994642eb325063d46e8f08ffa681dc /doc/rfc/rfc9367.txt
parentea76e11061bda059ae9f9ad130a9895cc85607db (diff)
doc: Add RFC documents
Diffstat (limited to 'doc/rfc/rfc9367.txt')
-rw-r--r--doc/rfc/rfc9367.txt4052
1 files changed, 4052 insertions, 0 deletions
diff --git a/doc/rfc/rfc9367.txt b/doc/rfc/rfc9367.txt
new file mode 100644
index 0000000..3af49bd
--- /dev/null
+++ b/doc/rfc/rfc9367.txt
@@ -0,0 +1,4052 @@
+
+
+
+
+Independent Submission S. Smyshlyaev, Ed.
+Request for Comments: 9367 E. Alekseev
+Category: Informational E. Griboedova
+ISSN: 2070-1721 A. Babueva
+ L. Nikiforova
+ CryptoPro
+ February 2023
+
+
+ GOST Cipher Suites for Transport Layer Security (TLS) Protocol
+ Version 1.3
+
+Abstract
+
+ The purpose of this document is to make the Russian cryptographic
+ standards available to the Internet community for their
+ implementation in the Transport Layer Security (TLS) Protocol Version
+ 1.3.
+
+ This document defines the cipher suites, signature schemes, and key
+ exchange mechanisms for using Russian cryptographic standards, called
+ GOST algorithms, with TLS Version 1.3. Additionally, this document
+ specifies a profile of TLS 1.3 with GOST algorithms to facilitate
+ interoperable implementations. The IETF has not endorsed the cipher
+ suites, signature schemes, or key exchange mechanisms described in
+ this document.
+
+Status of This Memo
+
+ This document is not an Internet Standards Track specification; it is
+ published for informational purposes.
+
+ This is a contribution to the RFC Series, independently of any other
+ RFC stream. The RFC Editor has chosen to publish this document at
+ its discretion and makes no statement about its value for
+ implementation or deployment. Documents approved for publication by
+ the RFC Editor are not candidates for any level of Internet Standard;
+ see Section 2 of RFC 7841.
+
+ Information about the current status of this document, any errata,
+ and how to provide feedback on it may be obtained at
+ https://www.rfc-editor.org/info/rfc9367.
+
+Copyright Notice
+
+ Copyright (c) 2023 IETF Trust and the persons identified as the
+ document authors. All rights reserved.
+
+ This document is subject to BCP 78 and the IETF Trust's Legal
+ Provisions Relating to IETF Documents
+ (https://trustee.ietf.org/license-info) in effect on the date of
+ publication of this document. Please review these documents
+ carefully, as they describe your rights and restrictions with respect
+ to this document.
+
+Table of Contents
+
+ 1. Introduction
+ 2. Conventions Used in This Document
+ 3. Basic Terms and Definitions
+ 4. Cipher Suite Definition
+ 4.1. Record Protection Algorithm
+ 4.1.1. AEAD Algorithm
+ 4.1.2. TLSTREE
+ 4.1.3. SNMAX Parameter
+ 4.2. Hash Algorithm
+ 5. Signature Scheme Definition
+ 5.1. Signature Algorithm
+ 5.2. Elliptic Curve
+ 5.3. SIGN Function
+ 6. Key Exchange and Authentication
+ 6.1. Key Exchange
+ 6.1.1. ECDHE Shared Secret Calculation
+ 6.1.1.1. ECDHE Shared Secret Calculation on the Client Side
+ 6.1.1.2. ECDHE Shared Secret Calculation on Server Side
+ 6.1.1.3. Public Ephemeral Key Representation
+ 6.1.2. Values for the TLS Supported Groups Registry
+ 6.2. Authentication
+ 6.3. Handshake Messages
+ 6.3.1. Hello Messages
+ 6.3.2. CertificateRequest
+ 6.3.3. Certificate
+ 6.3.4. CertificateVerify
+ 7. IANA Considerations
+ 8. Historical Considerations
+ 9. Security Considerations
+ 10. References
+ 10.1. Normative References
+ 10.2. Informative References
+ Appendix A. Test Examples
+ A.1. Example 1
+ A.1.1. Test Case
+ A.1.2. Test Examples
+ A.2. Example 2
+ A.2.1. Test Case
+ A.2.2. Test Examples
+ Contributors
+ Authors' Addresses
+
+1. Introduction
+
+ This document defines four new cipher suites (the TLS13_GOST cipher
+ suites) and seven new signature schemes (the TLS13_GOST signature
+ schemes) for the Transport Layer Security (TLS) Protocol Version 1.3
+ that are based on Russian cryptographic standards GOST R 34.12-2015
+ [RFC7801], GOST R 34.11-2012 [RFC6986], and GOST R 34.10-2012
+ [RFC7091].
+
+ The TLS13_GOST cipher suites (see Section 4) have the following
+ values:
+
+ TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L = {0xC1, 0x03}
+
+ TLS_GOSTR341112_256_WITH_MAGMA_MGM_L = {0xC1, 0x04}
+
+ TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S = {0xC1, 0x05}
+
+ TLS_GOSTR341112_256_WITH_MAGMA_MGM_S = {0xC1, 0x06}
+
+ Each TLS13_GOST cipher suite specifies a pair (record protection
+ algorithm, hash algorithm) such that:
+
+ * The record protection algorithm is the Authenticated Encryption
+ with Associated Data (AEAD) algorithm (see Section 4.1.1) based on
+ the GOST R 34.12-2015 block cipher [RFC7801] in the Multilinear
+ Galois Mode (MGM) [RFC9058] and the external re-keying approach
+ (see [RFC8645]) intended for increasing the lifetime of symmetric
+ keys used to protect records.
+
+ * The hash algorithm is the GOST R 34.11-2012 algorithm [RFC6986].
+
+ Note: The TLS13_GOST cipher suites are divided into two types: the
+ "_S" (strong) cipher suites and the "_L" (light) cipher suites
+ (depending on the key lifetime limitations, see Sections 4.1.2 and
+ 4.1.3).
+
+ The TLS13_GOST signature schemes have the following values:
+
+ gostr34102012_256a = 0x0709
+
+ gostr34102012_256b = 0x070A
+
+ gostr34102012_256c = 0x070B
+
+ gostr34102012_256d = 0x070C
+
+ gostr34102012_512a = 0x070D
+
+ gostr34102012_512b = 0x070E
+
+ gostr34102012_512c = 0x070F
+
+ Each TLS13_GOST signature scheme specifies a pair (signature
+ algorithm, elliptic curve) such that:
+
+ * The signature algorithm is the GOST R 34.10-2012 algorithm
+ [RFC7091].
+
+ * The elliptic curve is one of the curves defined in Section 5.2.
+
+ This document also specifies the key exchange mechanism with GOST
+ algorithms for the TLS 1.3 protocol (see Section 6.1).
+
+ Additionally, this document specifies a TLS13_GOST profile of the TLS
+ 1.3 protocol with GOST algorithms so that implementers can produce
+ interoperable implementations. It uses TLS13_GOST cipher suites,
+ TLS13_GOST signature schemes, and key exchange mechanisms that are
+ defined in this document.
+
+2. Conventions Used in This Document
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
+ "OPTIONAL" in this document are to be interpreted as described in
+ BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
+ capitals, as shown here.
+
+3. Basic Terms and Definitions
+
+ This document follows the terminology from [RFC8446BIS] for "main
+ secret".
+
+ This document uses the following terms and definitions for the sets
+ and operations on the elements of these sets:
+
+ B_t The set of byte strings of length t, t >= 0; for t =
+ 0, the B_t set consists of a single empty string of
+ zero length. If A is an element in B_t, then A =
+ (a_1, a_2, ... , a_t), where a_1, a_2, ... , a_t are
+ in {0, ... , 255}.
+
+ B* The set of all byte strings of a finite length
+ (hereinafter referred to as strings) including the
+ empty string.
+
+ A[i..j] The string A[i..j] = (a_i, a_{i+1}, ... , a_j) in
+ B_{j-i+1}, where A = (a_1, a_2, ... , a_t) in B_t and
+ 1<=i<=j<=t.
+
+ A[i] The integer a_i in {0, ... , 255}, where A = (a_1,
+ a_2, ... , a_t) in B_t and 1<=i<=t.
+
+ |A| The length of the byte string A in bytes.
+
+ A | C The concatenation of strings A and C both belonging
+ to B*; i.e., a string in B_{|A|+|C|}, where the left
+ substring in B_|A| is equal to A and the right
+ substring in B_|C| is equal to C.
+
+ i & j Bitwise AND of integers i and j.
+
+ STR_t The transformation that maps an integer i = 256^(t-1)
+ * i_1 + ... + 256 * i_{t-1} + i_t into the byte
+ string STR_t(i) = (i_1, ... , i_t) in B_t (the
+ interpretation of the integer as a byte string in
+ big-endian format).
+
+ str_t The transformation that maps an integer i = 256^(t-1)
+ * i_t + ... + 256 * i_2 + i_1 into the byte string
+ str_t(i) = (i_1, ... , i_t) in B_t (the
+ interpretation of the integer as a byte string in
+ little-endian format).
+
+ k The length of the block cipher key in bytes.
+
+ n The length of the block cipher block in bytes.
+
+ IVlen The length of the initialization vector in bytes.
+
+ S The length of the authentication tag in bytes.
+
+ E_i The elliptic curve indicated by the client in
+ "supported_groups" extension.
+
+ O_i The zero point of the elliptic curve E_i.
+
+ m_i The order of the group of points belonging to the
+ elliptic curve E_i.
+
+ q_i The order of the cyclic subgroup of the group of
+ points belonging to the elliptic curve E_i.
+
+ h_i The cofactor of the cyclic subgroup that is equal to
+ m_i / q_i.
+
+ Q_sign The public key stored in the endpoint's certificate.
+
+ d_sign The private key that corresponds to the Q_sign key.
+
+ P_i The point of the elliptic curve E_i of the order q_i.
+
+ (d_C^i, Q_C^i) The client's ephemeral key pair that consists of the
+ private key and the public key corresponding to the
+ elliptic curve E_i.
+
+ (d_S^i, Q_S^i) The server's ephemeral key pair that consists of the
+ private key and the public key corresponding to the
+ elliptic curve E_i.
+
+4. Cipher Suite Definition
+
+ This section defines the following four TLS13_GOST cipher suites:
+
+ * CipherSuite TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L = {0xC1,
+ 0x03};
+
+ * CipherSuite TLS_GOSTR341112_256_WITH_MAGMA_MGM_L = {0xC1, 0x04};
+
+ * CipherSuite TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S = {0xC1,
+ 0x05};
+
+ * CipherSuite TLS_GOSTR341112_256_WITH_MAGMA_MGM_S = {0xC1, 0x06}.
+
+ Each cipher suite specifies a pair consisting of a record protection
+ algorithm (see Section 4.1) and a hash algorithm (Section 4.2).
+
+4.1. Record Protection Algorithm
+
+ In accordance with Section 5.2 of [RFC8446], the record protection
+ algorithm translates a TLSPlaintext structure into a TLSCiphertext
+ structure. If the TLS13_GOST cipher suite is negotiated, the
+ encrypted_record field of the TLSCiphertext structure MUST be set to
+ the AEADEncrypted value computed as follows:
+
+ AEADEncrypted = AEAD-Encrypt(sender_record_write_key, nonce,
+ additional_data, plaintext),
+
+ where
+
+ * the AEAD-Encrypt function is defined in Section 4.1.1;
+
+ * the sender_record_write_key is a key derived from sender_write_key
+ (see Section 7.3 of [RFC8446]) using the TLSTREE function defined
+ in Section 4.1.2 and sequence number seqnum as follows:
+
+ sender_record_write_key = TLSTREE(sender_write_key, seqnum);
+
+ * the nonce is a value derived from sequence number seqnum and
+ sender_write_iv (see Section 7.3 of [RFC8446]) in accordance with
+ Section 5.3 of [RFC8446];
+
+ * the additional_data value is a record header that is generated in
+ accordance with Section 5.2 of [RFC8446];
+
+ * the plaintext value is the TLSInnerPlaintext structure encoded in
+ accordance with Section 5.2 of [RFC8446].
+
+ Note 1: The AEAD-Encrypt function is exactly the same as the AEAD-
+ Encrypt function defined in [RFC8446], such that the key (the first
+ argument) is calculated from sender_write_key and sequence number
+ seqnum for each message separately to support the external re-keying
+ approach according to [RFC8645].
+
+ Note 2: Sequence number is a value in the range 0-SNMAX, where the
+ SNMAX value is defined in Section 4.1.3. The SNMAX parameter is
+ specified by a particular TLS13_GOST cipher suite to limit an amount
+ of data that can be encrypted under the same traffic key material
+ (sender_write_key, sender_write_iv).
+
+ The record deprotection algorithm reverses the process of the record
+ protection. In order to decrypt and verify a protected record with
+ sequence number seqnum, the algorithm takes sender_record_write_key
+ as an input, which is derived from sender_write_key, nonce,
+ additional_data, and the AEADEncrypted value. The algorithm outputs
+ the res value that is either plaintext or an error indicating that
+ the decryption failed. If a TLS13_GOST cipher suite is negotiated,
+ the res value MUST be computed as follows:
+
+ res = AEAD-Decrypt(sender_record_write_key, nonce,
+ additional_data, AEADEncrypted),
+
+ where the AEAD-Decrypt function is as defined in Section 4.1.1.
+
+ Note: The AEAD-Decrypt function is exactly the same as the AEAD-
+ Decrypt function defined in [RFC8446], such that the key (the first
+ argument) is calculated from sender_write_key and sequence number
+ seqnum for each message separately to support the external re-keying
+ approach according to [RFC8645].
+
+4.1.1. AEAD Algorithm
+
+ The AEAD-Encrypt and AEAD-Decrypt functions are defined as follows:
+
+ +-------------------------------------------------------------------+
+ | AEAD-Encrypt(K, nonce, A, P) |
+ |-------------------------------------------------------------------|
+ | Input: |
+ | - encryption key K in B_k, |
+ | - unique vector nonce in B_IVlen, |
+ | - additional authenticated data A in B_r, r >= 0, |
+ | - plaintext P in B_t, t >= 0. |
+ | Output: |
+ | - ciphertext C in B_{|P|}, |
+ | - authentication tag T in B_S. |
+ |-------------------------------------------------------------------|
+ | 1. MGMnonce = STR_1(nonce[1] & 0x7f) | nonce[2..IVlen]; |
+ | 2. (MGMnonce, A, C, T) = MGM-Encrypt(K, MGMnonce, A, P); |
+ | 3. Return C | T. |
+ +-------------------------------------------------------------------+
+
+ +-------------------------------------------------------------------+
+ | AEAD-Decrypt(K, nonce, A, C | T) |
+ |-------------------------------------------------------------------|
+ | Input: |
+ | - encryption key K in B_k, |
+ | - unique vector nonce in B_IVlen, |
+ | - additional authenticated data A in B_r, r >= 0, |
+ | - ciphertext C in B_t, t >= 0, |
+ | - authentication tag T in B_S. |
+ | Output: |
+ | - plaintext P in B_{|C|} or FAIL. |
+ |-------------------------------------------------------------------|
+ | 1. MGMnonce = STR_1(nonce[1] & 0x7f) | nonce[2..IVlen]; |
+ | 2. res' = MGM-Decrypt(K, MGMnonce, A, C, T); |
+ | 3. IF res' = FAIL then return FAIL; |
+ | 4. IF res' = (A, P) then return P. |
+ +-------------------------------------------------------------------+
+
+ where
+
+ * the MGM-Encrypt and MGM-Decrypt functions are defined in
+ [RFC9058];
+
+ * the length of authentication tag T is equal to n bytes (S = n);
+
+ * the length of the nonce parameter is equal to n bytes (IVlen = n).
+
+ Cipher suites TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L and
+ TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S MUST use Kuznyechik
+ [RFC7801] as a base block cipher for the AEAD algorithm. The block
+ length n is 16 bytes (n = 16) and the key length k is 32 bytes (k =
+ 32).
+
+ Cipher suites TLS_GOSTR341112_256_WITH_MAGMA_MGM_L and
+ TLS_GOSTR341112_256_WITH_MAGMA_MGM_S MUST use Magma [RFC8891] as a
+ base block cipher for the AEAD algorithm. The block length n is 8
+ bytes (n = 8) and the key length k is 32 bytes (k = 32).
+
+4.1.2. TLSTREE
+
+ The TLS13_GOST cipher suites use the TLSTREE function to support the
+ external re-keying approach (see [RFC8645]). The TLSTREE function is
+ defined as follows:
+
+ TLSTREE(K_root, i) = KDF_3(KDF_2(KDF_1(K_root, STR_8(i & C_1)),
+ STR_8(i & C_2)), STR_8(i & C_3)),
+
+ where
+
+ * K_root in B_32;
+
+ * i in {0, 1, ... , 2^64 - 1};
+
+ * KDF_j(K, D), j = 1, 2, 3, is the key derivation function defined
+ as follows:
+
+ - KDF_1(K, D) = KDF_GOSTR3411_2012_256(K, "level1", D),
+
+ - KDF_2(K, D) = KDF_GOSTR3411_2012_256(K, "level2", D),
+
+ - KDF_3(K, D) = KDF_GOSTR3411_2012_256(K, "level3", D),
+
+ where the KDF_GOSTR3411_2012_256 function is defined in [RFC7836],
+ K in B_32, D in B_8;
+
+ * C_1, C_2, C_3 are the constants defined by each cipher suite as
+ follows:
+
+ +===========================================+======================+
+ | CipherSuites |C_1, C_2, C_3 |
+ +===========================================+======================+
+ | TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L |C_1=0xf800000000000000|
+ | | |
+ | |C_2=0xfffffff000000000|
+ | | |
+ | |C_3=0xffffffffffffe000|
+ +-------------------------------------------+----------------------+
+ | TLS_GOSTR341112_256_WITH_MAGMA_MGM_L |C_1=0xffe0000000000000|
+ | | |
+ | |C_2=0xffffffffc0000000|
+ | | |
+ | |C_3=0xffffffffffffff80|
+ +-------------------------------------------+----------------------+
+ | TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S |C_1=0xffffffffe0000000|
+ | | |
+ | |C_2=0xffffffffffff0000|
+ | | |
+ | |C_3=0xfffffffffffffff8|
+ +-------------------------------------------+----------------------+
+ | TLS_GOSTR341112_256_WITH_MAGMA_MGM_S |C_1=0xfffffffffc000000|
+ | | |
+ | |C_2=0xffffffffffffe000|
+ | | |
+ | |C_3=0xffffffffffffffff|
+ +-------------------------------------------+----------------------+
+
+ Table 1
+
+4.1.3. SNMAX Parameter
+
+ The SNMAX parameter is the maximum number of records encrypted under
+ the same traffic key material (sender_write_key and sender_write_iv)
+ and is defined by each cipher suite as follows:
+
+ +===========================================+==================+
+ | CipherSuites | SNMAX |
+ +===========================================+==================+
+ | TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L | SNMAX = 2^64 - 1 |
+ +-------------------------------------------+------------------+
+ | TLS_GOSTR341112_256_WITH_MAGMA_MGM_L | SNMAX = 2^64 - 1 |
+ +-------------------------------------------+------------------+
+ | TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S | SNMAX = 2^42 - 1 |
+ +-------------------------------------------+------------------+
+ | TLS_GOSTR341112_256_WITH_MAGMA_MGM_S | SNMAX = 2^39 - 1 |
+ +-------------------------------------------+------------------+
+
+ Table 2
+
+4.2. Hash Algorithm
+
+ The Hash algorithm is used for the key derivation process (see
+ Section 7.1 of [RFC8446]), Finished message calculation (see
+ Section 4.4.4 of [RFC8446]), Transcript-Hash function computation
+ (see Section 4.4.1 of [RFC8446]), Pre-Shared Key (PSK) binder value
+ calculation (see Section 4.2.11.2 of [RFC8446]), external re-keying
+ approach (see Section 4.1.2), and other purposes.
+
+ If a TLS13_GOST cipher suite is negotiated, the Hash algorithm MUST
+ be the GOST R 34.11-2012 hash algorithm [RFC6986] with a 32-byte
+ (256-bit) hash value.
+
+5. Signature Scheme Definition
+
+ This section defines the following seven TLS13_GOST signature
+ schemes:
+
+ enum {
+ gostr34102012_256a(0x0709),
+ gostr34102012_256b(0x070A),
+ gostr34102012_256c(0x070B),
+ gostr34102012_256d(0x070C),
+ gostr34102012_512a(0x070D),
+ gostr34102012_512b(0x070E),
+ gostr34102012_512c(0x070F)
+ } SignatureScheme;
+
+ One of the TLS13_GOST signature schemes listed above SHOULD be used
+ with the TLS13_GOST profile.
+
+ Each signature scheme specifies a pair consisting of the signature
+ algorithm (see Section 5.1) and the elliptic curve (see Section 5.2).
+ The procedure to calculate the signature value using TLS13_GOST
+ signature schemes is defined in Section 5.3.
+
+5.1. Signature Algorithm
+
+ Signature algorithms corresponding to the TLS13_GOST signature
+ schemes are defined as follows:
+
+ +=======================+=====================+============+
+ | SignatureScheme Value | Signature Algorithm | References |
+ +=======================+=====================+============+
+ | gostr34102012_256a | GOST R 34.10-2012, | RFC 7091 |
+ | | 32-byte key length | |
+ +-----------------------+---------------------+------------+
+ | gostr34102012_256b | GOST R 34.10-2012, | RFC 7091 |
+ | | 32-byte key length | |
+ +-----------------------+---------------------+------------+
+ | gostr34102012_256c | GOST R 34.10-2012, | RFC 7091 |
+ | | 32-byte key length | |
+ +-----------------------+---------------------+------------+
+ | gostr34102012_256d | GOST R 34.10-2012, | RFC 7091 |
+ | | 32-byte key length | |
+ +-----------------------+---------------------+------------+
+ | gostr34102012_512a | GOST R 34.10-2012, | RFC 7091 |
+ | | 64-byte key length | |
+ +-----------------------+---------------------+------------+
+ | gostr34102012_512b | GOST R 34.10-2012, | RFC 7091 |
+ | | 64-byte key length | |
+ +-----------------------+---------------------+------------+
+ | gostr34102012_512c | GOST R 34.10-2012, | RFC 7091 |
+ | | 64-byte key length | |
+ +-----------------------+---------------------+------------+
+
+ Table 3
+
+5.2. Elliptic Curve
+
+ Elliptic curves corresponding to the TLS13_GOST signature schemes are
+ defined as follows:
+
+ +=======================+=========================+============+
+ | SignatureScheme Value | Curve Identifier Value | References |
+ +=======================+=========================+============+
+ | gostr34102012_256a | id-tc26-gost- | RFC 7836 |
+ | | 3410-2012-256-paramSetA | |
+ +-----------------------+-------------------------+------------+
+ | gostr34102012_256b | id-GostR3410-2001- | RFC 4357 |
+ | | CryptoPro-A-ParamSet | |
+ +-----------------------+-------------------------+------------+
+ | gostr34102012_256c | id-GostR3410-2001- | RFC 4357 |
+ | | CryptoPro-B-ParamSet | |
+ +-----------------------+-------------------------+------------+
+ | gostr34102012_256d | id-GostR3410-2001- | RFC 4357 |
+ | | CryptoPro-C-ParamSet | |
+ +-----------------------+-------------------------+------------+
+ | gostr34102012_512a | id-tc26-gost- | RFC 7836 |
+ | | 3410-12-512-paramSetA | |
+ +-----------------------+-------------------------+------------+
+ | gostr34102012_512b | id-tc26-gost- | RFC 7836 |
+ | | 3410-12-512-paramSetB | |
+ +-----------------------+-------------------------+------------+
+ | gostr34102012_512c | id-tc26-gost- | RFC 7836 |
+ | | 3410-2012-512-paramSetC | |
+ +-----------------------+-------------------------+------------+
+
+ Table 4
+
+5.3. SIGN Function
+
+ If the TLS13_GOST signature scheme is used, the signature value in
+ the CertificateVerify message (see Section 6.3.4) MUST be calculated
+ using the SIGN function defined as follows:
+
+ +-----------------------------------------------------+
+ | SIGN(d_sign, M) |
+ |-----------------------------------------------------|
+ | Input: |
+ | - the sign key d_sign: 0 < d_sign < q; |
+ | - the byte string M in B*. |
+ | Output: |
+ | - signature value sgn in B_{2*l}. |
+ |-----------------------------------------------------|
+ | 1. (r, s) = SIGNGOST(d_sign, M) |
+ | 2. Return str_l(r) | str_l(s). |
+ |-----------------------------------------------------+
+
+ where
+
+ * q is the subgroup order of the group of points of the elliptic
+ curve;
+
+ * l is defined as follows:
+
+ - l = 32 for the gostr34102012_256a, gostr34102012_256b,
+ gostr34102012_256c, and gostr34102012_256d signature schemes;
+
+ - l = 64 for the gostr34102012_512a, gostr34102012_512b, and
+ gostr34102012_512c signature schemes;
+
+ * SIGNGOST is an algorithm that takes a private key d_sign and a
+ message M as an input and returns a pair of integers (r, s) that
+ is calculated during the signature generation process in
+ accordance with the GOST R 34.10-2012 signature algorithm (see
+ Section 6.1 of [RFC7091]).
+
+ Note: The signature value sgn is the concatenation of two strings
+ that are byte representations of r and s values in the little-endian
+ format.
+
+6. Key Exchange and Authentication
+
+ The key exchange and authentication process for using the TLS13_GOST
+ profile is defined in Sections 6.1, 6.2, and 6.3.
+
+6.1. Key Exchange
+
+ The TLS13_GOST profile supports three basic key exchange modes that
+ are defined in [RFC8446]: Ephemeral Elliptic Curve Diffie-Hellman
+ (ECDHE), PSK-only, and PSK with ECDHE.
+
+ Note: In accordance with [RFC8446], TLS 1.3 also supports key
+ exchange modes based on the Diffie-Hellman protocol over finite
+ fields. However, the TLS13_GOST profile MUST use modes based on the
+ Diffie-Hellman protocol over elliptic curves.
+
+ In accordance with [RFC8446], PSKs can be divided into two types:
+
+ * internal PSKs that can be established during the previous
+ connection;
+
+ * external PSKs that can be established out of band.
+
+ If the TLS13_GOST profile is used, PSK-only key exchange mode SHOULD
+ be established via the internal PSKs, and external PSKs SHOULD be
+ used only in PSK with ECDHE mode (see more in Section 9).
+
+ If the TLS13_GOST profile is used and ECDHE or PSK with ECDHE key
+ exchange mode is used, the ECDHE shared secret SHOULD be calculated
+ in accordance with Section 6.1.1 on the basis of one of the elliptic
+ curves defined in Section 6.1.2.
+
+6.1.1. ECDHE Shared Secret Calculation
+
+ If the TLS13_GOST profile is used, the ECDHE shared secret SHOULD be
+ calculated in accordance with Sections 6.1.1.1 and 6.1.1.2. The
+ public ephemeral keys used to obtain the ECDHE shared secret SHOULD
+ be represented in the format described in Section 6.1.1.3.
+
+6.1.1.1. ECDHE Shared Secret Calculation on the Client Side
+
+ The client calculates the ECDHE shared secret in accordance with the
+ following steps:
+
+ Step 1. The client chooses from all supported curves E_1, ..., E_R
+ the set of curves E_{i_1}, ..., E_{i_r}, 1 <= i_1 <= i_r <=
+ R, where
+
+ * r >= 1 in the case of the first ClientHello message;
+
+ * r = 1 in the case of responding to the HelloRetryRequest
+ message; E_{i_1} corresponds to the curve indicated in
+ the "key_share" extension in the HelloRetryRequest
+ message.
+
+ Step 2. The client generates ephemeral key pairs (d_C^{i_1},
+ Q_C^{i_1}), ..., (d_C^{i_r}, Q_C^{i_r}) corresponding to the
+ curves E_{i_1}, ..., E_{i_r}, where for each i in {i_1, ...,
+ i_r}:
+
+ * d_C^i is chosen from {1, ..., q_i - 1} at random;
+
+ * Q_C^i = d_C^i * P_i.
+
+ Step 3. The client sends the ClientHello message specified in
+ accordance with Section 4.1.2 of [RFC8446] and Section 6.3.1
+ that contains:
+
+ * "key_share" extension with public ephemeral keys
+ Q_C^{i_1}, ..., Q_C^{i_r} built in accordance with
+ Section 4.2.8 of [RFC8446];
+
+ * "supported_groups" extension with supported curves E_1,
+ ..., E_R built in accordance with Section 4.2.7 of
+ [RFC8446].
+
+ Note: The client MAY send an empty "key_share" extension
+ in the first ClientHello message to request a group
+ selection from the server in the HelloRetryRequest
+ message and to generate an ephemeral key for the selected
+ group only. The ECDHE shared secret may be calculated
+ without sending HelloRetryRequest message if the
+ "key_share" extension in the first ClientHello message
+ contains the value corresponding to the curve that is
+ selected by the server.
+
+ Step 4. If the HelloRetryRequest message is received, the client
+ MUST return to Step 1 and choose correct parameters in
+ accordance with Section 4.1.2 of [RFC8446]. If the
+ ServerHello message is received, the client proceeds to the
+ next step. In other cases, the client MUST terminate the
+ connection with the "unexpected_message" alert.
+
+ Step 5. The client extracts curve E_res and ephemeral key Q_S^res,
+ res in {1, ..., R}, from the ServerHello message and checks
+ whether Q_S^res belongs to E_res. If this check fails, the
+ client MUST terminate the connection with
+ "handshake_failure" alert.
+
+ Step 6. The client generates Q^ECDHE:
+
+ Q^ECDHE = (X^ECDHE, Y^ECDHE) = (h_res * d_C^res) *
+ Q_S^res.
+
+ Step 7. The client MUST check whether the calculated shared secret
+ Q^ECDHE is not equal to the zero point O_res. If this check
+ fails, the client MUST terminate the connection with
+ "handshake_failure" alert.
+
+ Step 8. The ECDHE shared secret is the byte representation of the
+ coordinate X^ECDHE of the point Q^ECDHE in the little-endian
+ format:
+
+ ECDHE = str_{coordinate_length}(X^ECDHE),
+
+ where the coordinate_length value is defined by the
+ particular elliptic curve (see Section 6.1.2).
+
+6.1.1.2. ECDHE Shared Secret Calculation on Server Side
+
+ Upon receiving the ClientHello message, the server calculates the
+ ECDHE shared secret in accordance with the following steps:
+
+ Step 1. The server chooses the curve E_res, res in {1, ..., R}, from
+ the list of the curves E_1, ..., E_R indicated in the
+ "supported_groups" extension in the ClientHello message and
+ the corresponding public ephemeral key Q_C^res from the list
+ Q_C^{i_1}, ..., Q_C^{i_r}, 1 <= i_1 <= i_r <= R, indicated
+ in the "key_share" extension. If the corresponding public
+ ephemeral key is not found (res in {1, ..., R}\{i_1, ...,
+ i_r}), the server MUST send the HelloRetryRequest message
+ with the "key_share" extension indicating the selected
+ elliptic curve E_res and wait for the new ClientHello
+ message.
+
+ Step 2. The server checks whether Q_C^res belongs to E_res. If this
+ check fails, the server MUST terminate the connection with
+ "handshake_failure" alert.
+
+ Step 3. The server generates ephemeral key pair (d_S^res, Q_S^res)
+ corresponding to E_res:
+
+ * d_S^res is chosen from {1, ..., q_res - 1} at random;
+
+ * Q_S^res = d_S^res * P_res.
+
+ Step 4. The server sends the ServerHello message generated in
+ accordance with Section 4.1.3 of [RFC8446] and Section 6.3.1
+ with the "key_share" extension that contains public
+ ephemeral key Q_S^res corresponding to E_res.
+
+ Step 5. The server generates Q^ECDHE:
+
+ Q^ECDHE = (X^ECDHE, Y^ECDHE) = (h_res * d_S^res) *
+ Q_C^res.
+
+ Step 6. The server MUST check whether the calculated shared secret
+ Q^ECDHE is not equal to the zero point O_res. If this check
+ fails, the server MUST abort the handshake with
+ "handshake_failure" alert.
+
+ Step 7. The ECDHE shared secret is the byte representation of the
+ coordinate X^ECDHE of the point Q^ECDHE in the little-endian
+ format:
+
+ ECDHE = str_{coordinate_length}(X^ECDHE),
+
+ where the coordinate_length value is defined by the
+ particular elliptic curve (see Section 6.1.2).
+
+6.1.1.3. Public Ephemeral Key Representation
+
+ This section defines the representation format of the public
+ ephemeral keys generated during the ECDHE shared secret calculation
+ (see Sections 6.1.1.1 and 6.1.1.2).
+
+ If the TLS13_GOST profile is used and ECDHE or PSK with ECDHE key
+ exchange mode is used, the public ephemeral key Q indicated in the
+ KeyShareEntry.key_exchange field MUST contain the data defined by the
+ following structure:
+
+ struct {
+ opaque X[coordinate_length];
+ opaque Y[coordinate_length];
+ } PlainPointRepresentation;
+
+ where X and Y, respectively, contain the byte representations of x
+ and y values of the point Q (Q = (x, y)) in the little-endian format
+ and are specified as follows:
+
+ * X = str_{coordinate_length}(x);
+
+ * Y = str_{coordinate_length}(y).
+
+ The coordinate_length value is defined by the particular elliptic
+ curve (see Section 6.1.2).
+
+6.1.2. Values for the TLS Supported Groups Registry
+
+ The "supported_groups" extension is used to indicate the set of the
+ elliptic curves supported by an endpoint and is defined in
+ Section 4.2.7 of [RFC8446]. This extension is always contained in
+ the ClientHello message and optionally in the EncryptedExtensions
+ message.
+
+ This section defines the following seven elliptic curves:
+
+ enum {
+ GC256A(0x22), GC256B(0x23), GC256C(0x24), GC256D(0x25),
+ GC512A(0x26), GC512B(0x27), GC512C(0x28)
+ } NamedGroup;
+
+ If the TLS13_GOST profile is used and ECDHE or PSK with ECDHE key
+ exchange mode is used, one of the elliptic curves listed above SHOULD
+ be used.
+
+ Each curve corresponds to the particular identifier and specifies the
+ value of coordinate_length parameter (see "cl" column) as follows:
+
+ +===========+========================================+==+=========+
+ |Description| Curve Identifier Value |cl|Reference|
+ +===========+========================================+==+=========+
+ |GC256A | id-tc26-gost-3410-2012-256-paramSetA |32|RFC 7836 |
+ +-----------+----------------------------------------+--+---------+
+ |GC256B | id-GostR3410-2001-CryptoPro-A-ParamSet |32|RFC 4357 |
+ +-----------+----------------------------------------+--+---------+
+ |GC256C | id-GostR3410-2001-CryptoPro-B-ParamSet |32|RFC 4357 |
+ +-----------+----------------------------------------+--+---------+
+ |GC256D | id-GostR3410-2001-CryptoPro-C-ParamSet |32|RFC 4357 |
+ +-----------+----------------------------------------+--+---------+
+ |GC512A | id-tc26-gost-3410-12-512-paramSetA |64|RFC 7836 |
+ +-----------+----------------------------------------+--+---------+
+ |GC512B | id-tc26-gost-3410-12-512-paramSetB |64|RFC 7836 |
+ +-----------+----------------------------------------+--+---------+
+ |GC512C | id-tc26-gost-3410-2012-512-paramSetC |64|RFC 7836 |
+ +-----------+----------------------------------------+--+---------+
+
+ Table 5
+
+ Note: The identifier values and the corresponding elliptic curves are
+ the same as in [RFC9189].
+
+6.2. Authentication
+
+ In accordance with [RFC8446], authentication can be performed via a
+ signature with a certificate or via a symmetric PSK. The server side
+ is always authenticated; the client side is optionally authenticated.
+
+ PSK-based authentication is performed as a side effect of key
+ exchange. If the TLS13_GOST profile is used, external PSKs SHOULD be
+ combined only with mutual authentication (see Section 9).
+
+ Certificate-based authentication is performed via Authentication
+ messages and an optional CertificateRequest message (sent if client
+ authentication is required). If the TLS13_GOST profile is used, the
+ signature schemes used for certificate-based authentication are
+ defined in Section 5 and Authentication messages are specified in
+ Sections 6.3.3 and 6.3.4. The CertificateRequest message is
+ specified in Section 6.3.2.
+
+6.3. Handshake Messages
+
+ The TLS13_GOST profile specifies the ClientHello, ServerHello,
+ CertificateRequest, Certificate and CertificateVerify handshake
+ messages that are described in further detail below.
+
+6.3.1. Hello Messages
+
+ The ClientHello message is sent when the client first connects to the
+ server or responds to the HelloRetryRequest message and is specified
+ in accordance with Section 4.1.2 of [RFC8446].
+
+ If the TLS13_GOST profile is used, the ClientHello message MUST meet
+ the following requirements:
+
+ * The ClientHello.cipher_suites field MUST contain the values
+ defined in Section 4.
+
+ * If server authentication via a certificate is required, the
+ extension_data field of the "signature_algorithms" extension MUST
+ contain the values defined in Section 5 that correspond to the
+ GOST R 34.10-2012 signature algorithm.
+
+ * If server authentication via a certificate is required and the
+ client uses optional "signature_algorithms_cert" extension, the
+ extension_data field of this extension SHOULD contain the values
+ defined in Section 5 that correspond to the GOST R 34.10-2012
+ signature algorithm.
+
+ * If the client wants to establish a TLS 1.3 connection using the
+ ECDHE shared secret, the extension_data field of the
+ "supported_groups" extension MUST contain the elliptic curve
+ identifiers defined in Section 6.1.2.
+
+ The ServerHello message is sent by the server in response to the
+ ClientHello message to negotiate an acceptable set of handshake
+ parameters based on the ClientHello message and is specified in
+ accordance with Section 4.1.3 of [RFC8446].
+
+ If the TLS13_GOST profile is used, the ServerHello message MUST meet
+ the following requirements:
+
+ * The ServerHello.cipher_suite field MUST contain one of the values
+ defined in Section 4.
+
+ * If the server decides to establish a TLS 1.3 connection using the
+ ECDHE shared secret, the extension_data field of the "key_share"
+ extension MUST contain the elliptic curve identifier and the
+ public ephemeral key that satisfy the following conditions:
+
+ - The elliptic curve identifier corresponds to the value that was
+ indicated in the "supported_groups" and the "key_share"
+ extensions in the ClientHello message.
+
+ - The elliptic curve identifier is one of the values defined in
+ Section 6.1.2.
+
+ - The public ephemeral key corresponds to the elliptic curve
+ specified by the KeyShareEntry.group identifier.
+
+6.3.2. CertificateRequest
+
+ This message is sent when the server requests client authentication
+ via a certificate and is specified in accordance with Section 4.3.2
+ of [RFC8446].
+
+ If the TLS13_GOST profile is used, the CertificateRequest message
+ MUST meet the following requirements:
+
+ * The extension_data field of the "signature_algorithms" extension
+ MUST contain only the values defined in Section 5.
+
+ * If the server uses optional "signature_algorithms_cert" extension,
+ the extension_data field of this extension SHOULD contain only the
+ values defined in Section 5.
+
+6.3.3. Certificate
+
+ This message is sent to convey the endpoint's certificate chain to
+ the peer and is specified in accordance with Section 4.4.2 of
+ [RFC8446].
+
+ If the TLS13_GOST profile is used, the Certificate message MUST meet
+ the following requirements.
+
+ * Each endpoint's certificate provided to the peer MUST be signed
+ using the algorithm that corresponds to a signature scheme
+ indicated by the peer in its "signature_algorithms_cert"
+ extension, if present (or in the "signature_algorithms" extension,
+ otherwise).
+
+ * The signature algorithm used for signing certificates SHOULD
+ correspond to one of the signature schemes defined in Section 5.
+
+6.3.4. CertificateVerify
+
+ This message is sent to provide explicit proof that the endpoint has
+ the private key corresponding to the public key indicated in its
+ certificate and is specified in accordance with Section 4.4.3 of
+ [RFC8446].
+
+ If the TLS13_GOST profile is used, the CertificateVerify message MUST
+ meet the following requirements:
+
+ * The CertificateVerify.algorithm field MUST contain the signature
+ scheme identifier that corresponds to the value indicated in the
+ peer's "signature_algorithms" extension and is one of the values
+ defined in Section 5.
+
+ * The CertificateVerify.signature field contains the sgn value that
+ is computed as follows:
+
+ sgn = SIGN(d_sign, M),
+
+ where
+
+ - the SIGN function is defined in Section 5.3;
+
+ - d_sign is the sender's long-term private key that corresponds
+ to the sender's long-term public key Q_sign from the sender's
+ certificate;
+
+ - the message M is defined in accordance with Section 4.4.3 of
+ [RFC8446].
+
+7. IANA Considerations
+
+ IANA has added the following values to the "TLS Cipher Suites"
+ registry with a reference to this RFC:
+
+ +=====+=========================================+=======+===========+
+ |Value|Description |DTLS-OK|Recommended|
+ +=====+=========================================+=======+===========+
+ |0xC1,|TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L|N |N |
+ |0x03 | | | |
+ +-----+-----------------------------------------+-------+-----------+
+ |0xC1,|TLS_GOSTR341112_256_WITH_MAGMA_MGM_L |N |N |
+ |0x04 | | | |
+ +-----+-----------------------------------------+-------+-----------+
+ |0xC1,|TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S|N |N |
+ |0x05 | | | |
+ +-----+-----------------------------------------+-------+-----------+
+ |0xC1,|TLS_GOSTR341112_256_WITH_MAGMA_MGM_S |N |N |
+ |0x06 | | | |
+ +-----+-----------------------------------------+-------+-----------+
+
+ Table 6
+
+ IANA has added the following values to the "TLS SignatureScheme"
+ registry with a reference to this RFC:
+
+ +========+====================+=============+
+ | Value | Description | Recommended |
+ +========+====================+=============+
+ | 0x0709 | gostr34102012_256a | N |
+ +--------+--------------------+-------------+
+ | 0x070A | gostr34102012_256b | N |
+ +--------+--------------------+-------------+
+ | 0x070B | gostr34102012_256c | N |
+ +--------+--------------------+-------------+
+ | 0x070C | gostr34102012_256d | N |
+ +--------+--------------------+-------------+
+ | 0x070D | gostr34102012_512a | N |
+ +--------+--------------------+-------------+
+ | 0x070E | gostr34102012_512b | N |
+ +--------+--------------------+-------------+
+ | 0x070F | gostr34102012_512c | N |
+ +--------+--------------------+-------------+
+
+ Table 7
+
+8. Historical Considerations
+
+ In addition to the curve identifier values listed in Table 5, there
+ are some additional identifier values that correspond to the
+ signature schemes for historical reasons. They are as follows:
+
+ +====================+============================================+
+ | Description | Curve Identifier Value |
+ +====================+============================================+
+ | gostr34102012_256b | id-GostR3410-2001-CryptoPro-XchA-ParamSet, |
+ | | id-tc26-gost-3410-2012-256-paramSetB |
+ +--------------------+--------------------------------------------+
+ | gostr34102012_256c | id-tc26-gost-3410-2012-256-paramSetC |
+ +--------------------+--------------------------------------------+
+ | gostr34102012_256d | id-GostR3410-2001-CryptoPro-XchB-ParamSet, |
+ | | id-tc26-gost-3410-2012-256-paramSetD |
+ +--------------------+--------------------------------------------+
+
+ Table 8
+
+ The client should be prepared to handle any of them correctly if the
+ corresponding signature scheme is included in the
+ "signature_algorithms" or "signature_algorithms_cert" extensions.
+
+9. Security Considerations
+
+ In order to create an efficient and side-channel resistant
+ implementation while using the TLSTREE algorithm, the functions
+ KDF_j, j = 1, 2, 3, SHOULD be called only when necessary (when the
+ record sequence number seqnum reaches such a value that seqnum & C_j
+ != (seqnum - 1) & C_j). Otherwise, the previous value should be
+ used.
+
+10. References
+
+10.1. Normative References
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119,
+ DOI 10.17487/RFC2119, March 1997,
+ <https://www.rfc-editor.org/info/rfc2119>.
+
+ [RFC6986] Dolmatov, V., Ed. and A. Degtyarev, "GOST R 34.11-2012:
+ Hash Function", RFC 6986, DOI 10.17487/RFC6986, August
+ 2013, <https://www.rfc-editor.org/info/rfc6986>.
+
+ [RFC7091] Dolmatov, V., Ed. and A. Degtyarev, "GOST R 34.10-2012:
+ Digital Signature Algorithm", RFC 7091,
+ DOI 10.17487/RFC7091, December 2013,
+ <https://www.rfc-editor.org/info/rfc7091>.
+
+ [RFC7801] Dolmatov, V., Ed., "GOST R 34.12-2015: Block Cipher
+ "Kuznyechik"", RFC 7801, DOI 10.17487/RFC7801, March 2016,
+ <https://www.rfc-editor.org/info/rfc7801>.
+
+ [RFC7836] Smyshlyaev, S., Ed., Alekseev, E., Oshkin, I., Popov, V.,
+ Leontiev, S., Podobaev, V., and D. Belyavsky, "Guidelines
+ on the Cryptographic Algorithms to Accompany the Usage of
+ Standards GOST R 34.10-2012 and GOST R 34.11-2012",
+ RFC 7836, DOI 10.17487/RFC7836, March 2016,
+ <https://www.rfc-editor.org/info/rfc7836>.
+
+ [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
+ 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
+ May 2017, <https://www.rfc-editor.org/info/rfc8174>.
+
+ [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol
+ Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
+ <https://www.rfc-editor.org/info/rfc8446>.
+
+ [RFC8645] Smyshlyaev, S., Ed., "Re-keying Mechanisms for Symmetric
+ Keys", RFC 8645, DOI 10.17487/RFC8645, August 2019,
+ <https://www.rfc-editor.org/info/rfc8645>.
+
+ [RFC8891] Dolmatov, V., Ed. and D. Baryshkov, "GOST R 34.12-2015:
+ Block Cipher "Magma"", RFC 8891, DOI 10.17487/RFC8891,
+ September 2020, <https://www.rfc-editor.org/info/rfc8891>.
+
+ [RFC9058] Smyshlyaev, S., Ed., Nozdrunov, V., Shishkin, V., and E.
+ Griboedova, "Multilinear Galois Mode (MGM)", RFC 9058,
+ DOI 10.17487/RFC9058, June 2021,
+ <https://www.rfc-editor.org/info/rfc9058>.
+
+ [RFC9189] Smyshlyaev, S., Ed., Belyavsky, D., and E. Alekseev, "GOST
+ Cipher Suites for Transport Layer Security (TLS) Protocol
+ Version 1.2", RFC 9189, DOI 10.17487/RFC9189, March 2022,
+ <https://www.rfc-editor.org/info/rfc9189>.
+
+10.2. Informative References
+
+ [RFC8446BIS]
+ Rescorla, E., "The Transport Layer Security (TLS) Protocol
+ Version 1.3", Work in Progress, Internet-Draft, draft-
+ ietf-tls-rfc8446bis-05, 24 October 2022,
+ <https://datatracker.ietf.org/doc/html/draft-ietf-tls-
+ rfc8446bis-05>.
+
+Appendix A. Test Examples
+
+A.1. Example 1
+
+A.1.1. Test Case
+
+ Test examples are given for the following instance of the TLS13_GOST
+ profile:
+
+ 1. Full TLS Handshake is used.
+
+ 2. ECDHE key exchange mode is used. The elliptic curve GC512C is
+ used for ECDHE shared secret calculation.
+
+ 3. Authentication is only used on the server side. The signature
+ scheme gost34102012_256b is used.
+
+ 4. TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S cipher suite is
+ negotiated.
+
+ 5. Application Data is sent by the server prior to receiving the
+ Finished message from the client.
+
+ 6. NewSessionTicket is sent after establishing a secure connection.
+
+ 7. Nine Application Data records are sent during the operation of
+ the Record protocol. The sequence numbers are selected to
+ demonstrate the operation of the TLSTREE function.
+
+ 8. Alert protocol is used for closure of the connection.
+
+A.1.2. Test Examples
+
+ ---------------------------Client---------------------------
+
+ ClientHello message:
+ msg_type: 01
+ length: 0000DE
+ body:
+ legacy_version: 0303
+ random: 03030303030303030303030303030303
+ 03030303030303030303030303030303
+ legacy_session_id:
+ length: 00
+ vector: --
+ cipher_suites:
+ length: 0002
+ vector:
+ CipherSuite: C105
+ compression_methods:
+ length: 01
+ vector:
+ CompressionMethod: 00
+ extensions:
+ length: 00B3
+ vector:
+ Extension: /* supported_groups */
+ extension_type: 000A
+ extension_data:
+ length: 0004
+ vector:
+ named_group_list:
+ length: 0002
+ vector:
+ /* GC512C */
+ 0028
+ Extension: /* signature_algorithms */
+ extension_type: 000D
+ extension_data:
+ length: 0010
+ vector:
+ supported_signature_algorithms:
+ length: 000E
+ vector:
+ /* gost34102012256a */
+ 0709
+ /* gost34102012256b */
+ 070A
+ /* gost34102012256c */
+ 070B
+ /* gost34102012256d */
+ 070C
+ /* gost34102012512a */
+ 070D
+ /* gost34102012512b */
+ 070E
+ /* gost34102012512c */
+ 070F
+ Extension: /* supported_versions */
+ extension_type: 002B
+ extension_data:
+ length: 0003
+ vector:
+ versions:
+ length: 02
+ vector:
+ 0304
+ Extension: /* psk_key_exchange_modes */
+ extension_type: 002D
+ extension_data:
+ length: 0002
+ vector:
+ ke_modes:
+ length: 01
+ vector:
+ /* psk_ke */
+ 00
+ Extension: /* key_share */
+ extension_type: 0033
+ extension_data:
+ length: 0086
+ vector:
+ length: 0084
+ vector:
+ group: 0028
+ key_exchange:
+ length: 0080
+ vector:
+ 05EEBDF3DDC1D2F5F3822433241284E7
+ 7641487938EA88721F26203E9792B5CB
+ 97EB70EF02E8F72B7491D4F2CFDC332A
+ DF7F1778E854A88DDC2113FEC527A151
+ 71A04CB0C573793A7AEF9BBCA486B6B0
+ 46B2149B46F4332903E5B7C438ADD05E
+ 185EFBF45557475A8CCBF6ACED1A2EB4
+ 16F916729D7CEF9CBD8334989304AFAE
+
+ 0000: 01 00 00 DE 03 03 03 03 03 03 03 03 03 03 03 03
+ 0010: 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03
+ 0020: 03 03 03 03 03 03 00 00 02 C1 05 01 00 00 B3 00
+ 0030: 0A 00 04 00 02 00 28 00 0D 00 10 00 0E 07 09 07
+ 0040: 0A 07 0B 07 0C 07 0D 07 0E 07 0F 00 2B 00 03 02
+ 0050: 03 04 00 2D 00 02 01 00 00 33 00 86 00 84 00 28
+ 0060: 00 80 05 EE BD F3 DD C1 D2 F5 F3 82 24 33 24 12
+ 0070: 84 E7 76 41 48 79 38 EA 88 72 1F 26 20 3E 97 92
+ 0080: B5 CB 97 EB 70 EF 02 E8 F7 2B 74 91 D4 F2 CF DC
+ 0090: 33 2A DF 7F 17 78 E8 54 A8 8D DC 21 13 FE C5 27
+ 00A0: A1 51 71 A0 4C B0 C5 73 79 3A 7A EF 9B BC A4 86
+ 00B0: B6 B0 46 B2 14 9B 46 F4 33 29 03 E5 B7 C4 38 AD
+ 00C0: D0 5E 18 5E FB F4 55 57 47 5A 8C CB F6 AC ED 1A
+ 00D0: 2E B4 16 F9 16 72 9D 7C EF 9C BD 83 34 98 93 04
+ 00E0: AF AE
+
+ Record layer message:
+ type: 16
+ legacy_record_version: 0301
+ length: 00E2
+ fragment: 010000DE030303030303030303030303
+ 03030303030303030303030303030303
+ 030303030303000002C105010000B300
+ 0A000400020028000D0010000E070907
+ 0A070B070C070D070E070F002B000302
+ 0304002D000201000033008600840028
+ 008005EEBDF3DDC1D2F5F38224332412
+ 84E77641487938EA88721F26203E9792
+ B5CB97EB70EF02E8F72B7491D4F2CFDC
+ 332ADF7F1778E854A88DDC2113FEC527
+ A15171A04CB0C573793A7AEF9BBCA486
+ B6B046B2149B46F4332903E5B7C438AD
+ D05E185EFBF45557475A8CCBF6ACED1A
+ 2EB416F916729D7CEF9CBD8334989304
+ AFAE
+
+ 00000: 16 03 01 00 E2 01 00 00 DE 03 03 03 03 03 03 03
+ 00010: 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03 03
+ 00020: 03 03 03 03 03 03 03 03 03 03 03 00 00 02 C1 05
+ 00030: 01 00 00 B3 00 0A 00 04 00 02 00 28 00 0D 00 10
+ 00040: 00 0E 07 09 07 0A 07 0B 07 0C 07 0D 07 0E 07 0F
+ 00050: 00 2B 00 03 02 03 04 00 2D 00 02 01 00 00 33 00
+ 00060: 86 00 84 00 28 00 80 05 EE BD F3 DD C1 D2 F5 F3
+ 00070: 82 24 33 24 12 84 E7 76 41 48 79 38 EA 88 72 1F
+ 00080: 26 20 3E 97 92 B5 CB 97 EB 70 EF 02 E8 F7 2B 74
+ 00090: 91 D4 F2 CF DC 33 2A DF 7F 17 78 E8 54 A8 8D DC
+ 000A0: 21 13 FE C5 27 A1 51 71 A0 4C B0 C5 73 79 3A 7A
+ 000B0: EF 9B BC A4 86 B6 B0 46 B2 14 9B 46 F4 33 29 03
+ 000D0: E5 B7 C4 38 AD D0 5E 18 5E FB F4 55 57 47 5A 8C
+ 000E0: CB F6 AC ED 1A 2E B4 16 F9 16 72 9D 7C EF 9C BD
+ 000F0: 83 34 98 93 04 AF AE
+
+ ---------------------------Server---------------------------
+
+ ServerHello message:
+ msg_type: 02
+ length: 0000B6
+ body:
+ legacy_version: 0303
+ random: 83838383838383838383838383838383
+ 83838383838383838383838383838383
+
+ legacy_session_id:
+ length: 00
+ vector: --
+ cipher_suite:
+ CipherSuite: C105
+ compression_method:
+ CompressionMethod: 00
+ extensions:
+ length: 008E
+ vector:
+ Extension: /* supported_versions */
+ extension_type: 002B
+ extension_data:
+ length: 0002
+ vector:
+ selected_version:
+ 0304
+ Extension: /* key_share */
+ extension_type: 0033
+ extension_data:
+ length: 0084
+ vector:
+ group: 0028
+ key_exchange:
+ length: 0080
+ vector:
+ 2F3C663FE74735A1C421160DF0F43266
+ 185FD30B6E5D6E88FC4061FAEACAB338
+ B10A1BD20CB0B4EE757E74A0027D409F
+ E937F01633A1E3F9A5518DEFD0F89F9D
+ 3D9F6CC651413DEC2C74366D83C47EE1
+ DE4E421F65CD1163E94EA0C2E19ED45D
+ 35558B937D9BFDC5ECC2B2A21B4EC3D5
+ 3B29579A8FD5E074811028FBCF17994F
+
+ 00000: 02 00 00 B6 03 03 83 83 83 83 83 83 83 83 83 83
+ 00010: 83 83 83 83 83 83 83 83 83 83 83 83 83 83 83 83
+ 00020: 83 83 83 83 83 83 00 C1 05 00 00 8E 00 2B 00 02
+ 00030: 03 04 00 33 00 84 00 28 00 80 2F 3C 66 3F E7 47
+ 00040: 35 A1 C4 21 16 0D F0 F4 32 66 18 5F D3 0B 6E 5D
+ 00050: 6E 88 FC 40 61 FA EA CA B3 38 B1 0A 1B D2 0C B0
+ 00060: B4 EE 75 7E 74 A0 02 7D 40 9F E9 37 F0 16 33 A1
+ 00070: E3 F9 A5 51 8D EF D0 F8 9F 9D 3D 9F 6C C6 51 41
+ 00080: 3D EC 2C 74 36 6D 83 C4 7E E1 DE 4E 42 1F 65 CD
+ 00090: 11 63 E9 4E A0 C2 E1 9E D4 5D 35 55 8B 93 7D 9B
+ 000A0: FD C5 EC C2 B2 A2 1B 4E C3 D5 3B 29 57 9A 8F D5
+ 000B0: E0 74 81 10 28 FB CF 17 99 4F
+
+ Record layer message:
+ type: 16
+ legacy_record_version: 0303
+ length: 00BA
+ fragment: 020000B6030383838383838383838383
+ 83838383838383838383838383838383
+ 83838383838300C10500008E002B0002
+ 030400330084002800802F3C663FE747
+ 35A1C421160DF0F43266185FD30B6E5D
+ 6E88FC4061FAEACAB338B10A1BD20CB0
+ B4EE757E74A0027D409FE937F01633A1
+ E3F9A5518DEFD0F89F9D3D9F6CC65141
+ 3DEC2C74366D83C47EE1DE4E421F65CD
+ 1163E94EA0C2E19ED45D35558B937D9B
+ FDC5ECC2B2A21B4EC3D53B29579A8FD5
+ E074811028FBCF17994F
+
+ 00000: 16 03 03 00 BA 02 00 00 B6 03 03 83 83 83 83 83
+ 00010: 83 83 83 83 83 83 83 83 83 83 83 83 83 83 83 83
+ 00020: 83 83 83 83 83 83 83 83 83 83 83 00 C1 05 00 00
+ 00030: 8E 00 2B 00 02 03 04 00 33 00 84 00 28 00 80 2F
+ 00040: 3C 66 3F E7 47 35 A1 C4 21 16 0D F0 F4 32 66 18
+ 00050: 5F D3 0B 6E 5D 6E 88 FC 40 61 FA EA CA B3 38 B1
+ 00060: 0A 1B D2 0C B0 B4 EE 75 7E 74 A0 02 7D 40 9F E9
+ 00070: 37 F0 16 33 A1 E3 F9 A5 51 8D EF D0 F8 9F 9D 3D
+ 00080: 9F 6C C6 51 41 3D EC 2C 74 36 6D 83 C4 7E E1 DE
+ 00090: 4E 42 1F 65 CD 11 63 E9 4E A0 C2 E1 9E D4 5D 35
+ 000A0: 55 8B 93 7D 9B FD C5 EC C2 B2 A2 1B 4E C3 D5 3B
+ 000B0: 29 57 9A 8F D5 E0 74 81 10 28 FB CF 17 99 4F
+
+ ---------------------------Client---------------------------
+
+ d_C^res:
+ 00000: 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04
+ 00010: 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04
+ 00020: 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04
+ 00030: 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04 04
+
+ Q_S^res:
+ 00000: 2F 3C 66 3F E7 47 35 A1 C4 21 16 0D F0 F4 32 66
+ 00010: 18 5F D3 0B 6E 5D 6E 88 FC 40 61 FA EA CA B3 38
+ 00020: B1 0A 1B D2 0C B0 B4 EE 75 7E 74 A0 02 7D 40 9F
+ 00030: E9 37 F0 16 33 A1 E3 F9 A5 51 8D EF D0 F8 9F 9D
+ 00040: 3D 9F 6C C6 51 41 3D EC 2C 74 36 6D 83 C4 7E E1
+ 00050: DE 4E 42 1F 65 CD 11 63 E9 4E A0 C2 E1 9E D4 5D
+ 00060: 35 55 8B 93 7D 9B FD C5 EC C2 B2 A2 1B 4E C3 D5
+ 00070: 3B 29 57 9A 8F D5 E0 74 81 10 28 FB CF 17 99 4F
+
+ ECDHE:
+ 00000: 4D E6 0D 21 EA 8F B9 22 0D 14 64 23 B4 90 DA 40
+ 00010: CC EB C4 3B C5 89 DB 79 B8 31 A4 7D 6B 06 30 07
+ 00020: DD 03 40 5A 1B 79 76 B6 23 DC AA 69 B0 11 AE 10
+ 00030: 6E 7E 41 74 38 5F 86 26 E1 21 B5 99 43 63 C9 9F
+
+ ---------------------------Server---------------------------
+
+ d_S^res:
+ 00000: AA 3C A4 F4 A5 0A C0 5B 37 42 B1 35 B5 30 A9 F2
+ 00010: 2A E4 F5 E1 85 30 1D EC 83 2E 77 BA 3B CD 6A F1
+ 00020: 84 84 84 84 84 84 84 84 84 84 84 84 84 84 84 84
+ 00030: 84 84 84 84 84 84 84 84 84 84 84 84 84 84 84 04
+
+ Q_C^res:
+ 00000: 05 EE BD F3 DD C1 D2 F5 F3 82 24 33 24 12 84 E7
+ 00010: 76 41 48 79 38 EA 88 72 1F 26 20 3E 97 92 B5 CB
+ 00020: 97 EB 70 EF 02 E8 F7 2B 74 91 D4 F2 CF DC 33 2A
+ 00030: DF 7F 17 78 E8 54 A8 8D DC 21 13 FE C5 27 A1 51
+ 00040: 71 A0 4C B0 C5 73 79 3A 7A EF 9B BC A4 86 B6 B0
+ 00050: 46 B2 14 9B 46 F4 33 29 03 E5 B7 C4 38 AD D0 5E
+ 00060: 18 5E FB F4 55 57 47 5A 8C CB F6 AC ED 1A 2E B4
+ 00070: 16 F9 16 72 9D 7C EF 9C BD 83 34 98 93 04 AF AE
+
+ ECDHE:
+ 00000: 4D E6 0D 21 EA 8F B9 22 0D 14 64 23 B4 90 DA 40
+ 00010: CC EB C4 3B C5 89 DB 79 B8 31 A4 7D 6B 06 30 07
+ 00020: DD 03 40 5A 1B 79 76 B6 23 DC AA 69 B0 11 AE 10
+ 00030: 6E 7E 41 74 38 5F 86 26 E1 21 B5 99 43 63 C9 9F
+
+ ---------------------------Server---------------------------
+
+ EncryptedExtensions message:
+ msg_type: 08
+ length: 000002
+ body:
+ extensions:
+ length: 0000
+ vector: --
+
+ 00000: 08 00 00 02 00 00
+
+ Record payload protection:
+
+ EarlySecret = HKDF-Extract(Salt: 0^256, IKM: 0^256):
+ 00000: FB DE FB E5 27 FE EA 66 5A AB 92 77 A2 16 3B 83
+ 00010: 43 08 4F D1 91 C4 60 66 26 0F AC 6F D1 43 6C 72
+
+ Derived #0 = Derive-Secret(EarlySecret, "derived", "") =
+ HKDF-Expand-Label(EarlySecret, "derived", "", 32):
+ 00000: DB C3 C8 26 D8 77 A3 B7 D2 D2 45 3D BF DC 6C FB
+ 00010: FB 11 51 B3 E8 4F 0C 8F 26 01 1D 8D 5B F3 ED F7
+
+ HandshakeSecret = HKDF-Extract(Salt: Derived #0, IKM: ECDHE):
+ 00000: 44 24 5E 2C 43 32 D1 F7 8B 0F 8D 16 F4 03 EB 69
+ 00010: ED 2A 40 53 84 7C DC 39 FA 8B 3D 29 74 F7 45 E7
+
+ HM1 = (ClientHello, ServerHello)
+
+ TH1 = Transcript-Hash(HM1):
+ 00000: 99 3B A7 22 12 4A F3 CB FD 47 71 E7 FA E3 2A C1
+ 00010: D0 E9 27 8C F7 84 3F CB C6 20 E1 A0 08 5A 87 A1
+
+ server_handshake_traffic_secret (SHTS):
+ SHTS = Derive-Secret(HandshakeSecret, "s hs traffic", HM1) =
+ HKDF-Expand-Label(HandshakeSecret, "s hs traffic", TH1, 32):
+ 00000: 70 A5 F2 46 3D F6 0D BA A2 36 8B 67 FD 45 AE FF
+ 00010: 7C 1A 0B A4 2D 8A BD 72 41 5E CD 1D 94 E9 EF 54
+
+ server_write_key_hs = HKDF-Expand-Label(SHTS, "key", "", 32):
+ 00000: E1 37 64 B5 4B 9E 1B 47 D4 33 98 D6 D2 16 DF 24
+ 00010: C2 89 A3 96 AB 6C 5B 52 4B BB 9C 06 F3 9F EF 01
+
+ server_write_iv_hs = HKDF-Expand-Label(SHTS, "iv", "", 16):
+ 00000: 69 69 FF AA A4 52 52 81 EE BB EB 4C BD 0B 64 0E
+
+ server_record_write_key = TLSTREE(server_write_key_hs, 0):
+ 00000: 56 EE 18 13 72 72 49 C9 DC DF 35 13 78 7E DB 93
+ 00010: DF 62 C6 1E E7 B1 26 C5 0F 26 C0 AA AF AE 00 E1
+
+ seqnum:
+ 00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+
+ nonce:
+ 00000: 69 69 FF AA A4 52 52 81 EE BB EB 4C BD 0B 64 0E
+
+ additional_data:
+ 00000: 17 03 03 00 17
+
+ TLSInnerPlaintext:
+ 00000: 08 00 00 02 00 00 16
+
+ TLSCiphertext:
+ 00000: 17 03 03 00 17 94 0E 5D 2C 75 3A E5 FE BD 20 01
+ 00010: 2C C9 E3 EB 24 A3 79 84 1E 02 AB BE
+
+ Record layer message:
+ type: 17
+ legacy_record_version: 0303
+ length: 0017
+ encrypted_record: 940E5D2C753AE5FEBD20012CC9E3EB24
+ A379841E02ABBE
+
+ 00000: 17 03 03 00 17 94 0E 5D 2C 75 3A E5 FE BD 20 01
+ 00010: 2C C9 E3 EB 24 A3 79 84 1E 02 AB BE
+
+ ---------------------------Server---------------------------
+
+ Certificate message:
+ msg_type: 0B
+ length: 000151
+ body:
+ certificate_request_context:
+ length: 00
+ vector: --
+ certificate_list:
+ length: 00014D
+ vector:
+ ASN.1Cert:
+ length: 000148
+ vector: 308201443081F2A00302010202023039
+ 300A06082A85030701010302301B3119
+ 301706035504031310676F73742E6578
+ 616D706C652E636F6D301E170D323030
+ 3232383131303833375A170D33303032
+ 32353131303833375A301B3119301706
+ 035504031310676F73742E6578616D70
+ 6C652E636F6D305E301706082A850307
+ 01010101300B06092A85030701020101
+ 020343000440F383CEE83048B4EB14C7
+ 1A7F6DE44A37CE11A6AC1750F1CFB8DA
+ D8A38CCDD8FD06656F7CFC075F4083C3
+ 716221478F1EE24C6B1B70CCE3C72AFD
+ 2ACE65C775BCA321301F301D0603551D
+ 0E04160414F330FA7166DF095AF3A073
+ BC3B8EA356D7DFAC71300A06082A8503
+ 0701010302034100AB2EDA23F49B4862
+ 3B0CFF5906B7DD3C23B473570B296A08
+ 71DD15EF9A33201B97904A5CFA6C931C
+ 5473DC0C5A5F2FBB2E50CF587AE27C4D
+ 8E52EB80189DD08B
+ extensions:
+ length: 0000
+ vector: --
+
+ 00000: 0B 00 01 51 00 00 01 4D 00 01 48 30 82 01 44 30
+ 00010: 81 F2 A0 03 02 01 02 02 02 30 39 30 0A 06 08 2A
+ 00020: 85 03 07 01 01 03 02 30 1B 31 19 30 17 06 03 55
+ 00030: 04 03 13 10 67 6F 73 74 2E 65 78 61 6D 70 6C 65
+ 00040: 2E 63 6F 6D 30 1E 17 0D 32 30 30 32 32 38 31 31
+ 00050: 30 38 33 37 5A 17 0D 33 30 30 32 32 35 31 31 30
+ 00060: 38 33 37 5A 30 1B 31 19 30 17 06 03 55 04 03 13
+ 00070: 10 67 6F 73 74 2E 65 78 61 6D 70 6C 65 2E 63 6F
+ 00080: 6D 30 5E 30 17 06 08 2A 85 03 07 01 01 01 01 30
+ 00090: 0B 06 09 2A 85 03 07 01 02 01 01 02 03 43 00 04
+ 000A0: 40 F3 83 CE E8 30 48 B4 EB 14 C7 1A 7F 6D E4 4A
+ 000B0: 37 CE 11 A6 AC 17 50 F1 CF B8 DA D8 A3 8C CD D8
+ 000C0: FD 06 65 6F 7C FC 07 5F 40 83 C3 71 62 21 47 8F
+ 000D0: 1E E2 4C 6B 1B 70 CC E3 C7 2A FD 2A CE 65 C7 75
+ 000E0: BC A3 21 30 1F 30 1D 06 03 55 1D 0E 04 16 04 14
+ 000F0: F3 30 FA 71 66 DF 09 5A F3 A0 73 BC 3B 8E A3 56
+ 00100: D7 DF AC 71 30 0A 06 08 2A 85 03 07 01 01 03 02
+ 00110: 03 41 00 AB 2E DA 23 F4 9B 48 62 3B 0C FF 59 06
+ 00120: B7 DD 3C 23 B4 73 57 0B 29 6A 08 71 DD 15 EF 9A
+ 00130: 33 20 1B 97 90 4A 5C FA 6C 93 1C 54 73 DC 0C 5A
+ 00140: 5F 2F BB 2E 50 CF 58 7A E2 7C 4D 8E 52 EB 80 18
+ 00150: 9D D0 8B 00 00
+
+ Record payload protection:
+
+ server_record_write_key = TLSTREE(server_write_key_hs, 1):
+ 00000: 56 EE 18 13 72 72 49 C9 DC DF 35 13 78 7E DB 93
+ 00010: DF 62 C6 1E E7 B1 26 C5 0F 26 C0 AA AF AE 00 E1
+
+ seqnum:
+ 00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01
+
+ nonce:
+ 00000: 69 69 FF AA A4 52 52 81 EE BB EB 4C BD 0B 64 0F
+
+ additional_data:
+ 00000: 17 03 03 01 66
+
+ TLSInnerPlaintext:
+ 00000: 0B 00 01 51 00 00 01 4D 00 01 48 30 82 01 44 30
+ 00010: 81 F2 A0 03 02 01 02 02 02 30 39 30 0A 06 08 2A
+ 00020: 85 03 07 01 01 03 02 30 1B 31 19 30 17 06 03 55
+ 00030: 04 03 13 10 67 6F 73 74 2E 65 78 61 6D 70 6C 65
+ 00040: 2E 63 6F 6D 30 1E 17 0D 32 30 30 32 32 38 31 31
+ 00050: 30 38 33 37 5A 17 0D 33 30 30 32 32 35 31 31 30
+ 00060: 38 33 37 5A 30 1B 31 19 30 17 06 03 55 04 03 13
+ 00070: 10 67 6F 73 74 2E 65 78 61 6D 70 6C 65 2E 63 6F
+ 00080: 6D 30 5E 30 17 06 08 2A 85 03 07 01 01 01 01 30
+ 00090: 0B 06 09 2A 85 03 07 01 02 01 01 02 03 43 00 04
+ 000A0: 40 F3 83 CE E8 30 48 B4 EB 14 C7 1A 7F 6D E4 4A
+ 000B0: 37 CE 11 A6 AC 17 50 F1 CF B8 DA D8 A3 8C CD D8
+ 000C0: FD 06 65 6F 7C FC 07 5F 40 83 C3 71 62 21 47 8F
+ 000D0: 1E E2 4C 6B 1B 70 CC E3 C7 2A FD 2A CE 65 C7 75
+ 000E0: BC A3 21 30 1F 30 1D 06 03 55 1D 0E 04 16 04 14
+ 000F0: F3 30 FA 71 66 DF 09 5A F3 A0 73 BC 3B 8E A3 56
+ 00100: D7 DF AC 71 30 0A 06 08 2A 85 03 07 01 01 03 02
+ 00110: 03 41 00 AB 2E DA 23 F4 9B 48 62 3B 0C FF 59 06
+ 00120: B7 DD 3C 23 B4 73 57 0B 29 6A 08 71 DD 15 EF 9A
+ 00130: 33 20 1B 97 90 4A 5C FA 6C 93 1C 54 73 DC 0C 5A
+ 00140: 5F 2F BB 2E 50 CF 58 7A E2 7C 4D 8E 52 EB 80 18
+ 00150: 9D D0 8B 00 00 16
+
+ Record layer message:
+ type: 17
+ legacy_record_version: 0303
+ length: 0166
+ encrypted_record: F57944FE9A599A76E7FE9C26E3FCE5BB
+ AC4DDCF68EF2E77624E33E80B6743E39
+ 10502EE419A219B3BB6A1712D15458BB
+ 897D3DAC7A48769945C89237DFB86620
+ CC31C456B4374B075905E42AB5333742
+ 3463819982DC6D76A067C4FD83BD3E47
+ 9CD9B7FD2926A5A63B1E88B1525DB976
+ C7F409190F955AE9F0AC5F976A471F23
+ 675DEB9B24E162D24F494ECDC483A070
+ 7129F3BD17D0FAC4944F2B3BF140D616
+ D654709297495B23898893B211505856
+ EEC1A96BC4DCF78A016798E5500D662C
+ 54A74BDF6A7F300AC9B72299B4F15F6F
+ 449F396CE1D0C9243CBC1C86BECD5CAB
+ BFDF50197B7AFF4BE903D7E3311B729B
+ C32D09D2D0DCE06622985AE037DC2F87
+ CB0C492F2D5106B259CC86E227CC8338
+ C1DF6C63576B17DB9655FD255F156E1F
+ 4F767FAFB74471731E4225256818DE94
+ 64218263D7CF7B87EB5222E76DE6C951
+ E462CCCCC53E06387BB4FEDEFD34B9C1
+ 3AB4EE3D49057CD2672F852A5F692408
+ 29B92341CDC9
+
+ TLSCiphertext:
+ 00000: 17 03 03 01 66 F5 79 44 FE 9A 59 9A 76 E7 FE 9C
+ 00010: 26 E3 FC E5 BB AC 4D DC F6 8E F2 E7 76 24 E3 3E
+ 00020: 80 B6 74 3E 39 10 50 2E E4 19 A2 19 B3 BB 6A 17
+ 00030: 12 D1 54 58 BB 89 7D 3D AC 7A 48 76 99 45 C8 92
+ 00040: 37 DF B8 66 20 CC 31 C4 56 B4 37 4B 07 59 05 E4
+ 00050: 2A B5 33 37 42 34 63 81 99 82 DC 6D 76 A0 67 C4
+ 00060: FD 83 BD 3E 47 9C D9 B7 FD 29 26 A5 A6 3B 1E 88
+ 00070: B1 52 5D B9 76 C7 F4 09 19 0F 95 5A E9 F0 AC 5F
+ 00080: 97 6A 47 1F 23 67 5D EB 9B 24 E1 62 D2 4F 49 4E
+ 00090: CD C4 83 A0 70 71 29 F3 BD 17 D0 FA C4 94 4F 2B
+ 000A0: 3B F1 40 D6 16 D6 54 70 92 97 49 5B 23 89 88 93
+ 000B0: B2 11 50 58 56 EE C1 A9 6B C4 DC F7 8A 01 67 98
+ 000C0: E5 50 0D 66 2C 54 A7 4B DF 6A 7F 30 0A C9 B7 22
+ 000D0: 99 B4 F1 5F 6F 44 9F 39 6C E1 D0 C9 24 3C BC 1C
+ 000E0: 86 BE CD 5C AB BF DF 50 19 7B 7A FF 4B E9 03 D7
+ 000F0: E3 31 1B 72 9B C3 2D 09 D2 D0 DC E0 66 22 98 5A
+ 00100: E0 37 DC 2F 87 CB 0C 49 2F 2D 51 06 B2 59 CC 86
+ 00110: E2 27 CC 83 38 C1 DF 6C 63 57 6B 17 DB 96 55 FD
+ 00120: 25 5F 15 6E 1F 4F 76 7F AF B7 44 71 73 1E 42 25
+ 00130: 25 68 18 DE 94 64 21 82 63 D7 CF 7B 87 EB 52 22
+ 00140: E7 6D E6 C9 51 E4 62 CC CC C5 3E 06 38 7B B4 FE
+ 00150: DE FD 34 B9 C1 3A B4 EE 3D 49 05 7C D2 67 2F 85
+ 00160: 2A 5F 69 24 08 29 B9 23 41 CD C9
+
+ ---------------------------Server---------------------------
+
+ HMCertificateVerify = (ClientHello, ServerHello,
+ EncryptedExtensions, Certificate)
+
+ Transcript-Hash(HMCertificateVerify):
+ 00000: E0 CC 4B C1 4B EC 5D 13 19 2C DC 66 22 B4 FD A9
+ 00010: 67 6A 1B 50 E4 56 83 0B B5 F0 7E 01 21 22 73 06
+
+ k (random for signature algorithm):
+ 00000: 85 85 85 85 85 85 85 85 85 85 85 85 85 85 85 85
+ 00010: 85 85 85 85 85 85 85 85 85 85 85 85 85 85 85 85
+
+ sgn:
+ 00000: A0 AA 13 91 5C 5B 80 C6 02 E2 FD 85 80 4F 99 2C
+ 00010: 77 15 97 AD 37 85 7A D6 BC 2A 9D 7B C5 FE BE C3
+ 00020: 7C 72 94 BA A2 3C F6 9D 03 E4 71 0B D7 08 13 FD
+ 00030: AC 59 6B C1 58 E7 56 BD 37 1C 44 2E 95 22 DE 87
+
+ CertificateVerify message:
+ msg_type: 0F
+ length: 000044
+ body:
+ algorithm: 070A
+ signature:
+ length: 0040
+ vector:
+ A0AA13915C5B80C602E2FD85804F992C
+ 771597AD37857AD6BC2A9D7BC5FEBEC3
+ 7C7294BAA23CF69D03E4710BD70813FD
+ AC596BC158E756BD371C442E9522DE87
+
+ 00000: 0F 00 00 44 07 0A 00 40 A0 AA 13 91 5C 5B 80 C6
+ 00010: 02 E2 FD 85 80 4F 99 2C 77 15 97 AD 37 85 7A D6
+ 00020: BC 2A 9D 7B C5 FE BE C3 7C 72 94 BA A2 3C F6 9D
+ 00030: 03 E4 71 0B D7 08 13 FD AC 59 6B C1 58 E7 56 BD
+ 00040: 37 1C 44 2E 95 22 DE 87
+
+ Record payload protection:
+
+ server_record_write_key = TLSTREE(server_write_key_hs, 2):
+ 00000: 56 EE 18 13 72 72 49 C9 DC DF 35 13 78 7E DB 93
+ 00010: DF 62 C6 1E E7 B1 26 C5 0F 26 C0 AA AF AE 00 E1
+
+ seqnum:
+ 00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02
+
+ nonce:
+ 00000: 69 69 FF AA A4 52 52 81 EE BB EB 4C BD 0B 64 0C
+
+ additional_data:
+ 00000: 17 03 03 00 59
+
+ TLSInnerPlaintext:
+ 00000: 0F 00 00 44 07 0A 00 40 A0 AA 13 91 5C 5B 80 C6
+ 00010: 02 E2 FD 85 80 4F 99 2C 77 15 97 AD 37 85 7A D6
+ 00020: BC 2A 9D 7B C5 FE BE C3 7C 72 94 BA A2 3C F6 9D
+ 00030: 03 E4 71 0B D7 08 13 FD AC 59 6B C1 58 E7 56 BD
+ 00040: 37 1C 44 2E 95 22 DE 87 16
+
+ Record layer message:
+ type: 17
+ legacy_record_version: 0303
+ length: 0059
+ encrypted_record: 52631D5BFDF48254BDFB5F9E02A6A527
+ 0163BCE1E0D818E8D74176535C6CDD25
+ 2DE065AE77984A65ADBA036D59CF45B9
+ A0047BABCCD0B28044D34BCFD09E6E46
+ 27044B26FE5CA734FCB08607146F41A8
+ 71C3F95384B48ADABC
+
+ TLSCiphertext:
+ 00000: 17 03 03 00 59 52 63 1D 5B FD F4 82 54 BD FB 5F
+ 00010: 9E 02 A6 A5 27 01 63 BC E1 E0 D8 18 E8 D7 41 76
+ 00020: 53 5C 6C DD 25 2D E0 65 AE 77 98 4A 65 AD BA 03
+ 00030: 6D 59 CF 45 B9 A0 04 7B AB CC D0 B2 80 44 D3 4B
+ 00040: CF D0 9E 6E 46 27 04 4B 26 FE 5C A7 34 FC B0 86
+ 00050: 07 14 6F 41 A8 71 C3 F9 53 84 B4 8A DA BC
+
+ ---------------------------Server---------------------------
+
+ server_finished_key = HKDF-Expand-Label(SHTS, "finished", "", 32):
+ 00000: 53 F1 C0 38 8F 8A 70 C0 BC A0 DD 21 A0 30 F2 38
+ 00010: 1C 34 37 CD 0E 7E C9 3D 0A 96 5E 25 63 2D D7 9A
+
+ HMFinished = (ClientHello, ServerHello, EncryptedExtensions
+ Certificate, CertificateVerify)
+
+ Transcript-Hash(HMFinished):
+ 00000: 03 EC 9B 1D 0B 37 41 42 45 72 BA C9 DF 3A A5 2C
+ 00010: 03 EF E9 E9 58 07 69 43 AF D8 58 19 BC 60 2F 46
+
+ FinishedHash =
+ HMAC(server_finished_key,Transcript-Hash(HMFinished)):
+ 00000: E0 BA A3 36 14 E0 69 69 7E 4D FA B0 71 B9 72 57
+ 00010: 73 F8 FE 1A 32 6A 66 2D 0F 52 30 9B 45 B6 E0 31
+
+ Finished message:
+ msg_type: 14
+ length: 000020
+ body:
+ verify_data: E0BAA33614E069697E4DFAB071B97257
+ 73F8FE1A326A662D0F52309B45B6E031
+
+ 00000: 14 00 00 20 E0 BA A3 36 14 E0 69 69 7E 4D FA B0
+ 00010: 71 B9 72 57 73 F8 FE 1A 32 6A 66 2D 0F 52 30 9B
+ 00020: 45 B6 E0 31
+
+ Record payload protection:
+
+ server_record_write_key = TLSTREE(server_write_key_hs, 3):
+ 00000: 56 EE 18 13 72 72 49 C9 DC DF 35 13 78 7E DB 93
+ 00010: DF 62 C6 1E E7 B1 26 C5 0F 26 C0 AA AF AE 00 E1
+
+ seqnum:
+ 00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03
+
+ nonce:
+ 00000: 69 69 FF AA A4 52 52 81 EE BB EB 4C BD 0B 64 0D
+
+ additional_data:
+ 00000: 17 03 03 00 35
+
+ TLSInnerPlaintext:
+ 00000: 14 00 00 20 E0 BA A3 36 14 E0 69 69 7E 4D FA B0
+ 00010: 71 B9 72 57 73 F8 FE 1A 32 6A 66 2D 0F 52 30 9B
+ 00020: 45 B6 E0 31 16
+
+ Record layer message:
+ type: 17
+ legacy_record_version: 0303
+ length: 0035
+ encrypted_record: 57B1706C4918F67EACCA457F7D5B537C
+ CE5036B4004C778022B97EE802320398
+ 119404506680ADD7D6A6CD7C8153B755
+ 3C6E646AD6
+
+ TLSCiphertext:
+ 00000: 17 03 03 00 35 57 B1 70 6C 49 18 F6 7E AC CA 45
+ 00010: 7F 7D 5B 53 7C CE 50 36 B4 00 4C 77 80 22 B9 7E
+ 00020: E8 02 32 03 98 11 94 04 50 66 80 AD D7 D6 A6 CD
+ 00030: 7C 81 53 B7 55 3C 6E 64 6A D6
+
+ ---------------------------Server---------------------------
+ Application Data:
+ HELO gost.example.com\r\n
+
+ Record payload protection:
+
+ Derived #1 = Derive-Secret(HandshakeSecret, "derived", "") =
+ HKDF-Expand-Label(HandshakeSecret, "derived", "", 32):
+ 00000: EA 3C 54 BB D1 4E F9 D7 50 77 6F AB E3 95 BE 2A
+ 00010: BD DB BB B7 1C 13 C2 BD 60 9E 35 15 79 4A FA 02
+
+ MainSecret = HKDF-Extract(Salt: Derived #1, IKM: 0^256):
+ 00000: 31 BB 1D 61 2C CD 53 32 68 8A 55 1A 48 CA 25 0F
+ 00010: 24 78 3D 4A B0 B4 A7 6D 3F E5 06 7A 26 16 A4 A3
+
+ HM2 = (ClientHello, ServerHello, EncryptedExtensions, Certificate,
+ CertificateVerify, Server Finished)
+
+ TH2 = Transcript-Hash(HM2):
+ 00000: 9E BC 5F BE 32 D9 F4 0D 48 F8 EE CE BB 62 31 A5
+ 00010: 33 C2 C0 EF 24 32 77 B9 6D 6F 7A D3 BB FD 14 94
+
+ server_application_traffic_secret (SATS):
+ SATS = Derive-Secret(MainSecret, "s ap traffic", HM2) =
+ HKDF-Expand-Label(MainSecret, "s ap traffic", TH2, 32):
+ 00000: 87 73 4F 4B 4C FD 17 B9 7B 83 4D 82 2D 9D 73 79
+ 00010: F6 F5 E0 3B 80 B5 2A EB 2A FF 51 0E DD 83 DB D2
+
+ server_write_key_ap = HKDF-Expand-Label(SATS, "key", "", 32):
+ 00000: 47 5E 4C 51 4C C6 31 8C 3A 5F 00 0F 12 65 BD 1A
+ 00010: B5 F0 DE 1A F3 57 ED 00 79 EC 5F F0 AF BD 03 0C
+
+ server_write_iv_ap = HKDF-Expand-Label(SATS, "iv", "", 16):
+ 00000: AF E9 1F 71 18 35 40 26 31 7E 1A B4 D8 22 17 B8
+
+ server_record_write_key = TLSTREE(server_write_key_ap, 0):
+ 00000: C8 FC 93 D7 C5 86 F2 B0 A3 10 1B AA 6A 97 9E 4E
+ 00010: 38 86 70 65 51 E8 11 87 E9 78 80 40 9C 7E 8E E9
+
+ seqnum:
+ 00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+
+ nonce:
+ 00000: 2F E9 1F 71 18 35 40 26 31 7E 1A B4 D8 22 17 B8
+
+ additional_data:
+ 00000: 17 03 03 00 28
+
+ TLSInnerPlaintext:
+ 00000: 48 45 4C 4F 20 67 6F 73 74 2E 65 78 61 6D 70 6C
+ 00010: 65 2E 63 6F 6D 0D 0A 17
+
+ Record layer message:
+ type: 17
+ legacy_record_version: 0303
+ length: 0028
+ encrypted_record: ABB8C372C79681DCE5C3C909DD039D59
+ 8161FD3E6CE5D6F9CA5715BD6B5C1824
+ 7FB26AC1AB396A4E
+
+ TLSCiphertext:
+ 00000: 17 03 03 00 28 AB B8 C3 72 C7 96 81 DC E5 C3 C9
+ 00010: 09 DD 03 9D 59 81 61 FD 3E 6C E5 D6 F9 CA 57 15
+ 00020: BD 6B 5C 18 24 7F B2 6A C1 AB 39 6A 4E
+
+ ---------------------------Client---------------------------
+
+ client_finished_key = HKDF-Expand-Label(CHTS, "finished", "", 32):
+ 00000: 2F 21 54 8C F5 27 78 69 AE 49 0D E7 BC 15 AC E6
+ 00010: 39 F6 57 E3 58 2A 5A 63 4B 0A 91 56 95 D5 4C 42
+
+ HM2 = (ClientHello, ServerHello, EncryptedExtensions, Certificate,
+ CertificateVerify, Server Finished)
+
+ TH2 = Transcript-Hash(HM2):
+ 00000: 9E BC 5F BE 32 D9 F4 0D 48 F8 EE CE BB 62 31 A5
+ 00010: 33 C2 C0 EF 24 32 77 B9 6D 6F 7A D3 BB FD 14 94
+
+ FinishedHash =
+ HMAC(client_finished_key, TH2):
+ 00000: 08 5F C7 FD 79 B6 D1 11 CD 8D 3F F6 B2 3A 06 5A
+ 00010: 7A F7 A6 38 73 42 A5 F3 57 68 14 CD 00 47 19 D2
+
+ Finished message:
+ msg_type: 14
+ length: 000020
+ body:
+ verify_data: 085FC7FD79B6D111CD8D3FF6B23A065A
+ 7AF7A6387342A5F3576814CD004719D2
+
+ 00000: 14 00 00 20 08 5F C7 FD 79 B6 D1 11 CD 8D 3F F6
+ 00010: B2 3A 06 5A 7A F7 A6 38 73 42 A5 F3 57 68 14 CD
+ 00020: 00 47 19 D2
+
+ Record payload protection:
+
+ EarlySecret = HKDF-Extract(Salt: 0^256, IKM: 0^256):
+ 00000: FB DE FB E5 27 FE EA 66 5A AB 92 77 A2 16 3B 83
+ 00010: 43 08 4F D1 91 C4 60 66 26 0F AC 6F D1 43 6C 72
+
+ Derived #0 = Derive-Secret(EarlySecret, "derived", "") =
+ HKDF-Expand-Label(EarlySecret, "derived", "", 32):
+ 00000: DB C3 C8 26 D8 77 A3 B7 D2 D2 45 3D BF DC 6C FB
+ 00010: FB 11 51 B3 E8 4F 0C 8F 26 01 1D 8D 5B F3 ED F7
+
+ HandshakeSecret = HKDF-Extract(Salt: Derived #0, IKM: ECDHE):
+ 00000: 44 24 5E 2C 43 32 D1 F7 8B 0F 8D 16 F4 03 EB 69
+ 00010: ED 2A 40 53 84 7C DC 39 FA 8B 3D 29 74 F7 45 E7
+
+ HM1 = (ClientHello, ServerHello)
+
+ TH1 = Transcript-Hash(HM1):
+ 00000: 99 3B A7 22 12 4A F3 CB FD 47 71 E7 FA E3 2A C1
+ 00010: D0 E9 27 8C F7 84 3F CB C6 20 E1 A0 08 5A 87 A1
+
+ client_handshake_traffic_secret (CHTS):
+ CHTS = Derive-Secret(HandshakeSecret, "c hs traffic", HM1) =
+ HKDF-Expand-Label(HandshakeSecret, "c hs traffic", TH1, 32):
+ 00000: B3 F7 11 3D 35 26 55 4F E6 55 E5 6F AB 79 B1 A0
+ 00010: 3D E3 35 96 E3 30 88 C7 78 37 19 A9 A4 B0 DC CD
+
+ client_write_key_hs = HKDF-Expand-Label(CHTS, "key", "", 32):
+ 00000: 58 16 88 D7 6E FE 12 2B B5 5F 62 B3 8E F0 1B CC
+ 00010: 8C 88 DB 83 E9 EA 4D 55 D3 89 8C 53 72 1F C3 84
+
+ client_write_iv_hs = HKDF-Expand-Label(CHTS, "iv", "", 16):
+ 00000: 43 9A 07 45 3D 0B EA 0C 1D 1B EB 73 8E B5 B8 DD
+
+ client_record_write_key = TLSTREE(client_write_key_hs, 0):
+ 00000: E1 C5 9B 41 69 D8 96 10 7F 78 45 68 93 A3 75 1E
+ 00010: 15 73 54 3D AD 8C B7 40 69 E6 81 4A 51 3B BB 1C
+
+ seqnum:
+ 00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+
+ nonce:
+ 00000: 43 9A 07 45 3D 0B EA 0C 1D 1B EB 73 8E B5 B8 DD
+
+ additional_data:
+ 00000: 17 03 03 00 35
+
+ TLSInnerPlaintext:
+ 00000: 14 00 00 20 08 5F C7 FD 79 B6 D1 11 CD 8D 3F F6
+ 00010: B2 3A 06 5A 7A F7 A6 38 73 42 A5 F3 57 68 14 CD
+ 00020: 00 47 19 D2 16
+
+ Record layer message:
+ type: 17
+ legacy_record_version: 0303
+ length: 0035
+ encrypted_record: C9C65EAAB4A80E04849A122EB0CC26A9
+ CA6B5DD4DB7AD6813949F629FC09E052
+ 2FF7ACDBBA93926C20008B8CCE865422
+ 7B31D439F8
+
+ TLSCiphertext:
+ 00000: 17 03 03 00 35 C9 C6 5E AA B4 A8 0E 04 84 9A 12
+ 00010: 2E B0 CC 26 A9 CA 6B 5D D4 DB 7A D6 81 39 49 F6
+ 00020: 29 FC 09 E0 52 2F F7 AC DB BA 93 92 6C 20 00 8B
+ 00030: 8C CE 86 54 22 7B 31 D4 39 F8
+
+ ---------------------------Server---------------------------
+
+ NewSessionTicket message:
+ msg_type: 04
+ length: 000035
+ body:
+ ticket_lifetime: 00093A80
+ ticket_age_add: 86868686
+ ticket_nonce:
+ length: 08
+ vector: 0000000000000000
+ ticket:
+ length: 0020
+ vector: 88888888888888888888888888888888
+ 88888888888888888888888888888888
+ extensions:
+ length: 0000
+ vector: --
+
+ 00000: 04 00 00 35 00 09 3A 80 86 86 86 86 08 00 00 00
+ 00010: 00 00 00 00 00 00 20 88 88 88 88 88 88 88 88 88
+ 00020: 88 88 88 88 88 88 88 88 88 88 88 88 88 88 88 88
+ 00030: 88 88 88 88 88 88 88 00 00
+
+ Record payload protection:
+
+ server_record_write_key = TLSTREE(server_write_key_ap, 1):
+ 00000: C8 FC 93 D7 C5 86 F2 B0 A3 10 1B AA 6A 97 9E 4E
+ 00010: 38 86 70 65 51 E8 11 87 E9 78 80 40 9C 7E 8E E9
+
+ seqnum:
+ 00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01
+
+ nonce:
+ 00000: 2F E9 1F 71 18 35 40 26 31 7E 1A B4 D8 22 17 B9
+
+ additional_data:
+ 00000: 17 03 03 00 4A
+
+ TLSInnerPlaintext:
+ 00000: 04 00 00 35 00 09 3A 80 86 86 86 86 08 00 00 00
+ 00010: 00 00 00 00 00 00 20 88 88 88 88 88 88 88 88 88
+ 00020: 88 88 88 88 88 88 88 88 88 88 88 88 88 88 88 88
+ 00030: 88 88 88 88 88 88 88 00 00 16
+
+ Record layer message:
+ type: 17
+ legacy_record_version: 0303
+ length: 004A
+ encrypted_record: CA6688A5DC22208DC8A8DE7E597292E3
+ CB5D454945B8F06C7C50F1823D7B6BB0
+ 021178AE3ADB2DE3994539FD696945CF
+ AA6919F3F1294CD41ED2A8EA75302869
+ ACB994F3920B09D67186
+
+ TLSCiphertext:
+ 00000: 17 03 03 00 4A CA 66 88 A5 DC 22 20 8D C8 A8 DE
+ 00010: 7E 59 72 92 E3 CB 5D 45 49 45 B8 F0 6C 7C 50 F1
+ 00020: 82 3D 7B 6B B0 02 11 78 AE 3A DB 2D E3 99 45 39
+ 00030: FD 69 69 45 CF AA 69 19 F3 F1 29 4C D4 1E D2 A8
+ 00040: EA 75 30 28 69 AC B9 94 F3 92 0B 09 D6 71 86
+
+ ---------------------------Server---------------------------
+
+ Application data:
+ 00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ [...]
+ 000003F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ Pad: 15360 bytes
+
+ Record payload protection:
+
+ server_record_write_key = TLSTREE(server_write_key_ap, 2):
+ 00000: C8 FC 93 D7 C5 86 F2 B0 A3 10 1B AA 6A 97 9E 4E
+ 00010: 38 86 70 65 51 E8 11 87 E9 78 80 40 9C 7E 8E E9
+
+ seqnum:
+ 00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02
+
+ nonce:
+ 00000: 2F E9 1F 71 18 35 40 26 31 7E 1A B4 D8 22 17 BA
+
+ additional_data:
+ 00000: 17 03 03 40 11
+
+ TLSInnerPlaintext:
+ 00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ [...]
+ 000003F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 00000400: 17 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 00000410: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ [...]
+ 00004000: 00
+
+ Record layer message:
+ type: 17
+ legacy_record_version: 0303
+ length: 4011
+ encrypted_record: 9B3AD6939F05A403EEB1A636E13989D9
+ 1CCA6A45BE5B7CB5C980020627A1B2AD
+ 34AC4B5AAE5BD445C91C28325E4C7149
+ 188D55EF27016D80AF440704820BCE22
+ CE501EA619A4FF7CD9F722A28391CE8B
+ B86BF87D5A85555BEF59A9C9A1572F38
+ 114E64FD04A0DB2E1787A585EA51DCAB
+ B95DAFB73D0B3FE3F0702C5E1AA01571
+ 17D884783E5E6113F6CA8352F6CF49F9
+ DB3B3DAB380BFD7BE04B0A [...]
+ 64E7027D926E0F95AB7F133B5921F996
+ A81EB67B78449DD32F4511E013206524
+ AD4AFACF0B1C1622282CB20A965E670C
+ C9A17E13F343AF3825AFD58B06915BDC
+ 9E49477F02830694F5AC7CC99C887F62
+ CDAAEF0053766FB12BC9A082C157C347
+ 21C5400C376088A660EE4329ED645D7C
+ 07D4DA1ABDF6F9A1B9D51BF3E09CFCC1
+ A59CD96F07FC9ACF004EA1B20E6BBDAD
+ 7BBF0C9E2A1B
+
+ TLSCiphertext:
+ 00000000: 17 03 03 40 11 9B 3A D6 93 9F 05 A4 03 EE B1 A6
+ 00000010: 36 E1 39 89 D9 1C CA 6A 45 BE 5B 7C B5 C9 80 02
+ 00000020: 06 27 A1 B2 AD 34 AC 4B 5A AE 5B D4 45 C9 1C 28
+ 00000030: 32 5E 4C 71 49 18 8D 55 EF 27 01 6D 80 AF 44 07
+ 00000040: 04 82 0B CE 22 CE 50 1E A6 19 A4 FF 7C D9 F7 22
+ 00000050: A2 83 91 CE 8B B8 6B F8 7D 5A 85 55 5B EF 59 A9
+ 00000060: C9 A1 57 2F 38 11 4E 64 FD 04 A0 DB 2E 17 87 A5
+ 00000070: 85 EA 51 DC AB B9 5D AF B7 3D 0B 3F E3 F0 70 2C
+ 00000080: 5E 1A A0 15 71 17 D8 84 78 3E 5E 61 13 F6 CA 83
+ 00000090: 52 F6 CF 49 F9 DB 3B 3D AB 38 0B FD 7B E0 4B 0A
+ [...]
+ 00003F80: 64 E7 02 7D 92 6E 0F 95 AB 7F 13 3B 59 21 F9 96
+ 00003F90: A8 1E B6 7B 78 44 9D D3 2F 45 11 E0 13 20 65 24
+ 00003FA0: AD 4A FA CF 0B 1C 16 22 28 2C B2 0A 96 5E 67 0C
+ 00003FB0: C9 A1 7E 13 F3 43 AF 38 25 AF D5 8B 06 91 5B DC
+ 00003FC0: 9E 49 47 7F 02 83 06 94 F5 AC 7C C9 9C 88 7F 62
+ 00003FD0: CD AA EF 00 53 76 6F B1 2B C9 A0 82 C1 57 C3 47
+ 00003FE0: 21 C5 40 0C 37 60 88 A6 60 EE 43 29 ED 64 5D 7C
+ 00003FF0: 07 D4 DA 1A BD F6 F9 A1 B9 D5 1B F3 E0 9C FC C1
+ 00004000: A5 9C D9 6F 07 FC 9A CF 00 4E A1 B2 0E 6B BD AD
+ 00004010: 7B BF 0C 9E 2A 1B
+
+ ---------------------------Server---------------------------
+
+ Application data:
+ 00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ [...]
+ 000003F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ Pad: 15360 bytes
+
+ Record payload protection:
+
+ server_record_write_key = TLSTREE(server_write_key_ap, 3):
+ 00000: C8 FC 93 D7 C5 86 F2 B0 A3 10 1B AA 6A 97 9E 4E
+ 00010: 38 86 70 65 51 E8 11 87 E9 78 80 40 9C 7E 8E E9
+
+ seqnum:
+ 00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03
+
+ nonce:
+ 00000: 2F E9 1F 71 18 35 40 26 31 7E 1A B4 D8 22 17 BB
+
+ additional_data:
+ 00000: 17 03 03 40 11
+
+ TLSInnerPlaintext:
+ 00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ [...]
+ 000003F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 00000400: 17 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 00000410: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ [...]
+ 00004000: 00
+
+ Record layer message:
+ type: 17
+ legacy_record_version: 0303
+ length: 4011
+ encrypted_record: F06C5032F8A7AD58CED14D5383ED969E
+ 628DE4F35CF9B6FCF5047D9B02261F56
+ F724DE961F8FF9C27AE76FBAC0A18E96
+ AA30CA7D8EBAD5B5135A0962515CC4F2
+ A16EBAB9A08886ED4EFD9DFAEC158F94
+ EFB0F90725C9114D9D8D904A18ABF184
+ E74B07150B2F2F27CB8032064943C957
+ 11E480E4F4FCE8E9F020D5C90489E734
+ AEA10D91C7097AEC8CD6D5E3EEC764B0
+ CD447FC07735F0F8D9D490 [...]
+ 3A79E7B3BCFD2B2478092911073A7CC9
+ 6AC626C30DD0A5612DBBFF26E35AF0BB
+ 5CEC24EED391100533FB999D4873ED5D
+ 5E4693C5EEDC3ECC3C6EFF041B0A7F42
+ 25A1092F4AADD9A508C7A56CB13A3F33
+ E844E28C8ADCD45250F4EE29834C5CAA
+ C50B5EBF94501785664E78AE9B5FDBFA
+ DF730DED97985D659135F5DABAD883FF
+ AC6046A0F629881F76147646D8E2A867
+ 3B14295621F7
+
+
+ TLSCiphertext:
+ 00000000: 17 03 03 40 11 F0 6C 50 32 F8 A7 AD 58 CE D1 4D
+ 00000010: 53 83 ED 96 9E 62 8D E4 F3 5C F9 B6 FC F5 04 7D
+ 00000020: 9B 02 26 1F 56 F7 24 DE 96 1F 8F F9 C2 7A E7 6F
+ 00000030: BA C0 A1 8E 96 AA 30 CA 7D 8E BA D5 B5 13 5A 09
+ 00000040: 62 51 5C C4 F2 A1 6E BA B9 A0 88 86 ED 4E FD 9D
+ 00000050: FA EC 15 8F 94 EF B0 F9 07 25 C9 11 4D 9D 8D 90
+ 00000060: 4A 18 AB F1 84 E7 4B 07 15 0B 2F 2F 27 CB 80 32
+ 00000070: 06 49 43 C9 57 11 E4 80 E4 F4 FC E8 E9 F0 20 D5
+ 00000080: C9 04 89 E7 34 AE A1 0D 91 C7 09 7A EC 8C D6 D5
+ 00000090: E3 EE C7 64 B0 CD 44 7F C0 77 35 F0 F8 D9 D4 90
+ [...]
+ 00003F80: 3A 79 E7 B3 BC FD 2B 24 78 09 29 11 07 3A 7C C9
+ 00003F90: 6A C6 26 C3 0D D0 A5 61 2D BB FF 26 E3 5A F0 BB
+ 00003FA0: 5C EC 24 EE D3 91 10 05 33 FB 99 9D 48 73 ED 5D
+ 00003FB0: 5E 46 93 C5 EE DC 3E CC 3C 6E FF 04 1B 0A 7F 42
+ 00003FC0: 25 A1 09 2F 4A AD D9 A5 08 C7 A5 6C B1 3A 3F 33
+ 00003FD0: E8 44 E2 8C 8A DC D4 52 50 F4 EE 29 83 4C 5C AA
+ 00003FE0: C5 0B 5E BF 94 50 17 85 66 4E 78 AE 9B 5F DB FA
+ 00003FF0: DF 73 0D ED 97 98 5D 65 91 35 F5 DA BA D8 83 FF
+ 00004000: AC 60 46 A0 F6 29 88 1F 76 14 76 46 D8 E2 A8 67
+ 00004010: 3B 14 29 56 21 F7
+
+ ---------------------------Server---------------------------
+
+ Application data:
+ 00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ [...]
+ 000003F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ Pad: 15360 bytes
+
+ Record payload protection:
+
+ server_record_write_key = TLSTREE(server_write_key_ap, 8):
+ 00000: D3 CD 87 D5 68 74 07 82 39 78 34 4C 06 B9 28 A8
+ 00010: 58 98 B7 39 A3 1D 3D E5 FF 2B 78 8E F3 91 96 ED
+
+ seqnum:
+ 00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08
+
+ nonce:
+ 00000: 2F E9 1F 71 18 35 40 26 31 7E 1A B4 D8 22 17 B0
+
+ additional_data:
+ 00000: 17 03 03 40 11
+
+ TLSInnerPlaintext:
+ 00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ [...]
+ 000003F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 00000400: 17 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 00000410: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ [...]
+ 00004000: 00
+
+ Record layer message:
+ type: 17
+ legacy_record_version: 0303
+ length: 4011
+ encrypted_record: E3DF00F169A76FA19FE55FA304E0A552
+ 5A28FDBD3DD4CA654B89140EFD69E263
+ 28A65A77F5D8B2E2F73568F7A677E5DF
+ 8D225FAA8ED5FED98F09963FF1E82161
+ 81595E9FA6989CCABC2150CA668D70EA
+ 8CB6F62BCC528D26B52FB27AB70F194A
+ 30E5C9085D9323D38745093070D15650
+ 52468045F3398DC5BF93D6A983956E1D
+ 3077337B773DAF4B9A6BA5BC569A251D
+ 34FE23DF7B9343A0550094 [...]
+ 2B516EE4A4971FD26EFB9293981435E9
+ FCC560B618B8ED0A52589E7342C25325
+ 11C3D7C145559B8119BC02CB22CBF1EB
+ 915578E8468806B2D0728C591B617354
+ CC47D51FF2363197A559018AD3498846
+ AD167DD086BD12EF52179D45ABF06C28
+ 97B0C1D8AAD49413E0CCC086586D537A
+ 296F9CEEB7E7E1DD2537540232C6BD71
+ 619FC93BAE3FD8B0C95EA9915B6127B9
+ 9F87884541F7
+
+ TLSCiphertext:
+ 00000000: 17 03 03 40 11 E3 DF 00 F1 69 A7 6F A1 9F E5 5F
+ 00000010: A3 04 E0 A5 52 5A 28 FD BD 3D D4 CA 65 4B 89 14
+ 00000020: 0E FD 69 E2 63 28 A6 5A 77 F5 D8 B2 E2 F7 35 68
+ 00000030: F7 A6 77 E5 DF 8D 22 5F AA 8E D5 FE D9 8F 09 96
+ 00000040: 3F F1 E8 21 61 81 59 5E 9F A6 98 9C CA BC 21 50
+ 00000050: CA 66 8D 70 EA 8C B6 F6 2B CC 52 8D 26 B5 2F B2
+ 00000060: 7A B7 0F 19 4A 30 E5 C9 08 5D 93 23 D3 87 45 09
+ 00000070: 30 70 D1 56 50 52 46 80 45 F3 39 8D C5 BF 93 D6
+ 00000080: A9 83 95 6E 1D 30 77 33 7B 77 3D AF 4B 9A 6B A5
+ 00000090: BC 56 9A 25 1D 34 FE 23 DF 7B 93 43 A0 55 00 94
+ [...]
+ 00003F80: 2B 51 6E E4 A4 97 1F D2 6E FB 92 93 98 14 35 E9
+ 00003F90: FC C5 60 B6 18 B8 ED 0A 52 58 9E 73 42 C2 53 25
+ 00003FA0: 11 C3 D7 C1 45 55 9B 81 19 BC 02 CB 22 CB F1 EB
+ 00003FB0: 91 55 78 E8 46 88 06 B2 D0 72 8C 59 1B 61 73 54
+ 00003FC0: CC 47 D5 1F F2 36 31 97 A5 59 01 8A D3 49 88 46
+ 00003FD0: AD 16 7D D0 86 BD 12 EF 52 17 9D 45 AB F0 6C 28
+ 00003FE0: 97 B0 C1 D8 AA D4 94 13 E0 CC C0 86 58 6D 53 7A
+ 00003FF0: 29 6F 9C EE B7 E7 E1 DD 25 37 54 02 32 C6 BD 71
+ 00004000: 61 9F C9 3B AE 3F D8 B0 C9 5E A9 91 5B 61 27 B9
+ 00004010: 9F 87 88 45 41 F7
+
+ ---------------------------Server---------------------------
+
+ Application data:
+ 00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ [...]
+ 000003F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ Pad: 15360 bytes
+
+ Record payload protection:
+
+ server_record_write_key = TLSTREE(server_write_key_ap, 9):
+ 00000: D3 CD 87 D5 68 74 07 82 39 78 34 4C 06 B9 28 A8
+ 00010: 58 98 B7 39 A3 1D 3D E5 FF 2B 78 8E F3 91 96 ED
+
+ seqnum:
+ 00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 09
+
+ nonce:
+ 00000: 2F E9 1F 71 18 35 40 26 31 7E 1A B4 D8 22 17 B1
+
+ additional_data:
+ 00000: 17 03 03 40 11
+
+ TLSInnerPlaintext:
+ 00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ [...]
+ 000003F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 00000400: 17 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 00000410: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ [...]
+ 00004000: 00
+
+ Record layer message:
+ type: 17
+ legacy_record_version: 0303
+ length: 4011
+ encrypted_record: 4AFCD1257E2C8D4626BC0BFBB30F2F9C
+ A57A9D0DEC090B4248CAADDFE7AA4AEB
+ 770F285384FEA308CADE2EEF318148C2
+ BED4870ABEE1955CCA41CE8344C3EDA4
+ 7C2512CDD19FD54C7E0260BBC7BD8DD1
+ EE9D4EBADD3D7915D0A029D7847CA05D
+ 078068CC8A792FED69A4E655A6E6D22D
+ A134ECA2BDECA1E59D3AE7313E45E785
+ AF89A8F1890BFCC59F03F39C4FB2337C
+ 326D94FA04F5548619D6DC [...]
+ 79B6F56B6EBF8B8860436EFF9D8F03CC
+ 73BDF446D30F918AF8FF8BA2D078D243
+ 1AC04657D7871203F15969F160820D7D
+ FCA78F65FF954CE5549F2C78AA3A0885
+ 04527FC561B6AE06020A8772B75CE933
+ 6CAC35B536A50DB26930BFA21E9EB56E
+ A20E39CC2BBBA66D41C2E8720AA0143D
+ 298D8036D7B0090A0214F58C5B1890A7
+ 5B4783820395E39421F4357A49597EB0
+ 64123818EACE
+
+ TLSCiphertext:
+ 00000000: 17 03 03 40 11 4A FC D1 25 7E 2C 8D 46 26 BC 0B
+ 00000010: FB B3 0F 2F 9C A5 7A 9D 0D EC 09 0B 42 48 CA AD
+ 00000020: DF E7 AA 4A EB 77 0F 28 53 84 FE A3 08 CA DE 2E
+ 00000030: EF 31 81 48 C2 BE D4 87 0A BE E1 95 5C CA 41 CE
+ 00000040: 83 44 C3 ED A4 7C 25 12 CD D1 9F D5 4C 7E 02 60
+ 00000050: BB C7 BD 8D D1 EE 9D 4E BA DD 3D 79 15 D0 A0 29
+ 00000060: D7 84 7C A0 5D 07 80 68 CC 8A 79 2F ED 69 A4 E6
+ 00000070: 55 A6 E6 D2 2D A1 34 EC A2 BD EC A1 E5 9D 3A E7
+ 00000080: 31 3E 45 E7 85 AF 89 A8 F1 89 0B FC C5 9F 03 F3
+ 00000090: 9C 4F B2 33 7C 32 6D 94 FA 04 F5 54 86 19 D6 DC
+ [...]
+ 00003F80: 79 B6 F5 6B 6E BF 8B 88 60 43 6E FF 9D 8F 03 CC
+ 00003F90: 73 BD F4 46 D3 0F 91 8A F8 FF 8B A2 D0 78 D2 43
+ 00003FA0: 1A C0 46 57 D7 87 12 03 F1 59 69 F1 60 82 0D 7D
+ 00003FB0: FC A7 8F 65 FF 95 4C E5 54 9F 2C 78 AA 3A 08 85
+ 00003FC0: 04 52 7F C5 61 B6 AE 06 02 0A 87 72 B7 5C E9 33
+ 00003FD0: 6C AC 35 B5 36 A5 0D B2 69 30 BF A2 1E 9E B5 6E
+ 00003FE0: A2 0E 39 CC 2B BB A6 6D 41 C2 E8 72 0A A0 14 3D
+ 00003FF0: 29 8D 80 36 D7 B0 09 0A 02 14 F5 8C 5B 18 90 A7
+ 00004000: 5B 47 83 82 03 95 E3 94 21 F4 35 7A 49 59 7E B0
+ 00004010: 64 12 38 18 EA CE
+
+ ---------------------------Client-----------------------------
+
+ Application data:
+ 00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ [...]
+ 000003F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ Pad: 15360 bytes
+
+ Record payload protection:
+
+ Derived #1 = Derive-Secret(HandshakeSecret, "derived", "") =
+ HKDF-Expand-Label(HandshakeSecret, "derived", "", 32):
+ 00000: EA 3C 54 BB D1 4E F9 D7 50 77 6F AB E3 95 BE 2A
+ 00010: BD DB BB B7 1C 13 C2 BD 60 9E 35 15 79 4A FA 02
+
+ MainSecret = HKDF-Extract(Salt: Derived #1, IKM: 0^256):
+ 00000: 31 BB 1D 61 2C CD 53 32 68 8A 55 1A 48 CA 25 0F
+ 00010: 24 78 3D 4A B0 B4 A7 6D 3F E5 06 7A 26 16 A4 A3
+
+ HM2 = (ClientHello, ServerHello, EncryptedExtensions, Certificate,
+ CertificateVerify, Server Finished)
+
+ TH2 = Transcript-Hash(HM2):
+ 00000: 9E BC 5F BE 32 D9 F4 0D 48 F8 EE CE BB 62 31 A5
+ 00010: 33 C2 C0 EF 24 32 77 B9 6D 6F 7A D3 BB FD 14 94
+
+ client_application_traffic_secret (CATS):
+ CATS = Derive-Secret(MainSecret, "c ap traffic", HM2) =
+ HKDF-Expand-Label(MainSecret, "c ap traffic", TH2, 32):
+ 00000: 8A CF 74 6B EC 31 17 6C BD 14 2C 75 80 6C 27 0A
+ 00010: 0A EF 6F C3 8E 0D 8F DC B5 A8 85 25 36 3A DE 81
+
+ client_write_key_ap = HKDF-Expand-Label(CATS, "key", "", 32):
+ 00000: 7B E6 4E 2C 12 78 7B 5B 8C 87 56 C4 3D 92 FA EF
+ 00010: 64 F1 5A 3A 3C 10 81 AD 34 BC A5 06 F0 32 24 15
+
+ client_write_iv_ap = HKDF-Expand-Label(CATS, "iv", "", 16):
+ 00000: 31 09 57 EF 71 31 44 33 F5 76 CC 9B 00 AD 93 54
+
+ client_record_write_key = TLSTREE(client_write_key_ap, 0):
+ 00000: D4 9A 57 15 49 E7 48 94 9F A2 4B 88 34 23 2C A8
+ 00010: 75 D3 7A 26 C4 BB 5C 62 A2 61 DA B3 72 65 05 26
+
+ seqnum:
+ 00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+
+ nonce:
+ 00000: 31 09 57 EF 71 31 44 33 F5 76 CC 9B 00 AD 93 54
+
+ additional_data:
+ 00000: 17 03 03 40 11
+
+ TLSInnerPlaintext:
+ 00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ [...]
+ 000003F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 00000400: 17 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 00000410: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ [...]
+ 00004000: 00
+
+ Record layer message:
+ type: 17
+ legacy_record_version: 0303
+ length: 4011
+ encrypted_record: EA6CB652C7CBE6B50560D0364DC94D90
+ 2560DFE55D8B83C8AA919F5A1E5492E7
+ 4CA5156F18BEC8EAB6971CAA2D2C1FF1
+ 46EA5FEF5D62682601868FFCD2688F34
+ 83899C31F6BA87538682E7F895F653C0
+ 9BFE95ABF3EEDF7EBB261CCC593DFCB0
+ 04F05119567148BB35F3C7B4F09713A6
+ 247A047EF29B05F7720E375A6E3264F4
+ 7922EAEBE3AA6D1E80832806D5F20E7C
+ 56662A7128B191829597DB [...]
+ 6A5184907D9FF8D3FC0994A3C850DDBC
+ 2D0420EB66EA177FCDD78F16246E2076
+ 039C525604F79A007F472AC7A20A4574
+ 1B9D96E38E565899D40A724B8A37FF68
+ 702BF9A645D04962BBC9C66A35FFD219
+ A08A385FE4CDD0A1F3F080BECDF01E45
+ 68C338FAD2C850DFEAA98A7F1B95ECA1
+ 72BA7F7526E3BFF2EFF2395CE4561867
+ DC9DE8FD10F38BCA1E44B0207AF4CCE8
+ 8155836330BC
+
+ TLSCiphertext:
+ 00000000: 17 03 03 40 11 EA 6C B6 52 C7 CB E6 B5 05 60 D0
+ 00000010: 36 4D C9 4D 90 25 60 DF E5 5D 8B 83 C8 AA 91 9F
+ 00000020: 5A 1E 54 92 E7 4C A5 15 6F 18 BE C8 EA B6 97 1C
+ 00000030: AA 2D 2C 1F F1 46 EA 5F EF 5D 62 68 26 01 86 8F
+ 00000040: FC D2 68 8F 34 83 89 9C 31 F6 BA 87 53 86 82 E7
+ 00000050: F8 95 F6 53 C0 9B FE 95 AB F3 EE DF 7E BB 26 1C
+ 00000060: CC 59 3D FC B0 04 F0 51 19 56 71 48 BB 35 F3 C7
+ 00000070: B4 F0 97 13 A6 24 7A 04 7E F2 9B 05 F7 72 0E 37
+ 00000080: 5A 6E 32 64 F4 79 22 EA EB E3 AA 6D 1E 80 83 28
+ 00000090: 06 D5 F2 0E 7C 56 66 2A 71 28 B1 91 82 95 97 DB
+ [...]
+ 00003F80: 6A 51 84 90 7D 9F F8 D3 FC 09 94 A3 C8 50 DD BC
+ 00003F90: 2D 04 20 EB 66 EA 17 7F CD D7 8F 16 24 6E 20 76
+ 00003FA0: 03 9C 52 56 04 F7 9A 00 7F 47 2A C7 A2 0A 45 74
+ 00003FB0: 1B 9D 96 E3 8E 56 58 99 D4 0A 72 4B 8A 37 FF 68
+ 00003FC0: 70 2B F9 A6 45 D0 49 62 BB C9 C6 6A 35 FF D2 19
+ 00003FD0: A0 8A 38 5F E4 CD D0 A1 F3 F0 80 BE CD F0 1E 45
+ 00003FE0: 68 C3 38 FA D2 C8 50 DF EA A9 8A 7F 1B 95 EC A1
+ 00003FF0: 72 BA 7F 75 26 E3 BF F2 EF F2 39 5C E4 56 18 67
+ 00004000: DC 9D E8 FD 10 F3 8B CA 1E 44 B0 20 7A F4 CC E8
+ 00004010: 81 55 83 63 30 BC
+
+ ---------------------------Client-----------------------------
+
+ Application data:
+ 00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ [...]
+ 000003F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ Pad: 15360 bytes
+
+ Record payload protection:
+
+ server_record_write_key = TLSTREE(server_write_key_ap, 1):
+ 00000: D4 9A 57 15 49 E7 48 94 9F A2 4B 88 34 23 2C A8
+ 00010: 75 D3 7A 26 C4 BB 5C 62 A2 61 DA B3 72 65 05 26
+
+ seqnum:
+ 00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01
+
+ nonce:
+ 00000: 31 09 57 EF 71 31 44 33 F5 76 CC 9B 00 AD 93 55
+
+ additional_data:
+ 00000: 17 03 03 40 11
+
+ TLSInnerPlaintext:
+ 00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ [...]
+ 000003F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 00000400: 17 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 00000410: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ [...]
+ 00004000: 00
+
+ Record layer message:
+ type: 17
+ legacy_record_version: 0303
+ length: 4011
+ encrypted_record: 0D486A03D03A020296EA0AD1D684A9F4
+ AE35824129141D3434CEE064FD5E966F
+ 88D6E8903913417658E46C49B18BB0CC
+ B29B663D3F380A2CF9E5234BCD27F3A4
+ E12EBF3A3C69DB7661B08FC1685FADDE
+ 50F68028A6E85EE12729D6F9CAD762FF
+ A6BAB5FC94AC65BAA36885DAF85C9B27
+ C68F9E97AB85ECFA760CDD22F9A8C0BA
+ 6097D7960587CA708834516D9588592D
+ D1B8E05210BAA640FE6540 [...]
+ 55A9C5A6557D35B8F1A9804BFA0F2789
+ 3EDC6AA0350E9630AFF6C9B06C3CE01D
+ 5BE51E87EBFFAC58230D074BE121F077
+ 9D08F8177AFFFBB36DCEFDD0D0696873
+ A772B9A1DA73C681B0F8359EC1C74B6E
+ 0452095C622C4C797F450CAA4F26975A
+ 311F41F31C6A617747298CC052A6376F
+ A46191658FEE5BD8D7A998E7F12E8838
+ 7365BAAD4BA490114733FC15A58148E6
+ 186484821A94
+
+ TLSCiphertext:
+ 00000000: 17 03 03 40 11 0D 48 6A 03 D0 3A 02 02 96 EA 0A
+ 00000010: D1 D6 84 A9 F4 AE 35 82 41 29 14 1D 34 34 CE E0
+ 00000020: 64 FD 5E 96 6F 88 D6 E8 90 39 13 41 76 58 E4 6C
+ 00000030: 49 B1 8B B0 CC B2 9B 66 3D 3F 38 0A 2C F9 E5 23
+ 00000040: 4B CD 27 F3 A4 E1 2E BF 3A 3C 69 DB 76 61 B0 8F
+ 00000050: C1 68 5F AD DE 50 F6 80 28 A6 E8 5E E1 27 29 D6
+ 00000060: F9 CA D7 62 FF A6 BA B5 FC 94 AC 65 BA A3 68 85
+ 00000070: DA F8 5C 9B 27 C6 8F 9E 97 AB 85 EC FA 76 0C DD
+ 00000080: 22 F9 A8 C0 BA 60 97 D7 96 05 87 CA 70 88 34 51
+ 00000090: 6D 95 88 59 2D D1 B8 E0 52 10 BA A6 40 FE 65 40
+ [...]
+ 00003F80: 55 A9 C5 A6 55 7D 35 B8 F1 A9 80 4B FA 0F 27 89
+ 00003F90: 3E DC 6A A0 35 0E 96 30 AF F6 C9 B0 6C 3C E0 1D
+ 00003FA0: 5B E5 1E 87 EB FF AC 58 23 0D 07 4B E1 21 F0 77
+ 00003FB0: 9D 08 F8 17 7A FF FB B3 6D CE FD D0 D0 69 68 73
+ 00003FC0: A7 72 B9 A1 DA 73 C6 81 B0 F8 35 9E C1 C7 4B 6E
+ 00003FD0: 04 52 09 5C 62 2C 4C 79 7F 45 0C AA 4F 26 97 5A
+ 00003FE0: 31 1F 41 F3 1C 6A 61 77 47 29 8C C0 52 A6 37 6F
+ 00003FF0: A4 61 91 65 8F EE 5B D8 D7 A9 98 E7 F1 2E 88 38
+ 00004000: 73 65 BA AD 4B A4 90 11 47 33 FC 15 A5 81 48 E6
+ 00004010: 18 64 84 82 1A 94
+
+ ---------------------------Client-----------------------------
+
+ Application data:
+ 00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ [...]
+ 000003F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ Pad: 15360 bytes
+
+ Record payload protection:
+
+ client_record_write_key = TLSTREE(client_write_key_ap, 8):
+ 00000: B8 2D 78 25 D1 5F AE 18 A7 01 32 28 B3 1C B0 C5
+ 00010: 97 52 C6 40 9C 5F 78 99 EC C6 95 0F 74 63 C0 90
+
+ seqnum:
+ 00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08
+
+ nonce:
+ 00000: 31 09 57 EF 71 31 44 33 F5 76 CC 9B 00 AD 93 5C
+
+ additional_data:
+ 00000: 17 03 03 40 11
+
+ TLSInnerPlaintext:
+ 00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ [...]
+ 000003F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 00000400: 17 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 00000410: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ [...]
+ 00004000: 00
+
+ Record layer message:
+ type: 17
+ legacy_record_version: 0303
+ length: 4011
+ encrypted_record: F8B5732A300C8EF05FB712A2972F4DB8
+ 4BE783A959090398E989516B6A54F333
+ 331049283186BD1C42EFD98003A476A2
+ 408EACE0D7047FB536979386C26B5523
+ F933A4F5BD7048B094EC5F5627EDFA98
+ 99DE1AF8D9A493E481BA5DA0857BE15A
+ 3F21CA01E22092159BAA770569CFBE54
+ F653BEFB4A8B32295DEFE992258F4581
+ 257E936AF549E82D54EA6C09EF0D987B
+ F3A3E8453C1548CEF1C349 [...]
+ 0EF4E88899AA3481AEDAE0E257449F80
+ A20CBDF070EC02211B6B9CBA9248B192
+ CF75C88A085DBFF77ABCFB1D82DAA421
+ 1B487A48230350CBA4F338DD0BFD36D8
+ AAC5EE709456B7E317C78E7198FB7264
+ 5B45EEFD3F93BF1C021F9E74A2ED2BCC
+ 1CF5D367B553C7E7E9D80DD2447C7D13
+ D0345FEF2976696DFE579E5F71740C71
+ 3124CFBAD66C7BB5BC21AAAE2F1E0860
+ 5C248ADAF8BA
+
+ TLSCiphertext:
+ 00000000: 17 03 03 40 11 F8 B5 73 2A 30 0C 8E F0 5F B7 12
+ 00000010: A2 97 2F 4D B8 4B E7 83 A9 59 09 03 98 E9 89 51
+ 00000020: 6B 6A 54 F3 33 33 10 49 28 31 86 BD 1C 42 EF D9
+ 00000030: 80 03 A4 76 A2 40 8E AC E0 D7 04 7F B5 36 97 93
+ 00000040: 86 C2 6B 55 23 F9 33 A4 F5 BD 70 48 B0 94 EC 5F
+ 00000050: 56 27 ED FA 98 99 DE 1A F8 D9 A4 93 E4 81 BA 5D
+ 00000060: A0 85 7B E1 5A 3F 21 CA 01 E2 20 92 15 9B AA 77
+ 00000070: 05 69 CF BE 54 F6 53 BE FB 4A 8B 32 29 5D EF E9
+ 00000080: 92 25 8F 45 81 25 7E 93 6A F5 49 E8 2D 54 EA 6C
+ 00000090: 09 EF 0D 98 7B F3 A3 E8 45 3C 15 48 CE F1 C3 49
+ [...]
+ 00003F80: 0E F4 E8 88 99 AA 34 81 AE DA E0 E2 57 44 9F 80
+ 00003F90: A2 0C BD F0 70 EC 02 21 1B 6B 9C BA 92 48 B1 92
+ 00003FA0: CF 75 C8 8A 08 5D BF F7 7A BC FB 1D 82 DA A4 21
+ 00003FB0: 1B 48 7A 48 23 03 50 CB A4 F3 38 DD 0B FD 36 D8
+ 00003FC0: AA C5 EE 70 94 56 B7 E3 17 C7 8E 71 98 FB 72 64
+ 00003FD0: 5B 45 EE FD 3F 93 BF 1C 02 1F 9E 74 A2 ED 2B CC
+ 00003FE0: 1C F5 D3 67 B5 53 C7 E7 E9 D8 0D D2 44 7C 7D 13
+ 00003FF0: D0 34 5F EF 29 76 69 6D FE 57 9E 5F 71 74 0C 71
+ 00004000: 31 24 CF BA D6 6C 7B B5 BC 21 AA AE 2F 1E 08 60
+ 00004010: 5C 24 8A DA F8 BA
+
+ ---------------------------Client-----------------------------
+
+ Application data:
+ 00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ [...]
+ 000003F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ Pad: 15360 bytes
+
+ Record payload protection:
+
+ client_record_write_key = TLSTREE(client_write_key_ap, 9):
+ 00000: B8 2D 78 25 D1 5F AE 18 A7 01 32 28 B3 1C B0 C5
+ 00010: 97 52 C6 40 9C 5F 78 99 EC C6 95 0F 74 63 C0 90
+
+ seqnum:
+ 00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 09
+
+ nonce:
+ 00000: 31 09 57 EF 71 31 44 33 F5 76 CC 9B 00 AD 93 5D
+
+ additional_data:
+ 00000: 17 03 03 40 11
+
+ TLSInnerPlaintext:
+ 00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ [...]
+ 000003F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 00000400: 17 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 00000410: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ [...]
+ 00004000: 00
+
+ Record layer message:
+ type: 17
+ legacy_record_version: 0303
+ length: 4011
+ encrypted_record: C1719B62D4F5E295AB8A4A2CBD6BBEF3
+ 0F07297D96004EBABE315090247510A6
+ BEE6395676956B4249B16B52CE9FE171
+ B1F4693F48B3446D48A99B6224537FBB
+ 9BC8BF54AEA688D21E39F17840DB9F33
+ 632EA196922B7E15D6AE080F9F3B33F2
+ FABE63BB66E21C590785EFAEBE75BB1E
+ 17C9E5F58A1B1D1101DE95F9BF346C62
+ 1C63CABEB6D7245DB75F18DA495F129A
+ 652CE6B7E0FE47FB210D6A [...]
+ 2AF9D515B26C3D8F37F9BF5F3A766D8B
+ 03189A78605069179FB9CF9B1A449DC0
+ 4F0FE37E67FDF9A0341B1F0D64AA2871
+ D4DFEF10EC7DFE7475CFE364BB4D9453
+ A9F176829887148F3E8C0EEE858F9C17
+ C0B753C145D13BD2A96B23822F73DC6C
+ FD623DE3CB70F8D507E436C20E393940
+ F3A36C913C0BCDFE672C903C5522AA41
+ 0B318DD1268D035C59D3E11FF273B1D7
+ 715E2FBF3ACA
+
+ TLSCiphertext:
+ 00000000: 17 03 03 40 11 C1 71 9B 62 D4 F5 E2 95 AB 8A 4A
+ 00000010: 2C BD 6B BE F3 0F 07 29 7D 96 00 4E BA BE 31 50
+ 00000020: 90 24 75 10 A6 BE E6 39 56 76 95 6B 42 49 B1 6B
+ 00000030: 52 CE 9F E1 71 B1 F4 69 3F 48 B3 44 6D 48 A9 9B
+ 00000040: 62 24 53 7F BB 9B C8 BF 54 AE A6 88 D2 1E 39 F1
+ 00000050: 78 40 DB 9F 33 63 2E A1 96 92 2B 7E 15 D6 AE 08
+ 00000060: 0F 9F 3B 33 F2 FA BE 63 BB 66 E2 1C 59 07 85 EF
+ 00000070: AE BE 75 BB 1E 17 C9 E5 F5 8A 1B 1D 11 01 DE 95
+ 00000080: F9 BF 34 6C 62 1C 63 CA BE B6 D7 24 5D B7 5F 18
+ 00000090: DA 49 5F 12 9A 65 2C E6 B7 E0 FE 47 FB 21 0D 6A
+ [...]
+ 00003F80: 2A F9 D5 15 B2 6C 3D 8F 37 F9 BF 5F 3A 76 6D 8B
+ 00003F90: 03 18 9A 78 60 50 69 17 9F B9 CF 9B 1A 44 9D C0
+ 00003FA0: 4F 0F E3 7E 67 FD F9 A0 34 1B 1F 0D 64 AA 28 71
+ 00003FB0: D4 DF EF 10 EC 7D FE 74 75 CF E3 64 BB 4D 94 53
+ 00003FC0: A9 F1 76 82 98 87 14 8F 3E 8C 0E EE 85 8F 9C 17
+ 00003FD0: C0 B7 53 C1 45 D1 3B D2 A9 6B 23 82 2F 73 DC 6C
+ 00003FE0: FD 62 3D E3 CB 70 F8 D5 07 E4 36 C2 0E 39 39 40
+ 00003FF0: F3 A3 6C 91 3C 0B CD FE 67 2C 90 3C 55 22 AA 41
+ 00004000: 0B 31 8D D1 26 8D 03 5C 59 D3 E1 1F F2 73 B1 D7
+ 00004010: 71 5E 2F BF 3A CA
+
+ ---------------------------Server---------------------------
+ Alert message:
+ level: 01
+ description: 00
+
+ 00000: 01 00
+
+ Record payload protection:
+
+ client_record_write_key = TLSTREE(client_write_key_ap, 10):
+ 00000: D3 CD 87 D5 68 74 07 82 39 78 34 4C 06 B9 28 A8
+ 00010: 58 98 B7 39 A3 1D 3D E5 FF 2B 78 8E F3 91 96 ED
+
+ seqnum:
+ 00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0A
+
+ nonce:
+ 00000: 2F E9 1F 71 18 35 40 26 31 7E 1A B4 D8 22 17 B2
+
+ additional_data:
+ 00000: 17 03 03 00 13
+
+ TLSInnerPlaintext:
+ 00000: 01 00 15
+
+ Record layer message:
+ type: 17
+ legacy_record_version: 0303
+ length: 0013
+ encrypted_record: 7CBC00AD5D29E301739394D31942C6A1
+ 6658E9
+
+ TLSCiphertext:
+ 00000: 17 03 03 00 13 7C BC 00 AD 5D 29 E3 01 73 93 94
+ 00010: D3 19 42 C6 A1 66 58 E9
+
+ ---------------------------Client---------------------------
+ Alert message:
+ level: 01
+ description: 00
+
+ 00000: 01 00
+
+ Record payload protection:
+
+ client_record_write_key = TLSTREE(client_write_key_ap, 10):
+ 00000: B8 2D 78 25 D1 5F AE 18 A7 01 32 28 B3 1C B0 C5
+ 00010: 97 52 C6 40 9C 5F 78 99 EC C6 95 0F 74 63 C0 90
+
+
+ seqnum:
+ 00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0A
+
+ nonce:
+ 00000: 31 09 57 EF 71 31 44 33 F5 76 CC 9B 00 AD 93 5E
+
+ additional_data:
+ 00000: 17 03 03 00 13
+
+ TLSInnerPlaintext:
+ 00000: 01 00 15
+
+ Record layer message:
+ type: 17
+ legacy_record_version: 0303
+ length: 0013
+ encrypted_record: CB19F306C3641754BE4FC95390DF06F9
+ CD44AA
+
+ TLSCiphertext:
+ 00000: 17 03 03 00 13 CB 19 F3 06 C3 64 17 54 BE 4F C9
+ 00010: 53 90 DF 06 F9 CD 44 AA
+
+A.2. Example 2
+
+A.2.1. Test Case
+
+ Test examples are given for the following instance of the TLS13_GOST
+ profile:
+
+ 1. Full TLS Handshake is used.
+
+ 2. PSK with ECDHE key exchange mode is used. The elliptic curve
+ GC256B is used for ECDHE shared secret calculation.
+
+ 3. Authentication is used on the server and client sides. The
+ external PSK is used for the mutual authentication.
+
+ 4. TLS_GOSTR341112_256_WITH_MAGMA_MGM_L cipher suite is negotiated.
+
+ 5. Four Application Data records are sent during the operation of
+ the Record protocol. The sequence numbers are selected to
+ demonstrate the operation of the TLSTREE function.
+
+ 6. Alert protocol is used for closure of the connection.
+
+A.2.2. Test Examples
+
+ ePSK:
+ 00000: 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80
+ 00000: 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80 80
+
+
+ ---------------------------Client---------------------------
+
+ ClientHello1 message:
+ msg_type: 01
+ length: 00007B
+ body:
+ legacy_version: 0303
+ random: 01010101010101010101010101010101
+ 01010101010101010101010101010101
+ legacy_session_id:
+ length: 00
+ vector: --
+ cipher_suites:
+ length: 0002
+ vector:
+ CipherSuite: C104
+ compression_methods:
+ length: 01
+ vector:
+ CompressionMethod: 00
+ extensions:
+ length: 0050
+ vector:
+ Extension: /* supported_groups */
+ extension_type: 000A
+ extension_data:
+ length: 0006
+ vector:
+ named_group_list:
+ length: 0004
+ vector:
+ /* GC256B */
+ 0023
+ /* GC512C */
+ 0028
+ Extension: /* supported_versions */
+ extension_type: 002B
+ extension_data:
+ length: 0003
+ vector:
+ versions:
+ length: 02
+ vector:
+ 0304
+ Extension: /* psk_key_exchange_modes */
+ extension_type: 002D
+ extension_data:
+ length: 0002
+ vector:
+ ke_modes:
+ length: 01
+ vector:
+ /* psk_dhe_ke */
+ 01
+ Extension: /* key_share */
+ extension_type: 0033
+ extension_data:
+ length: 0002
+ client_shares:
+ length: 0000
+ vector: --
+ Extension: /* pre_shared_key */
+ extension_type: 0029
+ extension_data:
+ length: 002F
+ vector:
+ identities:
+ length: 000A
+ vector:
+ identity:
+ length: 0004
+ vector: 6550534B
+ obfuscated_ticket_age: 00000000
+ binders:
+ length: 0021
+ vector:
+ binder:
+ length: 20
+ vector: 6F3A0B91F2945EF7056DB74302BC34B6
+ DF77A88E09C587508AB6287C6C0514AD
+
+ Truncate(ClientHello1):
+ 0000: 01 00 00 7B 03 03 01 01 01 01 01 01 01 01 01 01
+ 0010: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
+ 0020: 01 01 01 01 01 01 00 00 02 C1 04 01 00 00 50 00
+ 0030: 0A 00 06 00 04 00 23 00 28 00 2B 00 03 02 03 04
+ 0040: 00 2D 00 02 01 01 00 33 00 02 00 00 00 29 00 2F
+ 0050: 00 0A 00 04 65 50 53 4B 00 00 00 00
+
+ Hash(Truncate(ClientHello1)):
+ 0000: CC 9C A9 FC 18 DF 7A 2F 5F 63 27 D7 7B EA DC F1
+ 0010: A7 3D 80 97 7F EB EA B4 F0 D3 83 39 30 00 2B 8D
+
+ EarlySecret = HKDF-Extract(Salt: 0^Hlen, IKM: ePSK):
+ 00000: 42 30 7A 99 68 18 34 0D D0 56 2F 7F EB E6 2A B5
+ 00010: 70 F3 BC 88 9C A9 29 3A 89 0D F2 09 B9 1B BB F3
+
+ binder_key = Derive-Secret(EarlySecret, "ext binder", "") =
+ HKDF-Expand-Label(EarlySecret, "ext binder", "", 32):
+ 00000: A4 37 62 C3 5E 75 54 1A 15 58 A0 8D 15 50 D3 29
+ 00010: 4C C3 F9 0C 73 99 EC C0 50 B9 15 37 A2 4C D5 E4
+
+ finished_binder_key =
+ HKDF-Expand-Label(binder_key, "finished", "", 32):
+ 00000: F5 6F 59 C2 E2 F8 E7 7C 69 80 1F B1 7D B4 C1 8B
+ 00010: ED 96 EB 32 FC D7 AB 95 AD D6 B1 CF F1 73 E6 65
+
+ binder = HMAC(finished_binder_key, Hash(Truncate(ClientHello1))):
+ 00000: 6F 3A 0B 91 F2 94 5E F7 05 6D B7 43 02 BC 34 B6
+ 00010: DF 77 A8 8E 09 C5 87 50 8A B6 28 7C 6C 05 14 AD
+
+ 0000: 01 00 00 7B 03 03 01 01 01 01 01 01 01 01 01 01
+ 0010: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
+ 0020: 01 01 01 01 01 01 00 00 02 C1 04 01 00 00 50 00
+ 0030: 0A 00 06 00 04 00 23 00 28 00 2B 00 03 02 03 04
+ 0040: 0A 07 0B 07 0C 07 0D 07 0E 07 0F 00 2B 00 03 02
+ 0050: 00 2D 00 02 01 01 00 33 00 02 00 00 00 29 00 2F
+ 0060: 00 0A 00 04 65 50 53 4B 00 00 00 00 00 21 20 6F
+ 0070: 3A 0B 91 F2 94 5E F7 05 6D B7 43 02 BC 34 B6 DF
+ 0080: 77 A8 8E 09 C5 87 50 8A B6 28 7C 6C 05 14 AD
+
+ Record layer message:
+ type: 16
+ legacy_record_version: 0301
+ length: 007F
+ fragment: 0100007B030301010101010101010101
+ 01010101010101010101010101010101
+ 010101010101000002C1040100005000
+ 0A0006000400230028002B0003020304
+ 0A070B070C070D070E070F002B000302
+ 002D000201010033000200000029002F
+ 000A00046550534B000000000021206F
+ 3A0B91F2945EF7056DB74302BC34B6DF
+ 77A88E09C587508AB6287C6C0514AD
+
+ 00000: 16 03 01 00 7F 01 00 00 7B 03 03 01 01 01 01 01
+ 00010: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
+ 00020: 01 01 01 01 01 01 01 01 01 01 01 00 00 02 C1 04
+ 00030: 01 00 00 50 00 0A 00 06 00 04 00 23 00 28 00 2B
+ 00040: 00 03 02 03 04 0A 07 0B 07 0C 07 0D 07 0E 07 0F
+ 00050: 00 2B 00 03 02 00 2D 00 02 01 01 00 33 00 02 00
+ 00060: 00 00 29 00 2F 00 0A 00 04 65 50 53 4B 00 00 00
+ 00070: 00 00 21 20 6F 3A 0B 91 F2 94 5E F7 05 6D B7 43
+ 00080: 02 BC 34 B6 DF 77 A8 8E 09 C5 87 50 8A B6 28 7C
+ 00090: 6C 05 14 AD
+
+
+ ---------------------------Server---------------------------
+
+ HelloRetryRequest message:
+ msg_type: 02
+ length: 000034
+ body:
+ legacy_version: 0303
+ random: CF21AD74E59A6111BE1D8C021E65B891
+ C2A211167ABB8C5E079E09E2C8A8339C
+ legacy_session_id:
+ length: 00
+ vector: --
+ cipher_suite:
+ CipherSuite: C104
+ compression_method:
+ CompressionMethod: 00
+ extensions:
+ length: 000C
+ vector:
+ Extension: /* supported_versions */
+ extension_type: 002B
+ extension_data:
+ length: 0002
+ vector:
+ selected_version:
+ 0304
+ Extension: /* key_share */
+ extension_type: 0033
+ extension_data:
+ length: 0002
+ selected_group: 0023
+
+ 00000: 02 00 00 34 03 03 CF 21 AD 74 E5 9A 61 11 BE 1D
+ 00010: 8C 02 1E 65 B8 91 C2 A2 11 16 7A BB 8C 5E 07 9E
+ 00020: 09 E2 C8 A8 33 9C 00 C1 04 00 00 0C 00 2B 00 02
+ 00030: 03 04 00 33 00 02 00 23
+
+ Record layer message:
+ type: 16
+ legacy_record_version: 0303
+ length: 0038
+ fragment: 020000340303CF21AD74E59A6111BE1D
+ 8C021E65B891C2A211167ABB8C5E079E
+ 09E2C8A8339C00C10400000C002B0002
+ 0304003300020023
+
+ 00000: 16 03 03 00 38 02 00 00 34 03 03 CF 21 AD 74 E5
+ 00010: 9A 61 11 BE 1D 8C 02 1E 65 B8 91 C2 A2 11 16 7A
+ 00020: BB 8C 5E 07 9E 09 E2 C8 A8 33 9C 00 C1 04 00 00
+ 00030: 0C 00 2B 00 02 03 04 00 33 00 02 00 23
+
+ ---------------------------Client---------------------------
+
+ ClientHello2 message:
+ msg_type: 01
+ length: 0000BF
+ body:
+ legacy_version: 0303
+ random: 01010101010101010101010101010101
+ 01010101010101010101010101010101
+ legacy_session_id:
+ length: 00
+ vector: --
+ cipher_suites:
+ length: 0002
+ vector:
+ CipherSuite: C104
+ compression_methods:
+ length: 01
+ vector:
+ CompressionMethod: 00
+ extensions:
+ length: 0094
+ vector:
+ Extension: /* supported_groups */
+ extension_type: 000A
+ extension_data:
+ length: 0006
+ vector:
+ named_group_list:
+ length: 0004
+ vector:
+ /* GC256B */
+ 0023
+ /* GC512C */
+ 0028
+ Extension: /* supported_versions */
+ extension_type: 002B
+ extension_data:
+ length: 0003
+ vector:
+ versions:
+ length: 02
+ vector:
+ 0304
+ Extension: /* psk_key_exchange_modes */
+ extension_type: 002D
+ extension_data:
+ length: 0002
+ vector:
+ ke_modes:
+ length: 01
+ vector:
+ /* psk_dhe_ke */
+ 01
+ Extension: /* key_share */
+ extension_type: 0033
+ extension_data:
+ length: 0046
+ client_shares:
+ length: 0044
+ vector:
+ group: 0023
+ key_exchange:
+ length: 0040
+ vector:
+ D35AA795C452450949591D60E7D5C076
+ 056D6646F3B80708CDC2E7034DE85F68
+ D1122DC32A3B986D40FF910622A06C12
+ 26D9EC3A7D3A52E0A37C282C47602A43
+ Extension: /* pre_shared_key */
+ extension_type: 0029
+ extension_data:
+ length: 002F
+ vector:
+ identities:
+ length: 000A
+ vector:
+ identity:
+ length: 0004
+ vector: 6550534B
+ obfuscated_ticket_age: 00000000
+ binders:
+ length: 0021
+ vector:
+ binder:
+ length: 20
+ vector: 0BF74AA3933B7D1A66961B6E2CFB6A28
+ 04D696BB607710E3F56DDA91F56B57CB
+
+ Truncate(ClientHello2):
+ 0000: 01 00 00 BF 03 03 01 01 01 01 01 01 01 01 01 01
+ 0010: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
+ 0020: 01 01 01 01 01 01 00 00 02 C1 04 01 00 00 94 00
+ 0030: 0A 00 06 00 04 00 23 00 28 00 2B 00 03 02 03 04
+ 0040: 00 2D 00 02 01 01 00 33 00 46 00 44 00 23 00 40
+ 0050: D3 5A A7 95 C4 52 45 09 49 59 1D 60 E7 D5 C0 76
+ 0060: 05 6D 66 46 F3 B8 07 08 CD C2 E7 03 4D E8 5F 68
+ 0070: D1 12 2D C3 2A 3B 98 6D 40 FF 91 06 22 A0 6C 12
+ 0080: 26 D9 EC 3A 7D 3A 52 E0 A3 7C 28 2C 47 60 2A 43
+ 0090: 00 29 00 2F 00 0A 00 04 65 50 53 4B 00 00 00 00
+
+ finished_binder_key:
+ 00000: F5 6F 59 C2 E2 F8 E7 7C 69 80 1F B1 7D B4 C1 8B
+ 00010: ED 96 EB 32 FC D7 AB 95 AD D6 B1 CF F1 73 E6 65
+
+ BinderMsg = (FE 00 00 20 | Hash(ClientHello1), HelloRetryRequest,
+ Truncate(ClientHello2))
+
+ Hash(BinderMsg) =
+ 73 7C 63 74 1B 3A EA DF C8 73 DF 6E EA 81 19 32
+ BF CE 93 4F AA 85 84 F1 44 F8 77 13 E0 D0 CA 32
+
+ binder = HMAC(finished_binder_key, Hash(BinderMsg)) =
+ 0B F7 4A A3 93 3B 7D 1A 66 96 1B 6E 2C FB 6A 28
+ 04 D6 96 BB 60 77 10 E3 F5 6D DA 91 F5 6B 57 CB
+
+
+ 0000: 01 00 00 BF 03 03 01 01 01 01 01 01 01 01 01 01
+ 0010: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
+ 0020: 01 01 01 01 01 01 00 00 02 C1 04 01 00 00 94 00
+ 0030: 0A 00 06 00 04 00 23 00 28 00 2B 00 03 02 03 04
+ 0040: 00 2D 00 02 01 01 00 33 00 46 00 44 00 23 00 40
+ 0050: D3 5A A7 95 C4 52 45 09 49 59 1D 60 E7 D5 C0 76
+ 0060: 05 6D 66 46 F3 B8 07 08 CD C2 E7 03 4D E8 5F 68
+ 0070: D1 12 2D C3 2A 3B 98 6D 40 FF 91 06 22 A0 6C 12
+ 0080: 26 D9 EC 3A 7D 3A 52 E0 A3 7C 28 2C 47 60 2A 43
+ 0090: 00 29 00 2F 00 0A 00 04 65 50 53 4B 00 00 00 00
+ 00A0: 00 21 20 0B F7 4A A3 93 3B 7D 1A 66 96 1B 6E 2C
+ 00B0: FB 6A 28 04 D6 96 BB 60 77 10 E3 F5 6D DA 91 F5
+ 00C0: 6B 57 CB
+
+
+ Record layer message:
+ type: 16
+ legacy_record_version: 0303
+ length: 00C3
+ fragment: 010000BF030301010101010101010101
+ 01010101010101010101010101010101
+ 010101010101000002C1040100009400
+ 0A0006000400230028002B0003020304
+ 002D0002010100330046004400230040
+ D35AA795C452450949591D60E7D5C076
+ 056D6646F3B80708CDC2E7034DE85F68
+ D1122DC32A3B986D40FF910622A06C12
+ 26D9EC3A7D3A52E0A37C282C47602A43
+ 0029002F000A00046550534B00000000
+ 0021200BF74AA3933B7D1A66961B6E2C
+ FB6A2804D696BB607710E3F56DDA91F5
+ 6B57CB
+
+ 00000: 16 03 03 00 C3 01 00 00 BF 03 03 01 01 01 01 01
+ 00010: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
+ 00020: 01 01 01 01 01 01 01 01 01 01 01 00 00 02 C1 04
+ 00030: 01 00 00 94 00 0A 00 06 00 04 00 23 00 28 00 2B
+ 00040: 00 03 02 03 04 00 2D 00 02 01 01 00 33 00 46 00
+ 00050: 44 00 23 00 40 D3 5A A7 95 C4 52 45 09 49 59 1D
+ 00060: 60 E7 D5 C0 76 05 6D 66 46 F3 B8 07 08 CD C2 E7
+ 00070: 03 4D E8 5F 68 D1 12 2D C3 2A 3B 98 6D 40 FF 91
+ 00080: 06 22 A0 6C 12 26 D9 EC 3A 7D 3A 52 E0 A3 7C 28
+ 00090: 2C 47 60 2A 43 00 29 00 2F 00 0A 00 04 65 50 53
+ 000A0: 4B 00 00 00 00 00 21 20 0B F7 4A A3 93 3B 7D 1A
+ 000B0: 66 96 1B 6E 2C FB 6A 28 04 D6 96 BB 60 77 10 E3
+ 000C0: F5 6D DA 91 F5 6B 57 CB
+
+ ---------------------------Server---------------------------
+
+ ServerHello message:
+ msg_type: 02
+ length: 00007C
+ body:
+ legacy_version: 0303
+ random: 82828282828282828282828282828282
+ 82828282828282828282828282828282
+
+
+ legacy_session_id:
+ length: 00
+ vector: --
+ cipher_suite:
+ CipherSuite: C104
+ compression_method:
+ CompressionMethod: 00
+ extensions:
+ length: 0054
+ vector:
+ Extension: /* supported_versions */
+ extension_type: 002B
+ extension_data:
+ length: 0002
+ vector:
+ selected_version:
+ 0304
+ Extension: /* key_share */
+ extension_type: 0033
+ extension_data:
+ length: 0044
+ vector:
+ group: 0023
+ key_exchange:
+ length: 0040
+ vector:
+ 3D2FB067E106CC9980FB8842811164BA
+ 708BBB5038D5EDFBEE1D5E5DFBE6F74F
+ 1931217C67C2BDF46253DB9CE3487241
+ F2DBD84E2DABDF65455851B0B19AEFEC
+ Extension: /* pre_shared_key */
+ extension_type: 0029
+ extension_data:
+ length: 0002
+ selected_identity: 0000
+
+ 00000: 02 00 00 7C 03 03 82 82 82 82 82 82 82 82 82 82
+ 00010: 82 82 82 82 82 82 82 82 82 82 82 82 82 82 82 82
+ 00020: 82 82 82 82 82 82 00 C1 04 00 00 54 00 2B 00 02
+ 00030: 03 04 00 33 00 44 00 23 00 40 3D 2F B0 67 E1 06
+ 00040: CC 99 80 FB 88 42 81 11 64 BA 70 8B BB 50 38 D5
+ 00050: ED FB EE 1D 5E 5D FB E6 F7 4F 19 31 21 7C 67 C2
+ 00060: BD F4 62 53 DB 9C E3 48 72 41 F2 DB D8 4E 2D AB
+ 00070: DF 65 45 58 51 B0 B1 9A EF EC 00 29 00 02 00 00
+
+
+ Record layer message:
+ type: 16
+ legacy_record_version: 0303
+ length: 0080
+ fragment: 020000410303933EA21E49C31BC3A345
+ 6165889684CAA5576CE7924A24F58113
+ 808DBD9EF85610C3802A561550EC78D6
+ ED51AC2439D7E7C101000009FF010001
+ 0000170000
+
+ 00000: 16 03 03 00 80 02 00 00 7C 03 03 82 82 82 82 82
+ 00010: 82 82 82 82 82 82 82 82 82 82 82 82 82 82 82 82
+ 00020: 82 82 82 82 82 82 82 82 82 82 82 00 C1 04 00 00
+ 00030: 54 00 2B 00 02 03 04 00 33 00 44 00 23 00 40 3D
+ 00040: 2F B0 67 E1 06 CC 99 80 FB 88 42 81 11 64 BA 70
+ 00050: 8B BB 50 38 D5 ED FB EE 1D 5E 5D FB E6 F7 4F 19
+ 00060: 31 21 7C 67 C2 BD F4 62 53 DB 9C E3 48 72 41 F2
+ 00070: DB D8 4E 2D AB DF 65 45 58 51 B0 B1 9A EF EC 00
+ 00080: 29 00 02 00 00
+
+
+ ---------------------------Client---------------------------
+
+ d_C^res:
+ 00000: 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02
+ 00010: 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02
+
+
+ Q_S^res:
+ 00000: 3D 2F B0 67 E1 06 CC 99 80 FB 88 42 81 11 64 BA
+ 00010: 70 8B BB 50 38 D5 ED FB EE 1D 5E 5D FB E6 F7 4F
+ 00020: 19 31 21 7C 67 C2 BD F4 62 53 DB 9C E3 48 72 41
+ 00030: F2 DB D8 4E 2D AB DF 65 45 58 51 B0 B1 9A EF EC
+
+
+
+ ECDHE:
+ 00000: 98 5A 86 59 D5 5A 8D 48 E0 E6 77 13 96 58 0B 2C
+ 00010: DC DA 37 E9 2A EE 18 14 D1 0E 1B F2 A4 4F 0D 24
+
+
+ ---------------------------Server---------------------------
+
+ d_S^res:
+ 00000: 83 83 83 83 83 83 83 83 83 83 83 83 83 83 83 83
+ 00010: 83 83 83 83 83 83 83 83 83 83 83 83 83 83 83 83
+
+
+ Q_C^res:
+ 00000: D3 5A A7 95 C4 52 45 09 49 59 1D 60 E7 D5 C0 76
+ 00010: 05 6D 66 46 F3 B8 07 08 CD C2 E7 03 4D E8 5F 68
+ 00020: D1 12 2D C3 2A 3B 98 6D 40 FF 91 06 22 A0 6C 12
+ 00030: 26 D9 EC 3A 7D 3A 52 E0 A3 7C 28 2C 47 60 2A 43
+
+
+ ECDHE:
+ 00000: 98 5A 86 59 D5 5A 8D 48 E0 E6 77 13 96 58 0B 2C
+ 00010: DC DA 37 E9 2A EE 18 14 D1 0E 1B F2 A4 4F 0D 24
+
+ ---------------------------Server---------------------------
+
+ EncryptedExtensions message:
+ msg_type: 08
+ length: 000002
+ body:
+ extensions:
+ length: 0000
+ vector: --
+
+ 00000: 08 00 00 02 00 00
+
+ Record payload protection:
+
+ EarlySecret = HKDF-Extract(Salt: 0^256, IKM: ePSK):
+ 00000: 42 30 7A 99 68 18 34 0D D0 56 2F 7F EB E6 2A B5
+ 00010: 70 F3 BC 88 9C A9 29 3A 89 0D F2 09 B9 1B BB F3
+
+ Derived #0 = Derive-Secret(EarlySecret, "derived", "") =
+ HKDF-Expand-Label(EarlySecret, "derived", "", 32):
+ 00000: 6B 4E 9C 49 C5 C6 F1 7F 60 B2 B8 4B 55 0A 16 38
+ 00010: 14 09 5B 80 88 8E C0 B0 CA 52 E4 09 0C B3 F8 BE
+
+
+ HandshakeSecret = HKDF-Extract(Salt: Derived #0, IKM: ECDHE):
+ 00000: A9 CB E6 58 50 2F 3F D1 18 66 51 5F D6 15 E9 88
+ 00010: 0D 1E 61 B5 28 34 BB FD 5F 19 C2 4C 53 C8 79 7F
+
+
+ HM1 = (FE 00 00 20 | Hash(ClientHello1), HelloRetryRequest,
+ ClientHello2, ServerHello)
+
+ TH1 = Transcript-Hash(HM1):
+ 00000: 88 8D 5D 1E 15 98 65 05 97 3E F2 0F 9A FA F5 71
+ 00010: 20 A3 66 C2 D2 19 91 D1 5E 25 07 0C 3D 07 D5 E9
+
+ server_handshake_traffic_secret (SHTS):
+ SHTS = Derive-Secret(HandshakeSecret, "s hs traffic", HM1) =
+ HKDF-Expand-Label(HandshakeSecret, "s hs traffic", TH1, 32):
+ 00000: 4E F8 68 E5 5B 27 F8 88 8A 6F 82 DA A7 0B 01 1B
+ 00010: DA B1 77 95 10 F0 88 78 A0 22 2B 3E 2C 76 E6 83
+
+ server_write_key_hs = HKDF-Expand-Label(SHTS, "key", "", 32):
+ 00000: DB 61 9B 58 F4 41 1E 33 4F 07 EA C7 7C EF EF CA
+ 00010: 78 41 F5 40 88 B8 D0 D5 CE 6A 62 C9 82 85 C6 81
+
+ server_write_iv_hs = HKDF-Expand-Label(SHTS, "iv", "", 16):
+ 00000: FC 9E 2A C6 63 04 C2 5B
+
+ server_record_write_key = TLSTREE(server_write_key_hs, 0):
+ 00000: 3C 7D F3 5E AC F4 FE 71 EA 6A DC E0 DC 44 5D D3
+ 00010: A9 29 EF CD 08 3F 18 2F BD 51 42 BA 68 6D 38 84
+
+ seqnum:
+ 00000: 00 00 00 00 00 00 00 00
+
+ nonce:
+ 00000: 7C 9E 2A C6 63 04 C2 5B
+
+ additional_data:
+ 00000: 17 03 03 00 0F
+
+ TLSInnerPlaintext:
+ 00000: 08 00 00 02 00 00 16
+
+ TLSCiphertext:
+ 00000: 17 03 03 00 0F 49 67 A7 E1 AE 7B FB 37 5A 0F 4B
+ 00010: 25 45 91 17
+
+ Record layer message:
+ type: 17
+ legacy_record_version: 0303
+ length: 000F
+ encrypted_record: 4967A7E1AE7BFB375A0F4B
+ 25459117
+
+ 00000: 17 03 03 00 0F 49 67 A7 E1 AE 7B FB 37 5A 0F 4B
+ 00010: 25 45 91 17
+
+ ---------------------------Server---------------------------
+
+ server_finished_key = HKDF-Expand-Label(SHTS, "finished", "", 32):
+ 00000: AF 41 F7 7A CB 18 B4 C5 9D E0 F7 8D 46 D5 AE 95
+ 00010: 7A A4 92 A7 D8 D8 2A 36 F4 B2 09 B8 20 7C 79 03
+
+ HMFinished = (FE 00 00 20 | Hash(ClientHello1), HelloRetryRequest,
+ ClientHello2, ServerHello, EncryptedExtensions)
+
+ Transcript-Hash(HMFinished):
+ 00000: E0 5D D6 C9 DE BA 09 3D 72 AD 6F 4A 7D 0E 11 95
+ 00010: FC E7 AE 31 93 F2 FF 5B 2D 0B F6 14 8E CB E7 B9
+
+ FinishedHash =
+ HMAC(server_finished_key,Transcript-Hash(HMFinished)):
+ 00000: 96 14 5B 61 68 E0 1C 4C F2 99 50 96 EE 12 C8 6B
+ 00010: 1F 53 1F 96 0A 48 9D E9 C3 44 2A 24 33 E9 AE EE
+
+ Finished message:
+ msg_type: 14
+ length: 000020
+ body:
+ verify_data: 96145B6168E01C4CF2995096EE12C86B
+ 1F531F960A489DE9C3442A2433E9AEEE
+
+ 00000: 14 00 00 20 96 14 5B 61 68 E0 1C 4C F2 99 50 96
+ 00010: EE 12 C8 6B 1F 53 1F 96 0A 48 9D E9 C3 44 2A 24
+ 00020: 33 E9 AE EE
+
+ Record payload protection:
+
+ server_record_write_key = TLSTREE(server_write_key_hs, 1):
+ 00000: 3C 7D F3 5E AC F4 FE 71 EA 6A DC E0 DC 44 5D D3
+ 00010: A9 29 EF CD 08 3F 18 2F BD 51 42 BA 68 6D 38 84
+
+ seqnum:
+ 00000: 00 00 00 00 00 00 00 01
+
+ nonce:
+ 00000: 7C 9E 2A C6 63 04 C2 5A
+
+ additional_data:
+ 00000: 17 03 03 00 2D
+
+ TLSInnerPlaintext:
+ 00000: 14 00 00 20 96 14 5B 61 68 E0 1C 4C F2 99 50 96
+ 00010: EE 12 C8 6B 1F 53 1F 96 0A 48 9D E9 C3 44 2A 24
+ 00020: 33 E9 AE EE 16
+
+ Record layer message:
+ type: 17
+ legacy_record_version: 0303
+ length: 002D
+ encrypted_record: 3BFB2AEADBC349FD89AFB8E481F8426B
+ CC6B7F5D975FE05E5B28755C00BF353F
+ CA6A48E9F0145993C40CE06F37
+
+ TLSCiphertext:
+ 00000: 17 03 03 00 2D 3B FB 2A EA DB C3 49 FD 89 AF B8
+ 00010: E4 81 F8 42 6B CC 6B 7F 5D 97 5F E0 5E 5B 28 75
+ 00020: 5C 00 BF 35 3F CA 6A 48 E9 F0 14 59 93 C4 0C E0
+ 00030: 6F 37
+
+
+ ---------------------------Client---------------------------
+
+ EarlySecret = HKDF-Extract(Salt: 0^256, IKM: ePSK):
+ 00000: 42 30 7A 99 68 18 34 0D D0 56 2F 7F EB E6 2A B5
+ 00010: 70 F3 BC 88 9C A9 29 3A 89 0D F2 09 B9 1B BB F3
+
+ Derived #0 = Derive-Secret(EarlySecret, "derived", "") =
+ HKDF-Expand-Label(EarlySecret, "derived", "", 32):
+ 00000: 6B 4E 9C 49 C5 C6 F1 7F 60 B2 B8 4B 55 0A 16 38
+ 00010: 14 09 5B 80 88 8E C0 B0 CA 52 E4 09 0C B3 F8 BE
+
+ HandshakeSecret = HKDF-Extract(Salt: Derived #0, IKM: ECDHE):
+ 00000: A9 CB E6 58 50 2F 3F D1 18 66 51 5F D6 15 E9 88
+ 00010: 0D 1E 61 B5 28 34 BB FD 5F 19 C2 4C 53 C8 79 7F
+
+ HM1 = (FE 00 00 20 | Hash(ClientHello1), HelloRetryRequest,
+ ClientHello2, ServerHello)
+
+ TH1 = Transcript-Hash(HM1):
+ 00000: 88 8D 5D 1E 15 98 65 05 97 3E F2 0F 9A FA F5 71
+ 00010: 20 A3 66 C2 D2 19 91 D1 5E 25 07 0C 3D 07 D5 E9
+
+ client_handshake_traffic_secret (CHTS):
+ CHTS = Derive-Secret(HandshakeSecret, "c hs traffic", HM1) =
+ HKDF-Expand-Label(HandshakeSecret, "c hs traffic", TH1, 32):
+ 00000: DF 00 4B 79 A1 D3 51 55 97 1B 0E 84 C8 91 99 7F
+ 00010: FE E6 D0 1B 27 04 23 CC 74 64 4B 25 47 3E 78 60
+
+ client_finished_key = HKDF-Expand-Label(CHTS, "finished", "", 32):
+ 00000: 1F A6 7D 28 9F F2 A6 85 C7 BE 13 FD F5 60 A6 D5
+ 00010: A9 F5 EA 85 63 AD 6C C7 B4 85 30 76 59 A5 55 81
+
+ HM2 = (FE 00 00 20 | Hash(ClientHello1), HelloRetryRequest,
+ ClientHello2, ServerHello,
+ EncryptedExtensions, Server Finished)
+
+ TH2 =Transcript-Hash(HM2):
+ 00000: 53 06 24 EE 07 6F FF E1 04 DC 15 EB B4 2D 78 8F
+ 00010: 1E 4F EB 3E 8C 2D CF A5 CB 85 D7 2F 81 D0 6D 15
+
+ FinishedHash = HMAC(client_finished_key, TH2):
+ 00000: BB 83 09 94 BE 38 A9 8F FC A3 BF D2 35 CD 80 7E
+ 00010: 81 82 1E 67 37 AB 98 31 43 DC A9 7B 9E E0 23 25
+
+ Finished message:
+ msg_type: 14
+ length: 000020
+ body:
+ verify_data: BB830994BE38A98FFCA3BFD235CD807E
+ 81821E6737AB983143DCA97B9EE02325
+
+ 00000: 14 00 00 20 BB 83 09 94 BE 38 A9 8F FC A3 BF D2
+ 00010: 35 CD 80 7E 81 82 1E 67 37 AB 98 31 43 DC A9 7B
+ 00020: 9E E0 23 25
+
+ Record payload protection:
+
+ client_write_key_hs = HKDF-Expand-Label(CHTS, "key", "", 32):
+ 00000: DF 66 60 1E DD D6 4E 96 1D FC 7D D0 21 2E F2 25
+ 00010: C0 05 33 E6 DA A4 AD 24 18 5E BE B2 24 B5 46 B8
+
+ client_write_iv_hs = HKDF-Expand-Label(CHTS, "iv", "", 16):
+ 00000: E8 94 3C 9F A2 88 56 A1
+
+ client_record_write_key = TLSTREE(client_write_key_hs, 0):
+ 00000: BD 00 9F FC 04 A0 52 9E 60 78 EB A5 A0 7A DE 74
+ 00010: 93 7F F3 A1 AB 75 F7 AE 05 19 04 78 51 9B 6D F3
+
+ seqnum:
+ 00000: 00 00 00 00 00 00 00 00
+
+ nonce:
+ 00000: 68 94 3C 9F A2 88 56 A1
+
+ additional_data:
+ 00000: 17 03 03 00 2D
+
+ TLSInnerPlaintext:
+ 00000: 14 00 00 20 BB 83 09 94 BE 38 A9 8F FC A3 BF D2
+ 00010: 35 CD 80 7E 81 82 1E 67 37 AB 98 31 43 DC A9 7B
+ 00020: 9E E0 23 25 16
+
+
+ Record layer message:
+ type: 17
+ legacy_record_version: 0303
+ length: 002D
+ encrypted_record: 14254CA6B9EBCC4A951A3D1F1040B0B1
+ 45446DF131946CEECBDB6A8EC534F194
+ 223281B56532A703C492160E2C
+
+ TLSCiphertext:
+ 00000: 17 03 03 00 2D 14 25 4C A6 B9 EB CC 4A 95 1A 3D
+ 00010: 1F 10 40 B0 B1 45 44 6D F1 31 94 6C EE CB DB 6A
+ 00020: 8E C5 34 F1 94 22 32 81 B5 65 32 A7 03 C4 92 16
+ 00030: 0E 2C
+
+
+ ---------------------------Server---------------------------
+
+ Application data:
+ 00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ [...]
+ 000003F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+
+ Record payload protection:
+ Derived #1 = Derive-Secret(HandshakeSecret, "derived", "") =
+ HKDF-Expand-Label(HandshakeSecret, "derived", "", 32):
+ 00000: BC 4D 6F E3 D9 43 78 21 1D 3D 64 1C 75 92 EB AA
+ 00010: 7A A2 96 47 9C 57 BD D1 E1 4C 7B 04 9F 6D F1 CD
+
+ MainSecret = HKDF-Extract(Salt: Derived #1, IKM: 0^256):
+ 00000: DB FF 82 86 2E 54 A1 41 3E 6C 2E D8 2C 6D A5 AF
+ 00010: FD BF DE 12 30 2E 49 75 5B 61 F2 06 32 E1 0A 42
+
+ HM2 = (FE 00 00 20 | Hash(ClientHello1), HelloRetryRequest,
+ ClientHello2, ServerHello,
+ EncryptedExtensions, Server Finished)
+
+ TH2 = Transcript-Hash(HM2):
+ 00000: 53 06 24 EE 07 6F FF E1 04 DC 15 EB B4 2D 78 8F
+ 00010: 1E 4F EB 3E 8C 2D CF A5 CB 85 D7 2F 81 D0 6D 15
+
+ SATS = Derive-Secret(MainSecret, "s ap traffic", HM2) =
+ HKDF-Expand-Label(MainSecret, "s ap traffic", TH2, 32):
+ 00000: 52 91 26 2B EC B5 22 69 34 3A E8 27 9B 43 54 B1
+ 00010: 89 22 D5 15 04 60 8B A7 21 C4 72 46 7E EE E8 78
+
+ server_write_key_ap = HKDF-Expand-Label(SATS, "key", "", 32):
+ 00000: 15 D9 2C 51 47 B2 13 10 ED ED F5 5B 3D 7A B7 76
+ 00000: 81 7D 6F E2 FC F2 30 D7 E3 F2 92 75 F6 E2 41 EC
+
+ server_write_iv_ap = HKDF-Expand-Label(SATS, "iv", "", 8):
+ 00000: 71 2E 2F 11 CD 50 6E B9
+
+ server_record_write_key = TLSTREE(server_write_key_ap, 0):
+ 00000: 7B B8 81 55 35 98 DE F5 34 FC AF 9B 77 A3 35 5B
+ 00010: C3 BC A3 87 4D 67 40 F6 CB F5 C1 B6 D3 5C 65 ED
+
+ seqnum:
+ 00000: 00 00 00 00 00 00 00 00
+
+ nonce:
+ 00000: 71 2E 2F 11 CD 50 6E B9
+
+ additional_data:
+ 00000: 17 03 03 04 09
+
+ TLSInnerPlaintext:
+ 00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ [...]
+ 000003F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 00000400: 17
+
+ Record layer message:
+ type: 17
+ legacy_record_version: 0303
+ length: 0409
+ encrypted_record: 7CAA82039F67326C2D735EE809B57750
+ 945F5CE2B0C47B8EF1ECADA3D3F1AD9E
+ 3FBA5926FDB2B61197D08B8B1399167B
+ 6C249C90C0A3101452FD72078FBFB057
+ 31E06215019395DDCF44AA763DCB1ACA
+ 8B3F47D033FBA12E7C0FBB4DFBDABD8B
+ 97E996E8E36231BE8015412B90CCCFBB
+ E2BC967E597FC2E7B251A9BBEBAA245B
+ 63139387203DB90BD1BF5300A5B577BF
+ 46793DB1AA30FEDFD1E6A5
+ [...]
+ E1D55816BFD6BFFBF6E6FB23D86117D2
+ 47441BC211D078199C1F8340BE808BA6
+ E5BE092B9E081E95D4A57672A07970A6
+ 1FEF2F4B12A0F401FA30B813FE7CD1BF
+ 881485157381B8489EC36296C6EE7538
+ 0FB1DAA1B1473358FD87AA41D5DBA089
+ F528BD5F3B41B34002D945D7E0C49EFA
+ 54A4EFB0DA4049F5F248B3F7D46FEC05
+ A25BBE0A5120106BC21C1EA25EFF3125
+ E079CA0F7FFA56FD89C1A80DA0A3
+
+ TLSCiphertext:
+ 00000000: 17 03 03 04 09 7C AA 82 03 9F 67 32 6C 2D 73 5E
+ 00000010: E8 09 B5 77 50 94 5F 5C E2 B0 C4 7B 8E F1 EC AD
+ 00000020: A3 D3 F1 AD 9E 3F BA 59 26 FD B2 B6 11 97 D0 8B
+ 00000030: 8B 13 99 16 7B 6C 24 9C 90 C0 A3 10 14 52 FD 72
+ 00000040: 07 8F BF B0 57 31 E0 62 15 01 93 95 DD CF 44 AA
+ 00000050: 76 3D CB 1A CA 8B 3F 47 D0 33 FB A1 2E 7C 0F BB
+ 00000060: 4D FB DA BD 8B 97 E9 96 E8 E3 62 31 BE 80 15 41
+ 00000070: 2B 90 CC CF BB E2 BC 96 7E 59 7F C2 E7 B2 51 A9
+ 00000080: BB EB AA 24 5B 63 13 93 87 20 3D B9 0B D1 BF 53
+ 00000090: 00 A5 B5 77 BF 46 79 3D B1 AA 30 FE DF D1 E6 A5
+ [...]
+ 00000370: E1 D5 58 16 BF D6 BF FB F6 E6 FB 23 D8 61 17 D2
+ 00000380: 47 44 1B C2 11 D0 78 19 9C 1F 83 40 BE 80 8B A6
+ 00000390: E5 BE 09 2B 9E 08 1E 95 D4 A5 76 72 A0 79 70 A6
+ 000003A0: 1F EF 2F 4B 12 A0 F4 01 FA 30 B8 13 FE 7C D1 BF
+ 000003B0: 88 14 85 15 73 81 B8 48 9E C3 62 96 C6 EE 75 38
+ 000003C0: 0F B1 DA A1 B1 47 33 58 FD 87 AA 41 D5 DB A0 89
+ 000003D0: F5 28 BD 5F 3B 41 B3 40 02 D9 45 D7 E0 C4 9E FA
+ 000003E0: 54 A4 EF B0 DA 40 49 F5F2 48 B3 F7 D4 6F EC 05
+ 000003F0: A2 5B BE 0A 51 20 10 6B C2 1C 1E A2 5E FF 31 25
+ 00000400: E0 79 CA 0F 7F FA 56 FD 89 C1 A8 0D A0 A3
+
+
+ ---------------------------Server---------------------------
+
+ Application data:
+ 00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ [...]
+ 000003F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+
+ Record payload protection:
+
+ server_record_write_key = TLSTREE(server_write_key_ap, 1):
+ 00000: 7B B8 81 55 35 98 DE F5 34 FC AF 9B 77 A3 35 5B
+ 00010: C3 BC A3 87 4D 67 40 F6 CB F5 C1 B6 D3 5C 65 ED
+
+ seqnum:
+ 00000: 00 00 00 00 00 00 00 01
+
+ nonce:
+ 00000: 71 2E 2F 11 CD 50 6E B8
+
+ additional_data:
+ 00000: 17 03 03 04 09
+
+ TLSInnerPlaintext:
+ 00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ [...]
+ 000003F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 00000400: 17
+
+ Record layer message:
+ type: 17
+ legacy_record_version: 0303
+ length: 0409
+ encrypted_record: DC593FC6FAFC5191242B632E144504A2
+ 61AEF332970FF8316FA4DE507BFB471E
+ A83C713FF950791078FD9A3178D02682
+ 66E12BC970FFB1EE4A56600DF32ABF9F
+ A318FF45C91CDEF42E1C1D450059729B
+ 1BB6925F773A1E8F304E7AB143F0FC16
+ EF16BC4E0DF60D76DE43390F9CD257DE
+ D256209B1675378FE6822CBB19A53620
+ BD5B240282CF4977F1C572AB3B1DD6CF
+ 497F2757286B7E49CF80C7 [...]
+ EE2E29D3F79640D9CA3C35181B9CE939
+ CA16A862AC460424B6AEF6B89D533406
+ 7724CCF2466A804F09FAB3EBE737F99C
+ 6498EFF2379CAD6596C3C352F4426876
+ 95ACBC4FB44B5D069FB66605E47945FE
+ 2F11509FF7B5961BE8AB43EC2060D822
+ A994D97C59C8058C951708029AE0BEDA
+ 8045ECA025FE02E6D2EFAF13202012E9
+ E34358DE79E561CCEC8F549E70073EE6
+ 938F4A1AAE97465970D65260604C
+
+
+ TLSCiphertext:
+ 00000000: 17 03 03 04 09 DC 59 3F C6 FA FC 51 91 24 2B 63
+ 00000010: 2E 14 45 04 A2 61 AE F3 32 97 0F F8 31 6F A4 DE
+ 00000020: 50 7B FB 47 1E A8 3C 71 3F F9 50 79 10 78 FD 9A
+ 00000030: 31 78 D0 26 82 66 E1 2B C9 70 FF B1 EE 4A 56 60
+ 00000040: 0D F3 2A BF 9F A3 18 FF 45 C9 1C DE F4 2E 1C 1D
+ 00000050: 45 00 59 72 9B 1B B6 92 5F 77 3A 1E 8F 30 4E 7A
+ 00000060: B1 43 F0 FC 16 EF 16 BC 4E 0D F6 0D 76 DE 43 39
+ 00000070: 0F 9C D2 57 DE D2 56 20 9B 16 75 37 8F E6 82 2C
+ 00000080: BB 19 A5 36 20 BD 5B 24 02 82 CF 49 77 F1 C5 72
+ 00000090: AB 3B 1D D6 CF 49 7F 27 57 28 6B 7E 49 CF 80 C7
+ [...]
+ 00000370: EE 2E 29 D3 F7 96 40 D9 CA 3C 35 18 1B 9C E9 39
+ 00000380: CA 16 A8 62 AC 46 04 24 B6 AE F6 B8 9D 53 34 06
+ 00000390: 77 24 CC F2 46 6A 80 4F 09 FA B3 EB E7 37 F9 9C
+ 000003A0: 64 98 EF F2 37 9C AD 65 96 C3 C3 52 F4 42 68 76
+ 000003B0: 95 AC BC 4F B4 4B 5D 06 9F B6 66 05 E4 79 45 FE
+ 000003C0: 2F 11 50 9F F7 B5 96 1B E8 AB 43 EC 20 60 D8 22
+ 000003D0: A9 94 D9 7C 59 C8 05 8C 95 17 08 02 9A E0 BE DA
+ 000003E0: 80 45 EC A0 25 FE 02 E6 D2 EF AF 13 20 20 12 E9
+ 000003F0: E3 43 58 DE 79 E5 61 CC EC 8F 54 9E 70 07 3E E6
+ 00000400: 93 8F 4A 1A AE 97 46 59 70 D6 52 60 60 4C
+
+
+ ---------------------------Server---------------------------
+
+ Application data:
+ 00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ [...]
+ 000003F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+
+ Record payload protection:
+
+ server_record_write_key = TLSTREE(server_write_key_ap, 128):
+ 00000: 93 D5 D6 E1 03 6F DF B3 EF BF 31 E6 DA 5E EC E6
+ 00010: 85 17 1C 97 7F F9 CD 6C 3A 3F 67 C0 22 4A B6 EB
+
+ seqnum:
+ 00000: 00 00 00 00 00 00 00 80
+ nonce:
+ 00000: 71 2E 2F 11 CD 50 6E 39
+
+ additional_data:
+ 00000: 17 03 03 04 09
+
+ TLSInnerPlaintext:
+ 00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ [...]
+ 000003F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 00000400: 17
+
+ Record layer message:
+ type: 17
+ legacy_record_version: 0303
+ length: 0409
+ encrypted_record: 56A7E2F32541DB0EE1563F8CA79EB129
+ 3192E2122BA8A89A6CF05B151D205AEC
+ EB60321D0F637A98880814BEF639FC08
+ A1E8222D95A54E5593F8BB9CF520D3FA
+ 7D38D960E00665BB736A7AFF49D7A7BA
+ D092DDB1714655EDF1A9A24F4727DA7E
+ 873135F2A0534FAF7825EA99401FE1F0
+ 1E8C4246D2B55CEBE768FA205B3F7890
+ 9827B912C6AA9FDDE3CFCA47F2D9E2E2
+ 0FBEE9606D0E0105A7C97A [...]
+ A72D5F8E43ABC13984593F16DCECBE7B
+ 26AF73FDC82D7BE1F913B846D2612531
+ BA0F05FF0C52DEFC8674AF3A1AE27393
+ FC092D45DCD0F71E2B54B60EC618C2A4
+ 5BE72EC19B5FB263C2DC780FF3093FD5
+ D2F75185E437BE8BB3E5C26F9E0E71B3
+ C5D6CCA2E0D2F44BB1ACDA17B189F21E
+ C97C748502A2155E3ADC3CCC1BA14EEB
+ 7CDAA018253FCB57D53A12F548C5456C
+ DDA00385EE1C0826AB58E964007C
+
+ TLSCiphertext:
+ 00000000: 17 03 03 04 09 56 A7 E2 F3 25 41 DB 0E E1 56 3F
+ 00000010: 8C A7 9E B1 29 31 92 E2 12 2B A8 A8 9A 6C F0 5B
+ 00000020: 15 1D 20 5A EC EB 60 32 1D 0F 63 7A 98 88 08 14
+ 00000030: BE F6 39 FC 08 A1 E8 22 2D 95 A5 4E 55 93 F8 BB
+ 00000040: 9C F5 20 D3 FA 7D 38 D9 60 E0 06 65 BB 73 6A 7A
+ 00000050: FF 49 D7 A7 BA D0 92 DD B1 71 46 55 ED F1 A9 A2
+ 00000060: 4F 47 27 DA 7E 87 31 35 F2 A0 53 4F AF 78 25 EA
+ 00000070: 99 40 1F E1 F0 1E 8C 42 46 D2 B5 5C EB E7 68 FA
+ 00000080: 20 5B 3F 78 90 98 27 B9 12 C6 AA 9F DD E3 CF CA
+ 00000090: 47 F2 D9 E2 E2 0F BE E9 60 6D 0E 01 05 A7 C9 7A
+ [...]
+ 00000370: A7 2D 5F 8E 43 AB C1 39 84 59 3F 16 DC EC BE 7B
+ 00000380: 26 AF 73 FD C8 2D 7B E1 F9 13 B8 46 D2 61 25 31
+ 00000390: BA 0F 05 FF 0C 52 DE FC 86 74 AF 3A 1A E2 73 93
+ 000003A0: FC 09 2D 45 DC D0 F7 1E 2B 54 B6 0E C6 18 C2 A4
+ 000003B0: 5B E7 2E C1 9B 5F B2 63 C2 DC 78 0F F3 09 3F D5
+ 000003C0: D2 F7 51 85 E4 37 BE 8B B3 E5 C2 6F 9E 0E 71 B3
+ 000003D0: C5 D6 CC A2 E0 D2 F4 4B B1 AC DA 17 B1 89 F2 1E
+ 000003E0: C9 7C 74 85 02 A2 15 5E 3A DC 3C CC 1B A1 4E EB
+ 000003F0: 7C DA A0 18 25 3F CB 57 D5 3A 12 F5 48 C5 45 6C
+ 00000400: DD A0 03 85 EE 1C 08 26 AB 58 E9 64 00 7C
+
+
+ ---------------------------Server---------------------------
+
+ Application data:
+ 00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ [...]
+ 000003F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+
+ Record payload protection:
+
+ server_record_write_key = TLSTREE(server_write_key_ap, 129):
+ 00000: 93 D5 D6 E1 03 6F DF B3 EF BF 31 E6 DA 5E EC E6
+ 00010: 85 17 1C 97 7F F9 CD 6C 3A 3F 67 C0 22 4A B6 EB
+
+ seqnum:
+ 00000: 00 00 00 00 00 00 00 81
+
+ nonce:
+ 00000: 71 2E 2F 11 CD 50 6E 38
+
+ additional_data:
+ 00000: 17 03 03 04 09
+
+ TLSInnerPlaintext:
+ 00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ [...]
+ 000003F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 00000400: 17
+
+ Record layer message:
+ type: 17
+ legacy_record_version: 0303
+ length: 0409
+ encrypted_record: EE73C4CAE69FD30BC4B3A66CA571CD9F
+ 3C7AA2C2BA9F428A82249720F717738F
+ 8C35AC7745B701F3B0CEE993EB2CFDAB
+ 4468B22297A8286C2572DE366AC38B70
+ 471B26A1EC4F19D68E7EDA0A231C3BD1
+ 98013FA05BAC92E774A370EB10C0CBD9
+ 15BACD0117A885804B9A475B44A6F3E8
+ 7D7BCA40F3F52EF4AB624B6EDD3094F9
+ 86269E409F8BB76CEB4BE26D4B1AF54C
+ 0A14D41C291EB8E181F79A [...]
+ 10C401A9423D02804B51DDBFE5925294
+ ADEE0067193FED8F66CBEED9475873B8
+ 8A730496487E8E7F45FC05EEE9C628AF
+ E9236696F41A1505AA7392BF71C7EED3
+ 78035013ADE1EF07DE5A0230669E133E
+ 0D18B6C977A7FE94F4D22AB29CBAA6B5
+ CDDBF4B35598C0007F3BA69D3FA2730D
+ F51D867E1E47CFDE22CAEACD4C5AFD97
+ 088AEB92D12CE3C685C4E517730B8339
+ 4FC8514264E2F15E51CE439DED1D
+
+ TLSCiphertext:
+ 00000000: 17 03 03 04 09 EE 73 C4 CA E6 9F D3 0B C4 B3 A6
+ 00000010: 6C A5 71 CD 9F 3C 7A A2 C2 BA 9F 42 8A 82 24 97
+ 00000020: 20 F7 17 73 8F 8C 35 AC 77 45 B7 01 F3 B0 CE E9
+ 00000030: 93 EB 2C FD AB 44 68 B2 22 97 A8 28 6C 25 72 DE
+ 00000040: 36 6A C3 8B 70 47 1B 26 A1 EC 4F 19 D6 8E 7E DA
+ 00000050: 0A 23 1C 3B D1 98 01 3F A0 5B AC 92 E7 74 A3 70
+ 00000060: EB 10 C0 CB D9 15 BA CD 01 17 A8 85 80 4B 9A 47
+ 00000070: 5B 44 A6 F3 E8 7D 7B CA 40 F3 F5 2E F4 AB 62 4B
+ 00000080: 6E DD 30 94 F9 86 26 9E 40 9F 8B B7 6C EB 4B E2
+ 00000090: 6D 4B 1A F5 4C 0A 14 D4 1C 29 1E B8 E1 81 F7 9A
+ [...]
+ 00000370: 10 C4 01 A9 42 3D 02 80 4B 51 DD BF E5 92 52 94
+ 00000380: AD EE 00 67 19 3F ED 8F 66 CB EE D9 47 58 73 B8
+ 00000390: 8A 73 04 96 48 7E 8E 7F 45 FC 05 EE E9 C6 28 AF
+ 000003A0: E9 23 66 96 F4 1A 15 05 AA 73 92 BF 71 C7 EE D3
+ 000003B0: 78 03 50 13 AD E1 EF 07 DE 5A 02 30 66 9E 13 3E
+ 000003C0: 0D 18 B6 C9 77 A7 FE 94 F4 D2 2A B2 9C BA A6 B5
+ 000003D0: CD DB F4 B3 55 98 C0 00 7F 3B A6 9D 3F A2 73 0D
+ 000003E0: F5 1D 86 7E 1E 47 CF DE 22 CA EA CD 4C 5A FD 97
+ 000003F0: 08 8A EB 92 D1 2C E3 C6 85 C4 E5 17 73 0B 83 39
+ 00000400: 4F C8 51 42 64 E2 F1 5E 51 CE 43 9D ED 1D
+
+ ---------------------------Server---------------------------
+ Alert message:
+ level: 01
+ description: 00
+
+ 00000: 01 00
+
+ Record payload protection:
+
+ server_record_write_key = TLSTREE(server_write_key_ap, 130):
+ 00000: 93 D5 D6 E1 03 6F DF B3 EF BF 31 E6 DA 5E EC E6
+ 00010: 85 17 1C 97 7F F9 CD 6C 3A 3F 67 C0 22 4A B6 EB
+
+ seqnum:
+ 00000: 00 00 00 00 00 00 00 82
+
+ nonce:
+ 00000: 71 2E 2F 11 CD 50 6E 3B
+
+ additional_data:
+ 00000: 17 03 03 00 0B
+
+ TLSInnerPlaintext:
+ 00000: 01 00 15
+
+ Record layer message:
+ type: 17
+ legacy_record_version: 0303
+ length: 000B
+ encrypted_record: 447A3FAE8F86C135189B10
+
+ TLSCiphertext:
+ 00000: 17 03 03 00 0B 44 7A 3F AE 8F 86 C1 35 18 9B 10
+
+ ---------------------------Client---------------------------
+ Alert message:
+ level: 01
+ description: 00
+
+ 00000: 01 00
+
+ Record payload protection:
+
+ Derived #1 = Derive-Secret(HandshakeSecret, "derived", "") =
+ HKDF-Expand-Label(HandshakeSecret, "derived", "", 32):
+ 00000: BC 4D 6F E3 D9 43 78 21 1D 3D 64 1C 75 92 EB AA
+ 00010: 7A A2 96 47 9C 57 BD D1 E1 4C 7B 04 9F 6D F1 CD
+
+ MainSecret = HKDF-Extract(Salt: Derived #1, IKM: 0^256):
+ 00000: DB FF 82 86 2E 54 A1 41 3E 6C 2E D8 2C 6D A5 AF
+ 00010: FD BF DE 12 30 2E 49 75 5B 61 F2 06 32 E1 0A 42
+
+ HM2 = (FE 00 00 20 | Hash(ClientHello1), HelloRetryRequest,
+ ClientHello2, ServerHello, EncryptedExtensions,
+ Server Finished)
+
+ TH2 = Transcript-Hash(HM2):
+ 00000: 53 06 24 EE 07 6F FF E1 04 DC 15 EB B4 2D 78 8F
+ 00010: 1E 4F EB 3E 8C 2D CF A5 CB 85 D7 2F 81 D0 6D 15
+
+ client_application_traffic_secret (CATS):
+ CATS = Derive-Secret(MainSecret, "c ap traffic", HM2) =
+ HKDF-Expand-Label(MainSecret, "c ap traffic", TH2, 32):
+ 20 D9 85 D5 B8 4D 9D 8D 4E 5E CF CD BC DD 67 41
+ 55 F1 82 F7 28 7B 18 4D A5 53 42 5C 6C 64 57 83
+
+ client_write_key_ap = HKDF-Expand-Label(CATS, "key", "", 32):
+ 00000: EB D2 71 DE 19 FE E1 8B B1 99 8F 69 AF 5B 6A E1
+ 00010: 89 58 E8 D3 70 2F 12 FB B5 B0 3F 6F D6 91 FE FA
+
+ client_write_iv_ap = HKDF-Expand-Label(CATS, "iv", "", 8):
+ 00000: 18 FB 03 8D BF 72 41 E6
+
+ client_record_write_key = TLSTREE(client_write_key_ap, 0):
+ 00000: 86 2A 74 18 0B 4A E4 C2 D1 5F 4A 62 ED 8A 4A 75
+ 00010: B0 8D 72 B0 46 AF DE CB 3A 8E F0 C2 67 F4 56 BD
+
+ seqnum:
+ 00000: 00 00 00 00 00 00 00 00
+
+ nonce:
+ 00000: 18 FB 03 8D BF 72 41 E6
+
+ additional_data:
+ 00000: 17 03 03 00 0B
+
+ TLSInnerPlaintext:
+ 00000: 01 00 15
+
+ Record layer message:
+ type: 17
+ legacy_record_version: 0303
+ length: 000B
+ encrypted_record: 464AEEAD391D97987169F3
+
+ TLSCiphertext:
+ 00000: 17 03 03 00 0B 46 4A EE AD 39 1D 97 98 71 69 F3
+
+Contributors
+
+ Lilia Akhmetzyanova
+ CryptoPro
+ Email: lah@cryptopro.ru
+
+
+ Alexandr Sokolov
+ CryptoPro
+ Email: sokolov@cryptopro.ru
+
+
+ Vasily Nikolaev
+ CryptoPro
+ Email: nikolaev@cryptopro.ru
+
+
+Authors' Addresses
+
+ Stanislav Smyshlyaev (editor)
+ CryptoPro
+ 18, Suschevsky val
+ Moscow
+ 127018
+ Russian Federation
+ Phone: +7 (495) 995-48-20
+ Email: svs@cryptopro.ru
+
+
+ Evgeny Alekseev
+ CryptoPro
+ 18, Suschevsky val
+ Moscow
+ 127018
+ Russian Federation
+ Email: alekseev@cryptopro.ru
+
+
+ Ekaterina Griboedova
+ CryptoPro
+ 18, Suschevsky val
+ Moscow
+ 127018
+ Russian Federation
+ Email: griboedovaekaterina@gmail.com
+
+
+ Alexandra Babueva
+ CryptoPro
+ 18, Suschevsky val
+ Moscow
+ 127018
+ Russian Federation
+ Email: babueva@cryptopro.ru
+
+
+ Lidiia Nikiforova
+ CryptoPro
+ 18, Suschevsky val
+ Moscow
+ 127018
+ Russian Federation
+ Email: nikiforova@cryptopro.ru