
Example Handshake Traces for TLS 1.3
draft-ietf-tls-tls13-vectors-07


Document history

Date Rev. By Action
2019-01-10
07 (System) RFC Editor state changed to AUTH48-DONE from AUTH48
2019-01-09
07 (System) RFC Editor state changed to AUTH48 from RFC-EDITOR
2018-12-12
07 (System) RFC Editor state changed to RFC-EDITOR from EDIT
2018-11-05
07 (System) RFC Editor state changed to EDIT
2018-11-05
07 (System) IESG state changed to RFC Ed Queue from Approved-announcement sent
2018-11-05
07 (System) Announcement was received by RFC Editor
2018-11-05
07 (System) IANA Action state changed to No IANA Actions from In Progress
2018-11-05
07 (System) IANA Action state changed to In Progress
2018-11-04
07 Cindy Morgan IESG state changed to Approved-announcement sent from Approved-announcement to be sent
2018-11-04
07 Cindy Morgan IESG has approved the document
2018-11-04
07 Cindy Morgan Closed "Approve" ballot
2018-11-04
07 Cindy Morgan Ballot approval text was generated
2018-11-04
07 Benjamin Kaduk IESG state changed to Approved-announcement to be sent from Approved-announcement to be sent::AD Followup
2018-11-04
07 Benjamin Kaduk RFC Editor Note was changed
2018-11-04
07 Benjamin Kaduk RFC Editor Note for ballot was generated
2018-11-04
07 Benjamin Kaduk RFC Editor Note for ballot was generated
2018-09-27
07 (System) Sub state has been changed to AD Followup from Revised ID Needed
2018-09-27
07 Martin Thomson New version available: draft-ietf-tls-tls13-vectors-07.txt
2018-09-27
07 (System) New version approved
2018-09-27
07 (System) Request for posting confirmation emailed to previous authors: Martin Thomson
2018-09-27
07 Martin Thomson Uploaded new revision
2018-09-27
07 Martin Thomson Uploaded new revision
2018-08-02
06 Cindy Morgan IESG state changed to Approved-announcement to be sent::Revised I-D Needed from Waiting for AD Go-Ahead
2018-08-01
06 Ben Campbell [Ballot Position Update] New position, No Objection, has been recorded for Ben Campbell
2018-08-01
06 Suresh Krishnan [Ballot Position Update] New position, No Objection, has been recorded for Suresh Krishnan
2018-08-01
06 Ignas Bagdonas [Ballot Position Update] New position, No Objection, has been recorded for Ignas Bagdonas
2018-08-01
06 Alissa Cooper [Ballot Position Update] New position, No Objection, has been recorded for Alissa Cooper
2018-07-31
06 Terry Manderson [Ballot Position Update] New position, No Objection, has been recorded for Terry Manderson
2018-07-31
06 Eric Rescorla
[Ballot comment]
Rich version of this review at:
https://mozphab-ietf.devsvcdev.mozaws.net/D3562


Has anyone checked these besides MT?

COMMENTS
S 3.
>            03 05 03 06 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01
>            04 02 05 02 06 02 02 02 00 2d 00 02 01 01 00 1c 00 02 40 01

>      {server}  extract secret "early":

>        salt:  (absent)

Aren't we using the convention 0?


S 3.
>      {server}  extract secret "handshake":

>        salt (32 octets):  6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97
>            16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba

>        IKM (32 octets):  81 51 d1 46 4c 1b 55 53 36 23 b9 c2 24 6a 6a 0e

You should specify Z above with the DH.


S 3.
>            64 00

>        output (32 octets):  a8 0c b7 d1 5d b3 4a 17 ab b0 c2 37 65 be 68
>            c2 6d 3f 10 da 34 90 5b 09 99 47 e5 5e 37 db 17 b3

>      {server}  send a Finished handshake message

Maybe include more of the finished computations.


S 3.
>        key output (16 octets):  26 79 a4 3e 1d 76 78 40 34 ea 17 97 d5 ad
>            26 49

>        iv info (12 octets):  00 0c 08 74 6c 73 31 33 20 69 76 00

>        iv output (12 octets):  54 82 40 52 90 dd 0d 2f 81 c0 d9 42

This is kind of an odd order.


S 3.

>        IKM (32 octets):  81 51 d1 46 4c 1b 55 53 36 23 b9 c2 24 6a 6a 0e
>            6e 7e 18 50 63 e1 4a fd af f0 b6 e1 c6 1a 86 42

>        secret (32 octets):  5b 4f 96 5d f0 3c 68 2c 46 e6 ee 86 c3 11 63
>            66 15 a1 d2 bb b2 43 45 c2 52 05 95 3c 87 9e 8d 06

Aren't these the same as the server too?


S 3.
>        key output (16 octets):  c6 6c b1 ae c5 19 df 44 c9 1e 10 99 55 11
>            ac 8b

>        iv info (12 octets):  00 0c 08 74 6c 73 31 33 20 69 76 00

>        iv output (12 octets):  f7 f6 88 4c 49 81 71 6c 2d 0d 29 a4

This is the same as the server write side, right?


S 3.
>        server read traffic keys)

>      {client}  derive read traffic keys for application data (same as
>        server write traffic keys)

>      {client}  calculate finished "tls13 finished":

This isn't calculating the finished but rather the finished keys.


S 4.
>        secret (32 octets):  04 8b 40 aa 09 ff d4 c6 76 9c 54 1a 2f 46 e2
>            84 66 06 f7 0d 62 a6 15 97 77 29 c5 b2 81 c7 e7 15

>      {client}  send a ClientHello handshake message

>      {client}  calculate finished "tls13 finished":

You should label this as the binder.


S 4.
>        output (32 octets):  a8 19 28 e3 08 5c 3a 85 63 ed 82 2d a9 af 7a
>            b7 1a c5 43 2a 5f 9d 1e 6f 71 32 f1 8b 36 e2 c7 05

>      {client}  send handshake record:

>        payload (512 octets):  01 00 01 fc 03 03 88 09 d2 a3 9b f9 ae b3

You should explain why this is 512


S 4.
>            36 db da 6a 62 6f 02 70 e2 0e eb c7 3d 6f ca e2 b1 a0 da 12 2e
>            e9 04 2f 76 be 56 eb f4 1a a4 69 c3 d2 c9 da 91 97 d8 2f d3 99
>            32 00 21 20 3c e6 69 de de c4 4e 5e 75 53 8f cc ab 3d b0 45 fb
>            5d 21 01 19 99 e1 45 12 ee 3a b3 5f 2a f4 e9

>        ciphertext (517 octets):  16 03 01 02 00 01 00 01 fc 03 03 88 09

I should have noted this earlier, but it's not really ciphertext.


S 5.
>            f5 71 06 36 c0 5b 88 ab a0 35 38 0c 00 2b 00 03 02 03 04 00 0d
>            00 20 00 1e 04 03 05 03 06 03 02 03 08 04 08 05 08 06 04 01 05
>            01 06 01 02 01 04 02 05 02 06 02 02 02 00 2d 00 02 01 01 00 1c
>            00 02 40 01

>      {server}  send a ServerHello handshake message

Maybe note that this is a HRR
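Two of the points in the review above, whether an absent HKDF salt is the zero convention and the difference between the finished key and the Finished computation, are easy to check by reimplementing the RFC 8446 key schedule. The following Python is an added illustration, not code from the draft or from NSS; it assumes the SHA-256 cipher suites used in the traces and a handshake with no PSK, and reproduces the handshake salt and "iv info" bytes quoted in the review.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 for the SHA-256 suites in the traces

def hkdf_extract(salt, ikm):
    """HKDF-Extract (RFC 5869). An absent salt is HashLen zero bytes, so
    "salt: (absent)" and "salt = 0" are the same computation."""
    if not salt:
        salt = bytes(HASH_LEN)
    return hmac.new(salt, ikm, HASH).digest()

def hkdf_expand(prk, info, length):
    """HKDF-Expand (RFC 5869): T(1) || T(2) || ... truncated to length."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]

def hkdf_label(length, label, context):
    """HkdfLabel (RFC 8446 section 7.1): uint16 length, then the
    length-prefixed "tls13 " + label, then the length-prefixed context."""
    full_label = b"tls13 " + label
    return (length.to_bytes(2, "big")
            + bytes([len(full_label)]) + full_label
            + bytes([len(context)]) + context)

def hkdf_expand_label(secret, label, context, length):
    return hkdf_expand(secret, hkdf_label(length, label, context), length)

def derive_secret(secret, label, transcript):
    """Derive-Secret: the context is the transcript hash, not the transcript."""
    return hkdf_expand_label(secret, label, HASH(transcript).digest(), HASH_LEN)

def early_secret(psk=None):
    """First key-schedule step; with no PSK the IKM is HashLen zeros."""
    return hkdf_extract(None, psk if psk is not None else bytes(HASH_LEN))

def finished_key(base_key):
    """The finished key: the step the trace labels "calculate finished"."""
    return hkdf_expand_label(base_key, b"finished", b"", HASH_LEN)

def finished_verify_data(base_key, transcript):
    """Finished.verify_data = HMAC(finished_key, Transcript-Hash(transcript))."""
    return hmac.new(finished_key(base_key), HASH(transcript).digest(), HASH).digest()

def verify_finished(base_key, transcript, verify_data):
    """Receiver side: recompute verify_data and compare in constant time."""
    return hmac.compare_digest(finished_verify_data(base_key, transcript), verify_data)

if __name__ == "__main__":
    early = early_secret()  # salt absent, IKM = 32 zero bytes (no PSK)
    print("early secret   :", early.hex())
    # Derive-Secret(early, "derived", "") is the salt of the handshake secret
    print("handshake salt :", derive_secret(early, b"derived", b"").hex())
    print("iv info        :", hkdf_label(12, b"iv", b"").hex())
```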
2018-07-31
06 Eric Rescorla [Ballot Position Update] New position, No Objection, has been recorded for Eric Rescorla
2018-07-31
06 Deborah Brungard [Ballot Position Update] New position, No Objection, has been recorded for Deborah Brungard
2018-07-31
06 Matthew Miller Request for Last Call review by SECDIR Completed: Ready. Reviewer: Matthew Miller. Sent review to list.
2018-07-31
06 Warren Kumari
[Ballot comment]
I read each and every octet of this document; I'd thought I'd found a typo on page 7, but I'd forgotten to carry the 1 (....and if you believe this, I've also got a very nice bridge for sale :-))

I do agree with Spencer - I think it would be very useful to even more clearly state that you really really really shouldn't use the crypto material here for anything other than testing implementations / understanding the protocol flow.
Also:
"It probably isn't a good idea to use the private key here.  If it
  weren't for the fact that it is too small to provide any meaningful
  security, it is now very well known."
doesn't actually make sense to me -- surely it is "In addition to the fact that..."? ("weren't" makes it sound like, because it is too small it isn't well known (or something!) - "If it weren't for A, then B"...)
2018-07-31
06 Warren Kumari [Ballot Position Update] New position, No Objection, has been recorded for Warren Kumari
2018-07-31
06 Alexey Melnikov [Ballot Position Update] New position, No Objection, has been recorded for Alexey Melnikov
2018-07-30
06 Adam Roach
[Ballot comment]
Thanks for all the work that went into this document. I think it's very useful
to have a set of test vectors for future implementations to develop against. I
have a couple of minor comments.

---------------------------------------------------------------------------
§1:

>  Note:  Invocations of HMAC-based Extract-and-Expand Key Derivation
>    Function (HKDF) [RFC5869] are not labelled, but can be identified
>    through the use the labels used by HKDF.

This doesn't parse. Probably should say "...through the use of labels..." or
something similar.

---------------------------------------------------------------------------

§6:

>  Note that private keys for this
>  example are not included in the draft.
>
>  {client}  create an ephemeral x25519 key pair:
>
>    private key (32 octets):...

I'm not sure what to make of this. Should it say "...private RSA keys for this
example..." or something like that? It may also be useful to include a sentence
or clause explaining why the omitted private key is not useful for users of this
document.
2018-07-30
06 Adam Roach [Ballot Position Update] New position, No Objection, has been recorded for Adam Roach
2018-07-29
06 Spencer Dawkins
[Ballot comment]
Thank you folks for producing this document. I have two cynical observations, so please decide how cynical you want to be, and do the right thing.

I think

8.  Security Considerations

  It probably isn't a good idea to use the private key here.  If it
  weren't for the fact that it is too small to provide any meaningful
  security, it is now very well known.

is awesome, but I remember that the SIP community spent a couple of decades with implementers who coded to call flows and read the protocol specifications as a last resort. You might consider saying this at the beginning of Section 2, because it's a long way from page 2, to page 60.

Section 8 is really polite ("probably isn't a good idea" might be true, but I bet "is a horrible idea" is equally true!), but do the right thing, of course!
2018-07-29
06 Spencer Dawkins [Ballot Position Update] New position, No Objection, has been recorded for Spencer Dawkins
2018-07-26
06 Jean Mahoney Request for Last Call review by GENART Completed: Ready. Reviewer: Meral Shirazipour.
2018-07-25
06 Mirja Kühlewind [Ballot comment]
Why is it really necessary to publish the test vectors in an RFC?
2018-07-25
06 Mirja Kühlewind [Ballot Position Update] New position, No Objection, has been recorded for Mirja Kühlewind
2018-07-24
06 (System) IESG state changed to Waiting for AD Go-Ahead from In Last Call
2018-07-23
06 Amy Vezza Placed on agenda for telechat - 2018-08-02
2018-07-23
06 Benjamin Kaduk Ballot has been issued
2018-07-23
06 Benjamin Kaduk [Ballot Position Update] New position, Yes, has been recorded for Benjamin Kaduk
2018-07-23
06 Benjamin Kaduk Created "Approve" ballot
2018-07-23
06 Benjamin Kaduk Ballot writeup was changed
2018-07-19
06 Tero Kivinen Request for Last Call review by SECDIR is assigned to Matthew Miller
2018-07-19
06 Tero Kivinen Request for Last Call review by SECDIR is assigned to Matthew Miller
2018-07-12
06 Jean Mahoney Request for Last Call review by GENART is assigned to Meral Shirazipour
2018-07-12
06 Jean Mahoney Request for Last Call review by GENART is assigned to Meral Shirazipour
2018-07-12
06 Gunter Van de Velde Request for Last Call review by OPSDIR is assigned to Will LIU
2018-07-12
06 Gunter Van de Velde Request for Last Call review by OPSDIR is assigned to Will LIU
2018-07-11
06 (System) IANA Review state changed to IANA OK - No Actions Needed from IANA - Review Needed
2018-07-11
06 Sabrina Tanamal
(Via drafts-lastcall@iana.org): IESG/Authors/WG Chairs:

The IANA Functions Operator has reviewed draft-ietf-tls-tls13-vectors-06, which is currently in Last Call, and has the following comments:

We understand that this document doesn't require any registry actions.

While it's often helpful for a document's IANA Considerations section to remain in place upon publication even if there are no actions, if the authors strongly prefer to remove it, we do not object.

If this assessment is not accurate, please respond as soon as possible.

Thank you,

Sabrina Tanamal
Senior IANA Services Specialist
2018-07-10
06 Amy Vezza IANA Review state changed to IANA - Review Needed
2018-07-10
06 Amy Vezza
The following Last Call announcement was sent out (ends 2018-07-24):

From: The IESG
To: IETF-Announce
CC: tls-chairs@ietf.org, Sean Turner , draft-ietf-tls-tls13-vectors@ietf.org, tls@ietf.org, sean@sn3rd.com, kaduk@mit.edu
Reply-To: ietf@ietf.org
Sender:
Subject: Last Call:  (Example Handshake Traces for TLS 1.3) to Informational RFC


The IESG has received a request from the Transport Layer Security WG (tls) to
consider the following document: - 'Example Handshake Traces for TLS 1.3'
  as Informational RFC

The IESG plans to make a decision in the next few weeks, and solicits final
comments on this action. Please send substantive comments to the
ietf@ietf.org mailing lists by 2018-07-24. Exceptionally, comments may be
sent to iesg@ietf.org instead. In either case, please retain the beginning of
the Subject line to allow automated sorting.

Abstract


  Examples of TLS 1.3 handshakes are shown.  Private keys and inputs
  are provided so that these handshakes might be reproduced.
  Intermediate values, including secrets, traffic keys and IVs are
  shown so that implementations might be checked incrementally against
  these values.




The file can be obtained via
https://datatracker.ietf.org/doc/draft-ietf-tls-tls13-vectors/

IESG discussion can be tracked via
https://datatracker.ietf.org/doc/draft-ietf-tls-tls13-vectors/ballot/


No IPR declarations have been submitted directly on this I-D.




2018-07-10
06 Amy Vezza IESG state changed to In Last Call from Last Call Requested
2018-07-10
06 Amy Vezza Last call announcement was changed
2018-07-09
06 Benjamin Kaduk Last call was requested
2018-07-09
06 Benjamin Kaduk Last call announcement was generated
2018-07-09
06 Benjamin Kaduk Ballot approval text was generated
2018-07-09
06 Benjamin Kaduk Ballot writeup was generated
2018-07-09
06 Benjamin Kaduk IESG state changed to Last Call Requested from AD Evaluation
2018-07-09
06 Cindy Morgan New version available: draft-ietf-tls-tls13-vectors-06.txt
2018-07-09
06 (System) Secretariat manually posting. Approvals already received
2018-07-09
06 Cindy Morgan Uploaded new revision
2018-06-21
05 Benjamin Kaduk IESG state changed to AD Evaluation from Publication Requested
2018-05-29
05 Sean Turner
1. Summary

This document provides example TLS 1.3 handshakes.  Private keys and inputs are provided so that these handshakes might be reproduced.  As the examples are illustrative, the draft is intended to be Informational.

Sean Turner is the Document Shepherd.
Benjamin Kaduk is the responsible Area Director.

2. Review and Consensus

There's always interest in having examples and this draft fills that gap for TLS, which some would say has been sorely needed for a very long time.  While there wasn't a lot of list traffic on this draft, you could argue that there's lots of review because the vectors are automatically generated using the NSS test suite.  NSS is used to do interop with a number of implementations.

3. Intellectual Property

I confirmed with Martin that his direct, personal knowledge of any IPR related to this document has already been disclosed, in conformance with BCPs 78 and 79.

4. Other Points

There are no DOWNREFs; there is only one normative reference and it's to the TLS1.3 RFC.

There are also no IANA considerations.
2018-05-29
05 Sean Turner Responsible AD changed to Benjamin Kaduk
2018-05-29
05 Sean Turner IETF WG state changed to Submitted to IESG for Publication from WG Consensus: Waiting for Write-Up
2018-05-29
05 Sean Turner IESG state changed to Publication Requested
2018-05-29
05 Sean Turner IESG process started in state Publication Requested
2018-05-29
05 Sean Turner Tag Revised I-D Needed - Issue raised by WGLC cleared.
2018-05-29
05 Sean Turner IETF WG state changed to WG Consensus: Waiting for Write-Up from Waiting for WG Chair Go-Ahead
2018-05-29
05 Martin Thomson New version available: draft-ietf-tls-tls13-vectors-05.txt
2018-05-29
05 (System) New version approved
2018-05-29
04 Sean Turner Changed document writeup
2018-05-29
05 (System) Request for posting confirmation emailed to previous authors: Martin Thomson
2018-05-29
05 Martin Thomson Uploaded new revision
2018-05-29
05 Martin Thomson Uploaded new revision
2018-05-29
04 Sean Turner Tag Revised I-D Needed - Issue raised by WGLC set.
2018-05-29
04 Sean Turner IETF WG state changed to Waiting for WG Chair Go-Ahead from In WG Last Call
2018-05-08
04 Sean Turner IETF WG state changed to In WG Last Call from WG Document
2018-05-08
04 Sean Turner Notification list changed to Sean Turner <sean@sn3rd.com>
2018-05-08
04 Sean Turner Document shepherd changed to Sean Turner
2018-05-01
04 Martin Thomson New version available: draft-ietf-tls-tls13-vectors-04.txt
2018-05-01
04 (System) New version approved
2018-05-01
04 (System) Request for posting confirmation emailed to previous authors: Martin Thomson
2018-05-01
04 Martin Thomson Uploaded new revision
2018-05-01
04 Martin Thomson Uploaded new revision
2017-12-04
03 Martin Thomson New version available: draft-ietf-tls-tls13-vectors-03.txt
2017-12-04
03 (System) New version approved
2017-12-04
03 (System) Request for posting confirmation emailed to previous authors: Martin Thomson
2017-12-04
03 Martin Thomson Uploaded new revision
2017-12-04
03 Martin Thomson Uploaded new revision
2017-11-01
02 Sean Turner Intended Status changed to Informational from Proposed Standard
2017-10-31
02 Sean Turner Changed consensus to Yes from Unknown
2017-10-31
02 Sean Turner Intended Status changed to Proposed Standard from None
2017-07-17
02 Martin Thomson New version available: draft-ietf-tls-tls13-vectors-02.txt
2017-07-17
02 (System) New version approved
2017-07-17
02 (System) Request for posting confirmation emailed to previous authors: Martin Thomson
2017-07-17
02 Martin Thomson Uploaded new revision
2017-06-30
01 Martin Thomson New version available: draft-ietf-tls-tls13-vectors-01.txt
2017-06-30
01 (System) New version approved
2017-06-30
01 (System) Request for posting confirmation emailed to previous authors: Martin Thomson
2017-06-30
01 Martin Thomson Uploaded new revision
2017-01-03
00 (System) This document now replaces draft-thomson-tls-tls13-vectors instead of None
2017-01-03
00 Martin Thomson New version available: draft-ietf-tls-tls13-vectors-00.txt
2017-01-03
00 (System) New version approved
2017-01-03
00 Martin Thomson Request for posting confirmation emailed to submitter and authors: "Martin Thomson"
2017-01-03
00 Martin Thomson Uploaded new revision