GOST Cipher Suites for Transport Layer Security (TLS) Protocol Version 1.2
draft-smyshlyaev-tls12-gost-suites-04
The information below is for an old version of the document.
| Document | Type |
This is an older version of an Internet-Draft that was ultimately published as RFC 9189.
|
|
|---|---|---|---|
| Authors | Stanislav V. Smyshlyaev , Dmitry Belyavsky , Markku-Juhani O. Saarinen | ||
| Last updated | 2018-12-29 | ||
| RFC stream | (None) | ||
| Formats | |||
| IETF conflict review | conflict-review-smyshlyaev-tls12-gost-suites, conflict-review-smyshlyaev-tls12-gost-suites, conflict-review-smyshlyaev-tls12-gost-suites, conflict-review-smyshlyaev-tls12-gost-suites, conflict-review-smyshlyaev-tls12-gost-suites, conflict-review-smyshlyaev-tls12-gost-suites | ||
| Stream | Stream state | (No stream defined) | |
| Consensus boilerplate | Unknown | ||
| RFC Editor Note | (None) | ||
| IESG | IESG state | Became RFC 9189 (Informational) | |
| Telechat date | (None) | ||
| Responsible AD | (None) | ||
| Send notices to | (None) |
draft-smyshlyaev-tls12-gost-suites-04
Network Working Group S. Smyshlyaev, Ed.
Internet-Draft CryptoPro
Intended status: Informational D. Belyavsky
Expires: July 2, 2019 Cryptocom
M. Saarinen
Independent Consultant
December 29, 2018
GOST Cipher Suites for Transport Layer Security (TLS) Protocol Version
1.2
draft-smyshlyaev-tls12-gost-suites-04
Abstract
This document specifies a set of cipher suites for the Transport
Layer Security (TLS) protocol Version 1.2 to support the Russian
cryptographic standard algorithms.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on July 2, 2019.
Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
Smyshlyaev, et al. Expires July 2, 2019 [Page 1]
Internet-Draft GOST Cipher Suites for TLS 1.2 December 2018
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Conventions Used in This Document . . . . . . . . . . . . . . 4
3. Basic Terms and Definitions . . . . . . . . . . . . . . . . . 4
4. Cipher Suite Definitions . . . . . . . . . . . . . . . . . . 5
4.1. Record Payload Protection . . . . . . . . . . . . . . . . 5
4.1.1. CTR_OMAC . . . . . . . . . . . . . . . . . . . . . . 6
4.1.2. CNT_IMIT . . . . . . . . . . . . . . . . . . . . . . 7
4.2. Key Exchange and Authentication . . . . . . . . . . . . . 8
4.2.1. Hello Messages . . . . . . . . . . . . . . . . . . . 10
4.2.2. Server Certificate . . . . . . . . . . . . . . . . . 11
4.2.3. CertificateRequest . . . . . . . . . . . . . . . . . 11
4.2.4. ClientKeyExchange . . . . . . . . . . . . . . . . . . 12
4.2.4.1. CTR_OMAC . . . . . . . . . . . . . . . . . . . . 12
4.2.4.2. CNT_IMIT . . . . . . . . . . . . . . . . . . . . 14
4.2.5. CertificateVerify . . . . . . . . . . . . . . . . . . 16
4.2.6. Finished . . . . . . . . . . . . . . . . . . . . . . 16
4.3. Cryptographic Algorithms . . . . . . . . . . . . . . . . 17
4.3.1. Block Cipher . . . . . . . . . . . . . . . . . . . . 17
4.3.2. MAC algorithm . . . . . . . . . . . . . . . . . . . . 17
4.3.3. Encryption algorithm . . . . . . . . . . . . . . . . 18
4.3.4. PRF and HASH algorithms . . . . . . . . . . . . . . . 18
4.3.5. SNMAX parameter . . . . . . . . . . . . . . . . . . . 18
5. New Values for the SignatureAlgorithm Registry . . . . . . . 18
6. New Values for the Supported Groups Registry . . . . . . . . 19
7. New Values for the ClientCertificateType Identifiers Registry 20
8. Additional Algorithms . . . . . . . . . . . . . . . . . . . . 21
8.1. TLSTREE . . . . . . . . . . . . . . . . . . . . . . . . . 21
8.1.1. Key Tree Parameters . . . . . . . . . . . . . . . . . 21
8.2. Key export and key import algorithms . . . . . . . . . . 22
8.2.1. KExp15 and KImp15 Algorithms . . . . . . . . . . . . 22
8.2.2. KExp28147 and KImp28147 Algorithms . . . . . . . . . 23
8.3. Key Exchange Generation Algorithms . . . . . . . . . . . 24
8.3.1. KEG Algorithm . . . . . . . . . . . . . . . . . . . . 24
8.3.2. KEG_28147 Algorithm . . . . . . . . . . . . . . . . . 26
8.4. gostIMIT28147 . . . . . . . . . . . . . . . . . . . . . . 27
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 27
10. Historical considerations . . . . . . . . . . . . . . . . . . 29
11. Security Considerations . . . . . . . . . . . . . . . . . . . 29
12. References . . . . . . . . . . . . . . . . . . . . . . . . . 29
12.1. Normative References . . . . . . . . . . . . . . . . . . 29
12.2. Informative References . . . . . . . . . . . . . . . . . 31
Appendix A. Test Examples . . . . . . . . . . . . . . . . . . . 32
A.1. Test Examples for CTR_OMAC cipher suites . . . . . . . . 32
Smyshlyaev, et al. Expires July 2, 2019 [Page 2]
Internet-Draft GOST Cipher Suites for TLS 1.2 December 2018
A.1.1. TLSTREE Examples . . . . . . . . . . . . . . . . . . 32
A.1.1.1. TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC
ciphersuite . . . . . . . . . . . . . . . . . . . 32
A.1.1.2. TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC
ciphersuite . . . . . . . . . . . . . . . . . . . 34
A.1.2. Record Examples . . . . . . . . . . . . . . . . . . . 36
A.1.2.1. TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC
ciphersuite . . . . . . . . . . . . . . . . . . . 36
A.1.2.2. TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC
ciphersuite . . . . . . . . . . . . . . . . . . . 39
A.1.3. Handshake Examples . . . . . . . . . . . . . . . . . 42
A.1.3.1. TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC
ciphersuite . . . . . . . . . . . . . . . . . . . 42
A.1.3.2. TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC
ciphersuite . . . . . . . . . . . . . . . . . . . 55
A.2. Test Examples for CNT_IMIT cipher suites . . . . . . . . 74
A.2.1. Record Examples . . . . . . . . . . . . . . . . . . . 74
A.2.2. Handshake Examples . . . . . . . . . . . . . . . . . 75
Appendix B. Contributors . . . . . . . . . . . . . . . . . . . . 85
Appendix C. Acknowledgments . . . . . . . . . . . . . . . . . . 85
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 85
1. Introduction
This document specifies three new cipher suites for the Transport
Layer Security (TLS) Protocol Version 1.2 [RFC5246] to support the
set of Russian cryptographic standard algorithms (called GOST
algorithms). These cipher suites use the same hash algorithm GOST R
34.11-2012 [GOST3411-2012] (the English version can be found in
[RFC6986]) and the same signature algorithm GOST R 34.10-2012
[GOST3410-2012] (the English version can be found in [RFC7091]) but
use different encryption and MAC algorithms, so they are divided into
two types: the CTR_OMAC cipher suites and the CNT_IMIT cipher suite.
The CTR_OMAC cipher suites use the GOST R 34.12-2015 [GOST3412-2015]
block ciphers (the English version can be found in [RFC7801]) and
have the following values:
TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC = {TBD1};
TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC = {TBD2}.
The CNT_IMIT cipher suite uses the GOST 28147-89 [GOST28147-89] block
cipher (the English version can be found in [RFC5830]) and has the
following value:
TLS_GOSTR341112_256_WITH_28147_CNT_IMIT = {TBD3}.
Smyshlyaev, et al. Expires July 2, 2019 [Page 3]
Internet-Draft GOST Cipher Suites for TLS 1.2 December 2018
2. Conventions Used in This Document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
3. Basic Terms and Definitions
This document uses the following terms and definitions for the sets
and operations on the elements of these sets:
B_t the set of byte strings of length t, t >= 0, for t = 0 the
B_t set consists of a single empty string of zero length. If
A is an element of B_t, then A = (a_1, a_2, ... , a_t), where
a_1, a_2, ... , a_t are in {0, ... , 255};
B* the set of all byte strings of a finite length (hereinafter
referred to as strings), including the empty string;
A[i..j] the string A[i..j] = (a_i, a_{i+1}, ... , a_j) in B_{j-i+1}
where A = (a_1, ... , a_t) in B_t and 1<=i<=j<=t;
|A| the byte length of the byte string A;
A | C concatenation of strings A and C both belonging to B*, i.e.,
a string in B_{|A|+|C|}, where the left substring in B_|A| is
equal to A, and the right substring in B_|C| is equal to C;
A XOR C bitwise exclusive-or of strings A and C both belonging to
B_t, i.e., a string in B_t such that if A = (a_1, a_2, ... ,
a_t), C = (c_1, c_2, ... , c_t) then A XOR C = (a_1 (xor)
c_1, a_2 (xor) c_2, ... , a_t (xor) c_t) where (xor) is
bitwise exclusive-or of bytes;
i & j bitwise AND of integers i and j;
STR_t the transformation that maps an integer i = 256^{t-1} * i_1 +
... + 256 * i_{t-1} + i_t into the byte string STR_t(i) =
(i_1, ... , i_t) in B_t (the interpretation of the integer as
a byte string in big-endian format);
str_t the transformation that maps an integer i = 256^{t-1} * i_t +
... + 256 * i_2 + i_1 into the byte string str_t(i) = (i_1,
... , i_t) in B_t (the interpretation of the integer as a
byte string in little-endian format);
INT the transformation that maps a string a = (a_1, ... , a_t) in
B_t into the integer INT(a) = 256^{t-1} * a_1 + ... + 256 *
Smyshlyaev, et al. Expires July 2, 2019 [Page 4]
Internet-Draft GOST Cipher Suites for TLS 1.2 December 2018
a_{t-1} + a_t (the interpretation of the byte string in big-
endian format as an integer);
int the transformation that maps a string a = (a_1, ... , a_t) in
B_t into the integer int(a) = 256^{t-1} * a_t + ... + 256 *
a_2 + a_1 (the interpretation of the byte string in little-
endian format as an integer);
k the byte-length of the block cipher key;
n the byte-length of the block cipher block;
Q_c the public key stored in the client's certificate;
d_c the private key that corresponds to the Q_c key;
Q_s the public key stored in the server's certificate;
d_s the private key that corresponds to the Q_s key;
q_s subgroup order of group of points of the elliptic curve that
corresponds to Q_s;
P_s the point of order q_s that belongs to the same curve as Q_s;
r_c the random string contained in ClientHello.random field (see
[RFC5246]);
r_s the random string contained in ServerHello.random field (see
[RFC5246]).
4. Cipher Suite Definitions
4.1. Record Payload Protection
All of the cipher suites described in this document MUST use the
"null" compression method (see Section 6.2.2 of [RFC5246] and
Section 4.2.1). Note that the CompressionMethod.null operation is an
identity operation; no fields are altered.
All of the cipher suites described in this document use the stream
cipher (see Section 4.3.3) to protect records. The TLSCiphertext
structure for the CTR_OMAC and CNT_IMIT cipher suites is specified in
accordance with the Standard Stream Cipher case (see Section 6.2.3.1
of [RFC5246]):
Smyshlyaev, et al. Expires July 2, 2019 [Page 5]
Internet-Draft GOST Cipher Suites for TLS 1.2 December 2018
struct {
ContentType type;
ProtocolVersion version;
uint16 length;
GenericStreamCipher fragment;
} TLSCiphertext;
where TLSCiphertext.fragment is generated in accordance with
Section 4.1.1 or Section 4.1.2.
The connection key material is a key material that consists of the
sender_write_key (either the client_write_key or the
server_write_key), the sender_write_MAC_key (either the
client_write_MAC_key or the server_write_MAC_key) and the
sender_write_IV (either the client_write_IV or the server_write_IV)
parameters that are generated in accordance with Section 6.3 of
[RFC5246].
The record key material is a key material that is generated from the
connection key material and is used to protect a record with the
certain sequence number. Note that in the cipher suites defined in
this document the record key material can be equal to the connection
key material.
In this section the TLSCiphertext.fragment generation is described
for one particular endpoint (server or client) with the corresponding
connection key material and record key material.
4.1.1. CTR_OMAC
In case of the CTR_OMAC cipher suites the record key material differs
from the connection key material and for the certain sequence number
seqnum consists of:
o K_ENC_seqnum in B_k;
o K_MAC_seqnum in B_k;
o IV_seqnum in B_{n/2}.
The K_ENC_seqnum and K_MAC_seqnum values are calculated using the
TLSTREE function defined in Section 8.1 and the connection key
material. IV_seqnum is calculated by adding seqnum value to
sender_write_IV modulo 2^{(n/2)*8}:
o K_ENC_seqnum = TLSTREE(sender_write_key, seqnum);
Smyshlyaev, et al. Expires July 2, 2019 [Page 6]
Internet-Draft GOST Cipher Suites for TLS 1.2 December 2018
o K_MAC_seqnum = TLSTREE(sender_write_MAC_key, seqnum);
o IV_seqnum = STR_{n/2}((INT(sender_write_IV) + seqnum) mod
2^{(n/2)*8}).
The TLSCiphertext.fragment that corresponds to the certain sequence
number seqnum is equal to the ENCValue_seqnum value that is
calculated as follows:
1. The MAC value (MACValue_seqnum) is generated using the MAC
algorithm (see Section 4.3.2) similar to Section 6.2.3.1 of [RFC5246]
except the sender_write_MAC_key is replaced by the K_MAC_seqnum key:
MACData_seqnum = STR_8(seqnum) | type_seqnum | version_seqnum |
length_seqnum | fragment_seqnum;
MACValue_seqnum = MAC(K_MAC_seqnum, MACData_seqnum),
where type_seqnum, version_seqnum, length_seqnum, fragment_seqnum are
the TLSCompressed.type, TLSCompressed.version, TLSCompressed.length
and TLSCompressed.fragment values of the record with the seqnum
sequence number.
2. The entire data with the MACValue is encrypted with the ENC
stream cipher (see Section 4.3.3):
ENCData_seqnum = fragment_seqnum | MACValue_seqnum;
ENCValue_seqnum = ENC(K_ENC_seqnum, IV_seqnum, ENCData_seqnum).
4.1.2. CNT_IMIT
In case of the CNT_IMIT cipher suite the record key material is equal
to the connection key material and consists of:
o sender_write_key in B_k;
o sender_write_MAC_key in B_k;
o sender_write_IV in B_n.
The TLSCiphertext.fragment that corresponds to the certain sequence
number seqnum is equal to the ENCValue_seqnum value that is
calculated as follows:
1. The MAC value (MACValue_seqnum) is generated by the MAC algorithm
(see Section 4.3.2) as follows:
Smyshlyaev, et al. Expires July 2, 2019 [Page 7]
Internet-Draft GOST Cipher Suites for TLS 1.2 December 2018
MACData_i = STR_8(i) | type_i | version_i | length_i | fragment_i,
i in {0, ... , seqnum};
MACValue_seqnum = MAC(sender_write_MAC_key, MACData_0 | ... |
MACData_seqnum),
where type_i, version_i, length_i, fragment_i are the
TLSCompressed.type, TLSCompressed.version, TLSCompressed.length and
TLSCompressed.fragment values of the record with the i sequence
number.
Implementation note: Due to the use of the CBC-MAC based mode it is
not necessarily to store all previous fragments MACData_0, ... ,
MACData{i-1} to generate the MACValue_i fragment for the i-th record.
It's enough to know only the intermediate internal state of the MAC
algorithm.
2. The entire data with the MACValue is encrypted with the ENC
stream cipher (see Section 4.3.3):
ENCData_i = fragment_i | MACValue_i, i in {0, ... , seqnum};
ENCValue_0 | ... | ENCValue_seqnum = ENC(sender_write_key,
sender_write_IV, ENCData_0 | ... | ENCData_seqnum),
where |ENCValue_i| = |ENCData_i|, i in {0, ... , seqnum}.
Implementation note: Due to the use of the stream cipher it is not
necessarily to store all previous fragments ENCData_0, ... ,
ENCData{i-1} to generate the ENCValue_i fragment for the i-th record.
It's enough to know only the intermediate internal state of the ENC
stream cipher.
4.2. Key Exchange and Authentication
All of the cipher suites described in this document use ECDHE based
schema to share the TLS premaster secret.
Smyshlyaev, et al. Expires July 2, 2019 [Page 8]
Internet-Draft GOST Cipher Suites for TLS 1.2 December 2018
Client Server
ClientHello -------->
ServerHello
Certificate
CertificateRequest*
<-------- ServerHelloDone
Certificate*
ClientKeyExchange
CertificateVerify*
[ChangeCipherSpec]
Finished -------->
[ChangeCipherSpec]
<-------- Finished
Application Data <-------> Application Data
Figure 1: Message flow for a full handshake.
* Indicates optional messages that are sent for
the client authentication.
Figure 1 shows all messages involved in the TLS key establishment
protocol (full handshake). A ServerKeyExchange MUST NOT be sent (the
server's certificate contains enough data to allow client to exchange
the premaster secret).
The server side of the channel is always authenticated; the client
side is optionally authenticated. The server is authenticated by
proving that it knows the premaster secret that is encrypted with the
public key Q_s from the server's certificate. The client is
authenticated via its signature over the handshake transcript.
In general the key exchange process for both CTR_OMAC and CNT_IMIT
cipher suites consists of the following steps:
1. The client generates the ephemeral key pair (d_eph, Q_eph) that
corresponds to the server's public key Q_s stored in its
certificate.
2. The client generates the premaster secret PS. The PS value is
chosen from B_32 at random.
3. Using d_eph and Q_s the client generates the export key material
(see Section 4.2.4.1 and Section 4.2.4.2) for the particular key
export algorithm (see Section 8.2.1 and Section 8.2.2) to
generate the export representation PSExp of the PS value.
Smyshlyaev, et al. Expires July 2, 2019 [Page 9]
Internet-Draft GOST Cipher Suites for TLS 1.2 December 2018
4. The client sends its ephemeral public key Q_eph and PSExp value
in the ClientKeyExchange message.
5. Using its private key d_s the server generates the import key
material (see Section 4.2.4.1 and Section 4.2.4.2) for the
particular key import algorithm (see Section 8.2.1 and
Section 8.2.2) to extract the premaster secret PS from the export
representation PSExp.
The proposed cipher suites specify the ClientHello, ServerHello,
ServerCertificate, CertificateRequest, ClientKeyExchange,
CertificateVerify and Finished handshake messages, that are described
in further detail below.
4.2.1. Hello Messages
The ClientHello message is generated in accordance with the following
requirements:
o The ClientHello.compression_methods field SHOULD contain exactly
one byte, set to zero, which corresponds to the "null" compression
method.
o The ClientHello.extensions field SHOULD contain the
signature_algorithms extension (see [RFC5246]) with the values
defined in Section 5.
If the negotiated cipher suite is one of CTR_OMAC/CTR_IMIT and the
client implementation does not support generating the
signature_algorithms extension with the appropriate values, the
server MUST either abort the connection or ignore this extension
and behave as if the client had sent the signature_algorithms
extension with the values {8, TBD4} and {8, TBD5}.
o The ClientHello.extensions field is RECOMMENDED to contain the
extended_master_secret (see [RFC7627]) and the renegotiation_info
(see [RFC5746]) extensions.
o The ClientHello.extensions field MAY contain the supported_groups
extension (see [RFC8422] and [RFC7919]) with the values defined in
Section 6.
The ServerHello message is generated in accordance with the following
requirements:
o The ServerHello.compression_method field MUST contain exactly one
byte, set to zero, which corresponds to the "null" compression
method.
Smyshlyaev, et al. Expires July 2, 2019 [Page 10]
Internet-Draft GOST Cipher Suites for TLS 1.2 December 2018
o The ServerHello.extensions field is RECOMMENDED to contain the
extended_master_secret (see [RFC7627]) and the renegotiation_info
(see [RFC5746]) extensions.
o The ServerHello.extensions field MUST NOT contain the
encrypt_then_mac extension (see [RFC7366]).
If the extended_master_secret extension is agreed, then the master
secret value MUST be calculated in accordance with [RFC7627].
4.2.2. Server Certificate
This message is used to authentically convey the server's public key
Q_s to the client and is generated in accordance with Section 7.4.2
of [RFC5246].
Note: If the client has used supported_groups extension, the public
key in the server's certificate MUST respect the client's choice of
elliptic curves.
Upon receiving this message the client validates the certificate
chain, extracts the server's public key, and checks that the key type
is appropriate for the negotiated key exchange algorithm. (A
possible reason for a fatal handshake failure is that the client's
capabilities for handling elliptic curves and point formats are
exceeded)
4.2.3. CertificateRequest
This message is sent when requesting client authentication and is
specified in accordance with [RFC5246] as follows.
struct {
ClientCertificateType certificate_types<1..2^8-1>;
SignatureAndHashAlgorithm
supported_signature_algorithms<2..2^16-2>;
DistinguishedName certificate_authorities<0..2^16-1>;
} CertificateRequest;
If the CTR_OMAC or CNT_IMIT cipher suite is negotiated, the
CertificateRequest message MUST meet the following requirements:
o the CertificateRequest.supported_signature_algorithm field MUST
contain only signature/hash algorithm pairs with the values {8,
TBD4} or {8, TBD5} defined in Section 5;
Smyshlyaev, et al. Expires July 2, 2019 [Page 11]
Internet-Draft GOST Cipher Suites for TLS 1.2 December 2018
o the CertificateRequest.certificate_types field MUST contain only
the gost_sign256 (TBD13) or gost_sign512 (TBD14) values defined in
Section 7.
4.2.4. ClientKeyExchange
The ClientKeyExchange message is defined as follows.
enum { vko_kdf_gost, vko_gost } KeyExchangeAlgorithm;
struct {
select (KeyExchangeAlgorithm) {
case vko_kdf_gost: GostKeyTransport;
case vko_gost: TLSGostKeyTransportBlob;
} exchange_keys;
} ClientKeyExchange;
The body of the ClientKeyExchange message consists of a
GostKeyTransport/TLSGostKeyTransportBlob structure that contains an
export representation of the premaster secret PS.
The GostKeyTransport structure corresponds to the CTR_OMAC cipher
suites and is described in Section 4.2.4.1 and the
TLSGostKeyTransportBlob corresponds to CNT_IMIT cipher suite and is
described in Section 4.2.4.2.
4.2.4.1. CTR_OMAC
In case of the CTR_OMAC cipher suites the body of the
ClientKeyExchange message consists of the GostKeyTransport structure
that is defined bellow.
The client generates the ClientKeyExchange message in accordance with
the following steps:
1. Generates the ephemeral key pair (Q_eph, d_eph), where:
d_eph is chosen from {1, ... , q_s - 1} at random;
Q_eph = d_eph * P_s.
2. Generates export keys (K_EXP_MAC and K_EXP_ENC) using the KEG
algorithm defined in Section 8.3.1:
H = HASH(r_c | r_s);
Smyshlyaev, et al. Expires July 2, 2019 [Page 12]
Internet-Draft GOST Cipher Suites for TLS 1.2 December 2018
K_EXP_MAC | K_EXP_ENC = KEG(d_eph, Q_s, H).
3. Generates an export representation PSExp of the premaster secret
PS using the KExp15 algorithm defined in Section 8.2.1:
IV = H[25..24 + n / 2];
PSExp = KExp15(PS, K_EXP_MAC, K_EXP_ENC, IV).
4. Generates the ClientKeyExchange message using the
GostKeyTransport structure that is defined as follows:
GostKeyTransport ::= SEQUENCE {
keyExp OCTET STRING,
ephemeralPublicKey SubjectPublicKeyInfo,
ukm OCTET STRING OPTIONAL
}
SubjectPublicKeyInfo ::= SEQUENCE {
algorithm AlgorithmIdentifier,
subjectPublicKey BITSTRING
}
AlgorithmIdentifier ::= SEQUENCE {
algorithm OBJECT IDENTIFIER,
parameters ANY OPTIONAL
}
where the keyExp field contains the PSExp value, the
ephemeralPublicKey field contains the Q_eph value and the ukm field
MUST be ignored by the server.
Upon receiving the ClientKeyExchange message, the server process it
as follows.
1. Checks the following three conditions. If either of these checks
fails, then the server MUST abort the handshake with an alert.
o Q_eph belongs to the same curve as server public key Q_s;
o Q_eph is not equal to zero point;
o q_s * Q_eph is equal to zero point.
2. Generates export keys (K_EXP_MAC and K_EXP_ENC) using the KEG
algorithm defined in Section 8.3.1:
Smyshlyaev, et al. Expires July 2, 2019 [Page 13]
Internet-Draft GOST Cipher Suites for TLS 1.2 December 2018
H = HASH(r_c | r_s);
K_EXP_MAC | K_EXP_ENC = KEG(d_s, Q_eph, H).
3. Extracts the premaster secret PS from the export representation
PSExp using the KImp15 algorithm defined in Section 8.2.1:
IV = H[25..24 + n / 2];
PS = KImp15(PSExp, K_EXP_MAC, K_EXP_ENC, IV).
4.2.4.2. CNT_IMIT
In case of the CNT_IMIT cipher suite the body of the
ClientKeyExchange message consists of a TLSGostKeyTransportBlob
structure that is defined bellow.
The client generates the ClientKeyExchange message in accordance with
the following steps:
1. Generates the ephemeral key pair (Q_eph, d_eph), where:
d_eph is chosen from {1, ... , q_s - 1} at random;
Q_eph = d_eph * P_s.
2. Generates export key (K_EXP) using the KEG_28147 algorithm
defined in Section 8.3.2:
H = HASH(r_c | r_s);
K_EXP = KEG_28147(d_eph, Q_s, H).
3. Generates an export representation PSExp of the premaster secret
PS using the KExp28147 algorithm defined in Section 8.2.2:
PSExp = IV | CEK_ENC | CEK_MAC = KExp28147(PS, K_EXP, H[1..8]).
4. Generates the ClientKeyExchange message using the
TLSGostKeyTransportBlob structure that is defined as follows:
Smyshlyaev, et al. Expires July 2, 2019 [Page 14]
Internet-Draft GOST Cipher Suites for TLS 1.2 December 2018
TLSGostKeyTransportBlob ::= SEQUENCE {
keyBlob GostR3410-KeyTransport,
}
GostR3410-KeyTransport ::= SEQUENCE {
sessionEncryptedKey Gost28147-89-EncryptedKey,
transportParameters [0] IMPLICIT GostR3410-TransportParameters
}
Gost28147-89-EncryptedKey ::= SEQUENCE {
encryptedKey Gost28147-89-Key,
macKey Gost28147-89-MAC
}
GostR3410-TransportParameters ::= SEQUENCE {
encryptionParamSet OBJECT IDENTIFIER,
ephemeralPublicKey [0] IMPLICIT SubjectPublicKeyInfo,
ukm OCTET STRING
}
where Gost28147-89-EncryptedKey.encryptedKey field contains the
CEK_ENC value, the Gost28147-89-EncryptedKey.macKey field contains
the CEK_MAC value, and GostR3410-TransportParameters.ukm field
contains the IV value.
The keyBlob.transportParameters.ephemeralPublicKey field contains the
client ephemeral public key Q_eph. The encryptionParamSet contains
value 1.2.643.7.1.2.5.1.1 that corresponds to the id-tc26-gost-
28147-param-Z parameters set defined in [RFC7836].
Upon receiving the ClientKeyExchange message, the server process it
as follows.
1. Checks the following three conditions. If either of these checks
fails, then the server MUST abort the handshake with an alert.
1. Q_eph belongs to the same curve as server public key Q_s;
2. Q_eph is not equal to zero point;
3. q_s * Q_eph is equal to zero point;
2. Generates export key (K_EXP) using the KEG_28147 algorithm
defined in Section 8.3.2:
H = HASH(r_c | r_s);
K_EXP = KEG_28147(d_s, Q_eph, H).
Smyshlyaev, et al. Expires July 2, 2019 [Page 15]
Internet-Draft GOST Cipher Suites for TLS 1.2 December 2018
3. Extracts the premaster secret PS from the export representation
PSExp using the KImp28147 algorithm defined in Section 8.2.2:
PS = KImp28147(PSExp, K_EXP, H[1..8]).
4.2.5. CertificateVerify
Client generates the value sgn as follows:
sgn = SIGN_{d_c}(handshake_messages) = str_l(r) | str_l(s)
where SIGN_{d_c} is the GOST R 34.10-2012 [RFC7091] signature
algorithm, d_c is a client long-term private key that corresponds to
the client long-term public key Q_c from the client's certificate, l
= 32 for gostr34102012_256 value of the SignatureAndHashAlgorithm
field and l = 64 for gostr34102012_512 value of the
SignatureAndHashAlgorithm field.
Here handshake_messages refers to all handshake messages sent or
received, starting at client hello and up to CertificateVerify, but
not including, this message, including the type and length fields of
the handshake messages.
The TLS CertificateVerify message is specified as follows.
struct {
SignatureAndHashAlgorithm algorithm;
opaque signature<0..2^16-1>;
} CertificateVerify;
where SignatureAndHashAlgorithm structure is specified in Section 5
and CertificateVerify.signature field contains sgn value.
4.2.6. Finished
The TLS Finished message is specified as follows.
Smyshlyaev, et al. Expires July 2, 2019 [Page 16]
Internet-Draft GOST Cipher Suites for TLS 1.2 December 2018
struct {
opaque verify_data[verify_data_length];
} Finished;
verify_data = PRF(master_secret, finished_label,
HASH(handshake_messages))[0..verify_data_length-1];
where the verify_data_length value is equal to 32 for the CTR_OMAC
cipher suites and is equal to 12 for the CNT_IMIT cipher suite. The
PRF function is defined in Section 4.3.4.
4.3. Cryptographic Algorithms
4.3.1. Block Cipher
The cipher suite TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC MUST
uses Kuznyechik [RFC7801] as a base block cipher for the encryption
and MAC algorithm. The block length n is 16 bytes and the key length
k is 32 bytes.
The cipher suite TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC MUST uses
Magma [GOST3412-2015] as a base block cipher for the encryption and
MAC algorithm. The block length n is 8 bytes and the key length k is
32 bytes.
The cipher suite TLS_GOSTR341112_256_WITH_28147_CNT_IMIT MUST uses
GOST 28147-89 as a base block cipher [RFC5830] with the set of
parameters id-tc26-gost-28147-param-Z defined in [RFC7836]. The
block length n is 8 bytes and the key length k is 32 bytes.
4.3.2. MAC algorithm
The CTR_OMAC cipher suites use the OMAC message authentication code
construction defined in [GOST3413-2015], which can be considered as
the CMAC mode defined in [CMAC] where Kuznyechik or Magma block
cipher (see Section 4.3.1) are used instead of AES block cipher (see
[IK2003] for more detail) as the MAC function. The resulting MAC
length is equal to the block length and the MAC key length is 32
bytes.
The CNT_IMIT cipher suite uses the message authentication code
function gostIMIT28147 defined in Section 8.4 with the initialization
vector IV = IV0, where IV0 in B_8 is a string of all zeros, with the
CryptoPro Key Meshing algorithm defined in [RFC4357]. The resulting
MAC length is 4 bytes and the MAC key length is 32 bytes.
Smyshlyaev, et al. Expires July 2, 2019 [Page 17]
Internet-Draft GOST Cipher Suites for TLS 1.2 December 2018
4.3.3. Encryption algorithm
The CTR_OMAC cipher suites use the block cipher in CTR-ACPKM
encryption mode defined in [DraftRekeying] as the ENC function. The
section size N is 4 KB for
TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC cipher suite and 1 KB
for TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC cipher suite. The
initial counter nonce is defined as in Section 4.1.
The CNT_IMIT cipher suite uses the block cipher in counter encryption
mode (CNT) defined in Section 6 of [RFC5830] with the CryptoPro Key
Meshing algorithm defined in [RFC4357] as the ENC function.
4.3.4. PRF and HASH algorithms
The pseudorandom function (PRF) for all the cipher suites defined in
this document is the PRF_TLS_GOSTR3411_2012_256 function defined in
[RFC7836].
The hash function HASH for all the cipher suites defined in this
document is the GOST R 34.11-2012 [RFC6986] hash algorithm with
32-byte (256-bit) hash code.
4.3.5. SNMAX parameter
The SNMAX parameter defines the maximal value of the sequence number
seqnum during one TLS 1.2 connection and is defined as follows:
+---------------------------------------------+--------------------+
| CipherSuites | SNMAX |
+---------------------------------------------+--------------------+
|TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC | SNMAX = 2^64 - 1 |
|TLS_GOSTR341112_256_WITH_28147_CNT_IMIT | |
+---------------------------------------------+--------------------+
|TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC | SNMAX = 2^32 - 1 |
+---------------------------------------------+--------------------+
5. New Values for the SignatureAlgorithm Registry
The signature/hash algorithm pairs are used to indicate to the
server/client which algorithms can be used in digital signatures and
are defined by the SignatureAndHashAlgorithm structure (see
Section 7.4.1.4.1 of [RFC5246]) as follows:
Smyshlyaev, et al. Expires July 2, 2019 [Page 18]
Internet-Draft GOST Cipher Suites for TLS 1.2 December 2018
struct {
HashAlgorithm hash;
SignatureAlgorithm signature;
} SignatureAndHashAlgorithm;
This document defines new values for the "SignatureAlgorithm
Registry" that can be used in the SignatureAndHashAlgorithm.signature
field for the particular signature/hash algorithm pair:
enum {
gostr34102012_256(TBD4),
gostr34102012_512(TBD5),
} SignatureAlgorithm;
where the gostr34102012_256 and gostr34102012_512 values correspond
to the GOST R 34.10-2012 [RFC7091] signature algorithm with 32-byte
(256-bit) and 64-byte (512-bit) key length respectively.
According to [RFC7091] the GOST R 34.10-2012 signature algorithm with
32-byte (256-bit) or 64-byte (512-bit) key length use the GOST R
34.11-2012 [RFC6986] hash algorithm with 32-byte (256-bit) or 64-byte
(512-bit) hash code respectively (the hash algorithm is intrinsic to
the signature algorithm). Therefore, if the
SignatureAndHashAlgorithm.signature field of a particular hash/
signature pair listed in the Signature Algorithms Extension is equal
to the TBD4 (gostr34102012_256) or TBD5 (gostr34102012_512) value,
the SignatureAndHashAlgorithm.hash field of this pair MUST contain
the "Intrinsic" value 8 (see [RFC8422]).
6. New Values for the Supported Groups Registry
The Supported Groups Extension indicates the set of elliptic curves
supported by the client and is defined in [RFC8422] and [RFC7919].
This document defines new values for the "Supported Groups" registry:
enum {
GC256A(TBD6), GC256B(TBD7), GC256C(TBD8), GC256D(TBD9),
GC512A(TBD10), GC512B(TBD11), GC512C(TBD12),
} NamedGroup;
Where the values corresponds to the following curves:
Smyshlyaev, et al. Expires July 2, 2019 [Page 19]
Internet-Draft GOST Cipher Suites for TLS 1.2 December 2018
+-------------+--------------------------------------+-----------+
| Description | Curve Identifier Value | Reference |
+-------------+--------------------------------------+-----------+
| GC256A | id-tc26-gost-3410-2012-256-paramSetA | RFC 7836 |
+-------------+--------------------------------------+-----------+
| GC256B |id-GostR3410-2001-CryptoPro-A-ParamSet| RFC 4357 |
+-------------+--------------------------------------+-----------+
| GC256C |id-GostR3410-2001-CryptoPro-B-ParamSet| RFC 4357 |
+-------------+--------------------------------------+-----------+
| GC256D |id-GostR3410-2001-CryptoPro-C-ParamSet| RFC 4357 |
+-------------+--------------------------------------+-----------+
| GC512A | id-tc26-gost-3410-12-512-paramSetA | RFC 7836 |
+-------------+--------------------------------------+-----------+
| GC512B | id-tc26-gost-3410-12-512-paramSetB | RFC 7836 |
+-------------+--------------------------------------+-----------+
| GC512C | id-tc26-gost-3410-2012-512-paramSetC | RFC 7836 |
+-------------+--------------------------------------+-----------+
7. New Values for the ClientCertificateType Identifiers Registry
The ClientCertificateType field of the CertificateRequest message
contains a list of the types of certificate types that the client may
offer and is defined in Section 7.4.4 of [RFC5246].
This document defines new values for the "ClientCertificateType
Identifiers" registry:
enum {
gost_sign256(TBD13),
gost_sign512(TBD14),
} ClientCertificateType;
To use the gost_sign256 or gost_sign512 authentication mechanism, the
client MUST possess a certificate containing a GOST R
34.10-2012-capable public key that corresponds to the 32-byte
(256-bit) or 64-byte (512-bit) signature key respectively.
The client proves possession of the private key corresponding to the
certified key by including a signature in the CertificateVerify
message as described in Section 4.2.5.
Smyshlyaev, et al. Expires July 2, 2019 [Page 20]
Internet-Draft GOST Cipher Suites for TLS 1.2 December 2018
8. Additional Algorithms
8.1. TLSTREE
The TLSTREE function is defined as follows:
TLSTREE(K_root, i) = KDF_3(KDF_2(KDF_1(K_root, STR_8(i & C_1)),
STR_8(i & C_2)), STR_8(i & C_3)),
where
o K_root in B_32;
o i in {0, 1, ... , 2^64 - 1};
o C_1, C_2, C_3 are constants defined by the particular cipher suite
(see Section 8.1.1);
o KDF_j(K, D), j = 1, 2, 3, K in B_32, D in B_8, is the key
derivation function based on the KDF_GOSTR3411_2012_256 function
defined in [RFC7836]:
KDF_1(K, D) = KDF_GOSTR3411_2012_256(K, "level1", D);
KDF_2(K, D) = KDF_GOSTR3411_2012_256(K, "level2", D);
KDF_3(K, D) = KDF_GOSTR3411_2012_256(K, "level3", D).
8.1.1. Key Tree Parameters
The CTR_OMAC cipher suites use the TLSTREE function for the re-keying
approach. The constants for it are defined as in the table below.
+---------------------------------------------+------------------------+
| CipherSuites | C_1, C_2, C_3 |
+---------------------------------------------+------------------------+
|TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC | C_1=0xFFFFFFFF00000000 |
| | C_2=0xFFFFFFFFFFF80000 |
| | C_3=0xFFFFFFFFFFFFFFC0 |
+---------------------------------------------+------------------------+
|TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC | C_1=0xFFFFFFC000000000 |
| | C_2=0xFFFFFFFFFE000000 |
| | C_3=0xFFFFFFFFFFFFF000 |
+---------------------------------------------+------------------------+
Smyshlyaev, et al. Expires July 2, 2019 [Page 21]
Internet-Draft GOST Cipher Suites for TLS 1.2 December 2018
8.2. Key export and key import algorithms
8.2.1. KExp15 and KImp15 Algorithms
Algorithms KExp15 and KImp15 use the block cipher determined by the
particular cipher suite.
The KExp15 key export algorithm is defined as follows.
+------------------------------------------------------------+
| KExp15(S, K_Exp_MAC, K_Exp_ENC, IV) |
|------------------------------------------------------------|
| Input: |
| - secret S to be exported, S in B*, |
| - key K_Exp_MAC in B_k, |
| - key K_Exp_ENC in B_k, |
| - IV in B_{n/2} |
| Output: |
| - export representation SExp in B_{|S|+n} |
|------------------------------------------------------------|
| 1. CEK_MAC = OMAC(K_Exp_MAC, IV | S), CEK_MAC in B_n |
| 2. SExp = CTR-Encrypt(K_Exp_ENC, IV, S | CEK_MAC) |
| 3. return SExp |
+------------------------------------------------------------+
where the OMAC function is defined in [MODES], the CTR-Encrypt(K, IV,
S) function denotes the encryption of message S on key K and nonce IV
in the CTR mode with s = n (see [MODES]).
The KImp15 key import algorithm is defined as follows.
Smyshlyaev, et al. Expires July 2, 2019 [Page 22]
Internet-Draft GOST Cipher Suites for TLS 1.2 December 2018
+--------------------------------------------------------------------+
| KImp15(SExp, K_Exp_MAC, K_Exp_ENC, IV) |
|--------------------------------------------------------------------|
| Input: |
| - export representation SExp in B* |
| - key K_Exp_MAC in B_k, |
| - key K_Exp_ENC in B_k, |
| - IV in B_{n/2} |
| Output: |
| - secret S in B_{|SExp|-n} or FAIL |
|--------------------------------------------------------------------|
| 1. S | CEK_MAC = CTR-Decrypt(K_Exp_ENC, IV, SExp), CEK_MAC in B_n |
| 2. If CEK_MAC = OMAC(K_Exp_MAC, IV | S) |
| then return S; else return FAIL |
+--------------------------------------------------------------------+
where the OMAC function is defined in [MODES], the CTR-Decrypt(K, IV,
S) function denotes the decryption of message S on key K and nonce IV
in the CTR mode (see [MODES]).
The keys K_Exp_MAC and K_Exp_ENC MUST be independent. For every pair
of keys (K_Exp_ENC, K_Exp_MAC) the IV values MUST be unique. For the
import of key K with the KImp15 algorithm every IV value MUST be sent
with the export key representation or be a preshared value.
8.2.2. KExp28147 and KImp28147 Algorithms
The KExp28147 key export algorithm is defined as follows.
+----------------------------------------------------------------+
| KExp28147(S, K, IV) |
|----------------------------------------------------------------|
| Input: |
| - secret S to be exported, S in B_32, |
| - key K in B_32, |
| - IV in B_8. |
| Output: |
| - export representation SExp in B_44 |
|----------------------------------------------------------------|
| 1. CEK_MAC = gost28147IMIT(IV, K, S), CEK_MAC in B_4 |
| 2. CEK_ENC = ECB-Encrypt(K, S), CEK_ENC in B_32 |
| 3. return SExp = IV | CEK_ENC | CEK_MAC |
+----------------------------------------------------------------+
Smyshlyaev, et al. Expires July 2, 2019 [Page 23]
Internet-Draft GOST Cipher Suites for TLS 1.2 December 2018
where the gost28147IMIT function is defined in Section 8.4, the ECB-
Encrypt(K, S) function denotes the encryption of message S on key K
with the block cipher GOST 28147-89 in the ECB mode (see [RFC5830]).
The KImp28147 key import algorithm is defined as follows.
+----------------------------------------------------------------+
| KImp28147(SExp, K, IV) |
|----------------------------------------------------------------|
| Input: |
| - export representation SExp in B_44, |
| - key K in B_32, |
| - IV in B_8. |
| Output: |
| - imported secret S in B_32 or FAIL |
|----------------------------------------------------------------|
| 1. extract from SExp |
| IV' = SExp[1..8], |
| CEK_ENC = SExp[9..40], |
| CEK_MAC = SExp[41..44] |
| 2. if IV' != IV then return FAIL; else |
| 3. S = ECB-Decrypt(K, CEK_ENC), S in B_32 |
| 4. If CEK_MAC = gost28147IMIT(IV, K, S) |
| then return S; else return FAIL |
+----------------------------------------------------------------+
where the gost28147IMIT function is defined in Section 8.4, the ECB-
Decrypt(CEK_ENC, M) function denotes the decryption of ciphertext
CEK_ENC on key K with a block cipher GOST 28147-89 in the ECB mode
(see [RFC5830]).
8.3. Key Exchange Generation Algorithms
8.3.1. KEG Algorithm
The KEG algorithm is defined as follows:
Smyshlyaev, et al. Expires July 2, 2019 [Page 24]
Internet-Draft GOST Cipher Suites for TLS 1.2 December 2018
+----------------------------------------------------------------+
| KEG(d, Q, H) |
|----------------------------------------------------------------|
| Input: |
| - private key d, |
| - public key Q, |
| - H in B_32. |
| Output: |
| - key material K in B_64. |
|----------------------------------------------------------------|
| 1. If m < 2^{256} |
| return KEG_256(d, Q, H) |
| 2. If m < 2^{512} |
| return KEG_512(d, Q, H) |
| 3. return FAIL |
+----------------------------------------------------------------+
where m is the order of the used elliptic curve points group
containing point Q, d in {1, ... , m - 1}.
The KEG_256 algorithm is defined as follows:
+----------------------------------------------------------------+
| KEG_256(d, Q, H) |
|----------------------------------------------------------------|
| Input: |
| - private key d, |
| - public key Q, |
| - H in B_32. |
| Output: |
| - key material K in B_64. |
|----------------------------------------------------------------|
| 1. r = INT(H[1..16]) |
| 2. If r = 0 |
| UKM = 1; else UKM = r |
| 3. K_EXP = VKO_256(d, Q, UKM) |
| 4. seed = H[17..24] |
| 5. return KDFTREE_256(K_EXP, "kdf tree", seed, 1) |
+----------------------------------------------------------------+
where VKO_256 is the function VKO_GOSTR3410_2012_256 defined in
[RFC7836] and KDFTREE_256 is the KDF_TREE_GOSTR3411_2012_256 function
defined in [RFC7836] with the parameter L equal to 512.
The KEG_512 algorithm is defined as follows:
Smyshlyaev, et al. Expires July 2, 2019 [Page 25]
Internet-Draft GOST Cipher Suites for TLS 1.2 December 2018
+----------------------------------------------------------------+
| KEG_512(d, Q, H) |
|----------------------------------------------------------------|
| Input: |
| - private key d, |
| - public key Q, |
| - H in B_32. |
| Output: |
| - key material K in B_64. |
|----------------------------------------------------------------|
| 1. r = INT(H[1..16]) |
| 2. If r = 0 |
| UKM = 1; else UKM = r |
| 3. return VKO_512(d, Q, UKM) |
+----------------------------------------------------------------+
where VKO_512 is the VKO_GOSTR3410_2012_512 function defined in
[RFC7836].
8.3.2. KEG_28147 Algorithm
The KEG_28147 algorithm is defined as follows:
+----------------------------------------------------------------+
| KEG_28147(d, Q, H) |
|----------------------------------------------------------------|
| Input: |
| - private key d, |
| - public key Q, |
| - H in B_32. |
| Output: |
| - key material K in B_32. |
|----------------------------------------------------------------|
| 1. UKM = H[1..8] |
| 2. R = VKO_256(d, Q, int(UKM)) |
| 3. return K = CPDivers(UKM, R) |
+----------------------------------------------------------------+
where the VKO_256 function is equal to the VKO_GOSTR3410_2012_256
function defined in [RFC7836], the CPDivers function corresponds to
the CryptoPro KEK Diversification Algorithm defined in [RFC4357],
which takes as input the UKM value and the key value.
Smyshlyaev, et al. Expires July 2, 2019 [Page 26]
Internet-Draft GOST Cipher Suites for TLS 1.2 December 2018
8.4. gostIMIT28147
gost28147IMIT(IV, K, M) is a MAC algorithm with 4 bytes output and is
defined as follows:
+----------------------------------------------------------------+
| gost28147IMIT(IV, K, M) |
|----------------------------------------------------------------|
| Input: |
| - initial value IV in B_8, |
| - key K in B_32, |
| - message M in B*. |
| Output: |
| - MAC value T in B_4. |
|----------------------------------------------------------------|
| 1. M' = PAD(M) |
| 2. M' = M'_0 | ... | M'_r, |M'_i| = 8, i in {0, ... , r} |
| 3. M'' = (M'_0 XOR IV) | M'_1 | ... | M'_r |
| 4. return K = MAC28147(K, M'') |
+----------------------------------------------------------------+
where the PAD function is the padding function that adds m zero bytes
to the end of the message, where m is the smallest, non-negative
solution to the equation (|M| + m) mod 8 = 0, the MAC28147 function
corresponds to Message Authentication Code Generation Mode defined in
[RFC5830] with 4 byte length output.
9. IANA Considerations
IANA is asked to assign numbers TBD1, TBD2 and TBD3 with the names
TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC,
TTLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC,
TLS_GOSTR341112_256_WITH_28147_CNT_IMIT to the "TLS Cipher Suite"
registry with this document as reference, as shown below.
+-----------+--------------------------------------------+---------+----------+
| Value | Description | DTLS-OK | Reference|
+-----------+--------------------------------------------+---------+----------+
| TBD1 |TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC| N | this RFC |
+-----------+--------------------------------------------+---------+----------+
| TBD2 | TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC | N | this RFC |
+-----------+--------------------------------------------+---------+----------+
| TBD3 | TLS_GOSTR341112_256_WITH_28147_CNT_IMIT | N | this RFC |
+-----------+--------------------------------------------+---------+----------+
Smyshlyaev, et al. Expires July 2, 2019 [Page 27]
Internet-Draft GOST Cipher Suites for TLS 1.2 December 2018
IANA is asked to assign numbers TBD4, TBD5 with the names
gostr34102012_256, gostr34102012_512, to the "TLS SignatureAlgorithm"
registry, as shown below.
+-----------+---------------------+---------+----------+
| Value | Description | DTLS-OK | Reference|
+-----------+---------------------+---------+----------+
| TBD4 | gostr34102012_256 | Y | this RFC |
+-----------+---------------------+---------+----------+
| TBD5 | gostr34102012_512 | Y | this RFC |
+-----------+---------------------+---------+----------+
IANA is asked to assign numbers TBD6, TBD7, TBD8, TBD9, TBD10, TBD11,
TBD12 with the names GC256A, GC256B, GC256C, GC256D, GC512A, GC512B,
GC512C to the "TLS Supported Groups" registry, as shown below.
+-----------+----------------+---------+------------+-----------+
| Value | Description | DTLS-OK | Recomended | Reference |
+-----------+----------------+---------+------------+-----------+
| TBD6 | GC256A | Y | N | this RFC |
+-----------+----------------+---------+------------+-----------+
| TBD7 | GC256B | Y | N | this RFC |
+-----------+----------------+---------+------------+-----------+
| TBD8 | GC256C | Y | N | this RFC |
+-----------+----------------+---------+------------+-----------+
| TBD9 | GC256D | Y | N | this RFC |
+-----------+----------------+---------+------------+-----------+
| TBD10 | GC512A | Y | N | this RFC |
+-----------+----------------+---------+------------+-----------+
| TBD11 | GC512B | Y | N | this RFC |
+-----------+----------------+---------+------------+-----------+
| TBD12 | GC512C | Y | N | this RFC |
+-----------+----------------+---------+------------+-----------+
IANA is asked to assign numbers TBD13, TBD14 with the names
gost_sign256, gost_sign512 to the "ClientCertificateType Identifiers"
registry, as shown below.
Smyshlyaev, et al. Expires July 2, 2019 [Page 28]
Internet-Draft GOST Cipher Suites for TLS 1.2 December 2018
+-----------+---------------------+---------+----------+
| Value | Description | DTLS-OK | Reference|
+-----------+---------------------+---------+----------+
| TBD13 | gost_sign256 | Y | this RFC |
+-----------+---------------------+---------+----------+
| TBD14 | gost_sign512 | Y | this RFC |
+-----------+---------------------+---------+----------+
10. Historical considerations
Note that prior to the existence of this document implementations
could use only the values from the Private Use space in order to use
the GOST-based algorithms. So some old implementations can still use
the old value {0x00,0x81} instead of the TBD3 value to indicate the
TLS_GOSTR341112_256_WITH_28147_CNT_IMIT cipher suite; one old value
238 instead of the values TBD4, 8 and TBD13 (to indicate the
gostr34102012_256 signature algorithm, the Intrinsic hash algorithm
and the gost_sign256 certificate type respectively); one old value
239 instead of the values TBD5, 8 and TBD14 (to indicate the
gostr34102012_512 signature algorithm, the Intrinsic hash algorithm
and the gost_sign512 certificate type respectively).
11. Security Considerations
This entire document is about security considerations.
12. References
12.1. Normative References
[DraftRekeying]
Smyshlyaev, S., "Re-keying Mechanisms for Symmetric Keys",
2018, <https://tools.ietf.org/html/
draft-irtf-cfrg-re-keying-12>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
[RFC4357] Popov, V., Kurepkin, I., and S. Leontiev, "Additional
Cryptographic Algorithms for Use with GOST 28147-89, GOST
R 34.10-94, GOST R 34.10-2001, and GOST R 34.11-94
Algorithms", RFC 4357, DOI 10.17487/RFC4357, January 2006,
<https://www.rfc-editor.org/info/rfc4357>.
Smyshlyaev, et al. Expires July 2, 2019 [Page 29]
Internet-Draft GOST Cipher Suites for TLS 1.2 December 2018
[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.2", RFC 5246,
DOI 10.17487/RFC5246, August 2008,
<https://www.rfc-editor.org/info/rfc5246>.
[RFC5746] Rescorla, E., Ray, M., Dispensa, S., and N. Oskov,
"Transport Layer Security (TLS) Renegotiation Indication
Extension", RFC 5746, DOI 10.17487/RFC5746, February 2010,
<https://www.rfc-editor.org/info/rfc5746>.
[RFC5830] Dolmatov, V., Ed., "GOST 28147-89: Encryption, Decryption,
and Message Authentication Code (MAC) Algorithms",
RFC 5830, DOI 10.17487/RFC5830, March 2010,
<https://www.rfc-editor.org/info/rfc5830>.
[RFC6986] Dolmatov, V., Ed. and A. Degtyarev, "GOST R 34.11-2012:
Hash Function", RFC 6986, DOI 10.17487/RFC6986, August
2013, <https://www.rfc-editor.org/info/rfc6986>.
[RFC7091] Dolmatov, V., Ed. and A. Degtyarev, "GOST R 34.10-2012:
Digital Signature Algorithm", RFC 7091,
DOI 10.17487/RFC7091, December 2013,
<https://www.rfc-editor.org/info/rfc7091>.
[RFC7366] Gutmann, P., "Encrypt-then-MAC for Transport Layer
Security (TLS) and Datagram Transport Layer Security
(DTLS)", RFC 7366, DOI 10.17487/RFC7366, September 2014,
<https://www.rfc-editor.org/info/rfc7366>.
[RFC7627] Bhargavan, K., Ed., Delignat-Lavaud, A., Pironti, A.,
Langley, A., and M. Ray, "Transport Layer Security (TLS)
Session Hash and Extended Master Secret Extension",
RFC 7627, DOI 10.17487/RFC7627, September 2015,
<https://www.rfc-editor.org/info/rfc7627>.
[RFC7801] Dolmatov, V., Ed., "GOST R 34.12-2015: Block Cipher
"Kuznyechik"", RFC 7801, DOI 10.17487/RFC7801, March 2016,
<https://www.rfc-editor.org/info/rfc7801>.
[RFC7836] Smyshlyaev, S., Ed., Alekseev, E., Oshkin, I., Popov, V.,
Leontiev, S., Podobaev, V., and D. Belyavsky, "Guidelines
on the Cryptographic Algorithms to Accompany the Usage of
Standards GOST R 34.10-2012 and GOST R 34.11-2012",
RFC 7836, DOI 10.17487/RFC7836, March 2016,
<https://www.rfc-editor.org/info/rfc7836>.
Smyshlyaev, et al. Expires July 2, 2019 [Page 30]
Internet-Draft GOST Cipher Suites for TLS 1.2 December 2018
[RFC7919] Gillmor, D., "Negotiated Finite Field Diffie-Hellman
Ephemeral Parameters for Transport Layer Security (TLS)",
RFC 7919, DOI 10.17487/RFC7919, August 2016,
<https://www.rfc-editor.org/info/rfc7919>.
[RFC8422] Nir, Y., Josefsson, S., and M. Pegourie-Gonnard, "Elliptic
Curve Cryptography (ECC) Cipher Suites for Transport Layer
Security (TLS) Versions 1.2 and Earlier", RFC 8422,
DOI 10.17487/RFC8422, August 2018,
<https://www.rfc-editor.org/info/rfc8422>.
12.2. Informative References
[CMAC] Dworkin, M., "Recommendation for Block Cipher Modes of
Operation: the CMAC Mode for Authentication", NIST Special
Publication 800-38B, 2005.
[GOST28147-89]
Government Committee of the USSR for Standards,
"Cryptographic Protection for Data Processing System,
Gosudarstvennyi Standard of USSR (In Russian)",
GOST 28147-89, 1989.
[GOST3410-2012]
Federal Agency on Technical Regulating and Metrology,
"Information technology. Cryptographic data security.
Signature and verification processes of [electronic]
digital signature", GOST R 34.10-2012, 2012.
[GOST3411-2012]
Federal Agency on Technical Regulating and Metrology,
"Information technology. Cryptographic Data Security.
Hashing function", GOST R 34.11-2012, 2012.
[GOST3412-2015]
Federal Agency on Technical Regulating and Metrology,
"Information technology. Cryptographic data security.
Block ciphers", GOST R 34.12-2015, 2015.
[GOST3413-2015]
Federal Agency on Technical Regulating and Metrology,
"Information technology. Cryptographic data security.
Modes of operation for block ciphers", GOST R 34.13-2015,
2015.
[IK2003] Iwata T., Kurosawa K. (2003), "OMAC: One-Key CBC MAC.",
FSE 2003. Lecture Notes in Computer Science, vol 2887.
Springer, Berlin, Heidelberg, 2003.
Smyshlyaev, et al. Expires July 2, 2019 [Page 31]
Internet-Draft GOST Cipher Suites for TLS 1.2 December 2018
[MODES] Dworkin, M., "Recommendation for Block Cipher Modes of
Operation: Methods and Techniques", NIST Special
Publication 800-38A, December 2001.
Appendix A. Test Examples
[[TODO: This section must be updated after receiving IANA values
TBD1, TBD2, TBD3, TBD4, TBD5.]]
A.1. Test Examples for CTR_OMAC cipher suites
A.1.1. TLSTREE Examples
A.1.1.1. TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC ciphersuite
TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC
***********************************************
Root Key K_root:
00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A
11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00
seqnum = 0
First level key from Divers_1:
F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1
39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42
Second level key from Divers_2:
51 37 D5 C4 A6 E6 BE 42 C4 40 D1 0A 95 EE A0 7F
08 9E 74 0D 38 90 EB 52 65 2C 0C B9 3F 20 7B B4
The resulting key from Divers 3:
19 A7 6E D3 0F 4D 6D 1F 5B 72 63 EC 49 1A D8 38
17 C0 B5 7D 8A 03 56 12 71 40 FB 4F 74 25 49 4D
seqnum = 4095
First level key from Divers_1:
F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1
39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42
Second level key from Divers_2:
51 37 D5 C4 A6 E6 BE 42 C4 40 D1 0A 95 EE A0 7F
08 9E 74 0D 38 90 EB 52 65 2C 0C B9 3F 20 7B B4
The resulting key from Divers 3:
19 A7 6E D3 0F 4D 6D 1F 5B 72 63 EC 49 1A D8 38
17 C0 B5 7D 8A 03 56 12 71 40 FB 4F 74 25 49 4D
Smyshlyaev, et al. Expires July 2, 2019 [Page 32]
Internet-Draft GOST Cipher Suites for TLS 1.2 December 2018
seqnum = 4096
First level key from Divers_1:
F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1
39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42
Second level key from Divers_2:
51 37 D5 C4 A6 E6 BE 42 C4 40 D1 0A 95 EE A0 7F
08 9E 74 0D 38 90 EB 52 65 2C 0C B9 3F 20 7B B4
The resulting key from Divers 3:
FB 30 EE 53 CF CF 89 D7 48 FC 0C 72 EF 16 0B 8B
53 CB BB FD 03 12 82 B0 26 21 4A B2 E0 77 58 FF
seqnum = 33554431
First level key from Divers_1:
F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1
39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42
Second level key from Divers_2:
51 37 D5 C4 A6 E6 BE 42 C4 40 D1 0A 95 EE A0 7F
08 9E 74 0D 38 90 EB 52 65 2C 0C B9 3F 20 7B B4
The resulting key from Divers 3:
B8 5B 36 DC 22 82 32 6B C0 35 C5 72 DC 93 F1 8D
83 AA 01 74 F3 94 20 9A 51 3B B3 74 DC 09 35 AE
seqnum = 33554432
First level key from Divers_1:
F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1
39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42
Second level key from Divers_2:
3F EA 59 38 DA 2B F8 DD C4 7E C1 DC 55 61 89 66
79 02 BE 42 0D F4 C3 7D AF 21 75 3B CB 1D C7 F3
The resulting key from Divers 3:
0F D7 C0 9E FD F8 E8 15 73 EE CC F8 6E 4B 95 E3
AF 7F 34 DA B1 17 7C FD 7D B9 7B 6D A9 06 40 8A
seqnum = 274877906943
First level key from Divers_1:
F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1
39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42
Second level key from Divers_2:
AB F3 A5 37 98 3A 1B 98 40 06 6D E6 8A 49 BF 25
97 7E E5 C3 F5 2D 33 3E 3C 22 0F 1D 15 C5 08 93
Smyshlyaev, et al. Expires July 2, 2019 [Page 33]
Internet-Draft GOST Cipher Suites for TLS 1.2 December 2018
The resulting key from Divers 3:
48 0F 99 72 BA F2 5D 4C 36 9A 96 AF 91 BC A4 55
3F 79 D8 F0 C5 61 8B 19 FD 44 CF DC 57 FA 37 33
seqnum = 274877906944
First level key from Divers_1:
15 60 0D 9E 8F A6 85 54 CF 15 2D C7 4F BC 42 51
17 B0 3E 09 76 BB 28 EA 98 24 C3 B7 0F 28 CB D8
Second level key from Divers_2:
6C C2 8E B0 93 24 72 12 5C 7A D3 F8 09 73 B3 C8
C4 13 7D A5 73 BC 17 1A 24 ED D4 A3 71 F1 F8 73
The resulting key from Divers 3:
25 28 C1 C6 A8 F0 92 7B F2 BE 27 BB 78 D2 7F 21
46 D6 55 93 B0 C7 17 3A 06 CB 9D 88 DF 92 32 65
A.1.1.2. TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC ciphersuite
TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC
***********************************************
Root Key K_root:
00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A
11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00
seqnum = 0
First level key from Divers_1:
F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1
39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42
Second level key from Divers_2:
51 37 D5 C4 A6 E6 BE 42 C4 40 D1 0A 95 EE A0 7F
08 9E 74 0D 38 90 EB 52 65 2C 0C B9 3F 20 7B B4
The resulting key from Divers 3:
19 A7 6E D3 0F 4D 6D 1F 5B 72 63 EC 49 1A D8 38
17 C0 B5 7D 8A 03 56 12 71 40 FB 4F 74 25 49 4D
seqnum = 63
First level key from Divers_1:
F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1
39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42
Second level key from Divers_2:
51 37 D5 C4 A6 E6 BE 42 C4 40 D1 0A 95 EE A0 7F
Smyshlyaev, et al. Expires July 2, 2019 [Page 34]
Internet-Draft GOST Cipher Suites for TLS 1.2 December 2018
08 9E 74 0D 38 90 EB 52 65 2C 0C B9 3F 20 7B B4
The resulting key from Divers 3:
19 A7 6E D3 0F 4D 6D 1F 5B 72 63 EC 49 1A D8 38
17 C0 B5 7D 8A 03 56 12 71 40 FB 4F 74 25 49 4D
seqnum = 64
First level key from Divers_1:
F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1
39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42
Second level key from Divers_2:
51 37 D5 C4 A6 E6 BE 42 C4 40 D1 0A 95 EE A0 7F
08 9E 74 0D 38 90 EB 52 65 2C 0C B9 3F 20 7B B4
The resulting key from Divers 3:
AE BE 1E F4 18 71 3B F0 44 B9 FC D9 E5 72 D4 37
FB 38 B5 D8 29 56 7A 6F 79 18 39 6D 9F 4E 09 6B
seqnum = 524287
First level key from Divers_1:
F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1
39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42
Second level key from Divers_2:
51 37 D5 C4 A6 E6 BE 42 C4 40 D1 0A 95 EE A0 7F
08 9E 74 0D 38 90 EB 52 65 2C 0C B9 3F 20 7B B4
The resulting key from Divers 3:
6F 18 D4 00 3E A2 CB 30 F5 FE C1 93 A2 34 F0 7D
7C 43 94 98 7F 50 75 8D E2 2B 22 0D 8A 10 51 06
seqnum = 524288
First level key from Divers_1:
F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1
39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42
Second level key from Divers_2:
F6 59 EB 85 EE BD 2A 8D CC 1B B3 F7 C6 00 57 FF
6D 33 B6 0F 74 65 DD 42 B5 11 2C F3 A6 B1 AB 66
The resulting key from Divers 3:
E5 4B 16 41 5B 3B 66 3E 78 0B 06 2D 24 F7 36 C4
49 54 63 C3 A8 91 E1 FA 46 F7 AE 99 FF F9 F3 78
seqnum = 4294967295
First level key from Divers_1:
F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1
Smyshlyaev, et al. Expires July 2, 2019 [Page 35]
Internet-Draft GOST Cipher Suites for TLS 1.2 December 2018
39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42
Second level key from Divers_2:
F4 BC 10 1A BB 68 86 2A 8C E3 1E A0 0D DF A7 FE
B8 29 10 F1 24 F4 B1 E2 9E A8 3B E0 06 C2 26 8D
The resulting key from Divers 3:
CF 60 09 04 C7 1E 7B 88 A4 9A C8 E2 45 77 4B 3D
BE ED FB 81 DE 9A 0E 2F 4E 46 C3 56 07 BC 2F 04
seqnum = 4294967296
First level key from Divers_1:
55 CC 95 E0 D1 FB 54 85 AF 8E F6 9A CD 72 B2 32
79 7C D2 E8 5D 86 CD FD 1D E5 5B D1 FA 14 37 78
Second level key from Divers_2:
72 16 91 E1 01 C4 28 96 A6 40 AE 18 3F BB 44 5B
76 37 9C 57 E1 FD 8A 7D 49 A6 23 E4 23 8C 0E 1D
The resulting key from Divers 3:
16 18 0B 24 64 54 00 B8 36 14 38 37 D8 6A AC 93
95 2A E3 EB 82 44 D5 EC 2A B0 2C FF 30 78 11 38
A.1.2. Record Examples
A.1.2.1. TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC ciphersuite
TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC
********************************************************
It is assumed that during Handshake following keys were established:
- MAC key:
00000: 00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A
00010: 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00
- Encryption key:
00000: 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11
00010: 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22
- IV:
00000: 00 00 00 00
---------------------------------------------------------
seqnum = 0
Application data:
00000: 00 00 00 00 00 00 00
Smyshlyaev, et al. Expires July 2, 2019 [Page 36]
Internet-Draft GOST Cipher Suites for TLS 1.2 December 2018
TLSPlaintext:
00000: 17 03 03 00 07 00 00 00 00 00 00 00
K_MAC_0:
00000: 19 A7 6E D3 0F 4D 6D 1F 5B 72 63 EC 49 1A D8 38
00010: 17 C0 B5 7D 8A 03 56 12 71 40 FB 4F 74 25 49 4D
MAC value:
00000: F3 3E B6 89 6F EC E2 86
K_ENC_0:
00000: 58 AF BE 9A 4C 31 98 AA AB AA 26 92 C4 19 F1 79
00010: 7C 9B 92 DE B3 CC 74 46 B3 63 57 71 13 F0 FB 56
IV_0:
00000: 00 00 00 00
TLSCiphertext:
00000: 17 03 03 00 0F 9B 42 0D A8 6F AF 36 7F 05 14 43
00010: CE 9C 10 72
---------------------------------------------------------
seqnum = 4095
Application data:
00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
. . .
003D0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
003E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
003F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
TLSPlaintext:
00000: 17 03 03 04 00 00 00 00 00 00 00 00 00 00 00 00
00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
. . .
003D0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
003E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
003F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00400: 00 00 00 00 00
K_MAC_4095:
00000: 19 A7 6E D3 0F 4D 6D 1F 5B 72 63 EC 49 1A D8 38
00010: 17 C0 B5 7D 8A 03 56 12 71 40 FB 4F 74 25 49 4D
MAC value:
00000: 58 D3 BB 60 8F BC 98 B8
Smyshlyaev, et al. Expires July 2, 2019 [Page 37]
Internet-Draft GOST Cipher Suites for TLS 1.2 December 2018
K_ENC_4095:
00000: 58 AF BE 9A 4C 31 98 AA AB AA 26 92 C4 19 F1 79
00010: 7C 9B 92 DE B3 CC 74 46 B3 63 57 71 13 F0 FB 56
IV_4095:
00000: 00 00 0F FF
TLSCiphertext:
00000: 17 03 03 04 08 B7 11 43 8B 16 20 1F 3C 49 33 95
00010: 21 C9 C8 CA 75 66 D4 C2 0F D3 3E 58 1F 80 07 DC
00020: 76 04 3E 2B 35 C8 E8 4B B2 55 08 27 66 13 59 6F
. . .
003D0: E7 77 70 BF 45 17 E1 F8 DD 1B 2C 05 64 AD 68 FC
003E0: 4A 88 9A 48 B8 B1 FF 0E A4 E1 BB 70 4D 56 A4 75
003F0: 2F 51 A5 82 CC 54 1A 80 8F 8C 8B 62 97 68 88 C8
00400: 10 59 DE 41 27 63 A3 E0 99 9A CD DA 77
---------------------------------------------------------
seqnum = 4096
Application data:
00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
. . .
007D0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
007E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
007F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
TLSPlaintext:
00000: 17 03 03 08 00 00 00 00 00 00 00 00 00 00 00 00
00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
. . .
007D0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
007E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
007F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00800: 00 00 00 00 00
K_MAC_4096:
00000: FB 30 EE 53 CF CF 89 D7 48 FC 0C 72 EF 16 0B 8B
00010: 53 CB BB FD 03 12 82 B0 26 21 4A B2 E0 77 58 FF
MAC value:
00000: 50 55 A2 6A BE 19 63 81
K_ENC_4096:
00000: ED F2 FD 02 47 71 60 23 83 09 00 2D 1D 57 DF 9F
Smyshlyaev, et al. Expires July 2, 2019 [Page 38]
Internet-Draft GOST Cipher Suites for TLS 1.2 December 2018
00010: D2 ED 18 D6 45 66 C7 6F 4B F0 3D 3A BF 7B BB 1E
IV_4096:
00000: 00 00 10 00
TLSCiphertext:
00000: 17 03 03 08 08 99 95 26 07 03 47 1D ED A2 E6 55
00010: B6 B3 93 83 5E 33 8B 1E D0 0E DD 22 47 A2 FB 88
00020: FB B7 A8 94 80 62 08 8A F3 2C AE B6 AA 2C 4F 2A
. . .
007D0: 7F 0B 24 61 E7 5F E1 06 34 B8 4D C5 70 35 72 5A
007E0: CA 4F 0C BC A9 B0 6C B9 F7 6F BD 2F 80 46 2B 8D
007F0: 77 5E BD 41 6F 63 41 39 AC 89 C2 ED 3D F1 9F E2
00800: 4E F8 C0 5A A8 90 93 1B 01 86 FD 7D DF
A.1.2.2. TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC ciphersuite
TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC
***********************************************
It is assumed that during Handshake following keys were established:
- MAC key:
00000: 00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A
00010: 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00
- Encryption key:
00000: 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11
00010: 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22
- IV:
00000: 00 00 00 00 00 00 00 00
---------------------------------------------------------
seqnum = 0
Application data:
00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
TLSPlaintext:
00000: 17 03 03 00 0F 00 00 00 00 00 00 00 00 00 00 00
00010: 00 00 00 00
K_MAC_0:
00000: 19 A7 6E D3 0F 4D 6D 1F 5B 72 63 EC 49 1A D8 38
00010: 17 C0 B5 7D 8A 03 56 12 71 40 FB 4F 74 25 49 4D
MAC value:
Smyshlyaev, et al. Expires July 2, 2019 [Page 39]
Internet-Draft GOST Cipher Suites for TLS 1.2 December 2018
00000: FD 17 19 DD 95 08 37 EB 7C 7B B8 F5 00 37 99 81
K_ENC_0:
00000: 58 AF BE 9A 4C 31 98 AA AB AA 26 92 C4 19 F1 79
00010: 7C 9B 92 DE B3 CC 74 46 B3 63 57 71 13 F0 FB 56
IV_0:
00000: 00 00 00 00 00 00 00 00
TLSCiphertext:
00000: 17 03 03 00 1F 4D 1A 30 52 36 57 3B FF C1 4E 46
00010: DC BE 74 6D B6 C9 9A 17 5A 81 C4 71 1E 2F 84 C3
00020: 92 C5 40 7C
---------------------------------------------------------
seqnum = 63
Application data:
00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
. . .
00FD0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00FE0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00FF0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
TLSPlaintext:
00000: 17 03 03 10 00 00 00 00 00 00 00 00 00 00 00 00
00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
. . .
00FD0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00FE0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00FF0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
01000: 00 00 00 00 00
K_MAC_63:
00000: 19 A7 6E D3 0F 4D 6D 1F 5B 72 63 EC 49 1A D8 38
00010: 17 C0 B5 7D 8A 03 56 12 71 40 FB 4F 74 25 49 4D
Mac value:
00000: 98 46 27 61 D0 26 24 4A 2C 0B 7D 1B CC CB E7 B0
K_ENC_63:
00000: 58 AF BE 9A 4C 31 98 AA AB AA 26 92 C4 19 F1 79
00010: 7C 9B 92 DE B3 CC 74 46 B3 63 57 71 13 F0 FB 56
IV_63:
Smyshlyaev, et al. Expires July 2, 2019 [Page 40]
Internet-Draft GOST Cipher Suites for TLS 1.2 December 2018
00000: 00 00 00 00 00 00 00 3F
TLSCiphertext:
00000: 17 03 03 10 10 12 93 51 D2 6E 14 07 13 A2 1B 37
00010: 68 24 A2 23 17 CD C0 D8 8E 01 CF A3 FE 21 41 5F
00020: 5C 5E 05 86 9C CF 38 A5 1B C2 E0 ED 68 94 46 A8
. . .
00FE0: 19 AD 99 8C 06 25 21 E6 7B 63 59 A4 F5 C8 16 F9
00FF0: 47 6B A7 13 26 82 BB A8 CE 0B ED AD 65 E4 20 A2
01000: 97 B6 E2 C6 1F A4 06 D9 B8 CA 36 FD 9F CD 3A EE
01010: 24 78 F4 D1 96
---------------------------------------------------------
seqnum = 64
Application data:
00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
. . .
01FD0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
01FE0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
01FF0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
TLSPlaintext:
00000: 17 03 03 20 00 00 00 00 00 00 00 00 00 00 00 00
00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
. . .
01FD0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
01FE0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
01FF0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
02000: 00 00 00 00 00
K_MAC_64:
00000: AE BE 1E F4 18 71 3B F0 44 B9 FC D9 E5 72 D4 37
00010: FB 38 B5 D8 29 56 7A 6F 79 18 39 6D 9F 4E 09 6B
Mac value:
00000: EA C3 97 87 84 2B 1D BD 60 80 CC 3F BF AE 5C 2F
K_ENC_64:
00000: 64 F5 5A FC 37 A1 74 D9 53 3E 70 8B CD 14 FA 4A
00010: EE C3 7B C0 E3 2B A4 99 01 B4 66 9E 96 A6 3D 96
IV_64:
00000: 00 00 00 00 00 00 00 40
Smyshlyaev, et al. Expires July 2, 2019 [Page 41]
Internet-Draft GOST Cipher Suites for TLS 1.2 December 2018
TLSCiphertext:
00000: 17 03 03 20 10 E6 66 BB 98 AC 5B 0F 39 31 D8 55
00010: 1B 93 36 85 96 EE F0 EB A8 26 9C B8 BD AA E7 EB
00020: 80 C8 30 D7 5A B7 D4 6C 25 06 DC 8B 83 E1 F2 D3
. . .
01FE0: B3 02 67 2C CB 02 86 CD 40 48 FB D5 38 1A 65 55
01FF0: 26 11 25 51 01 4F A8 ED F5 C2 1B 7D 1D B3 9D 6B
02000: AD EC 0D 7C 07 05 34 8B 5C 55 6C 4D 50 81 69 1A
02010: A9 EC 36 F8 B5
A.1.3. Handshake Examples
A.1.3.1. TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC ciphersuite
Server certificate curve OID:
id-tc26-gost-3410-2012-256-paramSetB, "1.2.643.2.2.36.0"
Server public key Q_s:
x = 0xE823FFEB48C2A92D1AFDDB0BC7265699
D35640ECC69AF3DC85E7C21960DD109A
y = 0xC80CBACDAECF6F04631A03118E5D0B9E
DEEEC7CBEAF765C4AB299447706FD6CA
Server private key d_s:
0x03495493ABCA61B3B65E158398455D70
C22107DA5B68195BB65B99C01A0FD3C0
---------------------------Client---------------------------
ClientHello message:
msg_type: 01
length: 000040
body:
client_version:
major: 03
minor: 03
random: 933EA21EC3802A561550EC78D6ED51AC
2439D7E749C31BC3A3456165889684CA
session_id:
length: 00
vector: --
cipher_suites:
Smyshlyaev, et al. Expires July 2, 2019 [Page 42]
Internet-Draft GOST Cipher Suites for TLS 1.2 December 2018
length: 0004
vector:
CipherSuite: FF88
CipherSuite: FF89
compression_methods:
length: 01
vector:
CompressionMethod: 00
extensions:
length: 0013
Extension: /* signature_algorithms */
extension_type: 000D
extension_data:
length: 0006
vector:
supported_signature_algorithms:
length: 0004
vector:
/* 1 pair of algorithms */
hash: EE
signature:
EE
/* 2 pair of algorithms */
hash: EF
signature:
EF
Extension: /* renegotiation_info */
extension_type: FF01
extension_data:
length: 0001
vector:
renegotiated_connection:
length: 00
vector: --
Extension: /* extended_master_secret */
extension_type: 0017
extension_data:
length: 0000
vector: --
00000: 01 00 00 40 03 03 93 3E A2 1E C3 80 2A 56 15 50
00010: EC 78 D6 ED 51 AC 24 39 D7 E7 49 C3 1B C3 A3 45
00020: 61 65 88 96 84 CA 00 00 04 FF 88 FF 89 01 00 00
00030: 13 00 0D 00 06 00 04 EE EE EF EF FF 01 00 01 00
00040: 00 17 00 00
Record layer message:
type: 16
Smyshlyaev, et al. Expires July 2, 2019 [Page 43]
Internet-Draft GOST Cipher Suites for TLS 1.2 December 2018
version:
major: 03
minor: 03
length: 0044
fragment: 010000400303933EA21EC3802A561550
EC78D6ED51AC2439D7E749C31BC3A345
6165889684CA000004FF88FF89010000
13000D00060004EEEEEFEFFF01000100
00170000
00000: 16 03 03 00 44 01 00 00 40 03 03 93 3E A2 1E C3
00010: 80 2A 56 15 50 EC 78 D6 ED 51 AC 24 39 D7 E7 49
00020: C3 1B C3 A3 45 61 65 88 96 84 CA 00 00 04 FF 88
00030: FF 89 01 00 00 13 00 0D 00 06 00 04 EE EE EF EF
00040: FF 01 00 01 00 00 17 00 00
---------------------------Server---------------------------
ServerHello message:
msg_type: 02
length: 000041
body:
client_version:
major: 03
minor: 03
random: 933EA21E49C31BC3A3456165889684CA
A5576CE7924A24F58113808DBD9EF856
session_id:
length: 10
vector: C3802A561550EC78D6ED51AC2439D7E7
cipher_suite:
CipherSuite: FF88
compression_method:
CompressionMethod: 00
extensions:
length: 0009
Extension: /* renegotiation_info */
extension_type: FF01
extension_data:
length: 0001
vector:
renegotiated_connection:
length: 00
vector: --
Extension: /* extended_master_secret */
extension_type: 0017
Smyshlyaev, et al. Expires July 2, 2019 [Page 44]
Internet-Draft GOST Cipher Suites for TLS 1.2 December 2018
extension_data:
length: 0000
vector: --
00000: 02 00 00 41 03 03 93 3E A2 1E 49 C3 1B C3 A3 45
00010: 61 65 88 96 84 CA A5 57 6C E7 92 4A 24 F5 81 13
00020: 80 8D BD 9E F8 56 10 C3 80 2A 56 15 50 EC 78 D6
00030: ED 51 AC 24 39 D7 E7 FF 88 00 00 09 FF 01 00 01
00040: 00 00 17 00 00
Record layer message::
type: 16
version:
major: 03
minor: 03
length: 0045
fragment: 020000410303933EA21E49C31BC3A345
6165889684CAA5576CE7924A24F58113
808DBD9EF85610C3802A561550EC78D6
ED51AC2439D7E7FF88000009FF010001
0000170000
00000: 16 03 03 00 45 02 00 00 41 03 03 93 3E A2 1E 49
00010: C3 1B C3 A3 45 61 65 88 96 84 CA A5 57 6C E7 92
00020: 4A 24 F5 81 13 80 8D BD 9E F8 56 10 C3 80 2A 56
00030: 15 50 EC 78 D6 ED 51 AC 24 39 D7 E7 FF 88 00 00
00040: 09 FF 01 00 01 00 00 17 00 00
---------------------------Server---------------------------
Certificate message:
msg_type: 0B
length: 0001C6
body:
certificate_list:
length: 0001C3
vector:
ASN.1Cert:
length: 0001C0
vector: 308201BC30820169A003020102020101
300A06082A850307010103023042312C
302A06092A864886F70D010901161D74
. . .
C24737BEB0FF7D291D391E4D79514AE2
8AC284F45169886F65B0080F53501EF7
06012FBF9396B9766911213C18ECE1FD
Smyshlyaev, et al. Expires July 2, 2019 [Page 45]
Internet-Draft GOST Cipher Suites for TLS 1.2 December 2018
00000: 0B 00 01 C6 00 01 C3 00 01 C0 30 82 01 BC 30 82
00010: 01 69 A0 03 02 01 02 02 01 01 30 0A 06 08 2A 85
00020: 03 07 01 01 03 02 30 42 31 2C 30 2A 06 09 2A 86
00030: 48 86 F7 0D 01 09 01 16 1D 74 6C 73 31 32 5F 73
00040: 65 72 76 65 72 32 35 36 41 40 63 72 79 70 74 6F
00050: 70 72 6F 2E 72 75 31 12 30 10 06 03 55 04 03 13
00060: 09 53 65 72 76 65 72 32 35 36 30 1E 17 0D 31 37
00070: 30 35 32 35 30 39 32 32 34 37 5A 17 0D 33 30 30
00080: 35 30 31 30 39 32 32 34 37 5A 30 42 31 2C 30 2A
00090: 06 09 2A 86 48 86 F7 0D 01 09 01 16 1D 74 6C 73
000A0: 31 32 5F 73 65 72 76 65 72 32 35 36 41 40 63 72
000B0: 79 70 74 6F 70 72 6F 2E 72 75 31 12 30 10 06 03
000C0: 55 04 03 13 09 53 65 72 76 65 72 32 35 36 30 66
000D0: 30 1F 06 08 2A 85 03 07 01 01 01 01 30 13 06 07
000E0: 2A 85 03 02 02 24 00 06 08 2A 85 03 07 01 01 02
000F0: 02 03 43 00 04 40 9A 10 DD 60 19 C2 E7 85 DC F3
00100: 9A C6 EC 40 56 D3 99 56 26 C7 0B DB FD 1A 2D A9
00110: C2 48 EB FF 23 E8 CA D6 6F 70 47 94 29 AB C4 65
00120: F7 EA CB C7 EE DE 9E 0B 5D 8E 11 03 1A 63 04 6F
00130: CF AE CD BA 0C C8 A3 43 30 41 30 1D 06 03 55 1D
00140: 0E 04 16 04 14 68 AB F5 C4 EE D8 68 6E 9C 68 35
00150: 22 EC 09 AA E9 D3 CF 30 10 30 0B 06 03 55 1D 0F
00160: 04 04 03 02 03 28 30 13 06 03 55 1D 25 04 0C 30
00170: 0A 06 08 2B 06 01 05 05 07 03 01 30 0A 06 08 2A
00180: 85 03 07 01 01 03 02 03 41 00 88 2E 34 FB 75 8C
00190: FB BE 2C 42 34 14 C4 6A D4 31 C2 47 37 BE B0 FF
001A0: 7D 29 1D 39 1E 4D 79 51 4A E2 8A C2 84 F4 51 69
001B0: 88 6F 65 B0 08 0F 53 50 1E F7 06 01 2F BF 93 96
001C0: B9 76 69 11 21 3C 18 EC E1 FD
Record layer message:
type: 16
version:
major: 03
minor: 03
length: 01CA
fragment: 0B0001C60001C30001C0308201BC3082
0169A003020102020101300A06082A85
0307010103023042312C302A06092A86
. . .
FBBE2C423414C46AD431C24737BEB0FF
7D291D391E4D79514AE28AC284F45169
886F65B0080F53501EF706012FBF9396
B9766911213C18ECE1FD
00000: 16 03 03 01 CA 0B 00 01 C6 00 01 C3 00 01 C0 30
00010: 82 01 BC 30 82 01 69 A0 03 02 01 02 02 01 01 30
00020: 0A 06 08 2A 85 03 07 01 01 03 02 30 42 31 2C 30
Smyshlyaev, et al. Expires July 2, 2019 [Page 46]
Internet-Draft GOST Cipher Suites for TLS 1.2 December 2018
00030: 2A 06 09 2A 86 48 86 F7 0D 01 09 01 16 1D 74 6C
00040: 73 31 32 5F 73 65 72 76 65 72 32 35 36 41 40 63
00050: 72 79 70 74 6F 70 72 6F 2E 72 75 31 12 30 10 06
00060: 03 55 04 03 13 09 53 65 72 76 65 72 32 35 36 30
00070: 1E 17 0D 31 37 30 35 32 35 30 39 32 32 34 37 5A
00080: 17 0D 33 30 30 35 30 31 30 39 32 32 34 37 5A 30
00090: 42 31 2C 30 2A 06 09 2A 86 48 86 F7 0D 01 09 01
000A0: 16 1D 74 6C 73 31 32 5F 73 65 72 76 65 72 32 35
000B0: 36 41 40 63 72 79 70 74 6F 70 72 6F 2E 72 75 31
000C0: 12 30 10 06 03 55 04 03 13 09 53 65 72 76 65 72
000D0: 32 35 36 30 66 30 1F 06 08 2A 85 03 07 01 01 01
000E0: 01 30 13 06 07 2A 85 03 02 02 24 00 06 08 2A 85
000F0: 03 07 01 01 02 02 03 43 00 04 40 9A 10 DD 60 19
00100: C2 E7 85 DC F3 9A C6 EC 40 56 D3 99 56 26 C7 0B
00110: DB FD 1A 2D A9 C2 48 EB FF 23 E8 CA D6 6F 70 47
00120: 94 29 AB C4 65 F7 EA CB C7 EE DE 9E 0B 5D 8E 11
00130: 03 1A 63 04 6F CF AE CD BA 0C C8 A3 43 30 41 30
00140: 1D 06 03 55 1D 0E 04 16 04 14 68 AB F5 C4 EE D8
00150: 68 6E 9C 68 35 22 EC 09 AA E9 D3 CF 30 10 30 0B
00160: 06 03 55 1D 0F 04 04 03 02 03 28 30 13 06 03 55
00170: 1D 25 04 0C 30 0A 06 08 2B 06 01 05 05 07 03 01
00180: 30 0A 06 08 2A 85 03 07 01 01 03 02 03 41 00 88
00190: 2E 34 FB 75 8C FB BE 2C 42 34 14 C4 6A D4 31 C2
001A0: 47 37 BE B0 FF 7D 29 1D 39 1E 4D 79 51 4A E2 8A
001B0: C2 84 F4 51 69 88 6F 65 B0 08 0F 53 50 1E F7 06
001C0: 01 2F BF 93 96 B9 76 69 11 21 3C 18 EC E1 FD
---------------------------Server---------------------------
ServerHelloDone message:
msg_type: 0E
length: 000000
body: --
00000: 0E 00 00 00
Record layer message::
type: 16
version:
major: 03
minor: 03
length: 0004
fragment: 0E000000
00000: 16 03 03 00 04 0E 00 00 00
Smyshlyaev, et al. Expires July 2, 2019 [Page 47]
Internet-Draft GOST Cipher Suites for TLS 1.2 December 2018
---------------------------Client---------------------------
PMS:
00000: A5 57 6C E7 92 4A 24 F5 81 13 80 8D BD 9E F8 56
00010: F5 BD C3 B1 83 CE 5D AD CA 36 A5 3A A0 77 65 1D
Random d_eph value:
0xA5C77C7482373DE16CE4A6F73CCE7F78
471493FF2C0709B8B706C9E8A25E6C1E
Q_eph ephemeral key:
x = 0xA8F36D63D262A203978F1B3B6795CDBB
F1AE7FB8EF7F47F1F18871C198E00793
y = 0x34CA5D6B4485640EA195435993BEB1F8
B016ED610496B5CC175AC2EA1F14F887
HASH (r_c | r_s):
00000: C3 EF 04 28 D4 B7 A1 F4 C5 02 5F 2E 65 DD 2B 2E
00010: A5 83 AE EF DB 67 C7 F4 21 4A 6A 29 8E 99 E3 25
Export key generation. r value:
0xC3EF0428D4B7A1F4C5025F2E65DD2B2E
Export key generation. UKM value:
0xC3EF0428D4B7A1F4C5025F2E65DD2B2E
Export keys K_Exp_MAC | K_Exp_ENC used in KExp15 algorithm:
00000: 0E 01 38 D5 83 68 57 0B 89 F4 D2 50 71 5A E6 52
00010: B1 B6 D8 02 A0 60 D3 CD D7 75 C6 8C 5C 53 B9 98
00020: 3B B7 27 99 3C D2 3A 3C 27 C1 B9 BB 44 E6 AF B7
00030: 62 71 F9 7D 80 38 1F 3C B1 FF 6E 7E 93 B0 62 02
IV:
00000: 21 4A 6A 29
PMSEXP:
00000: 9E C3 E0 76 C5 56 73 1E 3B 25 3B E5 8B 8F AD D4
00010: A9 0A 24 B3 42 F6 13 A5 E2 AC 13 CE 07 53 0A 00
00020: A9 8C 1E E2 A2 AF C0 E0
---------------------------Client---------------------------
ClientKeyExchange message:
msg_type: 10
length: 000095
body:
Smyshlyaev, et al. Expires July 2, 2019 [Page 48]
Internet-Draft GOST Cipher Suites for TLS 1.2 December 2018
exchange_keys: 30819204289EC3E076C556731E3B253B
E58B8FADD4A90A24B342F613A5E2AC13
CE07530A00A98C1EE2A2AFC0E0306630
. . .
EFB87FAEF1BBCD95673B1B8F9703A262
D2636DF3A887F8141FEAC25A17CCB596
0461ED16B0F8B1BE93594395A10E6485
446B5DCA34
00000: 10 00 00 95 30 81 92 04 28 9E C3 E0 76 C5 56 73
00010: 1E 3B 25 3B E5 8B 8F AD D4 A9 0A 24 B3 42 F6 13
00020: A5 E2 AC 13 CE 07 53 0A 00 A9 8C 1E E2 A2 AF C0
00030: E0 30 66 30 1F 06 08 2A 85 03 07 01 01 01 01 30
00040: 13 06 07 2A 85 03 02 02 24 00 06 08 2A 85 03 07
00050: 01 01 02 02 03 43 00 04 40 93 07 E0 98 C1 71 88
00060: F1 F1 47 7F EF B8 7F AE F1 BB CD 95 67 3B 1B 8F
00070: 97 03 A2 62 D2 63 6D F3 A8 87 F8 14 1F EA C2 5A
00080: 17 CC B5 96 04 61 ED 16 B0 F8 B1 BE 93 59 43 95
00090: A1 0E 64 85 44 6B 5D CA 34
Record layer message:
type: 16
version:
major: 03
minor: 03
length: 0099
fragment: 1000009530819204289EC3E076C55673
1E3B253BE58B8FADD4A90A24B342F613
A5E2AC13CE07530A00A98C1EE2A2AFC0
. . .
F1F1477FEFB87FAEF1BBCD95673B1B8F
9703A262D2636DF3A887F8141FEAC25A
17CCB5960461ED16B0F8B1BE93594395
A10E6485446B5DCA34
00000: 16 03 03 00 99 10 00 00 95 30 81 92 04 28 9E C3
00010: E0 76 C5 56 73 1E 3B 25 3B E5 8B 8F AD D4 A9 0A
00020: 24 B3 42 F6 13 A5 E2 AC 13 CE 07 53 0A 00 A9 8C
00030: 1E E2 A2 AF C0 E0 30 66 30 1F 06 08 2A 85 03 07
00040: 01 01 01 01 30 13 06 07 2A 85 03 02 02 24 00 06
00050: 08 2A 85 03 07 01 01 02 02 03 43 00 04 40 93 07
00060: E0 98 C1 71 88 F1 F1 47 7F EF B8 7F AE F1 BB CD
00070: 95 67 3B 1B 8F 97 03 A2 62 D2 63 6D F3 A8 87 F8
00080: 14 1F EA C2 5A 17 CC B5 96 04 61 ED 16 B0 F8 B1
00090: BE 93 59 43 95 A1 0E 64 85 44 6B 5D CA 34
---------------------------Server---------------------------
Smyshlyaev, et al. Expires July 2, 2019 [Page 49]
Internet-Draft GOST Cipher Suites for TLS 1.2 December 2018
PMSEXP extracted:
00000: 9E C3 E0 76 C5 56 73 1E 3B 25 3B E5 8B 8F AD D4
00010: A9 0A 24 B3 42 F6 13 A5 E2 AC 13 CE 07 53 0A 00
00020: A9 8C 1E E2 A2 AF C0 E0
HASH(r_c | r_s):
00000: C3 EF 04 28 D4 B7 A1 F4 C5 02 5F 2E 65 DD 2B 2E
00010: A5 83 AE EF DB 67 C7 F4 21 4A 6A 29 8E 99 E3 25
Export key generation. r value:
0xC3EF0428D4B7A1F4C5025F2E65DD2B2E
Export key generation. UKM value:
0xC3EF0428D4B7A1F4C5025F2E65DD2B2E
Import keys K_Imp_MAC | K_Imp_ENC used in KImp15 algorithm:
00000: 0E 01 38 D5 83 68 57 0B 89 F4 D2 50 71 5A E6 52
00010: B1 B6 D8 02 A0 60 D3 CD D7 75 C6 8C 5C 53 B9 98
00020: 3B B7 27 99 3C D2 3A 3C 27 C1 B9 BB 44 E6 AF B7
00030: 62 71 F9 7D 80 38 1F 3C B1 FF 6E 7E 93 B0 62 02
IV:
00000: 21 4A 6A 29
PMS:
00000: A5 57 6C E7 92 4A 24 F5 81 13 80 8D BD 9E F8 56
00010: F5 BD C3 B1 83 CE 5D AD CA 36 A5 3A A0 77 65 1D
---------------------------Client---------------------------
HASH(HM):
00000: F7 90 79 19 83 24 FD 49 8D FE A7 10 56 46 DE 41
00010: DA 87 DC 0B 0A 91 71 A2 F9 7C 65 E7 EA DA 48 92
MS:
00000: ED 28 A3 02 79 AC 3E 83 A7 E3 73 22 65 96 BA D8
00010: DD 7F 5E C5 FE 60 BB 2F 32 4C B0 14 7D F1 F3 51
00020: 04 EB DB 85 04 53 5C E6 9A 96 68 8C BD FE A5 6D
Client connection key material
K_write_MAC|K_read_MAC|K_write_ENC|K_read_ENC|IV_write|IV_read:
00000: 50 BB E5 17 CF 2A 6E 3A 15 04 F6 91 3C 07 2B 89
00010: 17 17 46 89 86 9E CF A4 70 AC C2 C6 1C 1A 5B 4D
00020: 11 03 A5 C1 E5 9F 18 7B 82 6C F0 26 D8 F0 21 35
00030: 0B 44 48 F2 FC E5 0A 51 52 F5 43 2C 2F 25 24 FE
00040: 1D FA 50 19 2E E1 69 BC 60 A6 24 A6 98 12 08 A7
00050: 80 D1 F0 02 20 A1 CF B3 4B 0D 2E 71 7D BE 67 7A
Smyshlyaev, et al. Expires July 2, 2019 [Page 50]
Internet-Draft GOST Cipher Suites for TLS 1.2 December 2018
00060: 62 41 A1 0E 1A 10 49 53 97 00 6F AC BF 63 96 19
00070: 22 7C 4C 03 0A E8 E5 3F C3 6E 43 A7 17 AF FE 60
00080: 5F 23 58 29 21 BE FE 71
---------------------------Server---------------------------
HASH(HM):
00000: F7 90 79 19 83 24 FD 49 8D FE A7 10 56 46 DE 41
00010: DA 87 DC 0B 0A 91 71 A2 F9 7C 65 E7 EA DA 48 92
MS:
00000: ED 28 A3 02 79 AC 3E 83 A7 E3 73 22 65 96 BA D8
00010: DD 7F 5E C5 FE 60 BB 2F 32 4C B0 14 7D F1 F3 51
00020: 04 EB DB 85 04 53 5C E6 9A 96 68 8C BD FE A5 6D
Server connection key material
K_read_MAC|K_write_MAC|K_read_ENC|K_write_ENC|IV_read|IV_write:
00000: 50 BB E5 17 CF 2A 6E 3A 15 04 F6 91 3C 07 2B 89
00010: 17 17 46 89 86 9E CF A4 70 AC C2 C6 1C 1A 5B 4D
00020: 11 03 A5 C1 E5 9F 18 7B 82 6C F0 26 D8 F0 21 35
00030: 0B 44 48 F2 FC E5 0A 51 52 F5 43 2C 2F 25 24 FE
00040: 1D FA 50 19 2E E1 69 BC 60 A6 24 A6 98 12 08 A7
00050: 80 D1 F0 02 20 A1 CF B3 4B 0D 2E 71 7D BE 67 7A
00060: 62 41 A1 0E 1A 10 49 53 97 00 6F AC BF 63 96 19
00070: 22 7C 4C 03 0A E8 E5 3F C3 6E 43 A7 17 AF FE 60
00080: 5F 23 58 29 21 BE FE 71
---------------------------Client---------------------------
ChangeCipherSpec message:
type: 01
00000: 01
Record layer message:
type: 14
version:
major: 03
minor: 03
length: 0001
fragment: 01
00000: 14 03 03 00 01 01
---------------------------Client---------------------------
Smyshlyaev, et al. Expires July 2, 2019 [Page 51]
Internet-Draft GOST Cipher Suites for TLS 1.2 December 2018
HASH(HM):
00000: F7 90 79 19 83 24 FD 49 8D FE A7 10 56 46 DE 41
00010: DA 87 DC 0B 0A 91 71 A2 F9 7C 65 E7 EA DA 48 92
client_verify_data:
00000: C5 D6 43 59 6D 0D BC C5 39 22 D6 3C A2 57 A4 D8
00010: 83 B7 C9 02 7A 61 F4 53 E9 7C 97 1E F9 AB 78 03
---------------------------Client---------------------------
Finished message:
msg_type: 14
length: 000020
body:
verify_data: C5D643596D0DBCC53922D63CA257A4D8
83B7C9027A61F453E97C971EF9AB7803
00000: 14 00 00 20 C5 D6 43 59 6D 0D BC C5 39 22 D6 3C
00010: A2 57 A4 D8 83 B7 C9 02 7A 61 F4 53 E9 7C 97 1E
00020: F9 AB 78 03
Record layer message:
type: 16
version:
major: 03
minor: 03
length: 002C
fragment: 69F034DADA4950821E59013560B9823C
C86AC12516C477C9811ABD6489EBC2AF
F291A308F18250F3938D1742
00000: 16 03 03 00 2C 69 F0 34 DA DA 49 50 82 1E 59 01
00010: 35 60 B9 82 3C C8 6A C1 25 16 C4 77 C9 81 1A BD
00020: 64 89 EB C2 AF F2 91 A3 08 F1 82 50 F3 93 8D 17
00030: 42
---------------------------Server---------------------------
ChangeCipherSpec message:
type: 01
00000: 01
Record layer message:
type: 14
version:
Smyshlyaev, et al. Expires July 2, 2019 [Page 52]
Internet-Draft GOST Cipher Suites for TLS 1.2 December 2018
major: 03
minor: 03
length: 0001
fragment: 01
00000: 14 03 03 00 01 01
---------------------------Server---------------------------
HASH(HM):
00000: 79 58 3A 49 C2 DC 4D DB B4 CA 81 02 60 AE 3A 05
00010: EE 01 E4 F2 2D C2 49 52 4B 28 2E 63 A1 5A FD A1
server_verify_data:
00000: 46 91 5D 21 6B 19 42 E8 8B 0D 78 B8 EB 66 18 84
00010: C3 E8 74 94 AC 48 92 08 46 48 7D A5 8D CF 7C CD
---------------------------Server---------------------------
Finished message:
msg_type: 14
length: 000020
body:
verify_data: 46915D216B1942E88B0D78B8EB661884
C3E87494AC48920846487DA58DCF7CCD
00000: 14 00 00 20 46 91 5D 21 6B 19 42 E8 8B 0D 78 B8
00010: EB 66 18 84 C3 E8 74 94 AC 48 92 08 46 48 7D A5
00020: 8D CF 7C CD
Record layer message:
type: 16
version:
major: 03
minor: 03
length: 002C
fragment: 4403C9BE3831E9E4BC71BDB3E4F3706D
628DC8FCF87859E572C2236DB091BAC9
EA0FC11A22163195563D7EC2
00000: 16 03 03 00 2C 44 03 C9 BE 38 31 E9 E4 BC 71 BD
00010: B3 E4 F3 70 6D 62 8D C8 FC F8 78 59 E5 72 C2 23
00020: 6D B0 91 BA C9 EA 0F C1 1A 22 16 31 95 56 3D 7E
00030: C2
Smyshlyaev, et al. Expires July 2, 2019 [Page 53]
Internet-Draft GOST Cipher Suites for TLS 1.2 December 2018
---------------------------Client---------------------------
Application data:
00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Record layer message:
type: 17
version:
major: 03
minor: 03
length: 0028
fragment: E2F569C4F3495C6B77C94FB94BE4FE9B
D94832077D05BFF0F5A4A2E667F727EF
8C3CFDE990FD741D
00000: 17 03 03 00 28 E2 F5 69 C4 F3 49 5C 6B 77 C9 4F
00010: B9 4B E4 FE 9B D9 48 32 07 7D 05 BF F0 F5 A4 A2
00020: E6 67 F7 27 EF 8C 3C FD E9 90 FD 74 1D
---------------------------Server---------------------------
Application data:
00000: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
00010: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
Record layer message:
type: 17
version:
major: 03
minor: 03
length: 0028
fragment: EB8458C2C5F1EBF2E81C6550F88C4978
5F90566E2E1EF46741CF4F9FB6D0B5EB
8E98BEDB8AFB31CD
00000: 17 03 03 00 28 EB 84 58 C2 C5 F1 EB F2 E8 1C 65
00010: 50 F8 8C 49 78 5F 90 56 6E 2E 1E F4 67 41 CF 4F
00020: 9F B6 D0 B5 EB 8E 98 BE DB 8A FB 31 CD
---------------------------Client---------------------------
close_notify alert:
Alert:
level: 01
description: 00
Smyshlyaev, et al. Expires July 2, 2019 [Page 54]
Internet-Draft GOST Cipher Suites for TLS 1.2 December 2018
00000: 01 00
Record layer message:
type: 15
version:
major: 03
minor: 03
length: 000A
fragment: D6B17B5D426B0C7FE629
00000: 15 03 03 00 0A D6 B1 7B 5D 42 6B 0C 7F E6 29
---------------------------Server---------------------------
close_notify alert:
Alert:
level: 01
description: 00
00000: 01 00
Record layer message:
type: 15
version:
major: 03
minor: 03
length: 000A
fragment: E20498CC0DFA0D8EC6B5
00000: 15 03 03 00 0A E2 04 98 CC 0D FA 0D 8E C6 B5
A.1.3.2. TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC ciphersuite
Server certificate curve OID:
id-tc26-gost-3410-2012-512-paramSetC, "1.2.643.7.1.2.1.2.3"
Server public key Q_s:
x = 0xF14589DA479AD972C66563669B3FF580
92E6A30A288BF447CD9FF6C3133E9724
7A9706B267703C9B4E239F0D7C7E3310
C22D2752B35BD2E4FD39B8F11DEB833A
Smyshlyaev, et al. Expires July 2, 2019 [Page 55]
Internet-Draft GOST Cipher Suites for TLS 1.2 December 2018
y = 0xF305E95B36502D4E60A1059FB20AB30B
FC7C95727F3A2C04B1DFDDB53B0413F2
99F2DFE66A5E1CCB4101A7A01D612BE6
BD78E1E3B3D567EBB16ABE587A11F4EA
Server private key d_s:
0x12FD7A70067479A0F66C59F9A25534AD
FBC7ABFD3CC72D79806F8B402601644B
3005ED365A2D8989A8CCAE640D5FC08D
D27DFBBFE137CF528E1AC6D445192E01
Client certificate curve OID:
id-tc26-gost-3410-2012-256-paramSetA, "1.2.643.7.1.2.1.1.1"
Client public key Q_c:
x = 0x0F5DB18A9E15F324B778676025BFD7B5
DF066566EABAA1C51CD879F87B0B4975
y = 0x9EE5BBF18361F842D3F087DEC2943939
E0FA2BFB4EDEC25A8D10ABB22C48F386
Client private key d_c:
0x0918AD3F7D209ABF89F1E8505DA894CE
E10DA09D32E72E815D9C0ADA30B5A103
---------------------------Client---------------------------
ClientHello message:
msg_type: 01
length: 000040
body:
client_version:
major: 03
minor: 03
random: 933EA21EC3802A561550EC78D6ED51AC
2439D7E749C31BC3A3456165889684CA
session_id:
length: 00
vector: --
cipher_suites:
length: 0004
vector:
CipherSuite: FF88
CipherSuite: FF89
compression_methods:
length: 01
vector:
Smyshlyaev, et al. Expires July 2, 2019 [Page 56]
Internet-Draft GOST Cipher Suites for TLS 1.2 December 2018
CompressionMethod: 00
extensions:
length: 0013
vector:
Extension: /* signature_algorithms */
extension_type: 000D
extension_data:
length: 0006
vector:
supported_signature_algorithms:
length: 0004
vector:
/* 1 pair of algorithms */
hash: EE
signature:
EE
/* 2 pair of algorithms */
hash: EF
signature:
EF
Extension: /* renegotiation_info */
extension_type: FF01
extension_data:
length: 0001
vector:
renegotiated_connection:
length: 00
vector: --
Extension: /* extended_master_secret */
extension_type: 0017
extension_data:
length: 0000
vector: --
00000: 01 00 00 40 03 03 93 3E A2 1E C3 80 2A 56 15 50
00010: EC 78 D6 ED 51 AC 24 39 D7 E7 49 C3 1B C3 A3 45
00020: 61 65 88 96 84 CA 00 00 04 FF 88 FF 89 01 00 00
00030: 13 00 0D 00 06 00 04 EE EE EF EF FF 01 00 01 00
00040: 00 17 00 00
Record layer message:
type: 16
version:
major: 03
minor: 03
length: 0044
fragment: 010000400303933EA21EC3802A561550
EC78D6ED51AC2439D7E749C31BC3A345
Smyshlyaev, et al. Expires July 2, 2019 [Page 57]
Internet-Draft GOST Cipher Suites for TLS 1.2 December 2018
6165889684CA000004FF88FF89010000
13000D00060004EEEEEFEFFF01000100
00170000
00000: 16 03 03 00 44 01 00 00 40 03 03 93 3E A2 1E C3
00010: 80 2A 56 15 50 EC 78 D6 ED 51 AC 24 39 D7 E7 49
00020: C3 1B C3 A3 45 61 65 88 96 84 CA 00 00 04 FF 88
00030: FF 89 01 00 00 13 00 0D 00 06 00 04 EE EE EF EF
00040: FF 01 00 01 00 00 17 00 00
---------------------------Server---------------------------
ServerHello message:
msg_type: 02
length: 000041
body:
server_version:
major: 03
minor: 03
random: 933EA21E49C31BC3A3456165889684CA
A5576CE7924A24F58113808DBD9EF856
session_id:
length: 10
vector: C3802A561550EC78D6ED51AC2439D7E7
cipher_suite:
CipherSuite: FF89
compression_method:
CompressionMethod: 00
extensions:
length: 0009
vector:
Extension: /* renegotiation_info */
extension_type: FF01
extension_data:
length: 0001
vector:
renegotiated_connection:
length: 00
vector: --
Extension: /* extended_master_secret */
extension_type: 0017
extension_data:
length: 0000
vector: --
00000: 02 00 00 41 03 03 93 3E A2 1E 49 C3 1B C3 A3 45
00010: 61 65 88 96 84 CA A5 57 6C E7 92 4A 24 F5 81 13
Smyshlyaev, et al. Expires July 2, 2019 [Page 58]
Internet-Draft GOST Cipher Suites for TLS 1.2 December 2018
00020: 80 8D BD 9E F8 56 10 C3 80 2A 56 15 50 EC 78 D6
00030: ED 51 AC 24 39 D7 E7 FF 89 00 00 09 FF 01 00 01
00040: 00 00 17 00 00
Record layer message:
type: 16
version:
major: 03
minor: 03
length: 0045
fragment: 020000410303933EA21E49C31BC3A345
6165889684CAA5576CE7924A24F58113
808DBD9EF85610C3802A561550EC78D6
ED51AC2439D7E7FF89000009FF010001
0000170000
00000: 16 03 03 00 45 02 00 00 41 03 03 93 3E A2 1E 49
00010: C3 1B C3 A3 45 61 65 88 96 84 CA A5 57 6C E7 92
00020: 4A 24 F5 81 13 80 8D BD 9E F8 56 10 C3 80 2A 56
00030: 15 50 EC 78 D6 ED 51 AC 24 39 D7 E7 FF 89 00 00
00040: 09 FF 01 00 01 00 00 17 00 00
---------------------------Server---------------------------
Certificate message:
msg_type: 0B
length: 00024C
body:
certificate_list:
length: 000249
vector:
ASN.1Cert:
length: 000246
vector: 30820242308201AEA003020102020101
300A06082A850307010103033042312C
302A06092A864886F70D010901161D74
. . .
371AF83C5BC58B366DFEFA7345D50317
867C177AC84AC07EE8612164629AB7BD
C48AA0F64A741FE7298E82C5BFCE8672
029F875391F7
00000: 0B 00 02 4C 00 02 49 00 02 46 30 82 02 42 30 82
00010: 01 AE A0 03 02 01 02 02 01 01 30 0A 06 08 2A 85
00020: 03 07 01 01 03 03 30 42 31 2C 30 2A 06 09 2A 86
00030: 48 86 F7 0D 01 09 01 16 1D 74 6C 73 31 32 5F 73
00040: 65 72 76 65 72 35 31 32 43 40 63 72 79 70 74 6F
Smyshlyaev, et al. Expires July 2, 2019 [Page 59]
Internet-Draft GOST Cipher Suites for TLS 1.2 December 2018
00050: 70 72 6F 2E 72 75 31 12 30 10 06 03 55 04 03 13
00060: 09 53 65 72 76 65 72 35 31 32 30 1E 17 0D 31 37
00070: 30 35 32 35 30 39 32 35 31 38 5A 17 0D 33 30 30
00080: 35 30 31 30 39 32 35 31 38 5A 30 42 31 2C 30 2A
00090: 06 09 2A 86 48 86 F7 0D 01 09 01 16 1D 74 6C 73
000A0: 31 32 5F 73 65 72 76 65 72 35 31 32 43 40 63 72
000B0: 79 70 74 6F 70 72 6F 2E 72 75 31 12 30 10 06 03
000C0: 55 04 03 13 09 53 65 72 76 65 72 35 31 32 30 81
000D0: AA 30 21 06 08 2A 85 03 07 01 01 01 02 30 15 06
000E0: 09 2A 85 03 07 01 02 01 02 03 06 08 2A 85 03 07
000F0: 01 01 02 03 03 81 84 00 04 81 80 3A 83 EB 1D F1
00100: B8 39 FD E4 D2 5B B3 52 27 2D C2 10 33 7E 7C 0D
00110: 9F 23 4E 9B 3C 70 67 B2 06 97 7A 24 97 3E 13 C3
00120: F6 9F CD 47 F4 8B 28 0A A3 E6 92 80 F5 3F 9B 66
00130: 63 65 C6 72 D9 9A 47 DA 89 45 F1 EA F4 11 7A 58
00140: BE 6A B1 EB 67 D5 B3 E3 E1 78 BD E6 2B 61 1D A0
00150: A7 01 41 CB 1C 5E 6A E6 DF F2 99 F2 13 04 3B B5
00160: DD DF B1 04 2C 3A 7F 72 95 7C FC 0B B3 0A B2 9F
00170: 05 A1 60 4E 2D 50 36 5B E9 05 F3 A3 43 30 41 30
00180: 1D 06 03 55 1D 0E 04 16 04 14 87 9C C6 5A 0F 4A
00190: 89 CB 4A 58 49 DF 05 61 56 9B AA DC 11 69 30 0B
001A0: 06 03 55 1D 0F 04 04 03 02 03 28 30 13 06 03 55
001B0: 1D 25 04 0C 30 0A 06 08 2B 06 01 05 05 07 03 01
001C0: 30 0A 06 08 2A 85 03 07 01 01 03 03 03 81 81 00
001D0: 35 BE 38 51 EC B6 E9 2D 32 40 01 81 0F 8C 89 03
001E0: 52 42 F4 05 46 9F 4C 4E CB 05 02 7C 57 E2 71 52
001F0: 12 AF D7 CD BB 0C ED 7A 8B 4D 33 42 CC 50 1A BD
00200: 99 99 75 A5 8A DE 0E 58 4F CA 35 F5 2E 45 58 B7
00210: 31 1D 49 D0 A0 51 32 79 F7 39 37 1A F8 3C 5B C5
00220: 8B 36 6D FE FA 73 45 D5 03 17 86 7C 17 7A C8 4A
00230: C0 7E E8 61 21 64 62 9A B7 BD C4 8A A0 F6 4A 74
00240: 1F E7 29 8E 82 C5 BF CE 86 72 02 9F 87 53 91 F7
Record layer message:
type: 16
version:
major: 03
minor: 03
length: 0250
fragment: 0B00024C000249000246308202423082
01AEA003020102020101300A06082A85
0307010103033042312C302A06092A86
. . .
8B366DFEFA7345D50317867C177AC84A
C07EE8612164629AB7BDC48AA0F64A74
1FE7298E82C5BFCE8672029F875391F7
00000: 16 03 03 02 50 0B 00 02 4C 00 02 49 00 02 46 30
Smyshlyaev, et al. Expires July 2, 2019 [Page 60]
Internet-Draft GOST Cipher Suites for TLS 1.2 December 2018
00010: 82 02 42 30 82 01 AE A0 03 02 01 02 02 01 01 30
00020: 0A 06 08 2A 85 03 07 01 01 03 03 30 42 31 2C 30
00030: 2A 06 09 2A 86 48 86 F7 0D 01 09 01 16 1D 74 6C
00040: 73 31 32 5F 73 65 72 76 65 72 35 31 32 43 40 63
00050: 72 79 70 74 6F 70 72 6F 2E 72 75 31 12 30 10 06
00060: 03 55 04 03 13 09 53 65 72 76 65 72 35 31 32 30
00070: 1E 17 0D 31 37 30 35 32 35 30 39 32 35 31 38 5A
00080: 17 0D 33 30 30 35 30 31 30 39 32 35 31 38 5A 30
00090: 42 31 2C 30 2A 06 09 2A 86 48 86 F7 0D 01 09 01
000A0: 16 1D 74 6C 73 31 32 5F 73 65 72 76 65 72 35 31
000B0: 32 43 40 63 72 79 70 74 6F 70 72 6F 2E 72 75 31
000C0: 12 30 10 06 03 55 04 03 13 09 53 65 72 76 65 72
000D0: 35 31 32 30 81 AA 30 21 06 08 2A 85 03 07 01 01
000E0: 01 02 30 15 06 09 2A 85 03 07 01 02 01 02 03 06
000F0: 08 2A 85 03 07 01 01 02 03 03 81 84 00 04 81 80
00100: 3A 83 EB 1D F1 B8 39 FD E4 D2 5B B3 52 27 2D C2
00110: 10 33 7E 7C 0D 9F 23 4E 9B 3C 70 67 B2 06 97 7A
00120: 24 97 3E 13 C3 F6 9F CD 47 F4 8B 28 0A A3 E6 92
00130: 80 F5 3F 9B 66 63 65 C6 72 D9 9A 47 DA 89 45 F1
00140: EA F4 11 7A 58 BE 6A B1 EB 67 D5 B3 E3 E1 78 BD
00150: E6 2B 61 1D A0 A7 01 41 CB 1C 5E 6A E6 DF F2 99
00160: F2 13 04 3B B5 DD DF B1 04 2C 3A 7F 72 95 7C FC
00170: 0B B3 0A B2 9F 05 A1 60 4E 2D 50 36 5B E9 05 F3
00180: A3 43 30 41 30 1D 06 03 55 1D 0E 04 16 04 14 87
00190: 9C C6 5A 0F 4A 89 CB 4A 58 49 DF 05 61 56 9B AA
001A0: DC 11 69 30 0B 06 03 55 1D 0F 04 04 03 02 03 28
001B0: 30 13 06 03 55 1D 25 04 0C 30 0A 06 08 2B 06 01
001C0: 05 05 07 03 01 30 0A 06 08 2A 85 03 07 01 01 03
001D0: 03 03 81 81 00 35 BE 38 51 EC B6 E9 2D 32 40 01
001E0: 81 0F 8C 89 03 52 42 F4 05 46 9F 4C 4E CB 05 02
001F0: 7C 57 E2 71 52 12 AF D7 CD BB 0C ED 7A 8B 4D 33
00200: 42 CC 50 1A BD 99 99 75 A5 8A DE 0E 58 4F CA 35
00210: F5 2E 45 58 B7 31 1D 49 D0 A0 51 32 79 F7 39 37
00220: 1A F8 3C 5B C5 8B 36 6D FE FA 73 45 D5 03 17 86
00230: 7C 17 7A C8 4A C0 7E E8 61 21 64 62 9A B7 BD C4
00240: 8A A0 F6 4A 74 1F E7 29 8E 82 C5 BF CE 86 72 02
00250: 9F 87 53 91 F7
---------------------------Server---------------------------
CertificateRequest message:
msg_type: 0D
length: 00000B
body:
certificate_types:
length: 02
vector:
Smyshlyaev, et al. Expires July 2, 2019 [Page 61]
Internet-Draft GOST Cipher Suites for TLS 1.2 December 2018
/* gostr34102012_256 */
EE
/* gostr34102012_512 */
EF
supported_signature_algorithms:
length: 0004
vector:
/* 1 pair of algorithms */
hash: EE
signature: EE
/* 2 pair of algorithms */
hash: EF
signature: EF
certificate_authorities:
length: 0000
vector: --
00000: 0D 00 00 0B 02 EE EF 00 04 EE EE EF EF 00 00
Record layer message:
type: 16
version:
major: 03
minor: 03
length: 000F
fragment: 0D00000B02EEEF0004EEEEEFEF0000
00000: 16 03 03 00 0F 0D 00 00 0B 02 EE EF 00 04 EE EE
00010: EF EF 00 00
---------------------------Server---------------------------
ServerHelloDone message:
msg_type: 0E
length: 000000
body: --
00000: 0E 00 00 00
Record layer message:
type: 16
version:
major: 03
minor: 03
length: 0004
fragment: 0E000000
Smyshlyaev, et al. Expires July 2, 2019 [Page 62]
Internet-Draft GOST Cipher Suites for TLS 1.2 December 2018
00000: 16 03 03 00 04 0E 00 00 00
---------------------------Client---------------------------
Certificate message:
msg_type: 0B
length: 0001EA
body:
certificate_list:
length: 0001E7
vector:
ASN.1Cert:
length: 0001E4
vector: 308201E03082018DA003020102020101
300A06082A850307010103023053312E
302C06092A864886F70D010901161F74
. . .
C1CAB43AC01AFB0F3451BDC2DB188BBC
B77884251CDF6037BA830F4B31D5E96F
DC9BC1C95ABE658266C48402E070DE1F
292724E8
00000: 0B 00 01 EA 00 01 E7 00 01 E4 30 82 01 E0 30 82
00010: 01 8D A0 03 02 01 02 02 01 01 30 0A 06 08 2A 85
00020: 03 07 01 01 03 02 30 53 31 2E 30 2C 06 09 2A 86
00030: 48 86 F7 0D 01 09 01 16 1F 74 6C 73 31 32 5F 63
00040: 6C 69 65 6E 74 32 35 36 41 5F 45 40 63 72 79 70
00050: 74 6F 70 72 6F 2E 72 75 31 21 30 1F 06 03 55 04
00060: 03 1E 18 00 43 00 6C 00 69 00 65 00 6E 00 74 00
00070: 32 00 35 00 36 00 41 00 5F 00 45 30 1E 17 0D 31
00080: 37 30 35 32 35 30 39 33 31 31 38 5A 17 0D 33 30
00090: 30 35 30 31 30 39 33 31 31 38 5A 30 53 31 2E 30
000A0: 2C 06 09 2A 86 48 86 F7 0D 01 09 01 16 1F 74 6C
000B0: 73 31 32 5F 63 6C 69 65 6E 74 32 35 36 41 5F 45
000C0: 40 63 72 79 70 74 6F 70 72 6F 2E 72 75 31 21 30
000D0: 1F 06 03 55 04 03 1E 18 00 43 00 6C 00 69 00 65
000E0: 00 6E 00 74 00 32 00 35 00 36 00 41 00 5F 00 45
000F0: 30 68 30 21 06 08 2A 85 03 07 01 01 01 01 30 15
00100: 06 09 2A 85 03 07 01 02 01 01 01 06 08 2A 85 03
00110: 07 01 01 02 02 03 43 00 04 40 75 49 0B 7B F8 79
00120: D8 1C C5 A1 BA EA 66 65 06 DF B5 D7 BF 25 60 67
00130: 78 B7 24 F3 15 9E 8A B1 5D 0F 86 F3 48 2C B2 AB
00140: 10 8D 5A C2 DE 4E FB 2B FA E0 39 39 94 C2 DE 87
00150: F0 D3 42 F8 61 83 F1 BB E5 9E A3 43 30 41 30 1D
00160: 06 03 55 1D 0E 04 16 04 14 74 49 1E 77 30 D3 42
00170: A6 28 0E 72 A1 13 9D D9 90 8B FA F1 03 30 0B 06
00180: 03 55 1D 0F 04 04 03 02 07 80 30 13 06 03 55 1D
Smyshlyaev, et al. Expires July 2, 2019 [Page 63]
Internet-Draft GOST Cipher Suites for TLS 1.2 December 2018
00190: 25 04 0C 30 0A 06 08 2B 06 01 05 05 07 03 02 30
001A0: 0A 06 08 2A 85 03 07 01 01 03 02 03 41 00 1C 2D
001B0: 35 22 B4 11 02 D6 20 1F 23 50 C1 CA B4 3A C0 1A
001C0: FB 0F 34 51 BD C2 DB 18 8B BC B7 78 84 25 1C DF
001D0: 60 37 BA 83 0F 4B 31 D5 E9 6F DC 9B C1 C9 5A BE
001E0: 65 82 66 C4 84 02 E0 70 DE 1F 29 27 24 E8
Record layer message:
type: 16
version:
major: 03
minor: 03
length: 01EE
fragment: 0B0001EA0001E70001E4308201E03082
018DA003020102020101300A06082A85
0307010103023053312E302C06092A86
. . .
3522B41102D6201F2350C1CAB43AC01A
FB0F3451BDC2DB188BBCB77884251CDF
6037BA830F4B31D5E96FDC9BC1C95ABE
658266C48402E070DE1F292724E8
00000: 16 03 03 01 EE 0B 00 01 EA 00 01 E7 00 01 E4 30
00010: 82 01 E0 30 82 01 8D A0 03 02 01 02 02 01 01 30
00020: 0A 06 08 2A 85 03 07 01 01 03 02 30 53 31 2E 30
00030: 2C 06 09 2A 86 48 86 F7 0D 01 09 01 16 1F 74 6C
00040: 73 31 32 5F 63 6C 69 65 6E 74 32 35 36 41 5F 45
00050: 40 63 72 79 70 74 6F 70 72 6F 2E 72 75 31 21 30
00060: 1F 06 03 55 04 03 1E 18 00 43 00 6C 00 69 00 65
00070: 00 6E 00 74 00 32 00 35 00 36 00 41 00 5F 00 45
00080: 30 1E 17 0D 31 37 30 35 32 35 30 39 33 31 31 38
00090: 5A 17 0D 33 30 30 35 30 31 30 39 33 31 31 38 5A
000A0: 30 53 31 2E 30 2C 06 09 2A 86 48 86 F7 0D 01 09
000B0: 01 16 1F 74 6C 73 31 32 5F 63 6C 69 65 6E 74 32
000C0: 35 36 41 5F 45 40 63 72 79 70 74 6F 70 72 6F 2E
000D0: 72 75 31 21 30 1F 06 03 55 04 03 1E 18 00 43 00
000E0: 6C 00 69 00 65 00 6E 00 74 00 32 00 35 00 36 00
000F0: 41 00 5F 00 45 30 68 30 21 06 08 2A 85 03 07 01
00100: 01 01 01 30 15 06 09 2A 85 03 07 01 02 01 01 01
00110: 06 08 2A 85 03 07 01 01 02 02 03 43 00 04 40 75
00120: 49 0B 7B F8 79 D8 1C C5 A1 BA EA 66 65 06 DF B5
00130: D7 BF 25 60 67 78 B7 24 F3 15 9E 8A B1 5D 0F 86
00140: F3 48 2C B2 AB 10 8D 5A C2 DE 4E FB 2B FA E0 39
00150: 39 94 C2 DE 87 F0 D3 42 F8 61 83 F1 BB E5 9E A3
00160: 43 30 41 30 1D 06 03 55 1D 0E 04 16 04 14 74 49
00170: 1E 77 30 D3 42 A6 28 0E 72 A1 13 9D D9 90 8B FA
00180: F1 03 30 0B 06 03 55 1D 0F 04 04 03 02 07 80 30
00190: 13 06 03 55 1D 25 04 0C 30 0A 06 08 2B 06 01 05
Smyshlyaev, et al. Expires July 2, 2019 [Page 64]
Internet-Draft GOST Cipher Suites for TLS 1.2 December 2018
001A0: 05 07 03 02 30 0A 06 08 2A 85 03 07 01 01 03 02
001B0: 03 41 00 1C 2D 35 22 B4 11 02 D6 20 1F 23 50 C1
001C0: CA B4 3A C0 1A FB 0F 34 51 BD C2 DB 18 8B BC B7
001D0: 78 84 25 1C DF 60 37 BA 83 0F 4B 31 D5 E9 6F DC
001E0: 9B C1 C9 5A BE 65 82 66 C4 84 02 E0 70 DE 1F 29
001F0: 27 24 E8
---------------------------Client---------------------------
PMS value:
00000: A5 57 6C E7 92 4A 24 F5 81 13 80 8D BD 9E F8 56
00010: F5 BD C3 B1 83 CE 5D AD CA 36 A5 3A A0 77 65 1D
Random d_eph value:
0x150ACD11B66DD695AD18418FA7A2DC63
6B7E29DCA24536AABC826EE3175BB1FA
DC3AA0D01D3092E120B0FCF7EB872F4B
7E26EA17849D689222A48CF95A6E4831
Q_eph ephemeral key:
x = 0xC941BE5193189B476D5A0334114A3E04
BBE5B37C738AE40F150B334135288664
FEBFC5622818894A07B1F7AD60E28480
B4B637B90EA7D4BA980186B605D75BC6
y = 0xA154F7B93E8148652011F4FD52C9A06A
6471ADB28D0A949AE26BC786DE874153
ABC00B35164F3214A8A83C00ECE27831
B093528456234EFE766224FC2A7E9ABE
HASH (r_c | r_s):
00000: C3 EF 04 28 D4 B7 A1 F4 C5 02 5F 2E 65 DD 2B 2E
00010: A5 83 AE EF DB 67 C7 F4 21 4A 6A 29 8E 99 E3 25
Export key generation. r value:
0xC3EF0428D4B7A1F4C5025F2E65DD2B2E
Export key generation. UKM value:
0xC3EF0428D4B7A1F4C5025F2E65DD2B2E
Export keys K_Exp_MAC | K_Exp_ENC used in KExp15 algorithm:
00000: 7D AC 56 E4 8A 4D C1 70 FA A8 FC BA E2 0D B8 45
00010: 45 0C CC C4 C6 32 8B DC 8D 01 15 7C EF A2 A5 F1
00020: 1F 1C BA D8 86 61 66 F0 1F FA AB 01 52 E2 4B F4
00030: 60 9D 5F 46 A5 C8 99 C7 87 90 0D 08 B9 FC AD 24
IV:
Smyshlyaev, et al. Expires July 2, 2019 [Page 65]
Internet-Draft GOST Cipher Suites for TLS 1.2 December 2018
00000: 21 4A 6A 29 8E 99 E3 25
PMSEXP:
00000: 25 0D 1B 67 A2 70 AB 04 D3 F6 54 18 E1 D3 80 B4
00010: CB 94 5F 0A 3D CA 51 50 0C F3 A1 BE F3 7F 76 C0
00020: 73 41 A9 83 9C CF 6C BA 71 89 DA 61 EB 67 17 6C
---------------------------Client---------------------------
ClientKeyExchange message:
msg_type: 10
length: 0000E2
body:
exchange_keys: 3081DF0430250D1B67A270AB04D3F654
18E1D380B4CB945F0A3DCA51500CF3A1
BEF37F76C07341A9839CCF6CBA7189DA
. . .
93B03178E2EC003CA8A814324F16350B
C0AB534187DE86C76BE29A940A8DB2AD
71646AA0C952FDF411206548813EB9F7
54A1
00000: 10 00 00 E2 30 81 DF 04 30 25 0D 1B 67 A2 70 AB
00010: 04 D3 F6 54 18 E1 D3 80 B4 CB 94 5F 0A 3D CA 51
00020: 50 0C F3 A1 BE F3 7F 76 C0 73 41 A9 83 9C CF 6C
00030: BA 71 89 DA 61 EB 67 17 6C 30 81 AA 30 21 06 08
00040: 2A 85 03 07 01 01 01 02 30 15 06 09 2A 85 03 07
00050: 01 02 01 02 03 06 08 2A 85 03 07 01 01 02 03 03
00060: 81 84 00 04 81 80 C6 5B D7 05 B6 86 01 98 BA D4
00070: A7 0E B9 37 B6 B4 80 84 E2 60 AD F7 B1 07 4A 89
00080: 18 28 62 C5 BF FE 64 86 28 35 41 33 0B 15 0F E4
00090: 8A 73 7C B3 E5 BB 04 3E 4A 11 34 03 5A 6D 47 9B
000A0: 18 93 51 BE 41 C9 BE 9A 7E 2A FC 24 62 76 FE 4E
000B0: 23 56 84 52 93 B0 31 78 E2 EC 00 3C A8 A8 14 32
000C0: 4F 16 35 0B C0 AB 53 41 87 DE 86 C7 6B E2 9A 94
000D0: 0A 8D B2 AD 71 64 6A A0 C9 52 FD F4 11 20 65 48
000E0: 81 3E B9 F7 54 A1
Record layer message:
type: 16
version:
major: 03
minor: 03
length: 00E6
fragment: 100000E23081DF0430250D1B67A270AB
04D3F65418E1D380B4CB945F0A3DCA51
500CF3A1BEF37F76C07341A9839CCF6C
Smyshlyaev, et al. Expires July 2, 2019 [Page 66]
Internet-Draft GOST Cipher Suites for TLS 1.2 December 2018
. . .
2356845293B03178E2EC003CA8A81432
4F16350BC0AB534187DE86C76BE29A94
0A8DB2AD71646AA0C952FDF411206548
813EB9F754A1
00000: 16 03 03 00 E6 10 00 00 E2 30 81 DF 04 30 25 0D
00010: 1B 67 A2 70 AB 04 D3 F6 54 18 E1 D3 80 B4 CB 94
00020: 5F 0A 3D CA 51 50 0C F3 A1 BE F3 7F 76 C0 73 41
00030: A9 83 9C CF 6C BA 71 89 DA 61 EB 67 17 6C 30 81
00040: AA 30 21 06 08 2A 85 03 07 01 01 01 02 30 15 06
00050: 09 2A 85 03 07 01 02 01 02 03 06 08 2A 85 03 07
00060: 01 01 02 03 03 81 84 00 04 81 80 C6 5B D7 05 B6
00070: 86 01 98 BA D4 A7 0E B9 37 B6 B4 80 84 E2 60 AD
00080: F7 B1 07 4A 89 18 28 62 C5 BF FE 64 86 28 35 41
00090: 33 0B 15 0F E4 8A 73 7C B3 E5 BB 04 3E 4A 11 34
000A0: 03 5A 6D 47 9B 18 93 51 BE 41 C9 BE 9A 7E 2A FC
000B0: 24 62 76 FE 4E 23 56 84 52 93 B0 31 78 E2 EC 00
000C0: 3C A8 A8 14 32 4F 16 35 0B C0 AB 53 41 87 DE 86
000D0: C7 6B E2 9A 94 0A 8D B2 AD 71 64 6A A0 C9 52 FD
000E0: F4 11 20 65 48 81 3E B9 F7 54 A1
---------------------------Server---------------------------
PMSEXP extracted:
00000: 25 0D 1B 67 A2 70 AB 04 D3 F6 54 18 E1 D3 80 B4
00010: CB 94 5F 0A 3D CA 51 50 0C F3 A1 BE F3 7F 76 C0
00020: 73 41 A9 83 9C CF 6C BA 71 89 DA 61 EB 67 17 6C
HASH(r_c | r_s):
00000: C3 EF 04 28 D4 B7 A1 F4 C5 02 5F 2E 65 DD 2B 2E
00010: A5 83 AE EF DB 67 C7 F4 21 4A 6A 29 8E 99 E3 25
Export key generation. r value:
0xC3EF0428D4B7A1F4C5025F2E65DD2B2E
Export key generation. UKM value:
0xC3EF0428D4B7A1F4C5025F2E65DD2B2E
Export keys K_Exp_MAC | K_Exp_ENC used in KImp15 algorithm:
00000: 7D AC 56 E4 8A 4D C1 70 FA A8 FC BA E2 0D B8 45
00010: 45 0C CC C4 C6 32 8B DC 8D 01 15 7C EF A2 A5 F1
00020: 1F 1C BA D8 86 61 66 F0 1F FA AB 01 52 E2 4B F4
00030: 60 9D 5F 46 A5 C8 99 C7 87 90 0D 08 B9 FC AD 24
IV:
Smyshlyaev, et al. Expires July 2, 2019 [Page 67]
Internet-Draft GOST Cipher Suites for TLS 1.2 December 2018
00000: 21 4A 6A 29 8E 99 E3 25
PMS:
00000: A5 57 6C E7 92 4A 24 F5 81 13 80 8D BD 9E F8 56
00010: F5 BD C3 B1 83 CE 5D AD CA 36 A5 3A A0 77 65 1D
---------------------------Client---------------------------
Random value k used in signature generation:
0x163962EEA268203E7C6B3F70BF8D4A36
34CE6E2CFC424687951D70ACE0B4292A
Signature value sgn_c = SIGN_d_c(HM):
00000: F7 1F 43 62 45 5B C5 5B A8 9A 8F AF 01 82 88 EC
00010: 00 B3 27 17 48 2E 76 24 B2 57 D9 79 7C 8F F6 02
00020: 71 B2 94 AF 3F 2D 07 51 7A F1 48 DA B3 2F E9 45
00030: 94 85 C8 93 63 C2 F9 D8 2B 88 93 52 6A 92 D6 2E
---------------------------Client---------------------------
CertificateVerify message:
msg_type: 0F
length: 000044
body:
algorithm:
hash: EE
signature: EE
signature:
length: 0040
vector: F71F4362455BC55BA89A8FAF018288EC
00B32717482E7624B257D9797C8FF602
71B294AF3F2D07517AF148DAB32FE945
9485C89363C2F9D82B8893526A92D62E
00000: 0F 00 00 44 EE EE 00 40 F7 1F 43 62 45 5B C5 5B
00010: A8 9A 8F AF 01 82 88 EC 00 B3 27 17 48 2E 76 24
00020: B2 57 D9 79 7C 8F F6 02 71 B2 94 AF 3F 2D 07 51
00030: 7A F1 48 DA B3 2F E9 45 94 85 C8 93 63 C2 F9 D8
00040: 2B 88 93 52 6A 92 D6 2E
Record layer message:
type: 16
version:
major: 03
minor: 03
length: 0048
fragment: 0F000044EEEE0040F71F4362455BC55B
Smyshlyaev, et al. Expires July 2, 2019 [Page 68]
Internet-Draft GOST Cipher Suites for TLS 1.2 December 2018
A89A8FAF018288EC00B32717482E7624
B257D9797C8FF60271B294AF3F2D0751
7AF148DAB32FE9459485C89363C2F9D8
2B8893526A92D62E
00000: 16 03 03 00 48 0F 00 00 44 EE EE 00 40 F7 1F 43
00010: 62 45 5B C5 5B A8 9A 8F AF 01 82 88 EC 00 B3 27
00020: 17 48 2E 76 24 B2 57 D9 79 7C 8F F6 02 71 B2 94
00030: AF 3F 2D 07 51 7A F1 48 DA B3 2F E9 45 94 85 C8
00040: 93 63 C2 F9 D8 2B 88 93 52 6A 92 D6 2E
---------------------------Client---------------------------
HASH(HM):
00000: A5 71 AD 3C A4 E8 1B 38 69 01 E1 6A 1B E7 F9 38
00010: CC 0A 5C 52 94 F1 34 B4 30 31 F2 40 FA EA 24 D4
MS:
00000: 30 17 37 13 09 D6 91 42 3B B0 E2 C6 F5 5B 9D F7
00010: 85 21 D8 81 11 29 D8 9A 75 D9 85 1C 12 A1 55 DA
00020: CA 1C EC 8F F2 62 81 8D 46 F9 7D CC 1E 46 AF 26
Client connection key material
K_write_MAC|K_read_MAC|K_write_ENC|K_read_ENC|IV_write|IV_read:
00000: DC 78 65 3E F5 45 8F 54 02 70 6B 35 AA CC 15 8C
00010: C4 20 8C 51 7D 4F 1F 76 35 AD 7E B0 B5 5D 35 D1
00020: DF DA 05 F6 77 7A B7 24 A3 F5 FC 1D E9 43 64 C4
00030: 10 C9 D3 88 ED 9C 4B 6E CA C6 18 60 6B 23 4A 47
00040: 19 F6 C5 37 3B 2D D7 34 A2 A0 8D 0B 09 47 56 84
00050: B6 88 34 63 70 AA 7B 9E 22 6B 99 1B 7F FE 96 D0
00060: B0 DA EF 30 98 13 85 2C 8E 90 D9 A6 F2 96 EF 84
00070: F5 0F 2A CD 13 BE 46 44 4D BD 5F CA 38 48 EC 74
00080: A3 85 90 95 6E F0 BD 0C BA 36 E9 8A 0E 42 C2 62
---------------------------Server---------------------------
HASH(HM):
00000: A5 71 AD 3C A4 E8 1B 38 69 01 E1 6A 1B E7 F9 38
00010: CC 0A 5C 52 94 F1 34 B4 30 31 F2 40 FA EA 24 D4
MS:
00000: 30 17 37 13 09 D6 91 42 3B B0 E2 C6 F5 5B 9D F7
00010: 85 21 D8 81 11 29 D8 9A 75 D9 85 1C 12 A1 55 DA
00020: CA 1C EC 8F F2 62 81 8D 46 F9 7D CC 1E 46 AF 26
Server connection key material
Smyshlyaev, et al. Expires July 2, 2019 [Page 69]
Internet-Draft GOST Cipher Suites for TLS 1.2 December 2018
K_read_MAC|K_write_MAC|K_read_ENC|K_write_ENC|IV_read|IV_write:
00000: DC 78 65 3E F5 45 8F 54 02 70 6B 35 AA CC 15 8C
00010: C4 20 8C 51 7D 4F 1F 76 35 AD 7E B0 B5 5D 35 D1
00020: DF DA 05 F6 77 7A B7 24 A3 F5 FC 1D E9 43 64 C4
00030: 10 C9 D3 88 ED 9C 4B 6E CA C6 18 60 6B 23 4A 47
00040: 19 F6 C5 37 3B 2D D7 34 A2 A0 8D 0B 09 47 56 84
00050: B6 88 34 63 70 AA 7B 9E 22 6B 99 1B 7F FE 96 D0
00060: B0 DA EF 30 98 13 85 2C 8E 90 D9 A6 F2 96 EF 84
00070: F5 0F 2A CD 13 BE 46 44 4D BD 5F CA 38 48 EC 74
00080: A3 85 90 95 6E F0 BD 0C BA 36 E9 8A 0E 42 C2 62
---------------------------Client---------------------------
ChangeCipherSpec message:
type: 01
00000: 01
Record layer message:
type: 14
version:
major: 03
minor: 03
length: 0001
fragment: 01
00000: 14 03 03 00 01 01
---------------------------Client---------------------------
HASH(HM):
00000: A5 71 AD 3C A4 E8 1B 38 69 01 E1 6A 1B E7 F9 38
00010: CC 0A 5C 52 94 F1 34 B4 30 31 F2 40 FA EA 24 D4
client_verify_data:
00000: 5A 96 F3 54 37 5E 7F 05 CC E8 29 63 CB 06 74 DE
00010: B2 E2 DD 50 5F 57 94 7E 2A 92 C5 26 B3 8B 5F BC
---------------------------Client---------------------------
Finished message:
msg_type: 14
length: 000020
body:
verify_data: 5A96F354375E7F05CCE82963CB0674DE
Smyshlyaev, et al. Expires July 2, 2019 [Page 70]
Internet-Draft GOST Cipher Suites for TLS 1.2 December 2018
B2E2DD505F57947E2A92C526B38B5FBC
00000: 14 00 00 20 5A 96 F3 54 37 5E 7F 05 CC E8 29 63
00010: CB 06 74 DE B2 E2 DD 50 5F 57 94 7E 2A 92 C5 26
00020: B3 8B 5F BC
Record layer message:
type: 16
version:
major: 03
minor: 03
length: 0034
fragment: CA97257884E730D5AC1FB76D6526899B
8840C07A057E1DCBEC3B1D20C7CD7FD4
16BA78B87DC0CD49F9718F87D7C2F81F
27C8BA8B
00000: 16 03 03 00 34 CA 97 25 78 84 E7 30 D5 AC 1F B7
00010: 6D 65 26 89 9B 88 40 C0 7A 05 7E 1D CB EC 3B 1D
00020: 20 C7 CD 7F D4 16 BA 78 B8 7D C0 CD 49 F9 71 8F
00030: 87 D7 C2 F8 1F 27 C8 BA 8B
---------------------------Server---------------------------
ChangeCipherSpec message:
type: 01
00000: 01
Record layer message:
type: 14
version:
major: 03
minor: 03
length: 0001
fragment: 01
00000: 14 03 03 00 01 01
---------------------------Server---------------------------
HASH(HM):
00000: A1 0A B7 4A DC BC EB DF D3 20 79 3E 5D 3E 90 90
00010: CE 30 E3 AE 93 5F 6F E0 30 01 DB 03 D5 0D 5D 1B
server_verify_data:
Smyshlyaev, et al. Expires July 2, 2019 [Page 71]
Internet-Draft GOST Cipher Suites for TLS 1.2 December 2018
00000: A2 03 08 F0 17 39 63 EE DD AE 6E 1E 12 76 8F A3
00010: 91 C8 4E B5 48 41 C3 7B DB A3 2D 27 5A 17 88 66
---------------------------Server---------------------------
Finished message:
msg_type: 14
length: 000020
body:
verify_data: A20308F0173963EEDDAE6E1E12768FA3
91C84EB54841C37BDBA32D275A178866
00000: 14 00 00 20 A2 03 08 F0 17 39 63 EE DD AE 6E 1E
00010: 12 76 8F A3 91 C8 4E B5 48 41 C3 7B DB A3 2D 27
00020: 5A 17 88 66
Record layer message:
type: 16
version:
major: 03
minor: 03
length: 0034
fragment: F3DBAB6EA0562B3F71A879D3D6750FDA
269DA9A8FF8686C8E229D8F542500743
B44A13BA7737325AC0E617AA5BFFA4A4
E48FA7E8
00000: 16 03 03 00 34 F3 DB AB 6E A0 56 2B 3F 71 A8 79
00010: D3 D6 75 0F DA 26 9D A9 A8 FF 86 86 C8 E2 29 D8
00020: F5 42 50 07 43 B4 4A 13 BA 77 37 32 5A C0 E6 17
00030: AA 5B FF A4 A4 E4 8F A7 E8
---------------------------Client---------------------------
Application data:
00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Record layer message:
type: 17
version:
major: 03
minor: 03
length: 0030
fragment: E01DFE3155F02E164284F359D3E811BB
CEAA9F24EA9BCEB26C1D1DA80996F72A
Smyshlyaev, et al. Expires July 2, 2019 [Page 72]
Internet-Draft GOST Cipher Suites for TLS 1.2 December 2018
9D097430398FE2A414BE9B97C8603E97
00000: 17 03 03 00 30 E0 1D FE 31 55 F0 2E 16 42 84 F3
00010: 59 D3 E8 11 BB CE AA 9F 24 EA 9B CE B2 6C 1D 1D
00020: A8 09 96 F7 2A 9D 09 74 30 39 8F E2 A4 14 BE 9B
00030: 97 C8 60 3E 97
---------------------------Server---------------------------
Application data:
00000: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
00010: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
Record layer message:
type: 17
version:
major: 03
minor: 03
length: 0030
fragment: F7F5A29767A3C0DC2B070A61C97BFB0A
E94BB6126D0DD745C1FB8361C7146AE6
4966244F4D142A724F6E141549BA1201
00000: 17 03 03 00 30 F7 F5 A2 97 67 A3 C0 DC 2B 07 0A
00010: 61 C9 7B FB 0A E9 4B B6 12 6D 0D D7 45 C1 FB 83
00020: 61 C7 14 6A E6 49 66 24 4F 4D 14 2A 72 4F 6E 14
00030: 15 49 BA 12 01
---------------------------Client---------------------------
close_notify alert:
Alert:
level: 01
description: 00
00000: 01 00
Record layer message:
type: 15
version:
major: 03
minor: 03
length: 0012
fragment: B9B550F9458C7E0CD60038C979662CAD
EE16
Smyshlyaev, et al. Expires July 2, 2019 [Page 73]
Internet-Draft GOST Cipher Suites for TLS 1.2 December 2018
00000: 15 03 03 00 12 B9 B5 50 F9 45 8C 7E 0C D6 00 38
00010: C9 79 66 2C AD EE 16
---------------------------Server---------------------------
close_notify alert:
Alert:
level: 01
description: 00
00000: 01 00
Record layer message:
type: 15
version:
major: 03
minor: 03
length: 0012
fragment: 453DF39A53D9A0F33CDDE9F1E0476BA7
F10C
00000: 15 03 03 00 12 45 3D F3 9A 53 D9 A0 F3 3C DD E9
00010: F1 E0 47 6B A7 F1 0C
A.2. Test Examples for CNT_IMIT cipher suites
A.2.1. Record Examples
It is assumed that during Handshake following keys were established:
- MAC key:
00000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
00010: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
- Encryption key:
00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
- IV:
00000: 00 00 00 00 00 00 00 00
---------------------------------------------------------
seqnum = 0
Application data:
00000: 00 00 00 00 00 00 00
Smyshlyaev, et al. Expires July 2, 2019 [Page 74]
Internet-Draft GOST Cipher Suites for TLS 1.2 December 2018
Plaintext:
00000: 17 03 03 00 07 00 00 00 00 00 00 00
MAC:
00000: 30 01 34 a1
Ciphertext:
00000: 17 03 03 00 0b 86 71 cd bf 3c 1a ae 0f 62 4b 04
---------------------------------------------------------
seqnum = 1
Application data:
00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
....
007f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Plaintext:
00000: 17 03 03 08 00 00 00 00 00 00 00 00 00 00 00 00
00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
....
007f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00804: 00 00 00 00 00
MAC:
00000: f7 c3 8b 8a
Ciphertext:
00000: 17 03 03 08 04 cf aa 0c b4 2f a5 a4 7a 13 3d 73
00010: b9 f2 c0 b0 4f 8c a2 55 52 f8 56 bc be 6a 58 fa
....
007f0: 3e e2 c7 6f a2 30 a0 44 be 21 dc 8e 1a 96 f9 a8
00804: 88 1f ad 83 45 96 96 84 47
A.2.2. Handshake Examples
client -> server
0000 16 03 03 00 3e 01 00 00 3a 03 03 61 53 80 49 30
0010 e2 cf d2 ac 10 97 5d b1 66 ae 9f df f9 e7 3b 7a
0020 47 68 27 f0 6e 37 10 e9 24 5a 3c 00 00 02 ff 85
0030 01 00 00 0f 00 0d 00 06 00 04 ef ef ee ee ff 01
0040 00 01 00
Smyshlyaev, et al. Expires July 2, 2019 [Page 75]
Internet-Draft GOST Cipher Suites for TLS 1.2 December 2018
TLSv1.2 Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 62
Handshake Protocol: Client Hello
Handshake Type: Client Hello (1)
Length: 58
Version: TLS 1.2 (0x0303)
Random: 6153804930e2cfd2ac10975db166ae9fdff9e73b7a476827f06e3710e9245a3c
Session ID Length: 0
Cipher Suites Length: 2
Cipher Suites (1 suite)
Cipher Suite: TLS_GOSTR341112_256_WITH_28147_CNT_IMIT (0xff85)
Compression Methods Length: 1
Compression Methods (1 method)
Extensions Length: 15
Extension: signature_algorithms (len=6)
Type: signature_algorithms (13)
Length: 6
Signature Hash Algorithms Length: 4
Signature Hash Algorithms (2 algorithms)
Signature Algorithm: gostr34102012_512 gostr34102012_512 (0xefef)
Signature Hash Algorithm Hash: gostr34102012_512 (239)
Signature Hash Algorithm Signature: gostr34102012_512 (239)
Signature Algorithm: gostr34102012_256 gostr34102012_256 (0xeeee)
Signature Hash Algorithm Hash: gostr34102012_256 (238)
Signature Hash Algorithm Signature: gostr34102012_256 (238)
Extension: renegotiation_info (len=1)
Type: renegotiation_info (65281)
Length: 1
Renegotiation Info extension
Renegotiation info extension length: 0
---------------------------------------------------------
server -> client
0000 16 03 03 00 51 02 00 00 4d 03 03 e6 bd 34 dd 03
0010 26 e6 75 1d 8d 45 e5 81 05 b0 a9 5f 0e 12 88 a2
0020 cf 9b 7b 44 4f 57 4e 47 52 44 01 20 5f d4 61 e1
0030 ff 8d 62 1c 02 99 24 0c 6c c9 f6 7a b2 4d d7 ff
0040 e4 e4 e5 f4 28 ee 6e bd 6d 9c a2 4a ff 85 00 00
0050 05 ff 01 00 01 00
TLSv1.2 Record Layer: Handshake Protocol: Server Hello
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 81
Smyshlyaev, et al. Expires July 2, 2019 [Page 76]
Internet-Draft GOST Cipher Suites for TLS 1.2 December 2018
Handshake Protocol: Server Hello
Handshake Type: Server Hello (2)
Length: 77
Version: TLS 1.2 (0x0303)
Random: e6bd34dd0326e6751d8d45e58105b0a95f0e1288a2cf9b7b444f574e47524401
Session ID Length: 32
Session ID: 5fd461e1ff8d621c0299240c6cc9f67ab24dd7ffe4e4e5f428ee6ebd6d9ca24a
Cipher Suite: TLS_GOSTR341112_256_WITH_28147_CNT_IMIT (0xff85)
Compression Method: null (0)
Extensions Length: 5
Extension: renegotiation_info (len=1)
Type: renegotiation_info (65281)
Length: 1
Renegotiation Info extension
Renegotiation info extension length: 0
---------------------------------------------------------
server -> client
0000 16 03 03 02 6a 0b 00 02 66 00 02 63 00 02 60 30
0010 82 02 5c 30 82 01 c8 a0 03 02 01 02 02 14 78 94
0020 dc 9d 92 09 77 80 91 91 64 2f 1d ae dc 26 ba 3b
0030 51 04 30 0a 06 08 2a 85 03 07 01 01 03 03 30 19
0040 31 17 30 15 06 03 55 04 03 13 0e 43 41 20 43 65
0050 72 74 69 66 69 63 61 74 65 30 1e 17 0d 31 38 30
0060 31 30 32 30 30 30 30 31 31 5a 17 0d 32 32 30 31
0070 30 32 30 30 30 30 32 31 5a 30 21 31 1f 30 1d 06
0080 03 55 04 03 13 16 53 65 72 76 65 72 20 35 31 32
0090 20 43 65 72 74 69 66 69 63 61 74 65 30 81 aa 30
00a0 21 06 08 2a 85 03 07 01 01 01 02 30 15 06 09 2a
00b0 85 03 07 01 02 01 02 01 06 08 2a 85 03 07 01 01
00c0 02 03 03 81 84 00 04 81 80 95 67 94 9f 6a bf a3
00d0 d9 89 1c 70 21 f2 89 fd 24 14 1b 84 e3 23 29 24
00e0 b8 58 91 38 55 46 79 54 e0 7a 9b 2e 9d 85 ac 2e
00f0 0b 99 3e 43 d5 13 6a f3 97 6d 23 24 48 99 43 41
0100 20 c8 8a 27 c0 66 05 db 16 cf d4 0f a0 c4 77 20
0110 08 6d a0 15 16 76 44 04 22 82 32 f7 f7 f2 26 98
0120 62 80 da ff aa 99 bb 6f 7d 5a e6 4a 5a 28 cb 02
0130 fd b8 4f e2 0d d5 7a ae a5 35 16 bb 2b f1 85 6b
0140 bc c8 23 bd c5 de 80 1e d0 a3 81 93 30 81 90 30
0150 0c 06 03 55 1d 13 01 01 ff 04 02 30 00 30 1a 06
0160 03 55 1d 11 04 13 30 11 82 09 6c 6f 63 61 6c 68
0170 6f 73 74 87 04 7f 00 00 01 30 13 06 03 55 1d 25
0180 04 0c 30 0a 06 08 2b 06 01 05 05 07 03 01 30 0f
0190 06 03 55 1d 0f 01 01 ff 04 05 03 03 07 b0 00 30
01a0 1d 06 03 55 1d 0e 04 16 04 14 ae 46 41 1b fd b3
01b0 08 c3 39 03 47 57 57 2b 0f bf a3 6f 9a 99 30 1f
Smyshlyaev, et al. Expires July 2, 2019 [Page 77]
Internet-Draft GOST Cipher Suites for TLS 1.2 December 2018
01c0 06 03 55 1d 23 04 18 30 16 80 14 7f 7b 7a 15 61
01d0 a6 f2 18 a2 e3 48 3b c6 39 d9 7f 42 db 6d af 30
01e0 0a 06 08 2a 85 03 07 01 01 03 03 03 81 81 00 9c
01f0 49 78 f7 1b ab 54 8a 25 6d 2a 18 7c a8 4d 72 4f
0200 e1 ef a7 e5 36 67 2e 79 1f 8a 0c b6 74 1e b1 63
0210 e2 96 37 8c 5b 82 83 ee da b4 1b a4 22 1e bc e2
0220 05 f6 f8 79 cf eb f0 ad e9 36 07 0f b2 40 e5 0d
0230 04 37 03 7f 2a ec 99 c7 cd 23 9f 6f 20 25 a8 6c
0240 12 d5 1f 99 c9 8a 4a 99 04 f0 ea 54 86 fe d7 ff
0250 66 ab 8e b2 42 5e 1a ce ae 8a 75 8b df 84 3b e1
0260 a8 f6 fe bf 67 30 15 fe d7 ab 86 53 3d bf 20
TLSv1.2 Record Layer: Handshake Protocol: Certificate
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 618
Handshake Protocol: Certificate
Handshake Type: Certificate (11)
Length: 614
Certificates Length: 611
Certificates (611 bytes)
Certificate Length: 608
Certificate: 3082025c308201c8a00302010202147894dc9d9209778091...
---------------------------------------------------------
server -> client
0000 16 03 03 00 2f 0d 00 00 2b 05 01 02 40 ee ef 00
0010 04 ef ef ee ee 00 1d 00 1b 30 19 31 17 30 15 06
0020 03 55 04 03 13 0e 43 41 20 43 65 72 74 69 66 69
0030 63 61 74 65
TLSv1.2 Record Layer: Handshake Protocol: Certificate Request
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 47
Handshake Protocol: Certificate Request
Handshake Type: Certificate Request (13)
Length: 43
Certificate types count: 5
Certificate types (5 types)
Certificate type: RSA Sign (1)
Certificate type: DSS Sign (2)
Certificate type: ECDSA Sign (64)
Certificate type: Unknown (238)
Certificate type: Unknown (239)
Signature Hash Algorithms Length: 4
Smyshlyaev, et al. Expires July 2, 2019 [Page 78]
Internet-Draft GOST Cipher Suites for TLS 1.2 December 2018
Signature Hash Algorithms (2 algorithms)
Signature Algorithm: gostr34102012_512 gostr34102012_512 (0xefef)
Signature Hash Algorithm Hash: gostr34102012_512 (239)
Signature Hash Algorithm Signature: gostr34102012_512 (239)
Signature Algorithm: gostr34102012_256 gostr34102012_256 (0xeeee)
Signature Hash Algorithm Hash: gostr34102012_256 (238)
Signature Hash Algorithm Signature: gostr34102012_256 (238)
Distinguished Names Length: 29
Distinguished Names (29 bytes)
---------------------------------------------------------
server -> client
0000 16 03 03 00 04 0e 00 00 00
TLSv1.2 Record Layer: Handshake Protocol: Server Hello Done
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 4
Handshake Protocol: Server Hello Done
Handshake Type: Server Hello Done (14)
Length: 0
---------------------------------------------------------
client -> server
0000 16 03 03 02 07 0b 00 02 03 00 02 00 00 01 fd 30
0010 82 01 f9 30 82 01 65 a0 03 02 01 02 02 14 47 07
0020 04 a6 c5 d9 ed 65 1a 66 4d f8 f3 68 2d c3 59 8f
0030 9f 3e 30 0a 06 08 2a 85 03 07 01 01 03 03 30 19
0040 31 17 30 15 06 03 55 04 03 13 0e 43 41 20 43 65
0050 72 74 69 66 69 63 61 74 65 30 1e 17 0d 31 38 30
0060 31 30 32 30 30 30 30 31 32 5a 17 0d 32 32 30 31
0070 30 32 30 30 30 30 33 32 5a 30 21 31 1f 30 1d 06
0080 03 55 04 03 13 16 43 6c 69 65 6e 74 20 32 35 36
0090 20 43 65 72 74 69 66 69 63 61 74 65 30 66 30 1f
00a0 06 08 2a 85 03 07 01 01 01 01 30 13 06 07 2a 85
00b0 03 02 02 23 01 06 08 2a 85 03 07 01 01 02 02 03
00c0 43 00 04 40 57 e4 a2 be 86 1d e8 72 2d c5 d0 b2
00d0 1b 21 57 0b ee 43 d9 07 40 ee db 6c ee 04 99 0f
00e0 58 b3 f0 0f 66 f3 21 44 46 4d cc e8 b0 0d 72 c5
00f0 89 21 da 05 3a 4b c7 f4 eb a5 25 68 ae 79 e8 23
0100 29 4e 0c 56 a3 76 30 74 30 0c 06 03 55 1d 13 01
0110 01 ff 04 02 30 00 30 13 06 03 55 1d 25 04 0c 30
0120 0a 06 08 2b 06 01 05 05 07 03 02 30 0f 06 03 55
0130 1d 0f 01 01 ff 04 05 03 03 07 b0 00 30 1d 06 03
0140 55 1d 0e 04 16 04 14 0f 6d b6 a1 e3 a2 6f 52 ab
Smyshlyaev, et al. Expires July 2, 2019 [Page 79]
Internet-Draft GOST Cipher Suites for TLS 1.2 December 2018
0150 a7 39 d1 39 c2 51 bf 25 4d a2 aa 30 1f 06 03 55
0160 1d 23 04 18 30 16 80 14 7f 7b 7a 15 61 a6 f2 18
0170 a2 e3 48 3b c6 39 d9 7f 42 db 6d af 30 0a 06 08
0180 2a 85 03 07 01 01 03 03 03 81 81 00 b2 83 3d db
0190 7f 5a 80 54 d3 b4 42 cb 0b 61 7c 99 d6 27 36 d7
01a0 2c 13 04 f5 28 22 89 f9 34 9a 1e 0f 8c db da f4
01b0 7d 11 cd fa b9 f1 02 b4 a0 8f 3c 35 01 f3 1b 8f
01c0 60 4a 64 c8 f7 16 01 cb 6f e1 55 c3 8f 76 d2 d9
01d0 50 b7 55 74 10 a7 0d c5 d7 70 52 d2 bd 14 57 81
01e0 7c 05 2f 21 03 3f 84 7b 7e 23 b1 ce 1b a7 cd 4a
01f0 1f 7f 83 cc 43 75 e0 0b fe 7b 6a 14 21 76 ba 21
0200 49 f5 88 51 a1 30 0a 04 b7 1c 95 d4
TLSv1.2 Record Layer: Handshake Protocol: Certificate
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 519
Handshake Protocol: Certificate
Handshake Type: Certificate (11)
Length: 515
Certificates Length: 512
Certificates (512 bytes)
---------------------------------------------------------
VKO PRIVATE KEY[64]:
d46a655f4fc7a0d419be74539761c99d5911061778c35bcdeb83e25ddeca331
88dc3b5cd01bb119628c0b844a8c4b30e743576bb3222f959b9e8d0da377592
---------------------------------------------------------
client -> server
0000 16 03 03 00 f9 10 00 00 f5 30 81 f2 30 81 ef 30
0010 28 04 20 de b2 79 5a a9 14 a7 e6 0b b1 6b c4 b5
0020 ee 44 47 93 a9 37 e3 b1 fa 4b e6 80 1a 9c 12 04
0030 93 bc 49 04 04 7a 70 60 69 a0 81 c2 06 09 2a 85
0040 03 07 01 02 05 01 01 a0 81 aa 30 21 06 08 2a 85
0050 03 07 01 01 01 02 30 15 06 09 2a 85 03 07 01 02
0060 01 02 01 06 08 2a 85 03 07 01 01 02 03 03 81 84
0070 00 04 81 80 6a 28 2e f5 e0 63 8b 93 35 09 b2 a0
0080 91 5c 89 85 60 c0 9d ee 8c 14 35 d4 d7 8a ba 75
0090 27 4c e1 9a 1a 0b a4 ba c9 6e 7a dd 83 9d 5a 2c
00a0 14 49 ae 12 2e 82 3d 7e d3 bb 67 a5 4a 21 0c 74
00b0 ff 56 1f 20 5c 12 44 7c 58 72 6c c9 c0 eb 8c 67
00c0 62 4a 79 6a e3 5a 30 bd 89 98 12 e5 0e e8 a5 e5
00d0 30 ed 50 1e fd f4 43 7d 55 79 fa de 34 73 66 7d
00e0 ba 65 ba 56 61 29 fc 60 50 c3 a6 d9 d0 b5 0e 80
00f0 c7 a2 a8 1b 04 08 c4 5e d2 ee bd 69 e3 c9
Smyshlyaev, et al. Expires July 2, 2019 [Page 80]
Internet-Draft GOST Cipher Suites for TLS 1.2 December 2018
TLSv1.2 Record Layer: Handshake Protocol: Client Key Exchange
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 249
Handshake Protocol: Client Key Exchange
Handshake Type: Client Key Exchange (16)
Length: 245
---------------------------------------------------------
client -> server
0000 16 03 03 00 48 0f 00 00 44 ee ee 00 40 19 a9 05
0010 4a c3 76 92 c5 60 02 bc 40 3f 62 6a 8b bc 25 e2
0020 52 f9 f0 72 68 d4 70 da 72 6a ce 8a bb a5 83 53
0030 d7 3c 4b 34 48 a7 2c bb 82 93 a6 4d 9e fc 36 98
0040 18 e7 c8 04 c2 7e 9f ea ce ac 65 79 25
TLSv1.2 Record Layer: Handshake Protocol: Certificate Verify
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 72
Handshake Protocol: Certificate Verify
Handshake Type: Certificate Verify (15)
Length: 68
Signature Algorithm: gostr34102012_256 gostr34102012_256 (0xeeee)
Signature Hash Algorithm Hash: gostr34102012_256 (238)
Signature Hash Algorithm Signature: gostr34102012_256 (238)
Signature length: 64
Signature: 19a9054ac37692c56002bc403f626a8bbc25e252f9f07268d470da726ace8abb
a58353d73c4b3448a72cbb8293a64d9efc369818e7c804c27e9feaceac657925
---------------------------------------------------------
client -> server
0000 14 03 03 00 01 01
TLSv1.2 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
Content Type: Change Cipher Spec (20)
Version: TLS 1.2 (0x0303)
Length: 1
Change Cipher Spec Message
---------------------------------------------------------
PREMASTER SECRET[32]: fadd834d5d887253e33580b399b36a41ee42faf179a44c95885ddaaacdfd28c8
CLIENT RANDOM[32]: 6153804930e2cfd2ac10975db166ae9fdff9e73b7a476827f06e3710e9245a3c
Smyshlyaev, et al. Expires July 2, 2019 [Page 81]
Internet-Draft GOST Cipher Suites for TLS 1.2 December 2018
SERVER RANDOM[32]: e6bd34dd0326e6751d8d45e58105b0a95f0e1288a2cf9b7b444f574e47524401
MASTER SECRET[48]: 6fbf770be54c718da1a1875cbcc948722588ba2a374d5b496fbb270452a8f408c9
5e1c28883b7524af2afa63cd2bbd2f
CLIENT MAC KEY [32]: c9ffcd14ca3150732d1ee30c8c5acfa8fc43e813a8090407095c4870fef82f4d
SERVER MAC KEY [32]: fe1c675405dc40e73c29274192126cb10c33afa09f7c009a49da6a9fded490b1
CLIENT WRITE KEY [32]: abb7919a60ac828f001ba7fc824dfbc0a6ffc88818c4cc75cacb917049b4423d
SERVER WRITE KEY [32]: c521c75efe65c17d2bb1e2a8e577e44b3dcf7dcc3e2a3b25c4f01bf24d9147b9
CLIENT WRITE IV [8]: fd9ef69d6e246e7d
SERVER WRITE IV [8]: 133088402844ae73
---------------------------------------------------------
client -> server
0000 16 03 03 00 14 5d 3d c6 48 44 3c 17 b6 95 90 e5
0010 0b 7f 9a 86 eb 7e 08 db 78
TLSv1.2 Record Layer: Handshake Protocol: Encrypted Handshake Message
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 20
Handshake Protocol: Encrypted Handshake Message
Decrypted data:
0000 14 00 00 0c 74 72 15 6e f1 d4 20 08 0b 52 18 39
0010 c9 a0 cb 55
SeqNo: 0
Plaintext: 1400000c7472156ef1d420080b521839
MAC: c9a0cb55
---------------------------------------------------------
server -> client
0000 14 03 03 00 01 01
TLSv1.2 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
Content Type: Change Cipher Spec (20)
Version: TLS 1.2 (0x0303)
Length: 1
Change Cipher Spec Message
---------------------------------------------------------
server -> client
0000 16 03 03 00 14 1e 8d 8a 90 51 11 49 b0 0a c0 5b
0010 3f a1 01 91 a7 7d d3 08 61
Smyshlyaev, et al. Expires July 2, 2019 [Page 82]
Internet-Draft GOST Cipher Suites for TLS 1.2 December 2018
TLSv1.2 Record Layer: Handshake Protocol: Encrypted Handshake Message
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 20
Handshake Protocol: Encrypted Handshake Message
Decrypted data:
0000 14 00 00 0c 5f 9a a2 91 63 73 c5 76 00 24 7d 89
0010 2e bc 23 74
SeqNo: 0
Plaintext: 1400000c5f9aa2916373c57600247d89
MAC: 2ebc2374
---------------------------------------------------------
client -> server
0000 17 03 03 00 0a 03 67 5c d5 b3 9c 42 af c7 79
TLSv1.2 Record Layer: Application Data Protocol: Application Data
Content Type: Application Data (23)
Version: TLS 1.2 (0x0303)
Length: 10
Encrypted Application Data: 03675cd5b39c42afc779
Decrypted data:
0000 68 65 6c 6c 6f 0a a3 22 93 9c
SeqNo: 1
Plaintext: 68656c6c6f0a
MAC: a322939c
---------------------------------------------------------
server -> client
0000 17 03 03 00 0a 17 fe 1c 80 18 55 3c a3 9f 72
TLSv1.2 Record Layer: Application Data Protocol: Application Data
Content Type: Application Data (23)
Version: TLS 1.2 (0x0303)
Length: 10
Encrypted Application Data: 17fe1c8018553ca39f72
Decrypted data:
Smyshlyaev, et al. Expires July 2, 2019 [Page 83]
Internet-Draft GOST Cipher Suites for TLS 1.2 December 2018
0000 68 65 6c 6c 6f 0a e9 f1 be f7
SeqNo: 1
Plaintext: 68656c6c6f0a
MAC: e9f1bef7
---------------------------------------------------------
client -> server
0000 15 03 03 00 06 d2 85 f8 5e 11 40
TLSv1.2 Record Layer: Encrypted Alert
Content Type: Alert (21)
Version: TLS 1.2 (0x0303)
Length: 6
Alert Message: Encrypted Alert
Decrypted data:
0000 01 00 18 8c fe 58
SeqNo: 2
Plaintext: 0100
MAC: 188cfe58
---------------------------------------------------------
server -> client
0000 15 03 03 00 06 ca 7d 8b 03 21 04
TLSv1.2 Record Layer: Encrypted Alert
Content Type: Alert (21)
Version: TLS 1.2 (0x0303)
Length: 6
Alert Message: Encrypted Alert
Decrypted data:
0000 01 00 be b9 f9 c2
SeqNo: 2
Plaintext: 0100
MAC: beb9f9c2
Smyshlyaev, et al. Expires July 2, 2019 [Page 84]
Internet-Draft GOST Cipher Suites for TLS 1.2 December 2018
Appendix B. Contributors
o Evgeny Alekseev
CryptoPro
alekseev@cryptopro.ru
o Ekaterina Smyshlyaeva
CryptoPro
ess@cryptopro.ru
o Grigory Sedov
CryptoPro
sedovgk@cryptopro.ru
o Dmitry Eremin-Solenikov
Auriga
dbaryshkov@gmail.com
Appendix C. Acknowledgments
Authors' Addresses
Stanislav Smyshlyaev (editor)
CryptoPro
18, Suschevsky val
Moscow 127018
Russian Federation
Phone: +7 (495) 995-48-20
Email: svs@cryptopro.ru
Dmitry Belyavsky
Cryptocom
14/2 Kedrova st
Moscow 117218
Russian Federation
Email: beldmit@gmail.com
Markku-Juhani O. Saarinen
Independent Consultant
Email: mjos@iki.fi
Smyshlyaev, et al. Expires July 2, 2019 [Page 85]