\
HTTP                                                          M. Thomson
Internet-Draft                                                   Mozilla
Intended status: Standards Track                        October 28, 2016
Expires: May 1, 2017


                  Example Handshake Traces for TLS 1.3
                   draft-thomson-tls-tls13-vectors-00

Abstract

   Examples of TLS 1.3 handshakes are shown.  Private keys and inputs
   are provided so that these handshakes might be reproduced.
   Intermediate values, including secrets, traffic keys and ivs are
   shown so that implementations might be checked incrementally against
   these values.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on May 1, 2017.

Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.



Thomson                    Expires May 1, 2017                  [Page 1]


Internet-Draft               TLS 1.3 Traces                 October 2016


Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Private Keys  . . . . . . . . . . . . . . . . . . . . . . . .   2
   3.  Simple 1-RTT Handshake  . . . . . . . . . . . . . . . . . . .   3
   4.  Resumed 0-RTT Handshake . . . . . . . . . . . . . . . . . . .  14
   5.  Security Considerations . . . . . . . . . . . . . . . . . . .  25
   6.  Normative References  . . . . . . . . . . . . . . . . . . . .  25
   Appendix A.  Acknowledgements . . . . . . . . . . . . . . . . . .  25
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .  26

1.  Introduction

   TLS 1.3 [I-D.ietf-tls-tls13] defines a new key schedule and a number
   new cryptographic operations.  This document includes sample
   handshakes that show all intermediate values.  This allows an
   implementation to be verified incrementally, examining inputs and
   outputs of each cryptographic computation independently.

   Private keys are included with the traces so that implementations can
   be checked by importing these values and verifying that the same
   outputs are produced.

   Note:  This version of the document shows vectors from version -16 of
      the draft.  It will be updated when NSS is updated to -18 (real
      soon now).

2.  Private Keys

   Ephemeral private keys are shown as they are generated in the traces.

   The server in most examples uses an RSA certificate with a private
   key of:

   modulus (public):  b4bb498f8279303d 980836399b36c698 8c0c68de55e1bdb8
      26d3901a2461eafd 2de49a91d015abbc 9a95137ace6c1af1
      9eaa6af98c7ced43 120998e187a80ee0 ccb0524b1b018c3e
      0b63264d449a6d38 e22a5fda43084674 8030530ef0461c8c
      a9d9efbfae8ea6d1 d03e2bd193eff0ab 9a8002c47428a6d3
      5a8d88d79f7f1e3f

   public exponent:  010001

   private exponent:  04dea705d43a6ea7 209dd8072111a83c 81e322a59278b334
      80641eaf7c0a6985 b8e31c44f6de62e1 b4c2309f6126e77b
      7c41e923314bbfa3 881305dc1217f16c 819ce538e922f369
      828d0e57195d8c84 88460207b2faa726 bcf708bbd7db7f67




Thomson                    Expires May 1, 2017                  [Page 2]


Internet-Draft               TLS 1.3 Traces                 October 2016


      9f893492fc2a622e 08970aac441ce4e0 c3088df25ae67923
      3df8a3bda2ff9941

   prime1:  e435fb7cc8373775 6dacea96ab7f59a2 cc1069db7deb190e
      17e33a532b273f30 a327aa0aaabc58cd 67466af9845fadc6
      75fe094af92c4bd1 f2c1bc33dd2e0515

   prime2:  cabd3bc0e0438664 c8d4cc9f99977a94 d9bbfead8e43870a
      bae3f7eb8b4e0eee 8af1d9b4719ba619 6cf2cbbaeeebf8b3
      490afe9e9ffa74a8 8aa51fc645629303

   exponent1:  3f57345c27fe1b68 7e6e761627b78b1b 826433dd760fa0be
      a6a6acf39490aa1b 47cda4869d68f584 dd5b5029bd32093b
      8258661fe715025e 5d70a45a08d3d319

   exponent2:  183da01363bd2f28 85cacbdc9964bf47 64f1517636f86401
      286f71893c52ccfe 40a6c23d0d086b47 c6fb10d8fd1041e0
      4def7e9a40ce957c 417794e10412d139

   coefficient:  839ca9a085e4286b 2c90e466997a2c68 1f21339aa3477814
      e4dec11833050ed5 0dd13cc038048a43 c59b2acc416889c0
      37665fe5afa60596 9f8c01dfa5ca969d

3.  Simple 1-RTT Handshake

   In this example, the simplest possible handshake is completed.  The
   server is authenticated, but the client remains anonymous.  After
   connecting, a few application data octets are exchanged.  The server
   sends a session ticket that permits the use of 0-RTT in any resumed
   session.

   Note:  This example doesn't include the calculation of the exporter
      secret.  Support for that will be added to NSS soon.

   {client}  create an ephemeral x25519 key pair:

      private key (32 octets):  075e1d4503195c00 61e75a39738e7f88
         08cdcceb84fc36ec aae01a327d05010b

      public key (32 octets):  e122b20099cbe505 9a9bbe5880e02ed6
         525d6f72f8f7afab b87a32dbe9e23022

   {client}  send a ClientHello handshake message

   {client}  send record:

      cleartext (250 octets):  010000f603034a77 2c764c3313f344b2
         f4fae943e816fe5a f3eac74809c21e2c 24989f3e8c520000



Thomson                    Expires May 1, 2017                  [Page 3]


Internet-Draft               TLS 1.3 Traces                 October 2016


         3e130113031302c0 2bc02fcca9cca8c0 0ac009c013c023c0
         27c014009eccaa00 3300320067003900 38006b0016001300
         9c002f003c003500 3d000a0005000401 00008f0000000b00
         0900000673657276 6572ff0100010000 0a00140012001d00
         1700180019010001 0101020103010400 0b00020100002300
         0000280026002400 1d0020e122b20099 cbe5059a9bbe5880
         e02ed6525d6f72f8 f7afabb87a32dbe9 e23022002b000706
         7f1003030302000d 0020001e04030503 0603020308040805
         0806040105010601 0201040205020602 0202

      ciphertext (255 octets):  16030100fa010000 f603034a772c764c
         3313f344b2f4fae9 43e816fe5af3eac7 4809c21e2c24989f
         3e8c5200003e1301 13031302c02bc02f cca9cca8c00ac009
         c013c023c027c014 009eccaa00330032 006700390038006b
         00160013009c002f 003c0035003d000a 000500040100008f
         0000000b00090000 06736572766572ff 01000100000a0014
         0012001d00170018 0019010001010102 01030104000b0002
         0100002300000028 00260024001d0020 e122b20099cbe505
         9a9bbe5880e02ed6 525d6f72f8f7afab b87a32dbe9e23022
         002b0007067f1003 030302000d002000 1e04030503060302
         0308040805080604 0105010601020104 02050206020202

   {server}  create an ephemeral x25519 key pair:

      private key (32 octets):  06730e3ab71702bc 322472986e421ba2
         320db29fb0c67d7a 1bf21a4f06c9f115

      public key (32 octets):  e2816da24ed31838 bd876b0a344b2793
         dead2350adda23fb 5193787ae608f647

   {server}  extract secret "early":

      salt (0 octets):  (empty)

      ikm (32 octets):  0000000000000000 0000000000000000
         0000000000000000 0000000000000000

      secret (32 octets):  33ad0a1c607ec03b 09e6cd9893680ce2
         10adf300aa1f2660 e1b22e10f170f92a

   {server}  send a ServerHello handshake message

   {server}  extract secret "handshake":

      salt (32 octets):  33ad0a1c607ec03b 09e6cd9893680ce2
         10adf300aa1f2660 e1b22e10f170f92a





Thomson                    Expires May 1, 2017                  [Page 4]


Internet-Draft               TLS 1.3 Traces                 October 2016


      ikm (32 octets):  ad602096bc9ed914 61b83c950382a9d4
         1829059264f563a1 59c87cec790b0333

      secret (32 octets):  b75d555586220fea 3e6eb1e1243c8f7e
         20e5af8cee1799e0 31b7efefff43c8b1

   {server}  derive secret "client handshake traffic secret":

      handshake hash (64 octets):  48d89c6276fa205b 0eb068ac122fb05b
         1e010350db32eae9 59cbe6addf25a67e 66687aadf862bd77
         6c8fc18b8e9f8e20 089714856ee233b3 902a591d0d5f2925

      PRK (32 octets):  b75d555586220fea 3e6eb1e1243c8f7e
         20e5af8cee1799e0 31b7efefff43c8b1

      info (108 octets):  002028544c532031 2e332c20636c6965
         6e742068616e6473 68616b6520747261 6666696320736563
         7265744048d89c62 76fa205b0eb068ac 122fb05b1e010350
         db32eae959cbe6ad df25a67e66687aad f862bd776c8fc18b
         8e9f8e2008971485 6ee233b3902a591d 0d5f2925

      output (32 octets):  7f9ee8ff500bdb58 6780934edddd288e
         1600a2083ab2ece6 0dc339845e158678

   {server}  derive secret "server handshake traffic secret":

      handshake hash (64 octets):  48d89c6276fa205b 0eb068ac122fb05b
         1e010350db32eae9 59cbe6addf25a67e 66687aadf862bd77
         6c8fc18b8e9f8e20 089714856ee233b3 902a591d0d5f2925

      PRK (32 octets):  b75d555586220fea 3e6eb1e1243c8f7e
         20e5af8cee1799e0 31b7efefff43c8b1

      info (108 octets):  002028544c532031 2e332c2073657276
         65722068616e6473 68616b6520747261 6666696320736563
         7265744048d89c62 76fa205b0eb068ac 122fb05b1e010350
         db32eae959cbe6ad df25a67e66687aad f862bd776c8fc18b
         8e9f8e2008971485 6ee233b3902a591d 0d5f2925

      output (32 octets):  d7fa33c70916f980 d2097d211158c6dc
         b3aaa9899cfe0acf 10bc5334d9083866

   {server}  extract secret "master":

      salt (32 octets):  b75d555586220fea 3e6eb1e1243c8f7e
         20e5af8cee1799e0 31b7efefff43c8b1





Thomson                    Expires May 1, 2017                  [Page 5]


Internet-Draft               TLS 1.3 Traces                 October 2016


      ikm (32 octets):  0000000000000000 0000000000000000
         0000000000000000 0000000000000000

      secret (32 octets):  6304ef9c9685cfd5 940af49d657cc6b8
         942889b94a4fafef b0d3f181c440028c

   {server}  send record:

      cleartext (86 octets):  020000527f102ac7 df3c5e246509294f
         5cd617339959743c 8d34c0f28b6f3c57 c02e77014b901301
         002c000d00000028 0024001d0020e281 6da24ed31838bd87
         6b0a344b2793dead 2350adda23fb5193 787ae608f647

      ciphertext (91 octets):  1603010056020000 527f102ac7df3c5e
         246509294f5cd617 339959743c8d34c0 f28b6f3c57c02e77
         014b901301002c00 0d00000028002400 1d0020e2816da24e
         d31838bd876b0a34 4b2793dead2350ad da23fb5193787ae6 08f647

   {server}  derive write traffic keys using label "handshake key
      expansion":

      PRK (32 octets):  d7fa33c70916f980 d2097d211158c6dc
         b3aaa9899cfe0acf 10bc5334d9083866

      key info (41 octets):  001025544c532031 2e332c2068616e64
         7368616b65206b65 7920657870616e73 696f6e2c206b6579 00

      key output (16 octets):  d9e91353d9fc4516 3218909ab937fddb

      iv info (40 octets):  000c24544c532031 2e332c2068616e64
         7368616b65206b65 7920657870616e73 696f6e2c20697600

      iv output (12 octets):  7c880c98fe14487b aec110ee

   {server}  send a EncryptedExtensions handshake message

   {server}  send a Certificate handshake message

   {server}  send a CertificateVerify handshake message

   {server}  send a Finished handshake message

   {server}  send record:

      cleartext (649 octets):  0800001e001c000a 00140012001d0017
         0018001901000101 0102010301040000 00000b0001b70000
         01b30001b0308201 ac30820115a00302 0102020102300d06
         092a864886f70d01 010b0500300e310c 300a060355040313



Thomson                    Expires May 1, 2017                  [Page 6]


Internet-Draft               TLS 1.3 Traces                 October 2016


         03727361301e170d 3136303733303031 323335395a170d32
         3630373330303132 3335395a300e310c 300a060355040313
         0372736130819f30 0d06092a864886f7 0d01010105000381
         8d00308189028181 00b4bb498f827930 3d980836399b36c6
         988c0c68de55e1bd b826d3901a2461ea fd2de49a91d015ab
         bc9a95137ace6c1a f19eaa6af98c7ced 43120998e187a80e
         e0ccb0524b1b018c 3e0b63264d449a6d 38e22a5fda430846
         748030530ef0461c 8ca9d9efbfae8ea6 d1d03e2bd193eff0
         ab9a8002c47428a6 d35a8d88d79f7f1e 3f0203010001a31a
         301830090603551d 1304023000300b06 03551d0f04040302
         05a0300d06092a86 4886f70d01010b05 000381810085aad2
         a0e5b9276b908c65 f73a7267170618a5 4c5f8a7b337d2df7
         a594365417f2eae8 f8a58c8f8172f931 9cf36b7fd6c55b80
         f21a030151567260 96fd335e5e67f2db f102702e608ccae6
         bec1fc63a42a99be 5c3eb7107c3c54e9 b9eb2bd5203b1c3b
         84e0a8b2f759409b a3eac9d91d402dcc 0cc8f8961229ac91
         87b42b4de10f0000 840804008050421a 381f73d2f29ad569
         3f93bc456fd7024f 189b98ddb73be484 0509b16ba4e91973
         156e97328919568f 6458edae49c0620a 636fb689f53d3eea
         3b6474ba54b2f851 b0ca038bbd1b603e c0a337526fb47ff6
         fd2fdebbfd81a8a4 5da64b115175c243 76c48fbb9fe5e30f
         be81dce81afc8d33 1b4ec72487f58701 ce979ece6e140000
         2005729a74d99f80 61a1e0d75f6d5cef 88d26fa95661aa81
         db6cc2bf99a25b75 07

      ciphertext (671 octets):  170301029aca54b6 a40203d951b0d14f
         9573fc3b918db939 fe3b7d8d1ca90163 870a9fa0687b7451
         96893091919525a3 586bebddc81d0c64 14ad78a337af2dde
         585361126008e5a3 1c377c05056cd994 7fc8682a0d4e12cf
         eee9b2ba99b7fc6b d7ec8a167be1c675 26395c8486d00ea9
         b704c6776847d3e2 f5e80a014593116a 8e317aab896a9c24
         757069f0a627882f 291dc6c5ad46520c 1c9ddc40ca6c1632
         c38f7d0b6e0e6b56 3094a14ee9da6862 a470d2335e3afcd8
         146be77ef8477c78 b54bdfeb847dffae ac6a41ce697674a9
         24f24006aae67391 bcdc6298a4c267c5 71ba244f92c039fe
         9bbc2ca94d199e20 3b45f6a3f90acbe9 0f48a18c28a2cdfb
         3aa376a2d4e8d131 6fae0dee5b0c6317 3726c02c63ad7513
         2af36f10c49c33f9 228b8d17abdfd7c2 db649bbb05309095
         5b71294b9405bec9 f02121a2826de9e3 ed606f92c6a98290
         7aae17417e75af9f 8f8d20b15623647d 951e4c7e9a0f9423
         7a7080b1c50a7d1f ff5a9e827674e02e ca0732f6cbad41d5
         021fdf33ca1140fc 37b2f9f92b93c12e f32f1199864c9acc
         c1db416403a51f71 a8a12174cf0fcb96 d7c8301f405bd35f
         a454167f27191885 b62a38e9a8610dba 8a12a63ff6ab3ff8
         6475fced4bf26460 bd47d5e3a9fc96c8 1a5b95b9710cd699
         eb34255fa528d061 4cbd9acac2966635 dea58e1c3174de8b
         46e66cb09a9f0f56 d7fb01e7cbaf3e91 d565482bf1caf6c2
         b6ad6f405c444f6a 9f12b7a26ce59aa9 594fa88319133bcb



Thomson                    Expires May 1, 2017                  [Page 7]


Internet-Draft               TLS 1.3 Traces                 October 2016


         45fb6808116bb185 f284663cb7a93cf3 7abf77869c29bed6
         531355b921def46c 10a307248deaa5c3 7698d9fa582e9d8a
         dd76bb66a12464a2 593a2f36097bd279 a9d2a33611c835fc
         b66c47a2d6274f02 9f1dae41075ff72d c490b460e16ce7c0
         0372cb171c318825 15be0cf49954228b 07ca8df5f1afaeac
         824a3901f46ba0

   {server}  derive secret "client application traffic secret":

      handshake hash (64 octets):  ff0df9baa81cb6f3 63c49c82a47d1760
         a4f8f3a3ff5e5bc0 908ed79828a2307b 66687aadf862bd77
         6c8fc18b8e9f8e20 089714856ee233b3 902a591d0d5f2925

      PRK (32 octets):  6304ef9c9685cfd5 940af49d657cc6b8
         942889b94a4fafef b0d3f181c440028c

      info (110 octets):  00202a544c532031 2e332c20636c6965
         6e74206170706c69 636174696f6e2074 7261666669632073
         656372657440ff0d f9baa81cb6f363c4 9c82a47d1760a4f8
         f3a3ff5e5bc0908e d79828a2307b6668 7aadf862bd776c8f
         c18b8e9f8e200897 14856ee233b3902a 591d0d5f2925

      output (32 octets):  97e11121ec208603 baf556083a0846a7
         d3865e129dfd431e f58ed67ef3294ea0

   {server}  derive secret "server application traffic secret":

      handshake hash (64 octets):  ff0df9baa81cb6f3 63c49c82a47d1760
         a4f8f3a3ff5e5bc0 908ed79828a2307b 66687aadf862bd77
         6c8fc18b8e9f8e20 089714856ee233b3 902a591d0d5f2925

      PRK (32 octets):  6304ef9c9685cfd5 940af49d657cc6b8
         942889b94a4fafef b0d3f181c440028c

      info (110 octets):  00202a544c532031 2e332c2073657276
         6572206170706c69 636174696f6e2074 7261666669632073
         656372657440ff0d f9baa81cb6f363c4 9c82a47d1760a4f8
         f3a3ff5e5bc0908e d79828a2307b6668 7aadf862bd776c8f
         c18b8e9f8e200897 14856ee233b3902a 591d0d5f2925

      output (32 octets):  99ad63e5f7e3fd34 ac5e25c72d40ccb2
         0d00b15ac72af67d 45f51b58af21bb6b

   {server}  derive write traffic keys using label "application data key
      expansion":

      PRK (32 octets):  99ad63e5f7e3fd34 ac5e25c72d40ccb2
         0d00b15ac72af67d 45f51b58af21bb6b



Thomson                    Expires May 1, 2017                  [Page 8]


Internet-Draft               TLS 1.3 Traces                 October 2016


      key info (48 octets):  00102c544c532031 2e332c206170706c
         69636174696f6e20 64617461206b6579 20657870616e7369
         6f6e2c206b657900

      key output (16 octets):  6169499247a881de 7229cd410dc39148

      iv info (47 octets):  000c2b544c532031 2e332c206170706c
         69636174696f6e20 64617461206b6579 20657870616e7369
         6f6e2c20697600

      iv output (12 octets):  e9a71b94ce8a906f 80318b27

   {server}  derive read traffic keys using label "handshake key
      expansion":

      PRK (32 octets):  7f9ee8ff500bdb58 6780934edddd288e
         1600a2083ab2ece6 0dc339845e158678

      key info (41 octets):  001025544c532031 2e332c2068616e64
         7368616b65206b65 7920657870616e73 696f6e2c206b6579 00

      key output (16 octets):  3d44490aa0bf7393 15c50de02eb3675b

      iv info (40 octets):  000c24544c532031 2e332c2068616e64
         7368616b65206b65 7920657870616e73 696f6e2c20697600

      iv output (12 octets):  82decae60afb84cb 6692e045

   {client}  extract secret "early":

      salt (0 octets):  (empty)

      ikm (32 octets):  0000000000000000 0000000000000000
         0000000000000000 0000000000000000

      secret (32 octets):  33ad0a1c607ec03b 09e6cd9893680ce2
         10adf300aa1f2660 e1b22e10f170f92a

   {client}  extract secret "handshake":

      salt (32 octets):  33ad0a1c607ec03b 09e6cd9893680ce2
         10adf300aa1f2660 e1b22e10f170f92a

      ikm (32 octets):  ad602096bc9ed914 61b83c950382a9d4
         1829059264f563a1 59c87cec790b0333

      secret (32 octets):  b75d555586220fea 3e6eb1e1243c8f7e
         20e5af8cee1799e0 31b7efefff43c8b1



Thomson                    Expires May 1, 2017                  [Page 9]


Internet-Draft               TLS 1.3 Traces                 October 2016


   {client}  derive secret "client handshake traffic secret":

      handshake hash (64 octets):  48d89c6276fa205b 0eb068ac122fb05b
         1e010350db32eae9 59cbe6addf25a67e 66687aadf862bd77
         6c8fc18b8e9f8e20 089714856ee233b3 902a591d0d5f2925

      PRK (32 octets):  b75d555586220fea 3e6eb1e1243c8f7e
         20e5af8cee1799e0 31b7efefff43c8b1

      info (108 octets):  002028544c532031 2e332c20636c6965
         6e742068616e6473 68616b6520747261 6666696320736563
         7265744048d89c62 76fa205b0eb068ac 122fb05b1e010350
         db32eae959cbe6ad df25a67e66687aad f862bd776c8fc18b
         8e9f8e2008971485 6ee233b3902a591d 0d5f2925

      output (32 octets):  7f9ee8ff500bdb58 6780934edddd288e
         1600a2083ab2ece6 0dc339845e158678

   {client}  derive secret "server handshake traffic secret":

      handshake hash (64 octets):  48d89c6276fa205b 0eb068ac122fb05b
         1e010350db32eae9 59cbe6addf25a67e 66687aadf862bd77
         6c8fc18b8e9f8e20 089714856ee233b3 902a591d0d5f2925

      PRK (32 octets):  b75d555586220fea 3e6eb1e1243c8f7e
         20e5af8cee1799e0 31b7efefff43c8b1

      info (108 octets):  002028544c532031 2e332c2073657276
         65722068616e6473 68616b6520747261 6666696320736563
         7265744048d89c62 76fa205b0eb068ac 122fb05b1e010350
         db32eae959cbe6ad df25a67e66687aad f862bd776c8fc18b
         8e9f8e2008971485 6ee233b3902a591d 0d5f2925

      output (32 octets):  d7fa33c70916f980 d2097d211158c6dc
         b3aaa9899cfe0acf 10bc5334d9083866

   {client}  extract secret "master" (same as server)

   {client}  derive read traffic keys using label "handshake key
      expansion":

      PRK (32 octets):  d7fa33c70916f980 d2097d211158c6dc
         b3aaa9899cfe0acf 10bc5334d9083866

      key info (41 octets):  001025544c532031 2e332c2068616e64
         7368616b65206b65 7920657870616e73 696f6e2c206b6579 00

      key output (16 octets):  d9e91353d9fc4516 3218909ab937fddb



Thomson                    Expires May 1, 2017                 [Page 10]


Internet-Draft               TLS 1.3 Traces                 October 2016


      iv info (40 octets):  000c24544c532031 2e332c2068616e64
         7368616b65206b65 7920657870616e73 696f6e2c20697600

      iv output (12 octets):  7c880c98fe14487b aec110ee

   {client}  derive write traffic keys using label "handshake key
      expansion" (same as server read traffic keys)

   {client}  derive secret "client application traffic secret":

      handshake hash (64 octets):  ff0df9baa81cb6f3 63c49c82a47d1760
         a4f8f3a3ff5e5bc0 908ed79828a2307b 66687aadf862bd77
         6c8fc18b8e9f8e20 089714856ee233b3 902a591d0d5f2925

      PRK (32 octets):  6304ef9c9685cfd5 940af49d657cc6b8
         942889b94a4fafef b0d3f181c440028c

      info (110 octets):  00202a544c532031 2e332c20636c6965
         6e74206170706c69 636174696f6e2074 7261666669632073
         656372657440ff0d f9baa81cb6f363c4 9c82a47d1760a4f8
         f3a3ff5e5bc0908e d79828a2307b6668 7aadf862bd776c8f
         c18b8e9f8e200897 14856ee233b3902a 591d0d5f2925

      output (32 octets):  97e11121ec208603 baf556083a0846a7
         d3865e129dfd431e f58ed67ef3294ea0

   {client}  derive secret "server application traffic secret" (same as
      server)

   {client}  derive read traffic keys using label "application data key
      expansion" (same as server write traffic keys)

   {client}  send a Finished handshake message

   {client}  send record:

      cleartext (36 octets):  1400002066eb0ee7 18d53e225f390198
         cb11e509fa9b7a47 5631cc4bda677d8d 2cf83bcd

      ciphertext (58 octets):  1703010035f3a571 37af8ee7be72190f
         b3e3597bd91f5d47 eae71f3f0ac738bf 27c3352d1994095a
         bb3b0237762044b9 c792c6ba692dfe59 4354

   {client}  derive write traffic keys using label "application data key
      expansion":

      PRK (32 octets):  97e11121ec208603 baf556083a0846a7
         d3865e129dfd431e f58ed67ef3294ea0



Thomson                    Expires May 1, 2017                 [Page 11]


Internet-Draft               TLS 1.3 Traces                 October 2016


      key info (48 octets):  00102c544c532031 2e332c206170706c
         69636174696f6e20 64617461206b6579 20657870616e7369
         6f6e2c206b657900

      key output (16 octets):  e49f80706175ac01 dbbf084bfb4c1e52

      iv info (47 octets):  000c2b544c532031 2e332c206170706c
         69636174696f6e20 64617461206b6579 20657870616e7369
         6f6e2c20697600

      iv output (12 octets):  371f77d48eafc897 7f2bc95a

   {client}  derive secret "resumption master secret":

      handshake hash (64 octets):  6565a715d091d3e9 b9459f063075589a
         2bc00ba70008cc8f 98aabc8e6820aca1 66687aadf862bd77
         6c8fc18b8e9f8e20 089714856ee233b3 902a591d0d5f2925

      PRK (32 octets):  6304ef9c9685cfd5 940af49d657cc6b8
         942889b94a4fafef b0d3f181c440028c

      info (101 octets):  002021544c532031 2e332c2072657375
         6d7074696f6e206d 6173746572207365 63726574406565a7
         15d091d3e9b9459f 063075589a2bc00b a70008cc8f98aabc
         8e6820aca166687a adf862bd776c8fc1 8b8e9f8e20089714
         856ee233b3902a59 1d0d5f2925

      output (32 octets):  39ba24cd46a6a039 92281635246613af
         bf91ca4a3f0ec2c9 0aafd99c441f7b5e

   {server}  derive read traffic keys using label "application data key
      expansion" (same as client write traffic keys)

   {server}  derive secret "resumption master secret" (same as client)

   {server}  send a SessionTicket handshake message

   {server}  send record:

      cleartext (170 octets):  040000a60002a300 0101010000924e53
         53216ffddf432e46 e04edd3964cda3f3 50651903277c3a25
         9ec4661515360050 cf3e329e2bd535a9 62d66cdcaa31777a
         35f8cf6579f194fa d530346815c95bae a68f17c1573aa34c
         0b279ce1bfc02c4f f5fef1b022033911 78fadda4b941b657
         72a1cf139ed70ae2 c178cbd80d5408bb 4e635422667e5d15
         a4065d15687f3b80 9fc5a2682df6f538 57ba2c70cdfbe30a
         00080001000492f5 741d




Thomson                    Expires May 1, 2017                 [Page 12]


Internet-Draft               TLS 1.3 Traces                 October 2016


      ciphertext (192 octets):  17030100bb6e9e08 968779b20df43113
         ae8de08b64ce7399 8c5d172d7c35ead5 05828f494e9f9380
         3d963a50899cd3a9 bf7c8d05c5b6ff31 6d7bd5276f34695c
         62bd2ae07649b44e 561c892dbcec0e12 589fd86cd100e54a
         a454edf944bbb37f 471372176e3f42f0 d0743e718bd508a0
         1ff4419853d85639 91deaadf7e8f6e87 dea06197a0bd5ee2
         960a7c7d97354c46 039bb1053cc3bd64 6a4a631fa5dec790
         f54315dc613d24f8 49cb8173624056ce 837d602babdb6f03
         7c10d4ff8c0d687c

   {client}  send record:

      cleartext (50 octets):  0001020304050607 08090a0b0c0d0e0f
         1011121314151617 18191a1b1c1d1e1f 2021222324252627
         28292a2b2c2d2e2f 3031

      ciphertext (72 octets):  1703010043b20a2d ed0ab1f75406210a
         47c90bdc2005accd a938dea9d89ae18f e0d4ee831f31d30c
         22dfdf4cd54ef9b5 8d41175801c59f11 2174c4741262d95e
         ebce282c57885a6d

   {server}  send record:

      cleartext (50 octets):  0001020304050607 08090a0b0c0d0e0f
         1011121314151617 18191a1b1c1d1e1f 2021222324252627
         28292a2b2c2d2e2f 3031

      ciphertext (72 octets):  1703010043f3ce38 bdf2d147bc67a732
         86fd7aa19ab042fe 50a6de46fb66f9cd 205ccde487149928
         f72e56ab2b345770 6a574fe3964ea45b 5f20ae76e33819f7
         c54d7fdbb50bf7aa

   {client}  send record:

      cleartext (2 octets):  0100

      ciphertext (24 octets):  1703010013d60d81 f25a39b000df86f5
         0a29f040ef22f42a

   {server}  send record:

      cleartext (2 octets):  0100

      ciphertext (24 octets):  1703010013b8ba60 16a056a597287382
         226c61b64b545c87






Thomson                    Expires May 1, 2017                 [Page 13]


Internet-Draft               TLS 1.3 Traces                 October 2016


4.  Resumed 0-RTT Handshake

   This handshake resumes from the handshake in Section 3.  Since the
   server provided a session ticket that permitted 0-RTT, and the client
   is configured for 0-RTT, the client is able to send 0-RTT data.

   {client}  create an ephemeral x25519 key pair:

      private key (32 octets):  01c5c60e33afeed5 a0f82c5e4ca515fa
         6ebcda9c7f50ee64 7414fa1c22728b03

      public key (32 octets):  1206a37e316cf704 99d848efd024caaf
         c4b5050647f8aef2 27d81cf446082515

   {client}  send a ClientHello handshake message

   {client}  extract secret "early":

      salt (0 octets):  (empty)

      ikm (32 octets):  afdb6b1d2cc77780 d80026ca6d61b50e
         d7facf76ffd647ae f5565bf072da5420

      secret (32 octets):  50b55777d9078122 7376f3701a850c21
         040983207b0c2469 9580e18ba29bd5f6

   {client}  derive secret "client early traffic secret":

      handshake hash (64 octets):  44dd22c46277ede3 eac3a2dc694d8cb4
         20504c75e9aa00ec 418b6ca7d5555b71 ffc65d93ccb7b739
         b3f1ba164a8c1893 4e069aa123889906 2188e39045f3d821

      PRK (32 octets):  50b55777d9078122 7376f3701a850c21
         040983207b0c2469 9580e18ba29bd5f6

      info (104 octets):  002024544c532031 2e332c20636c6965
         6e74206561726c79 2074726166666963 2073656372657440
         44dd22c46277ede3 eac3a2dc694d8cb4 20504c75e9aa00ec
         418b6ca7d5555b71 ffc65d93ccb7b739 b3f1ba164a8c1893
         4e069aa123889906 2188e39045f3d821

      output (32 octets):  af68f3b851db647a 50ccd03afb94d52e
         8f1349a66f56f54d 683ca3a9900ed295

   {client}  send record:

      cleartext (512 octets):  010001fc030346bd 529e51ffb4df6f6b
         99049413c1b719d7 be796c195f3ce005 4d2866c5dd370000



Thomson                    Expires May 1, 2017                 [Page 14]


Internet-Draft               TLS 1.3 Traces                 October 2016


         3e130113031302c0 2bc02fcca9cca8c0 0ac009c013c023c0
         27c014009eccaa00 3300320067003900 38006b0016001300
         9c002f003c003500 3d000a0005000401 0001950000000b00
         0900000673657276 6572ff0100010000 0a00140012001d00
         1700180019010001 0101020103010400 0b00020100002800
         260024001d002012 06a37e316cf70499 d848efd024caafc4
         b5050647f8aef227 d81cf44608251500 29009a0098010101
         0000924e5353216f fddf432e46e04edd 3964cda3f3506519
         03277c3a259ec466 1515360050cf3e32 9e2bd535a962d66c
         dcaa31777a35f8cf 6579f194fad53034 6815c95baea68f17
         c1573aa34c0b279c e1bfc02c4ff5fef1 b02203391178fadd
         a4b941b65772a1cf 139ed70ae2c178cb d80d5408bb4e6354
         22667e5d15a4065d 15687f3b809fc5a2 682df6f53857ba2c
         70cdfbe30a002a00 0492f5741d002b00 07067f1003030302
         000d0020001e0403 0503060302030804 0805080604010501
         0601020104020502 0602020200150060 0000000000000000
         0000000000000000 0000000000000000 0000000000000000
         0000000000000000 0000000000000000 0000000000000000
         0000000000000000 0000000000000000 0000000000000000
         0000000000000000 0000000000000000

      ciphertext (517 octets):  1603010200010001 fc030346bd529e51
         ffb4df6f6b990494 13c1b719d7be796c 195f3ce0054d2866
         c5dd3700003e1301 13031302c02bc02f cca9cca8c00ac009
         c013c023c027c014 009eccaa00330032 006700390038006b
         00160013009c002f 003c0035003d000a 0005000401000195
         0000000b00090000 06736572766572ff 01000100000a0014
         0012001d00170018 0019010001010102 01030104000b0002
         0100002800260024 001d00201206a37e 316cf70499d848ef
         d024caafc4b50506 47f8aef227d81cf4 460825150029009a
         0098010101000092 4e5353216ffddf43 2e46e04edd3964cd
         a3f350651903277c 3a259ec466151536 0050cf3e329e2bd5
         35a962d66cdcaa31 777a35f8cf6579f1 94fad530346815c9
         5baea68f17c1573a a34c0b279ce1bfc0 2c4ff5fef1b02203
         391178fadda4b941 b65772a1cf139ed7 0ae2c178cbd80d54
         08bb4e635422667e 5d15a4065d15687f 3b809fc5a2682df6
         f53857ba2c70cdfb e30a002a000492f5 741d002b0007067f
         1003030302000d00 20001e0403050306 0302030804080508
         0604010501060102 0104020502060202 0200150060000000
         0000000000000000 0000000000000000 0000000000000000
         0000000000000000 0000000000000000 0000000000000000
         0000000000000000 0000000000000000 0000000000000000
         0000000000000000 0000000000000000 0000000000

   {client}  derive write traffic keys using label "early handshake key
      expansion":





Thomson                    Expires May 1, 2017                 [Page 15]


Internet-Draft               TLS 1.3 Traces                 October 2016


      PRK (32 octets):  af68f3b851db647a 50ccd03afb94d52e
         8f1349a66f56f54d 683ca3a9900ed295

      key info (47 octets):  00102b544c532031 2e332c206561726c
         792068616e647368 616b65206b657920 657870616e73696f
         6e2c206b657900

      key output (16 octets):  eee93d2d1de2b7aa 0939dd335a5389ed

      iv info (46 octets):  000c2a544c532031 2e332c206561726c
         792068616e647368 616b65206b657920 657870616e73696f 6e2c20697600

      iv output (12 octets):  acef44f1be5aab86 64a9749a

   {client}  send a Finished handshake message

   {client}  send record:

      cleartext (36 octets):  140000205b3a3d1b 354919bcea11c379
         edf28d2e780fe28a 0f9d4c5bb3f104b4 30a4ba70

      ciphertext (58 octets):  17030100356c5477 611b08bfe7b2493f
         f05e70873262ae65 cb663667b93931b1 93f36c372e3c5483
         c6a49fc10096b367 09075f2dd5f3f36f 564f

   {client}  derive write traffic keys using label "early application
      data key expansion":

      PRK (32 octets):  af68f3b851db647a 50ccd03afb94d52e
         8f1349a66f56f54d 683ca3a9900ed295

      key info (54 octets):  001032544c532031 2e332c206561726c
         79206170706c6963 6174696f6e206461 7461206b65792065
         7870616e73696f6e 2c206b657900

      key output (16 octets):  c713c8bb3ff78315 b982cfb9a07c80b0

      iv info (53 octets):  000c31544c532031 2e332c206561726c
         79206170706c6963 6174696f6e206461 7461206b65792065
         7870616e73696f6e 2c20697600

      iv output (12 octets):  3750adac15984d62 31053f36

   {client}  send record:

      cleartext (6 octets):  414243444546





Thomson                    Expires May 1, 2017                 [Page 16]


Internet-Draft               TLS 1.3 Traces                 October 2016


      ciphertext (28 octets):  17030100170a9923 e64e0860d54570f8
         d31b86197fd67248 d38cd32f

   {server}  create an ephemeral x25519 key pair:

      private key (32 octets):  0df26b2e9c055b1f bb96b97718ef6f1a
         5549839aff3e3f6a 60b6b356ff631611

      public key (32 octets):  e6c6574f90c8d810 e002c083efa8d895
         389061c5bcd71c63 6f5ae1daf0b30112

   {server}  extract secret "early" (same as client)

   {server}  derive secret "client early traffic secret" (same as
      client)

   {server}  derive read traffic keys using label "early handshake key
      expansion":

      PRK (32 octets):  af68f3b851db647a 50ccd03afb94d52e
         8f1349a66f56f54d 683ca3a9900ed295

      key info (47 octets):  00102b544c532031 2e332c206561726c
         792068616e647368 616b65206b657920 657870616e73696f
         6e2c206b657900

      key output (16 octets):  eee93d2d1de2b7aa 0939dd335a5389ed

      iv info (46 octets):  000c2a544c532031 2e332c206561726c
         792068616e647368 616b65206b657920 657870616e73696f 6e2c20697600

      iv output (12 octets):  acef44f1be5aab86 64a9749a

   {server}  send a ServerHello handshake message

   {server}  extract secret "handshake":

      salt (32 octets):  50b55777d9078122 7376f3701a850c21
         040983207b0c2469 9580e18ba29bd5f6

      ikm (32 octets):  5a2925fe53a03d94 3ae4e2c64dc2bc06
         2c916390403174ac fc64892091e56550

      secret (32 octets):  eff9edc8b2b872d3 e34214189cb5f10a
         45c873eef248f458 15c693215bbc2277

   {server}  derive secret "client handshake traffic secret":




Thomson                    Expires May 1, 2017                 [Page 17]


Internet-Draft               TLS 1.3 Traces                 October 2016


      handshake hash (64 octets):  4a158002aa771132 1d86db9554a8cac1
         f27fa052ab3f8356 1aefa6e1eadc336f ffc65d93ccb7b739
         b3f1ba164a8c1893 4e069aa123889906 2188e39045f3d821

      PRK (32 octets):  eff9edc8b2b872d3 e34214189cb5f10a
         45c873eef248f458 15c693215bbc2277

      info (108 octets):  002028544c532031 2e332c20636c6965
         6e742068616e6473 68616b6520747261 6666696320736563
         726574404a158002 aa7711321d86db95 54a8cac1f27fa052
         ab3f83561aefa6e1 eadc336fffc65d93 ccb7b739b3f1ba16
         4a8c18934e069aa1 238899062188e390 45f3d821

      output (32 octets):  f14973e577eff04c a6795e3f4c1b7752
         901b6e4fbde4ac02 e17e067f08d052f1

   {server}  derive secret "server handshake traffic secret":

      handshake hash (64 octets):  4a158002aa771132 1d86db9554a8cac1
         f27fa052ab3f8356 1aefa6e1eadc336f ffc65d93ccb7b739
         b3f1ba164a8c1893 4e069aa123889906 2188e39045f3d821

      PRK (32 octets):  eff9edc8b2b872d3 e34214189cb5f10a
         45c873eef248f458 15c693215bbc2277

      info (108 octets):  002028544c532031 2e332c2073657276
         65722068616e6473 68616b6520747261 6666696320736563
         726574404a158002 aa7711321d86db95 54a8cac1f27fa052
         ab3f83561aefa6e1 eadc336fffc65d93 ccb7b739b3f1ba16
         4a8c18934e069aa1 238899062188e390 45f3d821

      output (32 octets):  e6e9623c5c3d0023 c64f84145fca6a63
         736f3c8e37ba71da d139daf40f8e4ec0

   {server}  extract secret "master":

      salt (32 octets):  eff9edc8b2b872d3 e34214189cb5f10a
         45c873eef248f458 15c693215bbc2277

      ikm (32 octets):  0000000000000000 0000000000000000
         0000000000000000 0000000000000000

      secret (32 octets):  faecb2e5b0bef416 13d0ff2ae3441ca9
         408b0074cbbea3a2 c270e1cb4a2578cc

   {server}  send record:





Thomson                    Expires May 1, 2017                 [Page 18]


Internet-Draft               TLS 1.3 Traces                 October 2016


      cleartext (88 octets):  020000547f101750 d392fda7530a72ee
         97ec5c43731022b2 168b2ddd967ed3be 04ddbdee74631301
         002e002900020000 00280024001d0020 e6c6574f90c8d810
         e002c083efa8d895 389061c5bcd71c63 6f5ae1daf0b30112

      ciphertext (93 octets):  1603010058020000 547f101750d392fd
         a7530a72ee97ec5c 43731022b2168b2d dd967ed3be04ddbd
         ee74631301002e00 2900020000002800 24001d0020e6c657
         4f90c8d810e002c0 83efa8d895389061 c5bcd71c636f5ae1 daf0b30112

   {server}  derive write traffic keys using label "handshake key
      expansion":

      PRK (32 octets):  e6e9623c5c3d0023 c64f84145fca6a63
         736f3c8e37ba71da d139daf40f8e4ec0

      key info (41 octets):  001025544c532031 2e332c2068616e64
         7368616b65206b65 7920657870616e73 696f6e2c206b6579 00

      key output (16 octets):  64cff1125fc9090b b3ebb29cf49b26a1

      iv info (40 octets):  000c24544c532031 2e332c2068616e64
         7368616b65206b65 7920657870616e73 696f6e2c20697600

      iv output (12 octets):  6292d575366424a0 80f01a22

   {server}  send a EncryptedExtensions handshake message

   {server}  send a Finished handshake message

   {server}  send record:

      cleartext (74 octets):  080000220020000a 00140012001d0017
         0018001901000101 0102010301040000 0000002a00001400
         00206a8db5af860c 85fee7da54cf130a 8fbb7d48563b457c
         6c48bf58e649877f 4241

      ciphertext (96 octets):  170301005bf374b2 5eb166088968e7d5
         fdd0a28ed3411f92 7b4e3fa412bde6c5 ce0ed3627c24b60e
         d67a87dd33444e78 8489c2edcc2b02c5 f520d81e1ab1bdc2
         8c2f9eef9c17a646 0d7043fe958a831b bfe82671b356f6bc
         d1bf43290b8d05a3

   {server}  derive secret "client application traffic secret":

      handshake hash (64 octets):  055666b5e4969791 a49484a3bc0e44db
         db8ac3e18a5dfe8b cc3d700a78d04b90 ffc65d93ccb7b739
         b3f1ba164a8c1893 4e069aa123889906 2188e39045f3d821



Thomson                    Expires May 1, 2017                 [Page 19]


Internet-Draft               TLS 1.3 Traces                 October 2016


      PRK (32 octets):  faecb2e5b0bef416 13d0ff2ae3441ca9
         408b0074cbbea3a2 c270e1cb4a2578cc

      info (110 octets):  00202a544c532031 2e332c20636c6965
         6e74206170706c69 636174696f6e2074 7261666669632073
         6563726574400556 66b5e4969791a494 84a3bc0e44dbdb8a
         c3e18a5dfe8bcc3d 700a78d04b90ffc6 5d93ccb7b739b3f1
         ba164a8c18934e06 9aa1238899062188 e39045f3d821

      output (32 octets):  4c9f3438c915bc4d 0a8a66ec606bed75
         db479d3853d995f1 bc2b97274abf4494

   {server}  derive secret "server application traffic secret":

      handshake hash (64 octets):  055666b5e4969791 a49484a3bc0e44db
         db8ac3e18a5dfe8b cc3d700a78d04b90 ffc65d93ccb7b739
         b3f1ba164a8c1893 4e069aa123889906 2188e39045f3d821

      PRK (32 octets):  faecb2e5b0bef416 13d0ff2ae3441ca9
         408b0074cbbea3a2 c270e1cb4a2578cc

      info (110 octets):  00202a544c532031 2e332c2073657276
         6572206170706c69 636174696f6e2074 7261666669632073
         6563726574400556 66b5e4969791a494 84a3bc0e44dbdb8a
         c3e18a5dfe8bcc3d 700a78d04b90ffc6 5d93ccb7b739b3f1
         ba164a8c18934e06 9aa1238899062188 e39045f3d821

      output (32 octets):  8045d1d46cc35dfa 71b8ded37d54fc72
         afd5ccdaaed73a24 13cdea56a0e363d4

   {server}  derive write traffic keys using label "application data key
      expansion":

      PRK (32 octets):  8045d1d46cc35dfa 71b8ded37d54fc72
         afd5ccdaaed73a24 13cdea56a0e363d4

      key info (48 octets):  00102c544c532031 2e332c206170706c
         69636174696f6e20 64617461206b6579 20657870616e7369
         6f6e2c206b657900

      key output (16 octets):  8bef5ef0dfa457f1 fcc656c8c187dba9

      iv info (47 octets):  000c2b544c532031 2e332c206170706c
         69636174696f6e20 64617461206b6579 20657870616e7369
         6f6e2c20697600

      iv output (12 octets):  d38dc8e37a7c9464 7e4f4cb5




Thomson                    Expires May 1, 2017                 [Page 20]


Internet-Draft               TLS 1.3 Traces                 October 2016


   {server}  derive read traffic keys using label "early application
      data key expansion" (same as client write traffic keys)

   {client}  extract secret "handshake":

      salt (32 octets):  50b55777d9078122 7376f3701a850c21
         040983207b0c2469 9580e18ba29bd5f6

      ikm (32 octets):  5a2925fe53a03d94 3ae4e2c64dc2bc06
         2c916390403174ac fc64892091e56550

      secret (32 octets):  eff9edc8b2b872d3 e34214189cb5f10a
         45c873eef248f458 15c693215bbc2277

   {client}  derive secret "client handshake traffic secret":

      handshake hash (64 octets):  4a158002aa771132 1d86db9554a8cac1
         f27fa052ab3f8356 1aefa6e1eadc336f ffc65d93ccb7b739
         b3f1ba164a8c1893 4e069aa123889906 2188e39045f3d821

      PRK (32 octets):  eff9edc8b2b872d3 e34214189cb5f10a
         45c873eef248f458 15c693215bbc2277

      info (108 octets):  002028544c532031 2e332c20636c6965
         6e742068616e6473 68616b6520747261 6666696320736563
         726574404a158002 aa7711321d86db95 54a8cac1f27fa052
         ab3f83561aefa6e1 eadc336fffc65d93 ccb7b739b3f1ba16
         4a8c18934e069aa1 238899062188e390 45f3d821

      output (32 octets):  f14973e577eff04c a6795e3f4c1b7752
         901b6e4fbde4ac02 e17e067f08d052f1

   {client}  derive secret "server handshake traffic secret":

      handshake hash (64 octets):  4a158002aa771132 1d86db9554a8cac1
         f27fa052ab3f8356 1aefa6e1eadc336f ffc65d93ccb7b739
         b3f1ba164a8c1893 4e069aa123889906 2188e39045f3d821

      PRK (32 octets):  eff9edc8b2b872d3 e34214189cb5f10a
         45c873eef248f458 15c693215bbc2277

      info (108 octets):  002028544c532031 2e332c2073657276
         65722068616e6473 68616b6520747261 6666696320736563
         726574404a158002 aa7711321d86db95 54a8cac1f27fa052
         ab3f83561aefa6e1 eadc336fffc65d93 ccb7b739b3f1ba16
         4a8c18934e069aa1 238899062188e390 45f3d821





Thomson                    Expires May 1, 2017                 [Page 21]


Internet-Draft               TLS 1.3 Traces                 October 2016


      output (32 octets):  e6e9623c5c3d0023 c64f84145fca6a63
         736f3c8e37ba71da d139daf40f8e4ec0

   {client}  extract secret "master" (same as server)

   {client}  derive read traffic keys using label "handshake key
      expansion":

      PRK (32 octets):  e6e9623c5c3d0023 c64f84145fca6a63
         736f3c8e37ba71da d139daf40f8e4ec0

      key info (41 octets):  001025544c532031 2e332c2068616e64
         7368616b65206b65 7920657870616e73 696f6e2c206b6579 00

      key output (16 octets):  64cff1125fc9090b b3ebb29cf49b26a1

      iv info (40 octets):  000c24544c532031 2e332c2068616e64
         7368616b65206b65 7920657870616e73 696f6e2c20697600

      iv output (12 octets):  6292d575366424a0 80f01a22

   {client}  send record:

      cleartext (2 octets):  0101

      ciphertext (24 octets):  1703010013687eb4 9a969a751172cf83
         fb367fc3e6554ff2

   {client}  derive write traffic keys using label "handshake key
      expansion":

      PRK (32 octets):  f14973e577eff04c a6795e3f4c1b7752
         901b6e4fbde4ac02 e17e067f08d052f1

      key info (41 octets):  001025544c532031 2e332c2068616e64
         7368616b65206b65 7920657870616e73 696f6e2c206b6579 00

      key output (16 octets):  a73add6f2e57fc83 c79573d270cc6509

      iv info (40 octets):  000c24544c532031 2e332c2068616e64
         7368616b65206b65 7920657870616e73 696f6e2c20697600

      iv output (12 octets):  d61dd1b8a247c421 c244041f

   {client}  derive secret "client application traffic secret":






Thomson                    Expires May 1, 2017                 [Page 22]


Internet-Draft               TLS 1.3 Traces                 October 2016


      handshake hash (64 octets):  055666b5e4969791 a49484a3bc0e44db
         db8ac3e18a5dfe8b cc3d700a78d04b90 ffc65d93ccb7b739
         b3f1ba164a8c1893 4e069aa123889906 2188e39045f3d821

      PRK (32 octets):  faecb2e5b0bef416 13d0ff2ae3441ca9
         408b0074cbbea3a2 c270e1cb4a2578cc

      info (110 octets):  00202a544c532031 2e332c20636c6965
         6e74206170706c69 636174696f6e2074 7261666669632073
         6563726574400556 66b5e4969791a494 84a3bc0e44dbdb8a
         c3e18a5dfe8bcc3d 700a78d04b90ffc6 5d93ccb7b739b3f1
         ba164a8c18934e06 9aa1238899062188 e39045f3d821

      output (32 octets):  4c9f3438c915bc4d 0a8a66ec606bed75
         db479d3853d995f1 bc2b97274abf4494

   {client}  derive secret "server application traffic secret" (same as
      server)

   {client}  derive read traffic keys using label "application data key
      expansion" (same as server write traffic keys)

   {client}  send a Finished handshake message

   {client}  send record:

      cleartext (36 octets):  140000208a5ff8f5 2a3e97eaaa1feb1c
         0ee058d9b923c788 592c46fcdd240e5d 17a80d40

      ciphertext (58 octets):  170301003551e152 cd27816eb07f79e8
         9c71bf328d373b5b b8390821a319a957 03b3a563f0042de9
         713c82a48cd42321 4c7efa9806153dec 62de

   {client}  derive write traffic keys using label "application data key
      expansion":

      PRK (32 octets):  4c9f3438c915bc4d 0a8a66ec606bed75
         db479d3853d995f1 bc2b97274abf4494

      key info (48 octets):  00102c544c532031 2e332c206170706c
         69636174696f6e20 64617461206b6579 20657870616e7369
         6f6e2c206b657900

      key output (16 octets):  aeffc85a70981079 9828a861b510d20a

      iv info (47 octets):  000c2b544c532031 2e332c206170706c
         69636174696f6e20 64617461206b6579 20657870616e7369
         6f6e2c20697600



Thomson                    Expires May 1, 2017                 [Page 23]


Internet-Draft               TLS 1.3 Traces                 October 2016


      iv output (12 octets):  a240fcfee10fc824 5f977745

   {client}  derive secret "resumption master secret":

      handshake hash (64 octets):  86dd36a494000932 c9f58c7410cff699
         2b53f90b2e457196 cb0a62a306fabc32 ffc65d93ccb7b739
         b3f1ba164a8c1893 4e069aa123889906 2188e39045f3d821

      PRK (32 octets):  faecb2e5b0bef416 13d0ff2ae3441ca9
         408b0074cbbea3a2 c270e1cb4a2578cc

      info (101 octets):  002021544c532031 2e332c2072657375
         6d7074696f6e206d 6173746572207365 637265744086dd36
         a494000932c9f58c 7410cff6992b53f9 0b2e457196cb0a62
         a306fabc32ffc65d 93ccb7b739b3f1ba 164a8c18934e069a
         a1238899062188e3 9045f3d821

      output (32 octets):  a42c624281007958 cf5b386cdeea9505
         78f5a4e8ce376e5b 5e1cc521f50a8e13

   {server}  derive read traffic keys using label "handshake key
      expansion":

      PRK (32 octets):  f14973e577eff04c a6795e3f4c1b7752
         901b6e4fbde4ac02 e17e067f08d052f1

      key info (41 octets):  001025544c532031 2e332c2068616e64
         7368616b65206b65 7920657870616e73 696f6e2c206b6579 00

      key output (16 octets):  a73add6f2e57fc83 c79573d270cc6509

      iv info (40 octets):  000c24544c532031 2e332c2068616e64
         7368616b65206b65 7920657870616e73 696f6e2c20697600

      iv output (12 octets):  d61dd1b8a247c421 c244041f

   {server}  derive read traffic keys using label "application data key
      expansion" (same as client write traffic keys)

   {server}  derive secret "resumption master secret" (same as client)

   {client}  send record:

      cleartext (50 octets):  0001020304050607 08090a0b0c0d0e0f
         1011121314151617 18191a1b1c1d1e1f 2021222324252627
         28292a2b2c2d2e2f 3031





Thomson                    Expires May 1, 2017                 [Page 24]


Internet-Draft               TLS 1.3 Traces                 October 2016


      ciphertext (72 octets):  1703010043002960 3d4a0b22d5c35dbe
         6b57d8015fbe1364 a6eb5047be44ddb7 9c52225b97d85854
         59322c960eb231a5 99464c714b5a3a5e 06dd664311d9d4ac
         182853c7597e7a9d

   {server}  send record:

      cleartext (50 octets):  0001020304050607 08090a0b0c0d0e0f
         1011121314151617 18191a1b1c1d1e1f 2021222324252627
         28292a2b2c2d2e2f 3031

      ciphertext (72 octets):  170301004387d132 c8efbcd1bb57be5b
         1b8bdd232247d909 45f87d6076a8f110 addb8c27ba05b107
         28e5b103aaac58ce 4b6693dbf77066ed a8168a4f6df78d8f
         4f9a743dc72b3156

   {client}  send record:

      cleartext (2 octets):  0100

      ciphertext (24 octets):  17030100136a2ffa 499ba7a94e2cc32d
         e33f03e69da02d0e

   {server}  send record:

      cleartext (2 octets):  0100

      ciphertext (24 octets):  1703010013e01536 07df77f766766ee3
         b61e6746db71bbed

5.  Security Considerations

   It probably isn't a good idea to use the private key here.  If it
   weren't for the fact that it is too small to provide any meaningful
   security, it is now very well known.

6.  Normative References

   [I-D.ietf-tls-tls13]
              Rescorla, E., "The Transport Layer Security (TLS) Protocol
              Version 1.3", draft-ietf-tls-tls13-18 (work in progress),
              October 2016.

Appendix A.  Acknowledgements

   None of this would have been possible without Franziskus Kiefer, Eric
   Rescorla and Tim Taubert, who did a lot of the work in NSS.




Thomson                    Expires May 1, 2017                 [Page 25]


Internet-Draft               TLS 1.3 Traces                 October 2016


Author's Address

   Martin Thomson
   Mozilla

   Email: martin.thomson@gmail.com













































Thomson                    Expires May 1, 2017                 [Page 26]