TLS                                                           M. Thomson
Internet-Draft                                                   Mozilla
Intended status: Standards Track                           June 30, 2017
Expires: January 1, 2018


                  Example Handshake Traces for TLS 1.3
                     draft-ietf-tls-tls13-vectors-01

Abstract

   Examples of TLS 1.3 handshakes are shown.  Private keys and inputs
   are provided so that these handshakes might be reproduced.
   Intermediate values, including secrets, traffic keys and IVs are
   shown so that implementations might be checked incrementally against
   these values.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on January 1, 2018.

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Private Keys
   3.  Simple 1-RTT Handshake
   4.  Resumed 0-RTT Handshake
   5.  HelloRetryRequest
   6.  Security Considerations
   7.  References
     7.1.  Normative References
     7.2.  Informative References
   Appendix A.  Acknowledgements
   Author's Address

1.  Introduction

   TLS 1.3 [I-D.ietf-tls-tls13] defines a new key schedule and a number
   of new cryptographic operations.  This document includes sample
   handshakes that show all intermediate values.  This allows an
   implementation to be verified incrementally, examining inputs and
   outputs of each cryptographic computation independently.

   Private keys are included with the traces so that implementations can
   be checked by importing these values and verifying that the same
   outputs are produced.

2.  Private Keys

   Ephemeral private keys are shown as they are generated in the traces.

   The server in most examples uses an RSA certificate with a private
   key of:

   modulus (public): b4bb498f8279303d 980836399b36c698 8c0c68de55e1bdb8
                     26d3901a2461eafd 2de49a91d015abbc 9a95137ace6c1af1
                     9eaa6af98c7ced43 120998e187a80ee0 ccb0524b1b018c3e
                     0b63264d449a6d38 e22a5fda43084674 8030530ef0461c8c
                     a9d9efbfae8ea6d1 d03e2bd193eff0ab 9a8002c47428a6d3
                     5a8d88d79f7f1e3f

   public exponent: 010001

   private exponent: 04dea705d43a6ea7 209dd8072111a83c 81e322a59278b334
                     80641eaf7c0a6985 b8e31c44f6de62e1 b4c2309f6126e77b
                     7c41e923314bbfa3 881305dc1217f16c 819ce538e922f369
                     828d0e57195d8c84 88460207b2faa726 bcf708bbd7db7f67
                     9f893492fc2a622e 08970aac441ce4e0 c3088df25ae67923
                     3df8a3bda2ff9941

   prime1: e435fb7cc8373775 6dacea96ab7f59a2 cc1069db7deb190e
           17e33a532b273f30 a327aa0aaabc58cd 67466af9845fadc6
           75fe094af92c4bd1 f2c1bc33dd2e0515

   prime2: cabd3bc0e0438664 c8d4cc9f99977a94 d9bbfead8e43870a
           bae3f7eb8b4e0eee 8af1d9b4719ba619 6cf2cbbaeeebf8b3
           490afe9e9ffa74a8 8aa51fc645629303
   exponent1: 3f57345c27fe1b68 7e6e761627b78b1b 826433dd760fa0be
              a6a6acf39490aa1b 47cda4869d68f584 dd5b5029bd32093b
              8258661fe715025e 5d70a45a08d3d319

   exponent2: 183da01363bd2f28 85cacbdc9964bf47 64f1517636f86401
              286f71893c52ccfe 40a6c23d0d086b47 c6fb10d8fd1041e0
              4def7e9a40ce957c 417794e10412d139

   coefficient: 839ca9a085e4286b 2c90e466997a2c68 1f21339aa3477814
                e4dec11833050ed5 0dd13cc038048a43 c59b2acc416889c0
                37665fe5afa60596 9f8c01dfa5ca969d

3.  Simple 1-RTT Handshake

   In this example, the simplest possible handshake is completed.  The
   server is authenticated, but the client remains anonymous.  After
   connecting, a few application data octets are exchanged.  The server
   sends a session ticket that permits the use of 0-RTT in any resumed
   session.

   {client} create an ephemeral x25519 key pair:

      private key (32 octets): 8d471715ed09bd58 e1ea7f90f4bd1b96
      b23f5f53f6d1b3c5 8d12f5c06a3921a0

      public key (32 octets): 1db0a34c651f3a3f 9011b8c1bdd7714a
      a3593833e2e37cea a3a4796f6ee35657

   {client} send a ClientHello handshake message

   {client} send handshake record:

      payload (512 octets): 010001fc0303e864 702db55462aa0e96
      ed08c0d9a1dc18d5 1cffb1d668298ac0 45a2645780f30000
      3e130113031302c0 2bc02fcca9cca8c0 0ac009c013c023c0
      27c014009eccaa00 3300320067003900 38006b0016001300
      9c002f003c003500 3d000a0005000401 0001950000000b00
      0900000673657276 6572ff0100010000 0a00140012001d00
      1700180019010001 0101020103010400 0b00020100002300
      0000280026002400 1d00201db0a34c65 1f3a3f9011b8c1bd
      d7714aa3593833e2 e37ceaa3a4796f6e e35657002b000706
      7f1403030302000d 0020001e04030503 0603020308040805
      0806040105010601 0201040205020602 0202002d00020101
      001500fc00000000 0000000000000000 0000000000000000
      0000000000000000 0000000000000000 0000000000000000
      0000000000000000 0000000000000000 0000000000000000
      0000000000000000 0000000000000000 0000000000000000
      0000000000000000 0000000000000000 0000000000000000
      0000000000000000 0000000000000000 0000000000000000
      0000000000000000 0000000000000000 0000000000000000
      0000000000000000 0000000000000000 0000000000000000
      0000000000000000 0000000000000000 0000000000000000
      0000000000000000 0000000000000000 0000000000000000
      0000000000000000 0000000000000000

      ciphertext (517 octets): 1603010200010001 fc0303e864702db5
      5462aa0e96ed08c0 d9a1dc18d51cffb1 d668298ac045a264
      5780f300003e1301 13031302c02bc02f cca9cca8c00ac009
      c013c023c027c014 009eccaa00330032 006700390038006b
      00160013009c002f 003c0035003d000a 0005000401000195
      0000000b00090000 06736572766572ff 01000100000a0014
      0012001d00170018 0019010001010102 01030104000b0002
      0100002300000028 00260024001d0020 1db0a34c651f3a3f
      9011b8c1bdd7714a a3593833e2e37cea a3a4796f6ee35657
      002b0007067f1403 030302000d002000 1e04030503060302
      0308040805080604 0105010601020104 0205020602020200
      2d00020101001500 fc00000000000000 0000000000000000
      0000000000000000 0000000000000000 0000000000000000
      0000000000000000 0000000000000000 0000000000000000
      0000000000000000 0000000000000000 0000000000000000
      0000000000000000 0000000000000000 0000000000000000
      0000000000000000 0000000000000000 0000000000000000
      0000000000000000 0000000000000000 0000000000000000
      0000000000000000 0000000000000000 0000000000000000
      0000000000000000 0000000000000000 0000000000000000
      0000000000000000 0000000000000000 0000000000000000
      0000000000000000 0000000000000000 0000000000

   {server} extract secret "early":

      salt: (absent)

      ikm (32 octets): 0000000000000000 0000000000000000
      0000000000000000 0000000000000000

      secret (32 octets): 33ad0a1c607ec03b 09e6cd9893680ce2
      10adf300aa1f2660 e1b22e10f170f92a

   {server} create an ephemeral x25519 key pair:

      private key (32 octets): 8b587c8205a29c7e 7bce7475cfa595d3
      78d09e79b25d7db9 07cd92259a628dc3

      public key (32 octets): b80ea5ef65d8ee1b 524abb29c857142e
      a9e4591fc0e38dc2 4d2361a3988be019

   {server} send a ServerHello handshake message

   {server} derive secret for handshake "tls13 derived":

      PRK (32 octets): 33ad0a1c607ec03b 09e6cd9893680ce2
      10adf300aa1f2660 e1b22e10f170f92a

      hash (32 octets): e3b0c44298fc1c14 9afbf4c8996fb924
      27ae41e4649b934c a495991b7852b855

      info (49 octets): 00200d746c733133 2064657269766564
      20e3b0c44298fc1c 149afbf4c8996fb9 2427ae41e4649b93
      4ca495991b7852b8 55

      output (32 octets): 6f2615a108c702c5 678f54fc9dbab697
      16c076189c48250c ebeac3576c3611ba

   {server} extract secret "handshake":

      salt (32 octets): 6f2615a108c702c5 678f54fc9dbab697
      16c076189c48250c ebeac3576c3611ba

      ikm (32 octets): 5aa03a79c923fa4c 683d9cba739516c4
      c69ad15c0db40b7c 6e21e2ff71f40f06

      secret (32 octets): e4e77cf10307c913 575026d3d193b181
      f90ee4aa69f53f17 3426d62704623e85

   {server} derive secret "tls13 c hs traffic":

      PRK (32 octets): e4e77cf10307c913 575026d3d193b181
      f90ee4aa69f53f17 3426d62704623e85

      hash (32 octets): 1d88ec0fc94ca5fc dbf7bd3f4be8dac8
      09f98d58af751934 771d7268c79310e3

      info (54 octets): 002012746c733133 2063206873207472
      6166666963201d88 ec0fc94ca5fcdbf7 bd3f4be8dac809f9
      8d58af751934771d 7268c79310e3

      output (32 octets): 041ae38c959b6d93 7dba0da43d2b3bc0
      a81da11279935399 5720bc155657934a

   {server} derive secret "tls13 s hs traffic":

      PRK (32 octets): e4e77cf10307c913 575026d3d193b181
      f90ee4aa69f53f17 3426d62704623e85

      hash (32 octets): 1d88ec0fc94ca5fc dbf7bd3f4be8dac8
      09f98d58af751934 771d7268c79310e3

      info (54 octets): 002012746c733133 2073206873207472
      6166666963201d88 ec0fc94ca5fcdbf7 bd3f4be8dac809f9
      8d58af751934771d 7268c79310e3

      output (32 octets): b05eae2a3c213f62 9ff677f9afff5589
      368b1baf54b1bdc6 80f43b4e523f1e3b

   {server} derive secret for master "tls13 derived":

      PRK (32 octets): e4e77cf10307c913 575026d3d193b181
      f90ee4aa69f53f17 3426d62704623e85

      hash (32 octets): e3b0c44298fc1c14 9afbf4c8996fb924
      27ae41e4649b934c a495991b7852b855

      info (49 octets): 00200d746c733133 2064657269766564
      20e3b0c44298fc1c 149afbf4c8996fb9 2427ae41e4649b93
      4ca495991b7852b8 55

      output (32 octets): 7ed62a7bc6fb30cf 5f526ab9cb7dcc25
      cdd239c36a2985b6 938ce1619bf2647d

   {server} extract secret "master":

      salt (32 octets): 7ed62a7bc6fb30cf 5f526ab9cb7dcc25
      cdd239c36a2985b6 938ce1619bf2647d

      ikm (32 octets): 0000000000000000 0000000000000000
      0000000000000000 0000000000000000

      secret (32 octets): e845be8dbb7556ed 9a4921f663c88cd6
      8387f72e4e2572dc 59f22c5cda035862

   {server} send handshake record:

      payload (82 octets): 0200004e7f14a6b9 ce3215b325616f22
      48f11f776a98d174 8e895118182143cc 67c46f3f11831301
      002800280024001d 0020b80ea5ef65d8 ee1b524abb29c857
      142ea9e4591fc0e3 8dc24d2361a3988b e019

      ciphertext (87 octets): 1603010052020000 4e7f14a6b9ce3215
      b325616f2248f11f 776a98d1748e8951 18182143cc67c46f
      3f11831301002800 280024001d0020b8 0ea5ef65d8ee1b52
      4abb29c857142ea9 e4591fc0e38dc24d 2361a3988be019

   {server} derive write traffic keys for handshake data:

      PRK (32 octets): b05eae2a3c213f62 9ff677f9afff5589
      368b1baf54b1bdc6 80f43b4e523f1e3b

      key info (13 octets): 001009746c733133 206b657900

      key output (16 octets): 1837f9353c2e7a0d 279923526c53aead

      iv info (12 octets): 000c08746c733133 20697600

      iv output (12 octets): 876dd44a5f0cc952 08425386

   {server} send an EncryptedExtensions handshake message

   {server} send a Certificate handshake message

   {server} send a CertificateVerify handshake message

   {server} calculate finished "tls13 finished":

      PRK (32 octets): b05eae2a3c213f62 9ff677f9afff5589
      368b1baf54b1bdc6 80f43b4e523f1e3b

      hash (0 octets): (empty)

      info (18 octets): 00200e746c733133 2066696e69736865 6400

      output (32 octets): 15348eafde4ec0f8 3808818c95c7b285
      acf763920eef62ac 0e314b391632ad9e

   {server} send a Finished handshake message

   {server} send handshake record:

      payload (651 octets): 0800001e001c000a 00140012001d0017
      0018001901000101 0102010301040000 00000b0001b90000
      01b50001b0308201 ac30820115a00302 0102020102300d06
      092a864886f70d01 010b0500300e310c 300a060355040313
      03727361301e170d 3136303733303031 323335395a170d32
      3630373330303132 3335395a300e310c 300a060355040313
      0372736130819f30 0d06092a864886f7 0d01010105000381
      8d00308189028181 00b4bb498f827930 3d980836399b36c6
      988c0c68de55e1bd b826d3901a2461ea fd2de49a91d015ab
      bc9a95137ace6c1a f19eaa6af98c7ced 43120998e187a80e
      e0ccb0524b1b018c 3e0b63264d449a6d 38e22a5fda430846
      748030530ef0461c 8ca9d9efbfae8ea6 d1d03e2bd193eff0
      ab9a8002c47428a6 d35a8d88d79f7f1e 3f0203010001a31a
      301830090603551d 1304023000300b06 03551d0f04040302
      05a0300d06092a86 4886f70d01010b05 000381810085aad2
      a0e5b9276b908c65 f73a7267170618a5 4c5f8a7b337d2df7
      a594365417f2eae8 f8a58c8f8172f931 9cf36b7fd6c55b80
      f21a030151567260 96fd335e5e67f2db f102702e608ccae6
      bec1fc63a42a99be 5c3eb7107c3c54e9 b9eb2bd5203b1c3b
      84e0a8b2f759409b a3eac9d91d402dcc 0cc8f8961229ac91
      87b42b4de100000f 0000840804008052 e8915b097ea305da
      d8a511a03ea45c34 a14e04a1f13a8b45 279654262702f9d8
      b2b1897bfebae516 09b265eae67dc898 0ef9aac9514e84b3
      3b1d8dc3105e5139 5854964d9bca28e8 aab0b968808c4d99
      4c963253d13dc1ed c98945fa0c72cb74 959d9204740e968b
      9dbc9d97914fb2fb e9671300d3aeb5eb 40d3fe5ad425e014
      0000200d2c10fab6 abf8cbaa97b91816 2516fdfb4a1129c3
      98bb5fe97848d910 208036

      ciphertext (673 octets): 170301029cda8377 df12c42a7c157681
      92a0a724c1a2a070 4f4901e91dd4a873 3dcee9461401f7c7
      ad2b7584fe18d87b d12d05d718c46c04 3deef39e63b7a50e
      747de04a55d8074a 14ff21803864d8ee 65482da8b307ed8f
      11df14701c81bd3b ba9f86f7e83a392f 23532abd49396450
      f3cf32d369b27eb9 2427ace4f141defe fa777cb75c5fa511
      90d2399035164350 f0d59cdba5369141 d453467634ed876c
      3e423b715d47272f f84b0e797850c89d ce8119b45af1c439
      0e5c66661f4ed0e6 ca7018d189d71e76 7addc2e28f48ccd3
      c61b236fb02160f2 38763de832b8f5b1 76d29809e6d95123
      0fb0fb0a66c0d4c4 11a0fdd1fd7b3f54 7b0abfd5f4df3b60
      a4aa4a230a69d7e0 b28c71a1bcbbc071 0474e682c1a27912
      bc4463688b2d781f 0c41e48dd169378f d5a9416ce1e89930
      a5166a4c6cf52b80 14c368a52ed0173e 56758688b99838f9
      d54e4139e5bf34ff 4a5295dd6183774a db81074abd9a8ccd
      621afc59b311cc65 0f28ce32b78fe0bc 5ea36a868bcd43ab
      f2c49223eb02318a 609820cb516afc69 89593e77002be6d8
      4b2b84159ce70e50 868fc8fd42b0d123 976f8caaf363b68d
      c390dc07ee9fa818 22840d3c3bfe2e3c 62df1e98ce6acdb6
      6f65a6b7f39599ab c21a9c6e1e3ec631 3bcf3a3add55f786
      595b394e05dbc16d 66953061ffb564d7 2f023f74b3798e16
      3454e8d206aa0e0a a737f5abe22df433 9ba24ce9500005aa
      82ea5af110a202f8 24fd9f561e57f2cd 5a54b42d672401cc
      ea1ef5a9967ecc65 b735a7b860156954 04e027e756157a3f
      88546d127c53d638 54032aafb7760205 60defc8e8f98853c
      40dd3c2772e619e4 723f2936c3b6da21 9d00caa6c13d77d9
      cfb6acfa3148fb1a 45ffcc9594f43fb2 af18f1e54ef1750f
      21bddce6449807b2 e7e8090ffda954a7 302722f2ea1333eb
      e85fcb49ae7871d2 38

   {server} derive secret "tls13 c ap traffic":

      PRK (32 octets): e845be8dbb7556ed 9a4921f663c88cd6
      8387f72e4e2572dc 59f22c5cda035862

      hash (32 octets): 0e69e4a8fd0448d1 3862dc670e97c44f
      c157d1adc99f3639 c9bd3f9dbc2990cf

      info (54 octets): 002012746c733133 2063206170207472
      6166666963200e69 e4a8fd0448d13862 dc670e97c44fc157
      d1adc99f3639c9bd 3f9dbc2990cf

      output (32 octets): 9e0bf6b565b4c386 d3f0a7faaecffac8
      76716d97ef7e1920 9b6a82fbc2e78ab6

   {server} derive secret "tls13 s ap traffic":

      PRK (32 octets): e845be8dbb7556ed 9a4921f663c88cd6
      8387f72e4e2572dc 59f22c5cda035862

      hash (32 octets): 0e69e4a8fd0448d1 3862dc670e97c44f
      c157d1adc99f3639 c9bd3f9dbc2990cf

      info (54 octets): 002012746c733133 2073206170207472
      6166666963200e69 e4a8fd0448d13862 dc670e97c44fc157
      d1adc99f3639c9bd 3f9dbc2990cf

      output (32 octets): d4a9974dc6c15c4b d5e35add69b1a20c
      b78affe36ab431e8 264567a25f89d35b

   {server} derive secret "tls13 exp master":

      PRK (32 octets): e845be8dbb7556ed 9a4921f663c88cd6
      8387f72e4e2572dc 59f22c5cda035862

      hash (32 octets): 0e69e4a8fd0448d1 3862dc670e97c44f
      c157d1adc99f3639 c9bd3f9dbc2990cf

      info (52 octets): 002010746c733133 20657870206d6173
      746572200e69e4a8 fd0448d13862dc67 0e97c44fc157d1ad
      c99f3639c9bd3f9d bc2990cf

      output (32 octets): 8169817e9b02ed1e b731b3bcfd656f73
      a674abad0541074c 9c2ce0f1dda661b2

   {server} derive write traffic keys for application data:

      PRK (32 octets): d4a9974dc6c15c4b d5e35add69b1a20c
      b78affe36ab431e8 264567a25f89d35b

      key info (13 octets): 001009746c733133 206b657900

      key output (16 octets): 474c6c4d95e3c4a7 c83d2a327573ad7a

      iv info (12 octets): 000c08746c733133 20697600

      iv output (12 octets): 57ae1cf30df22bd5 cc6c5903

   {server} derive read traffic keys for handshake data:

      PRK (32 octets): 041ae38c959b6d93 7dba0da43d2b3bc0
      a81da11279935399 5720bc155657934a

      key info (13 octets): 001009746c733133 206b657900

      key output (16 octets): cacd295502a93689 37e8a8c58962b485

      iv info (12 octets): 000c08746c733133 20697600

      iv output (12 octets): 692cb0e95a3e2c80 7ac13112

   {client} extract secret "early":

      salt: (absent)

      ikm (32 octets): 0000000000000000 0000000000000000
      0000000000000000 0000000000000000

      secret (32 octets): 33ad0a1c607ec03b 09e6cd9893680ce2
      10adf300aa1f2660 e1b22e10f170f92a

   {client} derive secret for handshake "tls13 derived":

      PRK (32 octets): 33ad0a1c607ec03b 09e6cd9893680ce2
      10adf300aa1f2660 e1b22e10f170f92a

      hash (32 octets): e3b0c44298fc1c14 9afbf4c8996fb924
      27ae41e4649b934c a495991b7852b855

      info (49 octets): 00200d746c733133 2064657269766564
      20e3b0c44298fc1c 149afbf4c8996fb9 2427ae41e4649b93
      4ca495991b7852b8 55

      output (32 octets): 6f2615a108c702c5 678f54fc9dbab697
      16c076189c48250c ebeac3576c3611ba

   {client} extract secret "handshake":

      salt (32 octets): 6f2615a108c702c5 678f54fc9dbab697
      16c076189c48250c ebeac3576c3611ba

      ikm (32 octets): 5aa03a79c923fa4c 683d9cba739516c4
      c69ad15c0db40b7c 6e21e2ff71f40f06

      secret (32 octets): e4e77cf10307c913 575026d3d193b181
      f90ee4aa69f53f17 3426d62704623e85

   {client} derive secret "tls13 c hs traffic" (same as server)

   {client} derive secret "tls13 s hs traffic" (same as server)

   {client} derive secret for master "tls13 derived" (same as server)

   {client} extract secret "master" (same as server)

   {client} derive read traffic keys for handshake data:

      PRK (32 octets): b05eae2a3c213f62 9ff677f9afff5589
      368b1baf54b1bdc6 80f43b4e523f1e3b

      key info (13 octets): 001009746c733133 206b657900

      key output (16 octets): 1837f9353c2e7a0d 279923526c53aead

      iv info (12 octets): 000c08746c733133 20697600

      iv output (12 octets): 876dd44a5f0cc952 08425386

   {client} calculate finished "tls13 finished" (same as server)

   {client} derive secret "tls13 c ap traffic" (same as server)

   {client} derive secret "tls13 s ap traffic" (same as server)

   {client} derive secret "tls13 exp master" (same as server)

   {client} derive write traffic keys for handshake data (same as
   server read traffic keys)

   {client} derive read traffic keys for application data (same as
   server write traffic keys)

   {client} calculate finished "tls13 finished":

      PRK (32 octets): 041ae38c959b6d93 7dba0da43d2b3bc0
      a81da11279935399 5720bc155657934a

      hash (0 octets): (empty)

      info (18 octets): 00200e746c733133 2066696e69736865 6400

      output (32 octets): 507651b6fa3d5622 34091e1cdf3c7fba
      bf2f235272831b99 dcc2accc8afb563e

   {client} send a Finished handshake message

   {client} send handshake record:

      payload (36 octets): 14000020c87d6dd1 50b92a473cbff566
      34f50b2ecba977b4 afa29a0fb654a8be 22124aae

      ciphertext (58 octets): 17030100356d8eca 3665769dee5093cd
      a2cbe4704aa214a9 4e399428cb0d584e 1878ce907f557200
      ac1fd645c5285afa cd7570117b61501c 7586

   {client} derive write traffic keys for application data:

      PRK (32 octets): 9e0bf6b565b4c386 d3f0a7faaecffac8
      76716d97ef7e1920 9b6a82fbc2e78ab6

      key info (13 octets): 001009746c733133 206b657900

      key output (16 octets): ac773626f67dfa1b 2bdae44cf89d424f

      iv info (12 octets): 000c08746c733133 20697600

      iv output (12 octets): 2726987b7549397b 1a8e0363

   {client} derive secret "tls13 res master":

      PRK (32 octets): e845be8dbb7556ed 9a4921f663c88cd6
      8387f72e4e2572dc 59f22c5cda035862

      hash (32 octets): 949f8ad1a8ce89e6 ff48d2dfa9da007f
      3db6820ab1c23d66 0011167a8093751b

      info (52 octets): 002010746c733133 20726573206d6173
      74657220949f8ad1 a8ce89e6ff48d2df a9da007f3db6820a
      b1c23d660011167a 8093751b

      output (32 octets): 692dcd005454d3f6 1313150d8414bc06
      f63fdaaad6e60d4d fcf0ee4350b9fc38

   {server} calculate finished "tls13 finished" (same as client)

   {server} derive read traffic keys for application data (same as
   client write traffic keys)

   {server} derive secret "tls13 res master" (same as client)

   {server} send a SessionTicket handshake message

   {server} send handshake record:

      payload (186 octets): 040000b60000001e f1655d5400a299b4
      f88531f21efd8d98 e8ad000000007142 3911a9eb9f743d9b
      e589bc89f05a0060 b46fab142a9b5055 5b729017a7235dc3
      8f9b80550570fce6 34302954540f8537 20d53a1e3eb34357
      e6161c2655fde96d 7bcbb978c074c269 2696124089322d61
      d5747dfd20d4b19d b61193d698283808 1bf8c7fde1740823
      e87e58289843230f 28a9fbe716cb5594 1a5dd7151c873aba
      36ae8cff557bb3f7 d2bfc7f126a25234 0008002a00040000
      0400

      ciphertext (208 octets): 17030100cbf400c9 f93f3a2e22b8c810
      0a0ae955290eea5b 8c2288d72ebdb6b1 2a9b4fb321a82c84
      ce6a90ea3008d395 0bb54657d46cae9c e4801ee47f688bf3
      719a02378f7f2ac3 d5c54343da3f6434 3c098094788e3d18
      51e786197f4c5ab7 fb1813b4d920f115 d6a54df4aa108908
      2e5e93a02aefa91f 755fcd8ea6df0362 3fcb0b552ae026fb
      8df11d5adfddbf60 c227be282444447e 6816321cdafcdcd5
      9889b79c9092886b 021893605d9467cf 7c9b24817fe7ddbc
      66380a8cf9be9497 d886e999c571fc18 759ee03b20321a10

   {client} send application_data record:

      payload (50 octets): 0001020304050607 08090a0b0c0d0e0f
      1011121314151617 18191a1b1c1d1e1f 2021222324252627
      28292a2b2c2d2e2f 3031

      ciphertext (72 octets): 17030100434a1777 5d0e717b22921157
      5501be876d5d690b 4b28bd0211495711 bf97d20deaf2e440
      63a8e4c48ff3cf9d f3b44540bcdc53d5 1c8d4d184081b566
      15d323aa833a407a

   {server} send application_data record:

      payload (50 octets): 0001020304050607 08090a0b0c0d0e0f
      1011121314151617 18191a1b1c1d1e1f 2021222324252627
      28292a2b2c2d2e2f 3031

      ciphertext (72 octets): 1703010043ef6eb6 0c6fc258b170589e
      9a1cbefba4c52d79 15a3afb3e52da65f ef6b1dc37970a3ab
      79d5e3a513678ae5 b2bfdb2880d60f08 280f4f2ebf94c3d7
      1ce803e6a9295686

   {client} send alert record:

      payload (2 octets): 0100

      ciphertext (24 octets): 17030100134b8329 8e645242f1bf8265
      bcd6f42b795de36d

   {server} send alert record:

      payload (2 octets): 0100

      ciphertext (24 octets): 17030100133d38b5 673386ae3d722ccd
      d2996292b5a12165

4.  Resumed 0-RTT Handshake

   This handshake resumes from the handshake in Section 3.  Since the
   server provided a session ticket that permitted 0-RTT, and the client
   is configured for 0-RTT, the client is able to send 0-RTT data.
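   The following Python script is an added worked check, not part of
   this draft.  It recomputes the Section 3 key schedule from the
   values printed in that trace (the X25519 output is taken from the
   "ikm" line of the handshake secret and transcript hashes from the
   "hash" lines, so no record needs to be decrypted), then, for the
   0-RTT ClientHello in the Section 4 trace that follows, derives the
   early secret from the resumption master secret, the binder key and
   the PSK binder, and checks the binder against the last 32 octets of
   that message.  Two details are assumptions taken from the draft-20
   key schedule rather than values printed in the traces: the binder key
   label is "res binder", and the binder is computed over the ClientHello
   with the 35-octet binders list removed.  Only the Python standard
   library is used.

```python
# Added example, not part of the draft: recompute the Section 3 and Section 4
# key-schedule values from the traced inputs with the standard library only
# (HKDF per RFC 5869 over SHA-256).  The "res binder" label is not printed in
# the traces; it is assumed here from the draft-20 key schedule.
import hashlib
import hmac

HASH_LEN = 32                              # SHA-256 (TLS_AES_128_GCM_SHA256)
EMPTY_HASH = hashlib.sha256(b"").digest()  # Transcript-Hash("")

# The 512-octet 0-RTT ClientHello, copied from the Section 4 "payload" line.
CLIENT_HELLO_0RTT = bytes.fromhex(
    "010001fc030320892088de8aa414b2bf0237acf603f9b20b532df97f894fc82c"
    "aeac2e1a899f00003e130113031302c02bc02fcca9cca8c00ac009c013c023c0"
    "27c014009eccaa00330032006700390038006b00160013009c002f003c003500"
    "3d000a00050004010001950000000b0009000006736572766572ff0100010000"
    "0a00140012001d00170018001901000101010201030104000b00020100002800"
    "260024001d0020edb6949f0f6c1e2e47001f5ea2c7d54bd8ec7167b52cfd1a29"
    "dfbe5f5888cd29002a0000002b0007067f1403030302000d0020001e04030503"
    "0603020308040805080604010501060102010402050206020202002d00020101"
    "0015002b00000000000000000000000000000000000000000000000000000000"
    "000000000000000000000000000000002900cd00a800a299b4f88531f21efd8d"
    "98e8ad0000000071423911a9eb9f743d9be589bc89f05a0060b46fab142a9b50"
    "555b729017a7235dc38f9b80550570fce634302954540f853720d53a1e3eb343"
    "57e6161c2655fde96d7bcbb978c074c2692696124089322d61d5747dfd20d4b1"
    "9db61193d6982838081bf8c7fde1740823e87e58289843230f28a9fbe716cb55"
    "941a5dd7151c873aba36ae8cff557bb3f7d2bfc7f126a25234f1655d5a002120"
    "ce6d44ae651c47df33882f31a7542f19cab76d4be58175d6505f2fae5c1ec390")

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract; an absent salt is HashLen zero octets."""
    return hmac.new(salt or bytes(HASH_LEN), ikm, hashlib.sha256).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    out, block, i = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        out, i = out + block, i + 1
    return out[:length]

def hkdf_expand_label(secret: bytes, label: str, context: bytes, length: int) -> bytes:
    """HkdfLabel = uint16 length || opaque label<7..255> || opaque context<0..255>."""
    full = b"tls13 " + label.encode("ascii")
    info = length.to_bytes(2, "big") + bytes([len(full)]) + full + bytes([len(context)]) + context
    return hkdf_expand(secret, info, length)

def derive_secret(secret: bytes, label: str, transcript_hash: bytes) -> bytes:
    """Derive-Secret, taking the transcript hash as the traces print it."""
    return hkdf_expand_label(secret, label, transcript_hash, HASH_LEN)

def transcript_hash(*messages: bytes) -> bytes:
    """Transcript-Hash over concatenated handshake messages (headers included)."""
    return hashlib.sha256(b"".join(messages)).digest()

def traffic_keys(secret: bytes) -> tuple:
    """AES-128-GCM write key (16 octets) and IV (12 octets) from a traffic secret."""
    return hkdf_expand_label(secret, "key", b"", 16), hkdf_expand_label(secret, "iv", b"", 12)

def section3_key_schedule() -> dict:
    """Server side of the Section 3 1-RTT key schedule, from values in the trace."""
    # X25519 output shown as the "ikm" of the handshake secret; transcript hashes as printed.
    shared = bytes.fromhex("5aa03a79c923fa4c683d9cba739516c4c69ad15c0db40b7c6e21e2ff71f40f06")
    hs_hash = bytes.fromhex("1d88ec0fc94ca5fcdbf7bd3f4be8dac809f98d58af751934771d7268c79310e3")  # ..ServerHello
    res_hash = bytes.fromhex("949f8ad1a8ce89e6ff48d2dfa9da007f3db6820ab1c23d660011167a8093751b")  # ..client Finished
    s = {"early": hkdf_extract(b"", bytes(HASH_LEN))}          # no PSK: absent salt, zero IKM
    s["handshake"] = hkdf_extract(derive_secret(s["early"], "derived", EMPTY_HASH), shared)
    s["c_hs"] = derive_secret(s["handshake"], "c hs traffic", hs_hash)
    s["s_hs"] = derive_secret(s["handshake"], "s hs traffic", hs_hash)
    s["s_hs_key"], s["s_hs_iv"] = traffic_keys(s["s_hs"])
    s["s_finished_key"] = hkdf_expand_label(s["s_hs"], "finished", b"", HASH_LEN)
    s["master"] = hkdf_extract(derive_secret(s["handshake"], "derived", EMPTY_HASH), bytes(HASH_LEN))
    s["res_master"] = derive_secret(s["master"], "res master", res_hash)   # becomes the Section 4 PSK
    return s

def section4_psk_binder(psk: bytes, client_hello: bytes) -> dict:
    """Client side of the Section 4 0-RTT ClientHello: PSK binder and early traffic keys."""
    s = {"early": hkdf_extract(b"", psk)}                       # draft-20: PSK = resumption master secret
    s["binder_key"] = derive_secret(s["early"], "res binder", EMPTY_HASH)   # label assumed, see above
    s["binder_finished_key"] = hkdf_expand_label(s["binder_key"], "finished", b"", HASH_LEN)
    # The binder is a Finished-style HMAC over the ClientHello with its binders list removed:
    # 2-octet list length + 1-octet binder length + 32-octet binder = 35 octets.  The length
    # in the handshake header stays as sent.
    s["binder"] = hmac.new(s["binder_finished_key"], transcript_hash(client_hello[:-35]), hashlib.sha256).digest()
    s["binder_in_hello"] = client_hello[-32:]
    s["c_e"] = derive_secret(s["early"], "c e traffic", transcript_hash(client_hello))
    s["c_e_key"], s["c_e_iv"] = traffic_keys(s["c_e"])
    return s

if __name__ == "__main__":
    s3 = section3_key_schedule()
    s4 = section4_psk_binder(s3["res_master"], CLIENT_HELLO_0RTT)
    for name, value in [*s3.items(), *s4.items()]:
        print(f"{name:20s} {value.hex()}")
    print("binder verifies:", hmac.compare_digest(s4["binder"], s4["binder_in_hello"]))
```

   Running the script prints every derived value as hex; each should
   match the corresponding line of the traces, and the final line
   reports whether the recomputed binder equals the one carried in the
   ClientHello.  Because each step is exposed separately, a mismatch
   isolates the failing operation (HkdfLabel encoding, salt/IKM order,
   or the transcript boundary used for the binder) without any record
   decryption.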
   {client} create an ephemeral x25519 key pair:

      private key (32 octets): ecd667eb15e77201 1a8522a5e9a90a5f
      1b4080c508baca79 68f8831d0d10811f

      public key (32 octets): edb6949f0f6c1e2e 47001f5ea2c7d54b
      d8ec7167b52cfd1a 29dfbe5f5888cd29

   {client} extract secret "early":

      salt: (absent)

      ikm (32 octets): 692dcd005454d3f6 1313150d8414bc06
      f63fdaaad6e60d4d fcf0ee4350b9fc38

      secret (32 octets): bc9ef911288790a9 9e5ca2ea520d231e
      c60a28e1e958e1c6 551dbbe0bedfe63b

   {client} send a ClientHello handshake message

   {client} calculate finished "tls13 finished":

      PRK (32 octets): 7688634eb081913f 83cc5c987d302235
      c6fbc79efcd8094b 02ce1030a5f9184b

      hash (0 octets): (empty)

      info (18 octets): 00200e746c733133 2066696e69736865 6400

      output (32 octets): eb21444eb694b6ad 592708e27a9177a9
      96aa9bf9f3c786d8 e88e18a293338a48

   {client} send handshake record:

      payload (512 octets): 010001fc03032089 2088de8aa414b2bf
      0237acf603f9b20b 532df97f894fc82c aeac2e1a899f0000
      3e130113031302c0 2bc02fcca9cca8c0 0ac009c013c023c0
      27c014009eccaa00 3300320067003900 38006b0016001300
      9c002f003c003500 3d000a0005000401 0001950000000b00
      0900000673657276 6572ff0100010000 0a00140012001d00
      1700180019010001 0101020103010400 0b00020100002800
      260024001d0020ed b6949f0f6c1e2e47 001f5ea2c7d54bd8
      ec7167b52cfd1a29 dfbe5f5888cd2900 2a0000002b000706
      7f1403030302000d 0020001e04030503 0603020308040805
      0806040105010601 0201040205020602 0202002d00020101
      0015002b00000000 0000000000000000 0000000000000000
      0000000000000000 0000000000000000 0000000000000000
      2900cd00a800a299 b4f88531f21efd8d 98e8ad0000000071
      423911a9eb9f743d 9be589bc89f05a00 60b46fab142a9b50
      555b729017a7235d c38f9b80550570fc e634302954540f85
      3720d53a1e3eb343 57e6161c2655fde9 6d7bcbb978c074c2
      692696124089322d 61d5747dfd20d4b1 9db61193d6982838
      081bf8c7fde17408 23e87e5828984323 0f28a9fbe716cb55
      941a5dd7151c873a ba36ae8cff557bb3 f7d2bfc7f126a252
      34f1655d5a002120 ce6d44ae651c47df 33882f31a7542f19
      cab76d4be58175d6 505f2fae5c1ec390

      ciphertext (517 octets): 1603010200010001 fc030320892088de
      8aa414b2bf0237ac f603f9b20b532df9 7f894fc82caeac2e
      1a899f00003e1301 13031302c02bc02f cca9cca8c00ac009
      c013c023c027c014 009eccaa00330032 006700390038006b
      00160013009c002f 003c0035003d000a 0005000401000195
      0000000b00090000 06736572766572ff 01000100000a0014
      0012001d00170018 0019010001010102 01030104000b0002
      0100002800260024 001d0020edb6949f 0f6c1e2e47001f5e
      a2c7d54bd8ec7167 b52cfd1a29dfbe5f 5888cd29002a0000
      002b0007067f1403 030302000d002000 1e04030503060302
      0308040805080604 0105010601020104 0205020602020200
      2d00020101001500 2b00000000000000 0000000000000000
      0000000000000000 0000000000000000 0000000000000000
      00000000002900cd 00a800a299b4f885 31f21efd8d98e8ad
      0000000071423911 a9eb9f743d9be589 bc89f05a0060b46f
      ab142a9b50555b72 9017a7235dc38f9b 80550570fce63430
      2954540f853720d5 3a1e3eb34357e616 1c2655fde96d7bcb
      b978c074c2692696 124089322d61d574 7dfd20d4b19db611
      93d6982838081bf8 c7fde1740823e87e 58289843230f28a9
      fbe716cb55941a5d d7151c873aba36ae 8cff557bb3f7d2bf
      c7f126a25234f165 5d5a002120ce6d44 ae651c47df33882f
      31a7542f19cab76d 4be58175d6505f2f ae5c1ec390

   {client} derive secret "tls13 c e traffic":

      PRK (32 octets): bc9ef911288790a9 9e5ca2ea520d231e
      c60a28e1e958e1c6 551dbbe0bedfe63b

      hash (32 octets): 39ce46d03e297f31 b63f1504b052e330
      2f20f7a289b6b9ce 19f2f42172c9446f

      info (53 octets): 002011746c733133 2063206520747261
      666669632039ce46 d03e297f31b63f15 04b052e3302f20f7
      a289b6b9ce19f2f4 2172c9446f

      output (32 octets): 53480f2ff5f8966c 7819a2f4d861b3f7
      15bbe2c21c0c6273 6a00526d8de55837

   {client} derive write traffic keys for early application data:

      PRK (32 octets): 53480f2ff5f8966c 7819a2f4d861b3f7
      15bbe2c21c0c6273 6a00526d8de55837

      key info (13 octets): 001009746c733133 206b657900

      key output (16 octets): a29e150bd59e2b81 5c968627498f96c2

      iv info (12 octets): 000c08746c733133 20697600

      iv output (12 octets): d96cd2f516516ad1 1a70abb6

   {client} send application_data record:

      payload (6 octets): 414243444546

      ciphertext (28 octets): 1703010017fb2460 727da934b3a6058f
      c3a4acb6ce74f0a0 8ef7f847

   {server} extract secret "early" (same as client)

   {server} calculate finished "tls13 finished" (same as client)

   {server} create an ephemeral x25519 key pair:

      private key (32 octets): 959df6054b219c94 dd0066ffd786a9da
      86871b99a55b58a7 435ce3a22a3f929d

      public key (32 octets): df70bd1d47959b2a dfd4b4cc6a62ce45
      a02e45106ef974c6 ccf49720920b0a4a

   {server} derive secret "tls13 c e traffic" (same as client)

   {server} send a ServerHello handshake message

   {server} derive secret for handshake "tls13 derived":

      PRK (32 octets): bc9ef911288790a9 9e5ca2ea520d231e
      c60a28e1e958e1c6 551dbbe0bedfe63b

      hash (32 octets): e3b0c44298fc1c14 9afbf4c8996fb924
      27ae41e4649b934c a495991b7852b855

      info (49 octets): 00200d746c733133 2064657269766564
      20e3b0c44298fc1c 149afbf4c8996fb9 2427ae41e4649b93
      4ca495991b7852b8 55

      output (32 octets): 1d86e68a77be72ef ffa5684961146be3
      d09a83eed9e29c08 0f94cdde489b2e66

   {server} extract secret "handshake":

      salt (32 octets): 1d86e68a77be72ef ffa5684961146be3
      d09a83eed9e29c08 0f94cdde489b2e66

      ikm (32 octets): df9b4a07733c5460 fc088eb1db60f6eb
      6a0c67080e3c842e eaa0021cdd860e26

      secret (32 octets): 79975c2bb824f1ec 93b582e0f5bf7030
      2a2f9d81bd477d8b c52cf4d669d5392a

   {server} derive secret "tls13 c hs traffic":

      PRK (32 octets): 79975c2bb824f1ec 93b582e0f5bf7030
      2a2f9d81bd477d8b c52cf4d669d5392a

      hash (32 octets): d4999a597a672010 646addfdf8a3583b
      ff3b1217c0c04894 c680910bbd02b86a

      info (54 octets): 002012746c733133 2063206873207472
      616666696320d499 9a597a672010646a ddfdf8a3583bff3b
      1217c0c04894c680 910bbd02b86a

      output (32 octets): e553af85fd9769a9 d3467db9b5b29797
      7526f2f1b9cc25c1 c265093353dbceed

   {server} derive secret "tls13 s hs traffic":

      PRK (32 octets): 79975c2bb824f1ec 93b582e0f5bf7030
      2a2f9d81bd477d8b c52cf4d669d5392a

      hash (32 octets): d4999a597a672010 646addfdf8a3583b
      ff3b1217c0c04894 c680910bbd02b86a

      info (54 octets): 002012746c733133 2073206873207472
      616666696320d499 9a597a672010646a ddfdf8a3583bff3b
      1217c0c04894c680 910bbd02b86a

      output (32 octets): a98f17d9d9d01b97 a8a9fcfe1aa80cf2
      f0efaf4448bab35c 025d0d3658ef495d

   {server} derive secret for master "tls13 derived":

      PRK (32 octets): 79975c2bb824f1ec 93b582e0f5bf7030
      2a2f9d81bd477d8b c52cf4d669d5392a

      hash (32 octets): e3b0c44298fc1c14 9afbf4c8996fb924
      27ae41e4649b934c a495991b7852b855

      info (49 octets): 00200d746c733133 2064657269766564
      20e3b0c44298fc1c 149afbf4c8996fb9 2427ae41e4649b93
      4ca495991b7852b8 55

      output (32 octets): fbe525046f48f930 eac2f07f1d4c94cf
      76aa0844f5e5874e f6512dccc7e5164f

   {server} extract secret "master":

      salt (32 octets): fbe525046f48f930 eac2f07f1d4c94cf
      76aa0844f5e5874e f6512dccc7e5164f

      ikm (32 octets): 0000000000000000 0000000000000000
      0000000000000000 0000000000000000

      secret (32 octets): 53850ec90133d5cd 448fa5200e7683b1
      19236c0fe93dc8b6 cad87f9ffee80f67

   {server} send handshake record:

      payload (88 octets): 020000547f147535 eed9d16cb9437c49
      bed2329972bacd25 bb6708cef33db49b c96bd1b09cb31301
      002e002900020000 00280024001d0020 df70bd1d47959b2a
      dfd4b4cc6a62ce45 a02e45106ef974c6 ccf49720920b0a4a

      ciphertext (93 octets): 1603010058020000 547f147535eed9d1
      6cb9437c49bed232 9972bacd25bb6708 cef33db49bc96bd1
      b09cb31301002e00 2900020000002800 24001d0020df70bd
      1d47959b2adfd4b4 cc6a62ce45a02e45 106ef974c6ccf497
      20920b0a4a

   {server} derive write traffic keys for handshake data:

      PRK (32 octets): a98f17d9d9d01b97 a8a9fcfe1aa80cf2
      f0efaf4448bab35c 025d0d3658ef495d

      key info (13 octets): 001009746c733133 206b657900

      key output (16 octets): 46de8022452f1a01 dae81c9c14282ab6

      iv info (12 octets): 000c08746c733133 20697600

      iv output (12 octets): 2d1a4735b9701a76 e6ea43a4

   {server} send an EncryptedExtensions handshake message

   {server} calculate finished "tls13 finished":

      PRK (32 octets): a98f17d9d9d01b97 a8a9fcfe1aa80cf2
      f0efaf4448bab35c 025d0d3658ef495d

      hash (0 octets): (empty)

      info (18 octets): 00200e746c733133 2066696e69736865 6400

      output (32 octets): 50c8ac03c17b913f 6d3e5a1d9f884eaa
      6a01596674c96228 8b82a3becb43c8c3

   {server} send a Finished handshake message

   {server} send handshake record:

      payload (74 octets): 080000220020000a 00140012001d0017
      0018001901000101 0102010301040000 0000002a00001400
      00202f15bde7b069 12686d1dd4e09752 6119fab819f31004
      23cd33cab05d579a aeb8

      ciphertext (96 octets): 170301005b19e0b8 d03449cf5ad5a4a8
      b678b4cff2810a0d 3fb6f4573a3e95df 546560e8edb94ef6
      6ad0ad7757cf572f 60898e54020eed36 8b8024e313750873
      b7df20af09b3dd72 06da50583e126217 d3e0ad6c7bcef09f
      cc70e1f967014842

   {server} derive secret "tls13 c ap traffic":

      PRK (32 octets): 53850ec90133d5cd 448fa5200e7683b1
      19236c0fe93dc8b6 cad87f9ffee80f67

      hash (32 octets): c6cf7192a7fd5f7c dd0a659ac9f46320
      8fc1bc089670fa8d de33a5ae2135c063

      info (54 octets): 002012746c733133 2063206170207472
      616666696320c6cf 7192a7fd5f7cdd0a 659ac9f463208fc1
      bc089670fa8dde33 a5ae2135c063

      output (32 octets): 1053e7b2069c9d9b c6cf82f8deac40ec
      927bbb9fd5ad49fe ae1ff4278e2a0031

   {server} derive secret "tls13 s ap traffic":

      PRK (32 octets): 53850ec90133d5cd 448fa5200e7683b1
      19236c0fe93dc8b6 cad87f9ffee80f67

      hash (32 octets): c6cf7192a7fd5f7c dd0a659ac9f46320
      8fc1bc089670fa8d de33a5ae2135c063

      info (54 octets): 002012746c733133 2073206170207472
      616666696320c6cf 7192a7fd5f7cdd0a 659ac9f463208fc1
      bc089670fa8dde33 a5ae2135c063

      output (32 octets): 117f89a3ba4efc76 5b2b940c62a31f06
      304cb3877d117131 1edeab60a6abc91f

   {server} derive secret "tls13 exp master":

      PRK (32 octets): 53850ec90133d5cd 448fa5200e7683b1
      19236c0fe93dc8b6 cad87f9ffee80f67

      hash (32 octets): c6cf7192a7fd5f7c dd0a659ac9f46320
      8fc1bc089670fa8d de33a5ae2135c063

      info (52 octets): 002010746c733133 20657870206d6173
      74657220c6cf7192 a7fd5f7cdd0a659a c9f463208fc1bc08
      9670fa8dde33a5ae 2135c063

      output (32 octets): 882fb13091b8f95e 5c65aa3d807e4323
      64731f93c69018ae c054ec387f27982c

   {server} derive write traffic keys for application data:

      PRK (32 octets): 117f89a3ba4efc76 5b2b940c62a31f06
      304cb3877d117131 1edeab60a6abc91f

      key info (13 octets): 001009746c733133 206b657900

      key output (16 octets): 40dd3fc22423a700 776b1cce944e7aa3

      iv info (12 octets): 000c08746c733133 20697600

      iv output (12 octets): 4b49f66dd01682ea 569164a7

   {server} derive read traffic keys for early application data (same
   as client write traffic keys)

   {client} derive secret for handshake "tls13 derived":

      PRK (32 octets): bc9ef911288790a9 9e5ca2ea520d231e
      c60a28e1e958e1c6 551dbbe0bedfe63b

      hash (32 octets): e3b0c44298fc1c14 9afbf4c8996fb924
      27ae41e4649b934c a495991b7852b855

      info (49 octets): 00200d746c733133 2064657269766564
      20e3b0c44298fc1c 149afbf4c8996fb9 2427ae41e4649b93
      4ca495991b7852b8 55

      output (32 octets): 1d86e68a77be72ef ffa5684961146be3
      d09a83eed9e29c08 0f94cdde489b2e66

   {client} extract secret "handshake":

      salt (32 octets): 1d86e68a77be72ef ffa5684961146be3
      d09a83eed9e29c08 0f94cdde489b2e66

      ikm (32 octets): df9b4a07733c5460 fc088eb1db60f6eb
      6a0c67080e3c842e eaa0021cdd860e26

      secret (32 octets): 79975c2bb824f1ec 93b582e0f5bf7030
      2a2f9d81bd477d8b c52cf4d669d5392a

   {client} derive secret "tls13 c hs traffic" (same as server)

   {client} derive secret
"tls13 s hs traffic" (same as server) 1014 {client} derive secret for master "tls13 derived" (same as server) 1016 {client} extract secret "master" (same as server) 1018 {client} derive read traffic keys for handshake data: 1020 PRK (32 octets): a98f17d9d9d01b97 a8a9fcfe1aa80cf2 1021 f0efaf4448bab35c 025d0d3658ef495d 1023 key info (13 octets): 001009746c733133 206b657900 1025 key output (16 octets): 46de8022452f1a01 dae81c9c14282ab6 1027 iv info (12 octets): 000c08746c733133 20697600 1029 iv output (12 octets): 2d1a4735b9701a76 e6ea43a4 1031 {client} calculate finished "tls13 finished" (same as server) 1033 {client} derive secret "tls13 c ap traffic" (same as server) 1035 {client} derive secret "tls13 s ap traffic" (same as server) 1037 {client} derive secret "tls13 exp master" (same as server) 1039 {client} send a EndOfEarlyData handshake message 1041 {client} send handshake record: 1043 payload (4 octets): 05000000 1045 ciphertext (26 octets): 17030100155d2a07 204498a910fd60e4 1046 6eb384049ec93d62 b12c 1048 {client} derive write traffic keys for handshake data: 1050 PRK (32 octets): e553af85fd9769a9 d3467db9b5b29797 1051 7526f2f1b9cc25c1 c265093353dbceed 1053 key info (13 octets): 001009746c733133 206b657900 1055 key output (16 octets): 867143c4068df3a5 ae6b12a486b9b847 1057 iv info (12 octets): 000c08746c733133 20697600 1058 iv output (12 octets): 5e04c80f859988e7 c102c719 1060 {client} derive read traffic keys for application data (same as 1061 server write traffic keys) 1063 {client} calculate finished "tls13 finished": 1065 PRK (32 octets): e553af85fd9769a9 d3467db9b5b29797 1066 7526f2f1b9cc25c1 c265093353dbceed 1068 hash (0 octets): (empty) 1070 info (18 octets): 00200e746c733133 2066696e69736865 6400 1072 output (32 octets): 17c916392da3bfd7 1448ad824b4ec15e 1073 062a7da6925fd07e 9e3ed647a38555ed 1075 {client} send a Finished handshake message 1077 {client} send handshake record: 1079 payload (36 octets): 1400002064283341 14b550e38e4b03ef 1080 
e0fba441c3e73804 76bae41722a0ab8e be0f8b67 1082 ciphertext (58 octets): 17030100351f82bd 499964e8f8b70cb4 1083 85cc0dd0efe07561 887202f33db44327 3d667fe7d1a48cb2 1084 7502638cf4fc2b99 bc7efa1f1e33d210 186d 1086 {client} derive write traffic keys for application data: 1088 PRK (32 octets): 1053e7b2069c9d9b c6cf82f8deac40ec 1089 927bbb9fd5ad49fe ae1ff4278e2a0031 1091 key info (13 octets): 001009746c733133 206b657900 1093 key output (16 octets): 38c79b0728fa3451 774f093adac1dd04 1095 iv info (12 octets): 000c08746c733133 20697600 1097 iv output (12 octets): a3d605be250cfd5d 209615ee 1099 {client} derive secret "tls13 res master": 1101 PRK (32 octets): 53850ec90133d5cd 448fa5200e7683b1 1102 19236c0fe93dc8b6 cad87f9ffee80f67 1104 hash (32 octets): 2233547d4b607f2b 5f516e0f29f467d9 1105 88e805512434d38a 87154d47488b72b4 1107 info (52 octets): 002010746c733133 20726573206d6173 1108 746572202233547d 4b607f2b5f516e0f 29f467d988e80551 1109 2434d38a87154d47 488b72b4 1111 output (32 octets): 91eeb3e2bb46fcf6 810ec7bff5c1d905 1112 22d1cc1b196e3ef4 a72f6f6bd86f5aae 1114 {server} derive read traffic keys for handshake data: 1116 PRK (32 octets): e553af85fd9769a9 d3467db9b5b29797 1117 7526f2f1b9cc25c1 c265093353dbceed 1119 key info (13 octets): 001009746c733133 206b657900 1121 key output (16 octets): 867143c4068df3a5 ae6b12a486b9b847 1123 iv info (12 octets): 000c08746c733133 20697600 1125 iv output (12 octets): 5e04c80f859988e7 c102c719 1127 {server} calculate finished "tls13 finished" (same as client) 1129 {server} derive read traffic keys for application data (same as 1130 client write traffic keys) 1132 {server} derive secret "tls13 res master" (same as client) 1134 {client} send application_data record: 1136 payload (50 octets): 0001020304050607 08090a0b0c0d0e0f 1137 1011121314151617 18191a1b1c1d1e1f 2021222324252627 1138 28292a2b2c2d2e2f 3031 1140 ciphertext (72 octets): 1703010043108855 d836d933a3b33e5e 1141 3bcccfe9ebbb75ad 3d4ee46f02063528 384adfec59cede3b 1142 
13d5dd68442833ef 1c13014af62d56e3 c9661c0eb0ef4fdc
e7808b45f077ca2b

{server} send application_data record:

payload (50 octets): 0001020304050607 08090a0b0c0d0e0f
1011121314151617 18191a1b1c1d1e1f 2021222324252627
28292a2b2c2d2e2f 3031

ciphertext (72 octets): 1703010043c23be9 5ad85b168bd2e206
cd17b2b598f67cdf 558992521a6ed4ec eeff45ec22a93675
1bd733fc63e3a98d 092dcd93ec848c08 afdfda839f524e2e
69b474197cae81cb

{client} send alert record:

payload (2 octets): 0100

ciphertext (24 octets): 1703010013c4f33d 08ac5ad28a35c0b3
2559bf45718f9bc7

{server} send alert record:

payload (2 octets): 0100

ciphertext (24 octets): 17030100139f73be 8cc18eb517547f85
26b1219f757cdc2d

5. HelloRetryRequest

In this example, the client initiates a handshake with an X25519
[RFC7748] share. The server however prefers P-256 [FIPS186] and
sends a HelloRetryRequest that requires the client to generate a key
share on the P-256 curve.
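As an added example (not code from the draft), the following Python walks the key schedule of the HelloRetryRequest trace in this section: it re-derives the early, handshake and master secrets, the handshake and application traffic secrets, the server's traffic key and IV, and the server finished key, and reproduces the "info" encodings the trace prints. The ECDHE shared secret (the "ikm" of the handshake extract) and the transcript hashes are copied from the trace rather than recomputed, because the handshake messages are not reassembled here; the HKDF and HkdfLabel code is standard RFC 5869 / TLS 1.3 logic written for this example.

```python
"""TLS 1.3 key-schedule walk-through for the HelloRetryRequest trace.

Added example, not code from the draft. Inputs copied from the trace: the
ECDHE shared secret (the "ikm" of the handshake extract) and the transcript
hashes, because the raw handshake messages are not reassembled here.
"""
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size            # 32 for TLS_AES_128_GCM_SHA256
LABEL_PREFIX = b"tls13 "                 # every label in the trace starts with this


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869). The trace prints "salt: (absent)" for the early
    secret; TLS 1.3 then uses HashLen zero bytes, which HMAC treats like no key."""
    return hmac.new(salt or bytes(HASH_LEN), ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC(PRK, T(i-1) || info || i)."""
    okm, block, i = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([i]), HASH).digest()
        okm += block
        i += 1
    return okm[:length]


def hkdf_label(label: str, context: bytes, length: int) -> bytes:
    """The HkdfLabel struct the trace prints as "info":
    uint16 length || uint8 len || "tls13 " + label || uint8 len || context."""
    full_label = LABEL_PREFIX + label.encode("ascii")
    return (length.to_bytes(2, "big")
            + bytes([len(full_label)]) + full_label
            + bytes([len(context)]) + context)


def hkdf_expand_label(secret: bytes, label: str, context: bytes, length: int) -> bytes:
    return hkdf_expand(secret, hkdf_label(label, context, length), length)


def derive_secret(secret: bytes, label: str, transcript_hash: bytes) -> bytes:
    """Derive-Secret: the context is the transcript hash (the trace's "hash" field)."""
    return hkdf_expand_label(secret, label, transcript_hash, HASH_LEN)


def traffic_keys(secret: bytes, key_len: int = 16, iv_len: int = 12):
    """Expand "tls13 key" / "tls13 iv" with an empty context, as in the trace."""
    return (hkdf_expand_label(secret, "key", b"", key_len),
            hkdf_expand_label(secret, "iv", b"", iv_len))


def finished_key(traffic_secret: bytes) -> bytes:
    """The "calculate finished" step. Its context is empty (0 octets), unlike the
    "derived" steps, whose context is Hash("") = e3b0c442...b855."""
    return hkdf_expand_label(traffic_secret, "finished", b"", HASH_LEN)


# Inputs copied from the HelloRetryRequest trace in this section.
EMPTY_HASH = HASH(b"").digest()
ECDHE_SHARED_SECRET = bytes.fromhex(   # "ikm" of {server} extract secret "handshake"
    "df4cde9bf625ee9be21cc6bd4a51f66200c857b0b104cb687731c3851eefbc9a")
HS_TRANSCRIPT_HASH = bytes.fromhex(    # "hash" in the "c/s hs traffic" steps
    "dad1f7541198d85497203f23e9856b9a97937e6a2d22f3c01e22be12bee0ee56")
AP_TRANSCRIPT_HASH = bytes.fromhex(    # "hash" in the "c/s ap traffic" steps
    "d35385d7ef5cda3fe72850e6b878c915e603150fe9dd009a83ebf3e8b73525dc")


def hello_retry_key_schedule() -> dict:
    """Re-derive the secrets the server computes, in the order the trace lists them."""
    out = {}
    early = hkdf_extract(b"", bytes(HASH_LEN))        # no PSK offered: ikm is zeros
    out["early"] = early
    out["derived_for_handshake"] = derive_secret(early, "derived", EMPTY_HASH)
    handshake = hkdf_extract(out["derived_for_handshake"], ECDHE_SHARED_SECRET)
    out["handshake"] = handshake
    out["c_hs_traffic"] = derive_secret(handshake, "c hs traffic", HS_TRANSCRIPT_HASH)
    out["s_hs_traffic"] = derive_secret(handshake, "s hs traffic", HS_TRANSCRIPT_HASH)
    out["derived_for_master"] = derive_secret(handshake, "derived", EMPTY_HASH)
    master = hkdf_extract(out["derived_for_master"], bytes(HASH_LEN))  # ikm is zeros
    out["master"] = master
    out["s_hs_key"], out["s_hs_iv"] = traffic_keys(out["s_hs_traffic"])
    out["s_finished_key"] = finished_key(out["s_hs_traffic"])
    out["s_ap_traffic"] = derive_secret(master, "s ap traffic", AP_TRANSCRIPT_HASH)
    out["s_ap_key"], out["s_ap_iv"] = traffic_keys(out["s_ap_traffic"])
    return {name: value.hex() for name, value in out.items()}


if __name__ == "__main__":
    for name, value in hello_retry_key_schedule().items():
        print(f"{name:22} {value}")
```

Every value the function returns can be checked line by line against the corresponding "secret", "output", "key output" and "iv output" fields of the trace; a mismatch in the first one that differs pinpoints which step of an implementation's key schedule is wrong.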
1177 {client} create an ephemeral x25519 key pair: 1179 private key (32 octets): 68f119d51cf43e70 b7bc4080d5911317 1180 b22482211908f4a0 7cd3ee6148f05a65 1182 public key (32 octets): fff63faea1e4f9b0 8ae2fc158749f72a 1183 b274015b21903399 434279416a1c3866 1185 {client} send a ClientHello handshake message 1187 {client} send handshake record: 1189 payload (174 octets): 010000aa03032b47 3d43b9e45db4ff9f 1190 9ae53f63f495bc90 a308136caa6570cd 6a3d682e23fc0000 1191 0613011303130201 00007b0000000b00 0900000673657276 1192 6572ff0100010000 0a00080006001d00 1700180028002600 1193 24001d0020fff63f aea1e4f9b08ae2fc 158749f72ab27401 1194 5b21903399434279 416a1c3866002b00 03027f14000d0020 1195 001e040305030603 0203080408050806 0401050106010201 1196 0402050206020202 002d00020101 1198 ciphertext (179 octets): 16030100ae010000 aa03032b473d43b9 1199 e45db4ff9f9ae53f 63f495bc90a30813 6caa6570cd6a3d68 1200 2e23fc0000061301 130313020100007b 0000000b00090000 1201 06736572766572ff 01000100000a0008 0006001d00170018 1202 002800260024001d 0020fff63faea1e4 f9b08ae2fc158749 1203 f72ab274015b2190 3399434279416a1c 3866002b0003027f 1204 14000d0020001e04 0305030603020308 0408050806040105 1205 0106010201040205 0206020202002d00 020101 1207 {server} send a HelloRetryRequest handshake message 1209 {server} send handshake record: 1211 payload (16 octets): 0600000c7f141301 0006002800020017 1213 ciphertext (21 octets): 1603010010060000 0c7f141301000600 1214 2800020017 1216 {client} create an ephemeral P-256 key pair: 1218 private key (32 octets): 686029ea60fdbf90 952a205f36867184 1219 21d39ccb83e1332e 6449da8f62a455f7 1221 public key (65 octets): 0439a9c0e3dea88c 76323ea8a30a779f 1222 caa782d88935df99 ca2f94f386227247 066af9a46ebc7f88 1223 6f1d8e81a08779f2 6c5420c69609a68a 6762b91329670b5d e1 1225 {client} send a ClientHello handshake message 1227 {client} send handshake record: 1229 payload (207 octets): 010000cb03032b47 3d43b9e45db4ff9f 1230 9ae53f63f495bc90 a308136caa6570cd 6a3d682e23fc0000 1231 
0613011303130201 00009c0000000b00 0900000673657276 1232 6572ff0100010000 0a00080006001d00 1700180028004700 1233 45001700410439a9 c0e3dea88c76323e a8a30a779fcaa782 1234 d88935df99ca2f94 f386227247066af9 a46ebc7f886f1d8e 1235 81a08779f26c5420 c69609a68a6762b9 1329670b5de1002b 1236 0003027f14000d00 20001e0403050306 0302030804080508 1237 0604010501060102 0104020502060202 02002d00020101 1239 ciphertext (212 octets): 16030100cf010000 cb03032b473d43b9 1240 e45db4ff9f9ae53f 63f495bc90a30813 6caa6570cd6a3d68 1241 2e23fc0000061301 130313020100009c 0000000b00090000 1242 06736572766572ff 01000100000a0008 0006001d00170018 1243 0028004700450017 00410439a9c0e3de a88c76323ea8a30a 1244 779fcaa782d88935 df99ca2f94f38622 7247066af9a46ebc 1245 7f886f1d8e81a087 79f26c5420c69609 a68a6762b9132967 1246 0b5de1002b000302 7f14000d0020001e 0403050306030203 1247 0804080508060401 0501060102010402 050206020202002d 00020101 1249 {server} extract secret "early": 1251 salt: (absent) 1252 ikm (32 octets): 0000000000000000 0000000000000000 1253 0000000000000000 0000000000000000 1255 secret (32 octets): 33ad0a1c607ec03b 09e6cd9893680ce2 1256 10adf300aa1f2660 e1b22e10f170f92a 1258 {server} create an ephemeral P-256 key pair: 1260 private key (32 octets): cf5cb678b37d617e 4e3b978d52758db3 1261 5bee4147c5a4c48d f62ec7f3e26b7b0d 1263 public key (65 octets): 0438bafba512d58e 57a62ceaee1c0c3e 1264 5678082cacf126d3 dac009720572d79f 341f7098b24fb7f1 1265 b8ee222d6433f310 e8862c8b9f2c9337 fe6eb1a54665d465 3b 1267 {server} send a ServerHello handshake message 1269 {server} derive secret for handshake "tls13 derived": 1271 PRK (32 octets): 33ad0a1c607ec03b 09e6cd9893680ce2 1272 10adf300aa1f2660 e1b22e10f170f92a 1274 hash (32 octets): e3b0c44298fc1c14 9afbf4c8996fb924 1275 27ae41e4649b934c a495991b7852b855 1277 info (49 octets): 00200d746c733133 2064657269766564 1278 20e3b0c44298fc1c 149afbf4c8996fb9 2427ae41e4649b93 1279 4ca495991b7852b8 55 1281 output (32 octets): 6f2615a108c702c5 678f54fc9dbab697 1282 
16c076189c48250c ebeac3576c3611ba 1284 {server} extract secret "handshake": 1286 salt (32 octets): 6f2615a108c702c5 678f54fc9dbab697 1287 16c076189c48250c ebeac3576c3611ba 1289 ikm (32 octets): df4cde9bf625ee9b e21cc6bd4a51f662 1290 00c857b0b104cb68 7731c3851eefbc9a 1292 secret (32 octets): 61ebb724b8eaa8d4 83de05c018a83947 1293 b5c2a866847154ce 2b2e33fce8e538cf 1295 {server} derive secret "tls13 c hs traffic": 1297 PRK (32 octets): 61ebb724b8eaa8d4 83de05c018a83947 1298 b5c2a866847154ce 2b2e33fce8e538cf 1300 hash (32 octets): dad1f7541198d854 97203f23e9856b9a 1301 97937e6a2d22f3c0 1e22be12bee0ee56 1303 info (54 octets): 002012746c733133 2063206873207472 1304 616666696320dad1 f7541198d8549720 3f23e9856b9a9793 1305 7e6a2d22f3c01e22 be12bee0ee56 1307 output (32 octets): f52e0805a26cd615 ec012fd6b1950258 1308 a9aae77b336a8cac a443df877e99ec61 1310 {server} derive secret "tls13 s hs traffic": 1312 PRK (32 octets): 61ebb724b8eaa8d4 83de05c018a83947 1313 b5c2a866847154ce 2b2e33fce8e538cf 1315 hash (32 octets): dad1f7541198d854 97203f23e9856b9a 1316 97937e6a2d22f3c0 1e22be12bee0ee56 1318 info (54 octets): 002012746c733133 2073206873207472 1319 616666696320dad1 f7541198d8549720 3f23e9856b9a9793 1320 7e6a2d22f3c01e22 be12bee0ee56 1322 output (32 octets): ed0ea7ec428dd7bb 3f89df21b4679286 1323 fb19f61c5fe0ef81 35c0f54d687bc50c 1325 {server} derive secret for master "tls13 derived": 1327 PRK (32 octets): 61ebb724b8eaa8d4 83de05c018a83947 1328 b5c2a866847154ce 2b2e33fce8e538cf 1330 hash (32 octets): e3b0c44298fc1c14 9afbf4c8996fb924 1331 27ae41e4649b934c a495991b7852b855 1333 info (49 octets): 00200d746c733133 2064657269766564 1334 20e3b0c44298fc1c 149afbf4c8996fb9 2427ae41e4649b93 1335 4ca495991b7852b8 55 1337 output (32 octets): 3f0c9f13e5dd95f7 27c7bf2c82b4f75f 1338 91e26cf5e1f89ae5 36becd5b48f08357 1340 {server} extract secret "master": 1342 salt (32 octets): 3f0c9f13e5dd95f7 27c7bf2c82b4f75f 1343 91e26cf5e1f89ae5 36becd5b48f08357 1345 ikm (32 octets): 0000000000000000 
0000000000000000 1346 0000000000000000 0000000000000000 1348 secret (32 octets): 23bdfa8bb085b65a 8095c55a79f20ab0 1349 7646d7bac8c67803 2aa5985df2a1b7c1 1351 {server} send handshake record: 1353 payload (115 octets): 0200006f7f1439d0 5400265319e5a369 1354 3e2a5479b46a5e8c 10a12daa5d01cdc0 cb21730536d51301 1355 0049002800450017 00410438bafba512 d58e57a62ceaee1c 1356 0c3e5678082cacf1 26d3dac009720572 d79f341f7098b24f 1357 b7f1b8ee222d6433 f310e8862c8b9f2c 9337fe6eb1a54665 d4653b 1359 ciphertext (120 octets): 1603010073020000 6f7f1439d0540026 1360 5319e5a3693e2a54 79b46a5e8c10a12d aa5d01cdc0cb2173 1361 0536d51301004900 2800450017004104 38bafba512d58e57 1362 a62ceaee1c0c3e56 78082cacf126d3da c009720572d79f34 1363 1f7098b24fb7f1b8 ee222d6433f310e8 862c8b9f2c9337fe 1364 6eb1a54665d4653b 1366 {server} derive write traffic keys for handshake data: 1368 PRK (32 octets): ed0ea7ec428dd7bb 3f89df21b4679286 1369 fb19f61c5fe0ef81 35c0f54d687bc50c 1371 key info (13 octets): 001009746c733133 206b657900 1373 key output (16 octets): ea3b74f7e0223840 dc5fbc1d3864b73b 1375 iv info (12 octets): 000c08746c733133 20697600 1377 iv output (12 octets): 97621bb779bba789 402021f6 1379 {server} send a EncryptedExtensions handshake message 1381 {server} send a Certificate handshake message 1383 {server} send a CertificateVerify handshake message 1385 {server} calculate finished "tls13 finished": 1387 PRK (32 octets): ed0ea7ec428dd7bb 3f89df21b4679286 1388 fb19f61c5fe0ef81 35c0f54d687bc50c 1390 hash (0 octets): (empty) 1392 info (18 octets): 00200e746c733133 2066696e69736865 6400 1394 output (32 octets): 03c5ee66699c919c db206db4053b9314 1395 f56449f899baead8 c0d82b63fefaa19b 1397 {server} send a Finished handshake message 1399 {server} send handshake record: 1401 payload (639 octets): 080000120010000a 0008000600170018 1402 001d000000000b00 01b9000001b50001 b0308201ac308201 1403 15a0030201020201 02300d06092a8648 86f70d01010b0500 1404 300e310c300a0603 5504031303727361 301e170d31363037 1405 
3330303132333539 5a170d3236303733 303031323335395a 1406 300e310c300a0603 5504031303727361 30819f300d06092a 1407 864886f70d010101 050003818d003081 8902818100b4bb49 1408 8f8279303d980836 399b36c6988c0c68 de55e1bdb826d390 1409 1a2461eafd2de49a 91d015abbc9a9513 7ace6c1af19eaa6a 1410 f98c7ced43120998 e187a80ee0ccb052 4b1b018c3e0b6326 1411 4d449a6d38e22a5f da43084674803053 0ef0461c8ca9d9ef 1412 bfae8ea6d1d03e2b d193eff0ab9a8002 c47428a6d35a8d88 1413 d79f7f1e3f020301 0001a31a30183009 0603551d13040230 1414 00300b0603551d0f 0404030205a0300d 06092a864886f70d 1415 01010b0500038181 0085aad2a0e5b927 6b908c65f73a7267 1416 170618a54c5f8a7b 337d2df7a5943654 17f2eae8f8a58c8f 1417 8172f9319cf36b7f d6c55b80f21a0301 5156726096fd335e 1418 5e67f2dbf102702e 608ccae6bec1fc63 a42a99be5c3eb710 1419 7c3c54e9b9eb2bd5 203b1c3b84e0a8b2 f759409ba3eac9d9 1420 1d402dcc0cc8f896 1229ac9187b42b4d e100000f00008408 1421 0400806f43289ae7 efa4a473bedf613e 4e92e9554fb2871a 1422 df28b8612b27998c be8e8690f4c81b8a cb3fb981396962e0 1423 7a506b790cb6cb07 1caeb49acc217f39 058d7375cf9d2174 1424 a8fa29ba60dc35ef 7a43827278489428 2c75d4750400532e 1425 069fafa01577b431 bbf764f4be901643 07a30b59081c286b 1426 18ba58649637d676 d5cee614000020bc 521faec41d6c9d2d 1427 e9f0de7887121fb7 e7a6000a82caa148 565ab19e0aef8f 1429 ciphertext (661 octets): 1703010290b02e90 0efe58c26b437b75 1430 4cb31ff7e592e595 405b265fa8c3f2bd 6b9a168fbaf70940 1431 91d27872271925ac b0e8d878f17a60ea c39a6b233bcbb2f4 1432 9f6774b77c11827e e77798976db2b76b c236a8cae6751c0b 1433 498402f364d0118c d21483365d82a82e df95f3bcf5a2a0ed 1434 3941ef0be0619fbc 2a4489c241f2fc75 3381cf064813ca4e 1435 dec9bd213c29f4cd 5c3d7b52bc34ef9d 6d3db2e3ce370414 1436 d9e87c18e7190448 8dd0d7cd359fcb2d ee00aba5283c2dd4 1437 31afa8e17bf25643 00fbc24f11ae9fb6 6c4cec5f38b03e10 1438 fbb510b4f3a716e8 4e395128b526aa00 24425fec5e0d9072 1439 b42fdabfa93686bb 0036963bf3d6d122 fb205fb024c41422 1440 7e2f054787af00aa b17b78ad2d5c31c1 5812c0420b0ea344 1441 2f3f5197533e9325 082f44434e502d4e 
fb73c5987fd3ee55 1442 228c92bd600e1f81 22a447caba8f2fd2 fbf49d43f99a441d 1443 2695809c89dc1c89 9c7975b8a78ec2a9 8399922e58d538f8 1444 009bc07b50573da6 1bbe41ef1f251ee9 dcca0e2d9e8c20fb 1445 c3659b8eef131094 cc9effc3697ac767 248616db9576ccb1 1446 b937775cd97aeb81 f015dcc4bc53143f 0337e90ad800f7cc 1447 6c09b23352acbf06 59c1d0ac6a145342 9d288a83f2c16ecd 1448 419abf7bcfeb05df b70292296847cd7d d91d305ec162436b 1449 6e645028a3d9c068 1cd118093c9a9978 08585fc3ddecab33 1450 fff96c099b607516 4db17fb609747daf c511dcfe212c49e3 1451 399c74fe7d36b962 5206204cf411e42c 6b5da8c5cc7d522d 1452 c8a7747f4cd08e50 a180ed43d8ac0a4c cbc93207e1bd667f 1453 e2f784eeeb5be6cc 22ffd75c2d134a02 7618bf3f270c4809 1454 58c2016507f7f825 dc7a116f7f06670b 8c926c47a919b4ec 1455 f8eab3c0451be841 e90a55e9ce7fee05 919525b0042e4943 1456 4c70e792e055a6a6 50d69a4c9697bde8 0d8d004b41 1458 {server} derive secret "tls13 c ap traffic": 1460 PRK (32 octets): 23bdfa8bb085b65a 8095c55a79f20ab0 1461 7646d7bac8c67803 2aa5985df2a1b7c1 1463 hash (32 octets): d35385d7ef5cda3f e72850e6b878c915 1464 e603150fe9dd009a 83ebf3e8b73525dc 1466 info (54 octets): 002012746c733133 2063206170207472 1467 616666696320d353 85d7ef5cda3fe728 50e6b878c915e603 1468 150fe9dd009a83eb f3e8b73525dc 1470 output (32 octets): 3e97f6ece946f6cf a25aac0c4294f752 1471 adf68ce3769ba8f1 a72140e960e00b75 1473 {server} derive secret "tls13 s ap traffic": 1475 PRK (32 octets): 23bdfa8bb085b65a 8095c55a79f20ab0 1476 7646d7bac8c67803 2aa5985df2a1b7c1 1478 hash (32 octets): d35385d7ef5cda3f e72850e6b878c915 1479 e603150fe9dd009a 83ebf3e8b73525dc 1481 info (54 octets): 002012746c733133 2073206170207472 1482 616666696320d353 85d7ef5cda3fe728 50e6b878c915e603 1483 150fe9dd009a83eb f3e8b73525dc 1485 output (32 octets): 9bf644ffdb8feb85 11240075595cb94f 1486 411a5682e3cb4a82 f0b1f7daf0322a92 1488 {server} derive secret "tls13 exp master": 1490 PRK (32 octets): 23bdfa8bb085b65a 8095c55a79f20ab0 1491 7646d7bac8c67803 2aa5985df2a1b7c1 1493 hash (32 octets): 
d35385d7ef5cda3f e72850e6b878c915 1494 e603150fe9dd009a 83ebf3e8b73525dc 1496 info (52 octets): 002010746c733133 20657870206d6173 1497 74657220d35385d7 ef5cda3fe72850e6 b878c915e603150f 1498 e9dd009a83ebf3e8 b73525dc 1500 output (32 octets): c8dd1dcfbb99ea14 e3ad390c6a4cd3e0 1501 c4f20c2221aa33e2 68eb807de344a179 1503 {server} derive write traffic keys for application data: 1505 PRK (32 octets): 9bf644ffdb8feb85 11240075595cb94f 1506 411a5682e3cb4a82 f0b1f7daf0322a92 1508 key info (13 octets): 001009746c733133 206b657900 1510 key output (16 octets): d46da4e755ba9e74 7a46246bda64c866 1512 iv info (12 octets): 000c08746c733133 20697600 1514 iv output (12 octets): 73deb5c4dfcc38ff 19bb9943 1516 {server} derive read traffic keys for handshake data: 1518 PRK (32 octets): f52e0805a26cd615 ec012fd6b1950258 1519 a9aae77b336a8cac a443df877e99ec61 1521 key info (13 octets): 001009746c733133 206b657900 1523 key output (16 octets): f34edc87549aca05 6bf5d3ebbfb58934 1525 iv info (12 octets): 000c08746c733133 20697600 1527 iv output (12 octets): 018f4bc56b7fa73b 50a1b497 1529 {client} extract secret "early": 1531 salt: (absent) 1533 ikm (32 octets): 0000000000000000 0000000000000000 1534 0000000000000000 0000000000000000 1536 secret (32 octets): 33ad0a1c607ec03b 09e6cd9893680ce2 1537 10adf300aa1f2660 e1b22e10f170f92a 1539 {client} derive secret for handshake "tls13 derived": 1541 PRK (32 octets): 33ad0a1c607ec03b 09e6cd9893680ce2 1542 10adf300aa1f2660 e1b22e10f170f92a 1544 hash (32 octets): e3b0c44298fc1c14 9afbf4c8996fb924 1545 27ae41e4649b934c a495991b7852b855 1547 info (49 octets): 00200d746c733133 2064657269766564 1548 20e3b0c44298fc1c 149afbf4c8996fb9 2427ae41e4649b93 1549 4ca495991b7852b8 55 1551 output (32 octets): 6f2615a108c702c5 678f54fc9dbab697 1552 16c076189c48250c ebeac3576c3611ba 1554 {client} extract secret "handshake": 1556 salt (32 octets): 6f2615a108c702c5 678f54fc9dbab697 1557 16c076189c48250c ebeac3576c3611ba 1559 ikm (32 octets): df4cde9bf625ee9b 
e21cc6bd4a51f662 1560 00c857b0b104cb68 7731c3851eefbc9a 1562 secret (32 octets): 61ebb724b8eaa8d4 83de05c018a83947 1563 b5c2a866847154ce 2b2e33fce8e538cf 1565 {client} derive secret "tls13 c hs traffic" (same as server) 1567 {client} derive secret "tls13 s hs traffic" (same as server) 1569 {client} derive secret for master "tls13 derived" (same as server) 1571 {client} extract secret "master" (same as server) 1573 {client} derive read traffic keys for handshake data: 1575 PRK (32 octets): ed0ea7ec428dd7bb 3f89df21b4679286 1576 fb19f61c5fe0ef81 35c0f54d687bc50c 1578 key info (13 octets): 001009746c733133 206b657900 1580 key output (16 octets): ea3b74f7e0223840 dc5fbc1d3864b73b 1582 iv info (12 octets): 000c08746c733133 20697600 1584 iv output (12 octets): 97621bb779bba789 402021f6 1586 {client} calculate finished "tls13 finished" (same as server) 1588 {client} derive secret "tls13 c ap traffic" (same as server) 1589 {client} derive secret "tls13 s ap traffic" (same as server) 1591 {client} derive secret "tls13 exp master" (same as server) 1593 {client} derive write traffic keys for handshake data (same as 1594 server read traffic keys) 1596 {client} derive read traffic keys for application data (same as 1597 server write traffic keys) 1599 {client} calculate finished "tls13 finished": 1601 PRK (32 octets): f52e0805a26cd615 ec012fd6b1950258 1602 a9aae77b336a8cac a443df877e99ec61 1604 hash (0 octets): (empty) 1606 info (18 octets): 00200e746c733133 2066696e69736865 6400 1608 output (32 octets): c6ceb1fb180f7d97 62734c4b88430995 1609 2c56d60e95490950 2884f84f4a6be5f0 1611 {client} send a Finished handshake message 1613 {client} send handshake record: 1615 payload (36 octets): 14000020735ebda7 9ccdab14ab392f67 1616 c0866555678946a1 b1b13f3d1a240d3f 1403efb9 1618 ciphertext (58 octets): 17030100357d5aa6 afb0db48fa79159d 1619 8074fb1eb26ac08d 6be5c0674197dbd6 efab491f8e99036c 1620 c16fe5a80f6207a6 c110c8975d753c84 1fa9 1622 {client} derive write traffic keys for 
application data:

PRK (32 octets): 3e97f6ece946f6cf a25aac0c4294f752
adf68ce3769ba8f1 a72140e960e00b75

key info (13 octets): 001009746c733133 206b657900

key output (16 octets): a2a1d780fe8dcc66 a2c9524da5adcb36

iv info (12 octets): 000c08746c733133 20697600

iv output (12 octets): 774928e1cb918bb5 fabbdec1

{client} derive secret "tls13 res master":

PRK (32 octets): 23bdfa8bb085b65a 8095c55a79f20ab0
7646d7bac8c67803 2aa5985df2a1b7c1

hash (32 octets): 24852c1da1686926 86e24b558b6aaa12
698570f0e85c3925 23ad59b8b89e2aae

info (52 octets): 002010746c733133 20726573206d6173
7465722024852c1d a168692686e24b55 8b6aaa12698570f0
e85c392523ad59b8 b89e2aae

output (32 octets): a4fccac589ec1324 762aa9ace2eb916b
3124acfa5297f8ac b5a025f99375d171

{server} calculate finished "tls13 finished" (same as client)

{server} derive read traffic keys for application data (same as
client write traffic keys)

{server} derive secret "tls13 res master" (same as client)

{client} send alert record:

payload (2 octets): 0100

ciphertext (24 octets): 1703010013b48a63 7c14b155f5bc2804
04056c6a4b0a34e2

{server} send alert record:

payload (2 octets): 0100

ciphertext (24 octets): 1703010013523066 0fa8cae6196c4565
ac8207fcaf163e8f

6. Security Considerations

It probably isn't a good idea to use the private key shown here. Quite
apart from being too small to provide any meaningful security, it is
now very well known.

7. References

7.1. Normative References

[I-D.ietf-tls-tls13]
Rescorla, E., "The Transport Layer Security (TLS) Protocol
Version 1.3", draft-ietf-tls-tls13-20 (work in progress),
April 2017.

7.2. Informative References

[FIPS186] National Institute of Standards and Technology (NIST),
"Digital Signature Standard (DSS)", NIST PUB 186-4, July
2013.
[RFC7748] Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves
for Security", RFC 7748, DOI 10.17487/RFC7748, January
2016.

Appendix A. Acknowledgements

None of this would have been possible without Franziskus Kiefer, Eric
Rescorla and Tim Taubert, who did a lot of the work in NSS.

Author's Address

Martin Thomson
Mozilla

Email: martin.thomson@gmail.com