TLS M. Thomson Internet-Draft Mozilla Intended status: Standards Track December 4, 2017 Expires: June 7, 2018 Example Handshake Traces for TLS 1.3 draft-ietf-tls-tls13-vectors-03 Abstract Examples of TLS 1.3 handshakes are shown. Private keys and inputs are provided so that these handshakes might be reproduced. Intermediate values, including secrets, traffic keys and ivs are shown so that implementations might be checked incrementally against these values. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on June 7, 2018. Copyright Notice Copyright (c) 2017 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Thomson Expires June 7, 2018 [Page 1] Internet-Draft TLS 1.3 Traces December 2017 Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Private Keys . . . . . . . . . . . . . . . . . . . . . . . . 2 3. Simple 1-RTT Handshake . . . . . . . . . . . . . . . . . . . 3 4. Resumed 0-RTT Handshake . . . . . . . . . . . . . . . . . . . 13 5. HelloRetryRequest . . . . . . . . . . . . . . . . . . . . . . 22 6. Client Authentication . . . . . . . . . . . . . . . . . . . . 33 7. Security Considerations . . . . . . . . . . . . . . . . . . . 42 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 42 8.1. Normative References . . . . . . . . . . . . . . . . . . 42 8.2. Informative References . . . . . . . . . . . . . . . . . 42 Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 43 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 43 1. Introduction TLS 1.3 [I-D.ietf-tls-tls13] defines a new key schedule and a number new cryptographic operations. This document includes sample handshakes that show all intermediate values. This allows an implementation to be verified incrementally, examining inputs and outputs of each cryptographic computation independently. Private keys are included with the traces so that implementations can be checked by importing these values and verifying that the same outputs are produced. 2. Private Keys Ephemeral private keys are shown as they are generated in the traces. The server in most examples uses an RSA certificate with a private key of: modulus (public): b4 bb 49 8f 82 79 30 3d 98 08 36 39 9b 36 c6 98 8c 0c 68 de 55 e1 bd b8 26 d3 90 1a 24 61 ea fd 2d e4 9a 91 d0 15 ab bc 9a 95 13 7a ce 6c 1a f1 9e aa 6a f9 8c 7c ed 43 12 09 98 e1 87 a8 0e e0 cc b0 52 4b 1b 01 8c 3e 0b 63 26 4d 44 9a 6d 38 e2 2a 5f da 43 08 46 74 80 30 53 0e f0 46 1c 8c a9 d9 ef bf ae 8e a6 d1 d0 3e 2b d1 93 ef f0 ab 9a 80 02 c4 74 28 a6 d3 5a 8d 88 d7 9f 7f 1e 3f public exponent: 01 00 01 private exponent: 04 de a7 05 d4 3a 6e a7 20 9d d8 07 21 11 a8 3c 81 e3 22 a5 92 78 b3 34 80 64 1e af 7c 0a 69 85 b8 e3 1c 44 f6 de 62 e1 b4 c2 30 9f 61 26 e7 7b 7c 41 e9 23 31 4b bf a3 88 13 05 dc 12 17 f1 6c 81 9c e5 38 e9 22 f3 69 82 8d 0e 57 19 5d 8c 84 88 46 02 Thomson Expires June 7, 2018 [Page 2] Internet-Draft TLS 1.3 Traces December 2017 07 b2 fa a7 26 bc f7 08 bb d7 db 7f 67 9f 89 34 92 fc 2a 62 2e 08 97 0a ac 44 1c e4 e0 c3 08 8d f2 5a e6 79 23 3d f8 a3 bd a2 ff 99 41 prime1: e4 35 fb 7c c8 37 37 75 6d ac ea 96 ab 7f 59 a2 cc 10 69 db 7d eb 19 0e 17 e3 3a 53 2b 27 3f 30 a3 27 aa 0a aa bc 58 cd 67 46 6a f9 84 5f ad c6 75 fe 09 4a f9 2c 4b d1 f2 c1 bc 33 dd 2e 05 15 prime2: ca bd 3b c0 e0 43 86 64 c8 d4 cc 9f 99 97 7a 94 d9 bb fe ad 8e 43 87 0a ba e3 f7 eb 8b 4e 0e ee 8a f1 d9 b4 71 9b a6 19 6c f2 cb ba ee eb f8 b3 49 0a fe 9e 9f fa 74 a8 8a a5 1f c6 45 62 93 03 exponent1: 3f 57 34 5c 27 fe 1b 68 7e 6e 76 16 27 b7 8b 1b 82 64 33 dd 76 0f a0 be a6 a6 ac f3 94 90 aa 1b 47 cd a4 86 9d 68 f5 84 dd 5b 50 29 bd 32 09 3b 82 58 66 1f e7 15 02 5e 5d 70 a4 5a 08 d3 d3 19 exponent2: 18 3d a0 13 63 bd 2f 28 85 ca cb dc 99 64 bf 47 64 f1 51 76 36 f8 64 01 28 6f 71 89 3c 52 cc fe 40 a6 c2 3d 0d 08 6b 47 c6 fb 10 d8 fd 10 41 e0 4d ef 7e 9a 40 ce 95 7c 41 77 94 e1 04 12 d1 39 coefficient: 83 9c a9 a0 85 e4 28 6b 2c 90 e4 66 99 7a 2c 68 1f 21 33 9a a3 47 78 14 e4 de c1 18 33 05 0e d5 0d d1 3c c0 38 04 8a 43 c5 9b 2a cc 41 68 89 c0 37 66 5f e5 af a6 05 96 9f 8c 01 df a5 ca 96 9d 3. Simple 1-RTT Handshake In this example, the simplest possible handshake is completed. The server is authenticated, but the client remains anonymous. After connecting, a few application data octets are exchanged. The server sends a session ticket that permits the use of 0-RTT in any resumed session. {client} create an ephemeral x25519 key pair: private key (32 octets): b1 6a 3c 97 a7 19 0b ec c4 00 2a 2f be 80 40 b5 99 45 df 0b bd 0c e1 ba db f4 aa 6d 4f 0f a1 9e public key (32 octets): 78 e5 89 74 13 f1 71 53 c7 0c f3 3f a3 4c 84 97 72 4b da b4 f5 7f 9d 01 c9 53 f5 88 f0 30 46 61 {client} send a ClientHello handshake message {client} send handshake record: Thomson Expires June 7, 2018 [Page 3] Internet-Draft TLS 1.3 Traces December 2017 payload (190 octets): 01 00 00 ba 03 03 c4 e2 ea b7 cc 4b bb 43 7d fa b4 7c a5 6a f8 a0 db 07 2b 90 e5 36 f9 c4 a4 9f ac 89 84 9c 10 b2 00 00 06 13 01 13 03 13 02 01 00 00 8b 00 00 00 0b 00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 14 00 12 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 23 00 00 00 28 00 26 00 24 00 1d 00 20 78 e5 89 74 13 f1 71 53 c7 0c f3 3f a3 4c 84 97 72 4b da b4 f5 7f 9d 01 c9 53 f5 88 f0 30 46 61 00 2b 00 03 02 7f 16 00 0d 00 20 00 1e 04 03 05 03 06 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 06 02 02 02 00 2d 00 02 01 01 ciphertext (195 octets): 16 03 01 00 be 01 00 00 ba 03 03 c4 e2 ea b7 cc 4b bb 43 7d fa b4 7c a5 6a f8 a0 db 07 2b 90 e5 36 f9 c4 a4 9f ac 89 84 9c 10 b2 00 00 06 13 01 13 03 13 02 01 00 00 8b 00 00 00 0b 00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 14 00 12 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 23 00 00 00 28 00 26 00 24 00 1d 00 20 78 e5 89 74 13 f1 71 53 c7 0c f3 3f a3 4c 84 97 72 4b da b4 f5 7f 9d 01 c9 53 f5 88 f0 30 46 61 00 2b 00 03 02 7f 16 00 0d 00 20 00 1e 04 03 05 03 06 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 06 02 02 02 00 2d 00 02 01 01 {server} extract secret "early": salt: (absent) ikm (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 secret (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a {server} create an ephemeral x25519 key pair: private key (32 octets): 20 eb 30 48 af fc bf 2b ff 56 df b5 1e 93 4d 78 a0 f5 d2 38 29 41 70 b1 0e ea 18 31 69 68 8b 65 public key (32 octets): ee 31 96 ca 63 98 21 a1 7b 51 68 ab 61 0d 70 57 d2 b2 50 84 89 1f 87 ef 26 cf 0c 26 84 e5 d6 7e {server} send a ServerHello handshake message {server} derive secret for handshake "tls13 derived": PRK (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a Thomson Expires June 7, 2018 [Page 4] Internet-Draft TLS 1.3 Traces December 2017 hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 output (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba {server} extract secret "handshake": salt (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba ikm (32 octets): 61 d3 4a ad f2 5e 22 3a 2c e6 fb 59 f8 a0 f9 d1 d7 5f 18 87 df b0 6c 0f ff f8 47 6d c3 c5 0f 47 secret (32 octets): 79 07 c2 82 34 f1 6c a8 71 a4 6b eb 25 da 54 7f dc 8a ab 96 d1 4e ef f8 0f 5b 12 f9 ad 8a c9 d6 {server} derive secret "tls13 c hs traffic": PRK (32 octets): 79 07 c2 82 34 f1 6c a8 71 a4 6b eb 25 da 54 7f dc 8a ab 96 d1 4e ef f8 0f 5b 12 f9 ad 8a c9 d6 hash (32 octets): 2a 63 e9 0b 84 e5 c9 79 80 56 98 41 19 3b 80 94 22 19 36 52 19 ad 23 90 b6 80 64 c2 ae bb 09 69 info (54 octets): 00 20 12 74 6c 73 31 33 20 63 20 68 73 20 74 72 61 66 66 69 63 20 2a 63 e9 0b 84 e5 c9 79 80 56 98 41 19 3b 80 94 22 19 36 52 19 ad 23 90 b6 80 64 c2 ae bb 09 69 output (32 octets): 40 2b 60 6f 3c b0 c8 5b 6d bf fb fd a9 df 79 14 58 4a 0e b9 21 1b b5 e9 0b a4 81 f2 5c 4b 94 e2 {server} derive secret "tls13 s hs traffic": PRK (32 octets): 79 07 c2 82 34 f1 6c a8 71 a4 6b eb 25 da 54 7f dc 8a ab 96 d1 4e ef f8 0f 5b 12 f9 ad 8a c9 d6 hash (32 octets): 2a 63 e9 0b 84 e5 c9 79 80 56 98 41 19 3b 80 94 22 19 36 52 19 ad 23 90 b6 80 64 c2 ae bb 09 69 info (54 octets): 00 20 12 74 6c 73 31 33 20 73 20 68 73 20 74 72 61 66 66 69 63 20 2a 63 e9 0b 84 e5 c9 79 80 56 98 41 19 3b 80 94 22 19 36 52 19 ad 23 90 b6 80 64 c2 ae bb 09 69 Thomson Expires June 7, 2018 [Page 5] Internet-Draft TLS 1.3 Traces December 2017 output (32 octets): a2 c1 53 5b 55 26 42 8b 49 cb e6 cc 3c 19 23 7c 37 4e 94 db 25 6c 96 4d 4d 13 76 a9 de 1a c5 12 {server} derive secret for master "tls13 derived": PRK (32 octets): 79 07 c2 82 34 f1 6c a8 71 a4 6b eb 25 da 54 7f dc 8a ab 96 d1 4e ef f8 0f 5b 12 f9 ad 8a c9 d6 hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 output (32 octets): 44 50 97 b3 09 4b 9c e8 35 af 72 02 5d 0f d3 80 ae 2b ae 88 06 08 f6 b2 b9 92 42 92 eb 04 71 d1 {server} extract secret "master": salt (32 octets): 44 50 97 b3 09 4b 9c e8 35 af 72 02 5d 0f d3 80 ae 2b ae 88 06 08 f6 b2 b9 92 42 92 eb 04 71 d1 ikm (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 secret (32 octets): 23 07 37 68 ca 09 44 ef de d6 a1 fd 17 3e 7a 1f a7 51 b2 1b 6b f2 07 66 1c b2 94 bc 29 f4 49 c7 {server} send handshake record: payload (90 octets): 02 00 00 56 03 03 8e 58 c0 e7 0c 99 2d 7f fc 80 98 eb dc 67 ba 85 05 e4 2e 44 05 bf 77 23 95 49 24 7a b2 ba 20 3c 00 13 01 00 00 2e 00 28 00 24 00 1d 00 20 ee 31 96 ca 63 98 21 a1 7b 51 68 ab 61 0d 70 57 d2 b2 50 84 89 1f 87 ef 26 cf 0c 26 84 e5 d6 7e 00 2b 00 02 7f 16 ciphertext (95 octets): 16 03 03 00 5a 02 00 00 56 03 03 8e 58 c0 e7 0c 99 2d 7f fc 80 98 eb dc 67 ba 85 05 e4 2e 44 05 bf 77 23 95 49 24 7a b2 ba 20 3c 00 13 01 00 00 2e 00 28 00 24 00 1d 00 20 ee 31 96 ca 63 98 21 a1 7b 51 68 ab 61 0d 70 57 d2 b2 50 84 89 1f 87 ef 26 cf 0c 26 84 e5 d6 7e 00 2b 00 02 7f 16 {server} send a EncryptedExtensions handshake message {server} send a Certificate handshake message {server} send a CertificateVerify handshake message Thomson Expires June 7, 2018 [Page 6] Internet-Draft TLS 1.3 Traces December 2017 {server} calculate finished "tls13 finished": PRK (32 octets): a2 c1 53 5b 55 26 42 8b 49 cb e6 cc 3c 19 23 7c 37 4e 94 db 25 6c 96 4d 4d 13 76 a9 de 1a c5 12 hash (0 octets): (empty) info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65 64 00 output (32 octets): d2 7d 01 ab e2 d9 d6 68 98 dc 10 f8 5d 92 2f d6 ff f5 1d b8 80 f4 af 64 52 b7 1c 05 c3 fc 42 67 {server} send a Finished handshake message {server} send handshake record: payload (651 octets): 08 00 00 1e 00 1c 00 0a 00 14 00 12 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 00 00 00 0b 00 01 b9 00 00 01 b5 00 01 b0 30 82 01 ac 30 82 01 15 a0 03 02 01 02 02 01 02 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 0e 31 0c 30 0a 06 03 55 04 03 13 03 72 73 61 30 1e 17 0d 31 36 30 37 33 30 30 31 32 33 35 39 5a 17 0d 32 36 30 37 33 30 30 31 32 33 35 39 5a 30 0e 31 0c 30 0a 06 03 55 04 03 13 03 72 73 61 30 81 9f 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 81 8d 00 30 81 89 02 81 81 00 b4 bb 49 8f 82 79 30 3d 98 08 36 39 9b 36 c6 98 8c 0c 68 de 55 e1 bd b8 26 d3 90 1a 24 61 ea fd 2d e4 9a 91 d0 15 ab bc 9a 95 13 7a ce 6c 1a f1 9e aa 6a f9 8c 7c ed 43 12 09 98 e1 87 a8 0e e0 cc b0 52 4b 1b 01 8c 3e 0b 63 26 4d 44 9a 6d 38 e2 2a 5f da 43 08 46 74 80 30 53 0e f0 46 1c 8c a9 d9 ef bf ae 8e a6 d1 d0 3e 2b d1 93 ef f0 ab 9a 80 02 c4 74 28 a6 d3 5a 8d 88 d7 9f 7f 1e 3f 02 03 01 00 01 a3 1a 30 18 30 09 06 03 55 1d 13 04 02 30 00 30 0b 06 03 55 1d 0f 04 04 03 02 05 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 81 81 00 85 aa d2 a0 e5 b9 27 6b 90 8c 65 f7 3a 72 67 17 06 18 a5 4c 5f 8a 7b 33 7d 2d f7 a5 94 36 54 17 f2 ea e8 f8 a5 8c 8f 81 72 f9 31 9c f3 6b 7f d6 c5 5b 80 f2 1a 03 01 51 56 72 60 96 fd 33 5e 5e 67 f2 db f1 02 70 2e 60 8c ca e6 be c1 fc 63 a4 2a 99 be 5c 3e b7 10 7c 3c 54 e9 b9 eb 2b d5 20 3b 1c 3b 84 e0 a8 b2 f7 59 40 9b a3 ea c9 d9 1d 40 2d cc 0c c8 f8 96 12 29 ac 91 87 b4 2b 4d e1 00 00 0f 00 00 84 08 04 00 80 35 dc 65 98 6e 5d 7a 91 25 7a 91 01 85 5d 87 54 9c 1b 0d 19 6b 6c 19 da a2 67 38 30 ff 73 a4 51 ab 79 48 55 ca c3 40 e8 48 fd 10 5a 96 ed b4 23 48 99 8c d9 ac 0d f6 63 d8 92 7e 88 67 25 57 0a 41 52 28 af 19 67 a2 2d 9b 4d 36 7b b0 90 e4 f0 76 ea 5f a4 7d c5 7c ac 77 cb e6 21 7f 3e fa 6f 10 53 12 9e b9 1a cb 05 48 c6 38 16 89 8d 36 79 8d 6a c0 38 89 c4 13 c9 27 de df f9 39 d0 58 8c 14 00 00 20 4a 81 42 ca Thomson Expires June 7, 2018 [Page 7] Internet-Draft TLS 1.3 Traces December 2017 b4 49 41 89 68 94 06 27 07 e6 92 d6 32 a8 6a 12 4c be 2a 81 6b 3d ef a1 b3 15 40 db ciphertext (673 octets): 17 03 03 02 9c 6f 0c 3d 25 89 2d 11 1b 9e 10 b7 bf 9e cb 09 ec 5e 87 75 53 b3 15 3e b9 80 12 4c 44 59 58 b1 71 01 41 8b 00 d8 f0 2f af cc 55 ba 06 25 88 ba 53 0e f0 9a 8f b4 c7 d6 de 1f 8b 7e b8 d8 b6 d2 1e 01 34 a9 75 74 ae 71 2d 5c b6 c1 5d 19 b3 47 c7 8a 88 4a 71 ff b8 c2 e7 60 02 22 16 a7 93 8f 10 81 8c 3f 81 16 b4 5a 39 79 d0 9d 72 52 e3 b4 4f 10 ae 68 f5 a6 1b 31 d8 e0 b4 15 f8 09 7d d5 14 f1 ba d1 49 dc bc e5 cb 35 48 55 f6 1d 56 08 c7 b9 d5 85 9a d9 f4 e2 02 84 45 5d 9d ab 37 d5 6e 09 5e bd 88 68 89 a2 36 3f c9 7b 16 62 06 63 7c ca 01 ab 37 7e 9d 3f 3d 06 4f 6a fc 87 22 1a bf e6 d5 23 27 e9 96 91 6e d4 a3 ed 24 9d 5e 71 04 44 dc 78 64 e4 31 6d a8 01 83 b0 cc 0c 3b 38 0a 0a 87 a8 36 17 13 86 c7 f1 b8 db 0b 15 30 a4 39 6c 1a d4 53 2a 60 7a 55 31 90 63 83 f7 bb 9c cc 20 da a8 ec 47 af 17 e5 7e d6 fc c5 f0 61 b7 cb 5a 42 6d 96 96 19 3f e4 a5 13 56 82 a2 2e 0c 3f a2 26 9f 0a bf c6 31 6a 19 6f e8 7c f8 91 29 b7 7c 43 41 ae 6c 12 b6 c5 70 d6 fb b5 46 0f f7 c6 5d a5 80 b1 17 0c 49 12 e4 bd b5 9b 2d 14 f2 7a 05 35 3e 51 d2 18 a3 60 15 4c bf 08 f2 9c 64 4b 28 8f 3d 42 4e e8 ea bb f1 26 fd 6b e4 b2 b0 f1 97 5f e4 73 a3 df a8 83 78 bd 5b ea ce ee 52 0e 6e 2d c7 40 8e 83 8f 34 36 29 c1 a4 a3 dd fa 58 c3 c3 f8 08 5a 79 3a f2 49 38 3d e5 51 a8 a9 50 4a ea 31 31 28 27 ad d1 0c ed b3 39 e4 a2 32 11 85 aa 27 6f 76 2b 0a 6b cd 9e f8 f8 2c 0f de ac 3b 60 d6 5d 10 94 99 b9 1f 19 4b 88 4a cd c7 b0 d6 3b 8c f6 f0 d8 cb ab f1 3c a9 96 69 42 e1 6a 3d 75 24 ad f3 3e ee e5 de e8 91 6b 57 31 c3 6e 21 1a 2d fb fb 65 60 07 91 3b 51 c5 a0 97 50 df a9 70 8d 38 e0 a2 0b 5c ee c9 58 4b c7 aa 83 70 94 b9 6e fd 55 b0 7a c3 72 00 42 4c f9 eb 54 2d 53 b5 6e 71 32 33 83 c1 93 f2 cd f6 22 08 35 48 07 a0 19 3e cd 23 78 ed dd 72 74 27 fe 9d f9 d0 46 28 b8 9c 38 0b 3b 83 b5 e6 95 cf ba 2d 8d 2f 30 ce 0e 19 17 ee 05 2e 7e c9 4d 4d da 39 b6 93 e0 1e a9 68 ad 95 1d 40 cc 99 66 82 0e 7a 95 ff 17 e0 fd 0b 4d d0 d2 a8 70 d0 b5 ab d9 10 79 5a 3e d7 2d 66 54 ba e0 a7 3a 85 fc dc 9b f8 98 53 82 8c 2c 4e 07 51 be e6 e4 a7 de 11 {server} derive secret "tls13 c ap traffic": PRK (32 octets): 23 07 37 68 ca 09 44 ef de d6 a1 fd 17 3e 7a 1f a7 51 b2 1b 6b f2 07 66 1c b2 94 bc 29 f4 49 c7 hash (32 octets): ad 7f 35 b9 42 29 61 a5 31 91 f1 be 86 0e 47 19 77 4f e9 ee c7 0e d5 3f 29 fa ec af b1 f2 9c 0b info (54 octets): 00 20 12 74 6c 73 31 33 20 63 20 61 70 20 74 72 61 66 66 69 63 20 ad 7f 35 b9 42 29 61 a5 31 91 f1 be 86 0e 47 19 77 4f e9 ee c7 0e d5 3f 29 fa ec af b1 f2 9c 0b Thomson Expires June 7, 2018 [Page 8] Internet-Draft TLS 1.3 Traces December 2017 output (32 octets): 4f c9 93 4a 78 39 af bf b1 ad 4a 09 f9 13 90 aa 58 f8 16 40 60 8d 63 86 38 78 c0 b9 9f 6c da aa {server} derive secret "tls13 s ap traffic": PRK (32 octets): 23 07 37 68 ca 09 44 ef de d6 a1 fd 17 3e 7a 1f a7 51 b2 1b 6b f2 07 66 1c b2 94 bc 29 f4 49 c7 hash (32 octets): ad 7f 35 b9 42 29 61 a5 31 91 f1 be 86 0e 47 19 77 4f e9 ee c7 0e d5 3f 29 fa ec af b1 f2 9c 0b info (54 octets): 00 20 12 74 6c 73 31 33 20 73 20 61 70 20 74 72 61 66 66 69 63 20 ad 7f 35 b9 42 29 61 a5 31 91 f1 be 86 0e 47 19 77 4f e9 ee c7 0e d5 3f 29 fa ec af b1 f2 9c 0b output (32 octets): 71 9b 77 1c 5c 65 41 32 a7 25 1f 09 12 92 f7 68 b6 d8 9f af 36 f3 1f 79 44 05 00 fc 16 68 b2 b7 {server} derive secret "tls13 exp master": PRK (32 octets): 23 07 37 68 ca 09 44 ef de d6 a1 fd 17 3e 7a 1f a7 51 b2 1b 6b f2 07 66 1c b2 94 bc 29 f4 49 c7 hash (32 octets): ad 7f 35 b9 42 29 61 a5 31 91 f1 be 86 0e 47 19 77 4f e9 ee c7 0e d5 3f 29 fa ec af b1 f2 9c 0b info (52 octets): 00 20 10 74 6c 73 31 33 20 65 78 70 20 6d 61 73 74 65 72 20 ad 7f 35 b9 42 29 61 a5 31 91 f1 be 86 0e 47 19 77 4f e9 ee c7 0e d5 3f 29 fa ec af b1 f2 9c 0b output (32 octets): 9d 07 cc 4a ef bc c1 f1 75 81 54 ac 1a ba 78 8b 0e d5 f3 1b bc 7f a4 ca dd ce 7a 09 7a 3e 25 42 {client} extract secret "early": salt: (absent) ikm (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 secret (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a {client} derive secret for handshake "tls13 derived": PRK (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a Thomson Expires June 7, 2018 [Page 9] Internet-Draft TLS 1.3 Traces December 2017 hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 output (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba {client} extract secret "handshake": salt (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba ikm (32 octets): 61 d3 4a ad f2 5e 22 3a 2c e6 fb 59 f8 a0 f9 d1 d7 5f 18 87 df b0 6c 0f ff f8 47 6d c3 c5 0f 47 secret (32 octets): 79 07 c2 82 34 f1 6c a8 71 a4 6b eb 25 da 54 7f dc 8a ab 96 d1 4e ef f8 0f 5b 12 f9 ad 8a c9 d6 {client} derive secret "tls13 c hs traffic" (same as server) {client} derive secret "tls13 s hs traffic" (same as server) {client} derive secret for master "tls13 derived" (same as server) {client} extract secret "master" (same as server) {client} calculate finished "tls13 finished" (same as server) {client} derive secret "tls13 c ap traffic" (same as server) {client} derive secret "tls13 s ap traffic" (same as server) {client} derive secret "tls13 exp master" (same as server) {client} calculate finished "tls13 finished": PRK (32 octets): 40 2b 60 6f 3c b0 c8 5b 6d bf fb fd a9 df 79 14 58 4a 0e b9 21 1b b5 e9 0b a4 81 f2 5c 4b 94 e2 hash (0 octets): (empty) info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65 64 00 Thomson Expires June 7, 2018 [Page 10] Internet-Draft TLS 1.3 Traces December 2017 output (32 octets): 47 af c3 66 da 4c 2d 41 64 19 fe c6 f7 af f1 3c 58 9b 56 a2 6a da e0 b6 f3 7a 8d f5 2e a1 d9 33 {client} send a Finished handshake message {client} send handshake record: payload (36 octets): 14 00 00 20 3a d4 3d b6 d0 42 77 0c 3f 79 f7 a9 1a cc 0a 41 1f 1b 92 21 f0 3f 9d 2a 6b 92 c4 d1 54 51 19 ed ciphertext (58 octets): 17 03 03 00 35 32 d7 1d 7f 1b 8e f2 da f3 58 4c 6c 09 c7 4a ed 85 6e 75 59 4e 6f 14 67 4c d9 48 f2 69 ab c1 cc 0e b7 bb 10 45 51 78 88 83 8f 51 34 75 a2 59 ef 80 9b 0f 94 1f {client} derive secret "tls13 res master": PRK (32 octets): 23 07 37 68 ca 09 44 ef de d6 a1 fd 17 3e 7a 1f a7 51 b2 1b 6b f2 07 66 1c b2 94 bc 29 f4 49 c7 hash (32 octets): 2d eb 11 8e 31 f3 d3 8b 38 de 1f cc 26 46 d2 21 ac e6 1f 97 fa 79 75 92 23 7a 65 9c 2b 6b 93 51 info (52 octets): 00 20 10 74 6c 73 31 33 20 72 65 73 20 6d 61 73 74 65 72 20 2d eb 11 8e 31 f3 d3 8b 38 de 1f cc 26 46 d2 21 ac e6 1f 97 fa 79 75 92 23 7a 65 9c 2b 6b 93 51 output (32 octets): ba dd 11 ad f0 7b 59 f9 d1 90 56 1e 4e 69 d6 5d 2d 0c cc 92 3b 08 4a cd 70 6e 00 cd 54 e6 5b 70 {server} calculate finished "tls13 finished" (same as client) {server} derive secret "tls13 res master" (same as client) {server} generate resumption secret "tls13 resumption": PRK (32 octets): ba dd 11 ad f0 7b 59 f9 d1 90 56 1e 4e 69 d6 5d 2d 0c cc 92 3b 08 4a cd 70 6e 00 cd 54 e6 5b 70 hash (2 octets): 00 00 info (22 octets): 00 20 10 74 6c 73 31 33 20 72 65 73 75 6d 70 74 69 6f 6e 02 00 00 output (32 octets): 20 b3 ed 07 48 14 86 03 09 cd 47 fb 81 0b 36 9c f1 86 b7 09 7c b7 76 ff 57 f8 a7 ce 12 18 fa fa {server} send a NewSessionTicket handshake message Thomson Expires June 7, 2018 [Page 11] Internet-Draft TLS 1.3 Traces December 2017 {server} send handshake record: payload (205 octets): 04 00 00 c9 00 00 00 1e 1a 46 fe 8d 02 00 00 00 b2 f7 34 a8 af 18 42 36 ce f0 ae ea b1 00 00 00 00 68 2d 66 eb 29 13 c9 eb 94 c6 9a 57 51 5d df 2f 00 70 c2 f3 4f 9b 2e d5 a5 30 91 16 c9 d7 4f ca eb 2b f8 87 51 9a a5 5a 7c 83 ff 27 fd c3 72 ba ec 38 7d be 58 8e d6 27 4b 1f f5 13 6c eb 68 ea 4a 39 ce 79 08 7c 6e 75 42 b4 9c 7c 0e 4b 97 fc 2a 29 73 27 71 8b 29 bf 63 6a dd 4e 6b 46 a4 1d f2 3f 45 01 28 80 20 b2 6c e5 75 d4 c9 f1 87 eb e5 48 07 1b 51 19 8c 4b 10 f9 4c f7 ce 94 aa 08 17 a7 2a a8 86 64 63 d9 d7 7f 9c db 81 e6 27 82 c1 33 2e 22 0c 55 2c dc 44 48 4b e7 ee f7 64 3d c3 8d 00 08 00 2a 00 04 00 00 04 00 ciphertext (227 octets): 17 03 03 00 de ce 84 1b 08 4c ba 5c 21 cd 70 f7 30 28 18 7c c9 a0 e9 e5 b8 88 f8 d0 ca 5a f7 7d df 96 eb cd fd 1e 70 c6 8b a2 44 a9 64 3d c8 c2 b3 9c 93 3d 0e a9 1a 8d 7a 35 df db 3d c3 45 57 bb eb e8 0c a4 0b 64 b8 45 cd 04 b2 18 2e 73 59 f5 53 60 0b 1b 1f 8a c1 29 fd 3c f5 eb 79 91 3a e4 27 02 a3 10 a7 17 5d e1 15 c7 fd 77 00 06 54 2d cf 8a 7a 94 53 8d 96 d9 71 72 02 28 4b ed af f5 ff ec a0 23 10 92 12 3e a6 b0 bc 12 99 ae c3 a9 8c 44 27 e4 35 7c 38 16 d0 a6 c5 d0 93 aa d5 9c 09 5c 99 76 91 b5 88 cc 3c 10 8e 95 d7 f8 39 f9 ec 2c a5 18 2c 80 53 12 a1 c2 d0 32 88 80 97 c1 4e 38 5a 3c c5 e9 37 0e b6 49 08 05 4b 52 64 4e 35 09 2a 34 4a 74 77 b8 bb be fb 22 a8 ff c3 9e 84 ac {client} generate resumption secret "tls13 resumption" (same as server) {client} send application_data record: payload (50 octets): 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 ciphertext (72 octets): 17 03 03 00 43 18 8a fa 7b 29 8e 8d ef c3 eb 5e f8 2f dc 60 92 3b b5 5c ca 31 a5 64 63 df ec 71 7a aa 99 77 9c c6 1f bf ca 90 73 b9 95 51 73 a0 b7 1c 1b f2 b9 2d b0 60 73 e9 65 5b 64 3e 12 ef 76 d8 c8 86 91 12 aa 35 {server} send application_data record: payload (50 octets): 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 Thomson Expires June 7, 2018 [Page 12] Internet-Draft TLS 1.3 Traces December 2017 ciphertext (72 octets): 17 03 03 00 43 d8 27 0a 4b 0b a6 c0 74 c3 83 0b 15 58 a1 cb 89 13 e2 21 d7 08 33 ee 02 74 58 e2 46 11 a0 d4 7f 9c d3 bd 66 ce 03 13 db 71 8e e4 d0 ef bc 3f 8a 4d 7e 35 04 3c 46 48 40 d8 7d eb 66 b7 7d 40 df 36 aa 7d {client} send alert record: payload (2 octets): 01 00 ciphertext (24 octets): 17 03 03 00 13 d5 92 9a 67 ba 50 4f 19 3a 59 7d 3a ab 2d c3 f9 04 12 7d {server} send alert record: payload (2 octets): 01 00 ciphertext (24 octets): 17 03 03 00 13 69 ed b3 40 6d 1e 57 51 97 75 4a c9 27 19 e0 5d 71 18 67 4. Resumed 0-RTT Handshake This handshake resumes from the handshake in Section 3. Since the server provided a session ticket that permitted 0-RTT, and the client is configured for 0-RTT, the client is able to send 0-RTT data. {client} create an ephemeral x25519 key pair: private key (32 octets): 25 ee 23 7a 20 17 98 ee e8 7f 37 60 53 e1 28 50 9a be 65 e7 87 34 4f f2 b9 ff 9d 04 fd 13 8a fa public key (32 octets): fa 5d e3 00 e6 9f 05 d6 19 a4 28 fc fb 02 88 b5 57 b6 40 6a 26 fc 51 13 c0 4e 4a 3c 86 9a 44 14 {client} extract secret "early": salt: (absent) ikm (32 octets): 20 b3 ed 07 48 14 86 03 09 cd 47 fb 81 0b 36 9c f1 86 b7 09 7c b7 76 ff 57 f8 a7 ce 12 18 fa fa secret (32 octets): 35 10 b5 e7 47 ce ef 42 b1 fe ff e7 a7 4f dc 0f 52 a5 ee fc a2 b6 76 b0 82 4e 06 17 c8 64 56 16 {client} send a ClientHello handshake message {client} calculate finished "tls13 finished": Thomson Expires June 7, 2018 [Page 13] Internet-Draft TLS 1.3 Traces December 2017 PRK (32 octets): de 0c 49 be 25 cd 0a b1 79 a9 d1 be e0 5a c0 cc a0 3d 51 10 4f cc ac db 13 12 b6 35 40 5a db 2c hash (0 octets): (empty) info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65 64 00 output (32 octets): e6 12 24 d1 ef b4 01 4b 18 aa e8 db 83 4e 12 5b da e8 e8 bf f1 17 2f a6 a8 8c 35 39 77 c6 5a 68 {client} send handshake record: payload (512 octets): 01 00 01 fc 03 03 f4 74 90 c6 31 61 6b 80 01 47 e5 62 01 b1 13 6d b0 04 92 f7 e8 d9 56 2a 77 fb f9 77 1d 8a a4 6c 00 00 06 13 01 13 03 13 02 01 00 01 cd 00 00 00 0b 00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 14 00 12 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 28 00 26 00 24 00 1d 00 20 fa 5d e3 00 e6 9f 05 d6 19 a4 28 fc fb 02 88 b5 57 b6 40 6a 26 fc 51 13 c0 4e 4a 3c 86 9a 44 14 00 2a 00 00 00 2b 00 03 02 7f 16 00 0d 00 20 00 1e 04 03 05 03 06 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 06 02 02 02 00 2d 00 02 01 01 00 15 00 5d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 29 00 dd 00 b8 00 b2 f7 34 a8 af 18 42 36 ce f0 ae ea b1 00 00 00 00 68 2d 66 eb 29 13 c9 eb 94 c6 9a 57 51 5d df 2f 00 70 c2 f3 4f 9b 2e d5 a5 30 91 16 c9 d7 4f ca eb 2b f8 87 51 9a a5 5a 7c 83 ff 27 fd c3 72 ba ec 38 7d be 58 8e d6 27 4b 1f f5 13 6c eb 68 ea 4a 39 ce 79 08 7c 6e 75 42 b4 9c 7c 0e 4b 97 fc 2a 29 73 27 71 8b 29 bf 63 6a dd 4e 6b 46 a4 1d f2 3f 45 01 28 80 20 b2 6c e5 75 d4 c9 f1 87 eb e5 48 07 1b 51 19 8c 4b 10 f9 4c f7 ce 94 aa 08 17 a7 2a a8 86 64 63 d9 d7 7f 9c db 81 e6 27 82 c1 33 2e 22 0c 55 2c dc 44 48 4b e7 ee f7 64 3d c3 8d 1a 46 fe 90 00 21 20 34 60 d2 6b d5 55 86 97 91 90 dd 6d 8f 25 3d f3 fa d7 d1 64 61 28 f3 d9 3d 51 57 21 3b 90 86 b3 ciphertext (517 octets): 16 03 01 02 00 01 00 01 fc 03 03 f4 74 90 c6 31 61 6b 80 01 47 e5 62 01 b1 13 6d b0 04 92 f7 e8 d9 56 2a 77 fb f9 77 1d 8a a4 6c 00 00 06 13 01 13 03 13 02 01 00 01 cd 00 00 00 0b 00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 14 00 12 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 28 00 26 00 24 00 1d 00 20 fa 5d e3 00 e6 9f 05 d6 19 a4 28 fc fb 02 88 b5 57 b6 40 6a 26 fc 51 13 c0 4e 4a 3c 86 9a 44 14 00 2a 00 00 00 2b 00 03 02 7f 16 00 0d 00 20 00 1e 04 03 05 03 06 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 Thomson Expires June 7, 2018 [Page 14] Internet-Draft TLS 1.3 Traces December 2017 04 02 05 02 06 02 02 02 00 2d 00 02 01 01 00 15 00 5d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 29 00 dd 00 b8 00 b2 f7 34 a8 af 18 42 36 ce f0 ae ea b1 00 00 00 00 68 2d 66 eb 29 13 c9 eb 94 c6 9a 57 51 5d df 2f 00 70 c2 f3 4f 9b 2e d5 a5 30 91 16 c9 d7 4f ca eb 2b f8 87 51 9a a5 5a 7c 83 ff 27 fd c3 72 ba ec 38 7d be 58 8e d6 27 4b 1f f5 13 6c eb 68 ea 4a 39 ce 79 08 7c 6e 75 42 b4 9c 7c 0e 4b 97 fc 2a 29 73 27 71 8b 29 bf 63 6a dd 4e 6b 46 a4 1d f2 3f 45 01 28 80 20 b2 6c e5 75 d4 c9 f1 87 eb e5 48 07 1b 51 19 8c 4b 10 f9 4c f7 ce 94 aa 08 17 a7 2a a8 86 64 63 d9 d7 7f 9c db 81 e6 27 82 c1 33 2e 22 0c 55 2c dc 44 48 4b e7 ee f7 64 3d c3 8d 1a 46 fe 90 00 21 20 34 60 d2 6b d5 55 86 97 91 90 dd 6d 8f 25 3d f3 fa d7 d1 64 61 28 f3 d9 3d 51 57 21 3b 90 86 b3 {client} derive secret "tls13 c e traffic": PRK (32 octets): 35 10 b5 e7 47 ce ef 42 b1 fe ff e7 a7 4f dc 0f 52 a5 ee fc a2 b6 76 b0 82 4e 06 17 c8 64 56 16 hash (32 octets): 89 4e e7 2f 01 a8 67 e9 cc 87 5a 19 44 22 10 8a e9 51 45 f9 43 b0 89 1f 3c ab 07 4f 12 fa c4 0a info (53 octets): 00 20 11 74 6c 73 31 33 20 63 20 65 20 74 72 61 66 66 69 63 20 89 4e e7 2f 01 a8 67 e9 cc 87 5a 19 44 22 10 8a e9 51 45 f9 43 b0 89 1f 3c ab 07 4f 12 fa c4 0a output (32 octets): 7b dd 21 10 35 33 b9 d8 2b ae 6c 26 be 3e 78 e9 bd 37 91 42 96 24 db e0 a6 b3 9c e5 bf 69 eb 23 {client} derive secret "tls13 e exp master": PRK (32 octets): 35 10 b5 e7 47 ce ef 42 b1 fe ff e7 a7 4f dc 0f 52 a5 ee fc a2 b6 76 b0 82 4e 06 17 c8 64 56 16 hash (32 octets): 89 4e e7 2f 01 a8 67 e9 cc 87 5a 19 44 22 10 8a e9 51 45 f9 43 b0 89 1f 3c ab 07 4f 12 fa c4 0a info (54 octets): 00 20 12 74 6c 73 31 33 20 65 20 65 78 70 20 6d 61 73 74 65 72 20 89 4e e7 2f 01 a8 67 e9 cc 87 5a 19 44 22 10 8a e9 51 45 f9 43 b0 89 1f 3c ab 07 4f 12 fa c4 0a output (32 octets): da 05 9b c4 d7 bd 6e 30 45 b3 df d8 ab c8 68 1b 22 47 6f 44 b4 54 22 75 12 af a9 af c0 60 3f c1 {client} send application_data record: Thomson Expires June 7, 2018 [Page 15] Internet-Draft TLS 1.3 Traces December 2017 payload (6 octets): 41 42 43 44 45 46 ciphertext (28 octets): 17 03 03 00 17 d8 3a 80 c1 65 49 bf 19 49 38 a3 9c c1 54 a1 8b a7 cb bb a7 bf 02 e0 {server} extract secret "early" (same as client) {server} calculate finished "tls13 finished" (same as client) {server} create an ephemeral x25519 key pair: private key (32 octets): a3 41 34 2b 44 be 43 fa 13 b5 a2 fa 30 6a d7 24 ef 7f 73 a0 87 ac be 4a 79 10 82 b6 00 cd 08 b5 public key (32 octets): 66 62 56 0e 42 6c b1 13 d5 63 b1 69 e9 72 b5 c4 81 dd b6 cc f2 a5 79 39 ed d2 4b a9 e9 b6 2f 5f {server} derive secret "tls13 c e traffic" (same as client) {server} derive secret "tls13 e exp master" (same as client) {server} send a ServerHello handshake message {server} derive secret for handshake "tls13 derived": PRK (32 octets): 35 10 b5 e7 47 ce ef 42 b1 fe ff e7 a7 4f dc 0f 52 a5 ee fc a2 b6 76 b0 82 4e 06 17 c8 64 56 16 hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 output (32 octets): 3c 5b 59 45 89 ee 0f a2 f1 18 d3 98 fc 3c 3e 50 f7 13 21 65 bc 5e 20 1a 97 da df 8e 36 ad 16 ba {server} extract secret "handshake": salt (32 octets): 3c 5b 59 45 89 ee 0f a2 f1 18 d3 98 fc 3c 3e 50 f7 13 21 65 bc 5e 20 1a 97 da df 8e 36 ad 16 ba ikm (32 octets): ca 49 06 0d 44 b4 58 b8 e2 6f b7 2a 18 6e bc 44 6b a8 e4 0e 8f b1 39 5c c7 f7 56 59 ee 86 f8 54 secret (32 octets): 6b a5 c1 83 92 4b a3 2c e0 99 85 c9 11 f2 97 bb 0a 7c de 27 63 1a 6f 2e e8 88 25 19 88 f3 07 54 Thomson Expires June 7, 2018 [Page 16] Internet-Draft TLS 1.3 Traces December 2017 {server} derive secret "tls13 c hs traffic": PRK (32 octets): 6b a5 c1 83 92 4b a3 2c e0 99 85 c9 11 f2 97 bb 0a 7c de 27 63 1a 6f 2e e8 88 25 19 88 f3 07 54 hash (32 octets): ef 88 42 5a 0d c1 df 66 77 f6 2d de 3e 93 79 b6 39 83 b3 a0 89 66 db aa d7 d4 c9 c6 b1 79 b3 b7 info (54 octets): 00 20 12 74 6c 73 31 33 20 63 20 68 73 20 74 72 61 66 66 69 63 20 ef 88 42 5a 0d c1 df 66 77 f6 2d de 3e 93 79 b6 39 83 b3 a0 89 66 db aa d7 d4 c9 c6 b1 79 b3 b7 output (32 octets): a2 ba 52 84 b4 0e 7d 65 af af 93 c0 93 06 dd e4 70 98 a4 ee 28 4c f4 6e 0b 59 09 fe 25 8c a6 4f {server} derive secret "tls13 s hs traffic": PRK (32 octets): 6b a5 c1 83 92 4b a3 2c e0 99 85 c9 11 f2 97 bb 0a 7c de 27 63 1a 6f 2e e8 88 25 19 88 f3 07 54 hash (32 octets): ef 88 42 5a 0d c1 df 66 77 f6 2d de 3e 93 79 b6 39 83 b3 a0 89 66 db aa d7 d4 c9 c6 b1 79 b3 b7 info (54 octets): 00 20 12 74 6c 73 31 33 20 73 20 68 73 20 74 72 61 66 66 69 63 20 ef 88 42 5a 0d c1 df 66 77 f6 2d de 3e 93 79 b6 39 83 b3 a0 89 66 db aa d7 d4 c9 c6 b1 79 b3 b7 output (32 octets): 58 6f 1a b9 cb 2d 93 70 66 1a 1e 0b c9 fc 8c 39 1a 34 67 b9 9e bd 58 16 c1 8c 46 a5 28 6e 96 77 {server} derive secret for master "tls13 derived": PRK (32 octets): 6b a5 c1 83 92 4b a3 2c e0 99 85 c9 11 f2 97 bb 0a 7c de 27 63 1a 6f 2e e8 88 25 19 88 f3 07 54 hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 output (32 octets): 78 31 58 10 11 a6 70 a2 ce 59 0b 80 b8 e5 44 12 35 49 d6 bd 44 3c f6 9e 80 e8 0a 7e 38 93 d7 7e {server} extract secret "master": Thomson Expires June 7, 2018 [Page 17] Internet-Draft TLS 1.3 Traces December 2017 salt (32 octets): 78 31 58 10 11 a6 70 a2 ce 59 0b 80 b8 e5 44 12 35 49 d6 bd 44 3c f6 9e 80 e8 0a 7e 38 93 d7 7e ikm (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 secret (32 octets): 6b 06 1b 95 b3 81 1d 3a 8a a8 3d a0 1d f0 e6 d5 c3 be 43 d8 3b 18 b3 bc b8 e8 52 78 14 2b 11 9c {server} send handshake record: payload (96 octets): 02 00 00 5c 03 03 4b 98 9e 4c 47 ca 09 2a 18 78 78 ae 45 7f d5 85 6e dc a0 f7 ae cf 00 4e d0 20 3a fe 0d 57 e3 86 00 13 01 00 00 34 00 29 00 02 00 00 00 28 00 24 00 1d 00 20 66 62 56 0e 42 6c b1 13 d5 63 b1 69 e9 72 b5 c4 81 dd b6 cc f2 a5 79 39 ed d2 4b a9 e9 b6 2f 5f 00 2b 00 02 7f 16 ciphertext (101 octets): 16 03 03 00 60 02 00 00 5c 03 03 4b 98 9e 4c 47 ca 09 2a 18 78 78 ae 45 7f d5 85 6e dc a0 f7 ae cf 00 4e d0 20 3a fe 0d 57 e3 86 00 13 01 00 00 34 00 29 00 02 00 00 00 28 00 24 00 1d 00 20 66 62 56 0e 42 6c b1 13 d5 63 b1 69 e9 72 b5 c4 81 dd b6 cc f2 a5 79 39 ed d2 4b a9 e9 b6 2f 5f 00 2b 00 02 7f 16 {server} send a EncryptedExtensions handshake message {server} calculate finished "tls13 finished": PRK (32 octets): 58 6f 1a b9 cb 2d 93 70 66 1a 1e 0b c9 fc 8c 39 1a 34 67 b9 9e bd 58 16 c1 8c 46 a5 28 6e 96 77 hash (0 octets): (empty) info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65 64 00 output (32 octets): 98 90 9d e6 86 66 b5 12 80 1c 41 c6 3b 20 f9 fc 1f 7f 8f e1 19 64 75 d2 07 48 66 e3 a1 5d 14 15 {server} send a Finished handshake message {server} send handshake record: payload (74 octets): 08 00 00 22 00 20 00 0a 00 14 00 12 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 00 00 00 00 2a 00 00 14 00 00 20 c9 f5 11 e0 94 08 c2 b3 ff b5 ac 45 3c 7c 0a 65 c0 8c 28 c9 bc 4f 38 54 46 91 9e b8 fd 84 7c e0 Thomson Expires June 7, 2018 [Page 18] Internet-Draft TLS 1.3 Traces December 2017 ciphertext (96 octets): 17 03 03 00 5b f5 a6 a6 20 f2 db 4e 20 1f 22 8d 73 b4 15 d8 5e a9 76 e1 55 27 5f 2d 89 a4 96 68 d7 be 48 9a 8b 85 20 5d 0b 59 30 79 e6 0e 10 6e 15 67 29 c2 11 90 0a de 1f 72 32 67 d8 c8 2b f5 dd 40 bb c5 63 99 1e bc 01 1e 49 14 ea 3a ee 25 37 3e eb 31 00 36 c8 f4 44 be 45 16 4d 3a 50 5d {server} derive secret "tls13 c ap traffic": PRK (32 octets): 6b 06 1b 95 b3 81 1d 3a 8a a8 3d a0 1d f0 e6 d5 c3 be 43 d8 3b 18 b3 bc b8 e8 52 78 14 2b 11 9c hash (32 octets): bc be 0c 61 2f 39 63 e4 2c 49 6c b3 03 e9 59 89 ba 96 f6 21 00 34 f4 63 05 b9 75 2a 53 d9 a7 dd info (54 octets): 00 20 12 74 6c 73 31 33 20 63 20 61 70 20 74 72 61 66 66 69 63 20 bc be 0c 61 2f 39 63 e4 2c 49 6c b3 03 e9 59 89 ba 96 f6 21 00 34 f4 63 05 b9 75 2a 53 d9 a7 dd output (32 octets): c9 d1 12 6d be c2 7c a1 72 21 37 3f ef 10 4e cf a0 6d c4 a1 c4 5c 1d 55 3f 2b 1a 84 16 b4 6e cb {server} derive secret "tls13 s ap traffic": PRK (32 octets): 6b 06 1b 95 b3 81 1d 3a 8a a8 3d a0 1d f0 e6 d5 c3 be 43 d8 3b 18 b3 bc b8 e8 52 78 14 2b 11 9c hash (32 octets): bc be 0c 61 2f 39 63 e4 2c 49 6c b3 03 e9 59 89 ba 96 f6 21 00 34 f4 63 05 b9 75 2a 53 d9 a7 dd info (54 octets): 00 20 12 74 6c 73 31 33 20 73 20 61 70 20 74 72 61 66 66 69 63 20 bc be 0c 61 2f 39 63 e4 2c 49 6c b3 03 e9 59 89 ba 96 f6 21 00 34 f4 63 05 b9 75 2a 53 d9 a7 dd output (32 octets): aa 91 af 99 99 34 3a 32 8e cf ad 72 cb be e1 20 71 d7 79 b3 8a 3d 18 5a 7d c7 c4 e7 f8 33 33 1c {server} derive secret "tls13 exp master": PRK (32 octets): 6b 06 1b 95 b3 81 1d 3a 8a a8 3d a0 1d f0 e6 d5 c3 be 43 d8 3b 18 b3 bc b8 e8 52 78 14 2b 11 9c hash (32 octets): bc be 0c 61 2f 39 63 e4 2c 49 6c b3 03 e9 59 89 ba 96 f6 21 00 34 f4 63 05 b9 75 2a 53 d9 a7 dd info (52 octets): 00 20 10 74 6c 73 31 33 20 65 78 70 20 6d 61 73 74 65 72 20 bc be 0c 61 2f 39 63 e4 2c 49 6c b3 03 e9 59 89 ba 96 f6 21 00 34 f4 63 05 b9 75 2a 53 d9 a7 dd Thomson Expires June 7, 2018 [Page 19] Internet-Draft TLS 1.3 Traces December 2017 output (32 octets): 3d 65 4f f5 ca 07 87 85 69 31 01 cc 71 0f 46 e2 93 5b 5e c4 61 14 ca bb 08 35 41 a0 84 66 d1 84 {client} derive secret for handshake "tls13 derived": PRK (32 octets): 35 10 b5 e7 47 ce ef 42 b1 fe ff e7 a7 4f dc 0f 52 a5 ee fc a2 b6 76 b0 82 4e 06 17 c8 64 56 16 hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 output (32 octets): 3c 5b 59 45 89 ee 0f a2 f1 18 d3 98 fc 3c 3e 50 f7 13 21 65 bc 5e 20 1a 97 da df 8e 36 ad 16 ba {client} extract secret "handshake": salt (32 octets): 3c 5b 59 45 89 ee 0f a2 f1 18 d3 98 fc 3c 3e 50 f7 13 21 65 bc 5e 20 1a 97 da df 8e 36 ad 16 ba ikm (32 octets): ca 49 06 0d 44 b4 58 b8 e2 6f b7 2a 18 6e bc 44 6b a8 e4 0e 8f b1 39 5c c7 f7 56 59 ee 86 f8 54 secret (32 octets): 6b a5 c1 83 92 4b a3 2c e0 99 85 c9 11 f2 97 bb 0a 7c de 27 63 1a 6f 2e e8 88 25 19 88 f3 07 54 {client} derive secret "tls13 c hs traffic" (same as server) {client} derive secret "tls13 s hs traffic" (same as server) {client} derive secret for master "tls13 derived" (same as server) {client} extract secret "master" (same as server) {client} calculate finished "tls13 finished" (same as server) {client} derive secret "tls13 c ap traffic" (same as server) {client} derive secret "tls13 s ap traffic" (same as server) {client} derive secret "tls13 exp master" (same as server) {client} send a EndOfEarlyData handshake message {client} send handshake record: Thomson Expires June 7, 2018 [Page 20] Internet-Draft TLS 1.3 Traces December 2017 payload (4 octets): 05 00 00 00 ciphertext (26 octets): 17 03 03 00 15 1d ee d3 9b 27 ff 4f 3c 92 2f fd ef 73 89 56 5e cc 79 d1 13 71 {client} calculate finished "tls13 finished": PRK (32 octets): a2 ba 52 84 b4 0e 7d 65 af af 93 c0 93 06 dd e4 70 98 a4 ee 28 4c f4 6e 0b 59 09 fe 25 8c a6 4f hash (0 octets): (empty) info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65 64 00 output (32 octets): 67 02 97 87 4f 08 e5 10 32 72 a8 be 0c 6d c3 b4 39 6e 82 28 34 62 6b 21 e6 be 28 b9 d4 b4 35 05 {client} send a Finished handshake message {client} send handshake record: payload (36 octets): 14 00 00 20 60 c3 2e 99 5e c1 0d d0 1d 73 79 e3 eb f1 9f 75 ef 74 0b 18 d4 24 06 c9 62 db 37 a4 53 74 9d 76 ciphertext (58 octets): 17 03 03 00 35 b1 a4 2d de c8 7d 6a 62 17 a5 53 19 3b 47 a6 6c 32 b4 51 ab f8 48 dc df 68 21 3b 44 21 76 a9 e5 9b 8e cf 5e 1a fe d8 94 43 9a 9d f0 c3 a2 4b da ac 97 fc 34 55 {client} derive secret "tls13 res master": PRK (32 octets): 6b 06 1b 95 b3 81 1d 3a 8a a8 3d a0 1d f0 e6 d5 c3 be 43 d8 3b 18 b3 bc b8 e8 52 78 14 2b 11 9c hash (32 octets): 04 5f 9f 6c d4 c6 84 65 a7 79 f4 89 b7 13 57 7f 42 e9 91 c1 b7 b7 34 db 01 28 a5 7b 88 35 41 27 info (52 octets): 00 20 10 74 6c 73 31 33 20 72 65 73 20 6d 61 73 74 65 72 20 04 5f 9f 6c d4 c6 84 65 a7 79 f4 89 b7 13 57 7f 42 e9 91 c1 b7 b7 34 db 01 28 a5 7b 88 35 41 27 output (32 octets): 40 7b 7c fa 1a 5d cd 73 e2 75 a6 80 13 16 68 24 4e a8 88 64 19 a6 fe cc 01 f5 7b df d5 5d 15 2a {server} calculate finished "tls13 finished" (same as client) {server} derive secret "tls13 res master" (same as client) Thomson Expires June 7, 2018 [Page 21] Internet-Draft TLS 1.3 Traces December 2017 {client} send application_data record: payload (50 octets): 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 ciphertext (72 octets): 17 03 03 00 43 89 8d 41 41 71 76 9c 87 23 f5 46 43 1e c6 80 49 5a fa a6 ac 32 5d 66 2f a5 9d 93 5a 99 d2 f5 94 63 b8 d9 cd d3 c1 b1 36 79 08 1d d0 98 7c 4d 26 40 9a bd 40 ca d0 be a6 d5 95 85 01 b1 fc 02 15 08 6d b9 {server} send application_data record: payload (50 octets): 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 ciphertext (72 octets): 17 03 03 00 43 8e 95 04 14 52 07 ad 99 f9 26 b4 7c 28 f6 0f a5 31 b9 7d 35 4f 55 ac fe 46 59 b0 37 f1 94 6e 6a 8d c8 da f7 a9 fc 36 27 02 3f c1 df 0b a1 8c a5 90 11 fc 2f 39 96 ea bc 2f 6d 50 85 93 d6 0b 23 87 d4 bc {client} send alert record: payload (2 octets): 01 00 ciphertext (24 octets): 17 03 03 00 13 e4 f4 3b 1b 15 b0 75 40 6c 2f 32 68 61 99 82 35 6d 78 53 {server} send alert record: payload (2 octets): 01 00 ciphertext (24 octets): 17 03 03 00 13 06 18 b6 94 51 58 6b 0d b9 6c 39 08 0f 6b d7 d1 f1 0b 41 5. HelloRetryRequest In this example, the client initiates a handshake with an X25519 [RFC7748] share. The server however prefers P-256 [FIPS186] and sends a HelloRetryRequest that requires the client to generate a key share on the P-256 curve. {client} create an ephemeral x25519 key pair: private key (32 octets): 52 99 b5 dc 31 26 3d a4 eb 70 79 f3 f9 29 68 d5 1e ce c2 0c 3b aa 64 67 f2 d8 d2 c2 49 88 09 10 Thomson Expires June 7, 2018 [Page 22] Internet-Draft TLS 1.3 Traces December 2017 public key (32 octets): 9e d2 81 f2 d1 e0 f8 c3 99 a4 90 a8 6a cd 71 9d 46 56 77 db dc b4 45 1f 97 39 e1 22 40 8a d4 32 {client} send a ClientHello handshake message {client} send handshake record: payload (174 octets): 01 00 00 aa 03 03 24 cc 22 ad 4c 8b 8c ed c8 e7 ee ac 95 93 1b 24 9d 3a dd 7d 98 c5 e0 d8 35 f5 d7 81 0d fb b1 80 00 00 06 13 01 13 03 13 02 01 00 00 7b 00 00 00 0b 00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 08 00 06 00 1d 00 17 00 18 00 28 00 26 00 24 00 1d 00 20 9e d2 81 f2 d1 e0 f8 c3 99 a4 90 a8 6a cd 71 9d 46 56 77 db dc b4 45 1f 97 39 e1 22 40 8a d4 32 00 2b 00 03 02 7f 16 00 0d 00 20 00 1e 04 03 05 03 06 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 06 02 02 02 00 2d 00 02 01 01 ciphertext (179 octets): 16 03 01 00 ae 01 00 00 aa 03 03 24 cc 22 ad 4c 8b 8c ed c8 e7 ee ac 95 93 1b 24 9d 3a dd 7d 98 c5 e0 d8 35 f5 d7 81 0d fb b1 80 00 00 06 13 01 13 03 13 02 01 00 00 7b 00 00 00 0b 00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 08 00 06 00 1d 00 17 00 18 00 28 00 26 00 24 00 1d 00 20 9e d2 81 f2 d1 e0 f8 c3 99 a4 90 a8 6a cd 71 9d 46 56 77 db dc b4 45 1f 97 39 e1 22 40 8a d4 32 00 2b 00 03 02 7f 16 00 0d 00 20 00 1e 04 03 05 03 06 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 06 02 02 02 00 2d 00 02 01 01 {server} send a ServerHello handshake message {server} send handshake record: payload (176 octets): 02 00 00 ac 03 03 cf 21 ad 74 e5 9a 61 11 be 1d 8c 02 1e 65 b8 91 c2 a2 11 16 7a bb 8c 5e 07 9e 09 e2 c8 a8 33 9c 00 13 01 00 00 84 00 28 00 02 00 17 00 2c 00 74 00 72 3c c7 0f 98 68 ee 6d bc bb 7b 7c 21 00 00 00 00 73 d2 77 2a 29 c9 93 b4 e0 c3 78 de 45 9e 99 ea 00 30 97 19 7d a5 86 38 74 31 85 03 d3 dd e2 41 7d 5f b7 8c 92 76 13 14 10 ea a9 2e 9e 8a f5 4e a0 92 86 7b 67 7d 64 4f 96 d8 c5 fd 48 30 d1 70 dd 1b 3f 8a 85 17 ab ee 19 60 52 d8 e4 29 3d 62 f0 3b 6d 29 b6 88 4b 7c 00 cc 5e 6c e7 ac 36 47 0e a7 00 2b 00 02 7f 16 ciphertext (181 octets): 16 03 03 00 b0 02 00 00 ac 03 03 cf 21 ad 74 e5 9a 61 11 be 1d 8c 02 1e 65 b8 91 c2 a2 11 16 7a bb 8c 5e 07 9e 09 e2 c8 a8 33 9c 00 13 01 00 00 84 00 28 00 02 00 17 00 2c 00 74 00 72 3c c7 0f 98 68 ee 6d bc bb 7b 7c 21 00 00 00 00 73 d2 77 2a 29 c9 93 b4 e0 c3 78 de 45 9e 99 ea 00 30 97 19 7d a5 86 38 74 31 85 03 d3 dd e2 41 7d 5f b7 8c 92 76 13 14 10 ea a9 2e 9e 8a f5 4e a0 92 86 7b 67 7d 64 4f 96 d8 c5 fd 48 30 Thomson Expires June 7, 2018 [Page 23] Internet-Draft TLS 1.3 Traces December 2017 d1 70 dd 1b 3f 8a 85 17 ab ee 19 60 52 d8 e4 29 3d 62 f0 3b 6d 29 b6 88 4b 7c 00 cc 5e 6c e7 ac 36 47 0e a7 00 2b 00 02 7f 16 {client} create an ephemeral P-256 key pair: private key (32 octets): e5 d7 d7 16 54 b7 0d 85 b7 ef f8 ff 9f b4 10 f8 cc 6d 5c 0d 46 cb 4f 3c 96 28 61 c5 20 88 5d e0 public key (65 octets): 04 17 35 66 97 92 26 4a 94 82 cf 17 8e 99 0a e8 49 a3 55 2f 71 ec b8 4c 7b 02 2b 84 f0 57 eb b9 03 a2 e7 ad 9d 2f 7d 44 e3 59 1a d0 04 33 a6 b2 d8 6d 57 9a af 1b 6a 2b 01 72 df 0e 6e 00 08 7a bb {client} send a ClientHello handshake message {client} send handshake record: payload (512 octets): 01 00 01 fc 03 03 24 cc 22 ad 4c 8b 8c ed c8 e7 ee ac 95 93 1b 24 9d 3a dd 7d 98 c5 e0 d8 35 f5 d7 81 0d fb b1 80 00 00 06 13 01 13 03 13 02 01 00 01 cd 00 00 00 0b 00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 08 00 06 00 1d 00 17 00 18 00 28 00 47 00 45 00 17 00 41 04 17 35 66 97 92 26 4a 94 82 cf 17 8e 99 0a e8 49 a3 55 2f 71 ec b8 4c 7b 02 2b 84 f0 57 eb b9 03 a2 e7 ad 9d 2f 7d 44 e3 59 1a d0 04 33 a6 b2 d8 6d 57 9a af 1b 6a 2b 01 72 df 0e 6e 00 08 7a bb 00 2b 00 03 02 7f 16 00 0d 00 20 00 1e 04 03 05 03 06 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 06 02 02 02 00 2c 00 74 00 72 3c c7 0f 98 68 ee 6d bc bb 7b 7c 21 00 00 00 00 73 d2 77 2a 29 c9 93 b4 e0 c3 78 de 45 9e 99 ea 00 30 97 19 7d a5 86 38 74 31 85 03 d3 dd e2 41 7d 5f b7 8c 92 76 13 14 10 ea a9 2e 9e 8a f5 4e a0 92 86 7b 67 7d 64 4f 96 d8 c5 fd 48 30 d1 70 dd 1b 3f 8a 85 17 ab ee 19 60 52 d8 e4 29 3d 62 f0 3b 6d 29 b6 88 4b 7c 00 cc 5e 6c e7 ac 36 47 0e a7 00 2d 00 02 01 01 00 15 00 b5 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ciphertext (517 octets): 16 03 03 02 00 01 00 01 fc 03 03 24 cc 22 ad 4c 8b 8c ed c8 e7 ee ac 95 93 1b 24 9d 3a dd 7d 98 c5 e0 d8 35 f5 d7 81 0d fb b1 80 00 00 06 13 01 13 03 13 02 01 00 01 cd 00 00 00 0b 00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 08 00 06 00 1d 00 17 00 18 00 28 00 47 00 45 00 17 00 Thomson Expires June 7, 2018 [Page 24] Internet-Draft TLS 1.3 Traces December 2017 41 04 17 35 66 97 92 26 4a 94 82 cf 17 8e 99 0a e8 49 a3 55 2f 71 ec b8 4c 7b 02 2b 84 f0 57 eb b9 03 a2 e7 ad 9d 2f 7d 44 e3 59 1a d0 04 33 a6 b2 d8 6d 57 9a af 1b 6a 2b 01 72 df 0e 6e 00 08 7a bb 00 2b 00 03 02 7f 16 00 0d 00 20 00 1e 04 03 05 03 06 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 06 02 02 02 00 2c 00 74 00 72 3c c7 0f 98 68 ee 6d bc bb 7b 7c 21 00 00 00 00 73 d2 77 2a 29 c9 93 b4 e0 c3 78 de 45 9e 99 ea 00 30 97 19 7d a5 86 38 74 31 85 03 d3 dd e2 41 7d 5f b7 8c 92 76 13 14 10 ea a9 2e 9e 8a f5 4e a0 92 86 7b 67 7d 64 4f 96 d8 c5 fd 48 30 d1 70 dd 1b 3f 8a 85 17 ab ee 19 60 52 d8 e4 29 3d 62 f0 3b 6d 29 b6 88 4b 7c 00 cc 5e 6c e7 ac 36 47 0e a7 00 2d 00 02 01 01 00 15 00 b5 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 {server} extract secret "early": salt: (absent) ikm (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 secret (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a {server} create an ephemeral P-256 key pair: private key (32 octets): b1 6d 06 d1 40 ff d5 a9 3b b1 bf 4d 58 d7 3d 97 06 62 b9 a5 50 25 ca 63 bc b1 b4 f6 75 ac 73 15 public key (65 octets): 04 89 cf b4 c1 91 61 f7 0e b1 5a 43 81 40 02 13 53 46 37 bd b4 fe d0 20 a9 2e 59 d9 58 10 ff eb e3 a8 dd bd f2 e2 cc 65 71 fe 17 df 28 3a 37 22 f1 23 f3 32 fc b0 cb 3d 8b bb 9f 0b 65 e0 07 46 ae {server} send a ServerHello handshake message {server} derive secret for handshake "tls13 derived": PRK (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a Thomson Expires June 7, 2018 [Page 25] Internet-Draft TLS 1.3 Traces December 2017 hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 output (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba {server} extract secret "handshake": salt (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba ikm (32 octets): ba 1c d6 f8 aa 98 a2 de ff b7 ba bb 8e 52 4d 2f d3 e8 2d 5c ff 5d 7b e3 0a 20 80 ef 62 6a 92 b3 secret (32 octets): 8e f8 e6 41 ab fd 33 02 a2 4a c0 03 d0 98 2a 3e 6e ef cd 99 46 ed 19 82 b8 1b 4d e2 ab c8 7d e8 {server} derive secret "tls13 c hs traffic": PRK (32 octets): 8e f8 e6 41 ab fd 33 02 a2 4a c0 03 d0 98 2a 3e 6e ef cd 99 46 ed 19 82 b8 1b 4d e2 ab c8 7d e8 hash (32 octets): 87 73 ef 3f d6 03 64 ff ab 64 c5 f1 66 f8 30 09 c2 9e c6 70 16 76 e5 cc 60 b5 1a 2f 2a dd 9e 27 info (54 octets): 00 20 12 74 6c 73 31 33 20 63 20 68 73 20 74 72 61 66 66 69 63 20 87 73 ef 3f d6 03 64 ff ab 64 c5 f1 66 f8 30 09 c2 9e c6 70 16 76 e5 cc 60 b5 1a 2f 2a dd 9e 27 output (32 octets): 1e af b2 10 3a c5 96 e5 a8 67 3e ae 2c 42 0c ff b2 d9 45 99 d9 00 08 94 0b db a8 8c a7 71 26 26 {server} derive secret "tls13 s hs traffic": PRK (32 octets): 8e f8 e6 41 ab fd 33 02 a2 4a c0 03 d0 98 2a 3e 6e ef cd 99 46 ed 19 82 b8 1b 4d e2 ab c8 7d e8 hash (32 octets): 87 73 ef 3f d6 03 64 ff ab 64 c5 f1 66 f8 30 09 c2 9e c6 70 16 76 e5 cc 60 b5 1a 2f 2a dd 9e 27 info (54 octets): 00 20 12 74 6c 73 31 33 20 73 20 68 73 20 74 72 61 66 66 69 63 20 87 73 ef 3f d6 03 64 ff ab 64 c5 f1 66 f8 30 09 c2 9e c6 70 16 76 e5 cc 60 b5 1a 2f 2a dd 9e 27 Thomson Expires June 7, 2018 [Page 26] Internet-Draft TLS 1.3 Traces December 2017 output (32 octets): 82 54 e1 25 3f 75 bf a5 bb 5c 4e f2 b1 bb 79 73 e0 b7 b8 32 51 31 2b ce 86 30 8e a1 27 b5 52 e0 {server} derive secret for master "tls13 derived": PRK (32 octets): 8e f8 e6 41 ab fd 33 02 a2 4a c0 03 d0 98 2a 3e 6e ef cd 99 46 ed 19 82 b8 1b 4d e2 ab c8 7d e8 hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 output (32 octets): 91 74 25 ca 4f 3e 40 22 e2 e6 bb 99 25 f2 f7 08 e9 7c 1c 75 56 cd e8 63 52 1f 40 b3 c8 2f 49 36 {server} extract secret "master": salt (32 octets): 91 74 25 ca 4f 3e 40 22 e2 e6 bb 99 25 f2 f7 08 e9 7c 1c 75 56 cd e8 63 52 1f 40 b3 c8 2f 49 36 ikm (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 secret (32 octets): 5f 5f 3a b7 4a c0 3b 74 79 0f 0f 40 33 f9 e9 3c 18 44 95 ac 41 03 a9 f2 2d 43 d8 dc 57 86 a2 95 {server} send handshake record: payload (123 octets): 02 00 00 77 03 03 eb 62 5e d0 a8 a3 3c 5f a3 c2 77 5a eb a4 c6 2a 4f 31 71 f2 ff ea e4 ea 53 38 27 30 41 6f f7 3a 00 13 01 00 00 4f 00 28 00 45 00 17 00 41 04 89 cf b4 c1 91 61 f7 0e b1 5a 43 81 40 02 13 53 46 37 bd b4 fe d0 20 a9 2e 59 d9 58 10 ff eb e3 a8 dd bd f2 e2 cc 65 71 fe 17 df 28 3a 37 22 f1 23 f3 32 fc b0 cb 3d 8b bb 9f 0b 65 e0 07 46 ae 00 2b 00 02 7f 16 ciphertext (128 octets): 16 03 03 00 7b 02 00 00 77 03 03 eb 62 5e d0 a8 a3 3c 5f a3 c2 77 5a eb a4 c6 2a 4f 31 71 f2 ff ea e4 ea 53 38 27 30 41 6f f7 3a 00 13 01 00 00 4f 00 28 00 45 00 17 00 41 04 89 cf b4 c1 91 61 f7 0e b1 5a 43 81 40 02 13 53 46 37 bd b4 fe d0 20 a9 2e 59 d9 58 10 ff eb e3 a8 dd bd f2 e2 cc 65 71 fe 17 df 28 3a 37 22 f1 23 f3 32 fc b0 cb 3d 8b bb 9f 0b 65 e0 07 46 ae 00 2b 00 02 7f 16 {server} send a EncryptedExtensions handshake message Thomson Expires June 7, 2018 [Page 27] Internet-Draft TLS 1.3 Traces December 2017 {server} send a Certificate handshake message {server} send a CertificateVerify handshake message {server} calculate finished "tls13 finished": PRK (32 octets): 82 54 e1 25 3f 75 bf a5 bb 5c 4e f2 b1 bb 79 73 e0 b7 b8 32 51 31 2b ce 86 30 8e a1 27 b5 52 e0 hash (0 octets): (empty) info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65 64 00 output (32 octets): a3 3a 40 a0 16 61 06 92 2f 96 9d 66 28 69 0e ad 71 29 6b 1c 9f 44 14 64 e8 f4 c4 c2 33 14 10 15 {server} send a Finished handshake message {server} send handshake record: payload (639 octets): 08 00 00 12 00 10 00 0a 00 08 00 06 00 17 00 18 00 1d 00 00 00 00 0b 00 01 b9 00 00 01 b5 00 01 b0 30 82 01 ac 30 82 01 15 a0 03 02 01 02 02 01 02 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 0e 31 0c 30 0a 06 03 55 04 03 13 03 72 73 61 30 1e 17 0d 31 36 30 37 33 30 30 31 32 33 35 39 5a 17 0d 32 36 30 37 33 30 30 31 32 33 35 39 5a 30 0e 31 0c 30 0a 06 03 55 04 03 13 03 72 73 61 30 81 9f 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 81 8d 00 30 81 89 02 81 81 00 b4 bb 49 8f 82 79 30 3d 98 08 36 39 9b 36 c6 98 8c 0c 68 de 55 e1 bd b8 26 d3 90 1a 24 61 ea fd 2d e4 9a 91 d0 15 ab bc 9a 95 13 7a ce 6c 1a f1 9e aa 6a f9 8c 7c ed 43 12 09 98 e1 87 a8 0e e0 cc b0 52 4b 1b 01 8c 3e 0b 63 26 4d 44 9a 6d 38 e2 2a 5f da 43 08 46 74 80 30 53 0e f0 46 1c 8c a9 d9 ef bf ae 8e a6 d1 d0 3e 2b d1 93 ef f0 ab 9a 80 02 c4 74 28 a6 d3 5a 8d 88 d7 9f 7f 1e 3f 02 03 01 00 01 a3 1a 30 18 30 09 06 03 55 1d 13 04 02 30 00 30 0b 06 03 55 1d 0f 04 04 03 02 05 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 81 81 00 85 aa d2 a0 e5 b9 27 6b 90 8c 65 f7 3a 72 67 17 06 18 a5 4c 5f 8a 7b 33 7d 2d f7 a5 94 36 54 17 f2 ea e8 f8 a5 8c 8f 81 72 f9 31 9c f3 6b 7f d6 c5 5b 80 f2 1a 03 01 51 56 72 60 96 fd 33 5e 5e 67 f2 db f1 02 70 2e 60 8c ca e6 be c1 fc 63 a4 2a 99 be 5c 3e b7 10 7c 3c 54 e9 b9 eb 2b d5 20 3b 1c 3b 84 e0 a8 b2 f7 59 40 9b a3 ea c9 d9 1d 40 2d cc 0c c8 f8 96 12 29 ac 91 87 b4 2b 4d e1 00 00 0f 00 00 84 08 04 00 80 96 ac 87 45 e8 60 64 a1 18 d3 35 75 88 1c c7 db 99 b7 ad 5c f6 42 04 2f 0c 6a 4c 65 42 d6 15 3e f7 b4 71 2d 9f 9f 7c 16 7a 9c fe 1b 9f 7a e7 41 4b ff 4c d1 3c dd 81 1d ce 07 ce 22 7b f2 ec 74 38 e9 22 6e 7d da 00 0e f8 34 85 60 ed 21 6b 28 a8 bc 6d b6 10 Thomson Expires June 7, 2018 [Page 28] Internet-Draft TLS 1.3 Traces December 2017 3c aa 96 00 d8 84 7c a6 f0 ea 40 64 da 4f 7d 6d c7 b5 98 ff 54 36 a0 4e 01 7d e3 2c 12 eb f3 2e 55 3b e2 60 3e 0f 63 20 63 42 b8 14 00 00 20 a4 98 49 23 dd 33 35 94 bd 90 4b 9e 80 1b c1 88 73 31 57 ba 4b 16 c7 62 cd a9 f6 f3 0f e9 a6 88 ciphertext (661 octets): 17 03 03 02 90 11 09 c2 d4 04 4a ea 1f e6 a7 d0 e1 52 4a 86 e6 b3 fd 43 3a 4a 86 8a 8c 10 1a 58 ab b3 38 1e 66 c6 9a bc b0 0d c0 ba d7 b4 9c c3 24 55 aa 28 c8 e5 13 13 a0 9b 4f 19 fc 3c b9 9b 35 5e 8a 4a fc 74 84 c4 c6 d4 de 32 d5 75 01 4c 53 71 48 ce 7d df 31 d9 3a f5 fb f1 ac dd b8 c7 13 32 e7 ce d7 7a 2f 4d e0 16 dd 98 5a 2c ec 06 8a e2 49 fd a9 bc a4 d7 23 19 5a df d8 b8 03 95 00 e9 e1 d6 c6 01 20 6a 6a 85 33 56 1a ab ca f5 cc f2 e2 b7 c5 9e 74 75 1a 41 ca 95 15 03 26 a8 f2 25 56 7f bb 9f ad 99 39 b6 d6 ca a2 47 90 05 d9 4b b8 95 18 ca 63 84 cf 66 dd 97 36 2f 8c 40 13 26 d4 22 d5 3f bd 68 1b 14 09 16 ec 14 31 45 32 49 04 dd 7f 63 26 96 81 a1 36 f2 e6 15 f4 7e e9 e3 2a a3 25 2e 0c 3b 1d 47 a9 92 63 50 b4 98 5b 96 51 ef c5 14 80 09 61 6d 75 df dd e9 33 1f e2 ae e5 44 c4 a1 40 10 2a db c1 12 d4 45 1e 1b 90 46 02 9e 71 b9 36 60 49 c9 ac aa 36 82 79 f0 dc 27 00 bb 15 1d 96 6d 2d 71 a7 55 44 6a 74 9f 3f fb 2b 10 11 0d 2f 9d c2 1e f7 1d b7 2b 53 ae 2b a8 70 70 f2 79 15 b8 a3 4a 4c 92 03 70 36 3b f7 75 98 a8 99 3d 6d 97 45 53 f7 6a 83 dd e2 a5 5c 30 10 ed bf 86 ec 45 6c 5e 12 f4 fb 28 3f d5 25 e2 2b f8 4e 28 03 41 9a 1f 5c 0d 83 7c e5 bc b1 8c 36 18 06 35 c1 d3 28 30 f4 af f6 60 7a 72 81 1e 4e 19 02 b1 c0 88 4e 3c 97 dd 44 3f 69 5e e3 fe 76 db 3e cc d4 36 ae 87 0f 7f 1d b1 3e 00 cc 41 9c c4 5a 44 69 29 92 c2 e1 62 41 fb 31 d4 ed e3 95 77 2b 31 fd e3 cc 4d b3 27 64 0f 48 d8 3f 63 5f 95 be f6 7f b3 60 c3 c9 8e db d6 ae 57 4f ae d0 dc 59 38 20 b2 48 3e 6f 2d ae 39 51 5d 9c 54 b9 d1 66 5a 7c ac 02 16 fa 32 55 0a a4 46 a5 e3 7c 9d af 54 ed 38 71 39 eb 85 47 cc 53 13 7b 02 37 4b 4a 03 4d 38 18 69 57 81 da 2a 23 ec 82 b5 81 98 3d 69 5b 84 37 94 07 cc 87 dc 85 4e 0d 06 3e 6d 62 d2 3c 97 97 5e 91 7d b6 d5 21 82 83 a2 e8 15 16 43 37 5f 0b a1 84 59 91 ed 6f 40 9a 68 31 b5 7a 1c 5d dd 88 fe b6 e9 cc 66 ee 1f 3c 28 60 f6 1d f0 f8 1e bb 3b 0a 87 2d 0c 2d 00 ae 84 44 5f 47 89 31 7d 02 e1 b6 75 a8 db cc 45 66 34 28 95 ff 20 77 d8 9d 20 2d 86 43 22 be 4c c6 b3 f0 bf df {server} derive secret "tls13 c ap traffic": PRK (32 octets): 5f 5f 3a b7 4a c0 3b 74 79 0f 0f 40 33 f9 e9 3c 18 44 95 ac 41 03 a9 f2 2d 43 d8 dc 57 86 a2 95 hash (32 octets): 62 05 ce 54 b4 21 f2 e9 c4 2e ed 68 3d 19 12 89 cd 9b 1f 9a 84 4d 94 c2 3e 95 b8 94 cc 4e 8a 42 Thomson Expires June 7, 2018 [Page 29] Internet-Draft TLS 1.3 Traces December 2017 info (54 octets): 00 20 12 74 6c 73 31 33 20 63 20 61 70 20 74 72 61 66 66 69 63 20 62 05 ce 54 b4 21 f2 e9 c4 2e ed 68 3d 19 12 89 cd 9b 1f 9a 84 4d 94 c2 3e 95 b8 94 cc 4e 8a 42 output (32 octets): de 2e 40 35 e0 1c 52 ea e4 d5 b8 b3 46 50 c3 32 04 53 6b 07 03 09 21 e4 31 95 37 b4 a0 90 1e e0 {server} derive secret "tls13 s ap traffic": PRK (32 octets): 5f 5f 3a b7 4a c0 3b 74 79 0f 0f 40 33 f9 e9 3c 18 44 95 ac 41 03 a9 f2 2d 43 d8 dc 57 86 a2 95 hash (32 octets): 62 05 ce 54 b4 21 f2 e9 c4 2e ed 68 3d 19 12 89 cd 9b 1f 9a 84 4d 94 c2 3e 95 b8 94 cc 4e 8a 42 info (54 octets): 00 20 12 74 6c 73 31 33 20 73 20 61 70 20 74 72 61 66 66 69 63 20 62 05 ce 54 b4 21 f2 e9 c4 2e ed 68 3d 19 12 89 cd 9b 1f 9a 84 4d 94 c2 3e 95 b8 94 cc 4e 8a 42 output (32 octets): 14 ff 87 2f 92 e2 e2 5c c2 18 e0 15 bf db f7 b9 1d b3 42 c7 20 00 e2 bd 1d 5c 08 06 d7 56 ab 4d {server} derive secret "tls13 exp master": PRK (32 octets): 5f 5f 3a b7 4a c0 3b 74 79 0f 0f 40 33 f9 e9 3c 18 44 95 ac 41 03 a9 f2 2d 43 d8 dc 57 86 a2 95 hash (32 octets): 62 05 ce 54 b4 21 f2 e9 c4 2e ed 68 3d 19 12 89 cd 9b 1f 9a 84 4d 94 c2 3e 95 b8 94 cc 4e 8a 42 info (52 octets): 00 20 10 74 6c 73 31 33 20 65 78 70 20 6d 61 73 74 65 72 20 62 05 ce 54 b4 21 f2 e9 c4 2e ed 68 3d 19 12 89 cd 9b 1f 9a 84 4d 94 c2 3e 95 b8 94 cc 4e 8a 42 output (32 octets): 10 9f ba 7b bc 8d 86 f3 f8 56 bf d6 a1 0e f3 c2 fb f6 8c 6e 06 70 1b ab 97 6b a8 0c bf 00 12 d5 {client} extract secret "early": salt: (absent) ikm (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 secret (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a {client} derive secret for handshake "tls13 derived": Thomson Expires June 7, 2018 [Page 30] Internet-Draft TLS 1.3 Traces December 2017 PRK (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 output (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba {client} extract secret "handshake": salt (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba ikm (32 octets): ba 1c d6 f8 aa 98 a2 de ff b7 ba bb 8e 52 4d 2f d3 e8 2d 5c ff 5d 7b e3 0a 20 80 ef 62 6a 92 b3 secret (32 octets): 8e f8 e6 41 ab fd 33 02 a2 4a c0 03 d0 98 2a 3e 6e ef cd 99 46 ed 19 82 b8 1b 4d e2 ab c8 7d e8 {client} derive secret "tls13 c hs traffic" (same as server) {client} derive secret "tls13 s hs traffic" (same as server) {client} derive secret for master "tls13 derived" (same as server) {client} extract secret "master" (same as server) {client} calculate finished "tls13 finished" (same as server) {client} derive secret "tls13 c ap traffic" (same as server) {client} derive secret "tls13 s ap traffic" (same as server) {client} derive secret "tls13 exp master" (same as server) {client} calculate finished "tls13 finished": PRK (32 octets): 1e af b2 10 3a c5 96 e5 a8 67 3e ae 2c 42 0c ff b2 d9 45 99 d9 00 08 94 0b db a8 8c a7 71 26 26 hash (0 octets): (empty) Thomson Expires June 7, 2018 [Page 31] Internet-Draft TLS 1.3 Traces December 2017 info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65 64 00 output (32 octets): 19 3b 17 c6 19 fb 94 85 1f 97 91 db 7b 9a 9e 03 9d 4f 81 96 9a 93 71 02 06 4b 45 a3 be e9 a3 12 {client} send a Finished handshake message {client} send handshake record: payload (36 octets): 14 00 00 20 3c 9c 63 c4 72 e5 d6 ab 04 4d 14 59 2e 5a d8 a2 ef 4c 1d 70 f7 f7 7a 13 3c 8d cc fc 05 a6 df 52 ciphertext (58 octets): 17 03 03 00 35 cd db d8 39 c3 4d 8d b2 a1 fc 58 5e 55 78 f6 5f ec 70 81 d6 95 00 88 09 02 5c 0c 9d 4f 87 5a f9 e7 10 d7 52 a2 0a 3d 2c 59 86 7e 92 6e b4 39 52 e2 8f 91 83 da {client} derive secret "tls13 res master": PRK (32 octets): 5f 5f 3a b7 4a c0 3b 74 79 0f 0f 40 33 f9 e9 3c 18 44 95 ac 41 03 a9 f2 2d 43 d8 dc 57 86 a2 95 hash (32 octets): cb 0c c7 bc 35 ef 49 7c be e7 ea fa 2b ff a2 2f 8d a5 b8 28 5e 83 35 48 0c 33 65 81 32 22 2c c2 info (52 octets): 00 20 10 74 6c 73 31 33 20 72 65 73 20 6d 61 73 74 65 72 20 cb 0c c7 bc 35 ef 49 7c be e7 ea fa 2b ff a2 2f 8d a5 b8 28 5e 83 35 48 0c 33 65 81 32 22 2c c2 output (32 octets): 18 8c 90 bc 6f a9 7a 8d d5 55 1d 80 b1 ae 18 42 4c f3 e2 f6 90 bc 70 54 e3 6b 33 3f 17 30 17 f3 {server} calculate finished "tls13 finished" (same as client) {server} derive secret "tls13 res master" (same as client) {client} send alert record: payload (2 octets): 01 00 ciphertext (24 octets): 17 03 03 00 13 93 21 5e 8c f7 98 69 b6 9a 28 57 8f 90 f4 c6 94 6e 5c 9b {server} send alert record: payload (2 octets): 01 00 Thomson Expires June 7, 2018 [Page 32] Internet-Draft TLS 1.3 Traces December 2017 ciphertext (24 octets): 17 03 03 00 13 4a b5 80 73 c0 a8 93 de 17 76 47 6d ec d2 5e 97 84 e3 d1 6. Client Authentication In this example, the server requests client authentication. The client uses a certificate with an RSA key, the server uses an ECDSA certificate with a P-256 key. {client} create an ephemeral x25519 key pair: private key (32 octets): a4 0d c1 93 0c 00 af 0e 9d 3b c2 6c f9 0f 5e ee 7d ba 97 17 1f 53 2b 71 7f ef bf bf 87 08 38 c9 public key (32 octets): d5 dd 20 0f ad 08 39 7b 40 f3 e6 14 45 24 0c 75 78 5e b2 e5 0b 72 7c 5a 04 91 64 0d c1 2c 3a 0e {client} send a ClientHello handshake message {client} send handshake record: payload (186 octets): 01 00 00 b6 03 03 a3 ce 03 a9 0c 76 17 79 2d ee d9 6e 55 b1 6a b8 fc 10 91 2c 67 f3 3d db d1 50 b3 25 d5 ca d6 58 00 00 06 13 01 13 03 13 02 01 00 00 87 00 00 00 0b 00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 14 00 12 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 28 00 26 00 24 00 1d 00 20 d5 dd 20 0f ad 08 39 7b 40 f3 e6 14 45 24 0c 75 78 5e b2 e5 0b 72 7c 5a 04 91 64 0d c1 2c 3a 0e 00 2b 00 03 02 7f 16 00 0d 00 20 00 1e 04 03 05 03 06 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 06 02 02 02 00 2d 00 02 01 01 ciphertext (191 octets): 16 03 01 00 ba 01 00 00 b6 03 03 a3 ce 03 a9 0c 76 17 79 2d ee d9 6e 55 b1 6a b8 fc 10 91 2c 67 f3 3d db d1 50 b3 25 d5 ca d6 58 00 00 06 13 01 13 03 13 02 01 00 00 87 00 00 00 0b 00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 14 00 12 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 28 00 26 00 24 00 1d 00 20 d5 dd 20 0f ad 08 39 7b 40 f3 e6 14 45 24 0c 75 78 5e b2 e5 0b 72 7c 5a 04 91 64 0d c1 2c 3a 0e 00 2b 00 03 02 7f 16 00 0d 00 20 00 1e 04 03 05 03 06 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 06 02 02 02 00 2d 00 02 01 01 {server} extract secret "early": salt: (absent) Thomson Expires June 7, 2018 [Page 33] Internet-Draft TLS 1.3 Traces December 2017 ikm (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 secret (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a {server} create an ephemeral x25519 key pair: private key (32 octets): 01 f2 df a3 5d 2f f7 47 3c b2 b2 85 25 74 2d a0 58 a0 35 c7 f8 21 bc 86 bf c2 11 72 16 be cc aa public key (32 octets): b5 89 13 10 62 da ed c2 12 1b b7 5c 36 88 0b 71 12 c1 96 7f fe 17 db 5f a7 ef ef 22 90 90 1e 3d {server} send a ServerHello handshake message {server} derive secret for handshake "tls13 derived": PRK (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 output (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba {server} extract secret "handshake": salt (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba ikm (32 octets): 94 2f 83 fa ee 2f ad ad 24 2e eb fb c7 a6 6d 5e c7 71 04 b1 3c d4 97 e0 b1 0d 9d 70 69 1d e8 6a secret (32 octets): 53 d7 91 87 9a 6b 33 f3 86 45 35 3b 3e 03 49 e5 e0 88 e4 0b 6c 37 00 12 0c 80 04 25 d3 d5 e9 9f {server} derive secret "tls13 c hs traffic": PRK (32 octets): 53 d7 91 87 9a 6b 33 f3 86 45 35 3b 3e 03 49 e5 e0 88 e4 0b 6c 37 00 12 0c 80 04 25 d3 d5 e9 9f Thomson Expires June 7, 2018 [Page 34] Internet-Draft TLS 1.3 Traces December 2017 hash (32 octets): 7a a6 f3 63 a4 49 35 45 a9 31 9b da 72 05 59 8c e1 5c bc 83 48 40 ce 04 c0 0e 8f 96 0b 27 80 7b info (54 octets): 00 20 12 74 6c 73 31 33 20 63 20 68 73 20 74 72 61 66 66 69 63 20 7a a6 f3 63 a4 49 35 45 a9 31 9b da 72 05 59 8c e1 5c bc 83 48 40 ce 04 c0 0e 8f 96 0b 27 80 7b output (32 octets): e8 d4 bb 93 8c a3 de 6d 1d 7c 78 01 a5 57 20 aa df cd 34 2d c8 a4 47 04 1d 21 7c 83 c8 df f3 94 {server} derive secret "tls13 s hs traffic": PRK (32 octets): 53 d7 91 87 9a 6b 33 f3 86 45 35 3b 3e 03 49 e5 e0 88 e4 0b 6c 37 00 12 0c 80 04 25 d3 d5 e9 9f hash (32 octets): 7a a6 f3 63 a4 49 35 45 a9 31 9b da 72 05 59 8c e1 5c bc 83 48 40 ce 04 c0 0e 8f 96 0b 27 80 7b info (54 octets): 00 20 12 74 6c 73 31 33 20 73 20 68 73 20 74 72 61 66 66 69 63 20 7a a6 f3 63 a4 49 35 45 a9 31 9b da 72 05 59 8c e1 5c bc 83 48 40 ce 04 c0 0e 8f 96 0b 27 80 7b output (32 octets): 8b fc e8 b0 11 4e ac cd 83 64 68 b5 e4 60 30 fd 32 1c 37 20 7a 41 cd 22 66 4f 56 53 14 f2 1e 05 {server} derive secret for master "tls13 derived": PRK (32 octets): 53 d7 91 87 9a 6b 33 f3 86 45 35 3b 3e 03 49 e5 e0 88 e4 0b 6c 37 00 12 0c 80 04 25 d3 d5 e9 9f hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 output (32 octets): 6f d8 3c 95 03 f0 45 fb a0 08 69 a3 23 22 28 0f 38 85 3f cd 95 15 f1 3c e5 09 60 f0 e6 00 24 84 {server} extract secret "master": salt (32 octets): 6f d8 3c 95 03 f0 45 fb a0 08 69 a3 23 22 28 0f 38 85 3f cd 95 15 f1 3c e5 09 60 f0 e6 00 24 84 ikm (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Thomson Expires June 7, 2018 [Page 35] Internet-Draft TLS 1.3 Traces December 2017 secret (32 octets): 86 05 00 52 9e e3 a6 0a 26 44 3e 62 2a 4c 00 0a b3 ff 0d ea 05 05 5c c3 ed f3 bf 01 f7 11 db ba {server} send handshake record: payload (90 octets): 02 00 00 56 03 03 0b 21 fe 7a 05 5c 66 77 67 7b 21 e0 7d fc 22 f9 65 92 1c 5c 3e 0c c8 85 b1 71 5e 2e 01 a8 91 3d 00 13 01 00 00 2e 00 28 00 24 00 1d 00 20 b5 89 13 10 62 da ed c2 12 1b b7 5c 36 88 0b 71 12 c1 96 7f fe 17 db 5f a7 ef ef 22 90 90 1e 3d 00 2b 00 02 7f 16 ciphertext (95 octets): 16 03 03 00 5a 02 00 00 56 03 03 0b 21 fe 7a 05 5c 66 77 67 7b 21 e0 7d fc 22 f9 65 92 1c 5c 3e 0c c8 85 b1 71 5e 2e 01 a8 91 3d 00 13 01 00 00 2e 00 28 00 24 00 1d 00 20 b5 89 13 10 62 da ed c2 12 1b b7 5c 36 88 0b 71 12 c1 96 7f fe 17 db 5f a7 ef ef 22 90 90 1e 3d 00 2b 00 02 7f 16 {server} send a EncryptedExtensions handshake message {server} send a CertificateRequest handshake message {server} send a Certificate handshake message {server} send a CertificateVerify handshake message {server} calculate finished "tls13 finished": PRK (32 octets): 8b fc e8 b0 11 4e ac cd 83 64 68 b5 e4 60 30 fd 32 1c 37 20 7a 41 cd 22 66 4f 56 53 14 f2 1e 05 hash (0 octets): (empty) info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65 64 00 output (32 octets): 23 48 7f 1e 47 29 a3 ef 3d fb e1 61 bd 0c d1 c0 42 51 86 74 be 62 54 5b f1 62 25 7a d7 d9 4e 9d {server} send a Finished handshake message {server} send handshake record: payload (512 octets): 08 00 00 1e 00 1c 00 0a 00 14 00 12 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 00 00 00 0d 00 00 27 00 00 24 00 0d 00 20 00 1e 04 03 05 03 06 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 06 02 02 02 0b 00 01 3b 00 00 01 37 00 01 32 30 82 01 2e 30 81 d5 a0 03 02 01 02 02 01 07 30 0a 06 08 2a 86 48 ce 3d 04 03 02 30 13 31 11 Thomson Expires June 7, 2018 [Page 36] Internet-Draft TLS 1.3 Traces December 2017 30 0f 06 03 55 04 03 13 08 65 63 64 73 61 32 35 36 30 1e 17 0d 31 36 30 37 33 30 30 31 32 34 30 30 5a 17 0d 32 36 30 37 33 30 30 31 32 34 30 30 5a 30 13 31 11 30 0f 06 03 55 04 03 13 08 65 63 64 73 61 32 35 36 30 59 30 13 06 07 2a 86 48 ce 3d 02 01 06 08 2a 86 48 ce 3d 03 01 07 03 42 00 04 08 d5 30 16 15 75 f4 cf e7 f1 54 ee 34 48 18 00 86 00 1e 88 43 1a 79 ee 62 ee 6e 2f 83 ef 38 ba 61 e9 fb 37 f3 4e 00 7a 7d f4 d2 f5 b5 6d 1f 04 ec e4 5d 62 1f 46 84 06 f5 c3 a1 51 58 94 8d d0 a3 1a 30 18 30 09 06 03 55 1d 13 04 02 30 00 30 0b 06 03 55 1d 0f 04 04 03 02 07 80 30 0a 06 08 2a 86 48 ce 3d 04 03 02 03 48 00 30 45 02 21 00 df 30 fd 45 07 f5 ed d2 2c 1a 6f f8 6d b4 79 ca 69 3f ee ca 3b 71 b3 f9 ef 55 6b 29 37 c0 59 4d 02 20 62 e2 a4 72 50 d3 20 fe a8 3c 7e 2d cb 5b 76 a5 0e 02 00 c0 9a db d1 3f ee 94 6e 51 3e 01 1d 11 00 00 0f 00 00 4c 04 03 00 48 30 46 02 21 00 f7 46 ae b2 e0 10 2f 37 94 0d d8 90 2b 0a 80 63 33 b7 63 69 06 28 9b ae f0 a9 7d 92 12 ab 14 30 02 21 00 a7 81 31 62 2d 82 7b ce 23 d5 04 c7 f8 1e 2a 78 d7 fb d6 59 fa 09 e1 e7 4c 5a 74 b9 b0 e5 5f 3e 14 00 00 20 c6 c0 d6 02 f0 3c e5 92 6c 9e 53 05 04 a0 0a 5f d5 40 97 5d de c4 6a fd 8a 18 fa 20 85 17 08 d6 ciphertext (534 octets): 17 03 03 02 11 17 bf 02 f6 e5 be bf f8 97 3f de b8 5f 0c cd 77 d7 5e 02 12 69 d8 47 5d 82 a4 26 74 bf e3 6c c7 a2 89 6f 63 42 3a aa 5f e2 b2 f8 96 6a 85 61 cb 25 f4 c4 e2 8e c2 df 74 64 85 cf 64 fd f4 28 e6 fb c9 02 49 89 3a 62 a8 15 c5 7a f9 8d 03 73 44 4f 90 85 40 1c e2 5f 4b fb 30 e9 99 85 6a b0 eb 87 70 ef b0 1a cb 7e 30 c3 be d5 3d a3 03 32 b7 dc 1b 31 78 89 49 a8 05 71 4a 06 81 75 4b 41 d4 57 93 c8 b8 28 29 b1 9f 6a fa ea b5 bc c1 78 3d 0b 5e 39 63 03 67 7e fc 73 26 5a 2c 0c cc 07 02 6f e0 98 46 3b 7e e1 d7 c7 e9 81 ff 7c 89 61 d0 9d e7 fc be 92 77 98 25 98 a5 e9 0f 53 3a 23 5e 1a e3 81 01 fc 87 07 69 3e c3 ff 90 47 75 52 87 91 74 65 d3 a6 44 12 2c 73 6c 1f e5 98 a2 a9 45 87 c3 d2 4f b8 6a d2 18 97 2d 99 38 c0 89 42 ce 28 64 20 db a4 3a 39 84 46 55 5f 3b 12 d0 84 5b e9 c8 fe 0c 8d 71 f6 99 97 b7 08 b7 51 9c 7b 78 70 98 5d ad 45 89 40 a5 8f e4 1a 93 be 45 1f 31 08 42 7a d7 fd 3a 6f 27 ef e0 9f 35 d4 ad b3 a5 61 b3 41 87 ad 07 59 90 ac a8 b1 4c ec 21 cd c3 1b 78 e8 bb b8 e0 30 d7 f7 c8 0c 56 dc 7c 2f f8 b5 53 0f 95 8c 0f ab 81 3b c8 3e b3 d7 a9 72 5d 36 0f b2 d8 33 7c df c9 3c b3 d7 ed ea ea 75 75 cd cc 43 64 a1 a9 f2 19 e4 ae a9 3c c0 6e 2a 31 51 a8 c7 f0 ef 15 16 a2 fd 34 1a bf b5 b3 9f 32 7c 6b 31 54 33 6e 5c 6e 94 ed 2c c2 ca 95 ff 69 d4 25 48 3c 63 d2 a4 04 60 b0 03 c0 4a b6 f5 bf 0e dc 3c 4e 66 21 a7 6f ff ff 1a 4d ae 84 7b 17 b8 e5 ea 2b b5 47 e0 5f e3 8a 0f dc 63 78 fd cf 45 5c b9 92 17 8f e6 12 9d bd a3 49 a4 c5 6c d3 1e 04 ab bc 4c 5d 2d f5 0d 0c 06 04 75 ec 11 8b 0e 3d 82 f0 79 cb 5e ec 44 1f c1 f1 78 88 db f7 9b 04 f4 fa 89 39 ab be 4f 65 c4 b6 26 43 5c c8 dc {server} derive secret "tls13 c ap traffic": Thomson Expires June 7, 2018 [Page 37] Internet-Draft TLS 1.3 Traces December 2017 PRK (32 octets): 86 05 00 52 9e e3 a6 0a 26 44 3e 62 2a 4c 00 0a b3 ff 0d ea 05 05 5c c3 ed f3 bf 01 f7 11 db ba hash (32 octets): 35 56 64 82 3a 07 6c 67 8f 60 11 3d f2 c4 fa 18 3e 44 c0 0b 0a 94 38 c7 93 d2 96 e9 2a 76 e3 06 info (54 octets): 00 20 12 74 6c 73 31 33 20 63 20 61 70 20 74 72 61 66 66 69 63 20 35 56 64 82 3a 07 6c 67 8f 60 11 3d f2 c4 fa 18 3e 44 c0 0b 0a 94 38 c7 93 d2 96 e9 2a 76 e3 06 output (32 octets): 49 94 c4 1b d3 5f 90 84 9c da c8 1c ee eb 48 cf 0a 25 08 9c da 15 66 d0 c8 51 ce 42 67 55 0e 42 {server} derive secret "tls13 s ap traffic": PRK (32 octets): 86 05 00 52 9e e3 a6 0a 26 44 3e 62 2a 4c 00 0a b3 ff 0d ea 05 05 5c c3 ed f3 bf 01 f7 11 db ba hash (32 octets): 35 56 64 82 3a 07 6c 67 8f 60 11 3d f2 c4 fa 18 3e 44 c0 0b 0a 94 38 c7 93 d2 96 e9 2a 76 e3 06 info (54 octets): 00 20 12 74 6c 73 31 33 20 73 20 61 70 20 74 72 61 66 66 69 63 20 35 56 64 82 3a 07 6c 67 8f 60 11 3d f2 c4 fa 18 3e 44 c0 0b 0a 94 38 c7 93 d2 96 e9 2a 76 e3 06 output (32 octets): 04 94 45 e6 ca b5 c5 4c 87 af 8a d9 c9 4f c1 28 14 f5 4c 22 bb c4 6a 08 5e 9e 3f 55 91 1e 77 0c {server} derive secret "tls13 exp master": PRK (32 octets): 86 05 00 52 9e e3 a6 0a 26 44 3e 62 2a 4c 00 0a b3 ff 0d ea 05 05 5c c3 ed f3 bf 01 f7 11 db ba hash (32 octets): 35 56 64 82 3a 07 6c 67 8f 60 11 3d f2 c4 fa 18 3e 44 c0 0b 0a 94 38 c7 93 d2 96 e9 2a 76 e3 06 info (52 octets): 00 20 10 74 6c 73 31 33 20 65 78 70 20 6d 61 73 74 65 72 20 35 56 64 82 3a 07 6c 67 8f 60 11 3d f2 c4 fa 18 3e 44 c0 0b 0a 94 38 c7 93 d2 96 e9 2a 76 e3 06 output (32 octets): 84 69 2c 16 37 b0 91 ce 55 73 7a bc e2 46 9b 74 5c f4 77 80 ea d7 68 be 99 35 59 2c 16 0d 0d 57 {client} extract secret "early": salt: (absent) Thomson Expires June 7, 2018 [Page 38] Internet-Draft TLS 1.3 Traces December 2017 ikm (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 secret (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a {client} derive secret for handshake "tls13 derived": PRK (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 output (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba {client} extract secret "handshake": salt (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba ikm (32 octets): 94 2f 83 fa ee 2f ad ad 24 2e eb fb c7 a6 6d 5e c7 71 04 b1 3c d4 97 e0 b1 0d 9d 70 69 1d e8 6a secret (32 octets): 53 d7 91 87 9a 6b 33 f3 86 45 35 3b 3e 03 49 e5 e0 88 e4 0b 6c 37 00 12 0c 80 04 25 d3 d5 e9 9f {client} derive secret "tls13 c hs traffic" (same as server) {client} derive secret "tls13 s hs traffic" (same as server) {client} derive secret for master "tls13 derived" (same as server) {client} extract secret "master" (same as server) {client} calculate finished "tls13 finished" (same as server) {client} derive secret "tls13 c ap traffic" (same as server) {client} derive secret "tls13 s ap traffic" (same as server) {client} derive secret "tls13 exp master" (same as server) Thomson Expires June 7, 2018 [Page 39] Internet-Draft TLS 1.3 Traces December 2017 {client} send a Certificate handshake message {client} send a CertificateVerify handshake message {client} calculate finished "tls13 finished": PRK (32 octets): e8 d4 bb 93 8c a3 de 6d 1d 7c 78 01 a5 57 20 aa df cd 34 2d c8 a4 47 04 1d 21 7c 83 c8 df f3 94 hash (0 octets): (empty) info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65 64 00 output (32 octets): 03 c1 ff eb e1 ec af c1 16 94 42 a3 5f b7 8c 4a f4 3d 55 4e c8 5b 94 ae 3f e9 18 3f 54 55 f1 84 {client} send a Finished handshake message {client} send handshake record: payload (623 octets): 0b 00 01 bf 00 00 01 bb 00 01 b6 30 82 01 b2 30 82 01 1b a0 03 02 01 02 02 01 01 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 11 31 0f 30 0d 06 03 55 04 03 13 06 63 6c 69 65 6e 74 30 1e 17 0d 31 36 30 37 33 30 30 31 32 33 35 39 5a 17 0d 32 36 30 37 33 30 30 31 32 33 35 39 5a 30 11 31 0f 30 0d 06 03 55 04 03 13 06 63 6c 69 65 6e 74 30 81 9f 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 81 8d 00 30 81 89 02 81 81 00 c3 81 75 e0 04 a6 8d 09 3f 82 3b 9c 37 9d 20 1f bc 0b b7 a1 c7 91 90 5e 3f bf 76 84 7e 44 e7 51 eb bc d3 60 bd 94 5c 81 e5 22 2b cc 88 46 d3 a8 a0 f9 3e 9b f5 be ba bd 92 ed f1 de 1f f1 90 21 70 3e 7a b6 c0 90 15 13 f9 7e 39 b1 11 f0 9c 93 48 97 1c 7b 21 19 84 a7 54 cd 45 fe 09 5a f0 ea 42 36 82 9b cc f7 a7 fe 9b 28 88 e7 8a b4 77 69 0a 5b 9e 1c cb e9 1c 6a 4a 0f 97 a7 e0 28 42 01 02 03 01 00 01 a3 1a 30 18 30 09 06 03 55 1d 13 04 02 30 00 30 0b 06 03 55 1d 0f 04 04 03 02 07 80 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 81 81 00 1a 7a 5a 01 85 32 b0 22 af 07 67 d4 86 16 0c ff 2d 16 7a 19 15 d2 38 35 b5 45 94 91 6d c6 80 be 5d 2e 62 60 76 c5 d5 27 22 eb cc 77 5d 7d 99 f9 80 be 2f c9 4d 34 ac f6 cc 00 ba 90 cb cf b0 60 8a a1 e7 e3 97 1e f0 c0 7a 41 d4 7a d8 34 5d 1f 81 fe 41 8a 1c f4 10 54 42 9f d2 17 bd 77 7d c1 cf 08 f0 5d f9 07 99 c6 59 36 1e 0f 1a 8e e4 ac 0f 78 97 42 0b db c8 23 da 80 a2 f2 ba 23 08 1c 00 00 0f 00 00 84 08 04 00 80 84 10 d9 4d 75 9a c5 a1 87 9c 61 71 49 48 04 09 7f 9d 94 6f 41 e0 02 2a 66 ee 8e 0d 3b bc f4 37 c2 6f db cb 1d b6 69 45 94 f9 01 71 82 e2 80 5c 1a 68 24 e1 06 d1 86 dd 42 37 53 60 89 14 3d 06 12 ec 33 08 50 2c d5 a1 54 3e 82 fb 9d b5 58 7e 54 07 6e 18 7a d6 ad 9b 89 35 42 a7 54 1d f0 47 49 7f fb 6c e2 Thomson Expires June 7, 2018 [Page 40] Internet-Draft TLS 1.3 Traces December 2017 5d df f8 fd e7 ed 8a 67 98 f2 b7 de 1f a8 d9 f9 67 76 15 3a 3d 01 9c 5a cc af 97 14 00 00 20 49 3e e4 87 b7 fc 2b f5 19 b7 cd 2b 6b 33 b5 0f 5b e6 d5 23 37 a4 96 2e 39 d0 ec 13 92 f0 76 80 ciphertext (645 octets): 17 03 03 02 80 4d 75 ab 8f 1d 72 06 a6 3e 00 ac cd 41 c6 aa d6 3f e1 4d df 20 42 8f 59 68 d7 fc 60 61 2f d2 5f f6 49 ae 82 c6 2e 3b 1e 6b 0d 07 d4 26 ae d4 3f a8 1f c2 76 15 43 92 5d 9a 8c 53 57 b2 0d 5d f1 7d fe 67 7d 8f df 7c b3 5f 07 48 02 a0 c5 5a 12 31 de a8 d4 27 1d fa 5f 5d 65 21 a4 f4 67 c4 78 5d b0 54 1d f1 fb 84 8f 8b 01 e6 8d cb 9c 63 a3 86 3a 6b d3 e8 8d b5 a3 67 34 53 2d f3 68 b0 f5 7a 12 b5 65 94 b2 e1 6b 69 4e 5c e6 c1 e6 f3 ab 6f 1f a0 a9 f5 40 e3 80 2d 6b f2 4f eb e4 2b 72 1f 13 ab 80 90 f1 54 e4 14 54 72 f9 1b 9a fe d6 c5 b4 51 39 7e a0 fd 19 8c 04 48 af 73 44 42 91 57 43 11 53 4d 22 91 07 65 9b 88 00 5c f0 51 db 32 70 83 44 4c 2c 00 14 e9 22 a2 bd 94 a2 c9 d8 40 70 7b 4c 76 0c 56 ff 09 36 b1 b7 ad 8c 76 f7 bf c2 dc 8b 75 19 d2 29 ad 7b a5 6d 0a 16 12 d0 56 f8 78 da 5a b9 91 c9 ce 3d d0 44 62 8c 5a 0f ab 4d 51 14 af 7f 95 7e f1 f5 27 05 6b 5d 16 0e 8b b2 ad 6d b0 a9 3b e2 3c 5f 68 7e 0a 28 ec 76 32 a2 1f 24 4f 9e ac 1d 04 4f f9 2d 3c 1f b1 8e f8 1a bb cf 38 08 24 d4 cb 1c e4 51 7a d6 c1 45 f0 56 8b 41 b9 36 26 65 68 ac 23 1e c9 48 eb b3 32 1f 5f b0 14 36 21 af 9b 3c e7 51 7b 08 88 e0 71 c6 17 4b 7b 05 a7 bf ce a2 d9 e2 50 16 1a f7 0f 93 73 a9 c2 fc 2d 41 06 85 52 38 bc 54 f0 78 40 6c 75 82 7a 46 1e c2 c3 59 19 f6 75 16 44 fd ce b6 11 31 3e f5 57 09 b5 2b 32 69 24 12 32 92 d1 bd 9d 1d 19 2f 6d 4d d6 bd e8 f3 c8 2c 30 49 f4 f6 dd f7 4d 18 4d 72 76 57 9f ce 90 a6 6b bd 6b 50 17 82 6d cd 0d 31 25 bc a5 47 df b2 f9 ab 53 43 fd a4 2a bb eb 5b f9 ca 6d 02 45 8e 7e 7b af 21 04 70 e5 e6 93 ee a4 c2 ca 50 2f e8 e6 d4 78 7b 57 18 6d 85 40 7d df 0d 5e 0c 8a be 1a 73 46 d6 cd 30 86 5a c5 fc 9d f2 d3 8e 84 1e f3 67 91 be e0 dd 3a 1a 95 b9 c3 2d 3e 8e 97 04 c8 7b fe bd 35 ea f5 cb db 4a 72 32 46 82 04 a5 75 63 2c ed 27 76 70 6c d5 02 a5 66 d1 30 c1 ab 40 9a 1c e4 ab 08 c5 8c 04 ae 75 33 94 8b 63 4b ff 14 54 b6 91 a1 e9 88 c6 de 54 85 7e 12 05 65 fc bc 6e 3d 01 ed fa 7a ab c5 f9 2c 45 b4 df 22 50 c0 {client} derive secret "tls13 res master": PRK (32 octets): 86 05 00 52 9e e3 a6 0a 26 44 3e 62 2a 4c 00 0a b3 ff 0d ea 05 05 5c c3 ed f3 bf 01 f7 11 db ba hash (32 octets): 7f 2d 4e 12 6e 73 62 ae 2f ea 3c b9 1f 32 ec b0 f7 ba 7f 60 c4 ee a4 41 0f 80 26 dc 33 25 77 88 info (52 octets): 00 20 10 74 6c 73 31 33 20 72 65 73 20 6d 61 73 74 65 72 20 7f 2d 4e 12 6e 73 62 ae 2f ea 3c b9 1f 32 ec b0 f7 ba 7f 60 c4 ee a4 41 0f 80 26 dc 33 25 77 88 Thomson Expires June 7, 2018 [Page 41] Internet-Draft TLS 1.3 Traces December 2017 output (32 octets): 42 f1 0b 54 0d ee 84 7b 5b 1c 5b 0d 89 2c f7 11 7d 9a 13 9b 89 20 64 88 a3 52 eb ee d8 cb 6f 90 {server} calculate finished "tls13 finished" (same as client) {server} derive secret "tls13 res master" (same as client) {client} send alert record: payload (2 octets): 01 00 ciphertext (24 octets): 17 03 03 00 13 70 16 fa 95 9e 65 31 0b cf 54 11 09 dd 74 cc 4b bd 42 95 {server} send alert record: payload (2 octets): 01 00 ciphertext (24 octets): 17 03 03 00 13 92 e3 7d 92 18 1a 14 ec cf 3e 35 13 f4 54 63 4f b1 70 d9 7. Security Considerations It probably isn't a good idea to use the private key here. If it weren't for the fact that it is too small to provide any meaningful security, it is now very well known. 8. References 8.1. Normative References [I-D.ietf-tls-tls13] Rescorla, E., "The Transport Layer Security (TLS) Protocol Version 1.3", draft-ietf-tls-tls13-22 (work in progress), November 2017. 8.2. Informative References [FIPS186] National Institute of Standards and Technology (NIST), "Digital Signature Standard (DSS)", NIST PUB 186-4 , July 2013. [RFC7748] Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves for Security", RFC 7748, DOI 10.17487/RFC7748, January 2016, . Thomson Expires June 7, 2018 [Page 42] Internet-Draft TLS 1.3 Traces December 2017 8.3. URIs [1] https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS Appendix A. Acknowledgements This draft is generated using tests that were written for NSS [1]. None of this would have been possible without Franziskus Kiefer, Eric Rescorla and Tim Taubert, who did a lot of the work in NSS. Author's Address Martin Thomson Mozilla Email: martin.thomson@gmail.com Thomson Expires June 7, 2018 [Page 43]