[Docs] [txt|pdf|xml|html] [Tracker] [WG] [Email] [Diff1] [Diff2] [Nits]

Versions: (draft-thomson-tls-tls13-vectors) 00 01 02 03 04

TLS                                                           M. Thomson
Internet-Draft                                                   Mozilla
Intended status: Standards Track                            May 02, 2018
Expires: November 3, 2018


                  Example Handshake Traces for TLS 1.3
                    draft-ietf-tls-tls13-vectors-04

Abstract

   Examples of TLS 1.3 handshakes are shown.  Private keys and inputs
   are provided so that these handshakes might be reproduced.
   Intermediate values, including secrets, traffic keys and ivs are
   shown so that implementations might be checked incrementally against
   these values.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on November 3, 2018.

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.



Thomson                 Expires November 3, 2018                [Page 1]


Internet-Draft               TLS 1.3 Traces                     May 2018


Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Private Keys  . . . . . . . . . . . . . . . . . . . . . . . .   2
   3.  Simple 1-RTT Handshake  . . . . . . . . . . . . . . . . . . .   3
   4.  Resumed 0-RTT Handshake . . . . . . . . . . . . . . . . . . .  15
   5.  HelloRetryRequest . . . . . . . . . . . . . . . . . . . . . .  26
   6.  Client Authentication . . . . . . . . . . . . . . . . . . . .  38
   7.  Compatibility Mode  . . . . . . . . . . . . . . . . . . . . .  49
   8.  Security Considerations . . . . . . . . . . . . . . . . . . .  59
   9.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  60
     9.1.  Normative References  . . . . . . . . . . . . . . . . . .  60
     9.2.  Informative References  . . . . . . . . . . . . . . . . .  60
   Appendix A.  Acknowledgements . . . . . . . . . . . . . . . . . .  60
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .  60

1.  Introduction

   TLS 1.3 [TLS13] defines a new key schedule and a number new
   cryptographic operations.  This document includes sample handshakes
   that show all intermediate values.  This allows an implementation to
   be verified incrementally, examining inputs and outputs of each
   cryptographic computation independently.

   A private key is included with the traces so that implementations can
   be checked by importing these values and verifying that the same
   outputs are produced.

2.  Private Keys

   Ephemeral private keys are shown as they are generated in the traces.

   The server in most examples uses an RSA certificate with a private
   key of:

   modulus (public):  b4 bb 49 8f 82 79 30 3d 98 08 36 39 9b 36 c6 98 8c
      0c 68 de 55 e1 bd b8 26 d3 90 1a 24 61 ea fd 2d e4 9a 91 d0 15 ab
      bc 9a 95 13 7a ce 6c 1a f1 9e aa 6a f9 8c 7c ed 43 12 09 98 e1 87
      a8 0e e0 cc b0 52 4b 1b 01 8c 3e 0b 63 26 4d 44 9a 6d 38 e2 2a 5f
      da 43 08 46 74 80 30 53 0e f0 46 1c 8c a9 d9 ef bf ae 8e a6 d1 d0
      3e 2b d1 93 ef f0 ab 9a 80 02 c4 74 28 a6 d3 5a 8d 88 d7 9f 7f 1e
      3f

   public exponent:  01 00 01

   private exponent:  04 de a7 05 d4 3a 6e a7 20 9d d8 07 21 11 a8 3c 81
      e3 22 a5 92 78 b3 34 80 64 1e af 7c 0a 69 85 b8 e3 1c 44 f6 de 62
      e1 b4 c2 30 9f 61 26 e7 7b 7c 41 e9 23 31 4b bf a3 88 13 05 dc 12



Thomson                 Expires November 3, 2018                [Page 2]


Internet-Draft               TLS 1.3 Traces                     May 2018


      17 f1 6c 81 9c e5 38 e9 22 f3 69 82 8d 0e 57 19 5d 8c 84 88 46 02
      07 b2 fa a7 26 bc f7 08 bb d7 db 7f 67 9f 89 34 92 fc 2a 62 2e 08
      97 0a ac 44 1c e4 e0 c3 08 8d f2 5a e6 79 23 3d f8 a3 bd a2 ff 99
      41

   prime1:  e4 35 fb 7c c8 37 37 75 6d ac ea 96 ab 7f 59 a2 cc 10 69 db
      7d eb 19 0e 17 e3 3a 53 2b 27 3f 30 a3 27 aa 0a aa bc 58 cd 67 46
      6a f9 84 5f ad c6 75 fe 09 4a f9 2c 4b d1 f2 c1 bc 33 dd 2e 05 15

   prime2:  ca bd 3b c0 e0 43 86 64 c8 d4 cc 9f 99 97 7a 94 d9 bb fe ad
      8e 43 87 0a ba e3 f7 eb 8b 4e 0e ee 8a f1 d9 b4 71 9b a6 19 6c f2
      cb ba ee eb f8 b3 49 0a fe 9e 9f fa 74 a8 8a a5 1f c6 45 62 93 03

   exponent1:  3f 57 34 5c 27 fe 1b 68 7e 6e 76 16 27 b7 8b 1b 82 64 33
      dd 76 0f a0 be a6 a6 ac f3 94 90 aa 1b 47 cd a4 86 9d 68 f5 84 dd
      5b 50 29 bd 32 09 3b 82 58 66 1f e7 15 02 5e 5d 70 a4 5a 08 d3 d3
      19

   exponent2:  18 3d a0 13 63 bd 2f 28 85 ca cb dc 99 64 bf 47 64 f1 51
      76 36 f8 64 01 28 6f 71 89 3c 52 cc fe 40 a6 c2 3d 0d 08 6b 47 c6
      fb 10 d8 fd 10 41 e0 4d ef 7e 9a 40 ce 95 7c 41 77 94 e1 04 12 d1
      39

   coefficient:  83 9c a9 a0 85 e4 28 6b 2c 90 e4 66 99 7a 2c 68 1f 21
      33 9a a3 47 78 14 e4 de c1 18 33 05 0e d5 0d d1 3c c0 38 04 8a 43
      c5 9b 2a cc 41 68 89 c0 37 66 5f e5 af a6 05 96 9f 8c 01 df a5 ca
      96 9d

3.  Simple 1-RTT Handshake

   In this example, the simplest possible handshake is completed.  The
   server is authenticated, but the client remains anonymous.  After
   connecting, a few application data octets are exchanged.  The server
   sends a session ticket that permits the use of 0-RTT in any resumed
   session.

   {client}  create an ephemeral x25519 key pair:

      private key (32 octets):  33 21 0a 80 c1 a0 78 c8 52 0d 00 71 0a
         06 7b 00 59 68 26 01 05 f4 bf b5 94 a7 13 2b 62 34 33 ab

      public key (32 octets):  fa 0c d2 25 02 a7 23 6a e7 59 9e e0 14 16
         e8 05 d7 15 55 93 f0 28 b7 a6 f6 dd f4 9b ad 1a 6f 36

   {client}  send a ClientHello handshake message

   {client}  send handshake record:




Thomson                 Expires November 3, 2018                [Page 3]


Internet-Draft               TLS 1.3 Traces                     May 2018


      payload (190 octets):  01 00 00 ba 03 03 3a 02 32 16 f4 df 71 db
         f2 af d6 09 5f aa cd 8e b9 12 02 36 ca 79 90 c2 0d 40 cb 69 09
         57 75 35 00 00 06 13 01 13 03 13 02 01 00 00 8b 00 00 00 0b 00
         09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 14 00 12
         00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 23 00
         00 00 33 00 26 00 24 00 1d 00 20 fa 0c d2 25 02 a7 23 6a e7 59
         9e e0 14 16 e8 05 d7 15 55 93 f0 28 b7 a6 f6 dd f4 9b ad 1a 6f
         36 00 2b 00 03 02 7f 1c 00 0d 00 20 00 1e 04 03 05 03 06 03 02
         03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 06 02
         02 02 00 2d 00 02 01 01

      ciphertext (195 octets):  16 03 01 00 be 01 00 00 ba 03 03 3a 02
         32 16 f4 df 71 db f2 af d6 09 5f aa cd 8e b9 12 02 36 ca 79 90
         c2 0d 40 cb 69 09 57 75 35 00 00 06 13 01 13 03 13 02 01 00 00
         8b 00 00 00 0b 00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00
         00 0a 00 14 00 12 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01
         03 01 04 00 23 00 00 00 33 00 26 00 24 00 1d 00 20 fa 0c d2 25
         02 a7 23 6a e7 59 9e e0 14 16 e8 05 d7 15 55 93 f0 28 b7 a6 f6
         dd f4 9b ad 1a 6f 36 00 2b 00 03 02 7f 1c 00 0d 00 20 00 1e 04
         03 05 03 06 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01
         04 02 05 02 06 02 02 02 00 2d 00 02 01 01

   {server}  extract secret "early":

      salt:  (absent)

      ikm (32 octets):  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

      secret (32 octets):  33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c
         e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a

   {server}  create an ephemeral x25519 key pair:

      private key (32 octets):  9d ae 7f c7 6c 00 9e 64 32 41 68 c6 27
         99 1a 97 d3 95 9e 32 e7 c8 45 0c 14 f3 b5 30 bf 75 ef 87

      public key (32 octets):  aa 6c be 84 01 8c c1 a7 43 75 b6 d4 ea 18
         ad 51 71 c1 50 ae 55 80 a8 4c 62 ef 05 21 a1 16 8a 25

   {server}  send a ServerHello handshake message

   {server}  derive secret for handshake "tls13 derived":

      PRK (32 octets):  33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2
         10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a





Thomson                 Expires November 3, 2018                [Page 4]


Internet-Draft               TLS 1.3 Traces                     May 2018


      hash (32 octets):  e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24
         27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55

      info (49 octets):  00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64
         20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4
         64 9b 93 4c a4 95 99 1b 78 52 b8 55

      output (32 octets):  6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6
         97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba

   {server}  extract secret "handshake":

      salt (32 octets):  6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97
         16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba

      ikm (32 octets):  de 19 c3 5f f1 64 46 31 c4 b4 59 9a 22 2c ee eb
         31 aa 4c f3 03 ef 15 48 de 68 ea 83 c9 4b 78 1c

      secret (32 octets):  95 96 d5 36 cf ab b0 51 28 69 b3 c3 66 39 1f
         b2 97 59 36 a8 cd da 1f 8c 66 b5 f0 26 54 04 5e 6b

   {server}  derive secret "tls13 c hs traffic":

      PRK (32 octets):  95 96 d5 36 cf ab b0 51 28 69 b3 c3 66 39 1f b2
         97 59 36 a8 cd da 1f 8c 66 b5 f0 26 54 04 5e 6b

      hash (32 octets):  58 53 80 f8 31 c7 62 08 c5 2c 34 8c 76 be 4a 4b
         a6 17 fd 16 da 68 b0 a9 50 38 82 fe ea ff 81 dc

      info (54 octets):  00 20 12 74 6c 73 31 33 20 63 20 68 73 20 74 72
         61 66 66 69 63 20 58 53 80 f8 31 c7 62 08 c5 2c 34 8c 76 be 4a
         4b a6 17 fd 16 da 68 b0 a9 50 38 82 fe ea ff 81 dc

      output (32 octets):  ed 5d 2e 57 8f 39 41 2a 63 a1 8e 68 d4 52 e4
         09 21 5b 42 a8 63 40 29 f2 4c c9 c7 bb 3c 4d 29 de

   {server}  derive secret "tls13 s hs traffic":

      PRK (32 octets):  95 96 d5 36 cf ab b0 51 28 69 b3 c3 66 39 1f b2
         97 59 36 a8 cd da 1f 8c 66 b5 f0 26 54 04 5e 6b

      hash (32 octets):  58 53 80 f8 31 c7 62 08 c5 2c 34 8c 76 be 4a 4b
         a6 17 fd 16 da 68 b0 a9 50 38 82 fe ea ff 81 dc

      info (54 octets):  00 20 12 74 6c 73 31 33 20 73 20 68 73 20 74 72
         61 66 66 69 63 20 58 53 80 f8 31 c7 62 08 c5 2c 34 8c 76 be 4a
         4b a6 17 fd 16 da 68 b0 a9 50 38 82 fe ea ff 81 dc




Thomson                 Expires November 3, 2018                [Page 5]


Internet-Draft               TLS 1.3 Traces                     May 2018


      output (32 octets):  76 53 d6 19 95 c3 c7 b9 a7 db 6e f8 80 0d e0
         63 e2 c4 10 1d 52 15 01 1c 8a 28 36 6e 8a 44 9b b3

   {server}  derive secret for master "tls13 derived":

      PRK (32 octets):  95 96 d5 36 cf ab b0 51 28 69 b3 c3 66 39 1f b2
         97 59 36 a8 cd da 1f 8c 66 b5 f0 26 54 04 5e 6b

      hash (32 octets):  e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24
         27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55

      info (49 octets):  00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64
         20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4
         64 9b 93 4c a4 95 99 1b 78 52 b8 55

      output (32 octets):  ff e0 3e bf eb 8e f7 7a b4 95 7f 14 95 2f be
         d5 5a 1f 3b 9d 1c e9 4e 1e 00 f7 40 7d 99 72 99 1b

   {server}  extract secret "master":

      salt (32 octets):  ff e0 3e bf eb 8e f7 7a b4 95 7f 14 95 2f be d5
         5a 1f 3b 9d 1c e9 4e 1e 00 f7 40 7d 99 72 99 1b

      ikm (32 octets):  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

      secret (32 octets):  fa 2f 37 bc 3a 87 b5 9c 46 10 26 27 17 59 84
         d8 4e 03 5f a5 64 75 9c 1e ec 3b 96 4c e9 7a 1f 14

   {server}  send handshake record:

      payload (90 octets):  02 00 00 56 03 03 42 ec 65 e2 f1 86 19 05 8f
         0a e6 42 76 a1 0d 47 b3 5d 5f 26 75 0b c5 a9 b7 aa c6 30 9f 19
         75 71 00 13 01 00 00 2e 00 33 00 24 00 1d 00 20 aa 6c be 84 01
         8c c1 a7 43 75 b6 d4 ea 18 ad 51 71 c1 50 ae 55 80 a8 4c 62 ef
         05 21 a1 16 8a 25 00 2b 00 02 7f 1c

      ciphertext (95 octets):  16 03 03 00 5a 02 00 00 56 03 03 42 ec 65
         e2 f1 86 19 05 8f 0a e6 42 76 a1 0d 47 b3 5d 5f 26 75 0b c5 a9
         b7 aa c6 30 9f 19 75 71 00 13 01 00 00 2e 00 33 00 24 00 1d 00
         20 aa 6c be 84 01 8c c1 a7 43 75 b6 d4 ea 18 ad 51 71 c1 50 ae
         55 80 a8 4c 62 ef 05 21 a1 16 8a 25 00 2b 00 02 7f 1c

   {server}  derive write traffic keys for handshake data:

      PRK (32 octets):  76 53 d6 19 95 c3 c7 b9 a7 db 6e f8 80 0d e0 63
         e2 c4 10 1d 52 15 01 1c 8a 28 36 6e 8a 44 9b b3




Thomson                 Expires November 3, 2018                [Page 6]


Internet-Draft               TLS 1.3 Traces                     May 2018


      key info (13 octets):  00 10 09 74 6c 73 31 33 20 6b 65 79 00

      key output (16 octets):  6b de 0a 34 c4 42 3c f3 5b f4 a7 ec 1a b0
         aa 06

      iv info (12 octets):  00 0c 08 74 6c 73 31 33 20 69 76 00

      iv output (12 octets):  22 07 9a 1b e6 53 89 9a 59 a4 e5 51

   {server}  send a EncryptedExtensions handshake message

   {server}  send a Certificate handshake message

   {server}  send a CertificateVerify handshake message

   {server}  calculate finished "tls13 finished":

      PRK (32 octets):  76 53 d6 19 95 c3 c7 b9 a7 db 6e f8 80 0d e0 63
         e2 c4 10 1d 52 15 01 1c 8a 28 36 6e 8a 44 9b b3

      hash (0 octets):  (empty)

      info (18 octets):  00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65
         64 00

      output (32 octets):  1c a5 43 d9 08 b8 ec 1c b7 25 55 7f 83 c4 de
         03 f1 71 85 07 b9 0a e4 39 ec 84 92 c2 22 5d 6e 75

   {server}  send a Finished handshake message

   {server}  send handshake record:

      payload (651 octets):  08 00 00 1e 00 1c 00 0a 00 14 00 12 00 1d
         00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 00 00 00 0b
         00 01 b9 00 00 01 b5 00 01 b0 30 82 01 ac 30 82 01 15 a0 03 02
         01 02 02 01 02 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30
         0e 31 0c 30 0a 06 03 55 04 03 13 03 72 73 61 30 1e 17 0d 31 36
         30 37 33 30 30 31 32 33 35 39 5a 17 0d 32 36 30 37 33 30 30 31
         32 33 35 39 5a 30 0e 31 0c 30 0a 06 03 55 04 03 13 03 72 73 61
         30 81 9f 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 81 8d
         00 30 81 89 02 81 81 00 b4 bb 49 8f 82 79 30 3d 98 08 36 39 9b
         36 c6 98 8c 0c 68 de 55 e1 bd b8 26 d3 90 1a 24 61 ea fd 2d e4
         9a 91 d0 15 ab bc 9a 95 13 7a ce 6c 1a f1 9e aa 6a f9 8c 7c ed
         43 12 09 98 e1 87 a8 0e e0 cc b0 52 4b 1b 01 8c 3e 0b 63 26 4d
         44 9a 6d 38 e2 2a 5f da 43 08 46 74 80 30 53 0e f0 46 1c 8c a9
         d9 ef bf ae 8e a6 d1 d0 3e 2b d1 93 ef f0 ab 9a 80 02 c4 74 28
         a6 d3 5a 8d 88 d7 9f 7f 1e 3f 02 03 01 00 01 a3 1a 30 18 30 09
         06 03 55 1d 13 04 02 30 00 30 0b 06 03 55 1d 0f 04 04 03 02 05



Thomson                 Expires November 3, 2018                [Page 7]


Internet-Draft               TLS 1.3 Traces                     May 2018


         a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 81 81 00 85
         aa d2 a0 e5 b9 27 6b 90 8c 65 f7 3a 72 67 17 06 18 a5 4c 5f 8a
         7b 33 7d 2d f7 a5 94 36 54 17 f2 ea e8 f8 a5 8c 8f 81 72 f9 31
         9c f3 6b 7f d6 c5 5b 80 f2 1a 03 01 51 56 72 60 96 fd 33 5e 5e
         67 f2 db f1 02 70 2e 60 8c ca e6 be c1 fc 63 a4 2a 99 be 5c 3e
         b7 10 7c 3c 54 e9 b9 eb 2b d5 20 3b 1c 3b 84 e0 a8 b2 f7 59 40
         9b a3 ea c9 d9 1d 40 2d cc 0c c8 f8 96 12 29 ac 91 87 b4 2b 4d
         e1 00 00 0f 00 00 84 08 04 00 80 60 79 53 73 40 82 02 3f d3 8f
         e9 bd 96 ea f9 dd e4 45 12 7b ef 6f c8 5b 2a 29 82 27 a9 0d 26
         12 28 11 7b 93 f7 6c 00 02 56 02 b8 5b e9 6e 6e 75 a2 5b 72 bd
         d9 38 9d 7c 97 95 f3 14 24 60 17 18 9d 4b dd 30 b8 38 17 f5 9a
         5b c3 66 9a 98 d6 41 64 fd c7 80 77 2d ca 3d 06 63 79 24 1a 21
         32 c4 07 1e 21 f9 f3 f0 cd 1d f4 06 ab 1d 37 bd db 13 e1 c2 93
         f8 a4 46 8b 8e 5b c9 09 e5 78 94 e0 f1 14 00 00 20 16 cb aa 5b
         9c 4d 04 ea 5c 83 b2 0b 4c 88 04 7e 8f 95 d9 60 5b 71 24 d1 1d
         de b1 91 bb 6b 6d 18

      ciphertext (673 octets):  17 03 03 02 9c c7 ad d2 3a 51 68 b1 f3
         49 b7 59 e3 6b 17 1d ab c9 0b aa 31 29 a9 83 81 35 a2 2d a4 d2
         d5 96 c9 4b 86 f6 af be 4d 7e 6d 6d bd 07 0b 84 f7 0f 33 fa 57
         91 7d 7f 44 b1 e0 6d 47 46 64 3b fb 8f 2c dd 0a 2e db 1d 43 b7
         32 26 b1 be f9 5c 34 58 41 d1 20 fc 70 8d 49 09 bf a3 42 e4 99
         33 c1 00 02 03 3f ee 1e 82 67 0b 26 50 ba 93 c5 3a 87 f8 6d 5c
         bf 51 26 ad 05 58 6f 97 b1 31 4f 21 c0 b7 a2 0c 4b 4f 90 c3 66
         ec 8e d8 49 be a6 d5 b2 e0 bb 88 4f 9e 98 d7 19 5a 42 8f f8 d1
         26 5a 67 58 84 f3 8a 43 60 68 e3 72 9f 8a 50 99 1b f8 61 37 95
         0c 5e 0e b3 ad a2 23 59 c2 5a f7 00 31 cb 18 00 8c 2f a6 e7 c8
         dd 70 58 f8 ec e9 23 b0 96 7a c5 ed c0 39 7b 9d 9a ae cf 3f 0d
         cc 59 83 a4 76 9e 26 0f 15 e6 83 78 74 18 ce 06 75 47 ad f9 fa
         75 93 24 7d f7 d5 a1 60 32 7b de 57 f8 eb e4 74 55 6b 93 97 9f
         ae 3c d2 fa 90 c3 b5 e7 77 d6 2f 3b 1b 11 bb 92 08 a6 8d 55 06
         24 6f 76 ac ef b5 7d b1 b6 37 b4 60 38 24 1d aa 6a 07 b7 dd 8d
         45 c4 7b e1 2f 7e 5a 71 a1 00 95 02 9e ed 7e 27 8d de a9 f4 46
         2c 68 9e 1b c6 eb c6 b8 84 da b7 f9 de e7 6f 30 08 73 63 85 05
         f9 00 3c de 12 e4 28 24 ff 3a 17 64 3d a1 a7 62 7c 16 6c 89 38
         5c de 80 87 4b be 7a 19 ff 5c 5e 1a cd 94 eb 26 1b d4 90 4d 4e
         70 85 24 f3 8d 51 0d 17 2c 6d 61 79 fe e3 dc bb 80 85 b2 f4 3f
         fe 1c 39 b6 4e 49 34 a3 4c d0 91 fe fe ce 76 1c 74 0e 63 d1 e0
         4a 83 b0 55 75 15 26 0d 8b 40 b0 86 1b d7 75 91 4b 81 24 d6 ec
         42 e6 74 fb e4 8b c6 cf 5a 08 cf fa 98 00 15 08 61 33 27 85 6e
         d7 3f 95 2d b6 fd 9f eb 08 85 56 6d 91 79 3e 50 34 ac da 39 8b
         40 3b 6a ce 62 35 47 d5 2f f7 19 98 fe 31 a1 ef d7 f6 fb 85 ea
         b2 06 94 db f4 d5 00 0f 22 10 bc 3d 31 24 22 f9 d5 8d e9 d3 60
         39 bf 8f ae e9 e8 38 33 8c bf 36 b2 b4 82 bd b5 2c 1d 52 32 3b
         a7 4f b2 42 30 64 f9 3f e7 dc 11 54 4f cd ac 52 10 b8 78 91 a1
         7a 14 9b 3c 83 a8 f5 f4 ed b7 63 53 82 01 f7 77 d6 0a e0 5f 36
         a8 2a d6 50 a0 8d a3 64 0e 97 4d 90 ab a9 31 c1 4d 81 c6 ed 19
         1f 32 36 28 72 d1 0b f9 a6 b7 3a c2 a9 e2 89 7b a0 df 61 c6 97



Thomson                 Expires November 3, 2018                [Page 8]


Internet-Draft               TLS 1.3 Traces                     May 2018


         35 37 a1 10 e5 d4 6c 35 62 75 89 65 36 f3 16 18 72 2a 56 ff 7d
         b2 8a 53 c6 c7 73 3c bb 47

   {server}  derive secret "tls13 c ap traffic":

      PRK (32 octets):  fa 2f 37 bc 3a 87 b5 9c 46 10 26 27 17 59 84 d8
         4e 03 5f a5 64 75 9c 1e ec 3b 96 4c e9 7a 1f 14

      hash (32 octets):  87 c5 9a d5 4c f0 89 e9 40 06 d8 eb b0 80 8f 8e
         32 e5 44 b1 b0 79 18 3b 8b eb 89 8e 80 b6 5a 6c

      info (54 octets):  00 20 12 74 6c 73 31 33 20 63 20 61 70 20 74 72
         61 66 66 69 63 20 87 c5 9a d5 4c f0 89 e9 40 06 d8 eb b0 80 8f
         8e 32 e5 44 b1 b0 79 18 3b 8b eb 89 8e 80 b6 5a 6c

      output (32 octets):  f7 1a e9 97 5d 12 75 6a 41 53 17 a4 4c 63 01
         6e 98 39 5d 1e cd da 48 9b cc af 4a 3e 86 3f 87 35

   {server}  derive secret "tls13 s ap traffic":

      PRK (32 octets):  fa 2f 37 bc 3a 87 b5 9c 46 10 26 27 17 59 84 d8
         4e 03 5f a5 64 75 9c 1e ec 3b 96 4c e9 7a 1f 14

      hash (32 octets):  87 c5 9a d5 4c f0 89 e9 40 06 d8 eb b0 80 8f 8e
         32 e5 44 b1 b0 79 18 3b 8b eb 89 8e 80 b6 5a 6c

      info (54 octets):  00 20 12 74 6c 73 31 33 20 73 20 61 70 20 74 72
         61 66 66 69 63 20 87 c5 9a d5 4c f0 89 e9 40 06 d8 eb b0 80 8f
         8e 32 e5 44 b1 b0 79 18 3b 8b eb 89 8e 80 b6 5a 6c

      output (32 octets):  e4 25 33 b9 1b e3 2a 43 fb 9e 5b 7d 9a 00 2d
         59 d8 c7 47 b0 83 b5 72 76 ed 98 bd 46 89 33 f6 72

   {server}  derive secret "tls13 exp master":

      PRK (32 octets):  fa 2f 37 bc 3a 87 b5 9c 46 10 26 27 17 59 84 d8
         4e 03 5f a5 64 75 9c 1e ec 3b 96 4c e9 7a 1f 14

      hash (32 octets):  87 c5 9a d5 4c f0 89 e9 40 06 d8 eb b0 80 8f 8e
         32 e5 44 b1 b0 79 18 3b 8b eb 89 8e 80 b6 5a 6c

      info (52 octets):  00 20 10 74 6c 73 31 33 20 65 78 70 20 6d 61 73
         74 65 72 20 87 c5 9a d5 4c f0 89 e9 40 06 d8 eb b0 80 8f 8e 32
         e5 44 b1 b0 79 18 3b 8b eb 89 8e 80 b6 5a 6c

      output (32 octets):  14 2d 61 52 63 bc e0 27 60 74 9e c8 d3 8e ac
         7a b0 ce 85 0f c1 e3 87 85 a0 33 8b 7e 74 d4 65 b2




Thomson                 Expires November 3, 2018                [Page 9]


Internet-Draft               TLS 1.3 Traces                     May 2018


   {server}  derive write traffic keys for application data:

      PRK (32 octets):  e4 25 33 b9 1b e3 2a 43 fb 9e 5b 7d 9a 00 2d 59
         d8 c7 47 b0 83 b5 72 76 ed 98 bd 46 89 33 f6 72

      key info (13 octets):  00 10 09 74 6c 73 31 33 20 6b 65 79 00

      key output (16 octets):  4e 01 d3 e4 ac 71 a2 83 4b b5 71 29 bb 88
         bf d6

      iv info (12 octets):  00 0c 08 74 6c 73 31 33 20 69 76 00

      iv output (12 octets):  a4 45 9e a6 d6 d7 fb 65 91 6b b8 fa

   {server}  derive read traffic keys for handshake data:

      PRK (32 octets):  ed 5d 2e 57 8f 39 41 2a 63 a1 8e 68 d4 52 e4 09
         21 5b 42 a8 63 40 29 f2 4c c9 c7 bb 3c 4d 29 de

      key info (13 octets):  00 10 09 74 6c 73 31 33 20 6b 65 79 00

      key output (16 octets):  fd 24 5c 26 ad 85 0f e2 d3 1b f9 6d 87 fe
         f2 56

      iv info (12 octets):  00 0c 08 74 6c 73 31 33 20 69 76 00

      iv output (12 octets):  bd 1f de f0 52 bb 30 8c 0a 88 c1 1c

   {client}  extract secret "early":

      salt:  (absent)

      ikm (32 octets):  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

      secret (32 octets):  33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c
         e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a

   {client}  derive secret for handshake "tls13 derived":

      PRK (32 octets):  33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2
         10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a

      hash (32 octets):  e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24
         27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55






Thomson                 Expires November 3, 2018               [Page 10]


Internet-Draft               TLS 1.3 Traces                     May 2018


      info (49 octets):  00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64
         20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4
         64 9b 93 4c a4 95 99 1b 78 52 b8 55

      output (32 octets):  6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6
         97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba

   {client}  extract secret "handshake":

      salt (32 octets):  6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97
         16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba

      ikm (32 octets):  de 19 c3 5f f1 64 46 31 c4 b4 59 9a 22 2c ee eb
         31 aa 4c f3 03 ef 15 48 de 68 ea 83 c9 4b 78 1c

      secret (32 octets):  95 96 d5 36 cf ab b0 51 28 69 b3 c3 66 39 1f
         b2 97 59 36 a8 cd da 1f 8c 66 b5 f0 26 54 04 5e 6b

   {client}  derive secret "tls13 c hs traffic" (same as server)

   {client}  derive secret "tls13 s hs traffic" (same as server)

   {client}  derive secret for master "tls13 derived" (same as server)

   {client}  extract secret "master" (same as server)

   {client}  derive read traffic keys for handshake data:

      PRK (32 octets):  76 53 d6 19 95 c3 c7 b9 a7 db 6e f8 80 0d e0 63
         e2 c4 10 1d 52 15 01 1c 8a 28 36 6e 8a 44 9b b3

      key info (13 octets):  00 10 09 74 6c 73 31 33 20 6b 65 79 00

      key output (16 octets):  6b de 0a 34 c4 42 3c f3 5b f4 a7 ec 1a b0
         aa 06

      iv info (12 octets):  00 0c 08 74 6c 73 31 33 20 69 76 00

      iv output (12 octets):  22 07 9a 1b e6 53 89 9a 59 a4 e5 51

   {client}  calculate finished "tls13 finished" (same as server)

   {client}  derive secret "tls13 c ap traffic" (same as server)

   {client}  derive secret "tls13 s ap traffic" (same as server)

   {client}  derive secret "tls13 exp master" (same as server)




Thomson                 Expires November 3, 2018               [Page 11]


Internet-Draft               TLS 1.3 Traces                     May 2018


   {client}  derive write traffic keys for handshake data (same as
      server read traffic keys)

   {client}  derive read traffic keys for application data (same as
      server write traffic keys)

   {client}  calculate finished "tls13 finished":

      PRK (32 octets):  ed 5d 2e 57 8f 39 41 2a 63 a1 8e 68 d4 52 e4 09
         21 5b 42 a8 63 40 29 f2 4c c9 c7 bb 3c 4d 29 de

      hash (0 octets):  (empty)

      info (18 octets):  00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65
         64 00

      output (32 octets):  3a db dd 16 1f ca 16 ee 0b 3e ee c3 58 09 98
         0a 62 86 14 6f ac 25 d2 7b a9 7b 2a fa 3a 66 f9 b0

   {client}  send a Finished handshake message

   {client}  send handshake record:

      payload (36 octets):  14 00 00 20 e4 dd f9 c5 4e 5c 65 83 5b e0 e9
         f2 57 03 09 b1 06 f6 72 6e c0 88 2f ca e7 13 8b d7 93 cc c7 1b

      ciphertext (58 octets):  17 03 03 00 35 e8 a7 c0 73 d2 d5 90 fb a2
         33 02 b7 1e 8c 3c ba 0b d4 54 28 97 0c ec de d3 ae 95 24 95 98
         12 7a af 08 ed 15 b8 86 7b 08 67 e2 71 1d 9c e3 97 38 21 e9 a9
         ca dd

   {client}  derive write traffic keys for application data:

      PRK (32 octets):  f7 1a e9 97 5d 12 75 6a 41 53 17 a4 4c 63 01 6e
         98 39 5d 1e cd da 48 9b cc af 4a 3e 86 3f 87 35

      key info (13 octets):  00 10 09 74 6c 73 31 33 20 6b 65 79 00

      key output (16 octets):  ac 85 66 33 d0 d3 1c 93 c8 53 ba 4a 51 b5
         de f8

      iv info (12 octets):  00 0c 08 74 6c 73 31 33 20 69 76 00

      iv output (12 octets):  0d a9 f7 fe 9e 8d f9 98 05 12 e5 46

   {client}  derive secret "tls13 res master":





Thomson                 Expires November 3, 2018               [Page 12]


Internet-Draft               TLS 1.3 Traces                     May 2018


      PRK (32 octets):  fa 2f 37 bc 3a 87 b5 9c 46 10 26 27 17 59 84 d8
         4e 03 5f a5 64 75 9c 1e ec 3b 96 4c e9 7a 1f 14

      hash (32 octets):  80 ec 58 20 f2 d2 75 b0 7a 13 77 80 c4 ad 21 40
         4f 36 36 f0 09 11 33 eb f4 0b 9e 83 4c a4 81 45

      info (52 octets):  00 20 10 74 6c 73 31 33 20 72 65 73 20 6d 61 73
         74 65 72 20 80 ec 58 20 f2 d2 75 b0 7a 13 77 80 c4 ad 21 40 4f
         36 36 f0 09 11 33 eb f4 0b 9e 83 4c a4 81 45

      output (32 octets):  af b3 24 6c 40 8d c0 40 5b a4 c3 2f 40 3b df
         bb 14 8c 27 ad 59 5a 92 0c f7 12 84 e8 60 8b 48 4d

   {server}  calculate finished "tls13 finished" (same as client)

   {server}  derive read traffic keys for application data (same as
      client write traffic keys)

   {server}  derive secret "tls13 res master" (same as client)

   {server}  generate resumption secret "tls13 resumption":

      PRK (32 octets):  af b3 24 6c 40 8d c0 40 5b a4 c3 2f 40 3b df bb
         14 8c 27 ad 59 5a 92 0c f7 12 84 e8 60 8b 48 4d

      hash (2 octets):  00 00

      info (22 octets):  00 20 10 74 6c 73 31 33 20 72 65 73 75 6d 70 74
         69 6f 6e 02 00 00

      output (32 octets):  cd 0b 4e db 66 32 41 4e 03 e9 a1 fb 9c bf 10
         68 c1 3d 7e 0f 94 f7 1d a2 6a 69 51 ba f7 52 9e 76

   {server}  send a NewSessionTicket handshake message

   {server}  send handshake record:

      payload (205 octets):  04 00 00 c9 00 00 00 1e 83 6a d9 92 02 00
         00 00 b2 20 69 93 e6 82 7e f6 98 84 68 d2 55 00 00 00 00 6a 30
         23 72 43 90 67 fc 81 f4 d3 17 f1 b1 ef 33 00 70 15 93 bc b0 32
         cc ea 52 8c 5a 07 c3 7b 16 6f 89 7a 83 b7 15 48 18 b7 d1 1a 4e
         90 7c da 4e 3f af 48 95 97 21 44 b3 a7 d9 96 8d 96 28 b6 e5 66
         9c ce f4 26 0e 45 d6 4d 22 d3 b6 1a b5 7b 7f 59 dd f7 e2 cf 7a
         19 6f 9a 32 a3 d9 4f ea 13 eb 25 ab 2d 73 35 78 83 80 dc e7 4d
         47 76 8e cf f4 67 9e 88 af ac a6 18 97 b9 1c 53 ee 85 82 2c 9f
         08 7b e4 05 8f ed 0d 6e b5 e2 68 e6 54 f4 ec 0c 67 5f fb 08 6e
         06 7d 04 39 e3 9d ca f1 fb 60 31 98 db 00 08 00 2a 00 04 00 00
         04 00



Thomson                 Expires November 3, 2018               [Page 13]


Internet-Draft               TLS 1.3 Traces                     May 2018


      ciphertext (227 octets):  17 03 03 00 de a7 77 b6 77 11 b5 34 f1
         0e 38 1f 45 1f 16 da 00 20 dd 9a af a4 9d b4 62 c2 35 dc cc 6d
         bf c6 39 9c 7e ec 88 ae 2a d6 8b 97 ca 23 b1 72 15 59 e6 6f 67
         7c e6 8c d1 06 7f 41 27 7b ac 40 bb b9 3e 5b 81 0d b4 3c 1c 80
         bd 8b 72 17 17 ba 23 c6 a0 52 ef 78 b6 dc 2b be b4 da e0 06 77
         8b ab 88 a7 a5 d1 7e a3 b6 3f 12 6c 24 67 33 cc 15 b6 28 b5 b7
         43 71 6d 85 f8 f1 f6 77 32 91 c7 37 ae 06 f5 f6 ae 95 6b c3 00
         5d f2 a0 64 94 b0 65 77 68 84 3a e8 fe 95 0e be 81 da 4a c9 9c
         34 e8 e5 73 d5 99 63 75 bb 82 2b 51 67 b4 ae 3f 9c 06 76 f7 e7
         94 a1 61 0f cb 12 e8 f7 9f 08 75 91 3d b9 67 c8 17 90 e9 6f 60
         4e dd 6c 06 c7 70 a2 c0 a8 f6 50 27 8d 22 03 94 8e a6 b2 3c 14
         d3 89 97 4a

   {client}  generate resumption secret "tls13 resumption" (same as
      server)

   {client}  send application_data record:

      payload (50 octets):  00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e
         0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23
         24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31

      ciphertext (72 octets):  17 03 03 00 43 98 45 d6 12 28 f1 d9 a5 da
         a3 2a 06 64 2c 43 68 1c cf 70 65 24 e2 8d 57 15 2f 6b 8f ac d0
         89 fc 98 26 83 c3 30 a3 e1 1f 16 c5 f7 5d 2d 49 21 5c c0 8a 13
         a1 ec fd 41 a4 1b b1 38 c9 63 48 92 ab 22 63 00

   {server}  send application_data record:

      payload (50 octets):  00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e
         0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23
         24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31

      ciphertext (72 octets):  17 03 03 00 43 01 0a 55 e6 e1 14 d0 51 60
         0a b9 5e e7 a3 03 82 3a 23 ae c5 79 be df fa 3f c3 e0 30 18 01
         95 f8 83 6b 58 3b af 9a 14 ae c3 77 be 43 73 a1 a5 ea a1 4e af
         87 9d 3f ca 6f 9b 7e 46 bc 05 46 83 5d 76 71 e8

   {client}  send alert record:

      payload (2 octets):  01 00

      ciphertext (24 octets):  17 03 03 00 13 5f 93 e1 bd 82 9d 2b 00 9c
         ad ac 13 3b 7f 0c 1e 8c 94 40

   {server}  send alert record:

      payload (2 octets):  01 00



Thomson                 Expires November 3, 2018               [Page 14]


Internet-Draft               TLS 1.3 Traces                     May 2018


      ciphertext (24 octets):  17 03 03 00 13 09 39 38 d7 0c 6a 9b 1c 9c
         2e 35 6b 60 58 80 70 27 cd 6e

4.  Resumed 0-RTT Handshake

   This handshake resumes from the handshake in Section 3.  Since the
   server provided a session ticket that permitted 0-RTT, and the client
   is configured for 0-RTT, the client is able to send 0-RTT data.

   {client}  create an ephemeral x25519 key pair:

      private key (32 octets):  7f cf 6e 8b fb 63 48 3f 0a 1d 23 99 fb
         ce e4 d0 69 39 6c 17 02 62 fb d9 f2 46 81 11 af 24 ab 34

      public key (32 octets):  b5 b4 ca 2e 51 9a c8 32 92 3e af 84 f4 13
         3d 53 b2 00 53 63 d5 a7 ad 8e 07 0b d0 fd 15 d6 92 08

   {client}  extract secret "early":

      salt:  (absent)

      ikm (32 octets):  cd 0b 4e db 66 32 41 4e 03 e9 a1 fb 9c bf 10 68
         c1 3d 7e 0f 94 f7 1d a2 6a 69 51 ba f7 52 9e 76

      secret (32 octets):  90 a6 5b c0 8e 4a 66 d4 a9 cf 3c f7 ec 2d 85
         be d7 ae 08 af 83 1d 05 d7 0d 6c c0 a9 39 9c 1e 63

   {client}  send a ClientHello handshake message

   {client}  calculate finished "tls13 finished":

      PRK (32 octets):  04 5f b4 75 3e d5 65 30 5b 33 d2 04 0b 21 57 2d
         7d 24 b3 ee 18 e7 63 bd 1a 1b 20 cf 2a a6 1a 92

      hash (0 octets):  (empty)

      info (18 octets):  00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65
         64 00

      output (32 octets):  89 60 f7 a3 5f 8e e3 52 30 20 1e cf 77 f8 b1
         29 8f 77 73 0f 0d 84 ab 51 31 a4 bb 00 9b 4f 3d 1f

   {client}  send handshake record:

      payload (512 octets):  01 00 01 fc 03 03 0b 27 b6 14 3a d0 49 dd
         d0 4e 5c b7 bb 33 22 d3 60 f6 0a 9b 8e 65 07 bc 79 69 84 19 5b
         d4 e8 cb 00 00 06 13 01 13 03 13 02 01 00 01 cd 00 00 00 0b 00
         09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 14 00 12



Thomson                 Expires November 3, 2018               [Page 15]


Internet-Draft               TLS 1.3 Traces                     May 2018


         00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 33 00
         26 00 24 00 1d 00 20 b5 b4 ca 2e 51 9a c8 32 92 3e af 84 f4 13
         3d 53 b2 00 53 63 d5 a7 ad 8e 07 0b d0 fd 15 d6 92 08 00 2a 00
         00 00 2b 00 03 02 7f 1c 00 0d 00 20 00 1e 04 03 05 03 06 03 02
         03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 06 02
         02 02 00 2d 00 02 01 01 00 15 00 5d 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 29 00 dd 00 b8 00 b2 20 69 93 e6 82 7e f6 98 84 68 d2 55 00
         00 00 00 6a 30 23 72 43 90 67 fc 81 f4 d3 17 f1 b1 ef 33 00 70
         15 93 bc b0 32 cc ea 52 8c 5a 07 c3 7b 16 6f 89 7a 83 b7 15 48
         18 b7 d1 1a 4e 90 7c da 4e 3f af 48 95 97 21 44 b3 a7 d9 96 8d
         96 28 b6 e5 66 9c ce f4 26 0e 45 d6 4d 22 d3 b6 1a b5 7b 7f 59
         dd f7 e2 cf 7a 19 6f 9a 32 a3 d9 4f ea 13 eb 25 ab 2d 73 35 78
         83 80 dc e7 4d 47 76 8e cf f4 67 9e 88 af ac a6 18 97 b9 1c 53
         ee 85 82 2c 9f 08 7b e4 05 8f ed 0d 6e b5 e2 68 e6 54 f4 ec 0c
         67 5f fb 08 6e 06 7d 04 39 e3 9d ca f1 fb 60 31 98 db 83 6a d9
         95 00 21 20 58 34 0e ab 95 8d 02 3c 39 84 b4 82 81 0b 58 ec 53
         7c d3 d1 c6 a9 9d ca 87 1c 73 57 54 1d 45 2f

      ciphertext (517 octets):  16 03 01 02 00 01 00 01 fc 03 03 0b 27
         b6 14 3a d0 49 dd d0 4e 5c b7 bb 33 22 d3 60 f6 0a 9b 8e 65 07
         bc 79 69 84 19 5b d4 e8 cb 00 00 06 13 01 13 03 13 02 01 00 01
         cd 00 00 00 0b 00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00
         00 0a 00 14 00 12 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01
         03 01 04 00 33 00 26 00 24 00 1d 00 20 b5 b4 ca 2e 51 9a c8 32
         92 3e af 84 f4 13 3d 53 b2 00 53 63 d5 a7 ad 8e 07 0b d0 fd 15
         d6 92 08 00 2a 00 00 00 2b 00 03 02 7f 1c 00 0d 00 20 00 1e 04
         03 05 03 06 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01
         04 02 05 02 06 02 02 02 00 2d 00 02 01 01 00 15 00 5d 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 29 00 dd 00 b8 00 b2 20 69 93 e6 82 7e f6
         98 84 68 d2 55 00 00 00 00 6a 30 23 72 43 90 67 fc 81 f4 d3 17
         f1 b1 ef 33 00 70 15 93 bc b0 32 cc ea 52 8c 5a 07 c3 7b 16 6f
         89 7a 83 b7 15 48 18 b7 d1 1a 4e 90 7c da 4e 3f af 48 95 97 21
         44 b3 a7 d9 96 8d 96 28 b6 e5 66 9c ce f4 26 0e 45 d6 4d 22 d3
         b6 1a b5 7b 7f 59 dd f7 e2 cf 7a 19 6f 9a 32 a3 d9 4f ea 13 eb
         25 ab 2d 73 35 78 83 80 dc e7 4d 47 76 8e cf f4 67 9e 88 af ac
         a6 18 97 b9 1c 53 ee 85 82 2c 9f 08 7b e4 05 8f ed 0d 6e b5 e2
         68 e6 54 f4 ec 0c 67 5f fb 08 6e 06 7d 04 39 e3 9d ca f1 fb 60
         31 98 db 83 6a d9 95 00 21 20 58 34 0e ab 95 8d 02 3c 39 84 b4
         82 81 0b 58 ec 53 7c d3 d1 c6 a9 9d ca 87 1c 73 57 54 1d 45 2f




Thomson                 Expires November 3, 2018               [Page 16]


Internet-Draft               TLS 1.3 Traces                     May 2018


   {client}  derive secret "tls13 c e traffic":

      PRK (32 octets):  90 a6 5b c0 8e 4a 66 d4 a9 cf 3c f7 ec 2d 85 be
         d7 ae 08 af 83 1d 05 d7 0d 6c c0 a9 39 9c 1e 63

      hash (32 octets):  02 ce c3 cc b1 be e9 72 06 ff bf 5b 0e db f9 43
         0a d8 02 05 96 0c 04 ba ff ad b6 dc d3 81 b9 0c

      info (53 octets):  00 20 11 74 6c 73 31 33 20 63 20 65 20 74 72 61
         66 66 69 63 20 02 ce c3 cc b1 be e9 72 06 ff bf 5b 0e db f9 43
         0a d8 02 05 96 0c 04 ba ff ad b6 dc d3 81 b9 0c

      output (32 octets):  b0 ea 52 04 68 97 4f 91 39 58 7d cf f5 6f 77
         85 69 96 02 fb c8 0c 0c 18 50 82 79 dc bf d0 7b 03

   {client}  derive secret "tls13 e exp master":

      PRK (32 octets):  90 a6 5b c0 8e 4a 66 d4 a9 cf 3c f7 ec 2d 85 be
         d7 ae 08 af 83 1d 05 d7 0d 6c c0 a9 39 9c 1e 63

      hash (32 octets):  02 ce c3 cc b1 be e9 72 06 ff bf 5b 0e db f9 43
         0a d8 02 05 96 0c 04 ba ff ad b6 dc d3 81 b9 0c

      info (54 octets):  00 20 12 74 6c 73 31 33 20 65 20 65 78 70 20 6d
         61 73 74 65 72 20 02 ce c3 cc b1 be e9 72 06 ff bf 5b 0e db f9
         43 0a d8 02 05 96 0c 04 ba ff ad b6 dc d3 81 b9 0c

      output (32 octets):  bc 79 ec a3 3d c5 5e 77 f4 a2 b3 1d e3 b2 eb
         b7 ff 1a 03 16 e6 a2 ea 2e 1e d1 88 1e 65 c0 ee ba

   {client}  derive write traffic keys for early application data:

      PRK (32 octets):  b0 ea 52 04 68 97 4f 91 39 58 7d cf f5 6f 77 85
         69 96 02 fb c8 0c 0c 18 50 82 79 dc bf d0 7b 03

      key info (13 octets):  00 10 09 74 6c 73 31 33 20 6b 65 79 00

      key output (16 octets):  ad 52 61 5a d7 8f ef c8 30 d7 b5 23 c5 6d
         39 6c

      iv info (12 octets):  00 0c 08 74 6c 73 31 33 20 69 76 00

      iv output (12 octets):  1a 68 22 06 82 d9 52 2f 6f d9 80 cb

   {client}  send application_data record:

      payload (6 octets):  41 42 43 44 45 46




Thomson                 Expires November 3, 2018               [Page 17]


Internet-Draft               TLS 1.3 Traces                     May 2018


      ciphertext (28 octets):  17 03 03 00 17 f0 a5 2c ad f2 f8 10 e3 ea
         31 4a 9e 0d 74 94 18 0c 07 e1 b6 dd 23 05

   {server}  extract secret "early" (same as client)

   {server}  calculate finished "tls13 finished" (same as client)

   {server}  create an ephemeral x25519 key pair:

      private key (32 octets):  73 c0 5e e2 5c db 68 51 18 f0 f7 dd 5f
         d2 dd 12 9d 17 a7 98 b9 1c c5 fe 62 ed 70 a9 ba af 53 2f

      public key (32 octets):  47 d1 32 89 df 6f a0 fc 57 3c 74 fa 73 40
         a2 6f 43 38 28 70 7d e5 72 7e 68 28 cb d0 81 9d a9 76

   {server}  derive secret "tls13 c e traffic" (same as client)

   {server}  derive secret "tls13 e exp master" (same as client)

   {server}  send a ServerHello handshake message

   {server}  derive secret for handshake "tls13 derived":

      PRK (32 octets):  90 a6 5b c0 8e 4a 66 d4 a9 cf 3c f7 ec 2d 85 be
         d7 ae 08 af 83 1d 05 d7 0d 6c c0 a9 39 9c 1e 63

      hash (32 octets):  e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24
         27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55

      info (49 octets):  00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64
         20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4
         64 9b 93 4c a4 95 99 1b 78 52 b8 55

      output (32 octets):  95 c5 f6 ae c8 48 4c ad 65 ee ff f1 0c 48 a8
         4f 34 d6 53 d6 59 91 bf de 13 69 81 97 b3 b9 b4 5d

   {server}  extract secret "handshake":

      salt (32 octets):  95 c5 f6 ae c8 48 4c ad 65 ee ff f1 0c 48 a8 4f
         34 d6 53 d6 59 91 bf de 13 69 81 97 b3 b9 b4 5d

      ikm (32 octets):  4f 81 91 7a 09 87 67 f2 22 5f cf 33 e8 a5 d5 33
         d6 88 3b d8 ee 16 00 b2 c5 e4 f0 e8 24 02 06 37

      secret (32 octets):  96 eb 95 b5 63 62 0c 58 ca d2 c7 37 0f b7 4b
         8f 55 b2 0e 28 bd bc 2d 70 6e 6f db aa 9e 9e 60 93

   {server}  derive secret "tls13 c hs traffic":



Thomson                 Expires November 3, 2018               [Page 18]


Internet-Draft               TLS 1.3 Traces                     May 2018


      PRK (32 octets):  96 eb 95 b5 63 62 0c 58 ca d2 c7 37 0f b7 4b 8f
         55 b2 0e 28 bd bc 2d 70 6e 6f db aa 9e 9e 60 93

      hash (32 octets):  ab e0 a2 b9 a8 84 3e 92 93 a8 36 91 96 7c fa 4c
         d0 8d 8e fc 0b 13 63 39 a9 1a 6d 01 45 3d 32 91

      info (54 octets):  00 20 12 74 6c 73 31 33 20 63 20 68 73 20 74 72
         61 66 66 69 63 20 ab e0 a2 b9 a8 84 3e 92 93 a8 36 91 96 7c fa
         4c d0 8d 8e fc 0b 13 63 39 a9 1a 6d 01 45 3d 32 91

      output (32 octets):  50 26 86 51 18 93 2f ba 00 9f b8 84 c2 6c e1
         8e 44 96 c8 f3 57 dd f0 d1 a9 0b c2 7b 4c 31 92 9c

   {server}  derive secret "tls13 s hs traffic":

      PRK (32 octets):  96 eb 95 b5 63 62 0c 58 ca d2 c7 37 0f b7 4b 8f
         55 b2 0e 28 bd bc 2d 70 6e 6f db aa 9e 9e 60 93

      hash (32 octets):  ab e0 a2 b9 a8 84 3e 92 93 a8 36 91 96 7c fa 4c
         d0 8d 8e fc 0b 13 63 39 a9 1a 6d 01 45 3d 32 91

      info (54 octets):  00 20 12 74 6c 73 31 33 20 73 20 68 73 20 74 72
         61 66 66 69 63 20 ab e0 a2 b9 a8 84 3e 92 93 a8 36 91 96 7c fa
         4c d0 8d 8e fc 0b 13 63 39 a9 1a 6d 01 45 3d 32 91

      output (32 octets):  c9 23 18 b4 c5 6f ba 46 bf 6e ef 2a 9a 8f 02
         33 a2 8b ab 9b b9 66 67 4a 19 32 0b b5 3c 50 10 19

   {server}  derive secret for master "tls13 derived":

      PRK (32 octets):  96 eb 95 b5 63 62 0c 58 ca d2 c7 37 0f b7 4b 8f
         55 b2 0e 28 bd bc 2d 70 6e 6f db aa 9e 9e 60 93

      hash (32 octets):  e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24
         27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55

      info (49 octets):  00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64
         20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4
         64 9b 93 4c a4 95 99 1b 78 52 b8 55

      output (32 octets):  b2 da f2 ee a8 bb d9 2b 5d 84 12 d4 26 7a 3c
         31 6c 09 cd 45 8e 71 ab dc c6 7b e6 b1 41 6c 0f 31

   {server}  extract secret "master":

      salt (32 octets):  b2 da f2 ee a8 bb d9 2b 5d 84 12 d4 26 7a 3c 31
         6c 09 cd 45 8e 71 ab dc c6 7b e6 b1 41 6c 0f 31




Thomson                 Expires November 3, 2018               [Page 19]


Internet-Draft               TLS 1.3 Traces                     May 2018


      ikm (32 octets):  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

      secret (32 octets):  c5 ee bf b8 6e 50 81 37 24 5d 79 91 9a 3d 43
         19 61 bc 0d 5c c8 70 d9 08 9a 2f 30 34 b4 b9 6b 02

   {server}  send handshake record:

      payload (96 octets):  02 00 00 5c 03 03 3e 47 ec 55 17 e3 8e 7e f5
         cc bc 69 f9 2f 5b 20 b8 fa 46 a6 54 66 31 bb 99 fa 08 65 f4 af
         22 8c 00 13 01 00 00 34 00 29 00 02 00 00 00 33 00 24 00 1d 00
         20 47 d1 32 89 df 6f a0 fc 57 3c 74 fa 73 40 a2 6f 43 38 28 70
         7d e5 72 7e 68 28 cb d0 81 9d a9 76 00 2b 00 02 7f 1c

      ciphertext (101 octets):  16 03 03 00 60 02 00 00 5c 03 03 3e 47
         ec 55 17 e3 8e 7e f5 cc bc 69 f9 2f 5b 20 b8 fa 46 a6 54 66 31
         bb 99 fa 08 65 f4 af 22 8c 00 13 01 00 00 34 00 29 00 02 00 00
         00 33 00 24 00 1d 00 20 47 d1 32 89 df 6f a0 fc 57 3c 74 fa 73
         40 a2 6f 43 38 28 70 7d e5 72 7e 68 28 cb d0 81 9d a9 76 00 2b
         00 02 7f 1c

   {server}  derive write traffic keys for handshake data:

      PRK (32 octets):  c9 23 18 b4 c5 6f ba 46 bf 6e ef 2a 9a 8f 02 33
         a2 8b ab 9b b9 66 67 4a 19 32 0b b5 3c 50 10 19

      key info (13 octets):  00 10 09 74 6c 73 31 33 20 6b 65 79 00

      key output (16 octets):  0d 71 1f 45 1d c2 0e fc 7e f8 08 9b 44 79
         75 ac

      iv info (12 octets):  00 0c 08 74 6c 73 31 33 20 69 76 00

      iv output (12 octets):  ee 5d 71 8a 24 a8 e5 32 8d bc 58 00

   {server}  send a EncryptedExtensions handshake message

   {server}  calculate finished "tls13 finished":

      PRK (32 octets):  c9 23 18 b4 c5 6f ba 46 bf 6e ef 2a 9a 8f 02 33
         a2 8b ab 9b b9 66 67 4a 19 32 0b b5 3c 50 10 19

      hash (0 octets):  (empty)

      info (18 octets):  00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65
         64 00





Thomson                 Expires November 3, 2018               [Page 20]


Internet-Draft               TLS 1.3 Traces                     May 2018


      output (32 octets):  89 20 c8 40 6e b4 0e d6 66 66 68 95 ae 3d 8d
         12 67 0e c0 e4 5f 0b cb 63 cf ef f5 13 38 e8 1a 5b

   {server}  send a Finished handshake message

   {server}  send handshake record:

      payload (74 octets):  08 00 00 22 00 20 00 0a 00 14 00 12 00 1d 00
         17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 00 00 00 00 2a
         00 00 14 00 00 20 b5 06 45 62 14 0c b7 fa 10 da 9a 57 ff 61 7b
         f2 66 d7 14 b7 8b 59 41 a0 af 36 3f ac c1 8d a6 b0

      ciphertext (96 octets):  17 03 03 00 5b c8 2d 5e 2c 40 f0 77 cc 7d
         8b c6 f5 0a 61 52 c2 ff e0 d9 30 60 11 a6 c2 7c 1c 2a c3 88 4c
         a6 1e f2 08 46 fb c3 dd 91 19 4e 26 b6 9a 4a 74 73 a2 51 4d e7
         76 68 92 9d 4c 77 63 64 51 21 70 9f 8a 64 a2 9d 14 88 0b 6d f1
         04 08 b5 74 da 7e 2e 5d 0b 6c da 9d 18 4f fe 57 62 b5 5f

   {server}  derive secret "tls13 c ap traffic":

      PRK (32 octets):  c5 ee bf b8 6e 50 81 37 24 5d 79 91 9a 3d 43 19
         61 bc 0d 5c c8 70 d9 08 9a 2f 30 34 b4 b9 6b 02

      hash (32 octets):  11 bf 9b 71 22 aa c5 07 85 59 ef 90 f7 8e e0 78
         32 a6 79 72 a2 c7 f4 bd 8f 56 15 d0 bc 19 7a 39

      info (54 octets):  00 20 12 74 6c 73 31 33 20 63 20 61 70 20 74 72
         61 66 66 69 63 20 11 bf 9b 71 22 aa c5 07 85 59 ef 90 f7 8e e0
         78 32 a6 79 72 a2 c7 f4 bd 8f 56 15 d0 bc 19 7a 39

      output (32 octets):  bc 39 56 2d 42 a4 e7 62 8d cc 15 1b ba c1 16
         88 06 9c 1c 56 ca cd 17 d4 cc 53 4a bb 05 e3 c0 3e

   {server}  derive secret "tls13 s ap traffic":

      PRK (32 octets):  c5 ee bf b8 6e 50 81 37 24 5d 79 91 9a 3d 43 19
         61 bc 0d 5c c8 70 d9 08 9a 2f 30 34 b4 b9 6b 02

      hash (32 octets):  11 bf 9b 71 22 aa c5 07 85 59 ef 90 f7 8e e0 78
         32 a6 79 72 a2 c7 f4 bd 8f 56 15 d0 bc 19 7a 39

      info (54 octets):  00 20 12 74 6c 73 31 33 20 73 20 61 70 20 74 72
         61 66 66 69 63 20 11 bf 9b 71 22 aa c5 07 85 59 ef 90 f7 8e e0
         78 32 a6 79 72 a2 c7 f4 bd 8f 56 15 d0 bc 19 7a 39

      output (32 octets):  a2 05 9e be 09 34 8a d4 2b 1d 6a 72 01 9e 8f
         89 06 0d e5 9f de 34 2d 4a d1 68 f2 08 5c ab c3 60




Thomson                 Expires November 3, 2018               [Page 21]


Internet-Draft               TLS 1.3 Traces                     May 2018


   {server}  derive secret "tls13 exp master":

      PRK (32 octets):  c5 ee bf b8 6e 50 81 37 24 5d 79 91 9a 3d 43 19
         61 bc 0d 5c c8 70 d9 08 9a 2f 30 34 b4 b9 6b 02

      hash (32 octets):  11 bf 9b 71 22 aa c5 07 85 59 ef 90 f7 8e e0 78
         32 a6 79 72 a2 c7 f4 bd 8f 56 15 d0 bc 19 7a 39

      info (52 octets):  00 20 10 74 6c 73 31 33 20 65 78 70 20 6d 61 73
         74 65 72 20 11 bf 9b 71 22 aa c5 07 85 59 ef 90 f7 8e e0 78 32
         a6 79 72 a2 c7 f4 bd 8f 56 15 d0 bc 19 7a 39

      output (32 octets):  e2 d4 f1 2f c6 26 c2 91 de 52 8c 4d d2 cb 1f
         d2 11 b2 d8 44 d9 53 d4 7a 48 d8 17 87 64 05 88 41

   {server}  derive write traffic keys for application data:

      PRK (32 octets):  a2 05 9e be 09 34 8a d4 2b 1d 6a 72 01 9e 8f 89
         06 0d e5 9f de 34 2d 4a d1 68 f2 08 5c ab c3 60

      key info (13 octets):  00 10 09 74 6c 73 31 33 20 6b 65 79 00

      key output (16 octets):  2e c4 83 49 b4 00 e4 9d bb 71 9a 98 91 11
         2d 99

      iv info (12 octets):  00 0c 08 74 6c 73 31 33 20 69 76 00

      iv output (12 octets):  b2 6b 47 20 2b 9a 93 55 45 90 c0 3c

   {server}  derive read traffic keys for early application data (same
      as client write traffic keys)

   {client}  derive secret for handshake "tls13 derived":

      PRK (32 octets):  90 a6 5b c0 8e 4a 66 d4 a9 cf 3c f7 ec 2d 85 be
         d7 ae 08 af 83 1d 05 d7 0d 6c c0 a9 39 9c 1e 63

      hash (32 octets):  e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24
         27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55

      info (49 octets):  00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64
         20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4
         64 9b 93 4c a4 95 99 1b 78 52 b8 55

      output (32 octets):  95 c5 f6 ae c8 48 4c ad 65 ee ff f1 0c 48 a8
         4f 34 d6 53 d6 59 91 bf de 13 69 81 97 b3 b9 b4 5d

   {client}  extract secret "handshake":



Thomson                 Expires November 3, 2018               [Page 22]


Internet-Draft               TLS 1.3 Traces                     May 2018


      salt (32 octets):  95 c5 f6 ae c8 48 4c ad 65 ee ff f1 0c 48 a8 4f
         34 d6 53 d6 59 91 bf de 13 69 81 97 b3 b9 b4 5d

      ikm (32 octets):  4f 81 91 7a 09 87 67 f2 22 5f cf 33 e8 a5 d5 33
         d6 88 3b d8 ee 16 00 b2 c5 e4 f0 e8 24 02 06 37

      secret (32 octets):  96 eb 95 b5 63 62 0c 58 ca d2 c7 37 0f b7 4b
         8f 55 b2 0e 28 bd bc 2d 70 6e 6f db aa 9e 9e 60 93

   {client}  derive secret "tls13 c hs traffic" (same as server)

   {client}  derive secret "tls13 s hs traffic" (same as server)

   {client}  derive secret for master "tls13 derived" (same as server)

   {client}  extract secret "master" (same as server)

   {client}  derive read traffic keys for handshake data:

      PRK (32 octets):  c9 23 18 b4 c5 6f ba 46 bf 6e ef 2a 9a 8f 02 33
         a2 8b ab 9b b9 66 67 4a 19 32 0b b5 3c 50 10 19

      key info (13 octets):  00 10 09 74 6c 73 31 33 20 6b 65 79 00

      key output (16 octets):  0d 71 1f 45 1d c2 0e fc 7e f8 08 9b 44 79
         75 ac

      iv info (12 octets):  00 0c 08 74 6c 73 31 33 20 69 76 00

      iv output (12 octets):  ee 5d 71 8a 24 a8 e5 32 8d bc 58 00

   {client}  calculate finished "tls13 finished" (same as server)

   {client}  derive secret "tls13 c ap traffic" (same as server)

   {client}  derive secret "tls13 s ap traffic" (same as server)

   {client}  derive secret "tls13 exp master" (same as server)

   {client}  send a EndOfEarlyData handshake message

   {client}  send handshake record:

      payload (4 octets):  05 00 00 00

      ciphertext (26 octets):  17 03 03 00 15 87 ea 08 9b c5 7f 33 1c 4f
         ad 29 80 d7 5e 3b c1 cc 55 40 e8 75




Thomson                 Expires November 3, 2018               [Page 23]


Internet-Draft               TLS 1.3 Traces                     May 2018


   {client}  derive write traffic keys for handshake data:

      PRK (32 octets):  50 26 86 51 18 93 2f ba 00 9f b8 84 c2 6c e1 8e
         44 96 c8 f3 57 dd f0 d1 a9 0b c2 7b 4c 31 92 9c

      key info (13 octets):  00 10 09 74 6c 73 31 33 20 6b 65 79 00

      key output (16 octets):  4c 0f 31 7d 9a b1 56 f2 7b 71 cb ca 63 3d
         f7 4f

      iv info (12 octets):  00 0c 08 74 6c 73 31 33 20 69 76 00

      iv output (12 octets):  e3 19 71 d9 f6 41 4b 45 de 4c 4c e2

   {client}  derive read traffic keys for application data (same as
      server write traffic keys)

   {client}  calculate finished "tls13 finished":

      PRK (32 octets):  50 26 86 51 18 93 2f ba 00 9f b8 84 c2 6c e1 8e
         44 96 c8 f3 57 dd f0 d1 a9 0b c2 7b 4c 31 92 9c

      hash (0 octets):  (empty)

      info (18 octets):  00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65
         64 00

      output (32 octets):  68 9e a0 1d d9 3b e4 b2 38 94 de ab a8 d0 7c
         56 31 29 ad 6b ef dd 7b 3d 8d ef e5 8e 4f 7e 3a 44

   {client}  send a Finished handshake message

   {client}  send handshake record:

      payload (36 octets):  14 00 00 20 52 90 13 55 ab 06 bb fb ab 3a 81
         cc 67 e3 6f eb 5d 8d a1 63 2a 02 ba 83 0a 8f c8 5f 4c 22 66 cf

      ciphertext (58 octets):  17 03 03 00 35 39 ab 4d 04 21 bb 3e 2b 85
         53 d0 2c ee 16 d3 78 c5 0f a8 76 fd 44 b4 d8 c6 36 26 6e 44 70
         bd 05 f4 77 d4 fb 91 70 f4 42 96 e2 43 3c 78 0e ef c7 50 5f 9b
         e1 68

   {client}  derive write traffic keys for application data:

      PRK (32 octets):  bc 39 56 2d 42 a4 e7 62 8d cc 15 1b ba c1 16 88
         06 9c 1c 56 ca cd 17 d4 cc 53 4a bb 05 e3 c0 3e

      key info (13 octets):  00 10 09 74 6c 73 31 33 20 6b 65 79 00



Thomson                 Expires November 3, 2018               [Page 24]


Internet-Draft               TLS 1.3 Traces                     May 2018


      key output (16 octets):  24 56 8c c4 56 c9 16 6a 17 54 e3 f8 4d da
         66 23

      iv info (12 octets):  00 0c 08 74 6c 73 31 33 20 69 76 00

      iv output (12 octets):  92 d2 da ec 04 ce c8 de 21 2a 8e 0c

   {client}  derive secret "tls13 res master":

      PRK (32 octets):  c5 ee bf b8 6e 50 81 37 24 5d 79 91 9a 3d 43 19
         61 bc 0d 5c c8 70 d9 08 9a 2f 30 34 b4 b9 6b 02

      hash (32 octets):  74 61 12 2a b1 9d 89 46 41 d8 1c 0b 32 71 a9 35
         90 9f be 21 87 ce 40 18 d1 81 d0 4b 1f 9b 95 8a

      info (52 octets):  00 20 10 74 6c 73 31 33 20 72 65 73 20 6d 61 73
         74 65 72 20 74 61 12 2a b1 9d 89 46 41 d8 1c 0b 32 71 a9 35 90
         9f be 21 87 ce 40 18 d1 81 d0 4b 1f 9b 95 8a

      output (32 octets):  98 85 4e 70 a8 c2 0f 1b 02 44 b8 d9 f2 e9 94
         37 7d 11 dd 0b 6b 09 42 29 de f0 cd 55 56 9a c1 20

   {server}  derive read traffic keys for handshake data:

      PRK (32 octets):  50 26 86 51 18 93 2f ba 00 9f b8 84 c2 6c e1 8e
         44 96 c8 f3 57 dd f0 d1 a9 0b c2 7b 4c 31 92 9c

      key info (13 octets):  00 10 09 74 6c 73 31 33 20 6b 65 79 00

      key output (16 octets):  4c 0f 31 7d 9a b1 56 f2 7b 71 cb ca 63 3d
         f7 4f

      iv info (12 octets):  00 0c 08 74 6c 73 31 33 20 69 76 00

      iv output (12 octets):  e3 19 71 d9 f6 41 4b 45 de 4c 4c e2

   {server}  calculate finished "tls13 finished" (same as client)

   {server}  derive read traffic keys for application data (same as
      client write traffic keys)

   {server}  derive secret "tls13 res master" (same as client)

   {client}  send application_data record:

      payload (50 octets):  00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e
         0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23
         24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31



Thomson                 Expires November 3, 2018               [Page 25]


Internet-Draft               TLS 1.3 Traces                     May 2018


      ciphertext (72 octets):  17 03 03 00 43 28 e8 c4 0d 6e 0a 83 0c 62
         58 8a 5a 29 e4 1e 24 48 3d 50 c8 57 f0 1f d2 25 6f a4 51 4e 2d
         4c a3 77 fd ff 96 26 0e a6 46 a6 92 4e 93 3d 96 74 29 3f 26 ab
         a3 a6 da 07 4c 16 c0 27 68 65 ab 02 df 0e 61 01

   {server}  send application_data record:

      payload (50 octets):  00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e
         0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23
         24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31

      ciphertext (72 octets):  17 03 03 00 43 54 25 7b ed c2 61 dd 2c f2
         a5 bd f1 3f ed fc 93 7a 46 dd 32 59 9b 6f 16 df 78 2e 92 42 bd
         43 b0 b4 7e 79 b6 b5 fd 5a 98 23 d7 6f a6 fc ad 1c 84 97 c3 8a
         62 20 70 af 9e 2a 72 6c 78 b3 ee bc 92 9b 27 66

   {client}  send alert record:

      payload (2 octets):  01 00

      ciphertext (24 octets):  17 03 03 00 13 5a d6 a3 97 6d 9d 6c b8 66
         b4 a3 5c 0f b4 53 90 ae dd 88

   {server}  send alert record:

      payload (2 octets):  01 00

      ciphertext (24 octets):  17 03 03 00 13 1d 7f 76 5d 2c d2 65 53 b2
         f3 a8 c4 0a 71 a7 e6 48 c3 87

5.  HelloRetryRequest

   In this example, the client initiates a handshake with an X25519
   [RFC7748] share.  The server however prefers P-256 [FIPS186] and
   sends a HelloRetryRequest that requires the client to generate a key
   share on the P-256 curve.

   {client}  create an ephemeral x25519 key pair:

      private key (32 octets):  2f 74 42 ae 1b ce d7 5e 82 f9 be 34 3c
         af cd fd 6c 14 28 e6 19 f1 f5 1a ae 58 68 01 1b 94 4c ab

      public key (32 octets):  18 77 ec d6 d3 b5 46 fb 68 dd 27 35 0f 25
         24 87 b7 e8 7b 8a 91 2c e1 a6 a8 8c d0 bb 02 cd 15 49

   {client}  send a ClientHello handshake message

   {client}  send handshake record:



Thomson                 Expires November 3, 2018               [Page 26]


Internet-Draft               TLS 1.3 Traces                     May 2018


      payload (174 octets):  01 00 00 aa 03 03 b7 c9 bc 82 7e a9 0b 53
         72 b5 ba 58 29 7e 40 ba 82 77 ce bf be eb 8e af 94 e8 85 36 5b
         91 c5 bb 00 00 06 13 01 13 03 13 02 01 00 00 7b 00 00 00 0b 00
         09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 08 00 06
         00 1d 00 17 00 18 00 33 00 26 00 24 00 1d 00 20 18 77 ec d6 d3
         b5 46 fb 68 dd 27 35 0f 25 24 87 b7 e8 7b 8a 91 2c e1 a6 a8 8c
         d0 bb 02 cd 15 49 00 2b 00 03 02 7f 1c 00 0d 00 20 00 1e 04 03
         05 03 06 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04
         02 05 02 06 02 02 02 00 2d 00 02 01 01

      ciphertext (179 octets):  16 03 01 00 ae 01 00 00 aa 03 03 b7 c9
         bc 82 7e a9 0b 53 72 b5 ba 58 29 7e 40 ba 82 77 ce bf be eb 8e
         af 94 e8 85 36 5b 91 c5 bb 00 00 06 13 01 13 03 13 02 01 00 00
         7b 00 00 00 0b 00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00
         00 0a 00 08 00 06 00 1d 00 17 00 18 00 33 00 26 00 24 00 1d 00
         20 18 77 ec d6 d3 b5 46 fb 68 dd 27 35 0f 25 24 87 b7 e8 7b 8a
         91 2c e1 a6 a8 8c d0 bb 02 cd 15 49 00 2b 00 03 02 7f 1c 00 0d
         00 20 00 1e 04 03 05 03 06 03 02 03 08 04 08 05 08 06 04 01 05
         01 06 01 02 01 04 02 05 02 06 02 02 02 00 2d 00 02 01 01

   {server}  send a ServerHello handshake message

   {server}  send handshake record:

      payload (176 octets):  02 00 00 ac 03 03 cf 21 ad 74 e5 9a 61 11
         be 1d 8c 02 1e 65 b8 91 c2 a2 11 16 7a bb 8c 5e 07 9e 09 e2 c8
         a8 33 9c 00 13 01 00 00 84 00 33 00 02 00 17 00 2c 00 74 00 72
         20 1c e9 22 bf 9a 57 cc 0c 63 8a 02 00 00 00 00 b5 89 27 72 3a
         7b 57 e1 de 6d 9d 65 d4 9b 4c 1d 00 30 39 bc 6d f6 e6 1b 34 45
         a1 12 cf 2c 5d f4 b3 bd 4c db 05 07 08 57 d9 f0 22 e8 6a c7 df
         91 a9 4a 1b e9 fd 61 ac b3 22 13 7a d5 63 70 dc fa 29 55 aa c6
         d6 ab 28 a2 98 43 62 89 9d 38 b7 b0 9b 3c 4d 86 76 a4 8b b2 c6
         bd 05 02 fc c5 61 b5 50 2e 00 2b 00 02 7f 1c

      ciphertext (181 octets):  16 03 03 00 b0 02 00 00 ac 03 03 cf 21
         ad 74 e5 9a 61 11 be 1d 8c 02 1e 65 b8 91 c2 a2 11 16 7a bb 8c
         5e 07 9e 09 e2 c8 a8 33 9c 00 13 01 00 00 84 00 33 00 02 00 17
         00 2c 00 74 00 72 20 1c e9 22 bf 9a 57 cc 0c 63 8a 02 00 00 00
         00 b5 89 27 72 3a 7b 57 e1 de 6d 9d 65 d4 9b 4c 1d 00 30 39 bc
         6d f6 e6 1b 34 45 a1 12 cf 2c 5d f4 b3 bd 4c db 05 07 08 57 d9
         f0 22 e8 6a c7 df 91 a9 4a 1b e9 fd 61 ac b3 22 13 7a d5 63 70
         dc fa 29 55 aa c6 d6 ab 28 a2 98 43 62 89 9d 38 b7 b0 9b 3c 4d
         86 76 a4 8b b2 c6 bd 05 02 fc c5 61 b5 50 2e 00 2b 00 02 7f 1c

   {client}  create an ephemeral P-256 key pair:

      private key (32 octets):  12 04 90 37 70 08 12 91 d2 e2 8c 2e 4c
         cc ae fd fa be a9 02 d6 24 cc 53 7e 17 7e f4 62 e0 4e 68



Thomson                 Expires November 3, 2018               [Page 27]


Internet-Draft               TLS 1.3 Traces                     May 2018


      public key (65 octets):  04 34 64 59 40 3b b6 5d 0e 0d 11 d1 03 8b
         e7 1b 03 a7 56 2b 01 e0 3a a1 b5 80 25 c4 65 88 a4 09 3f 1c 75
         98 bd 8c 79 ee 7e fc 5b a7 49 bd 24 3c 10 82 12 3a 37 f9 3f 9a
         00 8c ff 64 5b c4 e5 8f 20

   {client}  send a ClientHello handshake message

   {client}  send handshake record:

      payload (512 octets):  01 00 01 fc 03 03 b7 c9 bc 82 7e a9 0b 53
         72 b5 ba 58 29 7e 40 ba 82 77 ce bf be eb 8e af 94 e8 85 36 5b
         91 c5 bb 00 00 06 13 01 13 03 13 02 01 00 01 cd 00 00 00 0b 00
         09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 08 00 06
         00 1d 00 17 00 18 00 33 00 47 00 45 00 17 00 41 04 34 64 59 40
         3b b6 5d 0e 0d 11 d1 03 8b e7 1b 03 a7 56 2b 01 e0 3a a1 b5 80
         25 c4 65 88 a4 09 3f 1c 75 98 bd 8c 79 ee 7e fc 5b a7 49 bd 24
         3c 10 82 12 3a 37 f9 3f 9a 00 8c ff 64 5b c4 e5 8f 20 00 2b 00
         03 02 7f 1c 00 0d 00 20 00 1e 04 03 05 03 06 03 02 03 08 04 08
         05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 06 02 02 02 00 2c
         00 74 00 72 20 1c e9 22 bf 9a 57 cc 0c 63 8a 02 00 00 00 00 b5
         89 27 72 3a 7b 57 e1 de 6d 9d 65 d4 9b 4c 1d 00 30 39 bc 6d f6
         e6 1b 34 45 a1 12 cf 2c 5d f4 b3 bd 4c db 05 07 08 57 d9 f0 22
         e8 6a c7 df 91 a9 4a 1b e9 fd 61 ac b3 22 13 7a d5 63 70 dc fa
         29 55 aa c6 d6 ab 28 a2 98 43 62 89 9d 38 b7 b0 9b 3c 4d 86 76
         a4 8b b2 c6 bd 05 02 fc c5 61 b5 50 2e 00 2d 00 02 01 01 00 15
         00 b5 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

      ciphertext (517 octets):  16 03 03 02 00 01 00 01 fc 03 03 b7 c9
         bc 82 7e a9 0b 53 72 b5 ba 58 29 7e 40 ba 82 77 ce bf be eb 8e
         af 94 e8 85 36 5b 91 c5 bb 00 00 06 13 01 13 03 13 02 01 00 01
         cd 00 00 00 0b 00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00
         00 0a 00 08 00 06 00 1d 00 17 00 18 00 33 00 47 00 45 00 17 00
         41 04 34 64 59 40 3b b6 5d 0e 0d 11 d1 03 8b e7 1b 03 a7 56 2b
         01 e0 3a a1 b5 80 25 c4 65 88 a4 09 3f 1c 75 98 bd 8c 79 ee 7e
         fc 5b a7 49 bd 24 3c 10 82 12 3a 37 f9 3f 9a 00 8c ff 64 5b c4
         e5 8f 20 00 2b 00 03 02 7f 1c 00 0d 00 20 00 1e 04 03 05 03 06
         03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02
         06 02 02 02 00 2c 00 74 00 72 20 1c e9 22 bf 9a 57 cc 0c 63 8a
         02 00 00 00 00 b5 89 27 72 3a 7b 57 e1 de 6d 9d 65 d4 9b 4c 1d
         00 30 39 bc 6d f6 e6 1b 34 45 a1 12 cf 2c 5d f4 b3 bd 4c db 05



Thomson                 Expires November 3, 2018               [Page 28]


Internet-Draft               TLS 1.3 Traces                     May 2018


         07 08 57 d9 f0 22 e8 6a c7 df 91 a9 4a 1b e9 fd 61 ac b3 22 13
         7a d5 63 70 dc fa 29 55 aa c6 d6 ab 28 a2 98 43 62 89 9d 38 b7
         b0 9b 3c 4d 86 76 a4 8b b2 c6 bd 05 02 fc c5 61 b5 50 2e 00 2d
         00 02 01 01 00 15 00 b5 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

   {server}  extract secret "early":

      salt:  (absent)

      ikm (32 octets):  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

      secret (32 octets):  33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c
         e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a

   {server}  create an ephemeral P-256 key pair:

      private key (32 octets):  02 03 21 a8 85 5a 5c ce 43 5e c4 eb 2c
         74 54 9d cd 14 b2 50 cc 88 ae b4 e1 a8 27 77 a2 a8 3d e2

      public key (65 octets):  04 a9 fc 26 e5 99 e4 8d ed 07 36 f4 b1 b2
         20 2b f4 9c f3 e5 eb 5a 37 0b aa 88 8b 45 50 27 32 36 85 e5 e8
         eb 52 e1 d3 63 73 08 76 d4 4a 1a cf 53 25 8e a6 e1 75 c1 4c 5f
         20 2c a0 eb b8 a7 3a f2 34

   {server}  send a ServerHello handshake message

   {server}  derive secret for handshake "tls13 derived":

      PRK (32 octets):  33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2
         10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a

      hash (32 octets):  e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24
         27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55

      info (49 octets):  00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64
         20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4
         64 9b 93 4c a4 95 99 1b 78 52 b8 55





Thomson                 Expires November 3, 2018               [Page 29]


Internet-Draft               TLS 1.3 Traces                     May 2018


      output (32 octets):  6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6
         97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba

   {server}  extract secret "handshake":

      salt (32 octets):  6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97
         16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba

      ikm (32 octets):  67 5e 8f e3 7d f3 8e b4 ae d1 ac 3e a4 a0 a1 63
         a7 26 56 83 e4 3d ca 95 40 43 87 73 24 aa cf 70

      secret (32 octets):  56 b6 d9 4c b7 89 04 56 07 85 86 b5 d6 5d 69
         69 bc 7c 48 51 ff 7f 95 33 75 ed cb e2 60 4c 1f 8e

   {server}  derive secret "tls13 c hs traffic":

      PRK (32 octets):  56 b6 d9 4c b7 89 04 56 07 85 86 b5 d6 5d 69 69
         bc 7c 48 51 ff 7f 95 33 75 ed cb e2 60 4c 1f 8e

      hash (32 octets):  0b 61 d4 9c 83 fe f7 da 03 04 0f e3 5e 72 33 fe
         bd 0f 47 e2 c0 e0 9c 85 a4 a1 2f 89 a0 04 a1 6f

      info (54 octets):  00 20 12 74 6c 73 31 33 20 63 20 68 73 20 74 72
         61 66 66 69 63 20 0b 61 d4 9c 83 fe f7 da 03 04 0f e3 5e 72 33
         fe bd 0f 47 e2 c0 e0 9c 85 a4 a1 2f 89 a0 04 a1 6f

      output (32 octets):  96 f0 1d 63 6d 87 b9 36 1c 0b 8b 93 0c de d9
         7b 59 06 0b 89 3b e2 4e 5d 64 b5 25 86 c0 39 ac 18

   {server}  derive secret "tls13 s hs traffic":

      PRK (32 octets):  56 b6 d9 4c b7 89 04 56 07 85 86 b5 d6 5d 69 69
         bc 7c 48 51 ff 7f 95 33 75 ed cb e2 60 4c 1f 8e

      hash (32 octets):  0b 61 d4 9c 83 fe f7 da 03 04 0f e3 5e 72 33 fe
         bd 0f 47 e2 c0 e0 9c 85 a4 a1 2f 89 a0 04 a1 6f

      info (54 octets):  00 20 12 74 6c 73 31 33 20 73 20 68 73 20 74 72
         61 66 66 69 63 20 0b 61 d4 9c 83 fe f7 da 03 04 0f e3 5e 72 33
         fe bd 0f 47 e2 c0 e0 9c 85 a4 a1 2f 89 a0 04 a1 6f

      output (32 octets):  48 c0 79 83 b0 b1 9b 41 75 36 af 49 aa 3c 4f
         a1 20 26 fe fa 16 d0 40 12 8b 7f 87 19 6c ab fe 14

   {server}  derive secret for master "tls13 derived":

      PRK (32 octets):  56 b6 d9 4c b7 89 04 56 07 85 86 b5 d6 5d 69 69
         bc 7c 48 51 ff 7f 95 33 75 ed cb e2 60 4c 1f 8e



Thomson                 Expires November 3, 2018               [Page 30]


Internet-Draft               TLS 1.3 Traces                     May 2018


      hash (32 octets):  e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24
         27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55

      info (49 octets):  00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64
         20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4
         64 9b 93 4c a4 95 99 1b 78 52 b8 55

      output (32 octets):  ef ff c0 f0 7a 08 0f cd c7 7e 55 8a 02 f1 77
         f7 32 a9 ff 20 12 8b 66 a0 de e7 1c a3 99 74 ba c8

   {server}  extract secret "master":

      salt (32 octets):  ef ff c0 f0 7a 08 0f cd c7 7e 55 8a 02 f1 77 f7
         32 a9 ff 20 12 8b 66 a0 de e7 1c a3 99 74 ba c8

      ikm (32 octets):  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

      secret (32 octets):  67 f3 ca a1 17 80 44 45 c3 84 1d f0 d6 cf 0c
         be 84 eb 2d 1e 29 29 3c de 0e 59 8b c0 79 99 24 00

   {server}  send handshake record:

      payload (123 octets):  02 00 00 77 03 03 a9 8d a5 12 67 95 e8 50
         bf d4 69 ae 41 2c 8a d6 c6 a2 43 da b5 ca 68 9b cc 37 7b 7f 45
         7e 93 57 00 13 01 00 00 4f 00 33 00 45 00 17 00 41 04 a9 fc 26
         e5 99 e4 8d ed 07 36 f4 b1 b2 20 2b f4 9c f3 e5 eb 5a 37 0b aa
         88 8b 45 50 27 32 36 85 e5 e8 eb 52 e1 d3 63 73 08 76 d4 4a 1a
         cf 53 25 8e a6 e1 75 c1 4c 5f 20 2c a0 eb b8 a7 3a f2 34 00 2b
         00 02 7f 1c

      ciphertext (128 octets):  16 03 03 00 7b 02 00 00 77 03 03 a9 8d
         a5 12 67 95 e8 50 bf d4 69 ae 41 2c 8a d6 c6 a2 43 da b5 ca 68
         9b cc 37 7b 7f 45 7e 93 57 00 13 01 00 00 4f 00 33 00 45 00 17
         00 41 04 a9 fc 26 e5 99 e4 8d ed 07 36 f4 b1 b2 20 2b f4 9c f3
         e5 eb 5a 37 0b aa 88 8b 45 50 27 32 36 85 e5 e8 eb 52 e1 d3 63
         73 08 76 d4 4a 1a cf 53 25 8e a6 e1 75 c1 4c 5f 20 2c a0 eb b8
         a7 3a f2 34 00 2b 00 02 7f 1c

   {server}  derive write traffic keys for handshake data:

      PRK (32 octets):  48 c0 79 83 b0 b1 9b 41 75 36 af 49 aa 3c 4f a1
         20 26 fe fa 16 d0 40 12 8b 7f 87 19 6c ab fe 14

      key info (13 octets):  00 10 09 74 6c 73 31 33 20 6b 65 79 00

      key output (16 octets):  c9 66 8b e3 a4 eb 59 74 eb 92 ff 02 bb d7
         2e 0b



Thomson                 Expires November 3, 2018               [Page 31]


Internet-Draft               TLS 1.3 Traces                     May 2018


      iv info (12 octets):  00 0c 08 74 6c 73 31 33 20 69 76 00

      iv output (12 octets):  a0 3e bc f0 df 01 00 7b 81 7b 21 de

   {server}  send a EncryptedExtensions handshake message

   {server}  send a Certificate handshake message

   {server}  send a CertificateVerify handshake message

   {server}  calculate finished "tls13 finished":

      PRK (32 octets):  48 c0 79 83 b0 b1 9b 41 75 36 af 49 aa 3c 4f a1
         20 26 fe fa 16 d0 40 12 8b 7f 87 19 6c ab fe 14

      hash (0 octets):  (empty)

      info (18 octets):  00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65
         64 00

      output (32 octets):  c9 32 f8 bb a8 09 0c d8 3c fa ae 73 f8 41 79
         6c bb a9 97 73 28 e4 53 d6 a1 da c8 8c a8 0b 2b ec

   {server}  send a Finished handshake message

   {server}  send handshake record:

      payload (639 octets):  08 00 00 12 00 10 00 0a 00 08 00 06 00 17
         00 18 00 1d 00 00 00 00 0b 00 01 b9 00 00 01 b5 00 01 b0 30 82
         01 ac 30 82 01 15 a0 03 02 01 02 02 01 02 30 0d 06 09 2a 86 48
         86 f7 0d 01 01 0b 05 00 30 0e 31 0c 30 0a 06 03 55 04 03 13 03
         72 73 61 30 1e 17 0d 31 36 30 37 33 30 30 31 32 33 35 39 5a 17
         0d 32 36 30 37 33 30 30 31 32 33 35 39 5a 30 0e 31 0c 30 0a 06
         03 55 04 03 13 03 72 73 61 30 81 9f 30 0d 06 09 2a 86 48 86 f7
         0d 01 01 01 05 00 03 81 8d 00 30 81 89 02 81 81 00 b4 bb 49 8f
         82 79 30 3d 98 08 36 39 9b 36 c6 98 8c 0c 68 de 55 e1 bd b8 26
         d3 90 1a 24 61 ea fd 2d e4 9a 91 d0 15 ab bc 9a 95 13 7a ce 6c
         1a f1 9e aa 6a f9 8c 7c ed 43 12 09 98 e1 87 a8 0e e0 cc b0 52
         4b 1b 01 8c 3e 0b 63 26 4d 44 9a 6d 38 e2 2a 5f da 43 08 46 74
         80 30 53 0e f0 46 1c 8c a9 d9 ef bf ae 8e a6 d1 d0 3e 2b d1 93
         ef f0 ab 9a 80 02 c4 74 28 a6 d3 5a 8d 88 d7 9f 7f 1e 3f 02 03
         01 00 01 a3 1a 30 18 30 09 06 03 55 1d 13 04 02 30 00 30 0b 06
         03 55 1d 0f 04 04 03 02 05 a0 30 0d 06 09 2a 86 48 86 f7 0d 01
         01 0b 05 00 03 81 81 00 85 aa d2 a0 e5 b9 27 6b 90 8c 65 f7 3a
         72 67 17 06 18 a5 4c 5f 8a 7b 33 7d 2d f7 a5 94 36 54 17 f2 ea
         e8 f8 a5 8c 8f 81 72 f9 31 9c f3 6b 7f d6 c5 5b 80 f2 1a 03 01
         51 56 72 60 96 fd 33 5e 5e 67 f2 db f1 02 70 2e 60 8c ca e6 be
         c1 fc 63 a4 2a 99 be 5c 3e b7 10 7c 3c 54 e9 b9 eb 2b d5 20 3b



Thomson                 Expires November 3, 2018               [Page 32]


Internet-Draft               TLS 1.3 Traces                     May 2018


         1c 3b 84 e0 a8 b2 f7 59 40 9b a3 ea c9 d9 1d 40 2d cc 0c c8 f8
         96 12 29 ac 91 87 b4 2b 4d e1 00 00 0f 00 00 84 08 04 00 80 7d
         29 50 6f 66 e0 87 bd b7 c1 5b 15 f5 f9 32 72 41 8a 59 c5 74 59
         13 33 9c f3 78 5a 39 86 78 55 66 d7 95 2d 9e a9 ab 9f 77 87 6e
         6a 39 8b 5b 88 2c 83 e5 43 d3 c1 80 95 30 ef 30 70 fb e4 eb a9
         07 2c 6c 23 95 6b de 0e 61 4c d0 13 aa e7 9c b1 86 76 0a 95 55
         aa 7c 62 2a 29 5c ce 9e f4 7b eb 28 06 10 29 4e a0 a4 cc ca 29
         92 00 ab f2 25 44 3d 0b 50 d1 f8 b1 fa 9b 98 f3 38 b8 00 65 08
         87 14 00 00 20 43 2a 86 e1 4a 5e 66 f5 57 83 3f 39 ea eb 85 71
         13 0b cd 59 ba 06 5d 8d 6d b4 26 ac 11 43 da 0e

      ciphertext (661 octets):  17 03 03 02 90 2a 10 90 52 02 96 ad d1
         82 97 94 74 52 0d 25 ef c8 1d 11 77 14 c5 0d d5 32 d9 df f1 fa
         fe 96 c7 3b 66 e4 7d 81 e6 25 2b 66 86 b8 86 37 10 26 0e 15 4b
         c4 8d 8a e2 f2 67 45 f5 98 ee 7b 46 70 cb 87 89 3a 73 81 7f cb
         09 45 5f e5 8d 49 5c 07 7a ca a3 b3 ae 9c cc a4 58 5b 12 6d f4
         8c 5f a4 f9 d2 b4 b5 0b dc 72 a8 42 eb 09 5f 71 f9 24 77 d4 5d
         d8 ee 69 62 81 87 86 0d f3 d6 8b 80 a3 c7 c7 d4 ca 36 61 69 2f
         a4 64 23 f5 64 2d 73 6e 27 63 b0 41 07 47 f6 55 eb db 18 37 c1
         6f 59 bd c2 db 64 e3 92 fd 92 77 b0 ac e7 1c 1a 15 da e4 13 6c
         84 aa 17 7b 69 4d 33 e0 b0 ac 68 0b f0 46 54 d0 03 75 84 c9 b4
         06 59 87 ff 49 02 70 07 f9 1b 95 29 ef a3 87 2c 6a df a9 a9 f8
         75 4a 57 f2 a1 6c 16 d3 34 06 ac 27 a8 93 ca 13 2c c3 3a 89 d2
         2f f1 fa 70 c0 c6 06 10 1d 89 64 ff 42 3d 13 b7 ac 11 b7 e9 47
         91 b0 51 45 6a 9b 6f 41 b6 66 00 79 60 8e 87 22 d2 ad 87 36 92
         bf db 79 f2 9e 67 e4 16 6d 82 a9 5c be 36 e3 d1 67 88 f5 32 33
         7b f9 4c bf 54 31 02 22 4e 45 ee 98 0d 05 d4 68 fa dc 12 91 a2
         6f 13 81 01 5c 21 f3 d5 d6 36 9f 29 51 7e a2 f6 1b 9b 7f 20 6a
         63 c8 10 d1 3b 74 e4 29 e6 6d 08 1e 41 7f 96 6e 82 88 da a5 52
         2d b6 cb 22 35 33 d6 e6 84 2a 70 6c e0 9f 3d 12 19 b6 4f 08 f5
         f4 d2 ca 3d 55 6d 88 64 1f 16 25 de 1e cc 65 5f e5 17 c1 f0 a5
         a4 9c 79 62 00 02 2d 22 cd cb 70 8c 27 fd d4 16 7a a8 68 fa f7
         be b6 ca 42 e2 da d2 b8 a7 7c 3f a8 68 83 35 de 97 f9 06 bf 69
         09 20 60 b4 23 dd 9c 1a 7e 9e c2 3c 78 4c 52 a7 a0 44 35 6c e1
         27 c3 54 73 ed 92 49 fe 68 1a 70 ca 11 db c1 e5 4f 51 12 ae 74
         d1 88 c2 db dc f0 66 13 28 02 10 5e 8b de ae 53 50 b1 b3 55 34
         a6 82 91 73 03 fb eb 65 3b bc 4b 0c 5c 77 4b b2 94 dc 50 44 c4
         7f 70 5b d6 80 73 af 3a e5 c6 45 29 1e fc 9d 9c 17 6b 19 bd 95
         47 55 dc a2 2e 2b 52 13 a5 37 2e d9 6b 9f 89 f6 30 80 89 f3 98
         2a 13 f2 41 30 3b 2e 5d c0 d4 3f fa 73 16 d2 79 bd 78 d1 65 e0
         33 61 16 66 fd 79 a3 90 95 db f5 5a 43 e0 89 b1 3b db 6a 33 ef
         b3 bb 0b 67 9c 58 9d 2a 3e 4f 56 18 46 dd 9b 34 c4 68 a9 ce 4d
         bd 63 59 29 f7 b5 1f 21 a9 67 92 97 22 7d 7e a1 db 4c

   {server}  derive secret "tls13 c ap traffic":

      PRK (32 octets):  67 f3 ca a1 17 80 44 45 c3 84 1d f0 d6 cf 0c be
         84 eb 2d 1e 29 29 3c de 0e 59 8b c0 79 99 24 00



Thomson                 Expires November 3, 2018               [Page 33]


Internet-Draft               TLS 1.3 Traces                     May 2018


      hash (32 octets):  91 14 ee f5 c3 d5 c0 86 d1 1a a9 f3 32 fd 35 54
         51 f8 70 7c 4f 14 92 ed 2e 84 7e 08 7e 6a bf 98

      info (54 octets):  00 20 12 74 6c 73 31 33 20 63 20 61 70 20 74 72
         61 66 66 69 63 20 91 14 ee f5 c3 d5 c0 86 d1 1a a9 f3 32 fd 35
         54 51 f8 70 7c 4f 14 92 ed 2e 84 7e 08 7e 6a bf 98

      output (32 octets):  33 60 70 33 79 0d 4d 7d 0f d0 db d9 6f 3c 78
         21 75 8f 78 14 79 4f 9b b1 e9 c9 17 de 7b ef d4 b2

   {server}  derive secret "tls13 s ap traffic":

      PRK (32 octets):  67 f3 ca a1 17 80 44 45 c3 84 1d f0 d6 cf 0c be
         84 eb 2d 1e 29 29 3c de 0e 59 8b c0 79 99 24 00

      hash (32 octets):  91 14 ee f5 c3 d5 c0 86 d1 1a a9 f3 32 fd 35 54
         51 f8 70 7c 4f 14 92 ed 2e 84 7e 08 7e 6a bf 98

      info (54 octets):  00 20 12 74 6c 73 31 33 20 73 20 61 70 20 74 72
         61 66 66 69 63 20 91 14 ee f5 c3 d5 c0 86 d1 1a a9 f3 32 fd 35
         54 51 f8 70 7c 4f 14 92 ed 2e 84 7e 08 7e 6a bf 98

      output (32 octets):  82 4f 40 74 98 f3 55 f7 c4 56 7d 1a c4 9d a3
         cc 44 1c fe a5 7c 86 6d 01 28 04 88 63 74 bb 4f a1

   {server}  derive secret "tls13 exp master":

      PRK (32 octets):  67 f3 ca a1 17 80 44 45 c3 84 1d f0 d6 cf 0c be
         84 eb 2d 1e 29 29 3c de 0e 59 8b c0 79 99 24 00

      hash (32 octets):  91 14 ee f5 c3 d5 c0 86 d1 1a a9 f3 32 fd 35 54
         51 f8 70 7c 4f 14 92 ed 2e 84 7e 08 7e 6a bf 98

      info (52 octets):  00 20 10 74 6c 73 31 33 20 65 78 70 20 6d 61 73
         74 65 72 20 91 14 ee f5 c3 d5 c0 86 d1 1a a9 f3 32 fd 35 54 51
         f8 70 7c 4f 14 92 ed 2e 84 7e 08 7e 6a bf 98

      output (32 octets):  aa 09 d0 be d1 a3 70 92 4b bd 25 44 60 e7 71
         c4 f1 3c 0a 68 8f 6b b9 f5 b1 e3 35 7b 72 42 c9 17

   {server}  derive write traffic keys for application data:

      PRK (32 octets):  82 4f 40 74 98 f3 55 f7 c4 56 7d 1a c4 9d a3 cc
         44 1c fe a5 7c 86 6d 01 28 04 88 63 74 bb 4f a1

      key info (13 octets):  00 10 09 74 6c 73 31 33 20 6b 65 79 00





Thomson                 Expires November 3, 2018               [Page 34]


Internet-Draft               TLS 1.3 Traces                     May 2018


      key output (16 octets):  1d dd e3 13 e4 23 c0 bb b4 6e 21 55 4e 62
         bc 02

      iv info (12 octets):  00 0c 08 74 6c 73 31 33 20 69 76 00

      iv output (12 octets):  1d 33 01 7e 40 29 4c bc df b2 cd ec

   {server}  derive read traffic keys for handshake data:

      PRK (32 octets):  96 f0 1d 63 6d 87 b9 36 1c 0b 8b 93 0c de d9 7b
         59 06 0b 89 3b e2 4e 5d 64 b5 25 86 c0 39 ac 18

      key info (13 octets):  00 10 09 74 6c 73 31 33 20 6b 65 79 00

      key output (16 octets):  dd e8 55 4c 07 08 a0 f7 7c dd da 22 50 43
         b4 82

      iv info (12 octets):  00 0c 08 74 6c 73 31 33 20 69 76 00

      iv output (12 octets):  10 90 01 0f e7 e8 21 c7 40 6b 82 d0

   {client}  extract secret "early":

      salt:  (absent)

      ikm (32 octets):  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

      secret (32 octets):  33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c
         e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a

   {client}  derive secret for handshake "tls13 derived":

      PRK (32 octets):  33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2
         10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a

      hash (32 octets):  e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24
         27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55

      info (49 octets):  00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64
         20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4
         64 9b 93 4c a4 95 99 1b 78 52 b8 55

      output (32 octets):  6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6
         97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba

   {client}  extract secret "handshake":




Thomson                 Expires November 3, 2018               [Page 35]


Internet-Draft               TLS 1.3 Traces                     May 2018


      salt (32 octets):  6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97
         16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba

      ikm (32 octets):  67 5e 8f e3 7d f3 8e b4 ae d1 ac 3e a4 a0 a1 63
         a7 26 56 83 e4 3d ca 95 40 43 87 73 24 aa cf 70

      secret (32 octets):  56 b6 d9 4c b7 89 04 56 07 85 86 b5 d6 5d 69
         69 bc 7c 48 51 ff 7f 95 33 75 ed cb e2 60 4c 1f 8e

   {client}  derive secret "tls13 c hs traffic" (same as server)

   {client}  derive secret "tls13 s hs traffic" (same as server)

   {client}  derive secret for master "tls13 derived" (same as server)

   {client}  extract secret "master" (same as server)

   {client}  derive read traffic keys for handshake data:

      PRK (32 octets):  48 c0 79 83 b0 b1 9b 41 75 36 af 49 aa 3c 4f a1
         20 26 fe fa 16 d0 40 12 8b 7f 87 19 6c ab fe 14

      key info (13 octets):  00 10 09 74 6c 73 31 33 20 6b 65 79 00

      key output (16 octets):  c9 66 8b e3 a4 eb 59 74 eb 92 ff 02 bb d7
         2e 0b

      iv info (12 octets):  00 0c 08 74 6c 73 31 33 20 69 76 00

      iv output (12 octets):  a0 3e bc f0 df 01 00 7b 81 7b 21 de

   {client}  calculate finished "tls13 finished" (same as server)

   {client}  derive secret "tls13 c ap traffic" (same as server)

   {client}  derive secret "tls13 s ap traffic" (same as server)

   {client}  derive secret "tls13 exp master" (same as server)

   {client}  derive write traffic keys for handshake data (same as
      server read traffic keys)

   {client}  derive read traffic keys for application data (same as
      server write traffic keys)

   {client}  calculate finished "tls13 finished":





Thomson                 Expires November 3, 2018               [Page 36]


Internet-Draft               TLS 1.3 Traces                     May 2018


      PRK (32 octets):  96 f0 1d 63 6d 87 b9 36 1c 0b 8b 93 0c de d9 7b
         59 06 0b 89 3b e2 4e 5d 64 b5 25 86 c0 39 ac 18

      hash (0 octets):  (empty)

      info (18 octets):  00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65
         64 00

      output (32 octets):  a2 e7 bc 56 e4 4c 66 f7 b1 f7 e9 5f 43 4b 03
         49 7c 09 11 73 96 b8 6e a1 88 a2 e7 5e 4b 5b 52 bd

   {client}  send a Finished handshake message

   {client}  send handshake record:

      payload (36 octets):  14 00 00 20 dd 60 b6 e8 68 65 0c d8 8a 16 ae
         ea be c9 ef 92 8b d1 4a 55 cc fc 9b 25 36 bb f8 5b ef cb a9 2f

      ciphertext (58 octets):  17 03 03 00 35 10 83 df 24 a1 2c 20 11 96
         5e 1c 0c d5 82 85 53 dc 17 d9 4f 60 a4 b9 03 58 8c d3 00 63 3b
         de 1c 93 48 a5 38 d4 a9 67 66 ce e5 2c 32 46 4c 84 8b cd 12 19
         9b 2f

   {client}  derive write traffic keys for application data:

      PRK (32 octets):  33 60 70 33 79 0d 4d 7d 0f d0 db d9 6f 3c 78 21
         75 8f 78 14 79 4f 9b b1 e9 c9 17 de 7b ef d4 b2

      key info (13 octets):  00 10 09 74 6c 73 31 33 20 6b 65 79 00

      key output (16 octets):  74 df 54 32 03 d8 58 9d c5 27 43 85 9f 6c
         cd da

      iv info (12 octets):  00 0c 08 74 6c 73 31 33 20 69 76 00

      iv output (12 octets):  c1 af 57 8c 97 99 e3 a6 48 08 70 35

   {client}  derive secret "tls13 res master":

      PRK (32 octets):  67 f3 ca a1 17 80 44 45 c3 84 1d f0 d6 cf 0c be
         84 eb 2d 1e 29 29 3c de 0e 59 8b c0 79 99 24 00

      hash (32 octets):  e6 a1 73 98 69 66 1d dc bb dc 11 0a ed ed 74 bc
         13 74 65 fa a9 20 ec 69 ea 9e cc 73 60 b2 9d d2

      info (52 octets):  00 20 10 74 6c 73 31 33 20 72 65 73 20 6d 61 73
         74 65 72 20 e6 a1 73 98 69 66 1d dc bb dc 11 0a ed ed 74 bc 13
         74 65 fa a9 20 ec 69 ea 9e cc 73 60 b2 9d d2



Thomson                 Expires November 3, 2018               [Page 37]


Internet-Draft               TLS 1.3 Traces                     May 2018


      output (32 octets):  5f 86 e4 2a b7 ff e8 49 b9 3e ed b3 f6 e3 88
         a8 a4 55 72 b1 cc 03 88 30 44 c6 dd 25 04 57 b9 8b

   {server}  calculate finished "tls13 finished" (same as client)

   {server}  derive read traffic keys for application data (same as
      client write traffic keys)

   {server}  derive secret "tls13 res master" (same as client)

   {client}  send alert record:

      payload (2 octets):  01 00

      ciphertext (24 octets):  17 03 03 00 13 a5 48 29 ee 82 c4 6f 8a 11
         08 8a ff d2 51 1e 5c 2d d6 d1

   {server}  send alert record:

      payload (2 octets):  01 00

      ciphertext (24 octets):  17 03 03 00 13 54 78 81 09 80 71 83 23 ed
         12 c2 e3 d1 a0 c0 f4 87 72 40

6.  Client Authentication

   In this example, the server requests client authentication.  The
   client uses a certificate with an RSA key, the server uses an ECDSA
   certificate with a P-256 key.  Note that private keys for this
   example are not included in the draft.

   {client}  create an ephemeral x25519 key pair:

      private key (32 octets):  6d 8b a2 5f f1 2f 88 11 f2 67 80 03 48
         ea da fc c1 c5 74 1c 65 fc 45 8d fd b4 f8 f0 19 8f 01 c9

      public key (32 octets):  96 33 5a 91 2f 9a 39 44 4c cc 04 fd 51 51
         f0 de 0b da 04 02 75 dd 2f 07 10 5a 1c 7d 93 89 99 13

   {client}  send a ClientHello handshake message

   {client}  send handshake record:

      payload (186 octets):  01 00 00 b6 03 03 1d fe f2 73 b4 49 8b 2c
         68 e0 44 af 2c 39 12 ca 6e 91 4b d8 88 f9 09 41 8b f4 8b a3 b5
         75 a4 a1 00 00 06 13 01 13 03 13 02 01 00 00 87 00 00 00 0b 00
         09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 14 00 12
         00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 33 00



Thomson                 Expires November 3, 2018               [Page 38]


Internet-Draft               TLS 1.3 Traces                     May 2018


         26 00 24 00 1d 00 20 96 33 5a 91 2f 9a 39 44 4c cc 04 fd 51 51
         f0 de 0b da 04 02 75 dd 2f 07 10 5a 1c 7d 93 89 99 13 00 2b 00
         03 02 7f 1c 00 0d 00 20 00 1e 04 03 05 03 06 03 02 03 08 04 08
         05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 06 02 02 02 00 2d
         00 02 01 01

      ciphertext (191 octets):  16 03 01 00 ba 01 00 00 b6 03 03 1d fe
         f2 73 b4 49 8b 2c 68 e0 44 af 2c 39 12 ca 6e 91 4b d8 88 f9 09
         41 8b f4 8b a3 b5 75 a4 a1 00 00 06 13 01 13 03 13 02 01 00 00
         87 00 00 00 0b 00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00
         00 0a 00 14 00 12 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01
         03 01 04 00 33 00 26 00 24 00 1d 00 20 96 33 5a 91 2f 9a 39 44
         4c cc 04 fd 51 51 f0 de 0b da 04 02 75 dd 2f 07 10 5a 1c 7d 93
         89 99 13 00 2b 00 03 02 7f 1c 00 0d 00 20 00 1e 04 03 05 03 06
         03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02
         06 02 02 02 00 2d 00 02 01 01

   {server}  extract secret "early":

      salt:  (absent)

      ikm (32 octets):  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

      secret (32 octets):  33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c
         e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a

   {server}  create an ephemeral x25519 key pair:

      private key (32 octets):  4c 22 f1 c1 22 00 9b 54 ae dc 6f 54 2e
         98 01 4d a2 91 e6 f5 b8 77 03 67 5e 49 f6 10 06 ae 86 65

      public key (32 octets):  c5 4d 65 0c e2 52 6e 90 24 f2 a3 68 9e 3b
         82 58 87 e5 82 b6 c0 e6 07 75 dd a0 bd 2f 8a 5b 6d 53

   {server}  send a ServerHello handshake message

   {server}  derive secret for handshake "tls13 derived":

      PRK (32 octets):  33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2
         10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a

      hash (32 octets):  e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24
         27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55

      info (49 octets):  00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64
         20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4
         64 9b 93 4c a4 95 99 1b 78 52 b8 55



Thomson                 Expires November 3, 2018               [Page 39]


Internet-Draft               TLS 1.3 Traces                     May 2018


      output (32 octets):  6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6
         97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba

   {server}  extract secret "handshake":

      salt (32 octets):  6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97
         16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba

      ikm (32 octets):  49 a2 14 3a 0c 4b 7c a4 e9 c1 3a 6f 64 93 88 ec
         4d 34 87 b5 dc d0 68 37 bd 5c 41 23 a2 e0 1e 5b

      secret (32 octets):  f4 58 19 79 77 70 fb 25 ec e8 ec 05 ce 3a 97
         3e c3 30 47 00 5c 29 fd f8 b0 3d 35 73 ba 3b 8b 6d

   {server}  derive secret "tls13 c hs traffic":

      PRK (32 octets):  f4 58 19 79 77 70 fb 25 ec e8 ec 05 ce 3a 97 3e
         c3 30 47 00 5c 29 fd f8 b0 3d 35 73 ba 3b 8b 6d

      hash (32 octets):  b4 76 d4 d5 07 36 d3 7a 2a ed 25 98 2a 10 6e ec
         8c 28 f3 57 ef 19 8c b6 1d e4 a1 3b a2 78 1f 8d

      info (54 octets):  00 20 12 74 6c 73 31 33 20 63 20 68 73 20 74 72
         61 66 66 69 63 20 b4 76 d4 d5 07 36 d3 7a 2a ed 25 98 2a 10 6e
         ec 8c 28 f3 57 ef 19 8c b6 1d e4 a1 3b a2 78 1f 8d

      output (32 octets):  06 bd cc 2f 05 32 35 23 70 af 13 71 84 d5 66
         31 4a cb 81 bb e1 d2 98 02 f5 78 ef 1e 43 72 26 35

   {server}  derive secret "tls13 s hs traffic":

      PRK (32 octets):  f4 58 19 79 77 70 fb 25 ec e8 ec 05 ce 3a 97 3e
         c3 30 47 00 5c 29 fd f8 b0 3d 35 73 ba 3b 8b 6d

      hash (32 octets):  b4 76 d4 d5 07 36 d3 7a 2a ed 25 98 2a 10 6e ec
         8c 28 f3 57 ef 19 8c b6 1d e4 a1 3b a2 78 1f 8d

      info (54 octets):  00 20 12 74 6c 73 31 33 20 73 20 68 73 20 74 72
         61 66 66 69 63 20 b4 76 d4 d5 07 36 d3 7a 2a ed 25 98 2a 10 6e
         ec 8c 28 f3 57 ef 19 8c b6 1d e4 a1 3b a2 78 1f 8d

      output (32 octets):  bb 5b 26 0b 1a b5 ab eb 1b 23 63 39 ad c3 90
         39 1e dc 93 38 80 54 eb 6b d6 87 79 d1 38 40 61 f7

   {server}  derive secret for master "tls13 derived":

      PRK (32 octets):  f4 58 19 79 77 70 fb 25 ec e8 ec 05 ce 3a 97 3e
         c3 30 47 00 5c 29 fd f8 b0 3d 35 73 ba 3b 8b 6d



Thomson                 Expires November 3, 2018               [Page 40]


Internet-Draft               TLS 1.3 Traces                     May 2018


      hash (32 octets):  e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24
         27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55

      info (49 octets):  00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64
         20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4
         64 9b 93 4c a4 95 99 1b 78 52 b8 55

      output (32 octets):  30 5e e3 40 d4 47 ef 6d 28 26 2a b4 9f 3a f7
         b0 2c e2 ff db c1 25 fb da 8a 36 45 f4 6f 79 04 e6

   {server}  extract secret "master":

      salt (32 octets):  30 5e e3 40 d4 47 ef 6d 28 26 2a b4 9f 3a f7 b0
         2c e2 ff db c1 25 fb da 8a 36 45 f4 6f 79 04 e6

      ikm (32 octets):  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

      secret (32 octets):  c5 e8 54 45 75 ea 22 fb 0b 25 bc d1 72 1c c7
         56 ed 94 9c f7 7c 56 d4 24 b6 d2 eb d3 4b a7 4c ee

   {server}  send handshake record:

      payload (90 octets):  02 00 00 56 03 03 d8 ef 9b d4 2a f5 87 b5 27
         30 bd c6 67 4a 66 bf e4 04 1a 57 ef de 4f 63 9c c2 4c 22 f9 e9
         77 77 00 13 01 00 00 2e 00 33 00 24 00 1d 00 20 c5 4d 65 0c e2
         52 6e 90 24 f2 a3 68 9e 3b 82 58 87 e5 82 b6 c0 e6 07 75 dd a0
         bd 2f 8a 5b 6d 53 00 2b 00 02 7f 1c

      ciphertext (95 octets):  16 03 03 00 5a 02 00 00 56 03 03 d8 ef 9b
         d4 2a f5 87 b5 27 30 bd c6 67 4a 66 bf e4 04 1a 57 ef de 4f 63
         9c c2 4c 22 f9 e9 77 77 00 13 01 00 00 2e 00 33 00 24 00 1d 00
         20 c5 4d 65 0c e2 52 6e 90 24 f2 a3 68 9e 3b 82 58 87 e5 82 b6
         c0 e6 07 75 dd a0 bd 2f 8a 5b 6d 53 00 2b 00 02 7f 1c

   {server}  derive write traffic keys for handshake data:

      PRK (32 octets):  bb 5b 26 0b 1a b5 ab eb 1b 23 63 39 ad c3 90 39
         1e dc 93 38 80 54 eb 6b d6 87 79 d1 38 40 61 f7

      key info (13 octets):  00 10 09 74 6c 73 31 33 20 6b 65 79 00

      key output (16 octets):  44 f7 bd 7a d2 f2 13 b2 94 7b c7 29 be 6f
         b7 c4

      iv info (12 octets):  00 0c 08 74 6c 73 31 33 20 69 76 00

      iv output (12 octets):  38 29 95 dc ff fc c2 32 16 86 39 75



Thomson                 Expires November 3, 2018               [Page 41]


Internet-Draft               TLS 1.3 Traces                     May 2018


   {server}  send a EncryptedExtensions handshake message

   {server}  send a CertificateRequest handshake message

   {server}  send a Certificate handshake message

   {server}  send a CertificateVerify handshake message

   {server}  calculate finished "tls13 finished":

      PRK (32 octets):  bb 5b 26 0b 1a b5 ab eb 1b 23 63 39 ad c3 90 39
         1e dc 93 38 80 54 eb 6b d6 87 79 d1 38 40 61 f7

      hash (0 octets):  (empty)

      info (18 octets):  00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65
         64 00

      output (32 octets):  c7 68 70 3c 8c 1f 97 a6 f7 6c e1 62 ac 22 08
         c4 d4 72 f3 eb 2d 72 71 1c 0f 2f b7 36 de 45 3e b9

   {server}  send a Finished handshake message

   {server}  send handshake record:

      payload (510 octets):  08 00 00 1e 00 1c 00 0a 00 14 00 12 00 1d
         00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 00 00 00 0d
         00 00 27 00 00 24 00 0d 00 20 00 1e 04 03 05 03 06 03 02 03 08
         04 08 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 06 02 02 02
         0b 00 01 3b 00 00 01 37 00 01 32 30 82 01 2e 30 81 d5 a0 03 02
         01 02 02 01 07 30 0a 06 08 2a 86 48 ce 3d 04 03 02 30 13 31 11
         30 0f 06 03 55 04 03 13 08 65 63 64 73 61 32 35 36 30 1e 17 0d
         31 36 30 37 33 30 30 31 32 34 30 30 5a 17 0d 32 36 30 37 33 30
         30 31 32 34 30 30 5a 30 13 31 11 30 0f 06 03 55 04 03 13 08 65
         63 64 73 61 32 35 36 30 59 30 13 06 07 2a 86 48 ce 3d 02 01 06
         08 2a 86 48 ce 3d 03 01 07 03 42 00 04 08 d5 30 16 15 75 f4 cf
         e7 f1 54 ee 34 48 18 00 86 00 1e 88 43 1a 79 ee 62 ee 6e 2f 83
         ef 38 ba 61 e9 fb 37 f3 4e 00 7a 7d f4 d2 f5 b5 6d 1f 04 ec e4
         5d 62 1f 46 84 06 f5 c3 a1 51 58 94 8d d0 a3 1a 30 18 30 09 06
         03 55 1d 13 04 02 30 00 30 0b 06 03 55 1d 0f 04 04 03 02 07 80
         30 0a 06 08 2a 86 48 ce 3d 04 03 02 03 48 00 30 45 02 21 00 df
         30 fd 45 07 f5 ed d2 2c 1a 6f f8 6d b4 79 ca 69 3f ee ca 3b 71
         b3 f9 ef 55 6b 29 37 c0 59 4d 02 20 62 e2 a4 72 50 d3 20 fe a8
         3c 7e 2d cb 5b 76 a5 0e 02 00 c0 9a db d1 3f ee 94 6e 51 3e 01
         1d 11 00 00 0f 00 00 4a 04 03 00 46 30 44 02 20 30 e4 bf a4 27
         2e fb 5c 47 f7 a8 95 68 62 19 07 5d a8 59 00 a1 83 51 88 a7 dc
         81 04 7e f8 18 40 02 20 7f af cb e9 ab db 07 6d 0d b8 ed 0e fe
         2c 90 17 47 3d a6 99 4f e7 40 21 15 e8 3e d3 99 04 3c 7f 14 00



Thomson                 Expires November 3, 2018               [Page 42]


Internet-Draft               TLS 1.3 Traces                     May 2018


         00 20 ab a1 88 14 12 63 9b 3b 55 a5 c3 9b a4 57 c0 7f 44 92 b7
         64 74 0c 52 6d 57 9e 83 98 40 5b ec 1c

      ciphertext (532 octets):  17 03 03 02 0f e7 f9 f2 8e 34 e1 1e 5c
         23 32 33 8e 43 43 e3 2f e5 17 0e 24 cf d2 64 45 c3 58 79 45 3d
         2a 55 40 45 0f 90 73 32 b6 7b 7a 87 36 bd 32 29 39 c9 47 e8 ff
         5c 3a bb 07 ac b8 95 91 4e 0e 3e 2e 2e 3d 0e bb 71 b9 31 58 5f
         10 6c 5b b7 f9 c7 8d 86 91 76 5c 52 7a bb 61 04 12 97 9a c3 6d
         63 22 cd e6 a4 64 38 c5 a9 ac b0 d1 96 15 4d a1 ec fe f3 d8 1c
         41 c9 9b 39 6a df 7f 47 b5 29 09 72 b6 e4 c1 73 94 af 05 06 f1
         41 37 c1 b1 91 7c a5 f1 e4 da 3a 61 8b ea a8 63 c5 80 4e 1e 28
         ce 2d f7 c4 3f 47 c4 6d c4 80 f2 1b 02 9a 62 b8 8a 57 58 8a 6d
         67 8e 8d 3f 7f da f4 cf 16 18 b6 4d eb db fc 09 88 eb 40 92 ea
         10 bb 0e ec 14 8f 62 46 47 03 f1 15 50 8d 77 05 5d 42 df de 74
         42 7e f6 89 c7 a6 5f ff 1c bf a1 2c 5e fa 2c e3 77 3d bf f2 a1
         ea 2f 28 1d 8c be 97 83 41 e8 1d 4c f0 81 01 7b 00 b2 1d 13 36
         29 7c 99 19 6a 55 f9 c6 2f 78 04 dc fe 20 ee 03 34 ab 7b 52 5f
         6a 67 f6 ed dc cf d3 32 af 0c e6 86 3e eb 0c b8 e3 2b f1 6a 24
         84 ad 1d c6 de 4e 3a b3 ad 78 43 04 fc d2 62 65 b4 ef 5f ac d6
         6e 21 87 30 b2 b4 98 06 fd 75 e5 e1 a9 e8 9e 70 06 7b 9b fa b4
         52 9e 01 7c 04 72 21 d8 99 77 d3 cc 25 b1 be 85 5c ae e1 bc 5d
         e8 20 9a 37 75 c9 79 2c 78 00 a7 6f 62 c2 24 b8 90 9c ff bd 94
         d7 c8 38 f4 d9 5e 2c a6 d2 6e 8e ae 0f 0c 7b ac f3 85 1c 31 1f
         b1 fd 0c 19 72 80 61 8f 43 c5 ed ba b5 d3 6d 50 59 cb 7a e5 04
         f4 cc 2d 42 f9 81 83 eb eb a6 e3 70 35 d6 bd 45 fc 64 f3 50 ef
         15 6e 7e e0 15 ce 0d d6 c8 9e 23 0b aa 54 33 5b 46 0c fd 04 3b
         21 cc a2 66 72 2c c6 4b 92 e8 67 42 a9 51 67 c7 88 4d fb 61 f8
         88 90 4f 73 1e f8 3c 52 4d f9 27 18 86 06 89 8b ea e5 2d 87 88
         98 d1 88 29 2e 39 fa 15 73 7f f2 85 43 59 b0

   {server}  derive secret "tls13 c ap traffic":

      PRK (32 octets):  c5 e8 54 45 75 ea 22 fb 0b 25 bc d1 72 1c c7 56
         ed 94 9c f7 7c 56 d4 24 b6 d2 eb d3 4b a7 4c ee

      hash (32 octets):  eb b3 96 15 37 1e 46 21 1d 85 43 f4 0b c5 05 b8
         80 16 8c 02 d3 d8 37 ca 46 58 5a 19 98 b0 34 56

      info (54 octets):  00 20 12 74 6c 73 31 33 20 63 20 61 70 20 74 72
         61 66 66 69 63 20 eb b3 96 15 37 1e 46 21 1d 85 43 f4 0b c5 05
         b8 80 16 8c 02 d3 d8 37 ca 46 58 5a 19 98 b0 34 56

      output (32 octets):  a7 95 27 3b d4 3f 76 6c 34 b0 dd 5e 57 12 9d
         cb 6a 62 53 d4 25 39 69 f8 43 fc 64 db fb 4d e8 d1

   {server}  derive secret "tls13 s ap traffic":





Thomson                 Expires November 3, 2018               [Page 43]


Internet-Draft               TLS 1.3 Traces                     May 2018


      PRK (32 octets):  c5 e8 54 45 75 ea 22 fb 0b 25 bc d1 72 1c c7 56
         ed 94 9c f7 7c 56 d4 24 b6 d2 eb d3 4b a7 4c ee

      hash (32 octets):  eb b3 96 15 37 1e 46 21 1d 85 43 f4 0b c5 05 b8
         80 16 8c 02 d3 d8 37 ca 46 58 5a 19 98 b0 34 56

      info (54 octets):  00 20 12 74 6c 73 31 33 20 73 20 61 70 20 74 72
         61 66 66 69 63 20 eb b3 96 15 37 1e 46 21 1d 85 43 f4 0b c5 05
         b8 80 16 8c 02 d3 d8 37 ca 46 58 5a 19 98 b0 34 56

      output (32 octets):  92 e7 e7 04 3b 35 7d 6c a6 ca ba 36 0e f1 4f
         b9 c6 f8 0b f2 f4 b4 26 f2 e5 8d 62 96 79 b7 41 aa

   {server}  derive secret "tls13 exp master":

      PRK (32 octets):  c5 e8 54 45 75 ea 22 fb 0b 25 bc d1 72 1c c7 56
         ed 94 9c f7 7c 56 d4 24 b6 d2 eb d3 4b a7 4c ee

      hash (32 octets):  eb b3 96 15 37 1e 46 21 1d 85 43 f4 0b c5 05 b8
         80 16 8c 02 d3 d8 37 ca 46 58 5a 19 98 b0 34 56

      info (52 octets):  00 20 10 74 6c 73 31 33 20 65 78 70 20 6d 61 73
         74 65 72 20 eb b3 96 15 37 1e 46 21 1d 85 43 f4 0b c5 05 b8 80
         16 8c 02 d3 d8 37 ca 46 58 5a 19 98 b0 34 56

      output (32 octets):  ae a4 f5 ae fb fd 28 fd 24 34 e1 75 96 b2 98
         21 65 bc fd db cb 01 8f 22 81 2f 1d 1e d9 37 08 ac

   {server}  derive write traffic keys for application data:

      PRK (32 octets):  92 e7 e7 04 3b 35 7d 6c a6 ca ba 36 0e f1 4f b9
         c6 f8 0b f2 f4 b4 26 f2 e5 8d 62 96 79 b7 41 aa

      key info (13 octets):  00 10 09 74 6c 73 31 33 20 6b 65 79 00

      key output (16 octets):  b5 02 c5 17 59 fd 20 90 ef 80 f0 b6 d5 3d
         1d 06

      iv info (12 octets):  00 0c 08 74 6c 73 31 33 20 69 76 00

      iv output (12 octets):  19 46 48 8e ca 45 0f 53 3b eb 59 3e

   {server}  derive read traffic keys for handshake data:

      PRK (32 octets):  06 bd cc 2f 05 32 35 23 70 af 13 71 84 d5 66 31
         4a cb 81 bb e1 d2 98 02 f5 78 ef 1e 43 72 26 35

      key info (13 octets):  00 10 09 74 6c 73 31 33 20 6b 65 79 00



Thomson                 Expires November 3, 2018               [Page 44]


Internet-Draft               TLS 1.3 Traces                     May 2018


      key output (16 octets):  72 ff ef 49 b3 34 ca dc c9 bf ec ee ae 2f
         7e d5

      iv info (12 octets):  00 0c 08 74 6c 73 31 33 20 69 76 00

      iv output (12 octets):  6b 89 8b 86 fe 32 91 19 81 ef 9f 03

   {client}  extract secret "early":

      salt:  (absent)

      ikm (32 octets):  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

      secret (32 octets):  33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c
         e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a

   {client}  derive secret for handshake "tls13 derived":

      PRK (32 octets):  33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2
         10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a

      hash (32 octets):  e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24
         27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55

      info (49 octets):  00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64
         20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4
         64 9b 93 4c a4 95 99 1b 78 52 b8 55

      output (32 octets):  6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6
         97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba

   {client}  extract secret "handshake":

      salt (32 octets):  6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97
         16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba

      ikm (32 octets):  49 a2 14 3a 0c 4b 7c a4 e9 c1 3a 6f 64 93 88 ec
         4d 34 87 b5 dc d0 68 37 bd 5c 41 23 a2 e0 1e 5b

      secret (32 octets):  f4 58 19 79 77 70 fb 25 ec e8 ec 05 ce 3a 97
         3e c3 30 47 00 5c 29 fd f8 b0 3d 35 73 ba 3b 8b 6d

   {client}  derive secret "tls13 c hs traffic" (same as server)

   {client}  derive secret "tls13 s hs traffic" (same as server)

   {client}  derive secret for master "tls13 derived" (same as server)



Thomson                 Expires November 3, 2018               [Page 45]


Internet-Draft               TLS 1.3 Traces                     May 2018


   {client}  extract secret "master" (same as server)

   {client}  derive read traffic keys for handshake data:

      PRK (32 octets):  bb 5b 26 0b 1a b5 ab eb 1b 23 63 39 ad c3 90 39
         1e dc 93 38 80 54 eb 6b d6 87 79 d1 38 40 61 f7

      key info (13 octets):  00 10 09 74 6c 73 31 33 20 6b 65 79 00

      key output (16 octets):  44 f7 bd 7a d2 f2 13 b2 94 7b c7 29 be 6f
         b7 c4

      iv info (12 octets):  00 0c 08 74 6c 73 31 33 20 69 76 00

      iv output (12 octets):  38 29 95 dc ff fc c2 32 16 86 39 75

   {client}  calculate finished "tls13 finished" (same as server)

   {client}  derive secret "tls13 c ap traffic" (same as server)

   {client}  derive secret "tls13 s ap traffic" (same as server)

   {client}  derive secret "tls13 exp master" (same as server)

   {client}  derive write traffic keys for handshake data (same as
      server read traffic keys)

   {client}  derive read traffic keys for application data (same as
      server write traffic keys)

   {client}  send a Certificate handshake message

   {client}  send a CertificateVerify handshake message

   {client}  calculate finished "tls13 finished":

      PRK (32 octets):  06 bd cc 2f 05 32 35 23 70 af 13 71 84 d5 66 31
         4a cb 81 bb e1 d2 98 02 f5 78 ef 1e 43 72 26 35

      hash (0 octets):  (empty)

      info (18 octets):  00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65
         64 00

      output (32 octets):  87 1c e8 63 61 9c 37 09 02 b2 fc aa 08 16 68
         db 0f c5 32 8b bc 3f 0e df 74 66 01 e3 ad e7 d2 a2

   {client}  send a Finished handshake message



Thomson                 Expires November 3, 2018               [Page 46]


Internet-Draft               TLS 1.3 Traces                     May 2018


   {client}  send handshake record:

      payload (623 octets):  0b 00 01 bf 00 00 01 bb 00 01 b6 30 82 01
         b2 30 82 01 1b a0 03 02 01 02 02 01 01 30 0d 06 09 2a 86 48 86
         f7 0d 01 01 0b 05 00 30 11 31 0f 30 0d 06 03 55 04 03 13 06 63
         6c 69 65 6e 74 30 1e 17 0d 31 36 30 37 33 30 30 31 32 33 35 39
         5a 17 0d 32 36 30 37 33 30 30 31 32 33 35 39 5a 30 11 31 0f 30
         0d 06 03 55 04 03 13 06 63 6c 69 65 6e 74 30 81 9f 30 0d 06 09
         2a 86 48 86 f7 0d 01 01 01 05 00 03 81 8d 00 30 81 89 02 81 81
         00 c3 81 75 e0 04 a6 8d 09 3f 82 3b 9c 37 9d 20 1f bc 0b b7 a1
         c7 91 90 5e 3f bf 76 84 7e 44 e7 51 eb bc d3 60 bd 94 5c 81 e5
         22 2b cc 88 46 d3 a8 a0 f9 3e 9b f5 be ba bd 92 ed f1 de 1f f1
         90 21 70 3e 7a b6 c0 90 15 13 f9 7e 39 b1 11 f0 9c 93 48 97 1c
         7b 21 19 84 a7 54 cd 45 fe 09 5a f0 ea 42 36 82 9b cc f7 a7 fe
         9b 28 88 e7 8a b4 77 69 0a 5b 9e 1c cb e9 1c 6a 4a 0f 97 a7 e0
         28 42 01 02 03 01 00 01 a3 1a 30 18 30 09 06 03 55 1d 13 04 02
         30 00 30 0b 06 03 55 1d 0f 04 04 03 02 07 80 30 0d 06 09 2a 86
         48 86 f7 0d 01 01 0b 05 00 03 81 81 00 1a 7a 5a 01 85 32 b0 22
         af 07 67 d4 86 16 0c ff 2d 16 7a 19 15 d2 38 35 b5 45 94 91 6d
         c6 80 be 5d 2e 62 60 76 c5 d5 27 22 eb cc 77 5d 7d 99 f9 80 be
         2f c9 4d 34 ac f6 cc 00 ba 90 cb cf b0 60 8a a1 e7 e3 97 1e f0
         c0 7a 41 d4 7a d8 34 5d 1f 81 fe 41 8a 1c f4 10 54 42 9f d2 17
         bd 77 7d c1 cf 08 f0 5d f9 07 99 c6 59 36 1e 0f 1a 8e e4 ac 0f
         78 97 42 0b db c8 23 da 80 a2 f2 ba 23 08 1c 00 00 0f 00 00 84
         08 04 00 80 8c 72 81 c7 26 a8 cb 2e 3e 17 d1 22 7f 3a 56 77 69
         f4 31 a0 9c e1 37 f9 18 83 11 6c 53 4c d2 09 89 40 27 9b a9 1d
         dc d7 17 7f 71 70 59 43 1b d6 c5 0b 24 77 7f 55 6d 2f bf e4 8d
         c4 b9 6c 6b 5f bd cb 4c 57 5a 58 88 98 c6 e1 48 ef 5f af dd 2c
         1f ee a5 3f 56 72 f0 aa b4 1f 9a 22 cb fa e4 e0 8b 29 5b 14 99
         c4 71 a8 6a 86 65 55 92 f0 f6 a0 43 d3 fd 84 05 0e 7b b4 b7 6f
         9f 26 76 c7 12 9a 14 00 00 20 34 ef 9a 48 bb 59 75 19 12 14 15
         7f 60 73 9f 40 9a a4 f0 0b 68 b7 9e 1d ee d2 91 e5 09 76 32 df

      ciphertext (645 octets):  17 03 03 02 80 bd 53 8f 8a 51 8e 53 29
         91 44 38 97 42 f7 be 7c e8 d5 cc bc dc 49 7e 99 7e fb eb 45 60
         ae 3f ac ab 2f 07 82 53 1a 3a ed 15 9b 74 88 41 04 dc 95 9b 90
         63 7d 8c f5 a6 24 25 d5 f3 b7 16 57 6b b3 c0 13 99 92 62 0b 91
         ee 02 fa 02 32 3c 8c 3e c9 e6 a6 d1 cc 3b 4a e1 37 94 38 da c9
         17 39 8d c9 5c 33 94 19 f7 b4 c0 a8 4e 04 73 af 06 50 4d dc e9
         df 3d 7e b5 a5 3e dd 17 8d 2a 4f 83 c9 2f fa d2 3e 8c 28 a6 17
         94 f3 c8 45 96 b1 77 0e c5 b4 ec 1f a4 0a 06 8c e0 40 61 dc 80
         1b d0 d3 a7 d0 73 10 0d c6 e7 42 7d aa 0c 9b 8d 2f 4e 16 c4 e4
         3c 84 16 22 b4 ae e1 5e c7 e3 3a c1 b6 4f 74 85 7e 89 82 f8 85
         3d 9a 5e 36 96 9d ad 26 08 b6 88 1f cc 27 a7 39 aa 29 9a ce c4
         73 f7 d9 f5 73 4e 5b 24 d9 57 30 4a a5 6b 06 1c be 70 b5 0f 3f
         20 3a d1 64 ca 62 76 7d 9d 2b 7c dc 7c ce 9d 05 df ec 43 dc a6
         9a d4 2d f5 7a 09 3d 0a e0 b6 e0 a9 40 dc 0e dc 04 27 8c ae fe
         f8 ec 26 8f 29 5c 9c cc 76 3e 38 f2 f1 e1 dd 7f d6 14 17 b6 aa



Thomson                 Expires November 3, 2018               [Page 47]


Internet-Draft               TLS 1.3 Traces                     May 2018


         bc 31 a1 94 0b 96 1e ba 3e 85 cd 58 23 fa e7 28 99 9d ec f1 b0
         7c cc a4 72 94 88 f1 c7 d1 ab e2 56 88 17 ad 19 4f 71 f5 16 cc
         30 28 fa 6e 38 a1 8f 40 e3 bf 68 41 88 84 c6 94 5a de 07 51 b0
         ab fe 09 d5 1d 4e 3b d9 95 b5 50 b5 da 84 61 79 30 a5 98 89 19
         56 3d 2c b2 96 ec d9 1b a6 cd d1 09 1c ff d8 d9 14 b3 78 1a 43
         3e e7 67 03 19 ca ed 45 d5 83 de 8b 66 b3 49 3e df 82 bc d9 14
         ba ce e3 06 22 2a 3b 34 de 7f 1c a4 85 7b 9c 9d 19 72 b9 7a a8
         26 34 01 be db 19 3b 20 1d f8 dc 33 e3 e9 d6 a6 b8 b0 bc be d3
         02 36 08 9a 19 7d 18 8f 21 a0 72 ec 42 7e 5a b8 e5 62 3c 4c 2e
         84 ad 88 91 ff 9f b1 68 69 a3 69 63 0d a6 5b f5 0d 4a 6c 92 fa
         fc 7d 3f b3 00 7e dc b7 7b 55 82 9f 06 ac 49 9f 6a 9b 2a 26 9d
         a0 ef 27 67 29 c9 37 84 db 6d 0c 81 e7 d6 2a e6 8a d5 c5 6a db
         21 40 a1 1a 6a ed 8c 35 e7 9f ab 13 5d 37 79 d9 9e 9f 8e a4 58
         c7 7f 9f 15 f1 53 7c 4c 16 25 fb f3 d7 6c d1 a2 d9 e5 39 a0 34
         26 70 9b 69 32 33 2d 66 76 c4 e6 71 0a 73 d8 1e e5 57 c4 39 81
         99 7d 89 74 c2 51 b4 d5 4f 4b cd bc 61 a8 fc c4 a0 d3 ba a6 c0
         a6 0a

   {client}  derive write traffic keys for application data:

      PRK (32 octets):  a7 95 27 3b d4 3f 76 6c 34 b0 dd 5e 57 12 9d cb
         6a 62 53 d4 25 39 69 f8 43 fc 64 db fb 4d e8 d1

      key info (13 octets):  00 10 09 74 6c 73 31 33 20 6b 65 79 00

      key output (16 octets):  99 a9 9b 02 57 00 7a b1 61 ba cf 9d e9 80
         30 5b

      iv info (12 octets):  00 0c 08 74 6c 73 31 33 20 69 76 00

      iv output (12 octets):  4a f0 6c c7 ce be e4 bc ff e2 0d 0d

   {client}  derive secret "tls13 res master":

      PRK (32 octets):  c5 e8 54 45 75 ea 22 fb 0b 25 bc d1 72 1c c7 56
         ed 94 9c f7 7c 56 d4 24 b6 d2 eb d3 4b a7 4c ee

      hash (32 octets):  52 fc a8 f6 61 6c 96 7f 0e 93 42 dd ab 79 03 1d
         64 cf 07 e3 56 f4 75 13 33 1c 37 05 61 94 9b ff

      info (52 octets):  00 20 10 74 6c 73 31 33 20 72 65 73 20 6d 61 73
         74 65 72 20 52 fc a8 f6 61 6c 96 7f 0e 93 42 dd ab 79 03 1d 64
         cf 07 e3 56 f4 75 13 33 1c 37 05 61 94 9b ff

      output (32 octets):  8b 90 6f 3a d8 2d ba 92 f6 b9 ad 03 7f 71 e3
         f4 70 eb f4 63 68 7a 2c 92 ec ee ca 3a 22 52 be af

   {server}  calculate finished "tls13 finished" (same as client)



Thomson                 Expires November 3, 2018               [Page 48]


Internet-Draft               TLS 1.3 Traces                     May 2018


   {server}  derive read traffic keys for application data (same as
      client write traffic keys)

   {server}  derive secret "tls13 res master" (same as client)

   {client}  send alert record:

      payload (2 octets):  01 00

      ciphertext (24 octets):  17 03 03 00 13 43 c0 93 e4 62 a8 18 6c fe
         a7 1e 94 46 ff ba bd e7 3b 79

   {server}  send alert record:

      payload (2 octets):  01 00

      ciphertext (24 octets):  17 03 03 00 13 8e d0 6a 3a 56 ab b0 fb 05
         04 ed 3b 3f f9 1d 8c 93 77 8e

7.  Compatibility Mode

   This example shows use of the handshake with the client requesting
   that the server use compatibility mode as defined in Appendix D.4 of
   [TLS13].

   {client}  create an ephemeral x25519 key pair:

      private key (32 octets):  90 d4 67 c3 48 e3 d2 4d 7e bb 3d d0 4c
         46 16 9a 16 bb 64 ec 6c d3 4d 56 45 ee ac 7c 2f 02 c9 b5

      public key (32 octets):  17 6f 7c 2d 12 36 9d 89 37 4c ae 31 9c 36
         34 ca 43 0f 82 d6 89 60 90 9b ef 1d 87 ad 1e 9d 32 32

   {client}  send a ClientHello handshake message

   {client}  send handshake record:

      payload (218 octets):  01 00 00 d6 03 03 54 dd 27 fd c8 0f 86 ea
         a7 d3 79 87 46 73 58 44 60 31 0f 38 aa ec 8f e9 3d 6c 32 b8 c0
         0b e1 9c 20 ae 8b b2 af 77 86 0c f6 9d 70 e9 70 b6 29 81 c5 25
         56 65 9d 47 33 c2 ab e8 54 86 3e fe 09 ea 86 00 06 13 01 13 03
         13 02 01 00 00 87 00 00 00 0b 00 09 00 00 06 73 65 72 76 65 72
         ff 01 00 01 00 00 0a 00 14 00 12 00 1d 00 17 00 18 00 19 01 00
         01 01 01 02 01 03 01 04 00 33 00 26 00 24 00 1d 00 20 17 6f 7c
         2d 12 36 9d 89 37 4c ae 31 9c 36 34 ca 43 0f 82 d6 89 60 90 9b
         ef 1d 87 ad 1e 9d 32 32 00 2b 00 03 02 7f 1c 00 0d 00 20 00 1e
         04 03 05 03 06 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02
         01 04 02 05 02 06 02 02 02 00 2d 00 02 01 01



Thomson                 Expires November 3, 2018               [Page 49]


Internet-Draft               TLS 1.3 Traces                     May 2018


      ciphertext (223 octets):  16 03 01 00 da 01 00 00 d6 03 03 54 dd
         27 fd c8 0f 86 ea a7 d3 79 87 46 73 58 44 60 31 0f 38 aa ec 8f
         e9 3d 6c 32 b8 c0 0b e1 9c 20 ae 8b b2 af 77 86 0c f6 9d 70 e9
         70 b6 29 81 c5 25 56 65 9d 47 33 c2 ab e8 54 86 3e fe 09 ea 86
         00 06 13 01 13 03 13 02 01 00 00 87 00 00 00 0b 00 09 00 00 06
         73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 14 00 12 00 1d 00 17
         00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 33 00 26 00 24 00
         1d 00 20 17 6f 7c 2d 12 36 9d 89 37 4c ae 31 9c 36 34 ca 43 0f
         82 d6 89 60 90 9b ef 1d 87 ad 1e 9d 32 32 00 2b 00 03 02 7f 1c
         00 0d 00 20 00 1e 04 03 05 03 06 03 02 03 08 04 08 05 08 06 04
         01 05 01 06 01 02 01 04 02 05 02 06 02 02 02 00 2d 00 02 01 01

   {server}  extract secret "early":

      salt:  (absent)

      ikm (32 octets):  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

      secret (32 octets):  33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c
         e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a

   {server}  create an ephemeral x25519 key pair:

      private key (32 octets):  50 16 8d 5c 6e 6c a8 2d 2a a3 35 ba ae
         c1 bd 59 f5 19 94 ee 4a d9 79 86 5b 3d fa dc 3c 71 aa 22

      public key (32 octets):  37 69 88 a2 1d dd bc 38 a2 e6 fc de 82 33
         7a ff e6 79 a3 9c 3f e3 fb 5a 29 f9 5f 9f e8 e5 a0 42

   {server}  send a ServerHello handshake message

   {server}  send handshake record:

      payload (122 octets):  02 00 00 76 03 03 21 c5 c5 ee bb d5 fc 32
         cd 26 52 41 8e 6d 51 4b da df d0 51 e5 d4 37 e0 bf 0c 0a 31 8d
         30 a4 b7 20 ae 8b b2 af 77 86 0c f6 9d 70 e9 70 b6 29 81 c5 25
         56 65 9d 47 33 c2 ab e8 54 86 3e fe 09 ea 86 13 01 00 00 2e 00
         33 00 24 00 1d 00 20 37 69 88 a2 1d dd bc 38 a2 e6 fc de 82 33
         7a ff e6 79 a3 9c 3f e3 fb 5a 29 f9 5f 9f e8 e5 a0 42 00 2b 00
         02 7f 1c

      ciphertext (127 octets):  16 03 03 00 7a 02 00 00 76 03 03 21 c5
         c5 ee bb d5 fc 32 cd 26 52 41 8e 6d 51 4b da df d0 51 e5 d4 37
         e0 bf 0c 0a 31 8d 30 a4 b7 20 ae 8b b2 af 77 86 0c f6 9d 70 e9
         70 b6 29 81 c5 25 56 65 9d 47 33 c2 ab e8 54 86 3e fe 09 ea 86
         13 01 00 00 2e 00 33 00 24 00 1d 00 20 37 69 88 a2 1d dd bc 38




Thomson                 Expires November 3, 2018               [Page 50]


Internet-Draft               TLS 1.3 Traces                     May 2018


         a2 e6 fc de 82 33 7a ff e6 79 a3 9c 3f e3 fb 5a 29 f9 5f 9f e8
         e5 a0 42 00 2b 00 02 7f 1c

   {server}  send change_cipher_spec record:

      payload (1 octets):  01

      ciphertext (6 octets):  14 03 03 00 01 01

   {server}  derive secret for handshake "tls13 derived":

      PRK (32 octets):  33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2
         10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a

      hash (32 octets):  e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24
         27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55

      info (49 octets):  00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64
         20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4
         64 9b 93 4c a4 95 99 1b 78 52 b8 55

      output (32 octets):  6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6
         97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba

   {server}  extract secret "handshake":

      salt (32 octets):  6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97
         16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba

      ikm (32 octets):  18 5a df 44 30 f3 14 a4 a4 04 47 0e 5d d5 45 35
         b3 cb 4f b7 9f 75 da 58 b6 fa f7 e2 cf ff f0 36

      secret (32 octets):  50 9a 53 59 61 77 d3 24 94 53 e7 bf ac fe 6e
         6d 1d be 83 7e d6 bd ab 06 d2 d8 97 59 33 b9 07 d9

   {server}  derive secret "tls13 c hs traffic":

      PRK (32 octets):  50 9a 53 59 61 77 d3 24 94 53 e7 bf ac fe 6e 6d
         1d be 83 7e d6 bd ab 06 d2 d8 97 59 33 b9 07 d9

      hash (32 octets):  b3 8d da d9 ff b9 64 09 bb de 07 05 47 b4 c6 94
         cc b7 9b 4a ed a1 71 a4 6f 09 2d 79 ae fb e7 4c

      info (54 octets):  00 20 12 74 6c 73 31 33 20 63 20 68 73 20 74 72
         61 66 66 69 63 20 b3 8d da d9 ff b9 64 09 bb de 07 05 47 b4 c6
         94 cc b7 9b 4a ed a1 71 a4 6f 09 2d 79 ae fb e7 4c





Thomson                 Expires November 3, 2018               [Page 51]


Internet-Draft               TLS 1.3 Traces                     May 2018


      output (32 octets):  4b 4c d4 8c 4f 39 9c 05 77 bd 73 11 5b b5 12
         f1 af 4e 3c 65 fa da 60 d5 24 6b 3e 64 b5 7d c5 ec

   {server}  derive secret "tls13 s hs traffic":

      PRK (32 octets):  50 9a 53 59 61 77 d3 24 94 53 e7 bf ac fe 6e 6d
         1d be 83 7e d6 bd ab 06 d2 d8 97 59 33 b9 07 d9

      hash (32 octets):  b3 8d da d9 ff b9 64 09 bb de 07 05 47 b4 c6 94
         cc b7 9b 4a ed a1 71 a4 6f 09 2d 79 ae fb e7 4c

      info (54 octets):  00 20 12 74 6c 73 31 33 20 73 20 68 73 20 74 72
         61 66 66 69 63 20 b3 8d da d9 ff b9 64 09 bb de 07 05 47 b4 c6
         94 cc b7 9b 4a ed a1 71 a4 6f 09 2d 79 ae fb e7 4c

      output (32 octets):  2c e0 bf ee 1c 9c bf 77 3a 21 40 b1 4b 14 a0
         8c 65 de ee 09 4a bc db 0f 01 8a 1d 50 33 1f 30 cd

   {server}  derive secret for master "tls13 derived":

      PRK (32 octets):  50 9a 53 59 61 77 d3 24 94 53 e7 bf ac fe 6e 6d
         1d be 83 7e d6 bd ab 06 d2 d8 97 59 33 b9 07 d9

      hash (32 octets):  e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24
         27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55

      info (49 octets):  00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64
         20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4
         64 9b 93 4c a4 95 99 1b 78 52 b8 55

      output (32 octets):  42 60 f4 bc 75 60 30 9b de 27 31 79 f9 2c 94
         f1 13 e3 10 02 fb ba b3 b3 17 98 a3 05 04 10 e2 33

   {server}  extract secret "master":

      salt (32 octets):  42 60 f4 bc 75 60 30 9b de 27 31 79 f9 2c 94 f1
         13 e3 10 02 fb ba b3 b3 17 98 a3 05 04 10 e2 33

      ikm (32 octets):  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

      secret (32 octets):  6a c7 28 bf 27 30 55 d8 24 4f 71 01 07 fe 11
         91 ec 30 47 c0 e9 86 14 aa d5 2f 51 62 27 7f 00 7b

   {server}  derive write traffic keys for handshake data:

      PRK (32 octets):  2c e0 bf ee 1c 9c bf 77 3a 21 40 b1 4b 14 a0 8c
         65 de ee 09 4a bc db 0f 01 8a 1d 50 33 1f 30 cd



Thomson                 Expires November 3, 2018               [Page 52]


Internet-Draft               TLS 1.3 Traces                     May 2018


      key info (13 octets):  00 10 09 74 6c 73 31 33 20 6b 65 79 00

      key output (16 octets):  1e f6 3e cc 95 0c e3 96 b0 11 16 ad 52 35
         3f f1

      iv info (12 octets):  00 0c 08 74 6c 73 31 33 20 69 76 00

      iv output (12 octets):  73 ab 6b 2d c5 8a 11 fd 05 70 4a ce

   {server}  send a EncryptedExtensions handshake message

   {server}  send a Certificate handshake message

   {server}  send a CertificateVerify handshake message

   {server}  calculate finished "tls13 finished":

      PRK (32 octets):  2c e0 bf ee 1c 9c bf 77 3a 21 40 b1 4b 14 a0 8c
         65 de ee 09 4a bc db 0f 01 8a 1d 50 33 1f 30 cd

      hash (0 octets):  (empty)

      info (18 octets):  00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65
         64 00

      output (32 octets):  37 10 db 07 3f 25 97 e5 f6 0f cb 4b 14 df bb
         ff 45 1e 50 c4 af 44 24 c2 6b 04 55 f1 de 1f 14 41

   {server}  send a Finished handshake message

   {server}  send handshake record:

      payload (651 octets):  08 00 00 1e 00 1c 00 0a 00 14 00 12 00 1d
         00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 00 00 00 0b
         00 01 b9 00 00 01 b5 00 01 b0 30 82 01 ac 30 82 01 15 a0 03 02
         01 02 02 01 02 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30
         0e 31 0c 30 0a 06 03 55 04 03 13 03 72 73 61 30 1e 17 0d 31 36
         30 37 33 30 30 31 32 33 35 39 5a 17 0d 32 36 30 37 33 30 30 31
         32 33 35 39 5a 30 0e 31 0c 30 0a 06 03 55 04 03 13 03 72 73 61
         30 81 9f 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 81 8d
         00 30 81 89 02 81 81 00 b4 bb 49 8f 82 79 30 3d 98 08 36 39 9b
         36 c6 98 8c 0c 68 de 55 e1 bd b8 26 d3 90 1a 24 61 ea fd 2d e4
         9a 91 d0 15 ab bc 9a 95 13 7a ce 6c 1a f1 9e aa 6a f9 8c 7c ed
         43 12 09 98 e1 87 a8 0e e0 cc b0 52 4b 1b 01 8c 3e 0b 63 26 4d
         44 9a 6d 38 e2 2a 5f da 43 08 46 74 80 30 53 0e f0 46 1c 8c a9
         d9 ef bf ae 8e a6 d1 d0 3e 2b d1 93 ef f0 ab 9a 80 02 c4 74 28
         a6 d3 5a 8d 88 d7 9f 7f 1e 3f 02 03 01 00 01 a3 1a 30 18 30 09
         06 03 55 1d 13 04 02 30 00 30 0b 06 03 55 1d 0f 04 04 03 02 05



Thomson                 Expires November 3, 2018               [Page 53]


Internet-Draft               TLS 1.3 Traces                     May 2018


         a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 81 81 00 85
         aa d2 a0 e5 b9 27 6b 90 8c 65 f7 3a 72 67 17 06 18 a5 4c 5f 8a
         7b 33 7d 2d f7 a5 94 36 54 17 f2 ea e8 f8 a5 8c 8f 81 72 f9 31
         9c f3 6b 7f d6 c5 5b 80 f2 1a 03 01 51 56 72 60 96 fd 33 5e 5e
         67 f2 db f1 02 70 2e 60 8c ca e6 be c1 fc 63 a4 2a 99 be 5c 3e
         b7 10 7c 3c 54 e9 b9 eb 2b d5 20 3b 1c 3b 84 e0 a8 b2 f7 59 40
         9b a3 ea c9 d9 1d 40 2d cc 0c c8 f8 96 12 29 ac 91 87 b4 2b 4d
         e1 00 00 0f 00 00 84 08 04 00 80 58 c8 c3 2b e7 b4 d2 a7 42 2b
         f3 32 1d 0b dc 63 4c 8e 54 7e 12 0e 57 f8 90 ac 3c 2b 93 b1 c9
         9d 36 4b 9a 59 9e ad f4 cb 17 50 22 2f 65 61 aa b6 b6 89 10 15
         eb 6b 27 4c 21 72 4a df 97 f0 00 ff 03 de 8f 14 24 53 28 5f b4
         4b 7e 65 96 7c ea 58 74 3e a1 cb 7a 28 62 d0 18 12 64 6b ff 50
         04 9e 5b e1 ea 5d c3 50 ed 7e 53 a4 38 5d d3 f0 aa dc e4 bc ec
         9d 64 8f 82 0d e1 3d da e4 2f 9f 96 20 14 00 00 20 ed 0a 13 2e
         5f e8 fb 5b 43 aa aa 7b ab 9e 46 34 63 64 11 0a 1b 25 33 75 ab
         fc 6d ea 46 ef 91 c0

      ciphertext (673 octets):  17 03 03 02 9c 1e 4e 15 9f 57 8e 9d 1d
         73 88 13 e5 1b e1 89 ea 1c 80 1b 85 ab bc 4f 0d 52 92 7f aa 30
         6c 04 e6 7f a8 02 ab 02 38 56 18 aa 0e b3 d1 af a0 84 62 ec f3
         a0 04 a5 f2 dc 51 be 25 10 8f dd d6 38 92 04 88 3a 39 bd f1 0d
         bb de 5f 33 4a c5 bf 11 85 86 de c0 38 2d cf 00 b2 69 13 8a fe
         27 28 37 0c c1 9a 3d 58 12 4c b1 99 be b9 7c a0 a8 a9 ab af 01
         c2 38 f2 9c 45 b5 30 28 f8 d8 d2 2a 49 0b d8 2c f2 53 3a 76 72
         4d 67 d8 a7 2a b0 fb 94 53 63 fb 92 4f 8c a5 e1 32 e6 b3 3c 85
         29 4b 12 1c 69 8d df 37 52 ec f3 bc b9 f9 b9 01 37 bf d3 ad 0d
         fd 04 52 2c 27 1e 63 23 11 37 93 a5 c7 36 ee fa b2 73 a4 79 c3
         d8 b0 07 2d 0c 39 d9 4f 7d 1b ea c3 2f 02 15 be 45 04 14 6e 83
         c8 d3 37 c8 27 e7 f0 05 d4 83 a8 46 ef 6c c8 1a 13 ed 52 88 d1
         69 4e c1 76 a2 7f fb 62 c5 93 ab 1e df dc 8c 6f 0c ec 57 34 7a
         e8 81 ab 17 ab a9 49 b4 f5 1a 0b 61 49 09 00 ff 92 16 bd b2 26
         99 5b 54 9c 8d 5d 19 31 a0 11 de 06 bf 75 0f 8c 1c 54 8b 4b d7
         00 2d 9a 76 7e 7b 66 77 f6 4b d2 3f e7 a5 ce 3c 55 5e 7b 8b c6
         ed e8 72 f5 d9 6a fa c0 50 e9 a0 2c 80 1a 0f 15 12 4a 46 42 aa
         89 cc d0 e5 fe b6 70 a9 68 dd db 31 7b fc e9 db 82 9f 63 d4 5a
         bf e6 1a f9 56 d1 b3 c6 ea 8d fe 17 3b 13 d3 db 69 38 7b 54 23
         f2 78 d2 d7 49 e1 9e 2e 61 d4 f6 85 b6 e6 57 40 8f 99 3a b5 b4
         5c 3c dc ed fd be 44 b0 5f 6a dd 3a 5d e9 30 46 f2 af bb 30 ea
         03 26 47 eb 7d b7 8a c4 6a 1c 54 52 e3 e9 39 69 82 ef 55 2e 69
         cc a5 a7 9d 57 af 22 10 2f da 06 7d 2d 48 f6 9a 91 5c 41 87 81
         29 10 ec b4 7e 76 41 78 e0 ad cc 92 10 42 bc 9f ac 44 53 54 09
         10 b5 02 9d 79 e4 1f 87 d2 66 01 16 18 45 2b 38 b0 0f 97 a6 32
         20 30 4c d8 56 b8 0c f7 d7 f0 dc 30 7d 2b 9b 57 db 57 ad 29 3a
         58 85 f9 4f c2 65 c1 84 af d9 0b 85 a2 52 12 f5 6c 8c c8 29 c1
         b7 d1 6d ce 0b 8b 48 26 44 2d 79 6f 76 fb 1a 8d ff d3 06 96 cf
         07 c8 c9 58 4a f9 76 ba 4c 86 4b f4 75 12 fb 8c a3 3f 8d 96 1a
         5b 66 68 d1 b5 ad c3 8f 16 aa 8b 87 91 be da 44 5c a4 89 8b 0b
         c8 c8 de 04 22 81 25 21 42 50 cf 49 f4 3d ce d2 28 f5 4c 01 d6



Thomson                 Expires November 3, 2018               [Page 54]


Internet-Draft               TLS 1.3 Traces                     May 2018


         b2 e1 fa d7 33 50 e9 a3 69 1e ee fc af 8a 4c a3 66 45 92 0e 72
         97 af 36 1e 01 27 0e d1 fe

   {server}  derive secret "tls13 c ap traffic":

      PRK (32 octets):  6a c7 28 bf 27 30 55 d8 24 4f 71 01 07 fe 11 91
         ec 30 47 c0 e9 86 14 aa d5 2f 51 62 27 7f 00 7b

      hash (32 octets):  9e 61 88 ec d4 0e c8 d1 45 81 2f 15 70 04 59 47
         bc 41 6a fc cf a8 ca 34 1a 4a 76 01 f6 a7 39 cd

      info (54 octets):  00 20 12 74 6c 73 31 33 20 63 20 61 70 20 74 72
         61 66 66 69 63 20 9e 61 88 ec d4 0e c8 d1 45 81 2f 15 70 04 59
         47 bc 41 6a fc cf a8 ca 34 1a 4a 76 01 f6 a7 39 cd

      output (32 octets):  07 04 02 00 14 0c 44 d3 60 5a 53 0b 0d b2 ee
         e6 ad 5b ff 4a 51 64 20 df 10 95 d6 26 15 b5 3b be

   {server}  derive secret "tls13 s ap traffic":

      PRK (32 octets):  6a c7 28 bf 27 30 55 d8 24 4f 71 01 07 fe 11 91
         ec 30 47 c0 e9 86 14 aa d5 2f 51 62 27 7f 00 7b

      hash (32 octets):  9e 61 88 ec d4 0e c8 d1 45 81 2f 15 70 04 59 47
         bc 41 6a fc cf a8 ca 34 1a 4a 76 01 f6 a7 39 cd

      info (54 octets):  00 20 12 74 6c 73 31 33 20 73 20 61 70 20 74 72
         61 66 66 69 63 20 9e 61 88 ec d4 0e c8 d1 45 81 2f 15 70 04 59
         47 bc 41 6a fc cf a8 ca 34 1a 4a 76 01 f6 a7 39 cd

      output (32 octets):  a1 16 af 52 37 f0 00 ca 95 4a 76 f0 bf 59 78
         2d db 81 45 9e b5 f0 36 eb 72 10 ed 9e ab 6c 23 36

   {server}  derive secret "tls13 exp master":

      PRK (32 octets):  6a c7 28 bf 27 30 55 d8 24 4f 71 01 07 fe 11 91
         ec 30 47 c0 e9 86 14 aa d5 2f 51 62 27 7f 00 7b

      hash (32 octets):  9e 61 88 ec d4 0e c8 d1 45 81 2f 15 70 04 59 47
         bc 41 6a fc cf a8 ca 34 1a 4a 76 01 f6 a7 39 cd

      info (52 octets):  00 20 10 74 6c 73 31 33 20 65 78 70 20 6d 61 73
         74 65 72 20 9e 61 88 ec d4 0e c8 d1 45 81 2f 15 70 04 59 47 bc
         41 6a fc cf a8 ca 34 1a 4a 76 01 f6 a7 39 cd

      output (32 octets):  a6 e6 ca 68 ff 08 62 3b ca de 3d 27 35 95 eb
         ae 49 93 aa e4 7d c1 d8 cf 2f 1d 12 e9 d8 ee 91 5e




Thomson                 Expires November 3, 2018               [Page 55]


Internet-Draft               TLS 1.3 Traces                     May 2018


   {server}  derive write traffic keys for application data:

      PRK (32 octets):  a1 16 af 52 37 f0 00 ca 95 4a 76 f0 bf 59 78 2d
         db 81 45 9e b5 f0 36 eb 72 10 ed 9e ab 6c 23 36

      key info (13 octets):  00 10 09 74 6c 73 31 33 20 6b 65 79 00

      key output (16 octets):  b2 1c 13 11 a2 57 45 a0 c1 d8 de 68 c7 ce
         7a dc

      iv info (12 octets):  00 0c 08 74 6c 73 31 33 20 69 76 00

      iv output (12 octets):  d1 7b 34 2a f3 32 e9 90 1f 42 44 43

   {server}  derive read traffic keys for handshake data:

      PRK (32 octets):  4b 4c d4 8c 4f 39 9c 05 77 bd 73 11 5b b5 12 f1
         af 4e 3c 65 fa da 60 d5 24 6b 3e 64 b5 7d c5 ec

      key info (13 octets):  00 10 09 74 6c 73 31 33 20 6b 65 79 00

      key output (16 octets):  cc 08 24 4c 19 61 00 74 6d 6e bd e5 6f ee
         e9 01

      iv info (12 octets):  00 0c 08 74 6c 73 31 33 20 69 76 00

      iv output (12 octets):  c0 52 e0 7a ce 1d 8e 0f af aa f1 a9

   {client}  extract secret "early":

      salt:  (absent)

      ikm (32 octets):  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

      secret (32 octets):  33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c
         e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a

   {client}  derive secret for handshake "tls13 derived":

      PRK (32 octets):  33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2
         10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a

      hash (32 octets):  e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24
         27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55






Thomson                 Expires November 3, 2018               [Page 56]


Internet-Draft               TLS 1.3 Traces                     May 2018


      info (49 octets):  00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64
         20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4
         64 9b 93 4c a4 95 99 1b 78 52 b8 55

      output (32 octets):  6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6
         97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba

   {client}  extract secret "handshake":

      salt (32 octets):  6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97
         16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba

      ikm (32 octets):  18 5a df 44 30 f3 14 a4 a4 04 47 0e 5d d5 45 35
         b3 cb 4f b7 9f 75 da 58 b6 fa f7 e2 cf ff f0 36

      secret (32 octets):  50 9a 53 59 61 77 d3 24 94 53 e7 bf ac fe 6e
         6d 1d be 83 7e d6 bd ab 06 d2 d8 97 59 33 b9 07 d9

   {client}  derive secret "tls13 c hs traffic" (same as server)

   {client}  derive secret "tls13 s hs traffic" (same as server)

   {client}  derive secret for master "tls13 derived" (same as server)

   {client}  extract secret "master" (same as server)

   {client}  derive read traffic keys for handshake data:

      PRK (32 octets):  2c e0 bf ee 1c 9c bf 77 3a 21 40 b1 4b 14 a0 8c
         65 de ee 09 4a bc db 0f 01 8a 1d 50 33 1f 30 cd

      key info (13 octets):  00 10 09 74 6c 73 31 33 20 6b 65 79 00

      key output (16 octets):  1e f6 3e cc 95 0c e3 96 b0 11 16 ad 52 35
         3f f1

      iv info (12 octets):  00 0c 08 74 6c 73 31 33 20 69 76 00

      iv output (12 octets):  73 ab 6b 2d c5 8a 11 fd 05 70 4a ce

   {client}  calculate finished "tls13 finished" (same as server)

   {client}  derive secret "tls13 c ap traffic" (same as server)

   {client}  derive secret "tls13 s ap traffic" (same as server)

   {client}  derive secret "tls13 exp master" (same as server)




Thomson                 Expires November 3, 2018               [Page 57]


Internet-Draft               TLS 1.3 Traces                     May 2018


   {client}  send change_cipher_spec record:

      payload (1 octets):  01

      ciphertext (6 octets):  14 03 03 00 01 01

   {client}  derive write traffic keys for handshake data (same as
      server read traffic keys)

   {client}  derive read traffic keys for application data (same as
      server write traffic keys)

   {client}  calculate finished "tls13 finished":

      PRK (32 octets):  4b 4c d4 8c 4f 39 9c 05 77 bd 73 11 5b b5 12 f1
         af 4e 3c 65 fa da 60 d5 24 6b 3e 64 b5 7d c5 ec

      hash (0 octets):  (empty)

      info (18 octets):  00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65
         64 00

      output (32 octets):  00 f1 67 b7 01 24 2f d4 77 08 23 d6 4b a7 f5
         09 0e 8b 93 bd 24 9d bd 4d 1d 2f 6c 75 e3 4d 68 4a

   {client}  send a Finished handshake message

   {client}  send handshake record:

      payload (36 octets):  14 00 00 20 9c dd a7 08 0e f0 6b ce 6c 90 bb
         d0 03 1e 1b c8 82 1a 64 70 ea 2a 61 d6 d8 42 b1 51 a6 1c 35 2c

      ciphertext (58 octets):  17 03 03 00 35 df 43 9f 06 1c 68 4c 3c 96
         08 9b 15 58 8c 8d bf af 32 67 a3 d0 83 60 ae b1 d1 59 ce 92 85
         f7 4e 91 b7 91 7b 4d 7a 1d 11 d6 7d cf 8b 8c fe 4c af 5d a9 58
         b4 a9

   {client}  derive write traffic keys for application data:

      PRK (32 octets):  07 04 02 00 14 0c 44 d3 60 5a 53 0b 0d b2 ee e6
         ad 5b ff 4a 51 64 20 df 10 95 d6 26 15 b5 3b be

      key info (13 octets):  00 10 09 74 6c 73 31 33 20 6b 65 79 00

      key output (16 octets):  f0 72 a4 38 13 be 60 17 99 b4 c1 21 2c 45
         28 18

      iv info (12 octets):  00 0c 08 74 6c 73 31 33 20 69 76 00



Thomson                 Expires November 3, 2018               [Page 58]


Internet-Draft               TLS 1.3 Traces                     May 2018


      iv output (12 octets):  47 c6 45 c2 e5 1c 04 f6 e9 21 f4 99

   {client}  derive secret "tls13 res master":

      PRK (32 octets):  6a c7 28 bf 27 30 55 d8 24 4f 71 01 07 fe 11 91
         ec 30 47 c0 e9 86 14 aa d5 2f 51 62 27 7f 00 7b

      hash (32 octets):  7a 0a 30 81 19 4d bc f1 bd af c6 f4 02 a0 62 a2
         b1 e3 3a c9 6e ea 6f c3 22 62 c5 20 49 bf d7 1a

      info (52 octets):  00 20 10 74 6c 73 31 33 20 72 65 73 20 6d 61 73
         74 65 72 20 7a 0a 30 81 19 4d bc f1 bd af c6 f4 02 a0 62 a2 b1
         e3 3a c9 6e ea 6f c3 22 62 c5 20 49 bf d7 1a

      output (32 octets):  69 5c b5 3a dd e2 0c 27 6b 9d 87 11 a8 df 03
         6c cc ce be 5c 82 ed ab 0c 3a 6c 5f 39 84 54 1e 77

   {server}  calculate finished "tls13 finished" (same as client)

   {server}  derive read traffic keys for application data (same as
      client write traffic keys)

   {server}  derive secret "tls13 res master" (same as client)

   {client}  send alert record:

      payload (2 octets):  01 00

      ciphertext (24 octets):  17 03 03 00 13 85 3c c0 b9 9c 64 e3 78 5c
         c8 53 b5 61 a1 24 0f f6 35 75

   {server}  send alert record:

      payload (2 octets):  01 00

      ciphertext (24 octets):  17 03 03 00 13 2b cd 23 33 71 26 6e b4 bc
         ce 2d 27 56 f3 8f 37 15 ea 19

8.  Security Considerations

   It probably isn't a good idea to use the private key here.  If it
   weren't for the fact that it is too small to provide any meaningful
   security, it is now very well known.








Thomson                 Expires November 3, 2018               [Page 59]


Internet-Draft               TLS 1.3 Traces                     May 2018


9.  References

9.1.  Normative References

   [TLS13]    Rescorla, E., "The Transport Layer Security (TLS) Protocol
              Version 1.3", draft-ietf-tls-tls13-28 (work in progress),
              March 2018.

9.2.  Informative References

   [FIPS186]  National Institute of Standards and Technology (NIST),
              "Digital Signature Standard (DSS)", NIST PUB 186-4 , July
              2013.

   [RFC7748]  Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves
              for Security", RFC 7748, DOI 10.17487/RFC7748, January
              2016, <https://www.rfc-editor.org/info/rfc7748>.

9.3.  URIs

   [1] https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS

Appendix A.  Acknowledgements

   This draft is generated using tests that were written for NSS [1].
   None of this would have been possible without Franziskus Kiefer, Eric
   Rescorla and Tim Taubert, who did a lot of the work in NSS.

Author's Address

   Martin Thomson
   Mozilla

   Email: martin.thomson@gmail.com

















Thomson                 Expires November 3, 2018               [Page 60]


Html markup produced by rfcmarkup 1.126, available from https://tools.ietf.org/tools/rfcmarkup/