[Docs] [txt|pdf|xml|html] [Tracker] [Email] [Diff1] [Diff2] [Nits]

Versions: 00 01 02 03 04 05 06 07

Network Working Group                                 S. Smyshlyaev, Ed.
Internet-Draft                                                 CryptoPro
Intended status: Informational                              D. Belyavsky
Expires: April 20, 2019                                        Cryptocom
                                                             M. Saarinen
                                                  Independent Consultant
                                                        October 17, 2018


 GOST Cipher Suites for Transport Layer Security (TLS) Protocol Version
                                  1.2
                 draft-smyshlyaev-tls12-gost-suites-02

Abstract

   This document specifies a set of cipher suites for the Transport
   Layer Security (TLS) protocol Version 1.2 to support the Russian
   cryptographic standard algorithms.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on April 20, 2019.

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of



Smyshlyaev, et al.       Expires April 20, 2019                 [Page 1]


Internet-Draft       GOST Cipher Suites for TLS 1.2         October 2018


   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
   2.  Conventions Used in This Document . . . . . . . . . . . . . .   3
   3.  Basic Terms and Definitions . . . . . . . . . . . . . . . . .   3
   4.  Cipher Suite Definitions  . . . . . . . . . . . . . . . . . .   5
     4.1.  Record Payload Protection . . . . . . . . . . . . . . . .   5
       4.1.1.  CTR_OMAC  . . . . . . . . . . . . . . . . . . . . . .   5
       4.1.2.  CNT_IMIT  . . . . . . . . . . . . . . . . . . . . . .   6
     4.2.  Key Exchange and Authentication . . . . . . . . . . . . .   7
       4.2.1.  Hello Messages  . . . . . . . . . . . . . . . . . . .   8
         4.2.1.1.  Signature Algorithms Extension  . . . . . . . . .   9
       4.2.2.  CertificateRequest  . . . . . . . . . . . . . . . . .  10
       4.2.3.  ClientKeyExchange . . . . . . . . . . . . . . . . . .  10
         4.2.3.1.  CTR_OMAC  . . . . . . . . . . . . . . . . . . . .  11
         4.2.3.2.  CNT_IMIT  . . . . . . . . . . . . . . . . . . . .  12
       4.2.4.  CertificateVerify . . . . . . . . . . . . . . . . . .  14
       4.2.5.  Finished  . . . . . . . . . . . . . . . . . . . . . .  15
     4.3.  Cryptographic Algorithms  . . . . . . . . . . . . . . . .  15
       4.3.1.  Block Cipher  . . . . . . . . . . . . . . . . . . . .  15
       4.3.2.  MAC . . . . . . . . . . . . . . . . . . . . . . . . .  16
       4.3.3.  Encryption Algorithm  . . . . . . . . . . . . . . . .  16
       4.3.4.  SNMAX . . . . . . . . . . . . . . . . . . . . . . . .  16
       4.3.5.  PRF and HASH  . . . . . . . . . . . . . . . . . . . .  16
   5.  Additional Algorithms . . . . . . . . . . . . . . . . . . . .  17
     5.1.  TLSTREE . . . . . . . . . . . . . . . . . . . . . . . . .  17
       5.1.1.  Key Tree Parameters . . . . . . . . . . . . . . . . .  17
     5.2.  KExp15 and KImp15 Algorithms  . . . . . . . . . . . . . .  18
     5.3.  KEG Algorithm . . . . . . . . . . . . . . . . . . . . . .  19
     5.4.  gostIMIT28147 . . . . . . . . . . . . . . . . . . . . . .  19
   6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  20
   7.  Security Considerations . . . . . . . . . . . . . . . . . . .  20
   8.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  20
     8.1.  Normative References  . . . . . . . . . . . . . . . . . .  20
     8.2.  Informative References  . . . . . . . . . . . . . . . . .  21
   Appendix A.  Test Examples  . . . . . . . . . . . . . . . . . . .  22
     A.1.  Test Examples for CTR_OMAC cipher suites  . . . . . . . .  22
       A.1.1.  TLSTREE Examples  . . . . . . . . . . . . . . . . . .  22
         A.1.1.1.  TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC
                   ciphersuite . . . . . . . . . . . . . . . . . . .  22
         A.1.1.2.  TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC
                   ciphersuite . . . . . . . . . . . . . . . . . . .  24
       A.1.2.  Record Examples . . . . . . . . . . . . . . . . . . .  26
         A.1.2.1.  TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC
                   ciphersuite . . . . . . . . . . . . . . . . . . .  26



Smyshlyaev, et al.       Expires April 20, 2019                 [Page 2]


Internet-Draft       GOST Cipher Suites for TLS 1.2         October 2018


         A.1.2.2.  TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC
                   ciphersuite . . . . . . . . . . . . . . . . . . .  29
       A.1.3.  Handshake Examples  . . . . . . . . . . . . . . . . .  32
         A.1.3.1.  TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC
                   ciphersuite . . . . . . . . . . . . . . . . . . .  32
         A.1.3.2.  TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC
                   ciphersuite . . . . . . . . . . . . . . . . . . .  46
     A.2.  Test Examples for CNT_IMIT cipher suites  . . . . . . . .  64
       A.2.1.  Record Examples . . . . . . . . . . . . . . . . . . .  64
       A.2.2.  Handshake Examples  . . . . . . . . . . . . . . . . .  66
   Appendix B.  Contributors . . . . . . . . . . . . . . . . . . . .  75
   Appendix C.  Acknowledgments  . . . . . . . . . . . . . . . . . .  75
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  75

1.  Introduction

   This document specifies three new cipher suites for the Transport
   Layer Security (TLS) Protocol Version 1.2 [RFC5246] to support the
   set of Russian cryptographic standard algorithms (called GOST
   algorithms).  All of them use the GOST R 34.11-2012 [GOST3411-2012]
   hash algorithm (the English version can be found in [RFC6986]) and
   the GOST R 34.10-2012 [GOST3410-2012] signature algorithm (the
   English version can be found in [RFC7091]) but use different
   encryption algorithms, so they are divided into two types: the
   CTR_OMAC cipher suites and the CNT_IMIT cipher suite.

   The CTR_OMAC cipher suites use the GOST R 34.12-2015 [GOST3412-2015]
   block ciphers (the English version can be found in [RFC7801]):

      TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC = {0xXX, 0xXX};
      TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC = {0xXX, 0xXX}.

   The CNT_IMIT cipher suites use the GOST 28147-89 [GOST28147-89] block
   cipher (the English version can be found in [RFC5830]):

      TLS_GOSTR341112_256_WITH_28147_CNT_IMIT = {0xXX, 0xXX}.

2.  Conventions Used in This Document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

3.  Basic Terms and Definitions

   This document uses the following terms and definitions for the sets
   and operations on the elements of these sets:




Smyshlyaev, et al.       Expires April 20, 2019                 [Page 3]


Internet-Draft       GOST Cipher Suites for TLS 1.2         October 2018


   B*      the set of all byte strings of a finite length (hereinafter
           referred to as strings), including the empty string;

   B_s     The set of byte vectors of size s, s >= 0, for s = 0 the B_s
           set consists of a single empty element of size 0.  If W is an
           element of B_s, then W = (w^1, w^2, ..., w^s), where w^1,
           w^2, ..., w^s are in {0, ... , 255};

   b[i..j] the string b[i..j] = (b_i, b_{i+1}, ... , b_j) in B_{j-i+1}
           where 1<=i<=j<=s and b = (b_1, ... , b_s) in B_s

   |X|     the byte length of the byte string X;

   A | C   concatenation of strings A and C both belonging to B*, i.e.,
           a string in B_{|A|+|C|}, where the left substring in B_|A| is
           equal to A, and the right substring in B_|C| is equal to C;

   STR_s   the transformation that maps an integer i = 256^{s-1} * i_s +
           ... + 2 * i_2 + i_1 into the string STR_s(i) = (i_s, ... ,
           i_1) in B_s (the interpretation of the integer as a byte
           string in big-endian format);

   str_s   the transformation that maps an integer i = 256^{s-1} * i_s +
           ... + 2 * i_2 + i_1 into the string str_s(i) = (i_1, ... ,
           i_s) in B_s (the interpretation of the integer as a byte
           string in little-endian format);

   INT_s   the transformation inverse to the mapping STR_s that maps a
           string a = (a_s, ... , a_1) in B_s into the integer INT_s(a)
           = 256^{s-1} * a_s + ... + 256 * a_2 + a_1 (the interpretation
           of the byte string as an integer);

   k       the byte-length of the block cipher key;

   n       the block size of the block cipher (in bytes);

   Q_C     the public key stored in the client's certificate;

   k_C     the private key that corresponds to Q_C key;

   Q_S     the server's public key;

   k_C     the server's private key;

   r_C     the random string that corresponds to ClientHello.random
           field from [RFC5246];





Smyshlyaev, et al.       Expires April 20, 2019                 [Page 4]


Internet-Draft       GOST Cipher Suites for TLS 1.2         October 2018


   r_S     the random string that corresponds to ServerHello.random
           field from [RFC5246].

4.  Cipher Suite Definitions

4.1.  Record Payload Protection

   All of the cipher suites described in this document MUST use the
   stream cipher (see Section 4.3.3) to protect records.  The
   TLSCiphertext structure for the CTR_OMAC and CNT_IMIT cipher suits is
   specified in accordance with the GenericStreamCipher case (see
   Section 6.2.3.1 of [RFC5246]):


   struct {
       ContentType type;
       ProtocolVersion version;
       uint16 length;
       GenericStreamCipher fragment;
   } TLSCiphertext;


   Here TLSCiphertext.fragment is generated as described in
   Section 4.1.1 and Section 4.1.2.

   The connection key material consists of the sender_write_key (either
   the client_write_key or the server_write_key), the
   sender_write_MAC_key (either the client_write_MAC_key or the
   server_write_MAC_key) and the sender_write_IV (either the
   client_write_IV or the server_write_IV) parameters that are generated
   according to section 6.3 of [RFC5246].

4.1.1.  CTR_OMAC

   In case of the CTR_OMAC cipher_suites there is a certain key material
   which is used by the peer to protect a record that corresponds to the
   seqnum sequence number (in the following simply record key material)
   and consist of K_ENC_seqnum, K_MAC_seqnum and IV_seqnum values that
   are calculated using the TLSTREE function defined in Section 5.1 and
   the connection key material.  K_ENC_seqnum and K_MAC_seqnum are the
   keys for the encryption and MAC transformation respectively.
   IV_seqnum is initialization vector for the encryption algorithm and
   is calculated by adding seqnum value to sender_write_IV modulo
   2^{n*8/2}:

      K_ENC_seqnum = TLSTREE(sender_write_key, seqnum);

      K_MAC_seqnum = TLSTREE(sender_write_MAC_key, seqnum);



Smyshlyaev, et al.       Expires April 20, 2019                 [Page 5]


Internet-Draft       GOST Cipher Suites for TLS 1.2         October 2018


      IV_seqnum = STR_{n/2}((INT_{n/2}(sender_write_IV) + seqnum) mod
      2^{n*8/2}).

   The TLSCiphertext.fragment that corresponds to the seqnum sequence
   number is equal to the ENCValue_seqnum value that is calculated as
   follows:

   1.  The MAC value (MACValue_seqnum) is generated by the MAC algorithm
   (see Section 4.3.2) similar to Section 6.2.3.1 of [RFC5246] except
   the used MAC key: the sender_write_MAC_key is replaced by the
   K^seqnum_MAC key:

      MACData_seqnum = str_8(seqnum) | type_seqnum | version_seqnum |
      length_seqnum | fragment_seqnum;

      MACValue_seqnum = MAC(K_MAC_seqnum, MACData_seqnum),

   where type_seqnum, version_seqnum, length_seqnum, fragment_seqnum are
   the TLSCompressed.type, the TLSCompressed.version, the
   TLSCompressed.length and the TLSCompressed.fragment values of the
   record with the seqnum sequence number.

   2.  The stream cipher ENC (see Section 4.3.3) encrypts the entire
   data with the MACValue as follows:

      ENCData_seqnum = fragment_seqnum | MACValue_seqnum;

      ENCValue_seqnum = ENC( K_ENC_seqnum, IV_seqnum, ENCData_seqnum).

4.1.2.  CNT_IMIT

   In case of the CNT_IMIT cipher_suites the TLSCiphertext.fragment that
   corresponds to the seqnum sequence number is equal to the
   ENCValue_seqnum value that is calculated as follows:

   1.  The MAC value (MACValue_seqnum) is generated by the MAC algorithm
   (see Section 4.3.2) as follows:

      MACData_i = str_8(i) | type_i | version_i | length_i | fragment_i,
      i in {0, ... , seqnum};

      MACValue_seqnum = MAC(sender_write_MAC_key, MACData_0 | ... |
      MACData_seqnum),

   where type_i, version_i, length_i, fragment_i are the
   TLSCompressed.type, the TLSCompressed.version, the
   TLSCompressed.length and the TLSCompressed.fragment values of the
   record with the i sequence number.



Smyshlyaev, et al.       Expires April 20, 2019                 [Page 6]


Internet-Draft       GOST Cipher Suites for TLS 1.2         October 2018


   2.  The stream cipher ENC (see Section 4.3.3) encrypts the entire
   data ENCData_i with the MACValue_i that correspond to the record
   sequence number i with the MACValue as follows:

      ENCData_i = fragment_i | MACValue_i, i in {0, ... , seqnum};

      ENCValue_0 | ... | ENCValue_seqnum = ENC(sender_write_key,
      sender_write_IV, ENCData_0 | ... |ENCData_seqnum).

4.2.  Key Exchange and Authentication

   All of the cipher suites described in this document uses ECDHE based
   schema to compute the TLS premaster secret.

         Client                                               Server

         ClientHello                  -------->
                                                         ServerHello
                                                         Certificate
                                                  CertificateRequest*
                                      <--------      ServerHelloDone
         Certificate*
         ClientKeyExchange
         CertificateVerify*
         [ChangeCipherSpec]
         Finished                     -------->
                                                  [ChangeCipherSpec]
                                      <--------             Finished
         Application Data             <------->     Application Data


   * message is not sent unless client authentication is desired



   Figure 1 shows all messages involved in the TLS key establishment
   protocol (aka full handshake).  A ServerKeyExchange MUST NOT be sent
   (the server's certificate contains all the necessary keying
   information required by the client to arrive at the premaster
   secret).

   The key exchange process consists of the following steps:

   1.  The client generates ECDHE key pair (Q_eph, k_eph), Q_eph is on
       the same curve as the server's long-term public key Q_S.

   2.  The client generates the premaster secret value PS.  The PS value
       is chosen by random from B_32.



Smyshlyaev, et al.       Expires April 20, 2019                 [Page 7]


Internet-Draft       GOST Cipher Suites for TLS 1.2         October 2018


   3.  Using k_eph, server long-term public key and some generated nonce
       value the client generates the encryption key for key-wrap
       algorithm and then sends the PS value wrapped with particular
       key-wrap algorithm.

   4.  The client sends its ephemeral public key Q_eph and the wrapped
       PS value in the ClientKeyExchange message.

   5.  The server extract the premaster secret value PS using its long-
       term secret key k_S in accordance with the key wrap algorithm.

   The server side of the channel is always authenticated; the client
   side is optionally authenticated.  The server is authenticated using
   it's long term private key from the certificate and proving that it
   knows a shared secret.  The client is authenticated when the server
   is checking its signature.

   The proposed cipher suites have direct impact only on the
   ClientHello, the ServerHello, the CertificateRequest, the
   ClientKeyExchange, the CertificateVerify and the Finished handshake
   messages, that are described bellow in greater detail in terms of the
   content and processing of these messages.

4.2.1.  Hello Messages

   The ClientHello message must meet the following requirements:

   o  The ClientHello.compression_methods field MUST contain exactly one
      byte, set to zero, which corresponds to the "null" compression
      method.

   o  While using cipher CTR_OMAC cipher suites the
      ClientHello.extensions field MUST contain the following three
      extensions: signature_algorithms (see Section 4.2.1.1),
      extended_master_secret (see [RFC7627]), renegotiation_info (see
      [RFC5746]).

   o  While using the CNT_IMIT cipher suite the ClientHello.extensions
      field MUST contain the signature_algorithms (see Section 4.2.1.1)
      extension.  And it is RECOMMENDED to contain the following two
      extensions: extended_master_secret (see [RFC7627]),
      renegotiation_info (see [RFC5746]).

   The ServerHello message must meet the following requirements:

   o  The ServerHello.compression_method field MUST contain exactly one
      byte, set to zero, which corresponds to the "null" compression
      method.



Smyshlyaev, et al.       Expires April 20, 2019                 [Page 8]


Internet-Draft       GOST Cipher Suites for TLS 1.2         October 2018


   o  While using the CTR_OMAC cipher suites the ServerHello.extensions
      field MUST contain the following two extensions:
      extended_master_secret (see [RFC7627]), renegotiation_info (see
      [RFC5746]).

   o  While using the CNT_IMIT cipher suite it is RECOMMENDED for the
      ServerHello.extensions field to contain the following two
      extensions: extended_master_secret (see [RFC7627]),
      renegotiation_info (see [RFC5746]).

   Note: If the extended_master_secret extension is agreed, then the
   master secret value MUST be calculated in accordance with [RFC7627].

4.2.1.1.  Signature Algorithms Extension

   The signature_algorithms extension is described in Section 7.4.1.4.1
   of (see [RFC5246]) and is specified as follows.


   SignatureAndHashAlgorithm
       supported_signature_algorithms<2..2^16-2>;

   struct {
       HashAlgorithm hash;
       SignatureAlgorithm signature;
   } SignatureAndHashAlgorithm;


   The set of supported hash algorithms is specified as follows:


   enum {
       gostr34112012_256(238),
       gostr34112012_512(239), (255)
   } HashAlgorithm;


   where gostr34112012_256 and gostr34112012_512 values correspond to
   the GOST R 34.11-2012 [GOST3411-2012] hash algorithm with 32-byte
   (256-bit) and 64-byte (512-bit) hash code respectively.

   The set of supported signature algorithms is specified as follows:









Smyshlyaev, et al.       Expires April 20, 2019                 [Page 9]


Internet-Draft       GOST Cipher Suites for TLS 1.2         October 2018


   enum {
       gostr34102012_256(238),
       gostr34102012_512(239), (255)
   } SignatureAlgorithm;


   where gostr34102012_256 and gostr34102012_512 values correspond to
   the GOST R 34.10-2012 [GOST3410-2012] signature algorithm with
   32-byte (256-bit) and 64-byte (512-bit) key length respectively.

4.2.2.  CertificateRequest

   When this message is sent: this message is sent when requesting
   client authentication.

   Meaning of this message: the server uses this message to suggest
   acceptable certificates.

   The TLS CertificateRequest message is extended as follows.


   struct {
       ClientCertificateType certificate_types<1..2^8-1>;
       SignatureAndHashAlgorithm
           supported_signature_algorithms<2..2^16-2>;
       DistinguishedName certificate_authorities<0..2^16-1>;
   } CertificateRequest;


   where the SignatureAndHashAlgorithm structure is specified in
   Section 4.2.1.1, the ClientCertificateType and the DistinguishedName
   structures are specified as follows.


   enum {
       gostr34102012_256(238),
       gostr34102012_512(239), (255)
   } ClientCertificateType;

   opaque DistinguishedName<1..2^16-1>;


4.2.3.  ClientKeyExchange

   The ClientKeyExchange structure is defined as follows.






Smyshlyaev, et al.       Expires April 20, 2019                [Page 10]


Internet-Draft       GOST Cipher Suites for TLS 1.2         October 2018


   enum { vko_kdf_gost, vko_gost } KeyExchangeAlgorithm;

   struct {
       select (KeyExchangeAlgorithm) {
           case vko_kdf_gost: PSKeyTransport;
           case vko_gost: TLSGostKeyTransportBlob;
       } exchange_keys;
   } ClientKeyExchange;


   The PSKeyTransport structure corresponds to the CTR_OMAC cipher
   suites and is described in Section 4.2.3.1 and the
   TLSGostKeyTransportBlob corresponds to CNT_IMIT cipher suite and is
   described in Section 4.2.3.2.

4.2.3.1.  CTR_OMAC

   The CTR_OMAC cipher suites use the KExp15 and the KImp15 algorithms
   defined in Section 5.2 for key wrapping.

   The export representation of the PS value is calculated as follows.

   1.  The client generates the keys K^EXP_MAC and K^EXP_ENC using the
   KEG function described in Section 5.3:

      H = HASH(r_C | r_S);

      K^EXP_MAC | K^EXP_ENC = KEG(k_eph, Q_S, H).

   2.  The client generates export representation of the premaster
   secret value PS:

      IV = H[25..24 + n / 2];

      PSExp = KExp15(PS, K^EXP_MAC, K^EXP_ENC, IV).

   3.  The client creates the PSKeyTransport structure that is defined
   as follows:













Smyshlyaev, et al.       Expires April 20, 2019                [Page 11]


Internet-Draft       GOST Cipher Suites for TLS 1.2         October 2018


   PSKeyTransport ::= SEQUENCE {
       PSEXP OCTET STRING,
       ephemeralPublicKey SubjectPublicKeyInfo
   }
   SubjectPublicKeyInfo ::= SEQUENCE {
       algorithm AlgorithmIdentifier,
       subjectPublicKey BITSTRING
   }
   AlgorithmIdentifier ::= SEQUENCE {
       algorithm OBJECT IDENTIFIER,
       parameters ANY OPTIONAL
   }


   Here the PSEXP field contains the PSExp value and the
   ephemeralPublicKey field contains the Q_eph value.

   After receiving the ClientKeyExchange message the server process it
   as follows.

   1.  Checks the next three conditions fulfilling and terminates the
   connection with fatal error if not.

   o  Q_eph is on the same curve as server public key;

   o  Q_eph is not equal to zero point;

   o  q * Q_eph is not equal to zero point.

   2.  Generates the keys K^EXP_MAC and K^EXP_ENC using the KEG function
   described in Section 5.3:

      H = HASH(r_C | r_S);

      K^EXP_MAC | K^EXP_ENC = KEG(k_S, Q_eph, H).

   3.  Extracts the common secret PS from the export representation
   PSExp:

      IV = H[25..24+n/2];

      PS = KImp15(PSExp, K^EXP_MAC, K^EXP_ENC, IV).

4.2.3.2.  CNT_IMIT

   The client generates the key KEK using the VKO function.  VKO is one
   of the functions VKO_GOSTR3410_2012_256 or VKO_GOSTR3410_2012_512
   described in [RFC7836].  The particular function depends on the



Smyshlyaev, et al.       Expires April 20, 2019                [Page 12]


Internet-Draft       GOST Cipher Suites for TLS 1.2         October 2018


   elliptic curve used in the server certificate.  The KEK calculation
   is made as follow

      UKM = HASH(r_C | r_S)

      KEK = VKO(k_eph, Q_S, UKM)

   Generates the diversified key KEK(UKM) using the function CryptoPro
   KEK Diversification Algorithm defined in [RFC4357]

   Generates export representation of the common secret PS:

      Compute a 4-byte MAC value, gost28147IMIT (UKM, KEK(UKM), CEK) as
      described in Section 5.4.  Call the result CEK_MAC.

      Encrypt CEK in ECB mode using KEK(UKM).  Call the ciphertext
      CEK_ENC.

      The wrapped key is the string UKM | CEK_ENC | CEK_MAC in B_44.

   The TLSGostKeyTransportBlob is defined as


  TLSGostKeyTransportBlob ::= SEQUENCE {
      keyBlob               GostR3410-KeyTransport,
  }
  GostR3410-KeyTransport ::=
      SEQUENCE {
          sessionEncryptedKey Gost28147-89-EncryptedKey,
          transportParameters [0] IMPLICIT GostR3410-TransportParameters
  }
  Gost28147-89-EncryptedKey ::=
      SEQUENCE {
          encryptedKey Gost28147-89-Key,
          macKey Gost28147-89-MAC
  }
  GostR3410-TransportParameters ::=
      SEQUENCE {
          encryptionParamSet OBJECT IDENTIFIER,
          ephemeralPublicKey [0] IMPLICIT SubjectPublicKeyInfo,
          ukm OCTET STRING
  }


   The Gost28147-89-EncryptedKey.encryptedKey value contains CEK_ENC
   value, the Gost28147-89-EncryptedKey.macKey contains CEK_MAC, and
   GostR3410-TransportParameters.ukm contains the UKM value.




Smyshlyaev, et al.       Expires April 20, 2019                [Page 13]


Internet-Draft       GOST Cipher Suites for TLS 1.2         October 2018


   There MUST be a keyBlob.transportParameters.ephemeralPublicKey field
   containing the client ephemeral public key Q_eph.

   After receiving ClientKeyExchange message server process it as
   follows

   o  Checks the next four conditions fulfilling and terminates the
      connection with fatal error if not.

      1.  Q_eph is on the same curve as server public key;

      2.  Q_eph is not equal to zero point;

      3.  q * Q_eph is not equal to zero point;

      4.  Checks if UKM = HASH(r_C | r_S).

   o  Generates the key KEK using the VKO function.

         KEK = VKO(k_S, Q_eph, UKM).

   o  Generates the diversified key KEK(UKM) using the function
      CryptoPro KEK Diversification Algorithm defined in [RFC4357]

   o  Extracts the common secret PS from the export representation:

         Decrypt CEK_ENC in ECB mode using KEK(UKM).  Call the result
         CEK.

         Compute a 4-byte MAC value, gost28147IMIT (UKM, KEK(UKM), CEK).
         If the result is not equal to CEK_MAC return a fault value.

4.2.4.  CertificateVerify

   The TLS CertificateVerify message is extended as follows.


   struct {
       SignatureAndHashAlgorithm algorithm;
       opaque signature<0..2^16-1>;
   } CertificateVerify;


   where SignatureAndHashAlgorithm structure is specified in
   Section 4.2.1.1.

   The CertificateVerify.signature field is specified as follows.




Smyshlyaev, et al.       Expires April 20, 2019                [Page 14]


Internet-Draft       GOST Cipher Suites for TLS 1.2         October 2018


CertificateVerify.signature = SIGN_{k_C}(handshake_messages) = str_l(r) | str_l(s)


   where SIGN_{k_C} is the GOST R 34.10-2012 [GOST3410-2012] signature
   algorithm, k_C is a client long-term private key that corresponds to
   the client long-term public key Q_C from the client's certificate, l
   = 32 for gostr34102012_256 signature algorithm and l = 64 for
   gostr34102012_512 signature algorithm.

4.2.5.  Finished

   The TLS Finished message is specified as follows.


   struct {
       opaque verify_data[verify_data_length];
   } Finished;

   verify_data
       PRF(master_secret, finished_label, Hash(handshake_messages))
       [0..verify_data_length-1];


   where the verify_data_length value is equal to 32.

4.3.  Cryptographic Algorithms

4.3.1.  Block Cipher

   The cipher suite TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC MUST
   use Kuznyechik [RFC7801] as a base block cipher for the encryption
   and MAC algorithm.  The block length for this suite is 16 bytes and
   the key length is 32 bytes.  The cipher suite
   TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC MUST use Magma
   [GOST3412-2015] as a base block cipher for the encryption and MAC
   algorithm.  The block length for this suite is 8 bytes and the key
   length is 32 bytes.

   The cipher suite TLS_GOSTR341112_256_WITH_28147_CNT_IMIT MUST use
   GOST 28147-89 as a base block cipher [RFC5830] with the set of
   parameters id-tc26-gost-28147-param-Z defined in [RFC7836].  The
   block length for this suite is 8 bytes and the key length is 32
   bytes.








Smyshlyaev, et al.       Expires April 20, 2019                [Page 15]


Internet-Draft       GOST Cipher Suites for TLS 1.2         October 2018


4.3.2.  MAC

   The CTR_OMAC cipher suites use the OMAC message authentication code
   construction defined in [GOST3413-2015], which can be considered as
   the CMAC mode defined in [CMAC] where Kuznyechik or Magma block
   cipher (see Section 4.3.1) are used instead of AES block cipher (see
   [IK2003] for more detail) as the MAC function.  The resulting MAC
   length is equal to the block length and the MAC key length is 32
   bytes.

   The CNT_IMIT cipher suite uses the message authentication code
   function gostIMIT28147 defined in Section 5.4 with the initialization
   vector IV = IV0, where IV0 in B_8 is a string of all zeros, with the
   CryptoPro Key Meshing algorithm defined in [RFC4357].  The resulting
   MAC length is 8 bytes and the MAC key length is 32 bytes.

4.3.3.  Encryption Algorithm

   The CTR_OMAC cipher suites use the block cipher in CTR-ACPKM
   encryption mode defined in [DraftRekeying] as the ENC encryption
   algorithm.  The section size N is 4 KB for
   TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC cipher suite and 1 KB
   for TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC cipher suite.  The
   initial counter nonce is defined as in Section 4.1.

   The CNT_IMIT cipher suite uses use the block cipher in counter
   encryption mode (CNT) defined in Section 6 of [RFC5830] with the
   CryptoPro Key Meshing algorithm defined in [RFC4357] as the ENC
   encryption algorithm.

4.3.4.  SNMAX

   The SNMAX parameter defines the maximal amount of messages that can
   be send during one TLS 1.2 connection.  For
   TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC cipher suite this amount
   is 2^64 - 1 messages and for TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC
   is 2^32 - 1 messages.

4.3.5.  PRF and HASH

   The pseudorandom function (PRF) for all the cipher suites defined in
   this document is the PRF_TLS_GOSTR3411_2012_256 function described in
   [RFC7836].

   The hash function Hash for all the cipher suites defined in this
   document is the GOST R 34.11-2012 [GOST3411-2012] hash algorithm with
   32-byte (256-bit) hash code.




Smyshlyaev, et al.       Expires April 20, 2019                [Page 16]


Internet-Draft       GOST Cipher Suites for TLS 1.2         October 2018


5.  Additional Algorithms

5.1.  TLSTREE

   The TLSTREE function is defined as follows:

      TLSTREE(K_root, i) = KDF_3(KDF_2(KDF_1(K_root, Vec(i & C_1)),
      Vec(i & C_2)), Vec(i & C_2)),

   where

   o  K_root in B_32;

   o  i in {0, 1, ... , 2^64 - 1};

   o  C_1, C_2, C_3 are constants defined by the particular cipher suite
      (see Section 5.1.1);

   o  KDF_j(K, D), j = 1, 2, 3, K in B_32, D in B_8, is the key
      derivation functions based on the KDF_GOSTR3411_2012_256 function
      defined in [RFC7836]:

      KDF_1(K, D) = KDF_GOSTR3411_2012_256(K, "level1", D);
      KDF_2(K, D) = KDF_GOSTR3411_2012_256(K, "level2", D);
      KDF_3(K, D) = KDF_GOSTR3411_2012_256(K, "level3", D).


5.1.1.  Key Tree Parameters

   The CTR_OMAC cipher suites use the TLSTREE function for the re-keying
   approach.  The constants for it are defined as in the table below.


                           Key tree constants
+---------------------------------------------+------------------------+
|               CipherSuites                  |     C_1, C_2, C_3      |
+---------------------------------------------+------------------------+
|TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC | C_1=0xFFFFFFFF00000000 |
|                                             | C_2=0xFFFFFFFFFFF80000 |
|                                             | C_3=0xFFFFFFFFFFFFFFC0 |
+---------------------------------------------+------------------------+
|TLS_GOSTR341112_256_WITH__MAGMA_CTR_OMAC     | C_1=0xFFFFFFC000000000 |
|                                             | C_2=0xFFFFFFFFFE000000 |
|                                             | C_3=0xFFFFFFFFFFFFF000 |
+---------------------------------------------+------------------------+






Smyshlyaev, et al.       Expires April 20, 2019                [Page 17]


Internet-Draft       GOST Cipher Suites for TLS 1.2         October 2018


5.2.  KExp15 and KImp15 Algorithms

   Algorithms KExp15 and KImp15 are keywrap algorithms that provide
   confidentiality and integrity of keys.  These algorithms use the
   block cipher defined by the particular cipher suite.

   The inputs of Kexp15 key export algorithm are

   o  key K in V*;

   o  MAC key K^Exp_MAC in B_k;

   o  encryption key K^Exp_ENC in B_k;

   o  IV value in B_{n/2}.

   The keys K^Exp_MAC and K^Exp_ENC MUST be independent.  The export
   representation of the key K is computed as follows

   o  Compute the MAC value of n byte length:
      KEYMAC = OMAC(K^Exp_MAC, IV | K),
      where OMAC(K, M) is a MAC function defined in Section 4.3.2.

   o  Compute the KEXP value:
      KEXP = encKey | encKeyMac = CTR(K^Exp_ENC, IV, KEYMAC),
      where |encKey| = |K|, |encKeyMAC| = |KEYMAC|, CTR(K, IV, M) is the
      counter encryption mode CTR defined in [GOST3413-2015] where s = n
      which can be considered as the CTR mode defined in [MODES].

   o  The export representation of key K is the result of the Kexp15
      algorithm and is defined as
      KExp15(K, K^Exp_MAC, K^Exp_ENC, IV) = KEXP.

   The import of key K via KImp15 algorithm is restoring the key K from
   export representation KEXP with keys K^Exp_MAC and K^Exp_ENC from B_k
   and value IV from B_{n/2}. This is performed as follows

   o  The string KEXP is decrypted on the key K^Exp_ENC with counter
      encryption mode CTR.  The result of this operation is the string
      K|KEYMAC.

   o  Compute the MAC value of n byte length:
      KEYMAC' = OMAC(K^Exp_MAC, IV | K).

   o  If KEYMAC is not equal to KEYMAC' return a fault value.

   o  Otherwise the result of the KImp15 algorithm is defined as
      KImp15(KEXP, K^KExp_MAC, K^KExp_ENC, IV) and is equal to string K.



Smyshlyaev, et al.       Expires April 20, 2019                [Page 18]


Internet-Draft       GOST Cipher Suites for TLS 1.2         October 2018


   For every pair of keys (K^Exp_ENC, K^Exp_MAC) the IV values MUST be
   unique.  For the import of key K with the KImp15 algorithm every IV
   value MUST be sent with the export key representation or be a
   preshared value.

5.3.  KEG Algorithm

   The KEG algorithm of export key generation takes on input private key
   d, public key Q and string h from B_32.  Then it returns the string
   from B_64.

   The KEG algorithm is defined by two distinct ways depending on the
   private key length.

   If the length of private key d is 64 bytes the KEG algorithm is
   defined as follows:

   KEG(d, Q, h) = VKO_512(d, Q, UKM),

   where VKO_512 is the VKO_GOSTR3410_2012_512 function defined in
   [RFC7836] and the UKM parameter is equal to r = INT_32(h[1..16]) if r
   is not equal to 0 and is equal to 1 otherwise.

   If the length of private key d is 32 bytes the KEG algorithm is
   defined as follows:

   KEG(d, Q, h) = KDFTREE_256(K_EXP, "kdf tree", seed, 1),

   where KDFTREE_256 is the KDF_TREE_GOSTR3411_2012_256 function defined
   in [RFC7836] and the parameters K_EXP and seed are defined as

      K_EXP = VKO_256(d, Q, UKM);

      UKM is equal to r if r is not equal to 0 and is equal to 1
      otherwise;

      r = INT_32(h[1..16]);

      seed = h[17..24],

   where VKO_256 is the function VKO_GOSTR3410_2012_256 defined in
   [RFC7836].

5.4.  gostIMIT28147

   gost28147IMIT (IV, K, M) IV in B_8, K in B_32, M in B* is a MAC
   computation algorithm with 4 bytes output that proceed as follow




Smyshlyaev, et al.       Expires April 20, 2019                [Page 19]


Internet-Draft       GOST Cipher Suites for TLS 1.2         October 2018


   1.  Divide M into 8 byte blocks: M = M_0 | M_1 | ... | M_r.

   2.  Let M' = M_0 (xor) IV | M_1 | M_2 | ... | M_r.

   3.  Compute MAC value with 4 byte length with algorithm described in
       [RFC5830] using K as key and M' as input.

   4.  The result of MAC computation is the result of gost28147IMIT (IV,
       K, M) algorithm.

6.  IANA Considerations

   IANA has added the following entries in the TLS Cipher Suite
   Registry: TODO

7.  Security Considerations

8.  References

8.1.  Normative References

   [DraftRekeying]
              Smyshlyaev, S., "Re-keying Mechanisms for Symmetric Keys",
              2018, <https://tools.ietf.org/html/
              draft-irtf-cfrg-re-keying-12>.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC4357]  Popov, V., Kurepkin, I., and S. Leontiev, "Additional
              Cryptographic Algorithms for Use with GOST 28147-89, GOST
              R 34.10-94, GOST R 34.10-2001, and GOST R 34.11-94
              Algorithms", RFC 4357, DOI 10.17487/RFC4357, January 2006,
              <https://www.rfc-editor.org/info/rfc4357>.

   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.2", RFC 5246,
              DOI 10.17487/RFC5246, August 2008,
              <https://www.rfc-editor.org/info/rfc5246>.

   [RFC5746]  Rescorla, E., Ray, M., Dispensa, S., and N. Oskov,
              "Transport Layer Security (TLS) Renegotiation Indication
              Extension", RFC 5746, DOI 10.17487/RFC5746, February 2010,
              <https://www.rfc-editor.org/info/rfc5746>.





Smyshlyaev, et al.       Expires April 20, 2019                [Page 20]


Internet-Draft       GOST Cipher Suites for TLS 1.2         October 2018


   [RFC5830]  Dolmatov, V., Ed., "GOST 28147-89: Encryption, Decryption,
              and Message Authentication Code (MAC) Algorithms",
              RFC 5830, DOI 10.17487/RFC5830, March 2010,
              <https://www.rfc-editor.org/info/rfc5830>.

   [RFC6986]  Dolmatov, V., Ed. and A. Degtyarev, "GOST R 34.11-2012:
              Hash Function", RFC 6986, DOI 10.17487/RFC6986, August
              2013, <https://www.rfc-editor.org/info/rfc6986>.

   [RFC7091]  Dolmatov, V., Ed. and A. Degtyarev, "GOST R 34.10-2012:
              Digital Signature Algorithm", RFC 7091,
              DOI 10.17487/RFC7091, December 2013,
              <https://www.rfc-editor.org/info/rfc7091>.

   [RFC7627]  Bhargavan, K., Ed., Delignat-Lavaud, A., Pironti, A.,
              Langley, A., and M. Ray, "Transport Layer Security (TLS)
              Session Hash and Extended Master Secret Extension",
              RFC 7627, DOI 10.17487/RFC7627, September 2015,
              <https://www.rfc-editor.org/info/rfc7627>.

   [RFC7801]  Dolmatov, V., Ed., "GOST R 34.12-2015: Block Cipher
              "Kuznyechik"", RFC 7801, DOI 10.17487/RFC7801, March 2016,
              <https://www.rfc-editor.org/info/rfc7801>.

   [RFC7836]  Smyshlyaev, S., Ed., Alekseev, E., Oshkin, I., Popov, V.,
              Leontiev, S., Podobaev, V., and D. Belyavsky, "Guidelines
              on the Cryptographic Algorithms to Accompany the Usage of
              Standards GOST R 34.10-2012 and GOST R 34.11-2012",
              RFC 7836, DOI 10.17487/RFC7836, March 2016,
              <https://www.rfc-editor.org/info/rfc7836>.

8.2.  Informative References

   [CMAC]     Dworkin, M., "Recommendation for Block Cipher Modes of
              Operation: the CMAC Mode for Authentication", NIST Special
              Publication 800-38B, 2005.

   [GOST28147-89]
              Government Committee of the USSR for Standards,
              "Cryptographic Protection for Data Processing System,
              Gosudarstvennyi Standard of USSR (In Russian)",
              GOST 28147-89, 1989.

   [GOST3410-2012]
              Federal Agency on Technical Regulating and Metrology,
              "Information technology. Cryptographic data security.
              Signature and verification processes of [electronic]
              digital signature", GOST R 34.10-2012, 2012.



Smyshlyaev, et al.       Expires April 20, 2019                [Page 21]


Internet-Draft       GOST Cipher Suites for TLS 1.2         October 2018


   [GOST3411-2012]
              Federal Agency on Technical Regulating and Metrology,
              "Information technology. Cryptographic Data Security.
              Hashing function", GOST R 34.11-2012, 2012.

   [GOST3412-2015]
              Federal Agency on Technical Regulating and Metrology,
              "Information technology. Cryptographic data security.
              Block ciphers", GOST R 34.12-2015, 2015.

   [GOST3413-2015]
              Federal Agency on Technical Regulating and Metrology,
              "Information technology. Cryptographic data security.
              Modes of operation for block ciphers", GOST R 34.13-2015,
              2015.

   [IK2003]   Iwata T., Kurosawa K. (2003), "OMAC: One-Key CBC MAC.",
              FSE 2003. Lecture Notes in Computer Science,  vol 2887.
              Springer, Berlin, Heidelberg, 2003.

   [MODES]    Dworkin, M., "Recommendation for Block Cipher Modes of
              Operation: Methods and Techniques", NIST Special
              Publication  800-38A, December 2001.

Appendix A.  Test Examples

A.1.  Test Examples for CTR_OMAC cipher suites

A.1.1.  TLSTREE Examples

A.1.1.1.  TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC ciphersuite


          TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC
       ***********************************************
       Root Key K_root:
       00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A
       11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00

       seqnum = 0
       First level key from Divers_1:
       F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1
       39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42

       Second level key from Divers_2:
       51 37 D5 C4 A6 E6 BE 42 C4 40 D1 0A 95 EE A0 7F
       08 9E 74 0D 38 90 EB 52 65 2C 0C B9 3F 20 7B B4




Smyshlyaev, et al.       Expires April 20, 2019                [Page 22]


Internet-Draft       GOST Cipher Suites for TLS 1.2         October 2018


       The resulting key from Divers 3:
       19 A7 6E D3 0F 4D 6D 1F 5B 72 63 EC 49 1A D8 38
       17 C0 B5 7D 8A 03 56 12 71 40 FB 4F 74 25 49 4D

       seqnum = 4095
       First level key from Divers_1:
       F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1
       39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42

       Second level key from Divers_2:
       51 37 D5 C4 A6 E6 BE 42 C4 40 D1 0A 95 EE A0 7F
       08 9E 74 0D 38 90 EB 52 65 2C 0C B9 3F 20 7B B4

       The resulting key from Divers 3:
       19 A7 6E D3 0F 4D 6D 1F 5B 72 63 EC 49 1A D8 38
       17 C0 B5 7D 8A 03 56 12 71 40 FB 4F 74 25 49 4D

       seqnum = 4096
       First level key from Divers_1:
       F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1
       39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42

       Second level key from Divers_2:
       51 37 D5 C4 A6 E6 BE 42 C4 40 D1 0A 95 EE A0 7F
       08 9E 74 0D 38 90 EB 52 65 2C 0C B9 3F 20 7B B4

       The resulting key from Divers 3:
       FB 30 EE 53 CF CF 89 D7 48 FC 0C 72 EF 16 0B 8B
       53 CB BB FD 03 12 82 B0 26 21 4A B2 E0 77 58 FF

       seqnum = 33554431
       First level key from Divers_1:
       F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1
       39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42

       Second level key from Divers_2:
       51 37 D5 C4 A6 E6 BE 42 C4 40 D1 0A 95 EE A0 7F
       08 9E 74 0D 38 90 EB 52 65 2C 0C B9 3F 20 7B B4

       The resulting key from Divers 3:
       B8 5B 36 DC 22 82 32 6B C0 35 C5 72 DC 93 F1 8D
       83 AA 01 74 F3 94 20 9A 51 3B B3 74 DC 09 35 AE

       seqnum = 33554432
       First level key from Divers_1:
       F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1
       39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42




Smyshlyaev, et al.       Expires April 20, 2019                [Page 23]


Internet-Draft       GOST Cipher Suites for TLS 1.2         October 2018


       Second level key from Divers_2:
       3F EA 59 38 DA 2B F8 DD C4 7E C1 DC 55 61 89 66
       79 02 BE 42 0D F4 C3 7D AF 21 75 3B CB 1D C7 F3

       The resulting key from Divers 3:
       0F D7 C0 9E FD F8 E8 15 73 EE CC F8 6E 4B 95 E3
       AF 7F 34 DA B1 17 7C FD 7D B9 7B 6D A9 06 40 8A

       seqnum = 274877906943
       First level key from Divers_1:
       F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1
       39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42

       Second level key from Divers_2:
       AB F3 A5 37 98 3A 1B 98 40 06 6D E6 8A 49 BF 25
       97 7E E5 C3 F5 2D 33 3E 3C 22 0F 1D 15 C5 08 93

       The resulting key from Divers 3:
       48 0F 99 72 BA F2 5D 4C 36 9A 96 AF 91 BC A4 55
       3F 79 D8 F0 C5 61 8B 19 FD 44 CF DC 57 FA 37 33

       seqnum = 274877906944
       First level key from Divers_1:
       15 60 0D 9E 8F A6 85 54 CF 15 2D C7 4F BC 42 51
       17 B0 3E 09 76 BB 28 EA 98 24 C3 B7 0F 28 CB D8

       Second level key from Divers_2:
       6C C2 8E B0 93 24 72 12 5C 7A D3 F8 09 73 B3 C8
       C4 13 7D A5 73 BC 17 1A 24 ED D4 A3 71 F1 F8 73

       The resulting key from Divers 3:
       25 28 C1 C6 A8 F0 92 7B F2 BE 27 BB 78 D2 7F 21
       46 D6 55 93 B0 C7 17 3A 06 CB 9D 88 DF 92 32 65



A.1.1.2.  TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC ciphersuite


          TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC
         ***********************************************
         Root Key K_root:
         00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A
         11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00

         seqnum = 0
         First level key from Divers_1:
         F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1



Smyshlyaev, et al.       Expires April 20, 2019                [Page 24]


Internet-Draft       GOST Cipher Suites for TLS 1.2         October 2018


         39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42

         Second level key from Divers_2:
         51 37 D5 C4 A6 E6 BE 42 C4 40 D1 0A 95 EE A0 7F
         08 9E 74 0D 38 90 EB 52 65 2C 0C B9 3F 20 7B B4

         The resulting key from Divers 3:
         19 A7 6E D3 0F 4D 6D 1F 5B 72 63 EC 49 1A D8 38
         17 C0 B5 7D 8A 03 56 12 71 40 FB 4F 74 25 49 4D

         seqnum = 63
         First level key from Divers_1:
         F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1
         39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42

         Second level key from Divers_2:
         51 37 D5 C4 A6 E6 BE 42 C4 40 D1 0A 95 EE A0 7F
         08 9E 74 0D 38 90 EB 52 65 2C 0C B9 3F 20 7B B4

         The resulting key from Divers 3:
         19 A7 6E D3 0F 4D 6D 1F 5B 72 63 EC 49 1A D8 38
         17 C0 B5 7D 8A 03 56 12 71 40 FB 4F 74 25 49 4D

         seqnum = 64
         First level key from Divers_1:
         F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1
         39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42

         Second level key from Divers_2:
         51 37 D5 C4 A6 E6 BE 42 C4 40 D1 0A 95 EE A0 7F
         08 9E 74 0D 38 90 EB 52 65 2C 0C B9 3F 20 7B B4

         The resulting key from Divers 3:
         AE BE 1E F4 18 71 3B F0 44 B9 FC D9 E5 72 D4 37
         FB 38 B5 D8 29 56 7A 6F 79 18 39 6D 9F 4E 09 6B

         seqnum = 524287
         First level key from Divers_1:
         F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1
         39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42

         Second level key from Divers_2:
         51 37 D5 C4 A6 E6 BE 42 C4 40 D1 0A 95 EE A0 7F
         08 9E 74 0D 38 90 EB 52 65 2C 0C B9 3F 20 7B B4

         The resulting key from Divers 3:
         6F 18 D4 00 3E A2 CB 30 F5 FE C1 93 A2 34 F0 7D
         7C 43 94 98 7F 50 75 8D E2 2B 22 0D 8A 10 51 06



Smyshlyaev, et al.       Expires April 20, 2019                [Page 25]


Internet-Draft       GOST Cipher Suites for TLS 1.2         October 2018


         seqnum = 524288
         First level key from Divers_1:
         F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1
         39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42

         Second level key from Divers_2:
         F6 59 EB 85 EE BD 2A 8D CC 1B B3 F7 C6 00 57 FF
         6D 33 B6 0F 74 65 DD 42 B5 11 2C F3 A6 B1 AB 66

         The resulting key from Divers 3:
         E5 4B 16 41 5B 3B 66 3E 78 0B 06 2D 24 F7 36 C4
         49 54 63 C3 A8 91 E1 FA 46 F7 AE 99 FF F9 F3 78

         seqnum = 4294967295
         First level key from Divers_1:
         F3 55 89 F0 9B F8 01 B1 CA 11 42 73 B9 5F D6 C1
         39 2E 78 F9 FB 81 4D A0 5A 7C CA 08 9E C8 65 42

         Second level key from Divers_2:
         F4 BC 10 1A BB 68 86 2A 8C E3 1E A0 0D DF A7 FE
         B8 29 10 F1 24 F4 B1 E2 9E A8 3B E0 06 C2 26 8D

         The resulting key from Divers 3:
         CF 60 09 04 C7 1E 7B 88 A4 9A C8 E2 45 77 4B 3D
         BE ED FB 81 DE 9A 0E 2F 4E 46 C3 56 07 BC 2F 04

         seqnum = 4294967296
         First level key from Divers_1:
         55 CC 95 E0 D1 FB 54 85 AF 8E F6 9A CD 72 B2 32
         79 7C D2 E8 5D 86 CD FD 1D E5 5B D1 FA 14 37 78

         Second level key from Divers_2:
         72 16 91 E1 01 C4 28 96 A6 40 AE 18 3F BB 44 5B
         76 37 9C 57 E1 FD 8A 7D 49 A6 23 E4 23 8C 0E 1D

         The resulting key from Divers 3:
         16 18 0B 24 64 54 00 B8 36 14 38 37 D8 6A AC 93
         95 2A E3 EB 82 44 D5 EC 2A B0 2C FF 30 78 11 38



A.1.2.  Record Examples

A.1.2.1.  TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC ciphersuite


   TLS_GOSTR341112_256_WITH__MAGMA_CTR_OMAC
   ********************************************************



Smyshlyaev, et al.       Expires April 20, 2019                [Page 26]


Internet-Draft       GOST Cipher Suites for TLS 1.2         October 2018


   It is assumed that during Handshake following keys were established:

   - MAC key:
   00000:   00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A
   00010:   11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00
   - Encryption key:
   00000:   22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11
   00010:   33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22
   - IV:
   00000:   00 00 00 00
   ---------------------------------------------------------
   seqnum = 0

   Application data:
   00000:   00 00 00 00 00 00 00

   TLSPlaintext:
   00000:   17 03 03 00 07 00 00 00 00 00 00 00

   K_MAC_0:
   00000:   19 A7 6E D3 0F 4D 6D 1F 5B 72 63 EC 49 1A D8 38
   00010:   17 C0 B5 7D 8A 03 56 12 71 40 FB 4F 74 25 49 4D

   MAC value:
   00000:   F3 3E B6 89 6F EC E2 86

   K_ENC_0:
   00000:   58 AF BE 9A 4C 31 98 AA AB AA 26 92 C4 19 F1 79
   00010:   7C 9B 92 DE B3 CC 74 46 B3 63 57 71 13 F0 FB 56

   IV_0:
   00000:   00 00 00 00

   TLSCiphertext:
   00000:   17 03 03 00 0F 9B 42 0D A8 6F AF 36 7F 05 14 43
   00010:   CE 9C 10 72
   ---------------------------------------------------------
   seqnum = 4095

   Application data:
   00000:   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00010:   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00020:   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   . . .
   003D0:   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   003E0:   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   003F0:   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00




Smyshlyaev, et al.       Expires April 20, 2019                [Page 27]


Internet-Draft       GOST Cipher Suites for TLS 1.2         October 2018


   TLSPlaintext:
   00000:   17 03 03 04 00 00 00 00 00 00 00 00 00 00 00 00
   00010:   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00020:   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   . . .
   003D0:   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   003E0:   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   003F0:   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00400:   00 00 00 00 00

   K_MAC_4095:
   00000:   19 A7 6E D3 0F 4D 6D 1F 5B 72 63 EC 49 1A D8 38
   00010:   17 C0 B5 7D 8A 03 56 12 71 40 FB 4F 74 25 49 4D

   MAC value:
   00000:   58 D3 BB 60 8F BC 98 B8

   K_ENC_4095:
   00000:   58 AF BE 9A 4C 31 98 AA AB AA 26 92 C4 19 F1 79
   00010:   7C 9B 92 DE B3 CC 74 46 B3 63 57 71 13 F0 FB 56

   IV_4095:
   00000:   00 00 0F FF

   TLSCiphertext:
   00000:   17 03 03 04 08 B7 11 43 8B 16 20 1F 3C 49 33 95
   00010:   21 C9 C8 CA 75 66 D4 C2 0F D3 3E 58 1F 80 07 DC
   00020:   76 04 3E 2B 35 C8 E8 4B B2 55 08 27 66 13 59 6F
   . . .
   003D0:   E7 77 70 BF 45 17 E1 F8 DD 1B 2C 05 64 AD 68 FC
   003E0:   4A 88 9A 48 B8 B1 FF 0E A4 E1 BB 70 4D 56 A4 75
   003F0:   2F 51 A5 82 CC 54 1A 80 8F 8C 8B 62 97 68 88 C8
   00400:   10 59 DE 41 27 63 A3 E0 99 9A CD DA 77

   ---------------------------------------------------------
   seqnum = 4096

   Application data:
   00000:   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00010:   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00020:   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   . . .
   007D0:   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   007E0:   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   007F0:   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

   TLSPlaintext:
   00000:   17 03 03 08 00 00 00 00 00 00 00 00 00 00 00 00



Smyshlyaev, et al.       Expires April 20, 2019                [Page 28]


Internet-Draft       GOST Cipher Suites for TLS 1.2         October 2018


   00010:   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00020:   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   . . .
   007D0:   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   007E0:   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   007F0:   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00800:   00 00 00 00 00

   K_MAC_4096:
   00000:   FB 30 EE 53 CF CF 89 D7 48 FC 0C 72 EF 16 0B 8B
   00010:   53 CB BB FD 03 12 82 B0 26 21 4A B2 E0 77 58 FF

   MAC value:
   00000:   50 55 A2 6A BE 19 63 81

   K_ENC_4096:
   00000:   ED F2 FD 02 47 71 60 23 83 09 00 2D 1D 57 DF 9F
   00010:   D2 ED 18 D6 45 66 C7 6F 4B F0 3D 3A BF 7B BB 1E

   IV_4096:
   00000:   00 00 10 00

   TLSCiphertext:
   00000:   17 03 03 08 08 99 95 26 07 03 47 1D ED A2 E6 55
   00010:   B6 B3 93 83 5E 33 8B 1E D0 0E DD 22 47 A2 FB 88
   00020:   FB B7 A8 94 80 62 08 8A F3 2C AE B6 AA 2C 4F 2A
   . . .
   007D0:   7F 0B 24 61 E7 5F E1 06 34 B8 4D C5 70 35 72 5A
   007E0:   CA 4F 0C BC A9 B0 6C B9 F7 6F BD 2F 80 46 2B 8D
   007F0:   77 5E BD 41 6F 63 41 39 AC 89 C2 ED 3D F1 9F E2
   00800:   4E F8 C0 5A A8 90 93 1B 01 86 FD 7D DF



A.1.2.2.  TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC ciphersuite


   TLS_GOSTR341112_256_WITH__KUZNYECHIK_CTR_OMAC
   ***********************************************
   It is assumed that during Handshake following keys were established:

   - MAC key:
   00000:   00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A
   00010:   11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00
   - Encryption key:
   00000:   22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11
   00010:   33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11 22
   - IV:



Smyshlyaev, et al.       Expires April 20, 2019                [Page 29]


Internet-Draft       GOST Cipher Suites for TLS 1.2         October 2018


   00000:   00 00 00 00 00 00 00 00

   ---------------------------------------------------------
   seqnum = 0

   Application data:
   00000:   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

   TLSPlaintext:
   00000:   17 03 03 00 0F 00 00 00 00 00 00 00 00 00 00 00
   00010:   00 00 00 00

   K_MAC_0:
   00000:   19 A7 6E D3 0F 4D 6D 1F 5B 72 63 EC 49 1A D8 38
   00010:   17 C0 B5 7D 8A 03 56 12 71 40 FB 4F 74 25 49 4D

   MAC value:
   00000:   FD 17 19 DD 95 08 37 EB 7C 7B B8 F5 00 37 99 81

   K_ENC_0:
   00000:   58 AF BE 9A 4C 31 98 AA AB AA 26 92 C4 19 F1 79
   00010:   7C 9B 92 DE B3 CC 74 46 B3 63 57 71 13 F0 FB 56

   IV_0:
   00000:   00 00 00 00 00 00 00 00

   TLSCiphertext:
   00000:   17 03 03 00 1F 4D 1A 30 52 36 57 3B FF C1 4E 46
   00010:   DC BE 74 6D B6 C9 9A 17 5A 81 C4 71 1E 2F 84 C3
   00020:   92 C5 40 7C

   ---------------------------------------------------------
   seqnum = 63

   Application data:
   00000:   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00010:   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00020:   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   . . .
   00FD0:   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00FE0:   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00FF0:   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

   TLSPlaintext:
   00000:   17 03 03 10 00 00 00 00 00 00 00 00 00 00 00 00
   00010:   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00020:   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   . . .



Smyshlyaev, et al.       Expires April 20, 2019                [Page 30]


Internet-Draft       GOST Cipher Suites for TLS 1.2         October 2018


   00FD0:   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00FE0:   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00FF0:   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   01000:   00 00 00 00 00

   K_MAC_63:
   00000:   19 A7 6E D3 0F 4D 6D 1F 5B 72 63 EC 49 1A D8 38
   00010:   17 C0 B5 7D 8A 03 56 12 71 40 FB 4F 74 25 49 4D

   Mac value:
   00000:   98 46 27 61 D0 26 24 4A 2C 0B 7D 1B CC CB E7 B0

   K_ENC_63:
   00000:   58 AF BE 9A 4C 31 98 AA AB AA 26 92 C4 19 F1 79
   00010:   7C 9B 92 DE B3 CC 74 46 B3 63 57 71 13 F0 FB 56

   IV_63:
   00000:   00 00 00 00 00 00 00 3F

   TLSCiphertext:
   00000:   17 03 03 10 10 12 93 51 D2 6E 14 07 13 A2 1B 37
   00010:   68 24 A2 23 17 CD C0 D8 8E 01 CF A3 FE 21 41 5F
   00020:   5C 5E 05 86 9C CF 38 A5 1B C2 E0 ED 68 94 46 A8
   . . .
   00FE0:   19 AD 99 8C 06 25 21 E6 7B 63 59 A4 F5 C8 16 F9
   00FF0:   47 6B A7 13 26 82 BB A8 CE 0B ED AD 65 E4 20 A2
   01000:   97 B6 E2 C6 1F A4 06 D9 B8 CA 36 FD 9F CD 3A EE
   01010:   24 78 F4 D1 96

   ---------------------------------------------------------
   seqnum = 64

   Application data:
   00000:   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00010:   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00020:   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   . . .
   01FD0:   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   01FE0:   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   01FF0:   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

   TLSPlaintext:
   00000:   17 03 03 20 00 00 00 00 00 00 00 00 00 00 00 00
   00010:   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00020:   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   . . .
   01FD0:   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   01FE0:   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00



Smyshlyaev, et al.       Expires April 20, 2019                [Page 31]


Internet-Draft       GOST Cipher Suites for TLS 1.2         October 2018


   01FF0:   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   02000:   00 00 00 00 00

   K_MAC_64:
   00000:   AE BE 1E F4 18 71 3B F0 44 B9 FC D9 E5 72 D4 37
   00010:   FB 38 B5 D8 29 56 7A 6F 79 18 39 6D 9F 4E 09 6B

   Mac value:
   00000:   EA C3 97 87 84 2B 1D BD 60 80 CC 3F BF AE 5C 2F

   K_ENC_64:
   00000:   64 F5 5A FC 37 A1 74 D9 53 3E 70 8B CD 14 FA 4A
   00010:   EE C3 7B C0 E3 2B A4 99 01 B4 66 9E 96 A6 3D 96

   IV_64:
   00000:   00 00 00 00 00 00 00 40

   TLSCiphertext:
   00000:   17 03 03 20 10 E6 66 BB 98 AC 5B 0F 39 31 D8 55
   00010:   1B 93 36 85 96 EE F0 EB A8 26 9C B8 BD AA E7 EB
   00020:   80 C8 30 D7 5A B7 D4 6C 25 06 DC 8B 83 E1 F2 D3
   . . .
   01FE0:   B3 02 67 2C CB 02 86 CD 40 48 FB D5 38 1A 65 55
   01FF0:   26 11 25 51 01 4F A8 ED F5 C2 1B 7D 1D B3 9D 6B
   02000:   AD EC 0D 7C 07 05 34 8B 5C 55 6C 4D 50 81 69 1A
   02010:   A9 EC 36 F8 B5



A.1.3.  Handshake Examples

A.1.3.1.  TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC ciphersuite


   Server certificate curve OID:
   id-tc26-gost-3410-2012-256-paramSetB, "1.2.643.2.2.36.0"


   Server public key Q_s:
   x = 0xE823FFEB48C2A92D1AFDDB0BC7265699
         D35640ECC69AF3DC85E7C21960DD109A

   y = 0xC80CBACDAECF6F04631A03118E5D0B9E
         DEEEC7CBEAF765C4AB299447706FD6CA

   Server private key k_s:
   0x03495493ABCA61B3B65E158398455D70
     C22107DA5B68195BB65B99C01A0FD3C0



Smyshlyaev, et al.       Expires April 20, 2019                [Page 32]


Internet-Draft       GOST Cipher Suites for TLS 1.2         October 2018


   ---------------------------Client---------------------------

   ClientHello message:
   msg_type:                01
   length:                  000040
   body:
     client_version:
       major:               03
       minor:               03
     random:                933EA21EC3802A561550EC78D6ED51AC
                            2439D7E749C31BC3A3456165889684CA
     session_id:
       length:              00
       vector:              --
     cipher_suites:
       length:              0004
       vector:
         CipherSuite:       FF88
         CipherSuite:       FF89
     compression_methods:
       length:              01
       vector:
         CompressionMethod: 00
     extensions:
       length:              0013
         Extension: /* signature_algorithms */
           extension_type:  000D
           extension_data:
             length:        0006
             vector:
               supported_signature_algorithms:
                 length:    0004
                 vector:
                   /* 1 pair of algorithms */
                   hash:    EE
                   signature:
                            EE
                   /* 2 pair of algorithms */
                   hash:    EF
                   signature:
                            EF
         Extension: /* renegotiation_info */
           extension_type:  FF01
           extension_data:
             length:        0001
             vector:
               renegotiated_connection:
                 length:    00



Smyshlyaev, et al.       Expires April 20, 2019                [Page 33]


Internet-Draft       GOST Cipher Suites for TLS 1.2         October 2018


                 vector:    --
         Extension: /* extended_master_secret */
           extension_type:  0017
           extension_data:
             length:        0000
             vector:        --

   00000:   01 00 00 40 03 03 93 3E A2 1E C3 80 2A 56 15 50
   00010:   EC 78 D6 ED 51 AC 24 39 D7 E7 49 C3 1B C3 A3 45
   00020:   61 65 88 96 84 CA 00 00 04 FF 88 FF 89 01 00 00
   00030:   13 00 0D 00 06 00 04 EE EE EF EF FF 01 00 01 00
   00040:   00 17 00 00

   Record layer message:
   type:                    16
   version:
     major:                 03
     minor:                 03
   length:                  0044
   fragment:                010000400303933EA21EC3802A561550
                            EC78D6ED51AC2439D7E749C31BC3A345
                            6165889684CA000004FF88FF89010000
                            13000D00060004EEEEEFEFFF01000100
                            00170000


   00000:   16 03 03 00 44 01 00 00 40 03 03 93 3E A2 1E C3
   00010:   80 2A 56 15 50 EC 78 D6 ED 51 AC 24 39 D7 E7 49
   00020:   C3 1B C3 A3 45 61 65 88 96 84 CA 00 00 04 FF 88
   00030:   FF 89 01 00 00 13 00 0D 00 06 00 04 EE EE EF EF
   00040:   FF 01 00 01 00 00 17 00 00


   ---------------------------Server---------------------------

   ServerHello message:
   msg_type:                02
   length:                  000041
   body:
     client_version:
       major:               03
       minor:               03
     random:                933EA21E49C31BC3A3456165889684CA
                            A5576CE7924A24F58113808DBD9EF856
     session_id:
       length:              10
       vector:              C3802A561550EC78D6ED51AC2439D7E7
     cipher_suite:



Smyshlyaev, et al.       Expires April 20, 2019                [Page 34]


Internet-Draft       GOST Cipher Suites for TLS 1.2         October 2018


         CipherSuite:       FF88
     compression_method:
         CompressionMethod: 00
     extensions:
       length:              0009
         Extension: /* renegotiation_info */
           extension_type:  FF01
           extension_data:
             length:        0001
             vector:
               renegotiated_connection:
                 length:    00
                 vector:    --
         Extension: /* extended_master_secret */
           extension_type:  0017
           extension_data:
             length:        0000
             vector:        --

   00000:   02 00 00 41 03 03 93 3E A2 1E 49 C3 1B C3 A3 45
   00010:   61 65 88 96 84 CA A5 57 6C E7 92 4A 24 F5 81 13
   00020:   80 8D BD 9E F8 56 10 C3 80 2A 56 15 50 EC 78 D6
   00030:   ED 51 AC 24 39 D7 E7 FF 88 00 00 09 FF 01 00 01
   00040:   00 00 17 00 00

   Record layer message::
   type:                    16
   version:
     major:                 03
     minor:                 03
   length:                  0045
   fragment:                020000410303933EA21E49C31BC3A345
                            6165889684CAA5576CE7924A24F58113
                            808DBD9EF85610C3802A561550EC78D6
                            ED51AC2439D7E7FF88000009FF010001
                            0000170000

   00000:   16 03 03 00 45 02 00 00 41 03 03 93 3E A2 1E 49
   00010:   C3 1B C3 A3 45 61 65 88 96 84 CA A5 57 6C E7 92
   00020:   4A 24 F5 81 13 80 8D BD 9E F8 56 10 C3 80 2A 56
   00030:   15 50 EC 78 D6 ED 51 AC 24 39 D7 E7 FF 88 00 00
   00040:   09 FF 01 00 01 00 00 17 00 00


   ---------------------------Server---------------------------

   Certificate message:
   msg_type:                0B



Smyshlyaev, et al.       Expires April 20, 2019                [Page 35]


Internet-Draft       GOST Cipher Suites for TLS 1.2         October 2018


   length:                  0001C6
   body:
     certificate_list:
       length:              0001C3
       vector:
         ASN.1Cert:
           length:          0001C0
           vector:          308201BC30820169A003020102020101
                            300A06082A850307010103023042312C
                            302A06092A864886F70D010901161D74
                                          . . .
                            C24737BEB0FF7D291D391E4D79514AE2
                            8AC284F45169886F65B0080F53501EF7
                            06012FBF9396B9766911213C18ECE1FD

   00000:   0B 00 01 C6 00 01 C3 00 01 C0 30 82 01 BC 30 82
   00010:   01 69 A0 03 02 01 02 02 01 01 30 0A 06 08 2A 85
   00020:   03 07 01 01 03 02 30 42 31 2C 30 2A 06 09 2A 86
   00030:   48 86 F7 0D 01 09 01 16 1D 74 6C 73 31 32 5F 73
   00040:   65 72 76 65 72 32 35 36 41 40 63 72 79 70 74 6F
   00050:   70 72 6F 2E 72 75 31 12 30 10 06 03 55 04 03 13
   00060:   09 53 65 72 76 65 72 32 35 36 30 1E 17 0D 31 37
   00070:   30 35 32 35 30 39 32 32 34 37 5A 17 0D 33 30 30
   00080:   35 30 31 30 39 32 32 34 37 5A 30 42 31 2C 30 2A
   00090:   06 09 2A 86 48 86 F7 0D 01 09 01 16 1D 74 6C 73
   000A0:   31 32 5F 73 65 72 76 65 72 32 35 36 41 40 63 72
   000B0:   79 70 74 6F 70 72 6F 2E 72 75 31 12 30 10 06 03
   000C0:   55 04 03 13 09 53 65 72 76 65 72 32 35 36 30 66
   000D0:   30 1F 06 08 2A 85 03 07 01 01 01 01 30 13 06 07
   000E0:   2A 85 03 02 02 24 00 06 08 2A 85 03 07 01 01 02
   000F0:   02 03 43 00 04 40 9A 10 DD 60 19 C2 E7 85 DC F3
   00100:   9A C6 EC 40 56 D3 99 56 26 C7 0B DB FD 1A 2D A9
   00110:   C2 48 EB FF 23 E8 CA D6 6F 70 47 94 29 AB C4 65
   00120:   F7 EA CB C7 EE DE 9E 0B 5D 8E 11 03 1A 63 04 6F
   00130:   CF AE CD BA 0C C8 A3 43 30 41 30 1D 06 03 55 1D
   00140:   0E 04 16 04 14 68 AB F5 C4 EE D8 68 6E 9C 68 35
   00150:   22 EC 09 AA E9 D3 CF 30 10 30 0B 06 03 55 1D 0F
   00160:   04 04 03 02 03 28 30 13 06 03 55 1D 25 04 0C 30
   00170:   0A 06 08 2B 06 01 05 05 07 03 01 30 0A 06 08 2A
   00180:   85 03 07 01 01 03 02 03 41 00 88 2E 34 FB 75 8C
   00190:   FB BE 2C 42 34 14 C4 6A D4 31 C2 47 37 BE B0 FF
   001A0:   7D 29 1D 39 1E 4D 79 51 4A E2 8A C2 84 F4 51 69
   001B0:   88 6F 65 B0 08 0F 53 50 1E F7 06 01 2F BF 93 96
   001C0:   B9 76 69 11 21 3C 18 EC E1 FD

   Record layer message:
   type:                    16
   version:



Smyshlyaev, et al.       Expires April 20, 2019                [Page 36]


Internet-Draft       GOST Cipher Suites for TLS 1.2         October 2018


     major:                 03
     minor:                 03
   length:                  01CA
   fragment:                0B0001C60001C30001C0308201BC3082
                            0169A003020102020101300A06082A85
                            0307010103023042312C302A06092A86
                                          . . .
                            FBBE2C423414C46AD431C24737BEB0FF
                            7D291D391E4D79514AE28AC284F45169
                            886F65B0080F53501EF706012FBF9396
                            B9766911213C18ECE1FD

   00000:   16 03 03 01 CA 0B 00 01 C6 00 01 C3 00 01 C0 30
   00010:   82 01 BC 30 82 01 69 A0 03 02 01 02 02 01 01 30
   00020:   0A 06 08 2A 85 03 07 01 01 03 02 30 42 31 2C 30
   00030:   2A 06 09 2A 86 48 86 F7 0D 01 09 01 16 1D 74 6C
   00040:   73 31 32 5F 73 65 72 76 65 72 32 35 36 41 40 63
   00050:   72 79 70 74 6F 70 72 6F 2E 72 75 31 12 30 10 06
   00060:   03 55 04 03 13 09 53 65 72 76 65 72 32 35 36 30
   00070:   1E 17 0D 31 37 30 35 32 35 30 39 32 32 34 37 5A
   00080:   17 0D 33 30 30 35 30 31 30 39 32 32 34 37 5A 30
   00090:   42 31 2C 30 2A 06 09 2A 86 48 86 F7 0D 01 09 01
   000A0:   16 1D 74 6C 73 31 32 5F 73 65 72 76 65 72 32 35
   000B0:   36 41 40 63 72 79 70 74 6F 70 72 6F 2E 72 75 31
   000C0:   12 30 10 06 03 55 04 03 13 09 53 65 72 76 65 72
   000D0:   32 35 36 30 66 30 1F 06 08 2A 85 03 07 01 01 01
   000E0:   01 30 13 06 07 2A 85 03 02 02 24 00 06 08 2A 85
   000F0:   03 07 01 01 02 02 03 43 00 04 40 9A 10 DD 60 19
   00100:   C2 E7 85 DC F3 9A C6 EC 40 56 D3 99 56 26 C7 0B
   00110:   DB FD 1A 2D A9 C2 48 EB FF 23 E8 CA D6 6F 70 47
   00120:   94 29 AB C4 65 F7 EA CB C7 EE DE 9E 0B 5D 8E 11
   00130:   03 1A 63 04 6F CF AE CD BA 0C C8 A3 43 30 41 30
   00140:   1D 06 03 55 1D 0E 04 16 04 14 68 AB F5 C4 EE D8
   00150:   68 6E 9C 68 35 22 EC 09 AA E9 D3 CF 30 10 30 0B
   00160:   06 03 55 1D 0F 04 04 03 02 03 28 30 13 06 03 55
   00170:   1D 25 04 0C 30 0A 06 08 2B 06 01 05 05 07 03 01
   00180:   30 0A 06 08 2A 85 03 07 01 01 03 02 03 41 00 88
   00190:   2E 34 FB 75 8C FB BE 2C 42 34 14 C4 6A D4 31 C2
   001A0:   47 37 BE B0 FF 7D 29 1D 39 1E 4D 79 51 4A E2 8A
   001B0:   C2 84 F4 51 69 88 6F 65 B0 08 0F 53 50 1E F7 06
   001C0:   01 2F BF 93 96 B9 76 69 11 21 3C 18 EC E1 FD


   ---------------------------Server---------------------------

   ServerHelloDone message:
   msg_type:                0E
   length:                  000000



Smyshlyaev, et al.       Expires April 20, 2019                [Page 37]


Internet-Draft       GOST Cipher Suites for TLS 1.2         October 2018


   body:                    --

   00000:   0E 00 00 00

   Record layer message::
   type:                    16
   version:
     major:                 03
     minor:                 03
   length:                  0004
   fragment:                0E000000

   00000:   16 03 03 00 04 0E 00 00 00


   ---------------------------Client---------------------------

   PMS:
   00000:   A5 57 6C E7 92 4A 24 F5 81 13 80 8D BD 9E F8 56
   00010:   F5 BD C3 B1 83 CE 5D AD CA 36 A5 3A A0 77 65 1D

   Random k_EPH value:
   0xA5C77C7482373DE16CE4A6F73CCE7F78
     471493FF2C0709B8B706C9E8A25E6C1E

   Q_EPH ephemeral key:
   x = 0xA8F36D63D262A203978F1B3B6795CDBB
         F1AE7FB8EF7F47F1F18871C198E00793

   y = 0x34CA5D6B4485640EA195435993BEB1F8
         B016ED610496B5CC175AC2EA1F14F887

   HASH (r_C | r_S):
   00000:   C3 EF 04 28 D4 B7 A1 F4 C5 02 5F 2E 65 DD 2B 2E
   00010:   A5 83 AE EF DB 67 C7 F4 21 4A 6A 29 8E 99 E3 25

   Export key generation. r value:
   0xC3EF0428D4B7A1F4C5025F2E65DD2B2E

   Export key generation. UKM value:
   0xC3EF0428D4B7A1F4C5025F2E65DD2B2E

   Export keys K^Exp_MAC | K^Exp_ENC used in KExp15 algorithm:
   00000:   0E 01 38 D5 83 68 57 0B 89 F4 D2 50 71 5A E6 52
   00010:   B1 B6 D8 02 A0 60 D3 CD D7 75 C6 8C 5C 53 B9 98
   00020:   3B B7 27 99 3C D2 3A 3C 27 C1 B9 BB 44 E6 AF B7
   00030:   62 71 F9 7D 80 38 1F 3C B1 FF 6E 7E 93 B0 62 02




Smyshlyaev, et al.       Expires April 20, 2019                [Page 38]


Internet-Draft       GOST Cipher Suites for TLS 1.2         October 2018


   IV:
   00000:   21 4A 6A 29

   PMSEXP:
   00000:   9E C3 E0 76 C5 56 73 1E 3B 25 3B E5 8B 8F AD D4
   00010:   A9 0A 24 B3 42 F6 13 A5 E2 AC 13 CE 07 53 0A 00
   00020:   A9 8C 1E E2 A2 AF C0 E0


   ---------------------------Client---------------------------

   ClientKeyExchange message:
   msg_type:                10
   length:                  000095
   body:
     exchange_keys:         30819204289EC3E076C556731E3B253B
                            E58B8FADD4A90A24B342F613A5E2AC13
                            CE07530A00A98C1EE2A2AFC0E0306630
                                          . . .
                            EFB87FAEF1BBCD95673B1B8F9703A262
                            D2636DF3A887F8141FEAC25A17CCB596
                            0461ED16B0F8B1BE93594395A10E6485
                            446B5DCA34

   00000:   10 00 00 95 30 81 92 04 28 9E C3 E0 76 C5 56 73
   00010:   1E 3B 25 3B E5 8B 8F AD D4 A9 0A 24 B3 42 F6 13
   00020:   A5 E2 AC 13 CE 07 53 0A 00 A9 8C 1E E2 A2 AF C0
   00030:   E0 30 66 30 1F 06 08 2A 85 03 07 01 01 01 01 30
   00040:   13 06 07 2A 85 03 02 02 24 00 06 08 2A 85 03 07
   00050:   01 01 02 02 03 43 00 04 40 93 07 E0 98 C1 71 88
   00060:   F1 F1 47 7F EF B8 7F AE F1 BB CD 95 67 3B 1B 8F
   00070:   97 03 A2 62 D2 63 6D F3 A8 87 F8 14 1F EA C2 5A
   00080:   17 CC B5 96 04 61 ED 16 B0 F8 B1 BE 93 59 43 95
   00090:   A1 0E 64 85 44 6B 5D CA 34

   Record layer message:
   type:                    16
   version:
     major:                 03
     minor:                 03
   length:                  0099
   fragment:                1000009530819204289EC3E076C55673
                            1E3B253BE58B8FADD4A90A24B342F613
                            A5E2AC13CE07530A00A98C1EE2A2AFC0
                                          . . .
                            F1F1477FEFB87FAEF1BBCD95673B1B8F
                            9703A262D2636DF3A887F8141FEAC25A
                            17CCB5960461ED16B0F8B1BE93594395



Smyshlyaev, et al.       Expires April 20, 2019                [Page 39]


Internet-Draft       GOST Cipher Suites for TLS 1.2         October 2018


                            A10E6485446B5DCA34

   00000:   16 03 03 00 99 10 00 00 95 30 81 92 04 28 9E C3
   00010:   E0 76 C5 56 73 1E 3B 25 3B E5 8B 8F AD D4 A9 0A
   00020:   24 B3 42 F6 13 A5 E2 AC 13 CE 07 53 0A 00 A9 8C
   00030:   1E E2 A2 AF C0 E0 30 66 30 1F 06 08 2A 85 03 07
   00040:   01 01 01 01 30 13 06 07 2A 85 03 02 02 24 00 06
   00050:   08 2A 85 03 07 01 01 02 02 03 43 00 04 40 93 07
   00060:   E0 98 C1 71 88 F1 F1 47 7F EF B8 7F AE F1 BB CD
   00070:   95 67 3B 1B 8F 97 03 A2 62 D2 63 6D F3 A8 87 F8
   00080:   14 1F EA C2 5A 17 CC B5 96 04 61 ED 16 B0 F8 B1
   00090:   BE 93 59 43 95 A1 0E 64 85 44 6B 5D CA 34


   ---------------------------Server---------------------------

   PMSEXP extracted:
   00000:   9E C3 E0 76 C5 56 73 1E 3B 25 3B E5 8B 8F AD D4
   00010:   A9 0A 24 B3 42 F6 13 A5 E2 AC 13 CE 07 53 0A 00
   00020:   A9 8C 1E E2 A2 AF C0 E0

   HASH(r_C | r_S):
   00000:   C3 EF 04 28 D4 B7 A1 F4 C5 02 5F 2E 65 DD 2B 2E
   00010:   A5 83 AE EF DB 67 C7 F4 21 4A 6A 29 8E 99 E3 25

   Export key generation. r value:
   0xC3EF0428D4B7A1F4C5025F2E65DD2B2E

   Export key generation. UKM value:
   0xC3EF0428D4B7A1F4C5025F2E65DD2B2E

   Import keys K^Imp_MAC | K^Imp_ENC used in KImp15 algorithm:
   00000:   0E 01 38 D5 83 68 57 0B 89 F4 D2 50 71 5A E6 52
   00010:   B1 B6 D8 02 A0 60 D3 CD D7 75 C6 8C 5C 53 B9 98
   00020:   3B B7 27 99 3C D2 3A 3C 27 C1 B9 BB 44 E6 AF B7
   00030:   62 71 F9 7D 80 38 1F 3C B1 FF 6E 7E 93 B0 62 02

   IV:
   00000:   21 4A 6A 29

   PMS:
   00000:   A5 57 6C E7 92 4A 24 F5 81 13 80 8D BD 9E F8 56
   00010:   F5 BD C3 B1 83 CE 5D AD CA 36 A5 3A A0 77 65 1D


   ---------------------------Client---------------------------

   HASH(HM):



Smyshlyaev, et al.       Expires April 20, 2019                [Page 40]


Internet-Draft       GOST Cipher Suites for TLS 1.2         October 2018


   00000:   F7 90 79 19 83 24 FD 49 8D FE A7 10 56 46 DE 41
   00010:   DA 87 DC 0B 0A 91 71 A2 F9 7C 65 E7 EA DA 48 92

   MS:
   00000:   ED 28 A3 02 79 AC 3E 83 A7 E3 73 22 65 96 BA D8
   00010:   DD 7F 5E C5 FE 60 BB 2F 32 4C B0 14 7D F1 F3 51
   00020:   04 EB DB 85 04 53 5C E6 9A 96 68 8C BD FE A5 6D

   Client connection key material
   K_write_MAC|K_read_MAC|K_write_ENC|K_read_ENC|IV_write|IV_read:
   00000:   50 BB E5 17 CF 2A 6E 3A 15 04 F6 91 3C 07 2B 89
   00010:   17 17 46 89 86 9E CF A4 70 AC C2 C6 1C 1A 5B 4D
   00020:   11 03 A5 C1 E5 9F 18 7B 82 6C F0 26 D8 F0 21 35
   00030:   0B 44 48 F2 FC E5 0A 51 52 F5 43 2C 2F 25 24 FE
   00040:   1D FA 50 19 2E E1 69 BC 60 A6 24 A6 98 12 08 A7
   00050:   80 D1 F0 02 20 A1 CF B3 4B 0D 2E 71 7D BE 67 7A
   00060:   62 41 A1 0E 1A 10 49 53 97 00 6F AC BF 63 96 19
   00070:   22 7C 4C 03 0A E8 E5 3F C3 6E 43 A7 17 AF FE 60
   00080:   5F 23 58 29 21 BE FE 71


   ---------------------------Server---------------------------

   HASH(HM):
   00000:   F7 90 79 19 83 24 FD 49 8D FE A7 10 56 46 DE 41
   00010:   DA 87 DC 0B 0A 91 71 A2 F9 7C 65 E7 EA DA 48 92

   MS:
   00000:   ED 28 A3 02 79 AC 3E 83 A7 E3 73 22 65 96 BA D8
   00010:   DD 7F 5E C5 FE 60 BB 2F 32 4C B0 14 7D F1 F3 51
   00020:   04 EB DB 85 04 53 5C E6 9A 96 68 8C BD FE A5 6D

   Server connection key material
   K_read_MAC|K_write_MAC|K_read_ENC|K_write_ENC|IV_read|IV_write:
   00000:   50 BB E5 17 CF 2A 6E 3A 15 04 F6 91 3C 07 2B 89
   00010:   17 17 46 89 86 9E CF A4 70 AC C2 C6 1C 1A 5B 4D
   00020:   11 03 A5 C1 E5 9F 18 7B 82 6C F0 26 D8 F0 21 35
   00030:   0B 44 48 F2 FC E5 0A 51 52 F5 43 2C 2F 25 24 FE
   00040:   1D FA 50 19 2E E1 69 BC 60 A6 24 A6 98 12 08 A7
   00050:   80 D1 F0 02 20 A1 CF B3 4B 0D 2E 71 7D BE 67 7A
   00060:   62 41 A1 0E 1A 10 49 53 97 00 6F AC BF 63 96 19
   00070:   22 7C 4C 03 0A E8 E5 3F C3 6E 43 A7 17 AF FE 60
   00080:   5F 23 58 29 21 BE FE 71


   ---------------------------Client---------------------------

   ChangeCipherSpec message:



Smyshlyaev, et al.       Expires April 20, 2019                [Page 41]


Internet-Draft       GOST Cipher Suites for TLS 1.2         October 2018


   type:                    01

   00000:   01

   Record layer message:
   type:                    14
   version:
     major:                 03
     minor:                 03
   length:                  0001
   fragment:                01

   00000:   14 03 03 00 01 01


   ---------------------------Client---------------------------

   HASH(HM):
   00000:   F7 90 79 19 83 24 FD 49 8D FE A7 10 56 46 DE 41
   00010:   DA 87 DC 0B 0A 91 71 A2 F9 7C 65 E7 EA DA 48 92

   client_verify_data:
   00000:   C5 D6 43 59 6D 0D BC C5 39 22 D6 3C A2 57 A4 D8
   00010:   83 B7 C9 02 7A 61 F4 53 E9 7C 97 1E F9 AB 78 03


   ---------------------------Client---------------------------

   Finished message:
   msg_type:                14
   length:                  000020
   body:
     verify_data:           C5D643596D0DBCC53922D63CA257A4D8
                            83B7C9027A61F453E97C971EF9AB7803

   00000:   14 00 00 20 C5 D6 43 59 6D 0D BC C5 39 22 D6 3C
   00010:   A2 57 A4 D8 83 B7 C9 02 7A 61 F4 53 E9 7C 97 1E
   00020:   F9 AB 78 03

   Record layer message:
   type:                    16
   version:
     major:                 03
     minor:                 03
   length:                  002C
   fragment:                69F034DADA4950821E59013560B9823C
                            C86AC12516C477C9811ABD6489EBC2AF
                            F291A308F18250F3938D1742



Smyshlyaev, et al.       Expires April 20, 2019                [Page 42]


Internet-Draft       GOST Cipher Suites for TLS 1.2         October 2018


   00000:   16 03 03 00 2C 69 F0 34 DA DA 49 50 82 1E 59 01
   00010:   35 60 B9 82 3C C8 6A C1 25 16 C4 77 C9 81 1A BD
   00020:   64 89 EB C2 AF F2 91 A3 08 F1 82 50 F3 93 8D 17
   00030:   42


   ---------------------------Server---------------------------

   ChangeCipherSpec message:
   type:                    01

   00000:   01

   Record layer message:
   type:                    14
   version:
     major:                 03
     minor:                 03
   length:                  0001
   fragment:                01

   00000:   14 03 03 00 01 01


   ---------------------------Server---------------------------

   HASH(HM):
   00000:   79 58 3A 49 C2 DC 4D DB B4 CA 81 02 60 AE 3A 05
   00010:   EE 01 E4 F2 2D C2 49 52 4B 28 2E 63 A1 5A FD A1

   server_verify_data:
   00000:   46 91 5D 21 6B 19 42 E8 8B 0D 78 B8 EB 66 18 84
   00010:   C3 E8 74 94 AC 48 92 08 46 48 7D A5 8D CF 7C CD


   ---------------------------Server---------------------------

   Finished message:
   msg_type:                14
   length:                  000020
   body:
     verify_data:           46915D216B1942E88B0D78B8EB661884
                            C3E87494AC48920846487DA58DCF7CCD

   00000:   14 00 00 20 46 91 5D 21 6B 19 42 E8 8B 0D 78 B8
   00010:   EB 66 18 84 C3 E8 74 94 AC 48 92 08 46 48 7D A5
   00020:   8D CF 7C CD




Smyshlyaev, et al.       Expires April 20, 2019                [Page 43]


Internet-Draft       GOST Cipher Suites for TLS 1.2         October 2018


   Record layer message:
   type:                    16
   version:
     major:                 03
     minor:                 03
   length:                  002C
   fragment:                4403C9BE3831E9E4BC71BDB3E4F3706D
                            628DC8FCF87859E572C2236DB091BAC9
                            EA0FC11A22163195563D7EC2

   00000:   16 03 03 00 2C 44 03 C9 BE 38 31 E9 E4 BC 71 BD
   00010:   B3 E4 F3 70 6D 62 8D C8 FC F8 78 59 E5 72 C2 23
   00020:   6D B0 91 BA C9 EA 0F C1 1A 22 16 31 95 56 3D 7E
   00030:   C2


   ---------------------------Client---------------------------

   Application data:
   00000:   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00010:   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

   Record layer message:
   type:                    17
   version:
     major:                 03
     minor:                 03
   length:                  0028
   fragment:                E2F569C4F3495C6B77C94FB94BE4FE9B
                            D94832077D05BFF0F5A4A2E667F727EF
                            8C3CFDE990FD741D
   00000:   17 03 03 00 28 E2 F5 69 C4 F3 49 5C 6B 77 C9 4F
   00010:   B9 4B E4 FE 9B D9 48 32 07 7D 05 BF F0 F5 A4 A2
   00020:   E6 67 F7 27 EF 8C 3C FD E9 90 FD 74 1D


   ---------------------------Server---------------------------

   Application data:
   00000:   FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
   00010:   FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF

   Record layer message:
   type:                    17
   version:
     major:                 03
     minor:                 03
   length:                  0028



Smyshlyaev, et al.       Expires April 20, 2019                [Page 44]


Internet-Draft       GOST Cipher Suites for TLS 1.2         October 2018


   fragment:                EB8458C2C5F1EBF2E81C6550F88C4978
                            5F90566E2E1EF46741CF4F9FB6D0B5EB
                            8E98BEDB8AFB31CD

   00000:   17 03 03 00 28 EB 84 58 C2 C5 F1 EB F2 E8 1C 65
   00010:   50 F8 8C 49 78 5F 90 56 6E 2E 1E F4 67 41 CF 4F
   00020:   9F B6 D0 B5 EB 8E 98 BE DB 8A FB 31 CD


   ---------------------------Client---------------------------

   close_notify alert:
   Alert:
     level:                 01
     description:           00

   00000:   01 00

   Record layer message:
   type:                    15
   version:
     major:                 03
     minor:                 03
   length:                  000A
   fragment:                D6B17B5D426B0C7FE629

   00000:   15 03 03 00 0A D6 B1 7B 5D 42 6B 0C 7F E6 29


   ---------------------------Server---------------------------

   close_notify alert:
   Alert:
     level:                 01
     description:           00

   00000:   01 00

   Record layer message:
   type:                    15
   version:
     major:                 03
     minor:                 03
   length:                  000A
   fragment:                E20498CC0DFA0D8EC6B5

   00000:   15 03 03 00 0A E2 04 98 CC 0D FA 0D 8E C6 B5




Smyshlyaev, et al.       Expires April 20, 2019                [Page 45]


Internet-Draft       GOST Cipher Suites for TLS 1.2         October 2018


A.1.3.2.  TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC ciphersuite



   Server certificate curve OID:
   id-tc26-gost-3410-2012-512-paramSetC, "1.2.643.7.1.2.1.2.3"

   Server public key Q_s:
   x = 0xF14589DA479AD972C66563669B3FF580
         92E6A30A288BF447CD9FF6C3133E9724
         7A9706B267703C9B4E239F0D7C7E3310
         C22D2752B35BD2E4FD39B8F11DEB833A

   y = 0xF305E95B36502D4E60A1059FB20AB30B
         FC7C95727F3A2C04B1DFDDB53B0413F2
         99F2DFE66A5E1CCB4101A7A01D612BE6
         BD78E1E3B3D567EBB16ABE587A11F4EA

   Server private key k_s:
   0x12FD7A70067479A0F66C59F9A25534AD
     FBC7ABFD3CC72D79806F8B402601644B
     3005ED365A2D8989A8CCAE640D5FC08D
     D27DFBBFE137CF528E1AC6D445192E01

   Client certificate curve OID:
   id-tc26-gost-3410-2012-256-paramSetA, "1.2.643.7.1.2.1.1.1"

   Client public key Q_c:
   x = 0x0F5DB18A9E15F324B778676025BFD7B5
         DF066566EABAA1C51CD879F87B0B4975

   y = 0x9EE5BBF18361F842D3F087DEC2943939
         E0FA2BFB4EDEC25A8D10ABB22C48F386

   Client private key k_c:
   0x0918AD3F7D209ABF89F1E8505DA894CE
     E10DA09D32E72E815D9C0ADA30B5A103


   ---------------------------Client---------------------------

   ClientHello message:
   msg_type:                01
   length:                  000040
   body:
     client_version:
       major:               03
       minor:               03



Smyshlyaev, et al.       Expires April 20, 2019                [Page 46]


Internet-Draft       GOST Cipher Suites for TLS 1.2         October 2018


     random:                933EA21EC3802A561550EC78D6ED51AC
                            2439D7E749C31BC3A3456165889684CA
     session_id:
       length:              00
       vector:              --
     cipher_suites:
       length:              0004
       vector:
         CipherSuite:       FF88
         CipherSuite:       FF89
     compression_methods:
       length:              01
       vector:
         CompressionMethod: 00
     extensions:
       length:              0013
       vector:
         Extension: /* signature_algorithms */
           extension_type:  000D
           extension_data:
             length:        0006
             vector:
               supported_signature_algorithms:
                 length:    0004
                 vector:
                   /* 1 pair of algorithms */
                   hash:    EE
                   signature:
                            EE
                   /* 2 pair of algorithms */
                   hash:    EF
                   signature:
                            EF
         Extension: /* renegotiation_info */
           extension_type:  FF01
           extension_data:
             length:        0001
             vector:
               renegotiated_connection:
                 length:    00
                 vector:    --
         Extension: /* extended_master_secret */
           extension_type:  0017
           extension_data:
             length:        0000
             vector:        --

   00000:   01 00 00 40 03 03 93 3E A2 1E C3 80 2A 56 15 50



Smyshlyaev, et al.       Expires April 20, 2019                [Page 47]


Internet-Draft       GOST Cipher Suites for TLS 1.2         October 2018


   00010:   EC 78 D6 ED 51 AC 24 39 D7 E7 49 C3 1B C3 A3 45
   00020:   61 65 88 96 84 CA 00 00 04 FF 88 FF 89 01 00 00
   00030:   13 00 0D 00 06 00 04 EE EE EF EF FF 01 00 01 00
   00040:   00 17 00 00

   Record layer message:
   type:                    16
   version:
     major:                 03
     minor:                 03
   length:                  0044
   fragment:                010000400303933EA21EC3802A561550
                            EC78D6ED51AC2439D7E749C31BC3A345
                            6165889684CA000004FF88FF89010000
                            13000D00060004EEEEEFEFFF01000100
                            00170000

   00000:   16 03 03 00 44 01 00 00 40 03 03 93 3E A2 1E C3
   00010:   80 2A 56 15 50 EC 78 D6 ED 51 AC 24 39 D7 E7 49
   00020:   C3 1B C3 A3 45 61 65 88 96 84 CA 00 00 04 FF 88
   00030:   FF 89 01 00 00 13 00 0D 00 06 00 04 EE EE EF EF
   00040:   FF 01 00 01 00 00 17 00 00


   ---------------------------Server---------------------------

   ServerHello message:
   msg_type:                02
   length:                  000041
   body:
     server_version:
       major:               03
       minor:               03
     random:                933EA21E49C31BC3A3456165889684CA
                            A5576CE7924A24F58113808DBD9EF856
     session_id:
       length:              10
       vector:              C3802A561550EC78D6ED51AC2439D7E7
     cipher_suite:
         CipherSuite:       FF89
     compression_method:
         CompressionMethod: 00
     extensions:
       length:              0009
       vector:
         Extension: /* renegotiation_info */
           extension_type:  FF01
           extension_data:



Smyshlyaev, et al.       Expires April 20, 2019                [Page 48]


Internet-Draft       GOST Cipher Suites for TLS 1.2         October 2018


             length:        0001
             vector:
               renegotiated_connection:
                 length:    00
                 vector:    --
         Extension: /* extended_master_secret */
           extension_type:  0017
           extension_data:
             length:        0000
             vector:        --

   00000:   02 00 00 41 03 03 93 3E A2 1E 49 C3 1B C3 A3 45
   00010:   61 65 88 96 84 CA A5 57 6C E7 92 4A 24 F5 81 13
   00020:   80 8D BD 9E F8 56 10 C3 80 2A 56 15 50 EC 78 D6
   00030:   ED 51 AC 24 39 D7 E7 FF 89 00 00 09 FF 01 00 01
   00040:   00 00 17 00 00

   Record layer message:
   type:                    16
   version:
     major:                 03
     minor:                 03
   length:                  0045
   fragment:                020000410303933EA21E49C31BC3A345
                            6165889684CAA5576CE7924A24F58113
                            808DBD9EF85610C3802A561550EC78D6
                            ED51AC2439D7E7FF89000009FF010001
                            0000170000

   00000:   16 03 03 00 45 02 00 00 41 03 03 93 3E A2 1E 49
   00010:   C3 1B C3 A3 45 61 65 88 96 84 CA A5 57 6C E7 92
   00020:   4A 24 F5 81 13 80 8D BD 9E F8 56 10 C3 80 2A 56
   00030:   15 50 EC 78 D6 ED 51 AC 24 39 D7 E7 FF 89 00 00
   00040:   09 FF 01 00 01 00 00 17 00 00


   ---------------------------Server---------------------------

   Certificate message:
   msg_type:                0B
   length:                  00024C
   body:
     certificate_list:
       length:              000249
       vector:
         ASN.1Cert:
           length:          000246
           vector:          30820242308201AEA003020102020101



Smyshlyaev, et al.       Expires April 20, 2019                [Page 49]


Internet-Draft       GOST Cipher Suites for TLS 1.2         October 2018


                            300A06082A850307010103033042312C
                            302A06092A864886F70D010901161D74
                                          . . .
                            371AF83C5BC58B366DFEFA7345D50317
                            867C177AC84AC07EE8612164629AB7BD
                            C48AA0F64A741FE7298E82C5BFCE8672
                            029F875391F7

   00000:   0B 00 02 4C 00 02 49 00 02 46 30 82 02 42 30 82
   00010:   01 AE A0 03 02 01 02 02 01 01 30 0A 06 08 2A 85
   00020:   03 07 01 01 03 03 30 42 31 2C 30 2A 06 09 2A 86
   00030:   48 86 F7 0D 01 09 01 16 1D 74 6C 73 31 32 5F 73
   00040:   65 72 76 65 72 35 31 32 43 40 63 72 79 70 74 6F
   00050:   70 72 6F 2E 72 75 31 12 30 10 06 03 55 04 03 13
   00060:   09 53 65 72 76 65 72 35 31 32 30 1E 17 0D 31 37
   00070:   30 35 32 35 30 39 32 35 31 38 5A 17 0D 33 30 30
   00080:   35 30 31 30 39 32 35 31 38 5A 30 42 31 2C 30 2A
   00090:   06 09 2A 86 48 86 F7 0D 01 09 01 16 1D 74 6C 73
   000A0:   31 32 5F 73 65 72 76 65 72 35 31 32 43 40 63 72
   000B0:   79 70 74 6F 70 72 6F 2E 72 75 31 12 30 10 06 03
   000C0:   55 04 03 13 09 53 65 72 76 65 72 35 31 32 30 81
   000D0:   AA 30 21 06 08 2A 85 03 07 01 01 01 02 30 15 06
   000E0:   09 2A 85 03 07 01 02 01 02 03 06 08 2A 85 03 07
   000F0:   01 01 02 03 03 81 84 00 04 81 80 3A 83 EB 1D F1
   00100:   B8 39 FD E4 D2 5B B3 52 27 2D C2 10 33 7E 7C 0D
   00110:   9F 23 4E 9B 3C 70 67 B2 06 97 7A 24 97 3E 13 C3
   00120:   F6 9F CD 47 F4 8B 28 0A A3 E6 92 80 F5 3F 9B 66
   00130:   63 65 C6 72 D9 9A 47 DA 89 45 F1 EA F4 11 7A 58
   00140:   BE 6A B1 EB 67 D5 B3 E3 E1 78 BD E6 2B 61 1D A0
   00150:   A7 01 41 CB 1C 5E 6A E6 DF F2 99 F2 13 04 3B B5
   00160:   DD DF B1 04 2C 3A 7F 72 95 7C FC 0B B3 0A B2 9F
   00170:   05 A1 60 4E 2D 50 36 5B E9 05 F3 A3 43 30 41 30
   00180:   1D 06 03 55 1D 0E 04 16 04 14 87 9C C6 5A 0F 4A
   00190:   89 CB 4A 58 49 DF 05 61 56 9B AA DC 11 69 30 0B
   001A0:   06 03 55 1D 0F 04 04 03 02 03 28 30 13 06 03 55
   001B0:   1D 25 04 0C 30 0A 06 08 2B 06 01 05 05 07 03 01
   001C0:   30 0A 06 08 2A 85 03 07 01 01 03 03 03 81 81 00
   001D0:   35 BE 38 51 EC B6 E9 2D 32 40 01 81 0F 8C 89 03
   001E0:   52 42 F4 05 46 9F 4C 4E CB 05 02 7C 57 E2 71 52
   001F0:   12 AF D7 CD BB 0C ED 7A 8B 4D 33 42 CC 50 1A BD
   00200:   99 99 75 A5 8A DE 0E 58 4F CA 35 F5 2E 45 58 B7
   00210:   31 1D 49 D0 A0 51 32 79 F7 39 37 1A F8 3C 5B C5
   00220:   8B 36 6D FE FA 73 45 D5 03 17 86 7C 17 7A C8 4A
   00230:   C0 7E E8 61 21 64 62 9A B7 BD C4 8A A0 F6 4A 74
   00240:   1F E7 29 8E 82 C5 BF CE 86 72 02 9F 87 53 91 F7

   Record layer message:
   type:                    16



Smyshlyaev, et al.       Expires April 20, 2019                [Page 50]


Internet-Draft       GOST Cipher Suites for TLS 1.2         October 2018


   version:
     major:                 03
     minor:                 03
   length:                  0250
   fragment:                0B00024C000249000246308202423082
                            01AEA003020102020101300A06082A85
                            0307010103033042312C302A06092A86
                                          . . .
                            8B366DFEFA7345D50317867C177AC84A
                            C07EE8612164629AB7BDC48AA0F64A74
                            1FE7298E82C5BFCE8672029F875391F7

   00000:   16 03 03 02 50 0B 00 02 4C 00 02 49 00 02 46 30
   00010:   82 02 42 30 82 01 AE A0 03 02 01 02 02 01 01 30
   00020:   0A 06 08 2A 85 03 07 01 01 03 03 30 42 31 2C 30
   00030:   2A 06 09 2A 86 48 86 F7 0D 01 09 01 16 1D 74 6C
   00040:   73 31 32 5F 73 65 72 76 65 72 35 31 32 43 40 63
   00050:   72 79 70 74 6F 70 72 6F 2E 72 75 31 12 30 10 06
   00060:   03 55 04 03 13 09 53 65 72 76 65 72 35 31 32 30
   00070:   1E 17 0D 31 37 30 35 32 35 30 39 32 35 31 38 5A
   00080:   17 0D 33 30 30 35 30 31 30 39 32 35 31 38 5A 30
   00090:   42 31 2C 30 2A 06 09 2A 86 48 86 F7 0D 01 09 01
   000A0:   16 1D 74 6C 73 31 32 5F 73 65 72 76 65 72 35 31
   000B0:   32 43 40 63 72 79 70 74 6F 70 72 6F 2E 72 75 31
   000C0:   12 30 10 06 03 55 04 03 13 09 53 65 72 76 65 72
   000D0:   35 31 32 30 81 AA 30 21 06 08 2A 85 03 07 01 01
   000E0:   01 02 30 15 06 09 2A 85 03 07 01 02 01 02 03 06
   000F0:   08 2A 85 03 07 01 01 02 03 03 81 84 00 04 81 80
   00100:   3A 83 EB 1D F1 B8 39 FD E4 D2 5B B3 52 27 2D C2
   00110:   10 33 7E 7C 0D 9F 23 4E 9B 3C 70 67 B2 06 97 7A
   00120:   24 97 3E 13 C3 F6 9F CD 47 F4 8B 28 0A A3 E6 92
   00130:   80 F5 3F 9B 66 63 65 C6 72 D9 9A 47 DA 89 45 F1
   00140:   EA F4 11 7A 58 BE 6A B1 EB 67 D5 B3 E3 E1 78 BD
   00150:   E6 2B 61 1D A0 A7 01 41 CB 1C 5E 6A E6 DF F2 99
   00160:   F2 13 04 3B B5 DD DF B1 04 2C 3A 7F 72 95 7C FC
   00170:   0B B3 0A B2 9F 05 A1 60 4E 2D 50 36 5B E9 05 F3
   00180:   A3 43 30 41 30 1D 06 03 55 1D 0E 04 16 04 14 87
   00190:   9C C6 5A 0F 4A 89 CB 4A 58 49 DF 05 61 56 9B AA
   001A0:   DC 11 69 30 0B 06 03 55 1D 0F 04 04 03 02 03 28
   001B0:   30 13 06 03 55 1D 25 04 0C 30 0A 06 08 2B 06 01
   001C0:   05 05 07 03 01 30 0A 06 08 2A 85 03 07 01 01 03
   001D0:   03 03 81 81 00 35 BE 38 51 EC B6 E9 2D 32 40 01
   001E0:   81 0F 8C 89 03 52 42 F4 05 46 9F 4C 4E CB 05 02
   001F0:   7C 57 E2 71 52 12 AF D7 CD BB 0C ED 7A 8B 4D 33
   00200:   42 CC 50 1A BD 99 99 75 A5 8A DE 0E 58 4F CA 35
   00210:   F5 2E 45 58 B7 31 1D 49 D0 A0 51 32 79 F7 39 37
   00220:   1A F8 3C 5B C5 8B 36 6D FE FA 73 45 D5 03 17 86
   00230:   7C 17 7A C8 4A C0 7E E8 61 21 64 62 9A B7 BD C4



Smyshlyaev, et al.       Expires April 20, 2019                [Page 51]


Internet-Draft       GOST Cipher Suites for TLS 1.2         October 2018


   00240:   8A A0 F6 4A 74 1F E7 29 8E 82 C5 BF CE 86 72 02
   00250:   9F 87 53 91 F7


   ---------------------------Server---------------------------

   CertificateRequest message:
   msg_type:                0D
   length:                  00000B
   body:
     certificate_types:
       length:              02
       vector:
         /* gostr34102012_256 */
                            EE
         /* gostr34102012_512 */
                            EF
     supported_signature_algorithms:
       length:              0004
       vector:
         /* 1 pair of algorithms */
         hash:              EE
         signature:         EE
         /* 2 pair of algorithms */
         hash:              EF
         signature:         EF
     certificate_authorities:
       length:              0000
       vector:              --

   00000:   0D 00 00 0B 02 EE EF 00 04 EE EE EF EF 00 00

   Record layer message:
   type:                    16
   version:
     major:                 03
     minor:                 03
   length:                  000F
   fragment:                0D00000B02EEEF0004EEEEEFEF0000

   00000:   16 03 03 00 0F 0D 00 00 0B 02 EE EF 00 04 EE EE
   00010:   EF EF 00 00


   ---------------------------Server---------------------------

   ServerHelloDone message:
   msg_type:                0E



Smyshlyaev, et al.       Expires April 20, 2019                [Page 52]


Internet-Draft       GOST Cipher Suites for TLS 1.2         October 2018


   length:                  000000
   body:                    --

   00000:   0E 00 00 00

   Record layer message:
   type:                    16
   version:
     major:                 03
     minor:                 03
   length:                  0004
   fragment:                0E000000

   00000:   16 03 03 00 04 0E 00 00 00


   ---------------------------Client---------------------------

   Certificate message:
   msg_type:                0B
   length:                  0001EA
   body:
     certificate_list:
       length:              0001E7
       vector:
         ASN.1Cert:
           length:          0001E4
           vector:          308201E03082018DA003020102020101
                            300A06082A850307010103023053312E
                            302C06092A864886F70D010901161F74
                                          . . .
                            C1CAB43AC01AFB0F3451BDC2DB188BBC
                            B77884251CDF6037BA830F4B31D5E96F
                            DC9BC1C95ABE658266C48402E070DE1F
                            292724E8

   00000:   0B 00 01 EA 00 01 E7 00 01 E4 30 82 01 E0 30 82
   00010:   01 8D A0 03 02 01 02 02 01 01 30 0A 06 08 2A 85
   00020:   03 07 01 01 03 02 30 53 31 2E 30 2C 06 09 2A 86
   00030:   48 86 F7 0D 01 09 01 16 1F 74 6C 73 31 32 5F 63
   00040:   6C 69 65 6E 74 32 35 36 41 5F 45 40 63 72 79 70
   00050:   74 6F 70 72 6F 2E 72 75 31 21 30 1F 06 03 55 04
   00060:   03 1E 18 00 43 00 6C 00 69 00 65 00 6E 00 74 00
   00070:   32 00 35 00 36 00 41 00 5F 00 45 30 1E 17 0D 31
   00080:   37 30 35 32 35 30 39 33 31 31 38 5A 17 0D 33 30
   00090:   30 35 30 31 30 39 33 31 31 38 5A 30 53 31 2E 30
   000A0:   2C 06 09 2A 86 48 86 F7 0D 01 09 01 16 1F 74 6C
   000B0:   73 31 32 5F 63 6C 69 65 6E 74 32 35 36 41 5F 45



Smyshlyaev, et al.       Expires April 20, 2019                [Page 53]


Internet-Draft       GOST Cipher Suites for TLS 1.2         October 2018


   000C0:   40 63 72 79 70 74 6F 70 72 6F 2E 72 75 31 21 30
   000D0:   1F 06 03 55 04 03 1E 18 00 43 00 6C 00 69 00 65
   000E0:   00 6E 00 74 00 32 00 35 00 36 00 41 00 5F 00 45
   000F0:   30 68 30 21 06 08 2A 85 03 07 01 01 01 01 30 15
   00100:   06 09 2A 85 03 07 01 02 01 01 01 06 08 2A 85 03
   00110:   07 01 01 02 02 03 43 00 04 40 75 49 0B 7B F8 79
   00120:   D8 1C C5 A1 BA EA 66 65 06 DF B5 D7 BF 25 60 67
   00130:   78 B7 24 F3 15 9E 8A B1 5D 0F 86 F3 48 2C B2 AB
   00140:   10 8D 5A C2 DE 4E FB 2B FA E0 39 39 94 C2 DE 87
   00150:   F0 D3 42 F8 61 83 F1 BB E5 9E A3 43 30 41 30 1D
   00160:   06 03 55 1D 0E 04 16 04 14 74 49 1E 77 30 D3 42
   00170:   A6 28 0E 72 A1 13 9D D9 90 8B FA F1 03 30 0B 06
   00180:   03 55 1D 0F 04 04 03 02 07 80 30 13 06 03 55 1D
   00190:   25 04 0C 30 0A 06 08 2B 06 01 05 05 07 03 02 30
   001A0:   0A 06 08 2A 85 03 07 01 01 03 02 03 41 00 1C 2D
   001B0:   35 22 B4 11 02 D6 20 1F 23 50 C1 CA B4 3A C0 1A
   001C0:   FB 0F 34 51 BD C2 DB 18 8B BC B7 78 84 25 1C DF
   001D0:   60 37 BA 83 0F 4B 31 D5 E9 6F DC 9B C1 C9 5A BE
   001E0:   65 82 66 C4 84 02 E0 70 DE 1F 29 27 24 E8

   Record layer message:
   type:                    16
   version:
     major:                 03
     minor:                 03
   length:                  01EE
   fragment:                0B0001EA0001E70001E4308201E03082
                            018DA003020102020101300A06082A85
                            0307010103023053312E302C06092A86
                                          . . .
                            3522B41102D6201F2350C1CAB43AC01A
                            FB0F3451BDC2DB188BBCB77884251CDF
                            6037BA830F4B31D5E96FDC9BC1C95ABE
                            658266C48402E070DE1F292724E8

   00000:   16 03 03 01 EE 0B 00 01 EA 00 01 E7 00 01 E4 30
   00010:   82 01 E0 30 82 01 8D A0 03 02 01 02 02 01 01 30
   00020:   0A 06 08 2A 85 03 07 01 01 03 02 30 53 31 2E 30
   00030:   2C 06 09 2A 86 48 86 F7 0D 01 09 01 16 1F 74 6C
   00040:   73 31 32 5F 63 6C 69 65 6E 74 32 35 36 41 5F 45
   00050:   40 63 72 79 70 74 6F 70 72 6F 2E 72 75 31 21 30
   00060:   1F 06 03 55 04 03 1E 18 00 43 00 6C 00 69 00 65
   00070:   00 6E 00 74 00 32 00 35 00 36 00 41 00 5F 00 45
   00080:   30 1E 17 0D 31 37 30 35 32 35 30 39 33 31 31 38
   00090:   5A 17 0D 33 30 30 35 30 31 30 39 33 31 31 38 5A
   000A0:   30 53 31 2E 30 2C 06 09 2A 86 48 86 F7 0D 01 09
   000B0:   01 16 1F 74 6C 73 31 32 5F 63 6C 69 65 6E 74 32
   000C0:   35 36 41 5F 45 40 63 72 79 70 74 6F 70 72 6F 2E



Smyshlyaev, et al.       Expires April 20, 2019                [Page 54]


Internet-Draft       GOST Cipher Suites for TLS 1.2         October 2018


   000D0:   72 75 31 21 30 1F 06 03 55 04 03 1E 18 00 43 00
   000E0:   6C 00 69 00 65 00 6E 00 74 00 32 00 35 00 36 00
   000F0:   41 00 5F 00 45 30 68 30 21 06 08 2A 85 03 07 01
   00100:   01 01 01 30 15 06 09 2A 85 03 07 01 02 01 01 01
   00110:   06 08 2A 85 03 07 01 01 02 02 03 43 00 04 40 75
   00120:   49 0B 7B F8 79 D8 1C C5 A1 BA EA 66 65 06 DF B5
   00130:   D7 BF 25 60 67 78 B7 24 F3 15 9E 8A B1 5D 0F 86
   00140:   F3 48 2C B2 AB 10 8D 5A C2 DE 4E FB 2B FA E0 39
   00150:   39 94 C2 DE 87 F0 D3 42 F8 61 83 F1 BB E5 9E A3
   00160:   43 30 41 30 1D 06 03 55 1D 0E 04 16 04 14 74 49
   00170:   1E 77 30 D3 42 A6 28 0E 72 A1 13 9D D9 90 8B FA
   00180:   F1 03 30 0B 06 03 55 1D 0F 04 04 03 02 07 80 30
   00190:   13 06 03 55 1D 25 04 0C 30 0A 06 08 2B 06 01 05
   001A0:   05 07 03 02 30 0A 06 08 2A 85 03 07 01 01 03 02
   001B0:   03 41 00 1C 2D 35 22 B4 11 02 D6 20 1F 23 50 C1
   001C0:   CA B4 3A C0 1A FB 0F 34 51 BD C2 DB 18 8B BC B7
   001D0:   78 84 25 1C DF 60 37 BA 83 0F 4B 31 D5 E9 6F DC
   001E0:   9B C1 C9 5A BE 65 82 66 C4 84 02 E0 70 DE 1F 29
   001F0:   27 24 E8


   ---------------------------Client---------------------------

   PMS value:
   00000:   A5 57 6C E7 92 4A 24 F5 81 13 80 8D BD 9E F8 56
   00010:   F5 BD C3 B1 83 CE 5D AD CA 36 A5 3A A0 77 65 1D

   Random k_EPH value:
   0x150ACD11B66DD695AD18418FA7A2DC63
     6B7E29DCA24536AABC826EE3175BB1FA
     DC3AA0D01D3092E120B0FCF7EB872F4B
     7E26EA17849D689222A48CF95A6E4831

   Q_EPH ephemeral key:
   x = 0xC941BE5193189B476D5A0334114A3E04
         BBE5B37C738AE40F150B334135288664
         FEBFC5622818894A07B1F7AD60E28480
         B4B637B90EA7D4BA980186B605D75BC6

   y = 0xA154F7B93E8148652011F4FD52C9A06A
         6471ADB28D0A949AE26BC786DE874153
         ABC00B35164F3214A8A83C00ECE27831
         B093528456234EFE766224FC2A7E9ABE

   HASH (r_C | r_S):
   00000:   C3 EF 04 28 D4 B7 A1 F4 C5 02 5F 2E 65 DD 2B 2E
   00010:   A5 83 AE EF DB 67 C7 F4 21 4A 6A 29 8E 99 E3 25




Smyshlyaev, et al.       Expires April 20, 2019                [Page 55]


Internet-Draft       GOST Cipher Suites for TLS 1.2         October 2018


   Export key generation. r value:
   0xC3EF0428D4B7A1F4C5025F2E65DD2B2E

   Export key generation. UKM value:
   0xC3EF0428D4B7A1F4C5025F2E65DD2B2E

   Export keys K^Exp_MAC | K^Exp_ENC used in KExp15 algorithm:
   00000:   7D AC 56 E4 8A 4D C1 70 FA A8 FC BA E2 0D B8 45
   00010:   45 0C CC C4 C6 32 8B DC 8D 01 15 7C EF A2 A5 F1
   00020:   1F 1C BA D8 86 61 66 F0 1F FA AB 01 52 E2 4B F4
   00030:   60 9D 5F 46 A5 C8 99 C7 87 90 0D 08 B9 FC AD 24

   IV:
   00000:   21 4A 6A 29 8E 99 E3 25

   PMSEXP:
   00000:   25 0D 1B 67 A2 70 AB 04 D3 F6 54 18 E1 D3 80 B4
   00010:   CB 94 5F 0A 3D CA 51 50 0C F3 A1 BE F3 7F 76 C0
   00020:   73 41 A9 83 9C CF 6C BA 71 89 DA 61 EB 67 17 6C


   ---------------------------Client---------------------------

   ClientKeyExchange message:
   msg_type:                10
   length:                  0000E2
   body:
     exchange_keys:         3081DF0430250D1B67A270AB04D3F654
                            18E1D380B4CB945F0A3DCA51500CF3A1
                            BEF37F76C07341A9839CCF6CBA7189DA
                                          . . .
                            93B03178E2EC003CA8A814324F16350B
                            C0AB534187DE86C76BE29A940A8DB2AD
                            71646AA0C952FDF411206548813EB9F7
                            54A1

   00000:   10 00 00 E2 30 81 DF 04 30 25 0D 1B 67 A2 70 AB
   00010:   04 D3 F6 54 18 E1 D3 80 B4 CB 94 5F 0A 3D CA 51
   00020:   50 0C F3 A1 BE F3 7F 76 C0 73 41 A9 83 9C CF 6C
   00030:   BA 71 89 DA 61 EB 67 17 6C 30 81 AA 30 21 06 08
   00040:   2A 85 03 07 01 01 01 02 30 15 06 09 2A 85 03 07
   00050:   01 02 01 02 03 06 08 2A 85 03 07 01 01 02 03 03
   00060:   81 84 00 04 81 80 C6 5B D7 05 B6 86 01 98 BA D4
   00070:   A7 0E B9 37 B6 B4 80 84 E2 60 AD F7 B1 07 4A 89
   00080:   18 28 62 C5 BF FE 64 86 28 35 41 33 0B 15 0F E4
   00090:   8A 73 7C B3 E5 BB 04 3E 4A 11 34 03 5A 6D 47 9B
   000A0:   18 93 51 BE 41 C9 BE 9A 7E 2A FC 24 62 76 FE 4E
   000B0:   23 56 84 52 93 B0 31 78 E2 EC 00 3C A8 A8 14 32



Smyshlyaev, et al.       Expires April 20, 2019                [Page 56]


Internet-Draft       GOST Cipher Suites for TLS 1.2         October 2018


   000C0:   4F 16 35 0B C0 AB 53 41 87 DE 86 C7 6B E2 9A 94
   000D0:   0A 8D B2 AD 71 64 6A A0 C9 52 FD F4 11 20 65 48
   000E0:   81 3E B9 F7 54 A1

   Record layer message:
   type:                    16
   version:
     major:                 03
     minor:                 03
   length:                  00E6
   fragment:                100000E23081DF0430250D1B67A270AB
                            04D3F65418E1D380B4CB945F0A3DCA51
                            500CF3A1BEF37F76C07341A9839CCF6C
                                          . . .
                            2356845293B03178E2EC003CA8A81432
                            4F16350BC0AB534187DE86C76BE29A94
                            0A8DB2AD71646AA0C952FDF411206548
                            813EB9F754A1


   00000:   16 03 03 00 E6 10 00 00 E2 30 81 DF 04 30 25 0D
   00010:   1B 67 A2 70 AB 04 D3 F6 54 18 E1 D3 80 B4 CB 94
   00020:   5F 0A 3D CA 51 50 0C F3 A1 BE F3 7F 76 C0 73 41
   00030:   A9 83 9C CF 6C BA 71 89 DA 61 EB 67 17 6C 30 81
   00040:   AA 30 21 06 08 2A 85 03 07 01 01 01 02 30 15 06
   00050:   09 2A 85 03 07 01 02 01 02 03 06 08 2A 85 03 07
   00060:   01 01 02 03 03 81 84 00 04 81 80 C6 5B D7 05 B6
   00070:   86 01 98 BA D4 A7 0E B9 37 B6 B4 80 84 E2 60 AD
   00080:   F7 B1 07 4A 89 18 28 62 C5 BF FE 64 86 28 35 41
   00090:   33 0B 15 0F E4 8A 73 7C B3 E5 BB 04 3E 4A 11 34
   000A0:   03 5A 6D 47 9B 18 93 51 BE 41 C9 BE 9A 7E 2A FC
   000B0:   24 62 76 FE 4E 23 56 84 52 93 B0 31 78 E2 EC 00
   000C0:   3C A8 A8 14 32 4F 16 35 0B C0 AB 53 41 87 DE 86
   000D0:   C7 6B E2 9A 94 0A 8D B2 AD 71 64 6A A0 C9 52 FD
   000E0:   F4 11 20 65 48 81 3E B9 F7 54 A1


   ---------------------------Server---------------------------

   PMSEXP extracted:
   00000:   25 0D 1B 67 A2 70 AB 04 D3 F6 54 18 E1 D3 80 B4
   00010:   CB 94 5F 0A 3D CA 51 50 0C F3 A1 BE F3 7F 76 C0
   00020:   73 41 A9 83 9C CF 6C BA 71 89 DA 61 EB 67 17 6C

   HASH(r_C | r_S):
   00000:   C3 EF 04 28 D4 B7 A1 F4 C5 02 5F 2E 65 DD 2B 2E
   00010:   A5 83 AE EF DB 67 C7 F4 21 4A 6A 29 8E 99 E3 25




Smyshlyaev, et al.       Expires April 20, 2019                [Page 57]


Internet-Draft       GOST Cipher Suites for TLS 1.2         October 2018


   Export key generation. r value:
   0xC3EF0428D4B7A1F4C5025F2E65DD2B2E

   Export key generation. UKM value:
   0xC3EF0428D4B7A1F4C5025F2E65DD2B2E

   Export keys K^Exp_MAC | K^Exp_ENC used in KImp15 algorithm:
   00000:   7D AC 56 E4 8A 4D C1 70 FA A8 FC BA E2 0D B8 45
   00010:   45 0C CC C4 C6 32 8B DC 8D 01 15 7C EF A2 A5 F1
   00020:   1F 1C BA D8 86 61 66 F0 1F FA AB 01 52 E2 4B F4
   00030:   60 9D 5F 46 A5 C8 99 C7 87 90 0D 08 B9 FC AD 24

   IV:
   00000:   21 4A 6A 29 8E 99 E3 25

   PMS:
   00000:   A5 57 6C E7 92 4A 24 F5 81 13 80 8D BD 9E F8 56
   00010:   F5 BD C3 B1 83 CE 5D AD CA 36 A5 3A A0 77 65 1D


   ---------------------------Client---------------------------

   Random value k used in signature generation:
   0x163962EEA268203E7C6B3F70BF8D4A36
     34CE6E2CFC424687951D70ACE0B4292A

   Signature value sgn_c = SIGN_k_c(HM):
   00000:   F7 1F 43 62 45 5B C5 5B A8 9A 8F AF 01 82 88 EC
   00010:   00 B3 27 17 48 2E 76 24 B2 57 D9 79 7C 8F F6 02
   00020:   71 B2 94 AF 3F 2D 07 51 7A F1 48 DA B3 2F E9 45
   00030:   94 85 C8 93 63 C2 F9 D8 2B 88 93 52 6A 92 D6 2E


   ---------------------------Client---------------------------

   CertificateVerify message:
   msg_type:                0F
   length:                  000044
   body:
     algorithm:
       hash:                EE
       signature:           EE
     signature:
       length:              0040
       vector:              F71F4362455BC55BA89A8FAF018288EC
                            00B32717482E7624B257D9797C8FF602
                            71B294AF3F2D07517AF148DAB32FE945
                            9485C89363C2F9D82B8893526A92D62E



Smyshlyaev, et al.       Expires April 20, 2019                [Page 58]


Internet-Draft       GOST Cipher Suites for TLS 1.2         October 2018


   00000:   0F 00 00 44 EE EE 00 40 F7 1F 43 62 45 5B C5 5B
   00010:   A8 9A 8F AF 01 82 88 EC 00 B3 27 17 48 2E 76 24
   00020:   B2 57 D9 79 7C 8F F6 02 71 B2 94 AF 3F 2D 07 51
   00030:   7A F1 48 DA B3 2F E9 45 94 85 C8 93 63 C2 F9 D8
   00040:   2B 88 93 52 6A 92 D6 2E

   Record layer message:
   type:                    16
   version:
     major:                 03
     minor:                 03
   length:                  0048
   fragment:                0F000044EEEE0040F71F4362455BC55B
                            A89A8FAF018288EC00B32717482E7624
                            B257D9797C8FF60271B294AF3F2D0751
                            7AF148DAB32FE9459485C89363C2F9D8
                            2B8893526A92D62E

   00000:   16 03 03 00 48 0F 00 00 44 EE EE 00 40 F7 1F 43
   00010:   62 45 5B C5 5B A8 9A 8F AF 01 82 88 EC 00 B3 27
   00020:   17 48 2E 76 24 B2 57 D9 79 7C 8F F6 02 71 B2 94
   00030:   AF 3F 2D 07 51 7A F1 48 DA B3 2F E9 45 94 85 C8
   00040:   93 63 C2 F9 D8 2B 88 93 52 6A 92 D6 2E


   ---------------------------Client---------------------------

   HASH(HM):
   00000:   A5 71 AD 3C A4 E8 1B 38 69 01 E1 6A 1B E7 F9 38
   00010:   CC 0A 5C 52 94 F1 34 B4 30 31 F2 40 FA EA 24 D4

   MS:
   00000:   30 17 37 13 09 D6 91 42 3B B0 E2 C6 F5 5B 9D F7
   00010:   85 21 D8 81 11 29 D8 9A 75 D9 85 1C 12 A1 55 DA
   00020:   CA 1C EC 8F F2 62 81 8D 46 F9 7D CC 1E 46 AF 26

   Client connection key material
   K_write_MAC|K_read_MAC|K_write_ENC|K_read_ENC|IV_write|IV_read:
   00000:   DC 78 65 3E F5 45 8F 54 02 70 6B 35 AA CC 15 8C
   00010:   C4 20 8C 51 7D 4F 1F 76 35 AD 7E B0 B5 5D 35 D1
   00020:   DF DA 05 F6 77 7A B7 24 A3 F5 FC 1D E9 43 64 C4
   00030:   10 C9 D3 88 ED 9C 4B 6E CA C6 18 60 6B 23 4A 47
   00040:   19 F6 C5 37 3B 2D D7 34 A2 A0 8D 0B 09 47 56 84
   00050:   B6 88 34 63 70 AA 7B 9E 22 6B 99 1B 7F FE 96 D0
   00060:   B0 DA EF 30 98 13 85 2C 8E 90 D9 A6 F2 96 EF 84
   00070:   F5 0F 2A CD 13 BE 46 44 4D BD 5F CA 38 48 EC 74
   00080:   A3 85 90 95 6E F0 BD 0C BA 36 E9 8A 0E 42 C2 62




Smyshlyaev, et al.       Expires April 20, 2019                [Page 59]


Internet-Draft       GOST Cipher Suites for TLS 1.2         October 2018


   ---------------------------Server---------------------------

   HASH(HM):
   00000:   A5 71 AD 3C A4 E8 1B 38 69 01 E1 6A 1B E7 F9 38
   00010:   CC 0A 5C 52 94 F1 34 B4 30 31 F2 40 FA EA 24 D4

   MS:
   00000:   30 17 37 13 09 D6 91 42 3B B0 E2 C6 F5 5B 9D F7
   00010:   85 21 D8 81 11 29 D8 9A 75 D9 85 1C 12 A1 55 DA
   00020:   CA 1C EC 8F F2 62 81 8D 46 F9 7D CC 1E 46 AF 26

   Server connection key material
   K_read_MAC|K_write_MAC|K_read_ENC|K_write_ENC|IV_read|IV_write:
   00000:   DC 78 65 3E F5 45 8F 54 02 70 6B 35 AA CC 15 8C
   00010:   C4 20 8C 51 7D 4F 1F 76 35 AD 7E B0 B5 5D 35 D1
   00020:   DF DA 05 F6 77 7A B7 24 A3 F5 FC 1D E9 43 64 C4
   00030:   10 C9 D3 88 ED 9C 4B 6E CA C6 18 60 6B 23 4A 47
   00040:   19 F6 C5 37 3B 2D D7 34 A2 A0 8D 0B 09 47 56 84
   00050:   B6 88 34 63 70 AA 7B 9E 22 6B 99 1B 7F FE 96 D0
   00060:   B0 DA EF 30 98 13 85 2C 8E 90 D9 A6 F2 96 EF 84
   00070:   F5 0F 2A CD 13 BE 46 44 4D BD 5F CA 38 48 EC 74
   00080:   A3 85 90 95 6E F0 BD 0C BA 36 E9 8A 0E 42 C2 62


   ---------------------------Client---------------------------

   ChangeCipherSpec message:
   type:                    01

   00000:   01

   Record layer message:
   type:                    14
   version:
     major:                 03
     minor:                 03
   length:                  0001
   fragment:                01

   00000:   14 03 03 00 01 01


   ---------------------------Client---------------------------

   HASH(HM):
   00000:   A5 71 AD 3C A4 E8 1B 38 69 01 E1 6A 1B E7 F9 38
   00010:   CC 0A 5C 52 94 F1 34 B4 30 31 F2 40 FA EA 24 D4




Smyshlyaev, et al.       Expires April 20, 2019                [Page 60]


Internet-Draft       GOST Cipher Suites for TLS 1.2         October 2018


   client_verify_data:
   00000:   5A 96 F3 54 37 5E 7F 05 CC E8 29 63 CB 06 74 DE
   00010:   B2 E2 DD 50 5F 57 94 7E 2A 92 C5 26 B3 8B 5F BC


   ---------------------------Client---------------------------

   Finished message:
   msg_type:                14
   length:                  000020
   body:
     verify_data:           5A96F354375E7F05CCE82963CB0674DE
                            B2E2DD505F57947E2A92C526B38B5FBC

   00000:   14 00 00 20 5A 96 F3 54 37 5E 7F 05 CC E8 29 63
   00010:   CB 06 74 DE B2 E2 DD 50 5F 57 94 7E 2A 92 C5 26
   00020:   B3 8B 5F BC

   Record layer message:
   type:                    16
   version:
     major:                 03
     minor:                 03
   length:                  0034
   fragment:                CA97257884E730D5AC1FB76D6526899B
                            8840C07A057E1DCBEC3B1D20C7CD7FD4
                            16BA78B87DC0CD49F9718F87D7C2F81F
                            27C8BA8B

   00000:   16 03 03 00 34 CA 97 25 78 84 E7 30 D5 AC 1F B7
   00010:   6D 65 26 89 9B 88 40 C0 7A 05 7E 1D CB EC 3B 1D
   00020:   20 C7 CD 7F D4 16 BA 78 B8 7D C0 CD 49 F9 71 8F
   00030:   87 D7 C2 F8 1F 27 C8 BA 8B


   ---------------------------Server---------------------------

   ChangeCipherSpec message:
   type:                    01

   00000:   01

   Record layer message:
   type:                    14
   version:
     major:                 03
     minor:                 03
   length:                  0001



Smyshlyaev, et al.       Expires April 20, 2019                [Page 61]


Internet-Draft       GOST Cipher Suites for TLS 1.2         October 2018


   fragment:                01

   00000:   14 03 03 00 01 01


   ---------------------------Server---------------------------

   HASH(HM):
   00000:   A1 0A B7 4A DC BC EB DF D3 20 79 3E 5D 3E 90 90
   00010:   CE 30 E3 AE 93 5F 6F E0 30 01 DB 03 D5 0D 5D 1B

   server_verify_data:
   00000:   A2 03 08 F0 17 39 63 EE DD AE 6E 1E 12 76 8F A3
   00010:   91 C8 4E B5 48 41 C3 7B DB A3 2D 27 5A 17 88 66


   ---------------------------Server---------------------------

   Finished message:
   msg_type:                14
   length:                  000020
   body:
     verify_data:           A20308F0173963EEDDAE6E1E12768FA3
                            91C84EB54841C37BDBA32D275A178866

   00000:   14 00 00 20 A2 03 08 F0 17 39 63 EE DD AE 6E 1E
   00010:   12 76 8F A3 91 C8 4E B5 48 41 C3 7B DB A3 2D 27
   00020:   5A 17 88 66

   Record layer message:
   type:                    16
   version:
     major:                 03
     minor:                 03
   length:                  0034
   fragment:                F3DBAB6EA0562B3F71A879D3D6750FDA
                            269DA9A8FF8686C8E229D8F542500743
                            B44A13BA7737325AC0E617AA5BFFA4A4
                            E48FA7E8

   00000:   16 03 03 00 34 F3 DB AB 6E A0 56 2B 3F 71 A8 79
   00010:   D3 D6 75 0F DA 26 9D A9 A8 FF 86 86 C8 E2 29 D8
   00020:   F5 42 50 07 43 B4 4A 13 BA 77 37 32 5A C0 E6 17
   00030:   AA 5B FF A4 A4 E4 8F A7 E8


   ---------------------------Client---------------------------




Smyshlyaev, et al.       Expires April 20, 2019                [Page 62]


Internet-Draft       GOST Cipher Suites for TLS 1.2         October 2018


   Application data:
   00000:   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00010:   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

   Record layer message:
   type:                    17
   version:
     major:                 03
     minor:                 03
   length:                  0030
   fragment:                E01DFE3155F02E164284F359D3E811BB
                            CEAA9F24EA9BCEB26C1D1DA80996F72A
                            9D097430398FE2A414BE9B97C8603E97

   00000:   17 03 03 00 30 E0 1D FE 31 55 F0 2E 16 42 84 F3
   00010:   59 D3 E8 11 BB CE AA 9F 24 EA 9B CE B2 6C 1D 1D
   00020:   A8 09 96 F7 2A 9D 09 74 30 39 8F E2 A4 14 BE 9B
   00030:   97 C8 60 3E 97


   ---------------------------Server---------------------------

   Application data:
   00000:   FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
   00010:   FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF

   Record layer message:
   type:                    17
   version:
     major:                 03
     minor:                 03
   length:                  0030
   fragment:                F7F5A29767A3C0DC2B070A61C97BFB0A
                            E94BB6126D0DD745C1FB8361C7146AE6
                            4966244F4D142A724F6E141549BA1201

   00000:   17 03 03 00 30 F7 F5 A2 97 67 A3 C0 DC 2B 07 0A
   00010:   61 C9 7B FB 0A E9 4B B6 12 6D 0D D7 45 C1 FB 83
   00020:   61 C7 14 6A E6 49 66 24 4F 4D 14 2A 72 4F 6E 14
   00030:   15 49 BA 12 01


   ---------------------------Client---------------------------

   close_notify alert:
   Alert:
     level:                 01
     description:           00



Smyshlyaev, et al.       Expires April 20, 2019                [Page 63]


Internet-Draft       GOST Cipher Suites for TLS 1.2         October 2018


   00000:   01 00

   Record layer message:
   type:                    15
   version:
     major:                 03
     minor:                 03
   length:                  0012
   fragment:                B9B550F9458C7E0CD60038C979662CAD
                            EE16

   00000:   15 03 03 00 12 B9 B5 50 F9 45 8C 7E 0C D6 00 38
   00010:   C9 79 66 2C AD EE 16


   ---------------------------Server---------------------------

   close_notify alert:
   Alert:
     level:                 01
     description:           00

   00000:   01 00

   Record layer message:
   type:                    15
   version:
     major:                 03
     minor:                 03
   length:                  0012
   fragment:                453DF39A53D9A0F33CDDE9F1E0476BA7
                            F10C

   00000:   15 03 03 00 12 45 3D F3 9A 53 D9 A0 F3 3C DD E9
   00010:   F1 E0 47 6B A7 F1 0C


A.2.  Test Examples for CNT_IMIT cipher suites

A.2.1.  Record Examples


   It is assumed that during Handshake following keys were established:

   - MAC key:
   00000:   ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
   00010:   ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
   - Encryption key:



Smyshlyaev, et al.       Expires April 20, 2019                [Page 64]


Internet-Draft       GOST Cipher Suites for TLS 1.2         October 2018


   00000:   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00010:   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   - IV:
   00000:   00 00 00 00 00 00 00 00

   ---------------------------------------------------------
   seqnum = 0

   Application data:
   00000:   00 00 00 00 00 00 00

   Plaintext:
   00000:   17 03 03 00 07 00 00 00 00 00 00 00

   MAC:
   00000:   30 01 34 a1

   Ciphertext:
   00000:   17 03 03 00 0b 86 71 cd bf 3c 1a ae 0f 62 4b 04

   ---------------------------------------------------------
   seqnum = 1

   Application data:

   00000:   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00010:   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
     ....
   007f0:   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

   Plaintext:
   00000:   17 03 03 08 00 00 00 00 00 00 00 00 00 00 00 00
   00010:   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
     ....
   007f0:   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00804:   00 00 00 00 00

   MAC:
   00000:   f7 c3 8b 8a

   Ciphertext:
   00000:   17 03 03 08 04 cf aa 0c b4 2f a5 a4 7a 13 3d 73
   00010:   b9 f2 c0 b0 4f 8c a2 55 52 f8 56 bc be 6a 58 fa
     ....
   007f0:   3e e2 c7 6f a2 30 a0 44 be 21 dc 8e 1a 96 f9 a8
   00804:   88 1f ad 83 45 96 96 84 47





Smyshlyaev, et al.       Expires April 20, 2019                [Page 65]


Internet-Draft       GOST Cipher Suites for TLS 1.2         October 2018


A.2.2.  Handshake Examples


client -> server

0000   16 03 03 00 3e 01 00 00 3a 03 03 61 53 80 49 30
0010   e2 cf d2 ac 10 97 5d b1 66 ae 9f df f9 e7 3b 7a
0020   47 68 27 f0 6e 37 10 e9 24 5a 3c 00 00 02 ff 85
0030   01 00 00 0f 00 0d 00 06 00 04 ef ef ee ee ff 01
0040   00 01 00

TLSv1.2 Record Layer: Handshake Protocol: Client Hello
    Content Type: Handshake (22)
    Version: TLS 1.2 (0x0303)
    Length: 62
    Handshake Protocol: Client Hello
        Handshake Type: Client Hello (1)
        Length: 58
        Version: TLS 1.2 (0x0303)
        Random: 6153804930e2cfd2ac10975db166ae9fdff9e73b7a476827f06e3710e9245a3c
        Session ID Length: 0
        Cipher Suites Length: 2
        Cipher Suites (1 suite)
            Cipher Suite: TLS_GOSTR341112_256_WITH_28147_CNT_IMIT (0xff85)
        Compression Methods Length: 1
        Compression Methods (1 method)
        Extensions Length: 15
        Extension: signature_algorithms (len=6)
            Type: signature_algorithms (13)
            Length: 6
            Signature Hash Algorithms Length: 4
            Signature Hash Algorithms (2 algorithms)
                Signature Algorithm: gostr34102012_512 gostr34102012_512 (0xefef)
                    Signature Hash Algorithm Hash: gostr34102012_512 (239)
                    Signature Hash Algorithm Signature: gostr34102012_512 (239)
                Signature Algorithm: gostr34102012_256 gostr34102012_256 (0xeeee)
                    Signature Hash Algorithm Hash: gostr34102012_256 (238)
                    Signature Hash Algorithm Signature: gostr34102012_256 (238)
        Extension: renegotiation_info (len=1)
            Type: renegotiation_info (65281)
            Length: 1
            Renegotiation Info extension
                Renegotiation info extension length: 0

---------------------------------------------------------

server -> client




Smyshlyaev, et al.       Expires April 20, 2019                [Page 66]


Internet-Draft       GOST Cipher Suites for TLS 1.2         October 2018


0000   16 03 03 00 51 02 00 00 4d 03 03 e6 bd 34 dd 03
0010   26 e6 75 1d 8d 45 e5 81 05 b0 a9 5f 0e 12 88 a2
0020   cf 9b 7b 44 4f 57 4e 47 52 44 01 20 5f d4 61 e1
0030   ff 8d 62 1c 02 99 24 0c 6c c9 f6 7a b2 4d d7 ff
0040   e4 e4 e5 f4 28 ee 6e bd 6d 9c a2 4a ff 85 00 00
0050   05 ff 01 00 01 00

TLSv1.2 Record Layer: Handshake Protocol: Server Hello
    Content Type: Handshake (22)
    Version: TLS 1.2 (0x0303)
    Length: 81
    Handshake Protocol: Server Hello
        Handshake Type: Server Hello (2)
        Length: 77
        Version: TLS 1.2 (0x0303)
        Random: e6bd34dd0326e6751d8d45e58105b0a95f0e1288a2cf9b7b444f574e47524401
        Session ID Length: 32
        Session ID: 5fd461e1ff8d621c0299240c6cc9f67ab24dd7ffe4e4e5f428ee6ebd6d9ca24a
        Cipher Suite: TLS_GOSTR341112_256_WITH_28147_CNT_IMIT (0xff85)
        Compression Method: null (0)
        Extensions Length: 5
        Extension: renegotiation_info (len=1)
            Type: renegotiation_info (65281)
            Length: 1
            Renegotiation Info extension
                Renegotiation info extension length: 0

---------------------------------------------------------

server -> client

0000   16 03 03 02 6a 0b 00 02 66 00 02 63 00 02 60 30
0010   82 02 5c 30 82 01 c8 a0 03 02 01 02 02 14 78 94
0020   dc 9d 92 09 77 80 91 91 64 2f 1d ae dc 26 ba 3b
0030   51 04 30 0a 06 08 2a 85 03 07 01 01 03 03 30 19
0040   31 17 30 15 06 03 55 04 03 13 0e 43 41 20 43 65
0050   72 74 69 66 69 63 61 74 65 30 1e 17 0d 31 38 30
0060   31 30 32 30 30 30 30 31 31 5a 17 0d 32 32 30 31
0070   30 32 30 30 30 30 32 31 5a 30 21 31 1f 30 1d 06
0080   03 55 04 03 13 16 53 65 72 76 65 72 20 35 31 32
0090   20 43 65 72 74 69 66 69 63 61 74 65 30 81 aa 30
00a0   21 06 08 2a 85 03 07 01 01 01 02 30 15 06 09 2a
00b0   85 03 07 01 02 01 02 01 06 08 2a 85 03 07 01 01
00c0   02 03 03 81 84 00 04 81 80 95 67 94 9f 6a bf a3
00d0   d9 89 1c 70 21 f2 89 fd 24 14 1b 84 e3 23 29 24
00e0   b8 58 91 38 55 46 79 54 e0 7a 9b 2e 9d 85 ac 2e
00f0   0b 99 3e 43 d5 13 6a f3 97 6d 23 24 48 99 43 41
0100   20 c8 8a 27 c0 66 05 db 16 cf d4 0f a0 c4 77 20



Smyshlyaev, et al.       Expires April 20, 2019                [Page 67]


Internet-Draft       GOST Cipher Suites for TLS 1.2         October 2018


0110   08 6d a0 15 16 76 44 04 22 82 32 f7 f7 f2 26 98
0120   62 80 da ff aa 99 bb 6f 7d 5a e6 4a 5a 28 cb 02
0130   fd b8 4f e2 0d d5 7a ae a5 35 16 bb 2b f1 85 6b
0140   bc c8 23 bd c5 de 80 1e d0 a3 81 93 30 81 90 30
0150   0c 06 03 55 1d 13 01 01 ff 04 02 30 00 30 1a 06
0160   03 55 1d 11 04 13 30 11 82 09 6c 6f 63 61 6c 68
0170   6f 73 74 87 04 7f 00 00 01 30 13 06 03 55 1d 25
0180   04 0c 30 0a 06 08 2b 06 01 05 05 07 03 01 30 0f
0190   06 03 55 1d 0f 01 01 ff 04 05 03 03 07 b0 00 30
01a0   1d 06 03 55 1d 0e 04 16 04 14 ae 46 41 1b fd b3
01b0   08 c3 39 03 47 57 57 2b 0f bf a3 6f 9a 99 30 1f
01c0   06 03 55 1d 23 04 18 30 16 80 14 7f 7b 7a 15 61
01d0   a6 f2 18 a2 e3 48 3b c6 39 d9 7f 42 db 6d af 30
01e0   0a 06 08 2a 85 03 07 01 01 03 03 03 81 81 00 9c
01f0   49 78 f7 1b ab 54 8a 25 6d 2a 18 7c a8 4d 72 4f
0200   e1 ef a7 e5 36 67 2e 79 1f 8a 0c b6 74 1e b1 63
0210   e2 96 37 8c 5b 82 83 ee da b4 1b a4 22 1e bc e2
0220   05 f6 f8 79 cf eb f0 ad e9 36 07 0f b2 40 e5 0d
0230   04 37 03 7f 2a ec 99 c7 cd 23 9f 6f 20 25 a8 6c
0240   12 d5 1f 99 c9 8a 4a 99 04 f0 ea 54 86 fe d7 ff
0250   66 ab 8e b2 42 5e 1a ce ae 8a 75 8b df 84 3b e1
0260   a8 f6 fe bf 67 30 15 fe d7 ab 86 53 3d bf 20

TLSv1.2 Record Layer: Handshake Protocol: Certificate
    Content Type: Handshake (22)
    Version: TLS 1.2 (0x0303)
    Length: 618
    Handshake Protocol: Certificate
        Handshake Type: Certificate (11)
        Length: 614
        Certificates Length: 611
        Certificates (611 bytes)
            Certificate Length: 608
            Certificate: 3082025c308201c8a00302010202147894dc9d9209778091...

---------------------------------------------------------

server -> client

0000   16 03 03 00 2f 0d 00 00 2b 05 01 02 40 ee ef 00
0010   04 ef ef ee ee 00 1d 00 1b 30 19 31 17 30 15 06
0020   03 55 04 03 13 0e 43 41 20 43 65 72 74 69 66 69
0030   63 61 74 65

TLSv1.2 Record Layer: Handshake Protocol: Certificate Request
    Content Type: Handshake (22)
    Version: TLS 1.2 (0x0303)
    Length: 47



Smyshlyaev, et al.       Expires April 20, 2019                [Page 68]


Internet-Draft       GOST Cipher Suites for TLS 1.2         October 2018


    Handshake Protocol: Certificate Request
        Handshake Type: Certificate Request (13)
        Length: 43
        Certificate types count: 5
        Certificate types (5 types)
            Certificate type: RSA Sign (1)
            Certificate type: DSS Sign (2)
            Certificate type: ECDSA Sign (64)
            Certificate type: Unknown (238)
            Certificate type: Unknown (239)
        Signature Hash Algorithms Length: 4
        Signature Hash Algorithms (2 algorithms)
                Signature Algorithm: gostr34102012_512 gostr34102012_512 (0xefef)
                    Signature Hash Algorithm Hash: gostr34102012_512 (239)
                    Signature Hash Algorithm Signature: gostr34102012_512 (239)
                Signature Algorithm: gostr34102012_256 gostr34102012_256 (0xeeee)
                    Signature Hash Algorithm Hash: gostr34102012_256 (238)
                    Signature Hash Algorithm Signature: gostr34102012_256 (238)
        Distinguished Names Length: 29
        Distinguished Names (29 bytes)
---------------------------------------------------------

server -> client

0000   16 03 03 00 04 0e 00 00 00

TLSv1.2 Record Layer: Handshake Protocol: Server Hello Done
    Content Type: Handshake (22)
    Version: TLS 1.2 (0x0303)
    Length: 4
    Handshake Protocol: Server Hello Done
        Handshake Type: Server Hello Done (14)
        Length: 0

---------------------------------------------------------

client -> server

0000   16 03 03 02 07 0b 00 02 03 00 02 00 00 01 fd 30
0010   82 01 f9 30 82 01 65 a0 03 02 01 02 02 14 47 07
0020   04 a6 c5 d9 ed 65 1a 66 4d f8 f3 68 2d c3 59 8f
0030   9f 3e 30 0a 06 08 2a 85 03 07 01 01 03 03 30 19
0040   31 17 30 15 06 03 55 04 03 13 0e 43 41 20 43 65
0050   72 74 69 66 69 63 61 74 65 30 1e 17 0d 31 38 30
0060   31 30 32 30 30 30 30 31 32 5a 17 0d 32 32 30 31
0070   30 32 30 30 30 30 33 32 5a 30 21 31 1f 30 1d 06
0080   03 55 04 03 13 16 43 6c 69 65 6e 74 20 32 35 36
0090   20 43 65 72 74 69 66 69 63 61 74 65 30 66 30 1f



Smyshlyaev, et al.       Expires April 20, 2019                [Page 69]


Internet-Draft       GOST Cipher Suites for TLS 1.2         October 2018


00a0   06 08 2a 85 03 07 01 01 01 01 30 13 06 07 2a 85
00b0   03 02 02 23 01 06 08 2a 85 03 07 01 01 02 02 03
00c0   43 00 04 40 57 e4 a2 be 86 1d e8 72 2d c5 d0 b2
00d0   1b 21 57 0b ee 43 d9 07 40 ee db 6c ee 04 99 0f
00e0   58 b3 f0 0f 66 f3 21 44 46 4d cc e8 b0 0d 72 c5
00f0   89 21 da 05 3a 4b c7 f4 eb a5 25 68 ae 79 e8 23
0100   29 4e 0c 56 a3 76 30 74 30 0c 06 03 55 1d 13 01
0110   01 ff 04 02 30 00 30 13 06 03 55 1d 25 04 0c 30
0120   0a 06 08 2b 06 01 05 05 07 03 02 30 0f 06 03 55
0130   1d 0f 01 01 ff 04 05 03 03 07 b0 00 30 1d 06 03
0140   55 1d 0e 04 16 04 14 0f 6d b6 a1 e3 a2 6f 52 ab
0150   a7 39 d1 39 c2 51 bf 25 4d a2 aa 30 1f 06 03 55
0160   1d 23 04 18 30 16 80 14 7f 7b 7a 15 61 a6 f2 18
0170   a2 e3 48 3b c6 39 d9 7f 42 db 6d af 30 0a 06 08
0180   2a 85 03 07 01 01 03 03 03 81 81 00 b2 83 3d db
0190   7f 5a 80 54 d3 b4 42 cb 0b 61 7c 99 d6 27 36 d7
01a0   2c 13 04 f5 28 22 89 f9 34 9a 1e 0f 8c db da f4
01b0   7d 11 cd fa b9 f1 02 b4 a0 8f 3c 35 01 f3 1b 8f
01c0   60 4a 64 c8 f7 16 01 cb 6f e1 55 c3 8f 76 d2 d9
01d0   50 b7 55 74 10 a7 0d c5 d7 70 52 d2 bd 14 57 81
01e0   7c 05 2f 21 03 3f 84 7b 7e 23 b1 ce 1b a7 cd 4a
01f0   1f 7f 83 cc 43 75 e0 0b fe 7b 6a 14 21 76 ba 21
0200   49 f5 88 51 a1 30 0a 04 b7 1c 95 d4

TLSv1.2 Record Layer: Handshake Protocol: Certificate
    Content Type: Handshake (22)
    Version: TLS 1.2 (0x0303)
    Length: 519
    Handshake Protocol: Certificate
        Handshake Type: Certificate (11)
        Length: 515
        Certificates Length: 512
        Certificates (512 bytes)

---------------------------------------------------------
VKO PRIVATE KEY[64]:
d46a655f4fc7a0d419be74539761c99d5911061778c35bcdeb83e25ddeca331
88dc3b5cd01bb119628c0b844a8c4b30e743576bb3222f959b9e8d0da377592
---------------------------------------------------------

client -> server

0000   16 03 03 00 f9 10 00 00 f5 30 81 f2 30 81 ef 30
0010   28 04 20 de b2 79 5a a9 14 a7 e6 0b b1 6b c4 b5
0020   ee 44 47 93 a9 37 e3 b1 fa 4b e6 80 1a 9c 12 04
0030   93 bc 49 04 04 7a 70 60 69 a0 81 c2 06 09 2a 85
0040   03 07 01 02 05 01 01 a0 81 aa 30 21 06 08 2a 85
0050   03 07 01 01 01 02 30 15 06 09 2a 85 03 07 01 02



Smyshlyaev, et al.       Expires April 20, 2019                [Page 70]


Internet-Draft       GOST Cipher Suites for TLS 1.2         October 2018


0060   01 02 01 06 08 2a 85 03 07 01 01 02 03 03 81 84
0070   00 04 81 80 6a 28 2e f5 e0 63 8b 93 35 09 b2 a0
0080   91 5c 89 85 60 c0 9d ee 8c 14 35 d4 d7 8a ba 75
0090   27 4c e1 9a 1a 0b a4 ba c9 6e 7a dd 83 9d 5a 2c
00a0   14 49 ae 12 2e 82 3d 7e d3 bb 67 a5 4a 21 0c 74
00b0   ff 56 1f 20 5c 12 44 7c 58 72 6c c9 c0 eb 8c 67
00c0   62 4a 79 6a e3 5a 30 bd 89 98 12 e5 0e e8 a5 e5
00d0   30 ed 50 1e fd f4 43 7d 55 79 fa de 34 73 66 7d
00e0   ba 65 ba 56 61 29 fc 60 50 c3 a6 d9 d0 b5 0e 80
00f0   c7 a2 a8 1b 04 08 c4 5e d2 ee bd 69 e3 c9

TLSv1.2 Record Layer: Handshake Protocol: Client Key Exchange
    Content Type: Handshake (22)
    Version: TLS 1.2 (0x0303)
    Length: 249
    Handshake Protocol: Client Key Exchange
        Handshake Type: Client Key Exchange (16)
        Length: 245


---------------------------------------------------------

client -> server

0000   16 03 03 00 48 0f 00 00 44 ee ee 00 40 19 a9 05
0010   4a c3 76 92 c5 60 02 bc 40 3f 62 6a 8b bc 25 e2
0020   52 f9 f0 72 68 d4 70 da 72 6a ce 8a bb a5 83 53
0030   d7 3c 4b 34 48 a7 2c bb 82 93 a6 4d 9e fc 36 98
0040   18 e7 c8 04 c2 7e 9f ea ce ac 65 79 25

TLSv1.2 Record Layer: Handshake Protocol: Certificate Verify
    Content Type: Handshake (22)
    Version: TLS 1.2 (0x0303)
    Length: 72
    Handshake Protocol: Certificate Verify
        Handshake Type: Certificate Verify (15)
        Length: 68
        Signature Algorithm: gostr34102012_256 gostr34102012_256 (0xeeee)
            Signature Hash Algorithm Hash: gostr34102012_256 (238)
            Signature Hash Algorithm Signature: gostr34102012_256 (238)
        Signature length: 64
        Signature: 19a9054ac37692c56002bc403f626a8bbc25e252f9f07268d470da726ace8abb
                   a58353d73c4b3448a72cbb8293a64d9efc369818e7c804c27e9feaceac657925

---------------------------------------------------------

client -> server




Smyshlyaev, et al.       Expires April 20, 2019                [Page 71]


Internet-Draft       GOST Cipher Suites for TLS 1.2         October 2018


0000   14 03 03 00 01 01

TLSv1.2 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
    Content Type: Change Cipher Spec (20)
    Version: TLS 1.2 (0x0303)
    Length: 1
    Change Cipher Spec Message

---------------------------------------------------------
PREMASTER SECRET[32]: fadd834d5d887253e33580b399b36a41ee42faf179a44c95885ddaaacdfd28c8
CLIENT RANDOM[32]: 6153804930e2cfd2ac10975db166ae9fdff9e73b7a476827f06e3710e9245a3c
SERVER RANDOM[32]: e6bd34dd0326e6751d8d45e58105b0a95f0e1288a2cf9b7b444f574e47524401
MASTER SECRET[48]: 6fbf770be54c718da1a1875cbcc948722588ba2a374d5b496fbb270452a8f408c9
                   5e1c28883b7524af2afa63cd2bbd2f
CLIENT MAC KEY [32]: c9ffcd14ca3150732d1ee30c8c5acfa8fc43e813a8090407095c4870fef82f4d
SERVER MAC KEY [32]: fe1c675405dc40e73c29274192126cb10c33afa09f7c009a49da6a9fded490b1
CLIENT WRITE KEY [32]: abb7919a60ac828f001ba7fc824dfbc0a6ffc88818c4cc75cacb917049b4423d
SERVER WRITE KEY [32]: c521c75efe65c17d2bb1e2a8e577e44b3dcf7dcc3e2a3b25c4f01bf24d9147b9
CLIENT WRITE IV [8]: fd9ef69d6e246e7d
SERVER WRITE IV [8]: 133088402844ae73
---------------------------------------------------------

client -> server

0000   16 03 03 00 14 5d 3d c6 48 44 3c 17 b6 95 90 e5
0010   0b 7f 9a 86 eb 7e 08 db 78

TLSv1.2 Record Layer: Handshake Protocol: Encrypted Handshake Message
    Content Type: Handshake (22)
    Version: TLS 1.2 (0x0303)
    Length: 20
    Handshake Protocol: Encrypted Handshake Message

Decrypted data:
0000   14 00 00 0c 74 72 15 6e f1 d4 20 08 0b 52 18 39
0010   c9 a0 cb 55

SeqNo: 0
Plaintext: 1400000c7472156ef1d420080b521839
MAC: c9a0cb55

---------------------------------------------------------

server -> client

0000   14 03 03 00 01 01

TLSv1.2 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec



Smyshlyaev, et al.       Expires April 20, 2019                [Page 72]


Internet-Draft       GOST Cipher Suites for TLS 1.2         October 2018


    Content Type: Change Cipher Spec (20)
    Version: TLS 1.2 (0x0303)
    Length: 1
    Change Cipher Spec Message

---------------------------------------------------------

server -> client

0000   16 03 03 00 14 1e 8d 8a 90 51 11 49 b0 0a c0 5b
0010   3f a1 01 91 a7 7d d3 08 61

TLSv1.2 Record Layer: Handshake Protocol: Encrypted Handshake Message
    Content Type: Handshake (22)
    Version: TLS 1.2 (0x0303)
    Length: 20
    Handshake Protocol: Encrypted Handshake Message

Decrypted data:

0000   14 00 00 0c 5f 9a a2 91 63 73 c5 76 00 24 7d 89
0010   2e bc 23 74

SeqNo: 0
Plaintext: 1400000c5f9aa2916373c57600247d89
MAC: 2ebc2374

---------------------------------------------------------

client -> server

0000   17 03 03 00 0a 03 67 5c d5 b3 9c 42 af c7 79

TLSv1.2 Record Layer: Application Data Protocol: Application Data
    Content Type: Application Data (23)
    Version: TLS 1.2 (0x0303)
    Length: 10
    Encrypted Application Data: 03675cd5b39c42afc779

Decrypted data:

0000   68 65 6c 6c 6f 0a a3 22 93 9c

SeqNo: 1
Plaintext: 68656c6c6f0a
MAC: a322939c

---------------------------------------------------------



Smyshlyaev, et al.       Expires April 20, 2019                [Page 73]


Internet-Draft       GOST Cipher Suites for TLS 1.2         October 2018


server -> client

0000   17 03 03 00 0a 17 fe 1c 80 18 55 3c a3 9f 72

TLSv1.2 Record Layer: Application Data Protocol: Application Data
    Content Type: Application Data (23)
    Version: TLS 1.2 (0x0303)
    Length: 10
    Encrypted Application Data: 17fe1c8018553ca39f72

Decrypted data:

0000   68 65 6c 6c 6f 0a e9 f1 be f7

SeqNo: 1
Plaintext: 68656c6c6f0a
MAC: e9f1bef7

---------------------------------------------------------

client -> server

0000   15 03 03 00 06 d2 85 f8 5e 11 40

TLSv1.2 Record Layer: Encrypted Alert
    Content Type: Alert (21)
    Version: TLS 1.2 (0x0303)
    Length: 6
    Alert Message: Encrypted Alert

Decrypted data:

0000   01 00 18 8c fe 58

SeqNo: 2
Plaintext: 0100
MAC: 188cfe58

---------------------------------------------------------

server -> client

0000   15 03 03 00 06 ca 7d 8b 03 21 04

TLSv1.2 Record Layer: Encrypted Alert
    Content Type: Alert (21)
    Version: TLS 1.2 (0x0303)
    Length: 6



Smyshlyaev, et al.       Expires April 20, 2019                [Page 74]


Internet-Draft       GOST Cipher Suites for TLS 1.2         October 2018


    Alert Message: Encrypted Alert

Decrypted data:

0000   01 00 be b9 f9 c2

SeqNo: 2
Plaintext: 0100
MAC: beb9f9c2




Appendix B.  Contributors

   o  Evgeny Alekseev
      CryptoPro
      alekseev@cryptopro.ru

   o  Ekaterina Smyshlyaeva
      CryptoPro
      ess@cryptopro.ru

   o  Grigory Sedov
      CryptoPro
      sedovgk@cryptopro.ru

   o  Dmitry Eremin-Solenikov
      Auriga
      dbaryshkov@gmail.com

Appendix C.  Acknowledgments

Authors' Addresses

   Stanislav Smyshlyaev (editor)
   CryptoPro
   18, Suschevsky val
   Moscow  127018
   Russian Federation

   Phone: +7 (495) 995-48-20
   Email: svs@cryptopro.ru








Smyshlyaev, et al.       Expires April 20, 2019                [Page 75]


Internet-Draft       GOST Cipher Suites for TLS 1.2         October 2018


   Dmitry Belyavsky
   Cryptocom
   14/2 Kedrova st
   Moscow  117218
   Russian Federation

   Email: beldmit@gmail.com


   Markku-Juhani O. Saarinen
   Independent Consultant

   Email: mjos@iki.fi






































Smyshlyaev, et al.       Expires April 20, 2019                [Page 76]


Html markup produced by rfcmarkup 1.129d, available from https://tools.ietf.org/tools/rfcmarkup/