index.html.template

<!doctype html>
<html>

<head>
	<title>The Illustrated TLS Connection: Every Byte Explained</title>
	<meta charset="utf-8"/>
	<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"/>
	<meta name="format-detection" content="telephone=no"/>
	<meta name="title" content="The Illustrated TLS Connection"/>
	<meta name="description" content="Every byte of a TLS connection explained and reproduced"/>
	<link rel="stylesheet" href="frombootstrap.css"/>
	<link rel="stylesheet" href="illustrated.css"/>
	<script src="illustrated.js"></script>
</head>

<body class="illustrated">
<div class="container">
	<h1>The Illustrated TLS Connection</h1>

	<h3>Every byte of a TLS connection explained and reproduced.</h3>

	<div class="outerblock">
	<p>In this demonstration a client has connected to a server,
	negotiated a TLS 1.2 session, sent "ping", received "pong",
	and then terminated the session. Click below to begin
	exploring.</p>
	</div>

<div class="record client">
<div class="label">Client Hello</div>
<image class="illustration" src="images/key1.png" width="135" height="250"/>
<div class="explanation">
	The session begins with the client saying "Hello".
	The client provides the following:
	<ul>
	<li>protocol version
	<li>client random data (used later in the handshake)
	<li>an optional session id to resume
	<li>a list of cipher suites
	<li>a list of compression methods
	<li>a list of extensions
	</ul>
</div>
%file ../captures/caps/clienthello
<span class="record-data">
	<span class="string">
		<span class="label">Record Header</span>
		<span class="bytes">
%next 5
%bytes
		</span>
		<div class="explanation">
			TLS sessions are broken into the sending
			and receiving of "records", which are blocks
			of data with a type, a protocol version,
			and a length.
			<ul>
			<li><tt>%0</tt> - type is 0x16 (handshake record)
			<li><tt>%1 %2</tt> - protocol version is 3.1 (also known as TLS 1.0)
			<li><tt>%3 %4</tt> - the length of the record payload is %xx3 (%dd3) bytes
			</ul>
			Interestingly the version is 3.1 (TLS 1.0) instead
			of the expected 3.3 (TLS 1.2).  Looking through the
			golang crypto/tls library we find the following
			comment:
<pre><code>if vers == 0 {
    // Some TLS servers fail if the record version is
    // greater than TLS 1.0 for the initial ClientHello.
    vers = VersionTLS10
}</code></pre>
			All data following this header is the payload for this record.
		</div>
	</span>

	<span class="string">
		<span class="label">Handshake Header</span>
		<span class="bytes">
%next 4
%bytes
		</span>
		<div class="explanation">
			Each handshake message starts with a type and a length.
			<ul>
			<li><tt>%0</tt> - handshake message type 0x01 (client hello)
			<li><tt>%1 %2 %3</tt> - payload length of %xxx1 (%ddd1) bytes
			</ul>
			All data following this header is the payload for this message.
		</div>
	</span>

	<span class="string">
		<span class="label">Client Version</span>
		<span class="bytes">
%next 2
%bytes
		</span>
		<div class="explanation">
			The protocol version of 3.3 (meaning TLS 1.2) is given.
			<br/><br/>
			This choice of version number (3.3 rather
			than 1.2) is due to TLS 1.0 being a minor
			revision of the SSL 3.0 protocol, thus being
			assigned version 3.1.
		</div>
	</span>

	<span class="string">
		<span class="label">Client Random</span>
		<span class="bytes">
%next 32
%bytes
		</span>
		<div class="explanation">
			The client provides 32 bytes of cryptographically secure random data.
			In this example we've made the random data predictable to make it easier to recognize.
			<br/><br/>
			The TLS 1.2 spec says that the first 4 bytes
			should be the current time in seconds-since-1970
			but this is now recommended against as it enables
			fingerprinting of hosts and servers.
		</div>
	</span>

	<span class="string">
		<span class="label">Session ID</span>
		<span class="bytes">
%next 1
%bytes
		</span>
		<div class="explanation">
			The client can provide the ID of a previous
			TLS session against this server which it
			is able to resume.  For this to work both
			the server and client will have remembered
			key information from the previous connection
			in memory.  Resuming a connection saves a
			lot of computation and network round-trip
			time so it is performed whenever possible.
			<ul>
			<li><tt>%0</tt> - length of zero (no session id is provided)
			</ul>
		</div>
	</span>

	<span class="string">
		<span class="label">Cipher Suites</span>
		<span class="bytes">
%next 34
%bytes
		</span>
		<div class="explanation">
			The client provides an ordered list of which
			cryptographic methods it will support for
			key exchange, encryption with that exchanged
			key, and message authentication method.
			The list is in the order preferred by the
			client, with highest preference first.
			<ul>
			<li><tt>%0 %1</tt> - %xx0 (%dd0) bytes of cipher suite data
			<li><tt>cc a8</tt> - assigned value for <tt>ECDHE-RSA-CHACHA20-POLY1305-SHA256</tt>
			<li><tt>cc a9</tt> - assigned value for <tt>ECDHE-ECDSA-CHACHA20-POLY1305-SHA256</tt>
			<li><tt>c0 2f</tt> - assigned value for <tt>ECDHE-RSA-AES128-GCM-SHA256</tt>
			<li><tt>c0 30</tt> - assigned value for <tt>ECDHE-RSA-AES256-GCM-SHA384</tt>
			<li><tt>c0 2b</tt> - assigned value for <tt>ECDHE-ECDSA-AES128-GCM-SHA256</tt>
			<li><tt>c0 2c</tt> - assigned value for <tt>ECDHE-ECDSA-AES256-GCM-SHA384</tt>
			<li><tt>c0 13</tt> - assigned value for <tt>ECDHE-RSA-AES128-SHA</tt>
			<li><tt>c0 09</tt> - assigned value for <tt>ECDHE-ECDSA-AES128-SHA</tt>
			<li><tt>c0 14</tt> - assigned value for <tt>ECDHE-RSA-AES256-SHA</tt>
			<li><tt>c0 0a</tt> - assigned value for <tt>ECDHE-ECDSA-AES256-SHA</tt>
			<li><tt>00 9c</tt> - assigned value for <tt>RSA-AES128-GCM-SHA256</tt>
			<li><tt>00 9d</tt> - assigned value for <tt>RSA-AES256-GCM-SHA384</tt>
			<li><tt>00 2f</tt> - assigned value for <tt>RSA-AES128-SHA</tt>
			<li><tt>00 35</tt> - assigned value for <tt>RSA-AES256-SHA</tt>
			<li><tt>c0 12</tt> - assigned value for <tt>ECDHE-RSA-3DES-EDE-SHA</tt>
			<li><tt>00 0a</tt> - assigned value for <tt>RSA-3DES-EDE-SHA</tt>
			</ul>
		</div>
	</span>

	<span class="string">
		<span class="label">Compression Methods</span>
		<span class="bytes">
%next 2
%bytes
		</span>
		<div class="explanation">
			The client provides an ordered list of which
			compression methods it will support.  This
			compression would be applied before encryption
			(as properly encrypted data is usually incompressible).
			<ul>
			<li><tt>%0</tt> - %x0 (%d0) bytes of compression methods
			<li><tt>00</tt> - assigned value for no compression
			</ul>
			Compression has characteristics that can weaken
			the security of the encrypted data so this feature
			has been removed from future TLS protocols.
		</div>
	</span>

	<span class="string">
		<span class="label">Extensions Length</span>
		<span class="bytes">
%next 2
%bytes
		</span>
		<div class="explanation">
			The client has provided a list of optional
			extensions which the server can use to
			take action or enable new features.
			<ul>
			<li><tt>%0 %1</tt> - the extensions will take %xx0 (%dd0) bytes of data
			</ul>
			Each extension will start with two bytes
			that indicate which extension it is, followed
			by a two-byte content length field, followed
			by the contents of the extension.
		</div>
	</span>

	<span class="string">
		<span class="label">Extension - Server Name</span>
		<span class="bytes">
%next 28
%bytes
		</span>
		<div class="explanation">
			The client has provided the name of the
			server it is contacting, also known as SNI
			(Server Name Indication).
			<br/><br/>
			Without this extension a HTTPS server would
			not be able to provide service for multiple
			hostnames on a single IP address (virtual
			hosts) because it couldn't know which
			hostname's certificate to send until
			after the TLS session was negotiated and the
			HTTP request was made.
			<ul>
				<li><tt>00 00</tt> - assigned value for extension "server name"
				<li><tt>%2 %3</tt> - %xx2 (%dd2) bytes of extension data follows
				<li><tt>%4 %5</tt> - %xx4 (%dd4) bytes of first (and only) list entry follows
				<li><tt>%6</tt> - list entry is type 0x00 "DNS hostname"
				<li><tt>%7 %8</tt> - %xx7 (%dd7) bytes of hostname follows
				<li><tt>%9 %10 %11 ... %-3 %-2 %-1</tt> - "example.ulfheim.net"
			</ul>
		</div>
	</span>

	<span class="string">
		<span class="label">Extension - Status Request</span>
		<span class="bytes">
%next 9
%bytes
		</span>
		<div class="explanation">
			The client provides permission for the
			server to provide OCSP information in its response.
			OCSP can be used to check whether a certificate
			has been revoked.
			<br/><br/>
			This form of the client sending an empty
			extension is necessary because
			it is a fatal error for the server
			to reply with an extension that the client
			did not provide first.  Therefore the client
			sends an empty form of the extension, and
			the server replies with the extension
			populated with data.
			<ul>
				<li><tt>00 05</tt> - assigned value for extension "status request"
				<li><tt>%2 %3</tt> - %xx2 (%dd2) bytes of extension data follows
				<li><tt>01</tt> - assigned value for "certificate status type: OCSP"
				<li><tt>%5 %6</tt> - %xx5 (%dd5) bytes of responderID information
				<li><tt>%7 %8</tt> - %xx7 (%dd7) bytes of request extension information
			</ul>
		</div>
	</span>

	<span class="string">
		<span class="label">Extension - Supported Groups</span>
		<span class="bytes">
%next 14
%bytes
		</span>
		<div class="explanation">
			The client has indicated that it supports
			elliptic curve (EC) cryptography for 4 curves.
			To make this extension more generic for
			other cryptography types it now calls these
			"supported groups" instead of "supported
			curves".
			<ul>
				<li><tt>00 0a</tt> - assigned value for extension "supported groups"
				<li><tt>%2 %3</tt> - %xx2 (%dd2) bytes of extension data follows
				<li><tt>%4 %5</tt> - %xx4 (%dd4) bytes of data are in the curves list
				<li><tt>00 1d</tt> - assigned value for the curve "x25519"
				<li><tt>00 17</tt> - assigned value for the curve "secp256r1"
				<li><tt>00 18</tt> - assigned value for the curve "secp384r1"
				<li><tt>00 19</tt> - assigned value for the curve "secp521r1"
			</ul>
		</div>
	</span>

	<span class="string">
		<span class="label">Extension - EC Point Formats</span>
		<span class="bytes">
%next 6
%bytes
		</span>
		<div class="explanation">
			During elliptic curve (EC) cryptography the
			client and server will exchange information
			on the points selected, in either compressed
			or uncompressed form.  This extension
			indicates that the client can only parse
			uncompressed information from the server.
			<br/><br/>
			In the next version of TLS the ability to
			negotiate points does not exist (instead a
			single point is pre-selected for each curve),
			so this extension would not be sent.
			<ul>
				<li><tt>00 0b</tt> - assigned value for extension "EC points format"
				<li><tt>%2 %3</tt> - %xx2 (%dd2) bytes of extension data follows
				<li><tt>%4</tt> - %x4 (%d4) bytes of data are in the supported formats list
				<li><tt>00</tt> - assigned value for uncompressed form
			</ul>
		</div>
	</span>

	<span class="string">
		<span class="label">Extension - Signature Algorithms</span>
		<span class="bytes">
%next 22
%bytes
		</span>
		<div class="explanation">
			As TLS has developed it has become necessary to
			support stronger signature algorithms such
			as SHA-256 while still supporting earlier
			implementations that used MD5 and SHA1.
			This extension indicates which signature
			algorithms the client is capable
			of using.
			<ul>
				<li><tt>00 0d</tt> - assigned value for extension "Signature Algorithms"
				<li><tt>%2 %3</tt> - %xx2 (%dd2) bytes of extension data follows
				<li><tt>%4 %5</tt> - %xx4 (%dd4) bytes of data are in the following list of algorithms
				<li><tt>04 01</tt> - assigned value for RSA/PKCS1/SHA256
				<li><tt>04 03</tt> - assigned value for ECDSA/SECP256r1/SHA256
				<li><tt>05 01</tt> - assigned value for RSA/PKCS1/SHA386
				<li><tt>05 03</tt> - assigned value for ECDSA/SECP384r1/SHA384
				<li><tt>06 01</tt> - assigned value for RSA/PKCS1/SHA512
				<li><tt>06 03</tt> - assigned value for ECDSA/SECP521r1/SHA512
				<li><tt>02 01</tt> - assigned value for RSA/PKCS1/SHA1
				<li><tt>02 03</tt> - assigned value for ECDSA/SHA1
			</ul>
		</div>
	</span>

	<span class="string">
		<span class="label">Extension - Renegotiation Info</span>
		<span class="bytes">
%next 5
%bytes
		</span>
		<div class="explanation">
			The presence of this extension prevents a type of attack performed with TLS renegotiation.
			<br/><br/>
			The ability to renegotiate a connection has been removed from the next version of this
			protocol (TLS 1.3) so this will no longer be necessary.
			<ul>
				<li><tt>ff 01</tt> - assigned value for extension "Renegotiation Info"
				<li><tt>%2 %3</tt> - %xx2 (%dd2) bytes of extension data follows
				<li><tt>00</tt> - length of renegotiation data is zero, because this is a new connection
			</ul>
		</div>
	</span>

	<span class="string">
		<span class="label">Extension - SCT</span>
		<span class="bytes">
%next 4
%bytes
		</span>
		<div class="explanation">
			The client provides permission for the
			server to return a signed certificate
			timestamp.
			<br/><br/>
			This form of the client sending an empty
			extension is necessary because
			it is a fatal error for the server
			to reply with an extension that the client
			did not provide first.  Therefore the client
			sends an empty form of the extension, and
			the server replies with the extension
			populated with data.
			<ul>
				<li><tt>00 12</tt> - assigned value for extension "signed certificate timestamp"
				<li><tt>%2 %3</tt> - %xx2 (%dd2) bytes of extension data follows
			</ul>
		</div>
	</span>
</span>
</div>
%empty

<div class="record server">
<div class="label">Server Hello</div>
<image class="illustration" src="images/key2.png" width="124" height="250"/>
<div class="explanation">
	The server says "Hello" back.  The server provides the following:
	<ul>
	<li>protocol version
	<li>server random data (used later in the handshake)
	<li>a session id
	<li>a selected cipher suite
	<li>a selected compression method
	<li>a list of extensions
	</ul>
</div>
%file ../captures/caps/serverhello
<span class="record-data">
	<span class="string">
		<span class="label">Record Header</span>
		<span class="bytes">
%next 5
%bytes
		</span>
		<div class="explanation">
			TLS sessions are broken into the sending
			and receiving of "records", which are blocks
			of data with a type, a protocol version,
			and a length.
			<ul>
			<li><tt>%0</tt> - type is 0x16 (handshake record)
			<li><tt>%1 %2</tt> - protocol version is 3.3 (TLS 1.2)
			<li><tt>%3 %4</tt> - the length of the record payload is %xx3 (%dd3) bytes
			</ul>
			All data following this header is the payload for this record.
		</div>
	</span>

	<span class="string">
		<span class="label">Handshake Header</span>
		<span class="bytes">
%next 4
%bytes
		</span>
		<div class="explanation">
			Each handshake message starts with a type and a length.
			<ul>
			<li><tt>02</tt> - handshake message type 0x02 (server hello)
			<li><tt>%1 %2 %3</tt> - payload length of %xxx1 (%ddd1) bytes
			</ul>
			All data following this header is the payload for this message.
		</div>
	</span>

	<span class="string">
		<span class="label">Server Version</span>
		<span class="bytes">
%next 2
%bytes
		</span>
		<div class="explanation">
			The protocol version of 3.3 (TLS 1.2) is given.
			<br/><br/>
			The reason for this version number (3.3
			rather than 1.2) is that TLS 1.0 was a minor
			revision of the SSL 3.0 protocol created
			by Netscape, therefore it was assigned
			version 3.1.
		</div>
	</span>

	<span class="string">
		<span class="label">Server Random</span>
		<span class="bytes">
%next 32
%bytes
		</span>
		<div class="explanation">
			The server provides 32 bytes of cryptographically secure random data.
			In this example we've made the random data predictable to make it easier to recognize.
			<br/><br/>
			The TLS 1.2 spec says that the first 4 bytes
			should be the current time in seconds-since-1970
			but this is now recommended against as it enables
			fingerprinting of hosts and servers.
		</div>
	</span>

	<span class="string">
		<span class="label">Session ID</span>
		<span class="bytes">
%next 1
%bytes
		</span>
		<div class="explanation">
			The server can provide an ID for this session
			which a client can provide on a later session
			negotiation in an attempt to re-use the key
			data and skip most of the TLS negotiation
			process.  For this to work both the server
			and client will store key information from
			the previous connection in memory.  Resuming
			a connection saves a lot of computation and
			network round-trip time so it is performed
			whenever possible.
			<ul>
			<li><tt>00</tt> - length of zero (no session id is provided)
			</ul>
		</div>
	</span>

	<span class="string">
		<span class="label">Cipher Suite</span>
		<span class="bytes">
%next 2
%bytes
		</span>
		<div class="explanation">
			The server has selected cipher suite 0xC013
			(ECDHE-RSA-AES128-CBC-SHA) from the
			list of options given by the client.
		</div>
	</span>

	<span class="string">
		<span class="label">Compression Method</span>
		<span class="bytes">
%next 1
%bytes
		</span>
		<div class="explanation">
			The server has selected compression method
			0x00 ("Null", which performs no compression)
			from the list of options given by the client.
		</div>
	</span>

	<span class="string">
		<span class="label">Extensions Length</span>
		<span class="bytes">
%next 2
%bytes
		</span>
		<div class="explanation">
			The server has returned a list of extensions
			to the client.  Because the server is
			forbidden from replying with an extension
			that the client did not send in its hello
			message, the server knows that the client
			will support all extensions listed.
			<ul>
			<li><tt>%0 %1</tt> - the extensions will take %xx0 (%dd0) bytes of data
			</ul>
		</div>
	</span>

	<span class="string">
		<span class="label">Extension - Renegotiation Info</span>
		<span class="bytes">
%next 5
%bytes
		</span>
		<div class="explanation">
			The presence of this extension prevents a type of attack performed with TLS renegotiation.
			<br/><br/>
			The ability to renegotiate a connection has been removed from the next version of this
			protocol (TLS 1.3) so this will no longer be necessary.
			<ul>
				<li><tt>ff 01</tt> - assigned value for extension "Renegotiation Info"
				<li><tt>%2 %3</tt> - %xx2 (%dd2) bytes of extension data follows
				<li><tt>%4</tt> - length of renegotiation data is zero, because this is a new connection
			</ul>
		</div>
	</span>
</span>
</div>
%empty

<div class="record server">
<div class="label">Server Certificate</div>
<image class="illustration" src="images/key3.png" width="130" height="250"/>
<div class="explanation">
	The server provides a certificate containing the following:
	<ul>
	<li>the hostname of the server
	<li>the public key used by this server
	<li>proof from a trusted third party that the owner of this hostname holds the private key for this public key
	</ul>
	<a href="certificate.html" target="_blank">Explore the server certificate</a>.
</div>
%file ../captures/caps/servercert
<span class="record-data">
	<span class="string">
		<span class="label">Record Header</span>
		<span class="bytes">
%next 5
%bytes
		</span>
		<div class="explanation">
			TLS sessions are broken into the sending
			and receiving of "records", which are blocks
			of data with a type, a protocol version,
			and a length.
			<ul>
			<li><tt>16</tt> - type is 0x16 (handshake record)
			<li><tt>%1 %2</tt> - protocol version is 3.3 (TLS 1.2)
			<li><tt>%3 %4</tt> - the length of the record payload is %xx3 (%dd3) bytes
			</ul>
			All data following this header is the payload for this record.
		</div>
	</span>

	<span class="string">
		<span class="label">Handshake Header</span>
		<span class="bytes">
%next 4
%bytes
		</span>
		<div class="explanation">
			Each handshake message starts with a type and a length.
			<ul>
			<li><tt>0b</tt> - handshake message type 0x0B (certificate)
			<li><tt>%1 %2 %3</tt> - payload length of %xxx1 (%ddd1) bytes
			</ul>
			All data following this header is the payload for this message.
		</div>
	</span>

	<span class="string">
		<span class="label">Certificates Length</span>
		<span class="bytes">
%next 3
%bytes
		</span>
		<div class="explanation">
			The certificate message begins with the
			length of all certificate data that will follow.
			<ul>
			<li><tt>%0 %1 %2</tt> - %xxx0 (%ddd0) bytes of certificates follow
			</ul>
		</div>
	</span>

	<span class="string">
		<span class="label">Certificate Length</span>
		<span class="bytes">
%next 3
%bytes
		</span>
		<div class="explanation">
			The length of the first (and only) certificate.
			<ul>
			<li><tt>%0 %1 %2</tt> - %xxx0 (%ddd0) bytes of certificate follows
			</ul>
		</div>
	</span>

	<span class="string">
		<span class="label">Certificate</span>
		<span class="bytes">
%next 805
%bytes
		</span>
		<div class="explanation">
			The certificate is in ASN.1 DER
			encoding.  The details of this format and
			the content of this binary payload are
			documented <a href="certificate.html" target="_blank">on another page</a>.
			<a href="files/server.crt" download="server.crt">The certificate</a>
			can be converted to the binary data in this message
			at the command line:
			<codesample>
<pre><code>$ openssl x509 -outform der &lt; server.crt | hexdump

0000000 30 82 03 21 30 82 02 09 a0 03 02 01 02 02 08 15
0000010 5a 92 ad c2 04 8f 90 30 0d 06 09 2a 86 48 86 f7
... snip ...
</code></pre>
			</codesample>
		</div>
	</span>
</span>
</div>

<div class="calculation server">
<div class="label">Server Key Exchange Generation</div>
<image class="illustration" src="images/key4.png" width="106" height="250"/>
<div class="explanation">
	The server must calculate a private/public keypair for key
	exchange.  The server has chosen to use an elliptical curve
	method of key exchange, using the x25519 curve.
	<br/><br/>
	The private key is chosen by selecting an integer between
	1 and 2<sup>256</sup>-1.  It does this by generating 32 bytes of
	random data.  The
	<a href="files/server-ephemeral-private.key" download="server-ephemeral-private.key">private key</a>
	selected is:

<pre class="ind2"><tt class="longboi">909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeaf</tt></pre>

	The <a href="files/server-ephemeral-public.key" download="server-ephemeral-public.key">public key</a>
	is chosen by multiplying the point x=9 on the x25519 curve
	by the private key.  The public key calculated is:

<pre class="ind2"><tt class="longboi">9fd7ad6dcff4298dd3f96d5b1b2af910a0535b1488d7f8fabb349a982880b615</tt></pre>

	The public key calculation can be confirmed with command line tools:
	<codesample>
<pre><code>### requires openssl 1.1.0 or higher
$ openssl pkey -noout -text &lt; server-ephemeral-private.key

X25519 Private-Key:
priv:
    90:91:92:93:94:95:96:97:98:99:9a:9b:9c:9d:9e:
    9f:a0:a1:a2:a3:a4:a5:a6:a7:a8:a9:aa:ab:ac:ad:
    ae:af
pub:
    9f:d7:ad:6d:cf:f4:29:8d:d3:f9:6d:5b:1b:2a:f9:
    10:a0:53:5b:14:88:d7:f8:fa:bb:34:9a:98:28:80:
    b6:15
</code></pre>
	</codesample>
</div>
</div>
%empty

<div class="record server">
<div class="label">Server Key Exchange</div>
<image class="illustration" src="images/key5.png" width="138" height="250"/>
<div class="explanation">
	The server provides information for key exchange.  As part of the
	key exchange process both the server and the client will have a
	keypair of public and private keys, and will send the other party
	their public key.  The shared encryption key will then be generated
	using a combination of each party's private key and the other party's
	public key.
	<br/><br/>
	The parties had agreed on a cipher suite using ECDHE, meaning the
	keypairs will be based on a selected <b>E</b>lliptic <b>C</b>urve,
	<b>D</b>iffie-<b>H</b>ellman will be used, and the keypairs will
	be <b>E</b>phemeral rather than using the public/private key from
	the certificate.
</div>
%file ../captures/caps/serverkeyexchange
<span class="record-data">
	<span class="string">
		<span class="label">Record Header</span>
		<span class="bytes">
%next 5
%bytes
		</span>
		<div class="explanation">
			TLS sessions are broken into the sending
			and receiving of "records", which are blocks
			of data with a type, a protocol version,
			and a length.
			<ul>
			<li><tt>16</tt> - type is 0x16 (handshake record)
			<li><tt>03 03</tt> - protocol version is 3.3 (TLS 1.2)
			<li><tt>%3 %4</tt> - the length of the record payload is %xx3 (%dd3) bytes
			</ul>
			All data following this header is the payload for this record.
		</div>
	</span>

	<span class="string">
		<span class="label">Handshake Header</span>
		<span class="bytes">
%next 4
%bytes
		</span>
		<div class="explanation">
			Each handshake message starts with a type and a length.
			<ul>
			<li><tt>0c</tt> - handshake message type 0x0c (server key exchange)
			<li><tt>%1 %2 %3</tt> - payload length of %xxx1 (%ddd1) bytes
			</ul>
			All data following this header is the payload for this message.
		</div>
	</span>

	<span class="string">
		<span class="label">Curve Info</span>
		<span class="bytes">
%next 3
%bytes
		</span>
		<div class="explanation">
			The server chooses the elliptic curve that points will be calculated from.
			<ul>
			<li><tt>03</tt> - assigned value for "named_curve": the following bytes will identify a specific curve
			<li><tt>00 1d</tt> - curve 0x001d ("curve x25519")
			</ul>
		</div>
	</span>

	<span class="string">
		<span class="label">Public Key</span>
		<span class="bytes">
%next 33
%bytes
		</span>
		<div class="explanation">
			The server provides its public key.
			<ul>
			<li><tt>%0</tt> - length of %x0 (%d0) bytes
			<li><tt>%1 %2 ... %-2 %-1</tt> - public key
			</ul>
		</div>
	</span>

	<span class="string">
		<span class="label">Signature</span>
		<span class="bytes">
%next 260
%bytes
		</span>
		<div class="explanation">
			Because the server is generating ephemeral keys
			it is not using the public key provided in
			the server certificate.  To prove that the
			server owns the server certificate (giving the certificate
			validity in this TLS session), it signs the
			ephemeral public key with the certificate's
			private key.  This signature can be
			validated with the certificate's public
			key.
			<ul>
			<li><tt>04 01</tt> - reserved value for RSA signature with SHA256 hash
			<li><tt>%2 %3</tt> - length of signature (%xx2 or %dd2 bytes)
			<li><tt>%4 %5 %6 ... %-3 %-2 %-1</tt> - the
					computed signature for <tt>SHA256(client_hello_random
					+ server_hello_random + curve_info + public_key)</tt>
			</ul>
			We can compute the signature ourselves using
			the <a href="files/server.key" download="server.key">server's private key</a>,
			at the command line:
			<codesample>
<pre><code>### client random from Client Hello
$ echo -en '\x00\x01\x02\x03\x04\x05\x06\x07'  > /tmp/compute
$ echo -en '\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f' >> /tmp/compute
$ echo -en '\x10\x11\x12\x13\x14\x15\x16\x17' >> /tmp/compute
$ echo -en '\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f' >> /tmp/compute
### server random from Server Hello
$ echo -en '\x70\x71\x72\x73\x74\x75\x76\x77' >> /tmp/compute
$ echo -en '\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f' >> /tmp/compute
$ echo -en '\x80\x81\x82\x83\x84\x85\x86\x87' >> /tmp/compute
$ echo -en '\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f' >> /tmp/compute
### the curve info section from this message
$ echo -en '\x03\x00\x1d' >> /tmp/compute
### the public key sections from this msg
$ echo -en '\x20\x9f\xd7\xad\x6d\xcf\xf4\x29' >> /tmp/compute
$ echo -en '\x8d\xd3\xf9\x6d\x5b\x1b\x2a\xf9' >> /tmp/compute
$ echo -en '\x10\xa0\x53\x5b\x14\x88\xd7\xf8' >> /tmp/compute
$ echo -en '\xfa\xbb\x34\x9a\x98\x28\x80\xb6\x15' >> /tmp/compute
$ openssl dgst -sign server.key -sha256 /tmp/compute | hexdump

0000000 04 02 b6 61 f7 c1 91 ee 59 be 45 37 66 39 bd c3
... snip ...
00000f0 7d 87 dc 33 18 64 35 71 22 6c 4d d2 c2 ac 41 fb
</code></pre>
			</codesample>
		</div>
	</span>
</span>
</div>
%empty

<div class="record server">
<div class="label">Server Hello Done</div>
<div class="explanation">
	The server indicates it's finished with its half of the handshake.
</div>
%file ../captures/caps/serverhellodone
<span class="record-data">
	<span class="string">
		<span class="label">Record Header</span>
		<span class="bytes">
%next 5
%bytes
		</span>
		<div class="explanation">
			TLS sessions are broken into the sending
			and receiving of "records", which are blocks
			of data with a type, a protocol version,
			and a length.
			<ul>
			<li><tt>16</tt> - type is 0x16 (handshake record)
			<li><tt>03 03</tt> - protocol version is 3.3 (TLS 1.2)
			<li><tt>%3 %4</tt> - the length of the record payload is %xx3 (%dd3) bytes
			</ul>
			All data following this header is the payload for this record.
		</div>
	</span>

	<span class="string">
		<span class="label">Handshake Header</span>
		<span class="bytes">
%next 4
%bytes
		</span>
		<div class="explanation">
			Each handshake message starts with a type and a length.
			<ul>
			<li><tt>0e</tt> - handshake message type 0x0e (server hello done)
			<li><tt>%1 %2 %3</tt> - payload length of %ddd1 bytes (no payload)
			</ul>
		</div>
	</span>
</span>
</div>
%empty

<div class="calculation client">
<div class="label">Client Key Exchange Generation</div>
<image class="illustration" src="images/key6.png" width="105" height="250"/>
<div class="explanation">
	The client must calculate a private/public keypair for key
	exchange.  It will do this for the elliptical curve
	method of key exchange, using the x25519 curve.
	<br/><br/>
	The private key is chosen by selecting an integer between
	1 and 2<sup>256</sup>-1.  It does this by generating 32 bytes of
	random data.  The
	<a href="files/client-ephemeral-private.key" download="client-ephemeral-private.key">private key</a>
	selected is:

	<pre class="ind2"><tt class="longboi">202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f</tt></pre>

	The <a href="files/client-ephemeral-public.key" download="client-ephemeral-public.key">public key</a>
	is chosen by multiplying the point x=9 on the x25519 curve
	by the private key.  The public key calculated is:

	<pre class="ind2"><tt class="longboi">358072d6365880d1aeea329adf9121383851ed21a28e3b75e965d0d2cd166254</tt></pre>

	The public key calculation can be confirmed at the command line:
	<codesample>
<pre><code>### requires openssl 1.1.0 or higher
$ openssl pkey -noout -text &lt; client-ephemeral-private.key

X25519 Private-Key:
priv:
    20:21:22:23:24:25:26:27:28:29:2a:2b:2c:2d:2e:
    2f:30:31:32:33:34:35:36:37:38:39:3a:3b:3c:3d:
    3e:3f
pub:
    35:80:72:d6:36:58:80:d1:ae:ea:32:9a:df:91:21:
    38:38:51:ed:21:a2:8e:3b:75:e9:65:d0:d2:cd:16:
    62:54
</code></pre>
	</codesample>
</div>
</div>
<div class="record client">
<div class="label">Client Key Exchange</div>
<image class="illustration" src="images/key7.png" width="116" height="250"/>
<div class="explanation">
	The client provides information for key exchange.  As part of the
	key exchange process both the server and the client will generate a
	keypair of public and private keys, and will send the other party
	their public key.  The shared encryption key will then be generated
	using a function of each party's private key and the other party's
	public key.
	<br/><br/>
	The parties had agreed on a cipher suite using ECDHE, meaning the
	keypairs will be based on a selected <b>E</b>lliptic <b>C</b>urve,
	<b>D</b>iffie-<b>H</b>ellman will be used, and the keypairs will
	be <b>E</b>phemeral rather than using a public/private key from
	the server certificate.
</div>
%file ../captures/caps/clientkeyexchange
<span class="record-data">
	<span class="string">
		<span class="label">Record Header</span>
		<span class="bytes">
%next 5
%bytes
		</span>
		<div class="explanation">
			TLS sessions are broken into the sending
			and receiving of "records", which are blocks
			of data with a type, a protocol version,
			and a length.
			<ul>
			<li><tt>16</tt> - type is 0x16 (handshake record)
			<li><tt>%1 %2</tt> - protocol version is 3.3 (TLS 1.2)
			<li><tt>%3 %4</tt> - the length of the record payload is %xx3 (%dd3) bytes
			</ul>
			All data following this header is the payload for this record.
		</div>
	</span>

	<span class="string">
		<span class="label">Handshake Header</span>
		<span class="bytes">
%next 4
%bytes
		</span>
		<div class="explanation">
			Each handshake message starts with a type and a length.
			<ul>
			<li><tt>10</tt> - handshake message type 0x10 (client key exchange)
			<li><tt>%1 %2 %3</tt> - payload length of %xxx1 (%ddd1) bytes
			</ul>
			All data following this header is the payload for this message.
		</div>
	</span>

	<span class="string">
		<span class="label">Public Key</span>
		<span class="bytes">
%next 33
%bytes
		</span>
		<div class="explanation">
			The client provides its public key.
			<ul>
			<li><tt>%0</tt> - length of %x0 (%d0) bytes
			<li><tt>%1 %2 ... %-2 %-1</tt> - public key
			</ul>
		</div>
	</span>
</span>
</div>
%empty

<div class="calculation client">
<div class="label">Client Encryption Keys Calculation</div>
<image class="illustration" src="images/key8.png" width="97" height="250"/>
<div class="explanation">
	The client now has the information to calculate the encryption
	keys that will be used by each side.  It uses the following
	information in this calculation:
	<ul>
	<li>server random (from Server Hello)
	<li>client random (from Client Hello)
	<li>server public key (from Server Key Exchange)
	<li>client private key (from Client Key Generation)
	</ul>
	The client multiplies the server's public key with the
	client's private key using the curve25519() algorithm.  The
	32-byte result is called the PreMasterSecret, and is found
	to be:
	<pre class="ind2"><tt class="longboi">df4a291baa1eb7cfa6934b29b474baad2697e29f1f920dcc77c8a0a088447624</tt></pre>

	I've provided <a href="files/curve25519-mult.c">a tool</a> to perform this calculation:
	<codesample>
<pre><code>$ gcc -o curve25519-mult curve25519-mult.c
$ ./curve25519-mult client-ephemeral-private.key \
                    server-ephemeral-public.key | hexdump

0000000 df 4a 29 1b aa 1e b7 cf a6 93 4b 29 b4 74 ba ad
0000010 26 97 e2 9f 1f 92 0d cc 77 c8 a0 a0 88 44 76 24
</code></pre>
	</codesample>

	The client then calculates 48 bytes of the MasterSecret
	from the PreMasterSecret using the following method:

	<pre class="ind1">seed = "master secret" + client_random + server_random
a0 = seed
a1 = HMAC-SHA256(key=PreMasterSecret, data=a0)
a2 = HMAC-SHA256(key=PreMasterSecret, data=a1)
p1 = HMAC-SHA256(key=PreMasterSecret, data=a1 + seed)
p2 = HMAC-SHA256(key=PreMasterSecret, data=a2 + seed)
MasterSecret = p1[all 32 bytes] + p2[first 16 bytes]</pre>

	Here we demonstrate on the command line:
	<codesample>
<pre><code>### set up our PreMasterSecret as a hex string
$ pmshex=df4a291baa1eb7cfa6934b29b474baad
$ pmshex=${pmshex}2697e29f1f920dcc77c8a0a088447624
### client random from Client Hello
$ echo -en '\x00\x01\x02\x03\x04\x05\x06\x07' >  /tmp/c_rand
$ echo -en '\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f' >> /tmp/c_rand
$ echo -en '\x10\x11\x12\x13\x14\x15\x16\x17' >> /tmp/c_rand
$ echo -en '\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f' >> /tmp/c_rand
### server random from Server Hello
$ echo -en '\x70\x71\x72\x73\x74\x75\x76\x77' >  /tmp/s_rand
$ echo -en '\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f' >> /tmp/s_rand
$ echo -en '\x80\x81\x82\x83\x84\x85\x86\x87' >> /tmp/s_rand
$ echo -en '\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f' >> /tmp/s_rand
### build the seed
$ echo -en 'master secret' > /tmp/seed
$ cat /tmp/c_rand /tmp/s_rand >> /tmp/seed
### a0 is the same as the seed
$ cat /tmp/seed > /tmp/a0
### a(n) is hmac-sha256(key=secret, data=a(n-1))
$ cat /tmp/a0 | openssl dgst -sha256 \
   -mac HMAC -macopt hexkey:$pmshex -binary > /tmp/a1
$ cat /tmp/a1 | openssl dgst -sha256 \
   -mac HMAC -macopt hexkey:$pmshex -binary > /tmp/a2
### p(n) is hmac-sha256(key=secret, data=a(n)+seed)
$ cat /tmp/a1 /tmp/seed | openssl dgst -sha256 \
   -mac HMAC -macopt hexkey:$pmshex -binary > /tmp/p1
$ cat /tmp/a2 /tmp/seed | openssl dgst -sha256 \
   -mac HMAC -macopt hexkey:$pmshex -binary > /tmp/p2
### first 48 bytes is MasterSecret
$ cat /tmp/p1 /tmp/p2 | head -c 48 > /tmp/mastersecret
$ hexdump /tmp/mastersecret

0000000 91 6a bf 9d a5 59 73 e1 36 14 ae 0a 3f 5d 3f 37
0000010 b0 23 ba 12 9a ee 02 cc 91 34 33 81 27 cd 70 49
0000020 78 1c 8e 19 fc 1e b2 a7 38 7a c0 6a e2 37 34 4c
</code></pre>
	</codesample>

	This gives us a MasterSecret of:
<pre class="ind1"><tt class="longboi">916abf9da55973e13614ae0a3f5d3f37b023ba129aee02cc9134338127cd7049781c8e19fc1eb2a7387ac06ae237344c</tt></pre>

	We then generate the final encryption keys using a key expansion:

<pre class="ind1">
seed = "key expansion" + server_random + client_random
a0 = seed
a1 = HMAC-SHA256(key=MasterSecret, data=a0)
a2 = HMAC-SHA256(key=MasterSecret, data=a1)
a3 = HMAC-SHA256(key=MasterSecret, data=a2)
a4 = ...
p1 = HMAC-SHA256(key=MasterSecret, data=a1 + seed)
p2 = HMAC-SHA256(key=MasterSecret, data=a2 + seed)
p3 = HMAC-SHA256(key=MasterSecret, data=a3 + seed)
p4 = ...
p = p1 + p2 + p3 + p4 ...
client write mac key = [first 20 bytes of p]
server write mac key = [next 20 bytes of p]
client write key = [next 16 bytes of p]
server write key = [next 16 bytes of p]
client write IV = [next 16 bytes of p]
server write IV = [next 16 bytes of p]
</pre>

	We can demonstrate this on the command line:
	<codesample>
<pre><code>### continued from above command line example
### set up our MasterSecret as a hex string
$ mshex=$(hexdump -ve '/1 "%%02x"' /tmp/mastersecret)
### build the seed
$ echo -en 'key expansion' > /tmp/seed
$ cat /tmp/s_rand /tmp/c_rand >> /tmp/seed
### a0 is the same as the seed
$ cat /tmp/seed > /tmp/a0
### a(n) is hmac-sha256(key=secret, data=a(n-1))
$ cat /tmp/a0 | openssl dgst -sha256 \
   -mac HMAC -macopt hexkey:$mshex -binary > /tmp/a1
$ cat /tmp/a1 | openssl dgst -sha256 \
   -mac HMAC -macopt hexkey:$mshex -binary > /tmp/a2
$ cat /tmp/a2 | openssl dgst -sha256 \
   -mac HMAC -macopt hexkey:$mshex -binary > /tmp/a3
$ cat /tmp/a3 | openssl dgst -sha256 \
   -mac HMAC -macopt hexkey:$mshex -binary > /tmp/a4
### p(n) is hmac-sha256(key=secret, data=a(n)+seed)
$ cat /tmp/a1 /tmp/seed | openssl dgst -sha256 \
   -mac HMAC -macopt hexkey:$mshex -binary > /tmp/p1
$ cat /tmp/a2 /tmp/seed | openssl dgst -sha256 \
   -mac HMAC -macopt hexkey:$mshex -binary > /tmp/p2
$ cat /tmp/a3 /tmp/seed | openssl dgst -sha256 \
   -mac HMAC -macopt hexkey:$mshex -binary > /tmp/p3
$ cat /tmp/a4 /tmp/seed | openssl dgst -sha256 \
   -mac HMAC -macopt hexkey:$mshex -binary > /tmp/p4
### combine them into a single stream
$ cat /tmp/p1 /tmp/p2 /tmp/p3 /tmp/p4 > /tmp/p
$ dd if=/tmp/p of=/tmp/client_mac_key bs=1 skip=0  count=20
$ dd if=/tmp/p of=/tmp/server_mac_key bs=1 skip=20 count=20
$ dd if=/tmp/p of=/tmp/client_key     bs=1 skip=40 count=16
$ dd if=/tmp/p of=/tmp/server_key     bs=1 skip=56 count=16
$ dd if=/tmp/p of=/tmp/client_iv      bs=1 skip=72 count=16
$ dd if=/tmp/p of=/tmp/server_iv      bs=1 skip=88 count=16
$ hexdump /tmp/client_mac_key
0000000 1b 7d 11 7c 7d 5f 69 0b c2 63 ca e8 ef 60 af 0f
0000010 18 78 ac c2

$ hexdump /tmp/server_mac_key
0000000 2a d8 bd d8 c6 01 a6 17 12 6f 63 54 0e b2 09 06
0000010 f7 81 fa d2

$ hexdump /tmp/client_key
0000000 f6 56 d0 37 b1 73 ef 3e 11 16 9f 27 23 1a 84 b6

$ hexdump /tmp/server_key
0000000 75 2a 18 e7 a9 fc b7 cb cd d8 f9 8d d8 f7 69 eb

$ hexdump /tmp/client_iv
0000000 a0 d2 55 0c 92 38 ee bf ef 5c 32 25 1a bb 67 d6

$ hexdump /tmp/server_iv
0000000 43 45 28 db 49 37 d5 40 d3 93 13 5e 06 a1 1b b8
</code></pre>
	</codesample>

	From this we get the following key data:
	<ul>
	<li>client MAC key: <tt class="longboi">1b7d117c7d5f690bc263cae8ef60af0f1878acc2</tt>
	<li>server MAC key: <tt class="longboi">2ad8bdd8c601a617126f63540eb20906f781fad2</tt>
	<li>client write key: <tt class="longboi">f656d037b173ef3e11169f27231a84b6</tt>
	<li>server write key: <tt class="longboi">752a18e7a9fcb7cbcdd8f98dd8f769eb</tt>
	<li>client write IV: <tt class="longboi">a0d2550c9238eebfef5c32251abb67d6</tt>
	<li>server write IV: <tt class="longboi">434528db4937d540d393135e06a11bb8</tt>
	</ul>
</div>
</div>

<div class="record client">
<div class="label">Client Change Cipher Spec</div>
<div class="explanation">
	The client indicates that it has calculated the shared
	encryption keys and that all following messages from the
	client will be encrypted with the client write key.
	<br/><br/>
	In the next version of TLS this message type has been removed because it can be inferred.
</div>
%file ../captures/caps/clientccs
<span class="record-data">
	<span class="string">
		<span class="label">Record</span>
		<span class="bytes">
%next 6
%bytes
		</span>
		<div class="explanation">
			TLS sessions are broken into the sending
			and receiving of "records", which are blocks
			of data with a type, a protocol version,
			and a length.
			<ul>
			<li><tt>14</tt> - type is 0x14 (ChangeCipherSpec record)
			<li><tt>%1 %2</tt> - protocol version is 3.3 (TLS 1.2)
			<li><tt>%3 %4</tt> - the length of the record payload is %xx3 (%dd3) bytes
			<li><tt>%5</tt> - the payload of this message is defined as the byte 0x01
			</ul>
		</div>
	</span>
</span>
</div>
%empty

<div class="record client">
<div class="label">Client Handshake Finished</div>
<div class="explanation">
	To verify that the handshake was successful and not tampered
	with, the client calculates verification data and encrypts
	it with the client write key.
	<br/><br/>
	The verification data is built from a hash of all handshake
	messages and verifies the integrity of the handshake process.
</div>
%file ../captures/caps/clientfinished
<span class="record-data">
	<span class="string">
		<span class="label">Record Header</span>
		<span class="bytes">
%next 5
%bytes
		</span>
		<div class="explanation">
			TLS sessions are broken into the sending
			and receiving of "records", which are blocks
			of data with a type, a protocol version,
			and a length.
			<ul>
			<li><tt>16</tt> - type is 0x16 (handshake record)
			<li><tt>%1 %2</tt> - protocol version is 3.3 (TLS 1.2)
			<li><tt>%3 %4</tt> - the length of the record payload is %xx3 (%dd3) bytes
			</ul>
			All data following this header is the payload for this record.
		</div>
	</span>

	<span class="string">
		<span class="label">Encryption IV</span>
		<span class="bytes">
%next 16
%bytes
		</span>
		<div class="explanation">
			The client has sent an initialization vector for decrypting this block.
			Because we have overridden the rand function it
			is a predictable sequence.
		</div>
	</span>

	<span class="string encrypted">
		<span class="label">Encrypted Data</span>
		<span class="bytes">
%next 48
%bytes
		</span>
		<div class="explanation">
			This data is encrypted with the client write
			key.  Because it contains a message
			authentication code (MAC) and padding it
			is larger than the decrypted data.
			<br/><br/>
			See below for the decrypted data.
		</div>
	</span>
%empty

	<div class="decryption">
		<div class="label">Decryption</div>
		<div class="explanation">
			This data can be decrypted using the encryption
			IV and the client write key that was generated
			in the step "Client Encryption Keys
			Calculation".
			<codesample>
<pre><code>### client key
$ hexkey=f656d037b173ef3e11169f27231a84b6
### IV for this record
$ hexiv=404142434445464748494a4b4c4d4e4f
### encrypted data
$ echo -en '\x22\x7b\xc9\xba\x81\xef\x30\xf2'  > /tmp/msg1
$ echo -en '\xa8\xa7\x8f\xf1\xdf\x50\x84\x4d' >> /tmp/msg1
$ echo -en '\x58\x04\xb7\xee\xb2\xe2\x14\xc3' >> /tmp/msg1
$ echo -en '\x2b\x68\x92\xac\xa3\xdb\x7b\x78' >> /tmp/msg1
$ echo -en '\x07\x7f\xdd\x90\x06\x7c\x51\x6b' >> /tmp/msg1
$ echo -en '\xac\xb3\xba\x90\xde\xdf\x72\x0f' >> /tmp/msg1
$ cat /tmp/msg1 | openssl enc -d -aes-128-cbc -K $hexkey -iv $hexiv | hexdump

0000000 14 00 00 0c cf 91 96 26 f1 36 0c 53 6a aa d7 3a
0000010 a5 a0 3d 23 30 56 e4 ac 6e ba 7f d9 e5 31 7f ac
0000020 2d b5 b7 0e 0b

The last 21 bytes contain a MAC and the number
of (not shown) padding bytes and can be ignored.
</code></pre>
			</codesample>
		</div>
	</div>

%file ../captures/caps/clientfinishedplain
	<span class="string decrypted">
		<span class="label">Handshake Header</span>
		<span class="bytes">
%next 4
%bytes
		</span>
		<div class="explanation">
			Each handshake message starts with a type and a length.
			<ul>
			<li><tt>14</tt> - handshake message type 0x14 (finished)
			<li><tt>%1 %2 %3</tt> - payload length of %xxx1 (%ddd1) bytes
			</ul>
			All data following this header is the payload for this message.
		</div>
	</span>

	<span class="string decrypted">
		<span class="label">Verify Data</span>
		<span class="bytes">
%next 12
%bytes
		</span>
		<div class="explanation">
			The verify_data is built from the master secret and the
			hash of the payload of all handshake records (type=0x16) previous to this one.
			<br/><br/>
			The SHA256 of all handshake messages before this one
			is <tt class="longboi">061dda04b3c2217ff73bd79b9cf88a2bb6ec505404aac8722db03ef417b54cb4</tt>.
			<br/><br/>
			The calculation for verify_data is as follows:
<pre class="ind1">
seed = "client finished" + SHA256(all handshake messages)
a0 = seed
a1 = HMAC-SHA256(key=MasterSecret, data=a0)
p1 = HMAC-SHA256(key=MasterSecret, data=a1 + seed)
verify_data = p1[first 12 bytes]
</pre>
			The verify data calculated from this hash is <tt class="longboi">a0744dd49a212f152b3c060d</tt>.
			We can show this on the command line:
			<codesample>
<pre><code>### set up our MasterSecret as a hex string
$ mshex=$(hexdump -ve '/1 "%%02x"' /tmp/mastersecret)
### build the seed
$ echo -en 'client finished' > /tmp/seed
### add SHA256(all_messages) to seed
$ echo -en '\x06\x1d\xda\x04\xb3\xc2\x21\x7f' >> /tmp/seed
$ echo -en '\xf7\x3b\xd7\x9b\x9c\xf8\x8a\x2b' >> /tmp/seed
$ echo -en '\xb6\xec\x50\x54\x04\xaa\xc8\x72' >> /tmp/seed
$ echo -en '\x2d\xb0\x3e\xf4\x17\xb5\x4c\xb4' >> /tmp/seed
### a0 is the same as the seed
$ cat /tmp/seed > /tmp/a0
### a(n) is hmac-sha256(key=secret, data=a(n-1))
$ cat /tmp/a0 | openssl dgst -sha256 \
   -mac HMAC -macopt hexkey:$mshex -binary > /tmp/a1
### p(n) is hmac-sha256(key=secret, data=a(n)+seed)
$ cat /tmp/a1 /tmp/seed | openssl dgst -sha256 \
   -mac HMAC -macopt hexkey:$mshex -binary > /tmp/p1
$ head -c 12 /tmp/p1 > /tmp/verify_data
$ hexdump /tmp/verify_data

0000000 cf 91 96 26 f1 36 0c 53 6a aa d7 3a
</code></pre>
			</codesample>
		</div>
	</span>
</span>
</div>

<div class="calculation server">
<div class="label">Server Encryption Keys Calculation</div>
<image class="illustration" src="images/key9.png" width="97" height="250"/>
<div class="explanation">
	The server now has the information to calculate the encryption
	keys that will be used by each side.  It uses the following
	information in this calculation:
	<ul>
	<li>server random (from Server Hello)
	<li>client random (from Client Hello)
	<li>client public key (from Client Key Exchange)
	<li>server private key (from Server Key Generation)
	</ul>
	The server multiplies the client's public key with the
	server's private key using the curve25519() algorithm.  The
	32-byte result is called the PreMasterSecret, and is found
	to be:
	<pre class="ind2"><tt class="longboi">df4a291baa1eb7cfa6934b29b474baad2697e29f1f920dcc77c8a0a088447624</tt></pre>

	I've provided <a href="files/curve25519-mult.c">a tool</a> to perform this calculation:
	<codesample>
<pre><code>$ gcc -o curve25519-mult curve25519-mult.c
$ ./curve25519-mult server-ephemeral-private.key \
                    client-ephemeral-public.key | hexdump

0000000 df 4a 29 1b aa 1e b7 cf a6 93 4b 29 b4 74 ba ad
0000010 26 97 e2 9f 1f 92 0d cc 77 c8 a0 a0 88 44 76 24
</code></pre>
	</codesample>
	This is identical to the PreMasterSecret found by the client,
	therefore the following calculations will be identical.
	<br/><br/>
	The server then calculates 48 bytes of the MasterSecret
	from the PreMasterSecret using the following method:

	<pre class="ind1">seed = "master secret" + client_random + server_random
a0 = seed
a1 = HMAC-SHA256(key=PreMasterSecret, data=a0)
a2 = HMAC-SHA256(key=PreMasterSecret, data=a1)
p1 = HMAC-SHA256(key=PreMasterSecret, data=a1 + seed)
p2 = HMAC-SHA256(key=PreMasterSecret, data=a2 + seed)
MasterSecret = p1[all 32 bytes] + p2[first 16 bytes]</pre>

	Here we demonstrate on the command line:
	<codesample>
<pre><code>### set up our PreMasterSecret as a hex string
$ pmshex=df4a291baa1eb7cfa6934b29b474baad
$ pmshex=${pmshex}2697e29f1f920dcc77c8a0a088447624
### client random from Client Hello
$ echo -en '\x00\x01\x02\x03\x04\x05\x06\x07' >  /tmp/c_rand
$ echo -en '\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f' >> /tmp/c_rand
$ echo -en '\x10\x11\x12\x13\x14\x15\x16\x17' >> /tmp/c_rand
$ echo -en '\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f' >> /tmp/c_rand
### server random from Server Hello
$ echo -en '\x70\x71\x72\x73\x74\x75\x76\x77' >  /tmp/s_rand
$ echo -en '\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f' >> /tmp/s_rand
$ echo -en '\x80\x81\x82\x83\x84\x85\x86\x87' >> /tmp/s_rand
$ echo -en '\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f' >> /tmp/s_rand
### build the seed
$ echo -en 'master secret' > /tmp/seed
$ cat /tmp/c_rand /tmp/s_rand >> /tmp/seed
### a0 is the same as the seed
$ cat /tmp/seed > /tmp/a0
### a(n) is hmac-sha256(key=secret, data=a(n-1))
$ cat /tmp/a0 | openssl dgst -sha256 \
   -mac HMAC -macopt hexkey:$pmshex -binary > /tmp/a1
$ cat /tmp/a1 | openssl dgst -sha256 \
   -mac HMAC -macopt hexkey:$pmshex -binary > /tmp/a2
### p(n) is hmac-sha256(key=secret, data=a(n)+seed)
$ cat /tmp/a1 /tmp/seed | openssl dgst -sha256 \
   -mac HMAC -macopt hexkey:$pmshex -binary > /tmp/p1
$ cat /tmp/a2 /tmp/seed | openssl dgst -sha256 \
   -mac HMAC -macopt hexkey:$pmshex -binary > /tmp/p2
### first 48 bytes is MasterSecret
$ cat /tmp/p1 /tmp/p2 | head -c 48 > /tmp/mastersecret
$ hexdump /tmp/mastersecret

0000000 91 6a bf 9d a5 59 73 e1 36 14 ae 0a 3f 5d 3f 37
0000010 b0 23 ba 12 9a ee 02 cc 91 34 33 81 27 cd 70 49
0000020 78 1c 8e 19 fc 1e b2 a7 38 7a c0 6a e2 37 34 4c
</code></pre>
	</codesample>

	This gives us a MasterSecret of:
<pre class="ind1"><tt class="longboi">916abf9da55973e13614ae0a3f5d3f37b023ba129aee02cc9134338127cd7049781c8e19fc1eb2a7387ac06ae237344c</tt></pre>

	We then generate the final encryption keys using a key expansion:

<pre class="ind1">
seed = "key expansion" + server_random + client_random
a0 = seed
a1 = HMAC-SHA256(key=MasterSecret, data=a0)
a2 = HMAC-SHA256(key=MasterSecret, data=a1)
a3 = HMAC-SHA256(key=MasterSecret, data=a2)
a4 = ...
p1 = HMAC-SHA256(key=MasterSecret, data=a1 + seed)
p2 = HMAC-SHA256(key=MasterSecret, data=a2 + seed)
p3 = HMAC-SHA256(key=MasterSecret, data=a3 + seed)
p4 = ...
p = p1 + p2 + p3 + p4 ...
client write mac key = [first 20 bytes of p]
server write mac key = [next 20 bytes of p]
client write key = [next 16 bytes of p]
server write key = [next 16 bytes of p]
client write IV = [next 16 bytes of p]
server write IV = [next 16 bytes of p]
</pre>

	We can demonstrate this on the command line:
	<codesample>
<pre><code>### continued from above command line example
### set up our MasterSecret as a hex string
$ mshex=$(hexdump -ve '/1 "%%02x"' /tmp/mastersecret)
### build the seed
$ echo -en 'key expansion' > /tmp/seed
$ cat /tmp/s_rand /tmp/c_rand >> /tmp/seed
### a0 is the same as the seed
$ cat /tmp/seed > /tmp/a0
### a(n) is hmac-sha256(key=secret, data=a(n-1))
$ cat /tmp/a0 | openssl dgst -sha256 \
   -mac HMAC -macopt hexkey:$mshex -binary > /tmp/a1
$ cat /tmp/a1 | openssl dgst -sha256 \
   -mac HMAC -macopt hexkey:$mshex -binary > /tmp/a2
$ cat /tmp/a2 | openssl dgst -sha256 \
   -mac HMAC -macopt hexkey:$mshex -binary > /tmp/a3
$ cat /tmp/a3 | openssl dgst -sha256 \
   -mac HMAC -macopt hexkey:$mshex -binary > /tmp/a4
### p(n) is hmac-sha256(key=secret, data=a(n)+seed)
$ cat /tmp/a1 /tmp/seed | openssl dgst -sha256 \
   -mac HMAC -macopt hexkey:$mshex -binary > /tmp/p1
$ cat /tmp/a2 /tmp/seed | openssl dgst -sha256 \
   -mac HMAC -macopt hexkey:$mshex -binary > /tmp/p2
$ cat /tmp/a3 /tmp/seed | openssl dgst -sha256 \
   -mac HMAC -macopt hexkey:$mshex -binary > /tmp/p3
$ cat /tmp/a4 /tmp/seed | openssl dgst -sha256 \
   -mac HMAC -macopt hexkey:$mshex -binary > /tmp/p4
$ cat /tmp/p1 /tmp/p2 /tmp/p3 /tmp/p4 > /tmp/p
$ dd if=/tmp/p of=/tmp/client_mac_key bs=1 skip=0  count=20
$ dd if=/tmp/p of=/tmp/server_mac_key bs=1 skip=20 count=20
$ dd if=/tmp/p of=/tmp/client_key     bs=1 skip=40 count=16
$ dd if=/tmp/p of=/tmp/server_key     bs=1 skip=56 count=16
$ dd if=/tmp/p of=/tmp/client_iv      bs=1 skip=72 count=16
$ dd if=/tmp/p of=/tmp/server_iv      bs=1 skip=88 count=16
$ hexdump /tmp/client_mac_key
0000000 1b 7d 11 7c 7d 5f 69 0b c2 63 ca e8 ef 60 af 0f
0000010 18 78 ac c2

$ hexdump /tmp/server_mac_key
0000000 2a d8 bd d8 c6 01 a6 17 12 6f 63 54 0e b2 09 06
0000010 f7 81 fa d2

$ hexdump /tmp/client_key
0000000 f6 56 d0 37 b1 73 ef 3e 11 16 9f 27 23 1a 84 b6

$ hexdump /tmp/server_key
0000000 75 2a 18 e7 a9 fc b7 cb cd d8 f9 8d d8 f7 69 eb

$ hexdump /tmp/client_iv
0000000 a0 d2 55 0c 92 38 ee bf ef 5c 32 25 1a bb 67 d6

$ hexdump /tmp/server_iv
0000000 43 45 28 db 49 37 d5 40 d3 93 13 5e 06 a1 1b b8
</code></pre>
	</codesample>

	From this we get the following key data:
	<ul>
	<li>client MAC key: <tt class="longboi">1b7d117c7d5f690bc263cae8ef60af0f1878acc2</tt>
	<li>server MAC key: <tt class="longboi">2ad8bdd8c601a617126f63540eb20906f781fad2</tt>
	<li>client write key: <tt class="longboi">f656d037b173ef3e11169f27231a84b6</tt>
	<li>server write key: <tt class="longboi">752a18e7a9fcb7cbcdd8f98dd8f769eb</tt>
	<li>client write IV: <tt class="longboi">a0d2550c9238eebfef5c32251abb67d6</tt>
	<li>server write IV: <tt class="longboi">434528db4937d540d393135e06a11bb8</tt>
	</ul>
</div>
</div>

<div class="record server">
<div class="label">Server Change Cipher Spec</div>
<div class="explanation">
	The server indicates that it has calculated the shared
	encryption keys and that all following messages from the
	server will be encrypted with the server write key.
	<br/><br/>
	In the next version of TLS this message type has been removed because it can be inferred.
</div>
%file ../captures/caps/serverccs
<span class="record-data">
	<span class="string">
		<span class="label">Record</span>
		<span class="bytes">
%next 6
%bytes
		</span>
		<div class="explanation">
			TLS sessions are broken into the sending
			and receiving of "records", which are blocks
			of data with a type, a protocol version,
			and a length.
			<ul>
			<li><tt>14</tt> - type is 0x14 (ChangeCipherSpec record)
			<li><tt>%1 %2</tt> - protocol version is 3.3 (TLS 1.2)
			<li><tt>%3 %4</tt> - the length of the record payload is %xx3 (%dd3) bytes
			<li><tt>%5</tt> - the payload of this message is defined as the byte 0x01
			</ul>
		</div>
	</span>
</span>
</div>
%empty

<div class="record server">
<div class="label">Server Handshake Finished</div>
<div class="explanation">
	To verify that the handshake was successful and not tampered
	with, the server calculates verification data and encrypts
	it with the server write key.
	<br/><br/>
	The verification data is built from a hash of all handshake
	messages and verifies the integrity of the handshake process.
</div>
%file ../captures/caps/serverfinished
<span class="record-data">
	<span class="string">
		<span class="label">Record Header</span>
		<span class="bytes">
%next 5
%bytes
		</span>
		<div class="explanation">
			TLS sessions are broken into the sending
			and receiving of "records", which are blocks
			of data with a type, a protocol version,
			and a length.
			<ul>
			<li><tt>16</tt> - type is 0x16 (handshake record)
			<li><tt>%1 %2</tt> - protocol version is 3.3 (TLS 1.2)
			<li><tt>%3 %4</tt> - the length of the record payload is %xx3 (%dd3) bytes
			</ul>
			All data following this header is the payload for this record.
		</div>
	</span>

	<span class="string">
		<span class="label">Encryption IV</span>
		<span class="bytes">
%next 16
%bytes
		</span>
		<div class="explanation">
			The server has sent an initialization vector for decrypting this block.
			Because we have overridden the rand function it
			is a predictable sequence.
		</div>
	</span>

	<span class="string encrypted">
		<span class="label">Encrypted Data</span>
		<span class="bytes">
%next 48
%bytes
		</span>
		<div class="explanation">
			This data is encrypted with the server write
			key.  Because it contains a message
			authentication code (MAC) and padding it
			is larger than the decrypted data.
			<br/><br/>
			See below for the decrypted data.
		</div>
	</span>
%empty

	<div class="decryption">
		<div class="label">Decryption</div>
		<div class="explanation">
			This data can be decrypted using the encryption
			IV and the server write key that was generated
			in the step "Server Encryption Keys
			Calculation".
			<codesample>
<pre><code>### server key
$ hexkey=752a18e7a9fcb7cbcdd8f98dd8f769eb
### IV for this record
$ hexiv=5152535455565758595a5b5c5d5e5f60
### encrypted data
$ echo -en '\x18\xe0\x75\x31\x7b\x10\x03\x15'  > /tmp/msg1
$ echo -en '\xf6\x08\x1f\xcb\xf3\x13\x78\x1a' >> /tmp/msg1
$ echo -en '\xac\x73\xef\xe1\x9f\xe2\x5b\xa1' >> /tmp/msg1
$ echo -en '\xaf\x59\xc2\x0b\xe9\x4f\xc0\x1b' >> /tmp/msg1
$ echo -en '\xda\x2d\x68\x00\x29\x8b\x73\xa7' >> /tmp/msg1
$ echo -en '\xe8\x49\xd7\x4b\xd4\x94\xcf\x7d' >> /tmp/msg1
$ cat /tmp/msg1 | openssl enc -d -aes-128-cbc -K $hexkey -iv $hexiv | hexdump

0000000 14 00 00 0c 84 4d 3c 10 74 6d d7 22 f9 2f 0c 7e
0000010 20 c4 97 46 d2 a3 0f 23 57 39 90 58 07 53 52 43
0000020 af f2 bf e0 0b

The last 21 bytes contain a MAC and the number
of (not shown) padding bytes and can be ignored.
</code></pre>
			</codesample>
		</div>
	</div>

%file ../captures/caps/serverfinishedplain
	<span class="string decrypted">
		<span class="label">Handshake Header</span>
		<span class="bytes">
%next 4
%bytes
		</span>
		<div class="explanation">
			Each handshake message starts with a type and a length.
			<ul>
			<li><tt>14</tt> - handshake message type 0x14 (finished)
			<li><tt>%1 %2 %3</tt> - payload length of %xxx1 (%ddd1) bytes
			</ul>
			All data following this header is the payload for this message.
		</div>
	</span>

	<span class="string decrypted">
		<span class="label">Verify Data</span>
		<span class="bytes">
%next 12
%bytes
		</span>
		<div class="explanation">
			The verify_data is built from the master secret and the
			hash of the payload of all handshake records (type=0x16) previous to this one.
			<br/><br/>
			The SHA256 of all handshake messages before this one
			is <tt class="longboi">b2017ba28d0e27f03ae327456b6ff00b4d5bbf0ef7cda83ce1029b521c3e7c35</tt>.
			<br/><br/>
			The calculation for verify_data is as follows:
<pre class="ind1">
seed = "server finished" + SHA256(all handshake messages)
a0 = seed
a1 = HMAC-SHA256(key=MasterSecret, data=a0)
p1 = HMAC-SHA256(key=MasterSecret, data=a1 + seed)
verify_data = p1[first 12 bytes]
</pre>
			The verify data calculated from this hash is <tt class="longboi">a0744dd49a212f152b3c060d</tt>.
			We can show this on the command line:
			<codesample>
			<pre><code>### set up our MasterSecret as a hex string
$ mshex=$(hexdump -ve '/1 "%%02x"' /tmp/mastersecret)
### build the seed
$ echo -en 'server finished' > /tmp/seed
### add SHA256(all_messages) to seed
$ echo -en '\xb2\x01\x7b\xa2\x8d\x0e\x27\xf0' >> /tmp/seed
$ echo -en '\x3a\xe3\x27\x45\x6b\x6f\xf0\x0b' >> /tmp/seed
$ echo -en '\x4d\x5b\xbf\x0e\xf7\xcd\xa8\x3c' >> /tmp/seed
$ echo -en '\xe1\x02\x9b\x52\x1c\x3e\x7c\x35' >> /tmp/seed
### a0 is the same as the seed
$ cat /tmp/seed > /tmp/a0
### a(n) is hmac-sha256(key=secret, data=a(n-1))
$ cat /tmp/a0 | openssl dgst -sha256 \
   -mac HMAC -macopt hexkey:$mshex -binary > /tmp/a1
### p(n) is hmac-sha256(key=secret, data=a(n)+seed)
$ cat /tmp/a1 /tmp/seed | openssl dgst -sha256 \
   -mac HMAC -macopt hexkey:$mshex -binary > /tmp/p1
$ head -c 12 /tmp/p1 > /tmp/verify_data
$ hexdump /tmp/verify_data

0000000 84 4d 3c 10 74 6d d7 22 f9 2f 0c 7e
</code></pre>
			</codesample>
		</div>
	</span>
</span>
</div>

<div class="record client">
<div class="label">Client Application Data</div>
<div class="explanation">
	The client sends the data "ping".
</div>
%file ../captures/caps/clientdata
<span class="record-data">
	<span class="string">
		<span class="label">Record Header</span>
		<span class="bytes">
%next 5
%bytes
		</span>
		<div class="explanation">
			TLS sessions are broken into the sending
			and receiving of "records", which are blocks
			of data with a type, a protocol version,
			and a length.
			<ul>
			<li><tt>17</tt> - type is 0x17 (application data)
			<li><tt>%1 %2</tt> - protocol version is 3.3 (TLS 1.2)
			<li><tt>%3 %4</tt> - the length of the record payload is %xx3 (%dd3) bytes
			</ul>
			All data following this header is the payload for this record.
		</div>
	</span>

	<span class="string">
		<span class="label">Encryption IV</span>
		<span class="bytes">
%next 16
%bytes
		</span>
		<div class="explanation">
			The client has sent an initialization vector for decrypting this block.
			Because we have overridden the rand function it
			is a predictable sequence.
		</div>
	</span>

	<span class="string encrypted">
		<span class="label">Encrypted Data</span>
		<span class="bytes">
%next 32
%bytes
		</span>
		<div class="explanation">
			This data is encrypted with the client write
			key.  Because it contains a message
			authentication code (MAC) and padding it
			is larger than the decrypted data.
			<br/><br/>
			See below for the decrypted data.
		</div>
	</span>
%empty

	<div class="decryption">
		<div class="label">Decryption</div>
		<div class="explanation">
			This data can be decrypted using the encryption
			IV and the client write key that was generated
			in the step "Client Encryption Keys
			Calculation".
			<codesample>
<pre><code>### client key
$ hexkey=f656d037b173ef3e11169f27231a84b6
### IV for this record
$ hexiv=000102030405060708090a0b0c0d0e0f
### encrypted data
$ echo -en '\x6c\x42\x1c\x71\xc4\x2b\x18\x3b' >  /tmp/msg1
$ echo -en '\xfa\x06\x19\x5d\x13\x3d\x0a\x09' >> /tmp/msg1
$ echo -en '\xd0\x0f\xc7\xcb\x4e\x0f\x5d\x1c' >> /tmp/msg1
$ echo -en '\xda\x59\xd1\x47\xec\x79\x0c\x99' >> /tmp/msg1
$ cat /tmp/msg1 | openssl enc -d -aes-128-cbc -K $hexkey -iv $hexiv | hexdump

0000000 70 69 6e 67 60 10 12 49 f7 4a 03 77 c9 ca cf 63
0000010 09 75 13 70 d8 0c fc aa 07

The last 21 bytes contain a MAC and the number
of (not shown) padding bytes and can be ignored.
</code></pre>
			</codesample>
		</div>
	</div>

%file ../captures/caps/clientdataplain
	<span class="string decrypted">
		<span class="label">Application Data</span>
		<span class="bytes">
%next 4
%bytes
		</span>
		<div class="explanation">
			The bytes "ping".
		</div>
	</span>
</span>
</div>

<div class="record server">
<div class="label">Server Application Data</div>
<div class="explanation">
	The server replies with the data "pong".
</div>
%file ../captures/caps/serverdata
<span class="record-data">
	<span class="string">
		<span class="label">Record Header</span>
		<span class="bytes">
%next 5
%bytes
		</span>
		<div class="explanation">
			TLS sessions are broken into the sending
			and receiving of "records", which are blocks
			of data with a type, a protocol version,
			and a length.
			<ul>
			<li><tt>17</tt> - type is 0x17 (application data)
			<li><tt>%1 %2</tt> - protocol version is 3.3 (TLS 1.2)
			<li><tt>%3 %4</tt> - the length of the record payload is %xx3 (%dd3) bytes
			</ul>
			All data following this header is the payload for this record.
		</div>
	</span>

	<span class="string">
		<span class="label">Encryption IV</span>
		<span class="bytes">
%next 16
%bytes
		</span>
		<div class="explanation">
			The server has sent an initialization vector for decrypting this block.
			Because we have overridden the rand function it
			is a predictable sequence.
		</div>
	</span>

	<span class="string encrypted">
		<span class="label">Encrypted Data</span>
		<span class="bytes">
%next 32
%bytes
		</span>
		<div class="explanation">
			This data is encrypted with the client write
			key.  Because it contains a message
			authentication code (MAC) and padding it
			is larger than the decrypted data.
			<br/><br/>
			See below for the decrypted data.
		</div>
	</span>
%empty

	<div class="decryption">
		<div class="label">Decryption</div>
		<div class="explanation">
			This data can be decrypted using the encryption
			IV and the client write key that was generated
			in the step "Server Encryption Keys
			Calculation".
			<codesample>
<pre><code>### server key
$ hexkey=752a18e7a9fcb7cbcdd8f98dd8f769eb
### IV for this record
$ hexiv=6162636465666768696a6b6c6d6e6f70
### encrypted data
$ echo -en '\x97\x83\x48\x8a\xf5\xfa\x20\xbf' >  /tmp/msg1
$ echo -en '\x7a\x2e\xf6\x9d\xeb\xb5\x34\xdb' >> /tmp/msg1
$ echo -en '\x9f\xb0\x7a\x8c\x27\x21\xde\xe5' >> /tmp/msg1
$ echo -en '\x40\x9f\x77\xaf\x0c\x3d\xde\x56' >> /tmp/msg1
$ cat /tmp/msg1 | openssl enc -d -aes-128-cbc -K $hexkey -iv $hexiv | hexdump

0000000 70 6f 6e 67 5a c7 99 dc cf dc 0f af 95 2b dc 91
0000010 18 af 20 0e e3 1c 51 05 07                     

The last 21 bytes contain a MAC and the number
of (not shown) padding bytes and can be ignored.
</code></pre>
			</codesample>
		</div>
	</div>

%file ../captures/caps/serverdataplain
	<span class="string decrypted">
		<span class="label">Application Data</span>
		<span class="bytes">
%next 4
%bytes
		</span>
		<div class="explanation">
			The bytes "pong".
		</div>
	</span>
</span>
</div>

<div class="record client">
<div class="label">Client Close Notify</div>
<div class="explanation">
	The client sends an alert that it is closing the connection.
</div>
%file ../captures/caps/clientalert
<span class="record-data">
	<span class="string">
		<span class="label">Record Header</span>
		<span class="bytes">
%next 5
%bytes
		</span>
		<div class="explanation">
			TLS sessions are broken into the sending
			and receiving of "records", which are blocks
			of data with a type, a protocol version,
			and a length.
			<ul>
			<li><tt>15</tt> - type is 0x15 (alert record)
			<li><tt>%1 %2</tt> - protocol version is 3.3 (TLS 1.2)
			<li><tt>%3 %4</tt> - the length of the record payload is %xx3 (%dd3) bytes
			</ul>
			All data following this header is the payload for this record.
		</div>
	</span>

	<span class="string">
		<span class="label">Encryption IV</span>
		<span class="bytes">
%next 16
%bytes
		</span>
		<div class="explanation">
			The client has sent an initialization vector for decrypting this block.
			Because we have overridden the rand function it
			is a predictable sequence.
		</div>
	</span>

	<span class="string encrypted">
		<span class="label">Encrypted Data</span>
		<span class="bytes">
%next 32
%bytes
		</span>
		<div class="explanation">
			This data is encrypted with the client write
			key.  Because it contains a message
			authentication code (MAC) and padding it
			is larger than the decrypted data.
			<br/><br/>
			See below for the decrypted data.
		</div>
	</span>
%empty

	<div class="decryption">
		<div class="label">Decryption</div>
		<div class="explanation">
			This data can be decrypted using the encryption
			IV and the client write key that was generated
			in the step "Client Encryption Keys
			Calculation".
			<codesample>
<pre><code>### client key
$ hexkey=f656d037b173ef3e11169f27231a84b6
### IV for this record
$ hexiv=101112131415161718191a1b1c1d1e1f
### encrypted data
$ echo -en '\x0d\x83\xf9\x79\x04\x75\x0d\xd8' >  /tmp/msg1
$ echo -en '\xfd\x8a\xa1\x30\x21\x86\x32\x63' >> /tmp/msg1
$ echo -en '\x4f\xd0\x65\xe4\x62\x83\x79\xb8' >> /tmp/msg1
$ echo -en '\x8b\xbf\x9e\xfd\x12\x87\xa6\x2d' >> /tmp/msg1
$ cat /tmp/msg1 | openssl enc -d -aes-128-cbc -K $hexkey -iv $hexiv | hexdump

0000000 01 00 92 79 9c ba 81 9f 31 07 44 c5 59 62 2b e4
0000010 2b ce 3d 6a 41 fb 09

The last 21 bytes contain a MAC and the number
of (not shown) padding bytes and can be ignored.
</code></pre>
			</codesample>
		</div>
	</div>

%file ../captures/caps/clientalertplain
	<span class="string decrypted">
		<span class="label">Alert Level</span>
		<span class="bytes">
%next 1
%bytes
		</span>
		<div class="explanation">
			<ul>
			<li><tt>01</tt> - assigned value for "Warning"
			</ul>
			A "Warning" alert is informational.
		</div>
	</span>

	<span class="string decrypted">
		<span class="label">Alert Type</span>
		<span class="bytes">
%next 1
%bytes
		</span>
		<div class="explanation">
			<ul>
			<li><tt>00</tt> - assigned value for "Close Notify"
			</ul>
			This message notifies the recipient that
			the sender will not send any more messages on this connection.
		</div>
	</span>
</span>
</div>

	<div class="outerblock">
	<p>The code for this project can be found
	<a href="https://github.com/syncsynchalt/illustrated-tls">on GitHub</a>.</p>
	</div>

	<div class="outerblock">
	<p>If you found this page useful or interesting let me know via Twitter
	<a href="https://twitter.com/xargsnotbombs">@XargsNotBombs</a>.</p>
	</div>

</div>

<div id="templates" style="display: none">
	<div id="closeBtnTmpl">
		<span class="close" onclick="ill.unselectAllStrings()">×</span>
	</div>
	<div id="showCodeTmpl">
		<button class="show-code" onclick="ill.showCode(this, event)">Show Code</button>
	</div>
	<button id="annotateTmpl" class="annotate-toggle"
		onclick="ill.toggleAnnotate(this.parentElement, event)">Annotations</button>
</div>

<a class="print-mode" href="#print" onclick="ill.printMode()">
	[print]
</a>
</body>
</html>