First time here? Check out the FAQ!
THIS IS A TEST INSTANCE. Feel free to ask and answer questions, but take care to avoid triggering too many notifications.
Ask Your Question
0

Not able to calculate the mac for client finish correctly

I am using TLS 1.2, both client and server using openssl

openssl s_client -tls1_2 -ciphersuites TLS_RSA_WITH_AES_256_CBC_SHA256 -connect 10.254.254.101:4444  -keylogfile dk-rsa.txt
 openssl s_server -accept 4444 -www -tls1_2 -ciphersuites TLS_RSA_WITH_AES_256_CBC_SHA256 -key rsa-priv.pem -cert cert-rsa.pem

From my Wireshark Debug file, I am able to get the secrets

ClientMacKey
mackey='18db0fb10326e5511f278e0a88edbbfaa1280e28202875ac62ed46f4d7fab273'

Client Write Key
hexkey='ccd8389905abd3b5f3daf5349ab7e62fcdbac970c0705f770b51b9d5c2fbd59c'

I am using Encrypt then Mac extension. When I look at the encrypted client finish message, I see 80 Bytes of Cipher text

Ciphertext[80]:
| 8f 77 7c 98 ae ae 89 6c b3 40 45 d3 93 a2 01 23 |.w|....l.@E....#|
| 26 2d dd 1f f7 92 9c c5 ba 40 0b 1f 47 bb 95 3a |&-.......@..G..:|
| 54 3e 0b da be 92 32 ae 54 45 90 78 a4 ec be 14 |T>....2.TE.x....|
| 5e d5 70 77 cc 59 77 bd 10 88 89 0e d3 8b 9a 35 |^.pw.Yw........5|
| a1 17 db 0b fa f2 0f 7f ff f0 d7 db c6 f1 22 26 |.............."&|

I am assuming the first 16 Bytes are IV, the next 32 Bytes are Message+Pad+Padlength and the last 32 bytes are mac. My Problem is when I try to calculate the mac , I dont get the value shown in the ciphertext: Here are my Keys from the Debug file:

Client MAC key[32]:
| 18 db 0f b1 03 26 e5 51 1f 27 8e 0a 88 ed bb fa |.....&.Q.'......|
| a1 28 0e 28 20 28 75 ac 62 ed 46 f4 d7 fa b2 73 |.(.( (u.b.F....s|
Server MAC key[32]:
| 6a 70 2f 39 af 12 53 d4 aa c6 09 b1 0d e3 65 9f |jp/9..S.......e.|
| 75 cf d0 cd cc ff 14 5d 6a 55 be 1c 5d df 86 0b |u......]jU..]...|
Client Write key[32]:
| cc d8 38 99 05 ab d3 b5 f3 da f5 34 9a b7 e6 2f |..8........4.../|
| cd ba c9 70 c0 70 5f 77 0b 51 b9 d5 c2 fb d5 9c |...p.p_w.Q......|
Server Write key[32]:
| aa c7 16 8c 9c 88 cd 0b 79 58 ce 39 80 9a de 33 |........yX.9...3|
| c5 ba b9 d2 ec 87 62 38 3a 93 e5 52 ba 6e d6 11 |......b8:..R.n..|
Client Write IV[16]:
| 14 21 f3 67 41 10 36 19 aa 64 8d fb 4e c4 90 b6 |.!.gA.6..d..N...|
Server Write IV[16]:
| b1 cb 9a e0 3e 8e 6b cd 67 08 f9 6e 32 66 49 59 |....>.k.g..n2fIY|

This is how I am checking the Hash:

#sequence='0000000000000000'
#rechdr='16 03 03'
#datalen='00 50'
#iv='8f 77 7c 98 ae ae 89 6c b3 40 45 d3 93 a2 01 23'
#echo $sequence $rechdr $datalen $iv $data | xxd -r -p   | openssl dgst -sha256 -mac HMAC -macopt hexkey:$mackey
(stdin)= 32c869452c5a4da6e718ae7a6c52e74cd3317a58c422c03a8886f06018c51205
#datalen='00 10 ...
(more)
Dinesh Kavuru's avatar
1
Dinesh Kavuru
asked 2019-10-02 14:52:10 +0000
grahamb's avatar
23.8k
grahamb
updated 2019-10-02 15:01:53 +0000
edit flag offensive 0 remove flag close merge delete

Comments

add a comment see more comments

1 Answer

0

I finally Fixed it. The TLSCipherText.length is 48 Bytes so datalen='00 30'. The Idea is we first build the Enc where we have 16 Bytes of IV and 32 Bytes of Encrypted data, and this length of 48 Bytes goes into the Hash Calculation.

Dinesh Kavuru's avatar
1
Dinesh Kavuru
answered 2019-10-03 20:26:46 +0000
edit flag offensive 0 remove flag delete link
more

Comments

add a comment see more comments

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account. This space is reserved only for answers. If you would like to engage in a discussion, please instead post a comment under the question or an answer that you would like to discuss.

Add Answer