Ask Your Question
0

Not able to calculate the mac for client finish correctly

asked 2019-10-02 14:52:10 +0000

Dinesh Kavuru gravatar image

updated 2019-10-02 15:01:53 +0000

grahamb gravatar image

I am using TLS 1.2, both client and server using openssl

openssl s_client -tls1_2 -ciphersuites TLS_RSA_WITH_AES_256_CBC_SHA256 -connect 10.254.254.101:4444  -keylogfile dk-rsa.txt
 openssl s_server -accept 4444 -www -tls1_2 -ciphersuites TLS_RSA_WITH_AES_256_CBC_SHA256 -key rsa-priv.pem -cert cert-rsa.pem

From my Wireshark Debug file, I am able to get the secrets

ClientMacKey
mackey='18db0fb10326e5511f278e0a88edbbfaa1280e28202875ac62ed46f4d7fab273'

Client Write Key
hexkey='ccd8389905abd3b5f3daf5349ab7e62fcdbac970c0705f770b51b9d5c2fbd59c'

I am using Encrypt then Mac extension. When I look at the encrypted client finish message, I see 80 Bytes of Cipher text

Ciphertext[80]:
| 8f 77 7c 98 ae ae 89 6c b3 40 45 d3 93 a2 01 23 |.w|....l.@E....#|
| 26 2d dd 1f f7 92 9c c5 ba 40 0b 1f 47 bb 95 3a |&-.......@..G..:|
| 54 3e 0b da be 92 32 ae 54 45 90 78 a4 ec be 14 |T>....2.TE.x....|
| 5e d5 70 77 cc 59 77 bd 10 88 89 0e d3 8b 9a 35 |^.pw.Yw........5|
| a1 17 db 0b fa f2 0f 7f ff f0 d7 db c6 f1 22 26 |.............."&|

I am assuming the first 16 Bytes are IV, the next 32 Bytes are Message+Pad+Padlength and the last 32 bytes are mac. My Problem is when I try to calculate the mac , I dont get the value shown in the ciphertext: Here are my Keys from the Debug file:

Client MAC key[32]:
| 18 db 0f b1 03 26 e5 51 1f 27 8e 0a 88 ed bb fa |.....&.Q.'......|
| a1 28 0e 28 20 28 75 ac 62 ed 46 f4 d7 fa b2 73 |.(.( (u.b.F....s|
Server MAC key[32]:
| 6a 70 2f 39 af 12 53 d4 aa c6 09 b1 0d e3 65 9f |jp/9..S.......e.|
| 75 cf d0 cd cc ff 14 5d 6a 55 be 1c 5d df 86 0b |u......]jU..]...|
Client Write key[32]:
| cc d8 38 99 05 ab d3 b5 f3 da f5 34 9a b7 e6 2f |..8........4.../|
| cd ba c9 70 c0 70 5f 77 0b 51 b9 d5 c2 fb d5 9c |...p.p_w.Q......|
Server Write key[32]:
| aa c7 16 8c 9c 88 cd 0b 79 58 ce 39 80 9a de 33 |........yX.9...3|
| c5 ba b9 d2 ec 87 62 38 3a 93 e5 52 ba 6e d6 11 |......b8:..R.n..|
Client Write IV[16]:
| 14 21 f3 67 41 10 36 19 aa 64 8d fb 4e c4 90 b6 |.!.gA.6..d..N...|
Server Write IV[16]:
| b1 cb 9a e0 3e 8e 6b cd 67 08 f9 6e 32 66 49 59 |....>.k.g..n2fIY|

This is how I am checking the Hash:

#sequence='0000000000000000'
#rechdr='16 03 03'
#datalen='00 50'
#iv='8f 77 7c 98 ae ae 89 6c b3 40 45 d3 93 a2 01 23'
#echo $sequence $rechdr $datalen $iv $data | xxd -r -p   | openssl dgst -sha256 -mac HMAC -macopt hexkey:$mackey
(stdin)= 32c869452c5a4da6e718ae7a6c52e74cd3317a58c422c03a8886f06018c51205
#datalen='00 10 ...
(more)
edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
0

answered 2019-10-03 20:26:46 +0000

Dinesh Kavuru gravatar image

I finally Fixed it. The TLSCipherText.length is 48 Bytes so datalen='00 30'. The Idea is we first build the Enc where we have 16 Bytes of IV and 32 Bytes of Encrypted data, and this length of 48 Bytes goes into the Hash Calculation.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

Stats

Asked: 2019-10-02 14:52:10 +0000

Seen: 921 times

Last updated: Oct 03 '19