From be7de788a17cdb056708ed8012cca1ad89783b87 Mon Sep 17 00:00:00 2001 From: jmwample <8297368+jmwample@users.noreply.github.com> Date: Tue, 21 May 2024 21:52:58 -0600 Subject: [PATCH 1/3] almost done with first pass on client handshake packet --- docs/index.html | 426 +++++++----------------------------------------- 1 file changed, 57 insertions(+), 369 deletions(-) diff --git a/docs/index.html b/docs/index.html index 1fe490a..4747a57 100644 --- a/docs/index.html +++ b/docs/index.html @@ -232,417 +232,105 @@

IAT Mode The session begins with the client saying "Hello". The client provides information including the following: + While this will not typically fit in a single TCP packet, for the sake of this demonstration + it will be presented as a single packet. Also, as the elligator2 representative + is a deterministic transformation of the public key, session ephemeral keys should + never be re-used, or the client handshake messages will begin with identical byte + sequences. - Record Header - - 16 03 01 00 f8 - -
- TLS sessions are broken into the sending - and receiving of "records", which are blocks - of data with a type, a protocol version, - and a length. -
    -
  • 16 - type is 0x16 (handshake record) -
  • 03 01 - protocol version is "3,1" (also known as TLS 1.0) -
  • 00 f8 - 0xF8 (248) bytes of handshake message follows -
- Interestingly the version in this record - is "3,1" (TLS 1.0) instead of "3,4" (TLS 1.3). - This is done for interoperability with earlier - implementations. -
-
- - - Handshake Header - - 01 00 00 f4 - -
- Each handshake message starts with a type and a length. -
    -
  • 01 - handshake message type 0x01 (client hello) -
  • 00 00 f4 - 0xF4 (244) bytes of client hello data follows -
-
-
- - - Client Version - - 03 03 - -
- A protocol version of "3,3" (meaning TLS 1.2) - is given. Because middleboxes have been - created and widely deployed that do not - allow protocol versions that - they do not recognize, the TLS 1.3 session - must be disguised as a TLS 1.2 session. - This field is no - longer used for version negotiation and - is hardcoded to the 1.2 version. Instead, - version negotiation is performed using the - "Supported Versions" extension below. -

- The unusual version number ("3,3" representing - TLS 1.2) is due to TLS 1.0 being a minor - revision of the SSL 3.0 protocol. Therefore - TLS 1.0 is represented by "3,1", TLS 1.1 is - "3,2", and so on. -
-
- - - Client Random - - 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e - 1f - -
- The client provides 32 bytes of random data. This data will be used later in the session. - In this example we've made the random data a predictable string. -
-
- - - Session ID - - 20 e0 e1 e2 e3 e4 e5 e6 e7 e8 e9 ea eb ec ed ee ef f0 f1 f2 f3 f4 f5 f6 f7 f8 f9 fa fb fc fd - fe - ff - -
- In previous versions of TLS the client could - provide an ID of a previously negotiated - session, which allows the server and client - to skip the time and cost of negotiating new keys. -

- In TLS 1.3 this "session resume" is done via the more flexible - PSK (pre-shared keys) mechanism, so this - field is no longer needed for that purpose. - Instead, a non-empty value in this field is - used to trigger "middlebox compatibility - mode" which helps TLS 1.3 sessions to be - disguised as resumed TLS 1.2 sessions. The - client has generated random data to populate - this field. -
    -
  • 20 - 0x20 (32) bytes of session ID follow -
  • e0 e1 ... fe ff - fake session ID -
-
-
- - - Cipher Suites - - 00 08 13 02 13 03 13 01 00 ff - -
- The client provides an ordered list of which - cipher suites it will support for encryption. - The list is in the order preferred by the - client, with highest preference first. -

- In TLS 1.3 the list of possible cipher - suites has been greatly reduced. All the - remaining suites are AEAD algorithms which - provide stronger encryption guarantees than - many previous suites with an easier all-in-one - implementation. -
    -
  • 00 08 - 8 bytes of cipher suite data -
  • 13 02 - assigned value for TLS_AES_256_GCM_SHA384 -
  • 13 03 - assigned value for TLS_CHACHA20_POLY1305_SHA256 -
  • 13 01 - assigned value for TLS_AES_128_GCM_SHA256 -
  • 00 ff - assigned value for TLS_EMPTY_RENEGOTIATION_INFO_SCSV -
-
-
- - - Compression Methods - - 01 00 - -
- Previous versions of TLS supported - compression, which was found to leak - information about the encrypted data allowing - it to be read (see CRIME). -

- TLS 1.3 no longer allows compression, so - this field is always a single entry with - the "null" compression method which performs - no change to the data. -
    -
  • 01 - 1 bytes of compression methods -
  • 00 - assigned value for "null" compression -
-
-
- - - Extensions Length + Elligator2 Encoded Public Representative - 00 a3 + f4 d0 5d f7 8e c6 f6 7a c1 04 31 99 63 ca c0 97 64 ba 89 0f 89 25 28 16 9d cb bf db 16 66 a7 bd
- The client has provided a list of optional - extensions which the server can use to - take action or enable new features. -
    -
  • 00 a3 - the extensions will take 0xA3 (163) bytes of data -
- Each extension will start with two bytes - that indicate which extension it is, followed - by a two-byte content length field, followed - by the contents of the extension. + Each handshake message starts with the client's x255519 public key encoded using + the Elligator2 encoding scheme.
- Extension - Server Name + Padding - 00 00 00 18 00 16 00 00 13 65 78 61 6d 70 6c 65 2e 75 6c 66 68 65 69 6d 2e 6e 65 74 + e0 e1 e2 e3 e4 e5 e6 e7 e8 e9 ea eb ec ed ee ef f0 f1 f2 f3 f4 f5 f6 f7 f8 f9 fa fb fc fd fe ff
- The client has provided the name of the - server it is contacting, also known as SNI - (Server Name Indication). -

- Without this extension an HTTPS server would - not be able to provide service for multiple - hostnames (virtual hosts) on a single IP address - because it couldn't know which - hostname's certificate to send until - after the TLS session was negotiated and the - HTTP request was made. + In obfs4 the client pads the handshake message with random bytes to a length between + 4096 and 8192 bytes. This padding is used to make the handshake message a non-uniform + length such that the size of the first packet would be a strong indication of the + specific protocol being used.
    -
  • 00 00 - assigned value for extension "server name" -
  • 00 18 - 0x18 (24) bytes of "server name" extension data follows -
  • 00 16 - 0x16 (22) bytes of first (and only) list entry follows -
  • 00 - list entry is type 0x00 "DNS hostname" -
  • 00 13 - 0x13 (19) bytes of hostname follows -
  • 65 78 61 ... 6e 65 74 - "example.ulfheim.net" +
  • e0 e1 ... fe ff - bytes drawn form prng source.
- Extension - EC Point Formats + Steganographic Mark - 00 0b 00 04 03 00 01 02 + 13 02 13 03 13 01 00 ff 13 02 13 03 13 01 00 ff
- The client has indicated that it supports receiving - elliptic curve data points in the following compression formats: -
    -
  • 00 0b - assigned value for extension "ec point formats" -
  • 00 04 - 4 bytes of format types follow -
  • 03 - 3 bytes of format types follow -
  • 00 - assigned value for format "uncompressed" -
  • 01 - assigned value for format "ansiX962_compressed_prime" -
  • 02 - assigned value for format "ansiX962_compressed_char2" -
-
-
+ As the obfs4 handshake is (ideally) indistinguishable from uniform random bytes, + the client includes a steganographic mark in the handshake message to securely + indicate that it wishes to establish a connection. The mark is an HMAC that + uses the server's public key and node ID as hte key and + the client's ephemeral public key as the message. While the HMAC-SHA256 would + usually result in 32 bytes, only the first 16 bytes are used for the mark. - - Extension - Supported Groups - - 00 0a 00 16 00 14 00 1d 00 17 00 1e 00 19 00 18 01 00 01 01 01 02 01 03 01 04 - -
- The client has indicated that it supports - elliptic curve (EC) cryptography for ten curve types. - To make this extension more generic for - other cryptography types it calls these - "supported groups" instead of "supported - curves". -

- This list is presented in descending order - of the client's preference. -
    -
  • 00 0a - assigned value for extension "supported groups" -
  • 00 16 - 0x16 (22) bytes of "supported group" extension data follows -
  • 00 14 - 0x14 (20) bytes of data are in the curves list -
  • 00 1d - assigned value for the curve "x25519" -
  • 00 17 - assigned value for the curve "secp256r1" -
  • 00 1e - assigned value for the curve "x448" -
  • 00 19 - assigned value for the curve "secp521r1" -
  • 00 18 - assigned value for the curve "secp384r1" -
  • 01 00 - assigned value for the curve "ffdhe2048" -
  • 01 01 - assigned value for the curve "ffdhe3072" -
  • 01 02 - assigned value for the curve "ffdhe4096" -
  • 01 03 - assigned value for the curve "ffdhe6144" -
  • 01 04 - assigned value for the curve "ffdhe8192" -
-
-
+


HMAC-SHA256-128(ServerPubkey | NodeID, ClientPubkey) - - Extension - Session Ticket - - 00 23 00 00 - -

- The client indicates it has no session ticket - to provide for this connection. -
    -
  • 00 23 - assigned value for extension "Session Ticket" -
  • 00 00 - 0 bytes of "Session Ticket" extension data follows -
-
-
- - - Extension - Encrypt-Then-MAC - - 00 16 00 00 - -
- The client indicates it can support EtM, which prevents - certain vulnerabilities in - earlier versions of TLS. In - TLS 1.3 this mechanism is always used, so this extension - will have no effect in this session. -
    -
  • 00 16 - assigned value for extension "Encrypt Then MAC" -
  • 00 00 - 0 bytes of "Encrypt Then MAC" extension data follows -
+ +
import hmac
+import hashlib
+hmac_key = b'' + b''
+hmac_msg = b''
+h = hmac.new( hmac_key, hmac_msg, hashlib.sha256 )
+digest = h.hexdigest()
+print( digest[:len(digest)/2] )
+
+
- Extension - Extended Master Secret + Message Authentication - 00 17 00 00 + 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
- The client indicates support for extra cryptographic operations - which prevent vulnerabilities in earlier versions of TLS (see RFC 7627 for details). - In TLS 1.3 the vulnerabilities are no longer present, so this extension - will have no effect in this session. -
    -
  • 00 17 - assigned value for extension "Extended Master Secret" -
  • 00 00 - 0 bytes of "Extended Master Secret" extension data follows -
-
-
+ In order to ensure that the contents of the handshake message have not been + tampered with in transit, the client includes a second HMAC value using the same + key as the steganographic mark, but covering the contents of the entire handshake + message. - - Extension - Signature Algorithms - - 00 0d 00 1e 00 1c 04 03 05 03 06 03 08 07 08 08 08 09 08 0a 08 0b 08 04 08 05 08 06 04 01 05 - 01 - 06 01 - -
- This extension indicates which signature - algorithms the client supports. This can - influence the certificate that the server - presents to the client, as well as the - signature that is sent by the server in - the CertificateVerify record. -

- This list is presented in descending order - of the client's preference. -
    -
  • 00 0d - assigned value for extension "Signature Algorithms" -
  • 00 1e - 0x1E (30) bytes of "Signature Algorithms" extension data follows -
  • 00 1c - 0x1C (28) bytes of data are in the following list of algorithms -
  • 04 03 - assigned value for ECDSA-SECP256r1-SHA256 -
  • 05 03 - assigned value for ECDSA-SECP384r1-SHA384 -
  • 06 03 - assigned value for ECDSA-SECP521r1-SHA512 -
  • 08 07 - assigned value for ED25519 -
  • 08 08 - assigned value for ED448 -
  • 08 09 - assigned value for RSA-PSS-PSS-SHA256 -
  • 08 0a - assigned value for RSA-PSS-PSS-SHA384 -
  • 08 0b - assigned value for RSA-PSS-PSS-SHA512 -
  • 08 04 - assigned value for RSA-PSS-RSAE-SHA256 -
  • 08 05 - assigned value for RSA-PSS-RSAE-SHA384 -
  • 08 06 - assigned value for RSA-PSS-RSAE-SHA512 -
  • 04 01 - assigned value for RSA-PKCS1-SHA256 -
  • 05 01 - assigned value for RSA-PKCS1-SHA384 -
  • 06 01 - assigned value for RSA-PKCS1-SHA512 -
-
-
+ Again the HMAC-SHA256 value is truncated to 16 bytes. - - Extension - Supported Versions - - 00 2b 00 03 02 03 04 - -
- The client indicates its support of TLS 1.3. This is the only indication in the - Client Hello record that hints the client supports TLS 1.3, since - for compatibility reasons it has otherwise pretended to be a TLS 1.2 connection - attempt. +

If ew consider the handshake so far to be [ X | PAD | MARK ] where:

    -
  • 00 2b - assigned value for extension "Supported Versions" -
  • 00 03 - 3 bytes of "Supported Versions" extension data follows -
  • 02 - 2 bytes of TLS versions follow -
  • 03 04 - assigned value for TLS 1.3 +
  • X - Elligator2 encoded public key +
  • PAD - padding bytes +
  • MARK - steganographic mark
-
-
- - Extension - PSK Key Exchange Modes - - 00 2d 00 02 01 01 - -
- The client indicates the modes available - for establishing keys from pre-shared keys - (PSKs). Since we do not use PSKs in this - session, this extension has no effect. +

The message authentication is: +

HMAC-SHA256-128(serverIdentity | NodeID, X | PAD | MARK | E)

    -
  • 00 2d - assigned value for extension "PSK Key Exchange Modes" -
  • 00 02 - 2 bytes of "PSK Key Exchange Modes" extension data follows -
  • 01 - 1 bytes of exchange modes follow -
  • 01 - assigned value for "PSK with (EC)DHE key establishment" +
  • E - string representation of the number of hours since the UNIX epoch
+

The inclusion of the time stamp in the HMAC makes it so that the server only ever + accepts a given handshake message sent within a controlled number of hours. The server + can then keep a record of the client public keys and handshakes that it has seen + within that time window to prevent replay attacks.

- - Extension - Key Share - - 00 33 00 26 00 24 00 1d 00 20 35 80 72 d6 36 58 80 d1 ae ea 32 9a df 91 21 38 38 51 ed 21 a2 - 8e - 3b 75 e9 65 d0 d2 cd 16 62 54 - -
- The client sends one or more ephemeral public keys - using algorithm(s) that it thinks the server - will support. This allows the - rest of the handshake after the ClientHello - and ServerHello messages to be encrypted, - unlike previous protocol versions where the - handshake was sent in the clear. -
    -
  • 00 33 - assigned value for extension "Key Share" -
  • 00 26 - 0x26 (38) bytes of "Key Share" extension data follows -
  • 00 24 - 0x24 (36) bytes of key share data follows -
  • 00 1d - assigned value for x25519 (key exchange via curve25519) -
  • 00 20 - 0x20 (32) bytes of public key follows -
  • 35 80 ... 62 54 - public key from the step "Client Key Exchange Generation" -
-
-
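Review bot: the Padding paragraph in the client hunk states the opposite of what it means. As written, "This padding is used to make the handshake message a non-uniform length such that the size of the first packet would be a strong indication of the specific protocol being used" says the padding creates the fingerprint; it should say that without padding the first packet would always be the same size and that size alone would be a strong indication of the protocol, which is what the random-length padding prevents. Three more things in this hunk: (1) the Python snippet in the Steganographic Mark block does not run on Python 3, because `len(digest)/2` is a float and `digest[:32.0]` raises TypeError; use `h.digest()[:16]` (the 16-byte HMAC-SHA256-128 truncation, which is what the prose describes) or at least `len(digest)//2`, and replace the `b'' + b''` and `b''` placeholders with the server public key, node ID and client value from the page so the reader can actually reproduce the mark shown. (2) The mark's message is described as "the client's ephemeral public key" and written as `ClientPubkey` in the formula, but the block just above says the message starts with the Elligator2 representative and the MAC formula further down covers X, the representative; state which of the two values feeds the mark HMAC (to my reading obfs4proxy feeds the representative bytes) and use the same name in both formulas. (3) Typos: "x255519" should be "x25519", "as hte key" should be "as the key", "bytes drawn form prng source" should be "drawn from", and "If ew consider" should be "If we consider" (the last one is fixed in the follow-up commit).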
From 8b40fe811139f1827bbe971b4a538c3eb8796503 Mon Sep 17 00:00:00 2001 From: jmwample <8297368+jmwample@users.noreply.github.com> Date: Sun, 26 May 2024 21:00:08 -0600 Subject: [PATCH 2/3] add padding expand/collapse --- docs/illustrated.css | 22 ++- docs/illustrated.js | 27 ++++ docs/index.html | 318 ++++++++++++++++++++++++------------------- 3 files changed, 225 insertions(+), 142 deletions(-) diff --git a/docs/illustrated.css b/docs/illustrated.css index 1140328..36ec527 100644 --- a/docs/illustrated.css +++ b/docs/illustrated.css @@ -19,6 +19,13 @@ --act-hov-btn9: hsl(21, 88%, 51%); --act-btn-shadow: hsl(25, 91%, 40%); --act-btn-border: hsl(33, 90%, 45%); + + --pad-btn0: hsl(205, 96%, 54%); + --pad-btn9: hsl(195, 91%, 54%); + --pad-hov-btn0: hsl(200, 94%, 52%); + --pad-hov-btn9: hsl(190, 88%, 51%); + --pad-btn-shadow: hsl(195, 91%, 40%); + --pad-btn-border: hsl(203, 90%, 45%); } /* remove focus rings for non-keyboard users */ @@ -436,13 +443,13 @@ button.annotate-toggle { font-family: "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 1em; padding: .4em 1.7em .45em; - text-shadow: 0 1px 1px var(--act-btn-shadow); border-radius: .5em; box-shadow: 1px 1px 1px rgba(0,0,0,0.3); color: #fff; - border: solid 1px var(--act-btn-border); background: linear-gradient(180deg, var(--act-btn0) 1%, var(--act-btn9) 100%); + text-shadow: 0 1px 1px var(--act-btn-shadow); + border: solid 1px var(--act-btn-border); } button.annotate-toggle:hover { text-decoration: none; @@ -458,6 +465,17 @@ button#openCloseAll { min-width: 8em; } +button#expandCollapsePadding { + padding: .4em 1.3em .45em; + background: linear-gradient(180deg, var(--pad-btn0) 1%, var(--pad-btn9) 100%); + text-shadow: 0 1px 1px var(--pad-btn-shadow); + border: solid 1px var(--pad-btn-border); +} +button#expandCollapsePadding:hover { + + background: linear-gradient(180deg, var(--pad-hov-btn0) 1%, var(--pad-hov-btn9) 100%); +} + /***** print mode *****/ .print-mode { cursor: pointer; 
diff --git a/docs/illustrated.js b/docs/illustrated.js index f0818f9..b04dfe4 100644 --- a/docs/illustrated.js +++ b/docs/illustrated.js @@ -175,6 +175,33 @@ }); }; + ill.expandCollapsePadding = (btn, event) => { + ill.cancel(event); + btn = btn || document.getElementById('expandCollapsePadding'); + if (!btn) return; + + // check if we are expanding or collapsing + let action = btn.dataset['lblState']; + + // toggle expanded / collapsed padding sections + [].forEach.call(document.querySelectorAll(".padding-long"), (el) => { + el.style.display = action === 'expand' ? 'block' : 'none'; + }); + [].forEach.call(document.querySelectorAll(".padding-short"), (el) => { + el.style.display = action === 'expand' ? 'none' : 'block'; + }); + + // Update button text + let newButtonState = action === 'expand' ? 'collapse' : 'expand'; + if (btn && btn.dataset['lblState'] !== newButtonState) { + // swap text w/ lbl-toggle, then swap state + let tmp = btn.textContent; + btn.textContent = btn.dataset['lblToggle']; + btn.dataset['lblToggle'] = tmp; + btn.dataset['lblState'] = newButtonState; + } + }; + /** * Open or close all elements on the page * @param {string} openOrClose - "open" or "close" diff --git a/docs/index.html b/docs/index.html index 4747a57..e0e7203 100644 --- a/docs/index.html +++ b/docs/index.html @@ -37,7 +37,7 @@
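Review bot: `ill.expandCollapsePadding` reads `let action = btn.dataset['lblState'];` with no default, so unless the button markup sets `data-lbl-state="expand"` the first click takes the collapse branch (hiding `.padding-long`, which is presumably hidden already) and only flips the stored state; consider `let action = btn.dataset['lblState'] || 'expand';` or make the initial state explicit in the markup and say so in a comment. Also the `if (btn && btn.dataset['lblState'] !== newButtonState)` guard is redundant after the early `if (!btn) return;`, and `[].forEach.call(document.querySelectorAll(...), ...)` can simply be `document.querySelectorAll(...).forEach(...)`, which is what the rest of the file's NodeList handling would read better as.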

The Illustrated Obfs4 Connection

Every byte explained and reproduced

- +

In this demonstration a client connects to a server, @@ -56,13 +56,22 @@

Every byte explained and reproduced

- +
+
- +
+ + +
+ +
+ +
@@ -312,15 +335,15 @@

IAT Mode Again the HMAC-SHA256 value is truncated to 16 bytes. -

If ew consider the handshake so far to be [ X | PAD | MARK ] where: +

If we consider the handshake so far to be [ REPR | PAD | MARK ] where:

    -
  • X - Elligator2 encoded public key -
  • PAD - padding bytes -
  • MARK - steganographic mark +
  • REPR - The clients Elligator2 encoded public key representative +
  • PAD - Padding bytes +
  • MARK - Steganographic mark

The message authentication is: -

HMAC-SHA256-128(serverIdentity | NodeID, X | PAD | MARK | E) +

HMAC-SHA256-128(serverIdentity | NodeID, REPR | PAD | MARK | E)

  • E - string representation of the number of hours since the UNIX epoch
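Review bot: with X renamed to REPR in this hunk, the MAC formula now reads `HMAC-SHA256-128(serverIdentity | NodeID, REPR | PAD | MARK | E)` while the mark formula left unchanged in the previous commit still reads `HMAC-SHA256-128(ServerPubkey | NodeID, ClientPubkey)`. The two HMACs share a key, so use one name for it (`ServerPubkey` or `serverIdentity`, not both), and if the mark is also computed over the representative, rename `ClientPubkey` to `REPR` there too so the reader can see both HMACs are keyed and computed over the same 32 bytes. Minor: "The clients Elligator2 encoded public key representative" needs an apostrophe, "The client's".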
@@ -328,6 +351,9 @@

IAT Mode accepts a given handshake message sent within a controlled number of hours. The server can then keep a record of the client public keys and handshakes that it has seen within that time window to prevent replay attacks. +

To produce this hmac value in python the code block in the above Steganographic Mark + block can be used with the msg variable set to the entire handshake message + with the appended epoch string value.

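Review bot: the new paragraph tells the reader to reuse the Steganographic Mark snippet "with the msg variable set to the entire handshake message", but that snippet has no `msg` variable (it is `hmac_msg`), and as committed it fails on Python 3 because `digest[:len(digest)/2]` slices with a float; a reader following this instruction gets a TypeError. Either fix the snippet or spell out here that `hmac_msg` must be `REPR + PAD + MARK + E`, with `E` being the ASCII decimal string of the hour count (e.g. `str(hours).encode()`), not an integer, and that the same 16-byte truncation applies. Minor: "hmac value in python" should be "HMAC value in Python".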
@@ -528,182 +554,194 @@

IAT Mode
The server says "Hello" back. The server provides information including the following:
    -
  • server random data (used later in the handshake) -
  • a selected cipher suite -
  • a public key for key exchange -
  • the negotiated protocol version +
  • server ephemeral session public key representative +
  • obfs4 NTOR handshake authentication +
  • padding of random length between 4096 and 8192 bytes. +
  • mark indicating that the client knows the servers Node ID +
  • MAC value ensuring that the contents of the packet have not been modified. +
  • encrypted message containing prng seed for client to use for padding
- Record Header + Elligator2 Encoded Public Representative - 16 03 03 00 7a + TODO: Add Server Representative
- TLS sessions are broken into the sending - and receiving of "records", which are blocks - of data with a type, a protocol version, - and a length. -
    -
  • 16 - type is 0x16 (handshake record) -
  • 03 03 - legacy protocol version of "3,3" (TLS 1.2) -
  • 00 7a - 0x7A (122) bytes of handshake message follows -
+ Each handshake message starts with the client's x255519 public key encoded using + the Elligator2 encoding scheme.
- Handshake Header + Obfs4 NTOR Handshake Authentication - 02 00 00 76 + TODO: NTOR Authentication value from Server Secrets Calc
- Each handshake message starts with a type and a length. -
    -
  • 02 - handshake message type 0x02 (server hello) -
  • 00 00 76 - 0x76 (118) bytes of server hello data follows -
+ Each handshake message starts with the client's x255519 public key encoded using + the Elligator2 encoding scheme.
- Server Version - - 03 03 + Padding + + da 88 ..(4092B).. e4 c3 + + + da 88 54 2c e5 81 71 69 6e f7 01 74 c6 47 fb 7c b9 81 b7 b5 92 9e 29 b3 0d 00 95 d3 64 bf 49 3a c3 f2 be bf 20 5a 2d 21 e1 87 52 2a 5e fc 1d 1c 62 32 bc 03 63 75 db 43 65 4a 3b a8 a2 76 9a 65 79 75 37 e9 81 53 aa 92 d5 50 7c 78 e0 90 6d 69 aa 8e 50 f9 1b ce fc 33 2d fd bd be 46 4c 2a 20 fc 76 95 e4 5b 75 14 23 53 e0 d0 7c cb 2c d5 a0 ac c6 4b 43 ff b8 3d 4f ab c0 da 10 d9 2d cc 5e c3 43 f9 30 f0 a7 8a 34 b0 fa 6f 63 7d 82 0b 71 43 6d ed d7 5c d5 37 da 8a 9a b5 f9 45 3a c4 a5 2f 5c 15 37 4d 48 a7 81 b7 ca 02 05 08 d4 dd 73 bd 66 9a 1d b2 02 cf 50 b5 ab a3 06 7a a1 be 1b cd a5 20 2a dc 59 b4 ca 4e 43 6f 78 cb 57 9f 27 62 6c e1 6a 46 b6 c3 8c 20 9a 5b f0 b9 a8 39 90 fa 71 aa 22 c4 10 76 5b 1a 8d 67 0d 1e 31 cb 16 48 7d 21 de 3a 51 fe 3a 3c 49 ad b9 84 7d a6 69 f0 3b 08 c6 b5 f3 0f 90 48 b8 ac 4e bf e3 a1 14 fa 46 cb c3 9e b3 73 8a c3 eb 5e 17 8d 87 75 66 54 f2 37 9f bf d8 52 4f 4d d7 cb 26 0f 5a ce 56 50 08 28 68 de 30 b9 3d 5d 6a 92 0b bc 1b 0f 53 a8 03 8a 55 82 6f 23 a0 ce d3 ca 56 62 52 53 ff ac f4 5a b8 93 f1 11 db 1f 6f 76 63 c6 e4 d5 8c 37 c4 15 66 40 3d ce 98 a0 fa 22 1d 2a 81 1b b0 62 c8 b1 ce 2d d0 a8 b9 48 f8 67 0c 76 96 42 78 23 45 44 63 51 bb dc cb eb b8 28 39 70 6d e5 7f c6 35 c6 75 05 40 e6 1b 0f 7a e6 4f 13 9f b3 96 c2 ca 2e 7a 31 e1 e5 39 d5 70 a3 b6 4c 7f 79 04 70 63 ee d1 26 93 ac 8d 95 fb c3 fb da 80 0c 7e 42 84 c8 d3 ac cf c6 17 af e0 29 3d 1c 5d e2 0f b2 9f 5f 33 92 36 08 97 34 1d 63 5c e0 6a 66 d0 d1 c7 fb 40 d0 ff 81 89 d1 f2 44 1e 04 74 a4 12 bb 22 09 0a 8d dc 90 a7 bf 30 09 70 a5 0f 44 11 00 2a 91 4c d4 70 68 b7 62 e5 cd ab d6 f1 0c 3f 54 ac 80 5c d1 a6 16 2d 98 17 a3 e5 5b 4c cc 31 9f 33 28 28 c3 84 35 06 88 a4 48 8f e4 60 39 7b 5c c8 09 db 56 75 68 74 16 c8 18 38 aa b5 09 bb 22 0f 55 ad 98 2a 3e 56 f7 60 99 52 df f4 cb 57 00 89 af db a3 4b 7e 7c e0 37 9b b3 cc 0e 18 d7 37 4d 95 66 15 76 0f 6e eb dd 68 8b 91 25 be c0 f0 05 54 69 8f 18 8b 5d c2 1a 82 03 db 97 8a 62 d7 38 cc 
5b da c8 21 03 81 b6 0a 30 78 dd 53 44 41 28 32 8e 15 f7 92 d1 3b 3c 90 cc e2 e5 cc 71 d0 c3 bb 54 45 71 50 6f e1 3c b6 db e5 cc 9c 3d 4d b6 07 f1 49 e9 db a6 b0 2a ab 96 4c ab a0 72 a8 8d 26 4d 58 a3 d3 60 7b e1 d6 c5 d1 5d 7c 1d 42 ed 30 9a 60 dd b8 90 0b 18 5f f6 f9 ec 7f e3 6e cf 70 fd 62 d6 87 5e e7 df eb 84 42 74 88 cd 12 48 ad 0b 18 16 e3 a1 e8 20 19 79 57 f3 64 2b cb 30 6b 89 ab 0b 14 67 37 61 9a 3e 96 45 de 6a 7b b5 78 78 18 02 9b 4e e0 93 48 34 ce 2c b2 cd 6f 4c 6b 65 10 47 cd b5 94 27 27 f2 d6 76 a5 da 7d df 7c d1 88 96 1d e2 08 29 dc 45 5e b8 09 f2 e5 b6 b6 37 f4 d6 95 99 d4 86 02 0d 7f 7e fa 6e e7 52 05 72 47 28 d9 5a bc 5f f7 d8 d7 5c 2d 13 90 cf 86 a9 07 e4 50 d7 5f ce c2 39 1f 1a 45 83 2d bb 3f 23 d8 06 e8 f3 ef 60 54 99 32 43 f9 27 78 98 02 c4 2c 70 db 60 e5 af 0e f0 f9 48 3c bd a4 4a eb 69 e9 3e 16 c9 2c 30 8b af ac 1d 90 95 75 eb 7f 7f bd a4 2c a0 ce 88 77 d3 cd 88 f6 0c a4 1c e9 39 64 38 cc 16 9e 77 29 04 62 8e 13 ea 8d 34 f7 de 02 7d 93 37 a0 9f 4b 9d f0 18 c4 dd cd 73 31 c6 1c 6f be e0 2e e1 15 8c 71 04 73 f1 eb dc e1 28 61 1d f6 6a 5f 8d ff 7e a3 70 e6 e4 d1 f0 56 a2 1e c6 05 fb 10 1a 34 e3 e7 24 1a ee 53 bb 3d 9a b7 75 80 f6 9b 1e 92 d0 6a f6 a7 a5 17 7e db 7c 92 d9 93 45 e4 f4 39 33 a5 f9 22 b6 16 82 0b ac 21 dc 23 9f 1a ca 16 a7 bd ba ec a6 32 f1 20 b4 7b c6 79 55 85 30 e5 7c ba ae d5 bf 4c 9d 7c c2 36 45 14 4e a6 64 44 f8 f6 c4 8a d8 1e f6 13 df 35 03 f4 ee d3 28 ab 52 a4 06 cf f0 e0 0a 9b 9c 45 93 7f f1 79 13 76 49 2f 1e 02 7c a5 95 8f 17 93 2d 02 36 9b 63 2e f2 66 83 2a 4a 2e 1e 90 8d 45 ea ff ed bc c7 07 04 d5 0c 39 15 0b ac 88 9c 15 27 32 dc a3 7b 87 50 7b 06 af f2 36 38 1b 93 e3 7c 6c e4 5a be aa e8 ab 05 95 d8 99 d5 b0 6c 40 ad 23 91 07 15 e4 30 4d 4a 38 9d 2e 2f 06 e1 a2 42 9f 24 78 35 b1 e5 65 65 39 48 c2 ab 8f 54 f8 54 78 dd 63 ec e0 4a 13 d8 75 de 91 3f fb d7 a9 9f 70 13 5f f5 7c d3 9d ca 76 9c 81 14 d9 34 ee cd 7a 3f df ee 59 c4 e2 4d 5b 88 d5 2e f3 8e 88 dd f1 3e 6a c4 39 cb 7d d9 e6 97 85 9a b4 08 b4 df ed 66 fd 02 64 86 c9 
3e 7c 8b db 70 93 6b 40 74 75 06 b4 a4 7e 10 8b 62 2b 35 cc 79 66 9e ac 94 1c 4f 5d 60 a4 f6 b1 e5 86 3b 49 7c 81 73 02 6a 6c c7 eb 86 d5 dc a9 e1 bf 84 0b 38 d7 cf aa d0 1d eb 51 2b 0d 58 38 e4 8b 15 9c a5 df 7b 57 5d 4a 95 d6 00 ea a8 28 d0 f9 68 9d de 95 61 7b 50 8c 4e 8f 68 d7 1e e4 db 85 9e 6a 9d 19 4d 70 30 6e 10 3f 55 04 66 10 dd e9 5f a0 eb 79 a9 77 ad 42 27 92 3a 98 f5 d2 6d ff 1f 85 59 02 3c 97 8e 8f 80 d2 9d ff 6c 9a 72 e5 e1 fc 4a 0d 30 d3 bd 21 c2 f4 25 a2 75 5e 07 0d cc 7d 8a 4f 16 eb aa c6 7a 5f 23 90 c3 39 9b f1 1c 17 8b fd 04 64 0b a8 93 5a 00 e6 59 6b 38 89 d3 c2 47 3d cb 7a 22 0f 59 e0 ba 97 13 26 d9 f8 d8 58 bd cc 0c dc 9c 92 ac de f6 10 18 4c 56 ec 2a d0 98 e5 0e 02 26 11 9b ad 0f fd 61 d8 ba a0 19 f1 67 73 53 92 bb 48 f6 d5 bc f4 0d e7 1a bd 53 f4 57 c1 2d c6 55 00 ec d7 46 19 9b a0 0e eb e7 a7 7d f8 5c 81 9b 25 1c 6d 78 c4 fc 35 e2 68 a1 bf c0 1b 94 60 09 11 d2 dc e2 af 06 24 7f d1 4f ba 65 37 e0 7e 0f 01 3a 59 72 c4 2b 7d 4d 6d 8b 5c ba cc 41 2f 9c df b7 7b 0f f9 3c 27 1e 49 5e 50 4d 3b 9d 0c 8c 96 5b cd ef aa eb dd a9 27 1b 1b 5f 34 9a e6 91 a5 75 43 9a e3 32 8b da b5 1d 08 ab 41 db fb 08 11 b7 8d 20 22 ce ef 1f 85 b6 8b a3 3f 86 45 06 76 5f c6 8b 1f 29 00 dd 0a 81 6a 99 0f e4 90 bc 37 61 30 4e fb a9 2d f2 16 67 76 c7 a0 4d b7 d0 8f 8f 38 ff 9e 24 81 f3 f0 5e 9a c4 1f 0d 70 d9 f5 17 bc 1b 2e f9 e9 24 35 34 51 a0 93 41 99 eb 0b 00 f5 fd 4a e3 df 76 c5 d7 92 07 37 9b b3 c5 65 c1 62 15 94 a1 16 45 88 f4 c3 18 28 91 c0 50 c9 06 b6 a0 fe 67 13 92 41 12 e6 41 b1 1c e6 c6 a5 06 d5 a8 e2 c8 15 a6 53 f6 42 ca 6c 01 43 83 31 b2 92 97 ee dc 1d 82 50 9f 92 db 11 12 61 24 0b 9c 24 f1 04 eb 73 a2 3f 5d 04 72 ea d5 23 93 f2 d7 da bc 0f a1 95 02 93 0b 75 3f cc c3 55 5b b9 3c d5 e9 e1 9a d6 e6 92 32 1e 30 1f 1a 95 f9 7b 80 f3 40 86 2d 10 68 29 3c 47 dc 93 40 fd 28 8a 1d 79 e8 88 6e 25 0b 13 6a 1b 63 35 b5 b8 eb bd 70 7d 20 66 a5 3b 3a 81 18 52 81 bb ea e7 80 5d ca da 9f a9 1b a5 56 e6 55 82 15 d8 a3 aa a0 da c7 ac 7a 8d 2d 28 1a de ac 11 22 15 ca a1 25 91 
13 4f 75 af c9 f5 10 2f 1c 6c 4d 6c de 17 53 83 ff c0 eb e5 60 b4 e1 4a 4c d5 b9 68 83 b0 fb 75 d0 e1 29 c2 d1 75 0c c1 d1 96 cf 1a 2e 35 c2 fc 82 01 7e d8 83 e0 08 d7 dc a2 46 9c 82 bc da af 3b 42 9e 1d 97 41 a8 f5 0d 18 a8 96 34 0f a1 4f 33 a0 ad 6c 56 25 ae 64 a3 51 b0 12 df c1 cb cd a7 7a b8 d6 92 e9 7f 56 7d 83 3f c8 53 16 73 eb fd 6f 78 c9 91 05 3c 51 a4 b1 28 b4 ae a7 ee ce b6 3d 2f ea dc b4 2e f9 06 5d 73 5d 33 12 ce 1b ed 8d ec 23 5f 4b c3 97 31 c7 c5 d6 8f fa b9 38 15 43 c3 b5 58 10 a3 2e fd c4 5d cc c4 42 59 f3 fe 2d b8 69 72 43 86 b4 6d cc ae b2 3d 9f 1b 21 0c a2 23 c7 61 1e a9 59 7a 8e e3 6c 9d 1e 2d 1d 0d fb f3 37 0c b4 be da cc 38 cd 69 4b a2 0b 69 c4 0d b1 82 c1 5c 5f 7f c6 9a 37 22 df 5b d8 04 91 93 28 4f db 22 06 ba fc f1 f2 71 40 55 f5 64 3a ce 2c 6f 9d 2b bc c6 dd 95 0b 01 10 98 19 3a 9b 3f da 0f d8 c0 41 40 7e be 6a 8b bd 02 a6 92 d5 a6 b2 57 dc 22 59 43 00 53 09 58 a6 e6 5c 52 90 65 d5 36 26 d0 c6 81 5c 57 b8 7a 20 45 f9 1d 83 72 bd 63 46 e1 8c 33 d0 df 98 3d 2b bb 99 34 e5 e2 29 4c d4 c1 73 20 8a 77 e1 d0 33 fb 9c b1 82 d0 87 7c ea c9 fc 24 e9 82 c7 b9 42 a6 2d fa 1b e2 62 d7 eb c3 cf 71 04 52 e7 c2 d9 81 08 9c d4 b6 d6 0a 4d 24 bd 45 83 19 65 10 2c 8f b3 6e f8 80 b5 17 98 b9 68 41 0b 7b 9e 72 b9 87 d2 ea c0 5e fa 48 07 9e 12 af ee 42 b9 88 08 13 b4 42 54 8b dc 24 55 b9 64 b7 60 94 db 8a 9a 7f 9a 86 01 b3 21 34 26 c1 03 87 2e 53 9b 8a 85 a3 95 42 06 aa c7 57 77 e4 e5 bf e1 3c d8 5d 7d 96 22 7d e6 2b cb 74 1b 70 77 ed 4c 69 3b 6b 1e 5a 2a 67 48 06 9e 99 7c 8a 18 da 4e fa 74 e3 53 d2 5e 84 15 51 35 77 70 f4 b9 0c 58 b0 0f 93 4a 28 55 28 ae 11 b1 2c f9 c6 10 57 58 e0 e3 a1 4c 3a b4 c2 81 03 d5 a0 72 db a2 cc 36 d0 66 48 8e 6a b8 c5 b9 d9 db 4d f6 25 a5 33 5c 1f 86 10 54 15 5c b3 07 9e 6d 27 8b 25 7d a0 a3 10 19 94 17 13 2b 61 f2 bc 6c d7 28 19 04 c1 61 ab d8 5a 31 e9 9e 6a 52 4e da 39 d2 15 85 a2 f8 8f 6c fc 4b d2 ca b6 2b 15 b6 92 ee cc b4 f8 54 5d 57 51 28 58 31 78 0a bc f7 2e 3d 46 6a 44 c2 9d ee a4 ae 92 9a a4 dc ec 2e 6c 9f 72 82 e7 0d bc 
77 00 85 6f 2e 0d 4f 8e 74 80 05 f9 c3 62 04 1e 98 22 b3 bc d3 e7 6c fa c5 84 56 b2 fe aa aa 06 91 53 93 c2 2e ac 6e 41 6d 97 e3 7a 0c 1c 2f 1e a8 31 50 ca 10 bb 8d fb 08 43 0e 2b 9f 3c b1 36 13 da 00 73 ac a1 7b b2 b4 8d f3 10 db ed 80 61 de 8a f9 4a b3 3c 2c 76 05 87 b6 ae 76 5e a7 b2 f6 fd df 73 b0 e2 0f 33 dd 32 49 d7 03 c4 40 a4 72 56 8b 3e 22 8f c6 fb 54 32 5d f3 09 00 83 38 fc bc 1e 16 df 17 e6 5a d1 8f 68 3a aa c3 2c 9c af 6d cf 84 19 5b 91 d6 40 cd d4 67 32 4f 65 b5 22 99 23 5c 81 6e 9e f9 82 71 7e 83 11 31 cd 2a 0c e4 d6 9d 74 c7 b0 03 3a c2 96 10 fa 49 83 c4 b2 c7 19 88 5b 35 67 21 41 28 5d 58 06 f7 ff 5e 27 7b c4 aa 82 ba 75 f6 1e d7 5f a1 88 cb e6 26 ed 65 ca 0d 21 8f 31 69 5e 14 cb 77 98 4e 3f 71 f2 bb ac fa 17 3b 0f 6d 7b 7a 03 74 49 60 a8 3e 58 dd aa 92 6d 66 09 a2 fe 4b 27 30 30 48 98 66 73 bd 6d 68 f2 1c f0 84 97 a3 10 de 86 2d 26 06 61 8c fe 23 e1 98 90 00 26 e7 88 86 0a 6c 63 2f 40 7c 45 ff c4 05 12 4b 52 30 e9 6f 20 80 d6 c7 c4 cf d2 98 2e d6 6a fa 91 e9 90 63 ce 21 ba ea 70 03 40 32 62 53 04 a7 4e 35 7c b5 4b 47 27 b4 83 94 61 17 10 75 09 34 86 5b fa 1d 34 68 df 5b ae 21 09 cb 84 12 fd 96 54 58 87 52 aa ad 00 df d7 07 45 2e 4e 4c 78 8e 16 f6 93 6f 4d 7a 9e 01 01 4b ba 30 30 ea 9c 98 f6 7f 20 f9 ae 07 63 6f 42 dc 06 2b ec 51 be f0 d4 8d 24 ca 11 45 7e a6 60 e9 09 f6 49 10 a4 59 10 1d f8 d2 b9 ee bd e4 11 8f e3 17 eb ae 0a ae 28 83 b5 96 a5 d0 87 13 df 81 db 1f 52 8f 57 c5 e7 42 ec 2a 65 ab 8f 98 c8 f5 fd ee d6 db 61 20 0b 41 27 9a c1 94 f5 8b da 1d 52 d0 bb 37 e2 39 79 54 35 33 8b 24 15 97 cb c0 f1 75 b8 18 d8 f6 69 b8 3c 49 7e 8c e0 2f bc 04 79 58 76 90 8a ee ac 52 87 f1 39 ef 21 9b 78 7d a2 60 c6 32 33 9c 2d 5f 2f 0d 0a f4 e0 c1 7d d7 83 1f 36 ee 98 3f 4c 71 b5 ee 95 66 4e 7b 61 8c e7 c8 ca de 87 2f 66 f1 06 31 62 8b b9 7e 3d 22 c4 c6 58 9e 3e ec a3 f0 3b ea b6 ce 36 c8 ab 81 1e 8a dd 28 cd d6 33 1f d4 30 b0 4c e5 c4 07 57 ab ec 3b 66 61 e3 34 3f ee 46 81 80 5b 90 89 49 d0 49 19 f2 b1 20 1a 62 5c 2d 6c 42 6f 31 a2 d1 60 b3 25 c4 db c8 69 2f 
21 62 95 4c 4c 4b 6d 3f ea 74 3a 02 1c 3d 40 39 7a e0 30 6c 14 02 67 50 04 90 d1 b7 2c fc ba d5 15 d8 e6 4c dc 89 1d 08 2a 18 07 9e a7 a6 a0 a9 05 d3 ea 02 0c ae c1 1e cf 3e 85 7c 04 cd 31 a3 b0 67 78 b3 c2 66 17 d1 ea e8 a7 57 a4 75 65 9a bd 01 b7 db 2b 73 d0 37 ed 3b ee 36 89 3f 01 68 97 9b 89 83 25 b0 56 10 1d bb 76 1a 16 9e 3a a5 40 6a 08 de a9 73 cf 8b c3 77 f9 72 7d 74 5b b6 62 df ef c9 59 01 d8 c4 14 71 ad e3 00 4c a5 7c 87 d4 b7 78 f0 c2 00 04 26 55 55 cb be 15 0a 60 21 5a 4c 1b 52 c0 97 6d 49 9f 4b 2a c6 ab 52 74 bb e5 ef e1 47 f6 ee ac 49 05 27 d6 e2 d3 1e a8 c3 49 36 6c d4 a4 c7 f4 ed d6 ba 25 cd 19 e4 6f c8 31 c1 58 9e 90 2b 77 66 e6 08 1f f7 09 fc 7d a6 f6 13 49 38 aa 58 aa b3 6c 01 1d a6 66 29 c8 f9 32 02 35 40 f7 7a 99 de f4 6c d6 f4 93 39 e2 98 76 23 d3 81 4b 71 72 e4 19 c0 56 ff 31 47 39 89 71 92 2b 96 44 11 d2 0e 4f 77 c2 09 4c b0 4b bb 8c c7 eb ea 70 e8 64 cb f7 80 80 a7 00 1a bc c7 3a da 64 b9 28 2e f8 3e 02 03 20 5e dd 4f a2 23 4b 37 ac 3b 1a 68 7e c7 f2 b6 91 83 17 9a 45 87 5b 7b e8 85 00 ca 7e 23 88 02 a4 8f 88 37 a9 c4 ed 55 20 a1 7d cf 95 97 92 92 93 19 63 ab e1 ac 4e 7b 87 ca ec a3 0d 6e dc 90 76 16 1d 8d 67 04 b9 23 b5 02 e0 4d ff 87 06 2b f0 7f 51 58 91 94 38 9c 54 45 0f 82 0d 54 68 f7 39 f1 cf 0c f2 e0 c7 3f b6 50 79 19 1a 66 e7 5d e4 a7 25 a2 a7 ef 14 d9 7e 10 3f 8d 25 ab 4c 76 9e 83 d8 f7 d1 37 87 d9 70 3b 1e 02 2c 96 dd 87 e9 c5 57 84 de ab 44 d7 19 8d a8 29 55 d6 32 4c 16 9e 85 38 a9 94 77 92 f3 bd 7a e8 24 fa 3d c4 d6 89 01 77 99 7f a0 ea db 03 13 45 fe 40 e4 6c 23 59 35 32 f8 5b 0d 82 9e 94 0e 21 75 05 23 e1 d6 85 47 47 cf f3 ae f5 7c 4c ad bf 10 0c e2 a8 d0 06 cc 20 6d 98 3b 60 f7 71 a2 11 a8 76 1c 51 ef 99 8c aa b9 6d d9 88 45 22 fd d9 6f 97 53 53 b0 7e a8 12 22 4b 49 6a 5a 02 ea ee a6 35 17 9d 80 de 8d a3 2e ba e7 ae a4 b9 5b 34 92 13 72 b0 3e 0c e9 2f 49 92 d8 18 d0 a6 ec 33 e5 1a bc d0 3e 39 77 ed 46 38 f1 ca b7 99 c2 93 94 e6 e9 09 97 d3 7e eb fa f0 20 ab 30 e8 86 81 84 93 4f c6 19 06 7d e2 8b b9 4b 1e b7 da 0b 62 41 e9 46 
a4 21 f2 34 12 91 99 65 b8 b5 5e 5a 13 bf 17 c2 3c 36 c5 c3 db 9f 78 a9 06 87 84 a3 ae 2a 90 30 d6 f3 b6 08 a6 9a 47 4f 77 02 b0 7a 87 cd c8 97 53 99 5b d3 75 a2 02 12 b8 2a bd 9f 98 b5 ca a9 c3 c3 f8 31 87 5a 26 51 2b 2d d6 7f 09 ac 71 f9 8e 23 60 6e fd 67 85 49 af 94 0a 4c a3 73 af 32 32 af 57 86 7b 22 9e b3 90 46 0f 5c bf 90 17 b1 25 b2 2d dd b9 a7 07 61 de e4 c3
- A protocol version of "3,3" (meaning TLS 1.2) - is given. Because middleboxes have been - created and widely deployed that do not - allow protocol versions that - they do not recognize, the TLS 1.3 session - must be disguised as a TLS 1.2 session. - This field is no - longer used for version negotiation and - is hardcoded to the 1.2 version. Instead, - version negotiation is performed using the - "Supported Versions" extension below. -

- The unusual version number ("3,3" representing - TLS 1.2) is due to TLS 1.0 being a minor - revision of the SSL 3.0 protocol. Therefore - TLS 1.0 is represented by "3,1", TLS 1.1 is - "3,2", and so on. + In obfs4 the client pads the handshake message with random bytes to a length between + 4096 and 8192 bytes. This padding is used to make the handshake message a non-uniform + length such that the size of the first packet would be a strong indication of the + specific protocol being used. +
    +
  • da 88 ... e4 c3 - bytes drawn form prng source. +
- Server Random + Steganographic Mark - 70 71 72 73 74 75 76 77 78 79 7a 7b 7c 7d 7e 7f 80 81 82 83 84 85 86 87 88 89 8a 8b 8c 8d 8e - 8f + TODO: compute mark
- The server provides 32 bytes of random data. This data will be used later in the session. - In this example we've made the random data a predictable string. + As the obfs4 handshake is (ideally) indistinguishable from uniform random bytes, + the client includes a steganographic mark in the handshake message to securely + indicate that it wishes to establish a connection. The mark is an HMAC that + uses the server's public key and node ID as hte key and + the client's ephemeral public key as the message. While the HMAC-SHA256 would + usually result in 32 bytes, only the first 16 bytes are used for the mark. + +


HMAC-SHA256-128(ServerPubkey | NodeID, REPR) + +

where: +

    +
  • ServerPubkey - The obfs4 servers 32 byte public x25519 identity key +
  • NodeID - The obfs4 servers 20 byte identifier value +
  • REPR - The clients Elligator2 encoded public key representative +
+ + +

Python sample code to produce the hmac value: + +

import hmac
+import hashlib
+
+server_pubkey = b'\x9f\xd7\xad\x6d\xcf\xf4\x29\x8d\xd3\xf9\x6d\x5b\x1b\x2a\xf9\x10\xa0\x53\x5b\x14\x88\xd7\xf8\xfa\xbb\x34\x9a\x98\x28\x80\xb6\x15'
+node_id = b''
+hmac_key = server_pubkey + node_id
+msg = b''
+h = hmac.new( hmac_key, msg, hashlib.sha256 )
+digest = h.hexdigest()
+print( digest[:len(digest)/2] )
+
- Session ID + Message Authentication - 20 e0 e1 e2 e3 e4 e5 e6 e7 e8 e9 ea eb ec ed ee ef f0 f1 f2 f3 f4 f5 f6 f7 f8 f9 fa fb fc fd - fe - ff + TODO: Compute MAC
- This legacy field is no longer used to - identify and re-use sessions. Instead, the - server echos the session ID provided by the - client, if any. + In order to ensure that the contents of the handshake message have not been + tampered with in transit, the client includes a second HMAC value using the same + key as the steganographic mark, but covering the contents of the entire handshake + message. + + Again the HMAC-SHA256 value is truncated to 16 bytes. + +

If we consider the handshake so far to be [ REPR | PAD | MARK ] where:

    -
  • 20 - 0x20 (32) bytes of session ID follow -
  • e0 e1 ... fe ff - session ID copied from Client Hello +
  • REPR - The clients Elligator2 encoded public key representative +
  • PAD - Padding bytes +
  • MARK - Steganographic mark
-
-
- - Cipher Suite - - 13 02 - -
- The server has selected cipher suite 0x1302 - (TLS_AES_256_GCM_SHA384) from the list of options given by the client. +

The message authentication is: +

HMAC-SHA256-128(serverIdentity | NodeID, REPR | PAD | MARK | E) +

    +
  • E - string representation of the number of hours since the UNIX epoch +
+

The inclusion of the time stamp in the HMAC makes it so that the server only ever + accepts a given handshake message sent within a controlled number of hours. The server + can then keep a record of the client public keys and handshakes that it has seen + within that time window to prevent replay attacks. +

To produce this hmac value in python the code block in the above Steganographic Mark + block can be used with the msg variable set to the entire handshake message + with the appended epoch string value.

- - Compression Method + + Encrypted Data - 00 + 5c 71 16 0c da 85 f1 44
- The server has selected compression method - 0x00 ("Null", which performs no compression) - from the list of options given by the client. + This data is encrypted with the server application key. +

+ See below for the decrypted data.
- - Extensions Length - - 00 2e - +
+
Decryption
- The server has returned a list of extensions - to the client. Because the server is - forbidden from replying with an extension - that the client did not send in its hello - message, the server knows that the client - will understand and support all extensions listed. -
    -
  • 00 2e - the extensions will take 0x2E (46) bytes of data -
-
- + This data is encrypted using the client + application key and the client application IV that were + generated during the "Client Application Keys + Calc" step. The IV will be modified + by XOR'ing it by the count of records that + have already been encrypted with this key, + which in this case is 0. The process also + takes as input the 5-byte record header + that this record begins with, as authenticated + data that must match for the decryption to + succeed. +

+ Because the openssl command line + tool does not yet support AEAD ciphers, + I've written command line tools to both + decrypt + and encrypt + this data. + +
### from the "Client Application Keys Calc" step
+    $ key=de2f4c7672723a692319873e5c227606691a32d1c59d8b9f51dbb9352e9ca9cc
+    $ iv=bb007956f474b25de902432f
+    ### from this record
+    $ recdata=1703030015
+    $ authtag=73aaabf5b82fbf9a2961bcde10038a32
+    $ recordnum=0
+    ### may need to add -I and -L flags for include and lib dirs
+    $ cc -o aes_256_gcm_decrypt aes_256_gcm_decrypt.c -lssl -lcrypto
+    $ echo "82 81 39 cb 7b" | xxd -r -p > /tmp/msg3
+    $ cat /tmp/msg3 \
+      | ./aes_256_gcm_decrypt $iv $recordnum $key $recdata $authtag \
+      | hexdump -C
 
-                    
-                        Extension - Supported Versions
-                        
-                            00 2b 00 02 03 04
-                        
-                        
- The server indicates the negotiated TLS version of 1.3. -
    -
  • 00 2b - assigned value for extension "Supported Versions" -
  • 00 02 - 2 bytes of "Supported Versions" extension data follows -
  • 03 04 - assigned value for TLS 1.3 -
+ 00000000 70 69 6e 67 17 |ping.| +
+
-
+

- - Extension - Key Share + + PRNG Seed Message - 00 33 00 24 00 1d 00 20 9f d7 ad 6d cf f4 29 8d d3 f9 6d 5b 1b 2a f9 10 a0 53 5b 14 88 d7 f8 - fa - bb 34 9a 98 28 80 b6 15 + 01 00 18 f6 de 0e a1 f2 61 c8 1f bf e8 54 5b 23 91 60 9c 7d 2b fe bc be 45 9e 34
- The server sends a public key using the algorithm - of the public key sent by the client. Once this is sent - encryption keys can be calculated and the rest of the - handshake will be encrypted, - unlike previous protocol versions where the - handshake was sent in the clear. -
    -
  • 00 33 - assigned value for extension "Key Share" -
  • 00 24 - 0x24 (36) bytes of "Key Share" extension data follows -
  • 00 1d - assigned value for x25519 (key exchange via curve25519) -
  • 00 20 - 0x20 (32) bytes of public key follows -
  • 9f d7 ... b6 15 - public key from the step "Server Key Exchange Generation" -
+ This message is explained in its own section below.
-
+ From feb1965368814699c2cd1a4d6613cdaaa6e96ada Mon Sep 17 00:00:00 2001 From: jmwample <8297368+jmwample@users.noreply.github.com> Date: Sun, 26 May 2024 22:49:53 -0600 Subject: [PATCH 3/3] fix padding expand and codesample block --- docs/illustrated.js | 4 ++-- docs/index.html | 14 +++++++------- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/docs/illustrated.js b/docs/illustrated.js index b04dfe4..6461f60 100644 --- a/docs/illustrated.js +++ b/docs/illustrated.js @@ -185,10 +185,10 @@ // toggle expanded / collapsed padding sections [].forEach.call(document.querySelectorAll(".padding-long"), (el) => { - el.style.display = action === 'expand' ? 'block' : 'none'; + el.style.display = action === 'expand' ? '' : 'none'; }); [].forEach.call(document.querySelectorAll(".padding-short"), (el) => { - el.style.display = action === 'expand' ? 'none' : 'block'; + el.style.display = action === 'expand' ? 'none' : ''; }); // Update button text diff --git a/docs/index.html b/docs/index.html index e0e7203..2ecab97 100644 --- a/docs/index.html +++ b/docs/index.html @@ -166,8 +166,7 @@
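Review bot: the Python sample under "Python sample code to produce the hmac value" does not run under Python 3: `len(digest)/2` is a float, so `print( digest[:len(digest)/2] )` raises TypeError; use `h.hexdigest()[:32]` (or `h.digest()[:16].hex()`) to get the 16-byte truncation the text describes, and replace the empty `node_id = b''` and `msg = b''` placeholders with the 20-byte node ID and the REPR bytes the formula names, since the same sample is reused further down for the MAC with `msg` set to REPR | PAD | MARK | E. Elsewhere in the hunk: the padding paragraph says "such that the size of the first packet would be a strong indication of the specific protocol being used", which states the opposite of the intent (the random-length padding is there so that the first-packet length is not a strong indicator); "bytes drawn form prng source" and "as hte key" are typos; the two formulas name the first key input differently (`ServerPubkey | NodeID` for the mark, `serverIdentity | NodeID` for the MAC) and should agree; the field values still read "TODO: compute mark" and "TODO: Compute MAC"; and the "Encrypted Data" / "Decryption" block still carries the TLS 1.3 wording it was copied from ("Client Application Keys Calc", AES-256-GCM record decryption yielding "ping"), which does not describe the obfs4 handshake laid out above it, so it needs rewriting or removal before this pass is finished.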
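Review bot: in the illustrated.js hunk, setting `el.style.display` to `''` rather than `'block'` is the right fix for elements whose natural display is not block, because it hands control back to the stylesheet instead of forcing a layout; the caveat is that the expand branch now depends on neither `.padding-long` nor `.padding-short` being given `display: none` in the CSS, so that should be checked rather than assumed. The two `forEach` calls are mirror images and could be a single helper taking the selector and the show condition.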

IAT Mode - -
+
Client Key Exchange Generation
@@ -232,8 +231,7 @@

IAT Mode

- -
+
Client Handshake
@@ -269,7 +267,7 @@

IAT Mode da 88 ..(4092B).. e4 c3 - +
@@ -306,8 +304,9 @@

IAT Mode -

Python sample code to produce the hmac value: +

Python sample code to produce the hmac value:

+
import hmac
 import hashlib
 
@@ -319,6 +318,7 @@ 

IAT Mode digest = h.hexdigest() print( digest[:len(digest)/2] )

+

@@ -590,7 +590,7 @@

IAT Mode da 88 ..(4092B).. e4 c3 - +