RFC Errata
RFC 8492, "Secure Password Ciphersuites for Transport Layer Security (TLS)", February 2019
Source of RFC: INDEPENDENT
See Also: RFC 8492 w/ inline errata
Errata ID: 5727
Status: Verified
Type: Technical
Publication Format(s) : TEXT
Reported By: Alexander Freiherr von Buddenbrock
Date Reported: 2019-05-21
Verifier Name: Eliot Lear
Date Verified: 2025-03-05
Section Appendix A says:
username: fred
password: barney
---- prior to running TLS-PWD ----
server generates salt:
96 3c 77 cd c1 3a 2a 8d 75 cd dd d1 e0 44 99 29
84 37 11 c2 1d 47 ce 6e 63 83 cd da 37 e4 7d a3
and a base:
6e 7c 79 82 1b 9f 8e 80 21 e9 e7 e8 26 e9 ed 28
c4 a1 8a ef c8 75 0c 72 6f 74 c7 09 61 d7 00 75
---- state derived during the TLS-PWD exchange ----
client and server agree to use brainpoolP256r1
client and server generate the PE:
PE.x:
29 b2 38 55 81 9f 9c 3f c3 71 ba e2 84 f0 93 a3
a4 fd 34 72 d4 bd 2e 9d f7 15 2d 22 ab 37 aa e6
server private and mask:
private:
21 d9 9d 34 1c 97 97 b3 ae 72 df d2 89 97 1f 1b
74 ce 9d e6 8a d4 b9 ab f5 48 88 d8 f6 c5 04 3c
mask:
0d 96 ab 62 4d 08 2c 71 25 5b e3 64 8d cd 30 3f
6a b0 ca 61 a9 50 34 a5 53 e3 30 8d 1d 37 44 e5
client private and mask:
private:
17 1d e8 ca a5 35 2d 36 ee 96 a3 99 79 b5 b7 2f
a1 89 ae 7a 6a 09 c7 7f 7b 43 8a f1 6d f4 a8 8b
mask:
4f 74 5b df c2 95 d3 b3 84 29 f7 eb 30 25 a4 88
83 72 8b 07 d8 86 05 c0 ee 20 23 16 a0 72 d1 bd
both parties generate premaster secret and master secret
premaster secret:
01 f7 a7 bd 37 9d 71 61 79 eb 80 c5 49 83 45 11
af 58 cb b6 dc 87 e0 18 1c 83 e7 01 e9 26 92 a4
master secret:
65 ce 15 50 ee ff 3d aa 2b f4 78 cb 84 29 88 a1
60 26 a4 be f2 2b 3f ab 23 96 e9 8a 7e 05 a1 0f
3d 8c ac 51 4d da 42 8d 94 be a9 23 89 18 4c ad
---- ssldump output of exchange ----
New TCP connection #1: Charlene Client <-> Sammy Server
1 1 0.0018 (0.0018) C>SV3.3(173) Handshake
ClientHello
Version 3.3
random[32]=
52 8f bf 52 17 5d e2 c8 69 84 5f db fa 83 44 f7
d7 32 71 2e bf a6 79 d8 64 3c d3 1a 88 0e 04 3d
ciphersuites
TLS_ECCPWD_WITH_AES_128_GCM_SHA256_PRIV
TLS_ECCPWD_WITH_AES_256_GCM_SHA384_PRIV
Unknown value 0xff
compression methods
NULL
extensions
TLS-PWD unprotected name[5]=
04 66 72 65 64
elliptic curve point format[4]=
03 00 01 02
elliptic curve list[58]=
00 38 00 0e 00 0d 00 1c 00 19 00 0b 00 0c 00 1b
00 18 00 09 00 0a 00 1a 00 16 00 17 00 08 00 06
00 07 00 14 00 15 00 04 00 05 00 12 00 13 00 01
00 02 00 03 00 0f 00 10 00 11
Packet data[178]=
16 03 03 00 ad 01 00 00 a9 03 03 52 8f bf 52 17
5d e2 c8 69 84 5f db fa 83 44 f7 d7 32 71 2e bf
a6 79 d8 64 3c d3 1a 88 0e 04 3d 00 00 06 ff b3
ff b4 00 ff 01 00 00 7a b8 aa 00 05 04 66 72 65
64 00 0b 00 04 03 00 01 02 00 0a 00 3a 00 38 00
0e 00 0d 00 1c 00 19 00 0b 00 0c 00 1b 00 18 00
09 00 0a 00 1a 00 16 00 17 00 08 00 06 00 07 00
14 00 15 00 04 00 05 00 12 00 13 00 01 00 02 00
03 00 0f 00 10 00 11 00 0d 00 22 00 20 06 01 06
02 06 03 05 01 05 02 05 03 04 01 04 02 04 03 03
01 03 02 03 03 02 01 02 02 02 03 01 01 00 0f 00
01 01
1 2 0.0043 (0.0024) S>CV3.3(94) Handshake
ServerHello
Version 3.3
random[32]=
52 8f bf 52 43 78 a1 b1 3b 8d 2c bd 24 70 90 72
13 69 f8 bf a3 ce eb 3c fc d8 5c bf cd d5 8e aa
session_id[32]=
ef ee 38 08 22 09 f2 c1 18 38 e2 30 33 61 e3 d6
e6 00 6d 18 0e 09 f0 73 d5 21 20 cf 9f bf 62 88
cipherSuite TLS_ECCPWD_WITH_AES_128_GCM_SHA256_PRIV
compressionMethod NULL
extensions
renegotiate[1]=
00
elliptic curve point format[4]=
03 00 01 02
heartbeat[1]=
01
Packet data[99]=
16 03 03 00 5e 02 00 00 5a 03 03 52 8f bf 52 43
78 a1 b1 3b 8d 2c bd 24 70 90 72 13 69 f8 bf a3
ce eb 3c fc d8 5c bf cd d5 8e aa 20 ef ee 38 08
22 09 f2 c1 18 38 e2 30 33 61 e3 d6 e6 00 6d 18
0e 09 f0 73 d5 21 20 cf 9f bf 62 88 ff b3 00 00
12 ff 01 00 01 00 00 0b 00 04 03 00 01 02 00 0f
00 01 01
1 3 0.0043 (0.0000) S>CV3.3(141) Handshake
ServerKeyExchange
params
salt[32]=
96 3c 77 cd c1 3a 2a 8d 75 cd dd d1 e0 44 99 29
84 37 11 c2 1d 47 ce 6e 63 83 cd da 37 e4 7d a3
EC parameters = 3
curve id = 26
element[65]=
04 22 bb d5 6b 48 1d 7f a9 0c 35 e8 d4 2f cd 06
61 8a 07 78 de 50 6b 1b c3 88 82 ab c7 31 32 ee
f3 7f 02 e1 3b d5 44 ac c1 45 bd d8 06 45 0d 43
be 34 b9 28 83 48 d0 3d 6c d9 83 24 87 b1 29 db
e1
scalar[32]=
2f 70 48 96 69 9f c4 24 d3 ce c3 37 17 64 4f 5a
df 7f 68 48 34 24 ee 51 49 2b b9 66 13 fc 49 21
Packet data[146]=
16 03 03 00 8d 0c 00 00 89 00 20 96 3c 77 cd c1
3a 2a 8d 75 cd dd d1 e0 44 99 29 84 37 11 c2 1d
47 ce 6e 63 83 cd da 37 e4 7d a3 03 00 1a 41 04
22 bb d5 6b 48 1d 7f a9 0c 35 e8 d4 2f cd 06 61
8a 07 78 de 50 6b 1b c3 88 82 ab c7 31 32 ee f3
7f 02 e1 3b d5 44 ac c1 45 bd d8 06 45 0d 43 be
34 b9 28 83 48 d0 3d 6c d9 83 24 87 b1 29 db e1
00 20 2f 70 48 96 69 9f c4 24 d3 ce c3 37 17 64
4f 5a df 7f 68 48 34 24 ee 51 49 2b b9 66 13 fc
49 21
1 4 0.0043 (0.0000) S>CV3.3(4) Handshake
ServerHelloDone
Packet data[9]=
16 03 03 00 04 0e 00 00 00
1 5 0.0086 (0.0043) C>SV3.3(104) Handshake
ClientKeyExchange
element[65]=
04 a0 c6 9b 45 0b 85 ae e3 9f 64 6b 6e 64 d3 c1
08 39 5f 4b a1 19 2d bf eb f0 de c5 b1 89 13 1f
59 5d d4 ba cd bd d6 83 8d 92 19 fd 54 29 91 b2
c0 b0 e4 c4 46 bf e5 8f 3c 03 39 f7 56 e8 9e fd
a0
scalar[32]=
66 92 44 aa 67 cb 00 ea 72 c0 9b 84 a9 db 5b b8
24 fc 39 82 42 8f cd 40 69 63 ae 08 0e 67 7a 48
Packet data[109]=
16 03 03 00 68 10 00 00 64 41 04 a0 c6 9b 45 0b
85 ae e3 9f 64 6b 6e 64 d3 c1 08 39 5f 4b a1 19
2d bf eb f0 de c5 b1 89 13 1f 59 5d d4 ba cd bd
d6 83 8d 92 19 fd 54 29 91 b2 c0 b0 e4 c4 46 bf
e5 8f 3c 03 39 f7 56 e8 9e fd a0 00 20 66 92 44
aa 67 cb 00 ea 72 c0 9b 84 a9 db 5b b8 24 fc 39
82 42 8f cd 40 69 63 ae 08 0e 67 7a 48
1 6 0.0086 (0.0000) C>SV3.3(1) ChangeCipherSpec
Packet data[6]=
14 03 03 00 01 01
1 7 0.0086 (0.0000) C>SV3.3(40) Handshake
Packet data[45]=
16 03 03 00 28 44 cd 3f 26 ed 64 9a 1b bb 07 c7
0c 6d 3e 28 af e6 32 b1 17 29 49 a1 14 8e cb 7a
0b 4b 70 f5 1f 39 c2 9c 7b 6c cc 57 20
1 8 0.0105 (0.0018) S>CV3.3(1) ChangeCipherSpec
Packet data[6]=
14 03 03 00 01 01
1 9 0.0105 (0.0000) S>CV3.3(40) Handshake
Packet data[45]=
16 03 03 00 28 fd da 3c 9e 48 0a e7 99 ba 41 8c
9f fd 47 c8 41 2c fd 22 10 77 3f 0f 78 54 5e 41
a2 21 94 90 12 72 23 18 24 21 c3 60 a4
1 10 0.0107 (0.0002) C>SV3.3(100) application_data
Packet data....
It should say:
username: fred
password: barney
---- prior to running TLS-PWD ----
server generates salt:
96 3c 77 cd c1 3a 2a 8d 75 cd dd d1 e0 44 99 29
84 37 11 c2 1d 47 ce 6e 63 83 cd da 37 e4 7d a3
and a base:
6e 7c 79 82 1b 9f 8e 80 21 e9 e7 e8 26 e9 ed 28
c4 a1 8a ef c8 75 0c 72 6f 74 c7 09 61 d7 00 75
---- state derived during the TLS-PWD exchange ----
client and server agree to use brainpoolP256r1
client and server generate the PE:
PE.x:
00 68 6b 0d 3f c4 98 94 dd 62 1e c0 4f 92 5e 02
9b 2b 15 28 ed ed ca 46 00 72 54 28 1e 9a 6e dc
server private and mask:
private:
21 d9 9d 34 1c 97 97 b3 ae 72 df d2 89 97 1f 1b
74 ce 9d e6 8a d4 b9 ab f5 48 88 d8 f6 c5 04 3c
mask:
0d 96 ab 62 4d 08 2c 71 25 5b e3 64 8d cd 30 3f
6a b0 ca 61 a9 50 34 a5 53 e3 30 8d 1d 37 44 e5
client private and mask:
private:
17 1d e8 ca a5 35 2d 36 ee 96 a3 99 79 b5 b7 2f
a1 89 ae 7a 6a 09 c7 7f 7b 43 8a f1 6d f4 a8 8b
mask:
4f 74 5b df c2 95 d3 b3 84 29 f7 eb 30 25 a4 88
83 72 8b 07 d8 86 05 c0 ee 20 23 16 a0 72 d1 bd
both parties generate premaster secret and master secret
premaster secret:
a1 3e 9e a0 d3 56 ab 1d 97 55 a0 f7 33 9e f1 c1
21 b3 43 f5 2f f2 e6 7f aa 4c 35 71 3b ed af b1
master secret:
f7 73 ba 1d dc a9 89 4c 8b 71 31 48 5a f9 5f dd
06 83 5e 18 13 26 dd b7 8f 36 03 ef 78 75 67 fb
01 e9 ad ba 7d e0 d6 0e 89 28 0b 43 74 8d 2f 53
---- ssldump output of exchange ----
New TCP connection #1: Charlene Client <-> Sammy Server
1 1 0.0018 (0.0018) C>SV3.3(173) Handshake
ClientHello
Version 3.3
random[32]=
52 8f bf 52 17 5d e2 c8 69 84 5f db fa 83 44 f7
d7 32 71 2e bf a6 79 d8 64 3c d3 1a 88 0e 04 3d
ciphersuites
TLS_ECCPWD_WITH_AES_128_GCM_SHA256_PRIV
TLS_ECCPWD_WITH_AES_256_GCM_SHA384_PRIV
Unknown value 0xff
compression methods
NULL
extensions
TLS-PWD unprotected name[5]=
04 66 72 65 64
elliptic curve point format[4]=
03 00 01 02
elliptic curve list[58]=
00 38 00 0e 00 0d 00 1c 00 19 00 0b 00 0c 00 1b
00 18 00 09 00 0a 00 1a 00 16 00 17 00 08 00 06
00 07 00 14 00 15 00 04 00 05 00 12 00 13 00 01
00 02 00 03 00 0f 00 10 00 11
Packet data[178]=
16 03 03 00 ad 01 00 00 a9 03 03 52 8f bf 52 17
5d e2 c8 69 84 5f db fa 83 44 f7 d7 32 71 2e bf
a6 79 d8 64 3c d3 1a 88 0e 04 3d 00 00 06 ff b3
ff b4 00 ff 01 00 00 7a b8 aa 00 05 04 66 72 65
64 00 0b 00 04 03 00 01 02 00 0a 00 3a 00 38 00
0e 00 0d 00 1c 00 19 00 0b 00 0c 00 1b 00 18 00
09 00 0a 00 1a 00 16 00 17 00 08 00 06 00 07 00
14 00 15 00 04 00 05 00 12 00 13 00 01 00 02 00
03 00 0f 00 10 00 11 00 0d 00 22 00 20 06 01 06
02 06 03 05 01 05 02 05 03 04 01 04 02 04 03 03
01 03 02 03 03 02 01 02 02 02 03 01 01 00 0f 00
01 01
1 2 0.0043 (0.0024) S>CV3.3(94) Handshake
ServerHello
Version 3.3
random[32]=
52 8f bf 52 43 78 a1 b1 3b 8d 2c bd 24 70 90 72
13 69 f8 bf a3 ce eb 3c fc d8 5c bf cd d5 8e aa
session_id[32]=
ef ee 38 08 22 09 f2 c1 18 38 e2 30 33 61 e3 d6
e6 00 6d 18 0e 09 f0 73 d5 21 20 cf 9f bf 62 88
cipherSuite TLS_ECCPWD_WITH_AES_128_GCM_SHA256_PRIV
compressionMethod NULL
extensions
renegotiate[1]=
00
elliptic curve point format[4]=
03 00 01 02
heartbeat[1]=
01
Packet data[99]=
16 03 03 00 5e 02 00 00 5a 03 03 52 8f bf 52 43
78 a1 b1 3b 8d 2c bd 24 70 90 72 13 69 f8 bf a3
ce eb 3c fc d8 5c bf cd d5 8e aa 20 ef ee 38 08
22 09 f2 c1 18 38 e2 30 33 61 e3 d6 e6 00 6d 18
0e 09 f0 73 d5 21 20 cf 9f bf 62 88 ff b3 00 00
12 ff 01 00 01 00 00 0b 00 04 03 00 01 02 00 0f
00 01 01
1 3 0.0043 (0.0000) S>CV3.3(141) Handshake
ServerKeyExchange
params
salt[32]=
96 3c 77 cd c1 3a 2a 8d 75 cd dd d1 e0 44 99 29
84 37 11 c2 1d 47 ce 6e 63 83 cd da 37 e4 7d a3
EC parameters = 3
curve id = 26
element[65]=
04 7b de a7 7c 03 8e dc d5 66 16 99 81 c5 87 07
fa db a8 a8 d8 3e c9 0c 37 e3 c0 66 6a 5a 67 99
11 40 d6 85 1a 6c 81 a5 01 75 64 d5 26 b1 57 db
cd 97 a6 42 7c b0 e4 7e e5 ca a4 39 66 33 e0 51
31
scalar[32]=
2f 70 48 96 69 9f c4 24 d3 ce c3 37 17 64 4f 5a
df 7f 68 48 34 24 ee 51 49 2b b9 66 13 fc 49 21
Packet data[146]=
16 03 03 00 8d 0c 00 00 89 00 20 96 3c 77 cd c1
3a 2a 8d 75 cd dd d1 e0 44 99 29 84 37 11 c2 1d
47 ce 6e 63 83 cd da 37 e4 7d a3 03 00 1a 41 04
7b de a7 7c 03 8e dc d5 66 16 99 81 c5 87 07 fa
db a8 a8 d8 3e c9 0c 37 e3 c0 66 6a 5a 67 99 11
40 d6 85 1a 6c 81 a5 01 75 64 d5 26 b1 57 db cd
97 a6 42 7c b0 e4 7e e5 ca a4 39 66 33 e0 51 31
00 20 2f 70 48 96 69 9f c4 24 d3 ce c3 37 17 64
4f 5a df 7f 68 48 34 24 ee 51 49 2b b9 66 13 fc
49 21
1 4 0.0043 (0.0000) S>CV3.3(4) Handshake
ServerHelloDone
Packet data[9]=
16 03 03 00 04 0e 00 00 00
1 5 0.0086 (0.0043) C>SV3.3(104) Handshake
ClientKeyExchange
element[65]=
04 89 07 f2 0c a8 ff 2b ad bf a6 3e de c5 93 4d
f1 ec ff 10 75 3f 7a a4 f7 50 ba 8a 2d bd 92 63
33 3d af f9 43 a2 1c d0 79 d7 75 07 b9 27 82 ee
77 98 91 98 b9 0a d7 78 de 38 46 c3 19 c7 bc d2
45
scalar[32]=
66 92 44 aa 67 cb 00 ea 72 c0 9b 84 a9 db 5b b8
24 fc 39 82 42 8f cd 40 69 63 ae 08 0e 67 7a 48
Packet data[109]=
16 03 03 00 68 10 00 00 64 41 04 89 07 f2 0c a8
ff 2b ad bf a6 3e de c5 93 4d f1 ec ff 10 75 3f
7a a4 f7 50 ba 8a 2d bd 92 63 33 3d af f9 43 a2
1c d0 79 d7 75 07 b9 27 82 ee 77 98 91 98 b9 0a
d7 78 de 38 46 c3 19 c7 bc d2 45 00 20 66 92 44
aa 67 cb 00 ea 72 c0 9b 84 a9 db 5b b8 24 fc 39
82 42 8f cd 40 69 63 ae 08 0e 67 7a 48
1 6 0.0086 (0.0000) C>SV3.3(1) ChangeCipherSpec
Packet data[6]=
14 03 03 00 01 01
1 7 0.0086 (0.0000) C>SV3.3(40) Handshake
Packet data[45]=
16 03 03 00 28 00 00 00 00 00 00 00 00 3f c4 e5
87 f1 1c a6 1e ee f0 8f af ee c9 47 c4 9c 0e 24
4a 93 56 ab 15 3f f3 4f 0d 43 4a 16 e5
1 8 0.0105 (0.0018) S>CV3.3(1) ChangeCipherSpec
Packet data[6]=
14 03 03 00 01 01
1 9 0.0105 (0.0000) S>CV3.3(40) Handshake
Packet data[45]=
16 03 03 00 28 00 00 00 00 00 00 00 00 f6 73 c4
4f f1 62 61 cf d6 a0 e6 46 b0 7f 98 1a 6d 81 37
24 86 99 42 ec 42 0d a3 76 30 53 c1 92
1 10 0.0107 (0.0002) C>SV3.3(100) application_data
Packet data....
Notes:
There is an error regarding the Password Element used in
the example in the appendix.
Curve used in the example: brainpoolP256r1
PE.x used in the example:
29 b2 38 55 81 9f 9c 3f c3 71 ba e2 84 f0 93 a3
a4 fd 34 72 d4 bd 2e 9d f7 15 2d 22 ab 37 aa e6
This is not a valid point on the given curve. Using
Magma (http://magma.maths.usyd.edu.au/calc/) and the values for
brainpool from https://tools.ietf.org/html/rfc5639#section-3.4 gives a
Legendre Symbol of -1, indicating that y^2 is not a quadratic residue
and therefore that PE.x is not a valid point on the curve. Code used:
a :=
56698187605326110043627228396178346077120614539475214109386828188763884139993;
b :=
17577232497321838841075697789794520262950426058923084567046852300633325438902;
x :=
18859714372486306827330584431184663996963158272766618598705097205657493809894;
p :=
76884956397045344220809746629001649093037950200943055203735601445031516197751;
y2 := (x*x*x + a*x + b) mod p;
ls := LegendreSymbol(y2, p);
print ls;
The PE.x in the example seems to be the PRF output in the third round in
the algorithm in 4.4.1 of the RFC.
In older revisions this value was used directly as the X-Coordinate.
However, a) this has changed in newer revisions, and
b) the output of the first round is already a valid point and should
therefore be used instead.
The client and server seem to use a different point than the given PE.x on the curve for
their key exchange. The actual value used can be calculated from the
given mask:
PE = (-element) * (mask^-1 mod q)
Actual PE.x:
A7 EE 9B 10 90 C5 DE AF AD FE A2 EC 93 50 1F B8
9E A4 CC 40 2D D5 CE 03 AF 59 FB 4C D1 9B 86 9B
Doing this for the client Element as well gives the same PE.
Using this PE and the given private values also results in the same
premaster secret in the example.
However, the PRF output of the first round (using the base in the
example) is:
AE 80 44 FE 9A 02 7F A3 26 0C B2 4D 26 FB EC FB
0C D3 1A 28 E0 08 79 98 47 6F 48 24 84 28 AA 1B
A1 4C 25 3C E3 00 CF E5
Resulting X-Coordinate ((pwd-tmp mod (p - 1)) + 1):
00 68 6B 0D 3F C4 98 94 DD 62 1E C0 4F 92 5E 02
9B 2B 15 28 ED ED CA 46 00 72 54 28 1E 9A 6E DC
In decimal:
184490938790914521010164124495537968992184466437601025180409064591686528732
This gives us a Legendre Symbol of 1. This should be the correct PE to
use for the key exchange. The element of the server and client as well
as the premaster and master secret have been adjusted accordingly.
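The two checks made in the notes above, the Legendre-symbol test of PE.x and the recovery of PE from a transmitted Element and its mask via PE = (-Element) * (mask^-1 mod q), replayed as an added Python example. This is not code from the erratum, its reporter, or RFC 8492: the curve constants are the brainpoolP256r1 values from RFC 5639, the hex values are transcribed from this page, and the function names (h2b, legendre, recover_pe, check_erratum and the rest) are the example's own. It also applies the reduction ((pwd-tmp mod (p - 1)) + 1) to the 40-byte first-round PRF output given above and compares the result with the corrected PE.x.

```python
# Added example, not code from the erratum, its reporter, or RFC 8492: it replays
# the erratum's checks with plain Python integers (no external libraries).
# Curve constants are brainpoolP256r1 as listed in RFC 5639, Section 3.4.
P = 0xA9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5377
A = 0x7D5A0975FC2C3057EEF67530417AFFE7FB8055C126DC5C6CE94A4B44F330B5D9
B = 0x26DC5C6CE94A4B44F330B5D9BBD77CBF958416295CF7E1CE6BCCDC18FF8C07B6
GX = 0x8BD2AEB9CB7E57CB2C4B482FFC81B7AFB9DE27E1E3BD23C23A4453BD9ACE3262
GY = 0x547EF835C3DAC4FD97F8461A14611DC9C27745132DED8E545C1D54C72F046997
Q = 0xA9FB57DBA1EEA9BC3E660A909D838D718C397AA3B561A6F7901E0E82974856A7  # order of G, cofactor 1

def h2b(dump: str) -> bytes:
    """Whitespace-separated hex dump, as printed in the erratum, to bytes."""
    return bytes.fromhex("".join(dump.split()))

def h2i(dump: str) -> int:
    return int.from_bytes(h2b(dump), "big")

# Values transcribed from the erratum (original and corrected Appendix A).
OLD_PE_X = h2i("29 b2 38 55 81 9f 9c 3f c3 71 ba e2 84 f0 93 a3 a4 fd 34 72 d4 bd 2e 9d f7 15 2d 22 ab 37 aa e6")
NEW_PE_X = h2i("00 68 6b 0d 3f c4 98 94 dd 62 1e c0 4f 92 5e 02 9b 2b 15 28 ed ed ca 46 00 72 54 28 1e 9a 6e dc")
ACTUAL_OLD_PE_X = h2i("A7 EE 9B 10 90 C5 DE AF AD FE A2 EC 93 50 1F B8 9E A4 CC 40 2D D5 CE 03 AF 59 FB 4C D1 9B 86 9B")
PWD_TMP = h2i("AE 80 44 FE 9A 02 7F A3 26 0C B2 4D 26 FB EC FB 0C D3 1A 28 E0 08 79 98 47 6F 48 24 84 28 AA 1B "
              "A1 4C 25 3C E3 00 CF E5")
SERVER_MASK = h2i("0d 96 ab 62 4d 08 2c 71 25 5b e3 64 8d cd 30 3f 6a b0 ca 61 a9 50 34 a5 53 e3 30 8d 1d 37 44 e5")
CLIENT_MASK = h2i("4f 74 5b df c2 95 d3 b3 84 29 f7 eb 30 25 a4 88 83 72 8b 07 d8 86 05 c0 ee 20 23 16 a0 72 d1 bd")
OLD_SERVER_ELEMENT = h2b("04 22 bb d5 6b 48 1d 7f a9 0c 35 e8 d4 2f cd 06 61 8a 07 78 de 50 6b 1b c3 88 82 ab c7 31 32 ee "
                         "f3 7f 02 e1 3b d5 44 ac c1 45 bd d8 06 45 0d 43 be 34 b9 28 83 48 d0 3d 6c d9 83 24 87 b1 29 db e1")
OLD_CLIENT_ELEMENT = h2b("04 a0 c6 9b 45 0b 85 ae e3 9f 64 6b 6e 64 d3 c1 08 39 5f 4b a1 19 2d bf eb f0 de c5 b1 89 13 1f "
                         "59 5d d4 ba cd bd d6 83 8d 92 19 fd 54 29 91 b2 c0 b0 e4 c4 46 bf e5 8f 3c 03 39 f7 56 e8 9e fd a0")
NEW_SERVER_ELEMENT = h2b("04 7b de a7 7c 03 8e dc d5 66 16 99 81 c5 87 07 fa db a8 a8 d8 3e c9 0c 37 e3 c0 66 6a 5a 67 99 "
                         "11 40 d6 85 1a 6c 81 a5 01 75 64 d5 26 b1 57 db cd 97 a6 42 7c b0 e4 7e e5 ca a4 39 66 33 e0 51 31")

def curve_rhs(x: int) -> int:
    """Right-hand side x^3 + A*x + B of the curve equation, reduced mod P."""
    return (x * x * x + A * x + B) % P

def legendre(n: int) -> int:
    """Legendre symbol (n | P) by Euler's criterion: 1 (residue), -1 (non-residue) or 0."""
    r = pow(n % P, (P - 1) // 2, P)
    return -1 if r == P - 1 else r

def x_from_pwd_tmp(pwd_tmp: int) -> int:
    return (pwd_tmp % (P - 1)) + 1  # candidate x per RFC 8492 Section 4.4.1

def ec_add(p1, p2):
    """Affine addition on y^2 = x^3 + A*x + B; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k: int, pt):
    """Double-and-add scalar multiplication (written for clarity, not constant time)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def decode_element(raw: bytes):
    """Parse an uncompressed Element and reject anything that is not on the curve."""
    if len(raw) != 65 or raw[0] != 0x04:
        raise ValueError("expected a 65-byte uncompressed point")
    x = int.from_bytes(raw[1:33], "big")
    y = int.from_bytes(raw[33:], "big")
    if x >= P or y >= P or (y * y) % P != curve_rhs(x):
        raise ValueError("Element is not a point on brainpoolP256r1")
    return (x, y)

def recover_pe(element: bytes, mask: int):
    """PE = (-Element) * (mask^-1 mod q), the relation used in the erratum notes."""
    ex, ey = decode_element(element)
    return ec_mul(pow(mask, -1, Q), (ex, (-ey) % P))

def check_erratum() -> dict:
    return {
        "old_pe_x_legendre": legendre(curve_rhs(OLD_PE_X)),   # -1: not on the curve
        "new_pe_x_legendre": legendre(curve_rhs(NEW_PE_X)),   # 1: on the curve
        "pwd_tmp_matches_new_x": x_from_pwd_tmp(PWD_TMP) == NEW_PE_X,
        "old_server_pe_x": recover_pe(OLD_SERVER_ELEMENT, SERVER_MASK)[0],
        "old_client_pe_x": recover_pe(OLD_CLIENT_ELEMENT, CLIENT_MASK)[0],
        "new_server_pe_x": recover_pe(NEW_SERVER_ELEMENT, SERVER_MASK)[0],
    }

if __name__ == "__main__":
    for name, value in check_erratum().items():
        print(f"{name}: {value:#x}" if name.endswith("pe_x") else f"{name}: {value}")
```

Two design points. decode_element refuses an off-curve Element before any scalar multiplication, which is the validation a TLS-PWD implementation needs on every received Element regardless of this erratum; an Element that fails it should abort the handshake. And because negating a point leaves its x-coordinate unchanged, comparing only x makes the recovery independent of whether the Element is stored as mask*PE or as its inverse, which is why the erratum can check both the server's and the client's Element against the same PE.x.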
