3.1.3.1.1 Encryption Example

The following is an example of the process to convert an unencrypted message to an encrypted message.

Unencrypted Message


Signature = 0x30, 0x30
MessageLength = 45 bytes (0x00, 0x2D)
Version = 0x03
MessageType = Connect (0x02)
MessageFlags = None (0x00, 0x00)
SequenceNumber = 0 (0x00, 0x00, 0x00, 0x00)
RequestID = 0 (0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00)
FragmentIndex = 0 (0x00, 0x00)
FragmentCount = 1 (0x00, 0x01)
SessionID = 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01
ChannelID = 0 (0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00)
EndAdditionalHeaders = 0x00, 0x00
ConnectionMode = Proximal (0x00, 0x01)
MessageType = AuthDoneRequest (0x06)

Using the AES 128-bit algorithm in CBC mode with the IV key as described above, encrypt the concatenated values of the SessionId, SequenceNumber, FragmentIndex, and FragmentCount.


SessionID = 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01
SequenceNumber = 0 (0x00, 0x00, 0x00, 0x00)
FragmentIndex = 0 (0x00, 0x00)
FragmentCount = 1 (0x00, 0x01)

The output of this encryption will be referred to as the initialization vector.

Before the message payload is encrypted, the unencrypted payload size is prepended to the payload, and the result is then padded to a length that is a multiple of AES 128-bit CBC's block size (16 bytes). The padding is appended to the new payload, and the padding value is the difference between the intermediate payload size and the final payload size. Changes from the previous message are marked with bold.


Signature = 0x30, 0x30
MessageLength = 58 bytes (0x00, 0x3A)
Version = 0x03
MessageType = Connect (0x02)
MessageFlags = None (0x00, 0x00)
SequenceNumber = 0 (0x00, 0x00, 0x00, 0x00)
RequestID = 0 (0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00)
FragmentIndex = 0 (0x00, 0x00)
FragmentCount = 1 (0x00, 0x01)
SessionID = 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01
ChannelID = 0 (0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00)
EndAdditionalHeaders = 0x00, 0x00
PayloadSize = 0x00, 0x00, 0x00, 0x03
ConnectionMode = Proximal (0x00, 0x01)
MessageType = AuthDoneRequest
Padding = 7 (0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07)

This new payload is then encrypted with AES 128-bit CBC, using the encryption key and the aforementioned initialization vector (an input of the algorithm). The changes are in bold.

Encrypted Message


Signature = 0x30, 0x30
MessageLength = 58 bytes (0x00, 0x3A)
Version = 0x03
MessageType = Connect (0x02)
MessageFlags = None (0x00, 0x00)
SequenceNumber = 0 (0x00, 0x00, 0x00, 0x00)
RequestID = 0 (0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00)
FragmentIndex = 0 (0x00, 0x00)
FragmentCount = 1 (0x00, 0x01)
SessionID = 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01
ChannelID = 0 (0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00)
EndAdditionalHeaders = 0x00, 0x00
Payload = Encrypted (shown as 14 cells, each marked Encrypted)

Finally, the entire message is hashed with a SHA-256 HMAC algorithm, where the secret key comes from the aforementioned secret exchange. This hash is then appended to the message and the message size is updated accordingly. The changes are in bold.


Signature = 0x30, 0x30
MessageLength = 90 bytes (0x00, 0x5A)
Version = 0x03
MessageType = Connect (0x02)
MessageFlags = None (0x00, 0x00)
SequenceNumber = 0 (0x00, 0x00, 0x00, 0x00)
RequestID = 0 (0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00)
FragmentIndex = 0 (0x00, 0x00)
FragmentCount = 1 (0x00, 0x01)
SessionID = 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01
ChannelID = 0 (0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00)
EndAdditionalHeaders = 0x00, 0x00
Payload = Encrypted (shown as 14 cells, each marked Encrypted)

SHA 256 Hash (32 bytes)
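
The steps above (IV derivation, size prefix and padding, CBC encryption, HMAC) carried through on the example's 3-byte payload, as an added Go example that is not code from the specification. The keys are constructed sample values; the zero IV in the IV-derivation step, the no-padding-when-aligned rule, and setting MessageLength before computing the HMAC are assumptions, because this section does not pin them down.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Constructed sample keys; real ones come from the secret exchange.
var EncKey, IVKey, HMACKey = bytes.Repeat([]byte{0x11}, 16), bytes.Repeat([]byte{0x22}, 16), bytes.Repeat([]byte{0x33}, 32)

// Header is the example's 42-byte header (MessageLength 45, FragmentCount 1, SessionID ..01 ..01).
var Header = []byte{0x30, 0x30, 0x00, 0x2D, 0x03, 0x02, 23: 1, 27: 1, 31: 1, 41: 0}

// DeriveIV encrypts SessionID||SequenceNumber||FragmentIndex||FragmentCount under the IV key.
// Assumption: zero IV for this step, so CBC over the single block is one raw AES encryption.
func DeriveIV(h []byte) []byte {
	iv := append(append(append([]byte{}, h[24:32]...), h[8:12]...), h[20:24]...)
	blk, _ := aes.NewCipher(IVKey)
	blk.Encrypt(iv, iv)
	return iv
}

// PadPayload prepends the 4-byte PayloadSize and pads to a multiple of 16 bytes; each padding
// byte holds the number of bytes added (assumption: nothing is added if already aligned).
func PadPayload(p []byte) []byte {
	out := append(make([]byte, 4), p...)
	binary.BigEndian.PutUint32(out, uint32(len(p)))
	n := (aes.BlockSize - len(out)%aes.BlockSize) % aes.BlockSize
	return append(out, bytes.Repeat([]byte{byte(n)}, n)...)
}

// Seal returns header || ciphertext || HMAC-SHA256. Assumption: MessageLength is set to the
// final size before the HMAC is computed over header and ciphertext.
func Seal(h, payload []byte) []byte {
	pt := PadPayload(payload)
	blk, _ := aes.NewCipher(EncKey)
	cipher.NewCBCEncrypter(blk, DeriveIV(h)).CryptBlocks(pt, pt) // encrypt in place
	msg := append(append([]byte{}, h...), pt...)
	binary.BigEndian.PutUint16(msg[2:], uint16(len(msg)+sha256.Size))
	mac := hmac.New(sha256.New, HMACKey)
	mac.Write(msg)
	return mac.Sum(msg)
}

func main() { fmt.Printf("% x\n", Seal(Header, []byte{0x00, 0x01, 0x06})) }
```

Applied to this payload, the stated padding rule adds nine bytes (4 + 3 + 9 = 16), which is the 16-byte encrypted block that the MessageLength values of 58 and 90 imply, whereas the diagram draws seven padding bytes.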