diff --git a/doc/notebooks/tls/images/handshake_tls12.png b/doc/notebooks/tls/images/handshake_tls12.png
new file mode 100644
index 0000000000000000000000000000000000000000..ecfe61a1308e0171508890cc74ba9060ea30a881
Binary files /dev/null and b/doc/notebooks/tls/images/handshake_tls12.png differ
diff --git a/doc/notebooks/tls/images/handshake_tls13.png b/doc/notebooks/tls/images/handshake_tls13.png
new file mode 100644
index 0000000000000000000000000000000000000000..1feed39f4bb4eb847fc537b6c919ce527bd75a6d
Binary files /dev/null and b/doc/notebooks/tls/images/handshake_tls13.png differ
diff --git a/doc/notebooks/tls/notebook1_x509.ipynb b/doc/notebooks/tls/notebook1_x509.ipynb
new file mode 100644
index 0000000000000000000000000000000000000000..c9f2eacef0a0fc53e07878403d011a2e731a7ce5
--- /dev/null
+++ b/doc/notebooks/tls/notebook1_x509.ipynb
@@ -0,0 +1,310 @@
+{
+ "cells": [
+ {
+ "cell_type": "markdown",
+ "metadata": {},
+ "source": [
+ "# Notebook 1: X.509 certificates"
+ ]
+ },
+ {
+ "cell_type": "markdown",
+ "metadata": {},
+ "source": [
+ "## Jupyter notebook cheat sheet"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": null,
+ "metadata": {
+ "collapsed": false
+ },
+ "outputs": [],
+ "source": [
+ "# Use Shift+Enter to run the current cell\n",
+ "print 'Hello!'"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": null,
+ "metadata": {
+ "collapsed": false
+ },
+ "outputs": [],
+ "source": [
+ "# You may also use Alt+Enter to run the current cell, then create a new cell right below\n",
+ "from datetime import datetime\n",
+ "print 'This is the time right now: %s' % datetime.now()"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": null,
+ "metadata": {
+ "collapsed": false
+ },
+ "outputs": [],
+ "source": [
+ "# If needed, pause the cell edition with Ctrl-M.\n",
+ "# Then you can delete the current cell with D+D. You can also undo cell deletion with Z.\n",
+ "# Finally, should Jupyter become stuck in execution, use Kernel/Interrupt from the menu bar.\n",
+ "print 'Got it!'"
+ ]
+ },
+ {
+ "cell_type": "markdown",
+ "metadata": {},
+ "source": [
+ "## Data manipulation with Scapy"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": null,
+ "metadata": {
+ "collapsed": true
+ },
+ "outputs": [],
+ "source": [
+ "from scapy.all import *"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": null,
+ "metadata": {
+ "collapsed": false
+ },
+ "outputs": [],
+ "source": [
+ "keystr = open('raw_data/pki/ca_key.der', 'r').read()\n",
+ "print repr(keystr)\n",
+ "# (btw, you can hide the output of a cell by double-clicking on the left of the output)"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": null,
+ "metadata": {
+ "collapsed": false
+ },
+ "outputs": [],
+ "source": [
+ "privkey = RSAPrivateKey(keystr)\n",
+ "privkey.show()"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": null,
+ "metadata": {
+ "collapsed": false
+ },
+ "outputs": [],
+ "source": [
+ "v = privkey.version\n",
+ "print 'The \\'version\\' stripped from any ASN.1 encoding is 0x%02x.' % v.val\n",
+ "print 'The \\'version\\' field correspond to bytes %r.' % str(v)"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": null,
+ "metadata": {
+ "collapsed": false
+ },
+ "outputs": [],
+ "source": [
+ "privkey.version = ASN1_INTEGER(1)\n",
+ "privkey.modulus.val *= 2\n",
+ "privkey.show()"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": null,
+ "metadata": {
+ "collapsed": false
+ },
+ "outputs": [],
+ "source": [
+ "print 'Original data: %r...' % keystr[:13]\n",
+ "print 'New version bytes: %r' % str(privkey.version)\n",
+ "print 'New modulus bytes: %r...' % str(privkey.modulus)[:6]\n",
+ "print 'Rebuilt data: %r...' % str(privkey)[:13]"
+ ]
+ },
+ {
+ "cell_type": "markdown",
+ "metadata": {
+ "collapsed": true
+ },
+ "source": [
+ "## X.509 certificate features"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": null,
+ "metadata": {
+ "collapsed": false
+ },
+ "outputs": [],
+ "source": [
+ "# Let's reload the original key, then let's load a certificate associated with it\n",
+ "privkey = RSAPrivateKey(keystr)\n",
+ "cert = X509_Cert(open('raw_data/pki/ca_cert.der', 'r').read())\n",
+ "cert.show()"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": null,
+ "metadata": {
+ "collapsed": false
+ },
+ "outputs": [],
+ "source": [
+ "cert.tbsCertificate.subjectPublicKeyInfo.subjectPublicKey.show()\n",
+ "cert.tbsCertificate.subject[-1].rdn[0].show()"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": null,
+ "metadata": {
+ "collapsed": false,
+ "scrolled": true
+ },
+ "outputs": [],
+ "source": [
+ "cert.tbsCertificate.subjectPublicKeyInfo.subjectPublicKey.modulus == privkey.modulus"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": null,
+ "metadata": {
+ "collapsed": false
+ },
+ "outputs": [],
+ "source": [
+ "cert.tbsCertificate.extensions[2].show()"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": null,
+ "metadata": {
+ "collapsed": false
+ },
+ "outputs": [],
+ "source": [
+ "cert.signatureAlgorithm.algorithm"
+ ]
+ },
+ {
+ "cell_type": "markdown",
+ "metadata": {},
+ "source": [
+ "## Scapy crypto tools"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": null,
+ "metadata": {
+ "collapsed": true
+ },
+ "outputs": [],
+ "source": [
+ "# Let's reload the key with Scapy's crypto-enhanced wrapper\n",
+ "privkey = PrivKey('raw_data/pki/ca_key.der')"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": null,
+ "metadata": {
+ "collapsed": false
+ },
+ "outputs": [],
+ "source": [
+ "privkey.der == keystr"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": null,
+ "metadata": {
+ "collapsed": false
+ },
+ "outputs": [],
+ "source": [
+ "print privkey.key\n",
+ "print privkey.pubkey"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": null,
+ "metadata": {
+ "collapsed": false
+ },
+ "outputs": [],
+ "source": [
+ "# We can compute the RSA signature over the part of the certificate which is to be signed\n",
+ "privkey.sign(str(cert.tbsCertificate))"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": null,
+ "metadata": {
+ "collapsed": false
+ },
+ "outputs": [],
+ "source": [
+ "cert.signatureValue"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": null,
+ "metadata": {
+ "collapsed": false
+ },
+ "outputs": [],
+ "source": [
+ "# We can quickly modify a certificate field and update the signature accordingly\n",
+ "cert.tbsCertificate.serialNumber.val = 0xdeadcafe\n",
+ "cert.tbsCertificate.subject[-1].rdn[0].value.val = 'my new deadcafe CA' \n",
+ "cert2 = privkey.resignCert(cert)\n",
+ "cert2.show()"
+ ]
+ }
+ ],
+ "metadata": {
+ "kernelspec": {
+ "display_name": "Python 2",
+ "language": "python",
+ "name": "python2"
+ },
+ "language_info": {
+ "codemirror_mode": {
+ "name": "ipython",
+ "version": 2
+ },
+ "file_extension": ".py",
+ "mimetype": "text/x-python",
+ "name": "python",
+ "nbconvert_exporter": "python",
+ "pygments_lexer": "ipython2",
+ "version": "2.7.13"
+ }
+ },
+ "nbformat": 4,
+ "nbformat_minor": 2
+}
diff --git a/doc/notebooks/tls/notebook2_tls_protected.ipynb b/doc/notebooks/tls/notebook2_tls_protected.ipynb
new file mode 100644
index 0000000000000000000000000000000000000000..726581e8048cc0ebf3956dd0ccb93c0619049987
--- /dev/null
+++ b/doc/notebooks/tls/notebook2_tls_protected.ipynb
@@ -0,0 +1,263 @@
+{
+ "cells": [
+ {
+ "cell_type": "markdown",
+ "metadata": {},
+ "source": [
+ "# TLS handshake overview\n",
+ "This is the standard, modern TLS 1.2 handshake:\n",
+ "\n",
+ "<img src=\"images/handshake_tls12.png\" alt=\"Handshake TLS 1.2\" width=\"400\"/>"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": null,
+ "metadata": {
+ "collapsed": true
+ },
+ "outputs": [],
+ "source": [
+ "# We're going to parse several successive records from the passive listening of a standard TLS handshake\n",
+ "from scapy.all import *"
+ ]
+ },
+ {
+ "cell_type": "markdown",
+ "metadata": {},
+ "source": [
+ "## (C) ---> (S) ClientHello"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": null,
+ "metadata": {
+ "collapsed": false
+ },
+ "outputs": [],
+ "source": [
+ "record1 = TLS(open('raw_data/tls_session_protected/01_cli.raw').read())\n",
+ "record1.show()"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": null,
+ "metadata": {
+ "collapsed": false
+ },
+ "outputs": [],
+ "source": [
+ "for extension in record1.msg[0].ext:\n",
+ " print ''\n",
+ " extension.show()"
+ ]
+ },
+ {
+ "cell_type": "markdown",
+ "metadata": {},
+ "source": [
+ "## (C) <--- (S) ServerHello"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": null,
+ "metadata": {
+ "collapsed": false
+ },
+ "outputs": [],
+ "source": [
+ "record2 = TLS(open('raw_data/tls_session_protected/02_srv.raw').read())\n",
+ "record2.show()"
+ ]
+ },
+ {
+ "cell_type": "markdown",
+ "metadata": {},
+ "source": [
+ "## (C) <--- (S) Certificate"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": null,
+ "metadata": {
+ "collapsed": false
+ },
+ "outputs": [],
+ "source": [
+ "record3 = TLS(open('raw_data/tls_session_protected/03_srv.raw').read())\n",
+ "record3.show()"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": null,
+ "metadata": {
+ "collapsed": false
+ },
+ "outputs": [],
+ "source": [
+ "# The Certificate message actually contains a *chain* of certificates\n",
+ "for cert in record3.msg[0].certs:\n",
+ " print type(cert[1])\n",
+ " cert[1].show()\n",
+ " print ''"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": null,
+ "metadata": {
+ "collapsed": false
+ },
+ "outputs": [],
+ "source": [
+ "# Let's recall the domain that the client wants to access\n",
+ "record1.msg[0].ext[0].show()\n",
+ "\n",
+ "# Indeed the certificate may be used with other domains than its CN 'www.github.com'\n",
+ "x509c = record3.msg[0].certs[0][1].x509Cert\n",
+ "print type(x509c)\n",
+ "x509c.tbsCertificate.extensions[2].show()"
+ ]
+ },
+ {
+ "cell_type": "markdown",
+ "metadata": {},
+ "source": [
+ "## (C) <--- (S) CertificateStatus, ServerKeyExchange, ServerHelloDone"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": null,
+ "metadata": {
+ "collapsed": false
+ },
+ "outputs": [],
+ "source": [
+ "# Here the server sent three TLS records in the same TCP segment\n",
+ "record4 = TLS(open('raw_data/tls_session_protected/04_srv.raw').read())\n",
+ "record4.show()"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": null,
+ "metadata": {
+ "collapsed": false
+ },
+ "outputs": [],
+ "source": [
+ "# Let's verify the signature in the ServerKeyExchange\n",
+ "# First, we need to assemble the whole data being signed\n",
+ "cli_random = pkcs_i2osp(record1.msg[0].gmt_unix_time, 4) + record1.msg[0].random_bytes\n",
+ "srv_random = pkcs_i2osp(record2.msg[0].gmt_unix_time, 4) + record2.msg[0].random_bytes\n",
+ "ecdh_params = str(record4[TLSServerKeyExchange].params)\n",
+ "\n",
+ "# Then we retrieve the server's Cert and verify the signature\n",
+ "cert_srv = record3.msg[0].certs[0][1]\n",
+ "cert_srv.verify(cli_random + srv_random + ecdh_params, record4[TLSServerKeyExchange].sig.sig_val, h='sha512')"
+ ]
+ },
+ {
+ "cell_type": "markdown",
+ "metadata": {
+ "collapsed": true
+ },
+ "source": [
+ "## (C) ---> (S) ClientKeyExchange, ChangeCipherSpec, Finished"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": null,
+ "metadata": {
+ "collapsed": false
+ },
+ "outputs": [],
+ "source": [
+ "record5_str = open('raw_data/tls_session_protected/05_cli.raw').read()\n",
+ "record5 = TLS(record5_str)\n",
+ "record5.show()"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": null,
+ "metadata": {
+ "collapsed": false
+ },
+ "outputs": [],
+ "source": [
+ "# Every record has a 'tls_session' context which may enhance the parsing of later records\n",
+ "record5 = TLS(record5_str, tls_session=record2.tls_session.mirror())\n",
+ "record5.show()"
+ ]
+ },
+ {
+ "cell_type": "markdown",
+ "metadata": {},
+ "source": [
+ "## (C) <--- (S) NewSessionTicket, ChangeCipherSpec, Finished"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": null,
+ "metadata": {
+ "collapsed": false
+ },
+ "outputs": [],
+ "source": [
+ "record6_str = open('raw_data/tls_session_protected/06_srv.raw').read()\n",
+ "record6 = TLS(record6_str, tls_session=record5.tls_session.mirror())\n",
+ "record6.show()"
+ ]
+ },
+ {
+ "cell_type": "markdown",
+ "metadata": {},
+ "source": [
+ "## (C) ---> (S) ApplicationData"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": null,
+ "metadata": {
+ "collapsed": false
+ },
+ "outputs": [],
+ "source": [
+ "record7_str = open('raw_data/tls_session_protected/07_cli.raw').read()\n",
+ "record7 = TLS(record7_str, tls_session=record6.tls_session.mirror())\n",
+ "record7.show()"
+ ]
+ }
+ ],
+ "metadata": {
+ "kernelspec": {
+ "display_name": "Python 2",
+ "language": "python",
+ "name": "python2"
+ },
+ "language_info": {
+ "codemirror_mode": {
+ "name": "ipython",
+ "version": 2
+ },
+ "file_extension": ".py",
+ "mimetype": "text/x-python",
+ "name": "python",
+ "nbconvert_exporter": "python",
+ "pygments_lexer": "ipython2",
+ "version": "2.7.13"
+ }
+ },
+ "nbformat": 4,
+ "nbformat_minor": 2
+}
diff --git a/doc/notebooks/tls/notebook3_tls_compromised.ipynb b/doc/notebooks/tls/notebook3_tls_compromised.ipynb
new file mode 100644
index 0000000000000000000000000000000000000000..4a879a3cf4b7a9c7baadd37715312df2755fe83f
--- /dev/null
+++ b/doc/notebooks/tls/notebook3_tls_compromised.ipynb
@@ -0,0 +1,123 @@
+{
+ "cells": [
+ {
+ "cell_type": "markdown",
+ "metadata": {},
+ "source": [
+ "# The lack of PFS: a danger to privacy"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": null,
+ "metadata": {
+ "collapsed": true
+ },
+ "outputs": [],
+ "source": [
+ "from scapy.all import *"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": null,
+ "metadata": {
+ "collapsed": false
+ },
+ "outputs": [],
+ "source": [
+ "record1_str = open('raw_data/tls_session_compromised/01_cli.raw').read()\n",
+ "record1 = TLS(record1_str)\n",
+ "record1.msg[0].show()"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": null,
+ "metadata": {
+ "collapsed": false,
+ "scrolled": true
+ },
+ "outputs": [],
+ "source": [
+ "record2_str = open('raw_data/tls_session_compromised/02_srv.raw').read()\n",
+ "record2 = TLS(record2_str, tls_session=record1.tls_session.mirror())\n",
+ "record2.msg[0].show()"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": null,
+ "metadata": {
+ "collapsed": true
+ },
+ "outputs": [],
+ "source": [
+ "# Suppose we possess the private key of the server\n",
+ "# Try registering it to the session\n",
+ "#key = PrivKey('raw_data/pki/srv_key.pem')\n",
+ "#record2.tls_session.server_rsa_key = key"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": null,
+ "metadata": {
+ "collapsed": false
+ },
+ "outputs": [],
+ "source": [
+ "record3_str = open('raw_data/tls_session_compromised/03_cli.raw').read()\n",
+ "record3 = TLS(record3_str, tls_session=record2.tls_session.mirror())\n",
+ "record3.show()"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": null,
+ "metadata": {
+ "collapsed": false
+ },
+ "outputs": [],
+ "source": [
+ "record4_str = open('raw_data/tls_session_compromised/04_srv.raw').read()\n",
+ "record4 = TLS(record4_str, tls_session=record3.tls_session.mirror())\n",
+ "record4.show()"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": null,
+ "metadata": {
+ "collapsed": false
+ },
+ "outputs": [],
+ "source": [
+ "record5_str = open('raw_data/tls_session_compromised/05_cli.raw').read()\n",
+ "record5 = TLS(record5_str, tls_session=record4.tls_session.mirror())\n",
+ "record5.show()"
+ ]
+ }
+ ],
+ "metadata": {
+ "kernelspec": {
+ "display_name": "Python 2",
+ "language": "python",
+ "name": "python2"
+ },
+ "language_info": {
+ "codemirror_mode": {
+ "name": "ipython",
+ "version": 2
+ },
+ "file_extension": ".py",
+ "mimetype": "text/x-python",
+ "name": "python",
+ "nbconvert_exporter": "python",
+ "pygments_lexer": "ipython2",
+ "version": "2.7.13"
+ }
+ },
+ "nbformat": 4,
+ "nbformat_minor": 2
+}
diff --git a/doc/notebooks/tls/notebook4_tls13.ipynb b/doc/notebooks/tls/notebook4_tls13.ipynb
new file mode 100644
index 0000000000000000000000000000000000000000..39dbd2d22ba0d3f78c036de7ebc1a69340f3b162
--- /dev/null
+++ b/doc/notebooks/tls/notebook4_tls13.ipynb
@@ -0,0 +1,143 @@
+{
+ "cells": [
+ {
+ "cell_type": "markdown",
+ "metadata": {},
+ "source": [
+ "# TLS 1.3 handshake overview\n",
+ "This is the basic TLS 1.3 handshake:\n",
+ "\n",
+ "<img src=\"images/handshake_tls13.png\" alt=\"Handshake TLS 1.3\" width=\"400\"/>"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": null,
+ "metadata": {
+ "collapsed": true
+ },
+ "outputs": [],
+ "source": [
+ "from scapy.all import *"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": null,
+ "metadata": {},
+ "outputs": [],
+ "source": [
+ "record1_str = open('raw_data/tls_session_13/01_cli.raw').read()\n",
+ "record1 = TLS(record1_str)\n",
+ "sess = record1.tls_session\n",
+ "record1.show()"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": null,
+ "metadata": {},
+ "outputs": [],
+ "source": [
+ "record2_str = open('raw_data/tls_session_13/02_srv.raw').read()\n",
+ "record2 = TLS(record2_str, tls_session=sess.mirror())\n",
+ "record2.show()"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": null,
+ "metadata": {},
+ "outputs": [],
+ "source": [
+ "record3_str = open('raw_data/tls_session_13/03_cli.raw').read()\n",
+ "record3 = TLS(record3_str, tls_session=sess.mirror())\n",
+ "record3.show()"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": null,
+ "metadata": {
+ "collapsed": true
+ },
+ "outputs": [],
+ "source": [
+ "# The PFS relies on the ECDH secret below being kept from observers, and deleted right after the key exchange\n",
+ "#from cryptography.hazmat.primitives.asymmetric.ec import EllipticCurvePrivateNumbers\n",
+ "#from cryptography.hazmat.backends import default_backend\n",
+ "#secp256r1_client_privkey = open('raw_data/tls_session_13/cli_key.raw').read()\n",
+ "#pubnum = sess.tls13_client_pubshares[\"secp256r1\"].public_numbers()\n",
+ "#privnum = EllipticCurvePrivateNumbers(pkcs_os2ip(secp256r1_client_privkey), pubnum)\n",
+ "#privkey = privnum.private_key(default_backend())\n",
+ "#sess.tls13_client_privshares[\"secp256r1\"] = privkey"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": null,
+ "metadata": {
+ "scrolled": true
+ },
+ "outputs": [],
+ "source": [
+ "record4_str = open('raw_data/tls_session_13/04_srv.raw').read()\n",
+ "record4 = TLS(record4_str, tls_session=sess.mirror())\n",
+ "record4.show()"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": null,
+ "metadata": {},
+ "outputs": [],
+ "source": [
+ "record5_str = open('raw_data/tls_session_13/05_srv.raw').read()\n",
+ "record5 = TLS(record5_str, tls_session=sess)\n",
+ "record5.show()"
+ ]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": null,
+ "metadata": {},
+ "outputs": [],
+ "source": [
+ "record6_str = open('raw_data/tls_session_13/06_cli.raw').read()\n",
+ "record6 = TLS(record6_str, tls_session=sess.mirror())\n",
+ "record6.show()"
+ ]
+ },
+ {
+ "cell_type": "markdown",
+ "metadata": {},
+ "source": [
+ "## Observations sur TLS 1.3\n",
+ "* Certificat désormais chiffré...\n",
+ "* ...mais pas le Server Name dans le ClientHello\n",
+ "* Risques du mode 0-RTT"
+ ]
+ }
+ ],
+ "metadata": {
+ "kernelspec": {
+ "display_name": "Python 2",
+ "language": "python",
+ "name": "python2"
+ },
+ "language_info": {
+ "codemirror_mode": {
+ "name": "ipython",
+ "version": 2
+ },
+ "file_extension": ".py",
+ "mimetype": "text/x-python",
+ "name": "python",
+ "nbconvert_exporter": "python",
+ "pygments_lexer": "ipython2",
+ "version": "2.7.13"
+ }
+ },
+ "nbformat": 4,
+ "nbformat_minor": 2
+}
diff --git a/doc/notebooks/tls/raw_data/pki/ca_cert.der b/doc/notebooks/tls/raw_data/pki/ca_cert.der
new file mode 100644
index 0000000000000000000000000000000000000000..ff9ea20b33a1364e4c6d8372171bd2e6116f306b
Binary files /dev/null and b/doc/notebooks/tls/raw_data/pki/ca_cert.der differ
diff --git a/doc/notebooks/tls/raw_data/pki/ca_key.der b/doc/notebooks/tls/raw_data/pki/ca_key.der
new file mode 100644
index 0000000000000000000000000000000000000000..675124e9cd231adc79362bba7e21632240ad780d
Binary files /dev/null and b/doc/notebooks/tls/raw_data/pki/ca_key.der differ
diff --git a/doc/notebooks/tls/raw_data/pki/srv_cert.pem b/doc/notebooks/tls/raw_data/pki/srv_cert.pem
new file mode 100644
index 0000000000000000000000000000000000000000..e559f326c9002c52b00263b16acc4bafb72dd194
--- /dev/null
+++ b/doc/notebooks/tls/raw_data/pki/srv_cert.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDnjCCAoagAwIBAgIJAP4EVw3HJ+n2MA0GCSqGSIb3DQEBCwUAMFQxCzAJBgNV
+BAYTAk1OMRQwEgYDVQQHDAtVbGFhbmJhYXRhcjEXMBUGA1UECwwOU2NhcHkgVGVz
+dCBQS0kxFjAUBgNVBAMMDVNjYXB5IFRlc3QgQ0EwHhcNMTYwOTE2MTAyODExWhcN
+MjYwOTE1MTAyODExWjBYMQswCQYDVQQGEwJNTjEUMBIGA1UEBwwLVWxhYW5iYWF0
+YXIxFzAVBgNVBAsMDlNjYXB5IFRlc3QgUEtJMRowGAYDVQQDDBFTY2FweSBUZXN0
+IFNlcnZlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMzx8ZtgLWCu
+8pgNJynZwAlZTA9KMKhS3+WxIZ9Pwz1Wk91fxvez9lWL55Li3vKFSbShLPT9dqhn
+ygQgYBEYpvKptqYd2arl2duv5q9VV5//Uoll5oBigCGUvM+BG8tnwp21BXcEpseI
+GIB4aJU23pcbtmGHQhp1mEWC6z4yEcibhkI5jU0St1gbGfOdK6GYgsrXOyT7CTmw
+vMKVz4IpdRYpP0IgFytNQIxWbK26DzSFsX9AeXF4t6UEu5T3tUGV7nzrjQx5aFnv
+y7P6Pnge7mdMet3gme/a5++yCV2+gCAhBYMsRNtdKnYppbAjiHQHVCLWKXqS9W8t
+nuf4JiucWGUCAwEAAaNvMG0wCQYDVR0TBAIwADALBgNVHQ8EBAMCBeAwHQYDVR0O
+BBYEFKErIHDSa4DlZbzrAw+In3St3fYTMB8GA1UdIwQYMBaAFGZTlPQV0b1naLBR
+NzI14aSq3gd8MBMGA1UdJQQMMAoGCCsGAQUFBwMBMA0GCSqGSIb3DQEBCwUAA4IB
+AQCBiJJza5PnldbdQe6OHr2jSFinQTU/e33QN5gOuCyUd8hRNkCtWQkoyFbW6lus
+tNg/aLdmyuFWN6kAZepRyeyyaUld+ePA7WFUyRKfxrAKc1XoVTVg7xw28NrRkHdW
+BLirOO73CcWlmJAj6h/bFX8yKIGrm4UCS5XnN1F7G0gu+z5Sow20RqmSOhwf1woe
+WEr6LlGPKcYeuA4xDnPxJ4gXyshpDPqDzbN5DhSwuJsvOi0J4/wG8Dpu/TY7KxoJ
+KuirX4xA5IGyvPeDZxFuTpPqIq//o5p3V3bQCzis+IqUNY7X1GHMAf8ktI9hI7qI
+11nk6boqTrUVD5zQ6gaR2d6r
+-----END CERTIFICATE-----
diff --git a/doc/notebooks/tls/raw_data/pki/srv_key.pem b/doc/notebooks/tls/raw_data/pki/srv_key.pem
new file mode 100644
index 0000000000000000000000000000000000000000..62248e3e46310d661e486f585d706630308f7df1
--- /dev/null
+++ b/doc/notebooks/tls/raw_data/pki/srv_key.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDM8fGbYC1grvKY
+DScp2cAJWUwPSjCoUt/lsSGfT8M9VpPdX8b3s/ZVi+eS4t7yhUm0oSz0/XaoZ8oE
+IGARGKbyqbamHdmq5dnbr+avVVef/1KJZeaAYoAhlLzPgRvLZ8KdtQV3BKbHiBiA
+eGiVNt6XG7Zhh0IadZhFgus+MhHIm4ZCOY1NErdYGxnznSuhmILK1zsk+wk5sLzC
+lc+CKXUWKT9CIBcrTUCMVmytug80hbF/QHlxeLelBLuU97VBle58640MeWhZ78uz
++j54Hu5nTHrd4Jnv2ufvsgldvoAgIQWDLETbXSp2KaWwI4h0B1Qi1il6kvVvLZ7n
++CYrnFhlAgMBAAECggEAIPA9uZAimuhjOwbaJYLGt3nvnIF7AoKXU449biJeqawR
+hcHP852r2KHsrRHjbSz45JwG4rUd7gEIWdNuPTEuG9Ak99vSUQIyGnnR5JodxCw/
+8q869aVfHIaQNfV1JyLdB4XBhBhuSaFY9sTjYh/4dGbS0Cfx+titiXZ6InvfmdMD
+eLd/ZO35/BwtWN3J2ntRziTTREKLeEYFEe7FtXKGwDGIsvVn7egckefKMnflhMFA
+SuoPn2VvTqmhiwSuATdx1TP4XOVdVzuL2wT7brS7qHvabRDBKdVOfrNGOoMdnnua
+ursIQjQindNT8kVK8EGxws9eFr/dooYYFR72IusTfQKBgQDuQBzzKEtt86uRCbZX
+Y3lu0MJnR5OOodfGBBYF9Ue+W3OJTd9EvXLSgLBLvwirB7lsNXgXf8LHCTQOtF3H
+lnB8jE5OFSDGeSKWmUwZS+KVzq8vy7Qylp9i6x4pElwGUeba6AqeZZ+jUUn/HzdB
+s2pO8YWqyOp/Zo/m8P+vPZN4fwKBgQDcNqJ4Dutt/i60E9kaktGQVQODRNMhYCEq
+E5fhwJiZ0E9FBeuKPKjo7dGIux3KPQPBv3T0zjmB+M5QERVe5/ID8iytgbHGlnsg
+916iTN9rvi1Gk518vyFPsYjX9pPiQIayRBQKOXSYIkY+6rj2384XPRlZrN8D9n3Q
++An1JXfdGwKBgDs3YjqpnD3i35S4BkMoLUl2x6rl5m4AGeJUp6ipc0CD+G57FXA/
+aieZ5rec7qmbzOFxVLz6e03/Ipo5CEoQQTsjoF7V74SFHSyzQ2/SJao4aeCGT+52
+83yhlah9sLO9bZShMep2tbvg+3RWrOQ+lMC0VRXCxE4QDtpGsjY7Jsk/AoGAPstV
+iOa4O6U/rBn8zpcPKxkS51u42MuQqW7s4HMLENFVyVjm0YR6pfEqztKMrB6584Wk
+1Cn6PBW2vx4f+fAqEvX7x340M2y1r7DaS22gSBjy0C1Hu0rFNPRrESo/AUVlI3BG
+RqQbm0YqwcYs+DjZi8bgc7HX5kljlzMjo8QLagECgYA1DHAWv4WVrHt4I8V4ZCth
+9DZEtEOFpYjuoFh/xSIMZLsnvWRuyYVWcQwAqmK0Ew4m5opHFsQzABeGLVsK5aHX
+zmbYiRUuZGVpyc7c5XXomw50X8ajfQ+P21OPPc33h96cdHi2qbJIejZPia6A6ThU
+u13D93hAM6bzH6Ds5FPUQw==
+-----END PRIVATE KEY-----
diff --git a/doc/notebooks/tls/raw_data/tls_session_13/01_cli.raw b/doc/notebooks/tls/raw_data/tls_session_13/01_cli.raw
new file mode 100644
index 0000000000000000000000000000000000000000..720269449ed53a57e3be98b3537bfca234f41849
Binary files /dev/null and b/doc/notebooks/tls/raw_data/tls_session_13/01_cli.raw differ
diff --git a/doc/notebooks/tls/raw_data/tls_session_13/02_srv.raw b/doc/notebooks/tls/raw_data/tls_session_13/02_srv.raw
new file mode 100644
index 0000000000000000000000000000000000000000..3c119721eb9aee2f65a4f1821acebad8bc381574
Binary files /dev/null and b/doc/notebooks/tls/raw_data/tls_session_13/02_srv.raw differ
diff --git a/doc/notebooks/tls/raw_data/tls_session_13/03_cli.raw b/doc/notebooks/tls/raw_data/tls_session_13/03_cli.raw
new file mode 100644
index 0000000000000000000000000000000000000000..b526cd708ef94f7f4bd08f1c7f5bcd3244e2e17a
Binary files /dev/null and b/doc/notebooks/tls/raw_data/tls_session_13/03_cli.raw differ
diff --git a/doc/notebooks/tls/raw_data/tls_session_13/04_srv.raw b/doc/notebooks/tls/raw_data/tls_session_13/04_srv.raw
new file mode 100644
index 0000000000000000000000000000000000000000..469e99d5d40558da0eb73c05841969fe1e86281c
Binary files /dev/null and b/doc/notebooks/tls/raw_data/tls_session_13/04_srv.raw differ
diff --git a/doc/notebooks/tls/raw_data/tls_session_13/05_srv.raw b/doc/notebooks/tls/raw_data/tls_session_13/05_srv.raw
new file mode 100644
index 0000000000000000000000000000000000000000..03253fcc3471d91403780324d5a60004632ed19f
Binary files /dev/null and b/doc/notebooks/tls/raw_data/tls_session_13/05_srv.raw differ
diff --git a/doc/notebooks/tls/raw_data/tls_session_13/06_cli.raw b/doc/notebooks/tls/raw_data/tls_session_13/06_cli.raw
new file mode 100644
index 0000000000000000000000000000000000000000..127631c031d78de9099c6e835267547a187f237a
Binary files /dev/null and b/doc/notebooks/tls/raw_data/tls_session_13/06_cli.raw differ
diff --git a/doc/notebooks/tls/raw_data/tls_session_13/07_srv.raw b/doc/notebooks/tls/raw_data/tls_session_13/07_srv.raw
new file mode 100644
index 0000000000000000000000000000000000000000..99f5f8dd12ef4bb5b70936cbc7de5c0f1a4f0d22
Binary files /dev/null and b/doc/notebooks/tls/raw_data/tls_session_13/07_srv.raw differ
diff --git a/doc/notebooks/tls/raw_data/tls_session_13/08_cli.raw b/doc/notebooks/tls/raw_data/tls_session_13/08_cli.raw
new file mode 100644
index 0000000000000000000000000000000000000000..7d2a14f107e444f3ab2bd5d8682635a05476e709
Binary files /dev/null and b/doc/notebooks/tls/raw_data/tls_session_13/08_cli.raw differ
diff --git a/doc/notebooks/tls/raw_data/tls_session_13/cli_key.raw b/doc/notebooks/tls/raw_data/tls_session_13/cli_key.raw
new file mode 100644
index 0000000000000000000000000000000000000000..46873d5457bd7a39dc16999f7840c89b391d6a17
--- /dev/null
+++ b/doc/notebooks/tls/raw_data/tls_session_13/cli_key.raw
@@ -0,0 +1 @@
+�úHÑSÉ�ÿØÿ���`¡6&]9Ÿ©ñ�-vmB¦ÈN
\ No newline at end of file
diff --git a/doc/notebooks/tls/raw_data/tls_session_compromised/01_cli.raw b/doc/notebooks/tls/raw_data/tls_session_compromised/01_cli.raw
new file mode 100644
index 0000000000000000000000000000000000000000..1b7959217c4e5640cfeb6177020a855149dd1ba8
Binary files /dev/null and b/doc/notebooks/tls/raw_data/tls_session_compromised/01_cli.raw differ
diff --git a/doc/notebooks/tls/raw_data/tls_session_compromised/02_srv.raw b/doc/notebooks/tls/raw_data/tls_session_compromised/02_srv.raw
new file mode 100644
index 0000000000000000000000000000000000000000..229cb52be866fa6775151b6466d9a9ad71e395bb
Binary files /dev/null and b/doc/notebooks/tls/raw_data/tls_session_compromised/02_srv.raw differ
diff --git a/doc/notebooks/tls/raw_data/tls_session_compromised/03_cli.raw b/doc/notebooks/tls/raw_data/tls_session_compromised/03_cli.raw
new file mode 100644
index 0000000000000000000000000000000000000000..ef4ce6902257758a5ae9f3b9311e9041cfa1d11d
Binary files /dev/null and b/doc/notebooks/tls/raw_data/tls_session_compromised/03_cli.raw differ
diff --git a/doc/notebooks/tls/raw_data/tls_session_compromised/04_srv.raw b/doc/notebooks/tls/raw_data/tls_session_compromised/04_srv.raw
new file mode 100644
index 0000000000000000000000000000000000000000..f79895556e75889b37e193041afbed76922118bb
Binary files /dev/null and b/doc/notebooks/tls/raw_data/tls_session_compromised/04_srv.raw differ
diff --git a/doc/notebooks/tls/raw_data/tls_session_compromised/05_cli.raw b/doc/notebooks/tls/raw_data/tls_session_compromised/05_cli.raw
new file mode 100644
index 0000000000000000000000000000000000000000..5093c28c63c276867dab0ac59eff575cb9ab24f6
Binary files /dev/null and b/doc/notebooks/tls/raw_data/tls_session_compromised/05_cli.raw differ
diff --git a/doc/notebooks/tls/raw_data/tls_session_protected/01_cli.raw b/doc/notebooks/tls/raw_data/tls_session_protected/01_cli.raw
new file mode 100644
index 0000000000000000000000000000000000000000..a9080e84312596711aaecdfc96d439cce2b757d1
Binary files /dev/null and b/doc/notebooks/tls/raw_data/tls_session_protected/01_cli.raw differ
diff --git a/doc/notebooks/tls/raw_data/tls_session_protected/02_srv.raw b/doc/notebooks/tls/raw_data/tls_session_protected/02_srv.raw
new file mode 100644
index 0000000000000000000000000000000000000000..54191d0b71f789f3c7ee2248162bfebe4809af77
Binary files /dev/null and b/doc/notebooks/tls/raw_data/tls_session_protected/02_srv.raw differ
diff --git a/doc/notebooks/tls/raw_data/tls_session_protected/03_srv.raw b/doc/notebooks/tls/raw_data/tls_session_protected/03_srv.raw
new file mode 100644
index 0000000000000000000000000000000000000000..282b5884e22a06bd76987d8e6abf2cd0f8deb4da
Binary files /dev/null and b/doc/notebooks/tls/raw_data/tls_session_protected/03_srv.raw differ
diff --git a/doc/notebooks/tls/raw_data/tls_session_protected/04_srv.raw b/doc/notebooks/tls/raw_data/tls_session_protected/04_srv.raw
new file mode 100644
index 0000000000000000000000000000000000000000..3af6ae2e34d7f69f3e1241ce87ada9b35756edc6
Binary files /dev/null and b/doc/notebooks/tls/raw_data/tls_session_protected/04_srv.raw differ
diff --git a/doc/notebooks/tls/raw_data/tls_session_protected/05_cli.raw b/doc/notebooks/tls/raw_data/tls_session_protected/05_cli.raw
new file mode 100644
index 0000000000000000000000000000000000000000..8033eecc5738acb53b132c0016fe2e668b5a1cf2
Binary files /dev/null and b/doc/notebooks/tls/raw_data/tls_session_protected/05_cli.raw differ
diff --git a/doc/notebooks/tls/raw_data/tls_session_protected/06_srv.raw b/doc/notebooks/tls/raw_data/tls_session_protected/06_srv.raw
new file mode 100644
index 0000000000000000000000000000000000000000..0578729857509b62657c08daec09bbe2739d47ef
Binary files /dev/null and b/doc/notebooks/tls/raw_data/tls_session_protected/06_srv.raw differ
diff --git a/doc/notebooks/tls/raw_data/tls_session_protected/07_cli.raw b/doc/notebooks/tls/raw_data/tls_session_protected/07_cli.raw
new file mode 100644
index 0000000000000000000000000000000000000000..133d484b61b06373c1fb02ebab50d8a761f001b9
Binary files /dev/null and b/doc/notebooks/tls/raw_data/tls_session_protected/07_cli.raw differ