Cryptography Reference
In-Depth Information
Creating Reproducible, Unpredictable Symmetric Keys with
Master Secret Computation
The client selects the premaster secret and sends it to the server (or agrees on it,
in the case of DH key exchange). The premaster secret is, as the name implies,
secret — in fact, it's really the only important bit of handshake material that's
hidden from eavesdroppers. However, the premaster secret itself isn't used as
a session key; this would open the door to replay attacks. The premaster secret
is combined with the
server random
and
client random
values exchanged earlier
in the handshake and then run through the PRF to generate the
master secret
,
which is used, indirectly, as the keying material for the symmetric encryption
algorithms and MACs that actually protect the data in transit.
Given, for example, a premaster secret
030102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e
1f202122232425262728292a2b2c2d2e2f
a client random
4af0a38100000000000000000000000000000000000000000000000000000000
and a server random
4af0a3818ff72033b852b9b9c09e7d8045ab270eabc74e11d565ece018c9a5ec
you would compute the fi nal master secret from which the actual keys are
derived using — you guessed it — the PRF.
Remember that the PRF takes three parameters: a secret, a label, and a seed.
The premaster secret is the secret, the label is just the unimaginative text string
“master secret”
, and the seed is the client random and the server random
concatenated one after the other, client random fi rst.
The PRF is the XOR of the SHA-1 and the MD5 HMACs of the secret and
the label concatenated with the seed, expanded out iteratively. With the PRF
function defi ned above, master secret expansion is actually simple to code, as
in Listing 6-35.
Listing 6-35:
“tls.c” master secret computation
/**
* Turn the premaster secret into an actual master secret (the
* server side will do this concurrently) as specified in section 8.1:
* master_secret = PRF( pre_master_secret, “master secret”,
* ClientHello.random + ServerHello.random );
* ( premaster_secret, parameters );
* Note that, with DH, the master secret len is determined by the generator (p)
* value.
*/
static void compute_master_secret( const unsigned char *premaster_secret,
int premaster_secret_len,
TLSParameters *parameters )
Search WWH ::
Custom Search