Cryptography Reference
In-Depth Information
Now the only thing left to do is to turn the master secret into a set of keys.
The amount, and even the type, of keying material needed depends on the
cipher suite. If the cipher suite uses SHA-1 HMAC, the MAC requires a 20-byte
key; if MD5, it requires a 16-byte key. If the cipher suite uses DES, it requires an
8-byte key; if AES-256, it requires a 32-byte key. If the encryption algorithm uses
CBC, initialization vectors are needed; if the algorithm is a stream algorithm,
no initialization vector is involved.
Rather than build an enormous switch/case statement for each possibility,
defi ne a
CipherSuite
structure as in Listing 6-39.
Listing 6-39:
“tls.h” CipherSuite structure
typedef struct
{
CipherSuiteIdentifier id;
int block_size;
int IV_size;
int key_size;
int hash_size;
void (*bulk_encrypt)( const unsigned char *plaintext,
const int plaintext_len,
unsigned char ciphertext[],
void *iv,
const unsigned char *key );
void (*bulk_decrypt)( const unsigned char *ciphertext,
const int ciphertext_len,
unsigned char plaintext[],
void *iv,
const unsigned char *key );
void (*new_digest)( digest_ctx *context );
}
CipherSuite;
This includes everything you need to know about a cipher suite; by now,
the utility of declaring the encrypt, decrypt, and hash functions with identical
signatures in the previous chapters should be clear. Now, for each supported
cipher suite, you need to generate a
CipherSuite
instance and index it as shown
in Listing 6-40.
Listing 6-40:
“tls.c” cipher suites list
static CipherSuite suites[] =
{
{ TLS_NULL_WITH_NULL_NULL, 0, 0, 0, 0, NULL, NULL, NULL },
{ TLS_RSA_WITH_NULL_MD5, 0, 0, 0, MD5_BYTE_SIZE, NULL, NULL, new_md5_digest },
{ TLS_RSA_WITH_NULL_SHA, 0, 0, 0, SHA1_BYTE_SIZE, NULL, NULL, new_sha1_digest },
{ TLS_RSA_EXPORT_WITH_RC4_40_MD5, 0, 0, 5, MD5_BYTE_SIZE, rc4_40_encrypt,
Search WWH ::
Custom Search