Cryptography Reference
In-Depth Information
Dealing with Legacy Implementations: Exportable
Ciphers
Export-grade ciphers don't necessarily belong in a chapter called “advanced”
TLS; they're actually regressed. In 1999, when the TLS 1.0 specifi cation was
drafted, the U.S. government classifi ed cryptography as munitions, right along
with machine guns, hand grenades, rocket launchers, and thermonuclear
warheads. Exporting software capable of strong cryptography was subject to
the same regulations as weapons capable of killing millions of people. From the
perspective of the U.S. Department of Defense, this made a certain amount of
sense — if enemy combatants could communicate securely during wartime, it
was entirely possible that millions of American soldiers could be killed. Or at
least I assume that's what they must have been thinking.
Finally recognizing that foreign software developers could just as easily
develop and distribute secure software and that U.S. software developers were
actually being put at a global disadvantage, the U.S. government has since
relaxed its stance on export of strong cryptography. However,
export-grade
cryptography
— that is, weak cryptography — was a fi xed feature of SSL and
TLS. TLS 1.0 declares certain ciphers as
exportable
, and any software that met
U.S. export requirements at that time had to be certifi ed as only supporting
exportable cipher suites.
There's no reason to expend any signifi cant effort to support export-grade
ciphers, but you should be aware that they exist. The next two sections examine
briefl y, at a very high level, how export-grade SSL differs from domestic. If you
do happen to connect to an extremely old implementation that only supports
exportable ciphers, you may receive alert 60: export restriction. I recommend
simply refusing to connect to such a server.
Export-Grade Key Calculation
The main difference between exportable cipher suites and non-exportable — U.S.
customers only — cipher suites is in the key calculation. Remember that, in the
ordinary case, the key calculation routine fi rst fi gures out how much keying mate-
rial is needed and then runs the PRF to generate that much keying material from
the exchanged 48-byte master secret. In the case of export-grade cryptography, the
PRF was only allowed to generate fi ve bytes (!) for the read and write keys.
The initialization vectors don't come from the PRF expansion of the keying
material at all, but instead come from a PRF expansion of the text string “IV
block” and the two random values — the master secret isn't used in IV calcula-
tion at all. In code, this looks like Listing 8-34.
Search WWH ::
Custom Search