Finally, the client checks the MAC received from the server.
ANALYSIS OF THE SIMPLE SSL HANDSHAKE PROTOCOL
We now confirm exactly how the simple SSL Handshake Protocol achieves its
three main goals:
Agreement of cryptographic algorithms. This is achieved at the end of the second
protocol message, when the server informs the client which cipher suite has
been selected from the list provided by the client.
Entity authentication of the server. This relies on the following argument,
assuming that the protocol run has been successful and that all checks
(including certificate validity checks) have been correctly made:
1. The entity who sent the Server Finished message must know the master secret
K_M, since the final check was correct and relied on knowledge of K_M.
2. Any entity other than the client who knows K_M must also know the pre-master
secret K_P, since K_M is derived from K_P.
3. Any entity other than the client who knows K_P must know the private decryption
key corresponding to the public-key certificate sent in the message Server
Response, since this public key was used to encrypt K_P in the message Pre-master
Secret Transfer.
4. The only entity with the ability to use the private decryption key is the genuine
server, since the public-key certificate provided by the server in the message
Server Response was checked and found to be valid.
5. The server is currently 'alive' because K_M is derived from fresh pseudorandom
values (K_P and r_C) generated by the client and thus cannot be an old value.
Key establishment. SSL establishes several keys, as we will shortly discuss. These
are all derived from the master secret K_M, which is a value that is established
during the SSL Handshake Protocol. The master secret is derived from the
pre-master secret K_P, which is a value that only the client and the server know.
Note that the Client Finished and Server Finished messages also provide
retrospective data origin authentication of the entire message flow. This provides
assurance that none of the messages exchanged during the SSL Handshake
Protocol have been tampered with, which is particularly important since the
opening messages of the protocol have no cryptographic protection.
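The following Python model is an added illustration, not code from the book: it shows why the Finished MAC gives retrospective data origin authentication of the unprotected opening messages. It assumes a simplified HMAC-based master-secret derivation in place of SSL's real PRF, and treats the Pre-master Secret Transfer as already delivering K_P to the genuine server (the public-key encryption step is not modelled).

```python
import hashlib
import hmac
import os


def derive_master_secret(pre_master: bytes, r_c: bytes, r_s: bytes) -> bytes:
    # Simplified stand-in for SSL's master-secret derivation (assumption, not the
    # real PRF): K_M = HMAC(K_P, r_C || r_S). Fresh K_P and r_C make K_M fresh.
    return hmac.new(pre_master, r_c + r_s, hashlib.sha256).digest()


def finished_mac(master_secret: bytes, transcript: list, sender: bytes) -> bytes:
    # MAC under K_M over a hash of every handshake message this party has seen.
    # A party that saw a different message flow computes a different value.
    h = hashlib.sha256()
    for msg in transcript:
        h.update(msg)
    return hmac.new(master_secret, sender + h.digest(), hashlib.sha256).digest()


def run_handshake(client_suites: list, attacker_rewrite=None):
    # Returns (cipher suite the server selected, whether the server's check of
    # Client Finished passed). attacker_rewrite, if given, edits Client Hello on
    # the wire, which carries no cryptographic protection at that point.
    r_c = os.urandom(32).hex().encode()        # client nonce (hex, no ':' inside)
    k_p = os.urandom(48)                        # pre-master secret K_P
    client_hello = b"ClientHello:" + r_c + b":" + b",".join(client_suites)
    client_view = [client_hello]
    on_wire = attacker_rewrite(client_hello) if attacker_rewrite else client_hello
    server_view = [on_wire]
    offered = on_wire.split(b":", 2)[2].split(b",")
    r_s = os.urandom(32).hex().encode()
    selected = offered[0]                       # server picks its preferred suite
    server_response = b"ServerResponse:" + r_s + b":" + selected
    client_view.append(server_response)
    server_view.append(server_response)
    transfer = b"PreMasterSecretTransfer"       # K_P assumed to reach the server
    client_view.append(transfer)
    server_view.append(transfer)
    k_m_client = derive_master_secret(k_p, r_c, r_s)
    k_m_server = derive_master_secret(k_p, r_c, r_s)
    client_finished = finished_mac(k_m_client, client_view, b"client")
    # Server recomputes Client Finished over ITS OWN view of the message flow.
    expected = finished_mac(k_m_server, server_view, b"client")
    return selected, hmac.compare_digest(client_finished, expected)
```

Running the handshake with an in-transit rewrite of the client's cipher suite list makes the server select a suite the client never offered, and the mismatch between the two transcripts shows up as a failed Finished check.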
SSL HANDSHAKE PROTOCOL WITH CLIENT AUTHENTICATION
The simple SSL Handshake Protocol does not provide mutual entity authentication,
only entity authentication of the server. This is reasonable because many
applications do not require client authentication at the network layer where SSL
is deployed. For example, when a user purchases goods from an online store, the
merchant may not care about who they are communicating with, so long as they
get paid at the end of the transaction. In this scenario, client authentication is more