Cryptography Reference
In-Depth Information
likely to be performed at the application layer, perhaps by using a password-based
mechanism (see, for example, Section 12.4.4).
However, there are some applications of SSL, particularly in closed
environments, where it may be useful to provide mutual entity authentication. In this
case the simple SSL Handshake Protocol can be modified by adding an extra
message from the client to the server after the message Pre-master Secret Transfer,
as follows:
Client Authentication Data: The client sends a copy of its public-key certificate to
the server. The public key in this certificate is used as a verification key. The
certificate includes any details of the certificate chain required for verification.
In addition, the client hashes all the protocol messages so far and digitally signs
the hash using the client's signature key.
The server should now check that the client's public-key certificate (chain) is
valid. The server should also verify the client's digital signature. If these checks
are successful then the server has entity authentication assurance of the client by
the following argument:
1. The entity who sent the Client Authentication Data message must know the
signature key corresponding to the public key in the client's certificate, since the
digital signature verified correctly.
2. The only entity who knows the signature key is the genuine client, since the
public-key certificate provided by the client was checked and found to be
valid.
3. The client is currently 'alive' because the digital signature was computed on a
hash of some data that included the fresh pseudorandom value r_S generated
by the server, and thus cannot be a replay.
SSL RECORD PROTOCOL
The SSL Record Protocol is the protocol used to instantiate the secure channel
after the SSL Handshake Protocol has successfully completed. Before running
the SSL Record Protocol, both the client and the server derive the cryptographic
data that they will need to secure the session. This includes symmetric session
keys for encryption, symmetric MAC keys and any required IVs. These are
all generated using a key derivation function to compute a key block. This key
derivation function uses K_M as a key and takes as input, amongst other data, r_C
and r_S. The key block is then 'chopped up' to provide the necessary cryptographic
data. In particular, the following four symmetric keys are extracted from the
key block:
K_ECS for symmetric encryption from the client to the server;
K_ESC for symmetric encryption from the server to the client;
K_MCS for MACs from the client to the server;
K_MSC for MACs from the server to the client.
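
The key-block step described above, as an added example that is not from the original text. The text does not specify the key derivation function, so this sketch substitutes a TLS 1.2-style HMAC-SHA256 expansion; the key sizes, the ordering within the block and the names `IV_CS` and `IV_SC` are assumptions.

```python
import hashlib
import hmac


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2-style P_hash: chain HMAC outputs until `length` bytes exist."""
    out = b""
    a = seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()  # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


# Assumed layout (not from the text): HMAC-SHA256 MAC keys, AES-128 keys, 16-byte IVs.
LAYOUT = [("K_MCS", 32), ("K_MSC", 32), ("K_ECS", 16), ("K_ESC", 16),
          ("IV_CS", 16), ("IV_SC", 16)]


def derive_session_keys(k_m: bytes, r_c: bytes, r_s: bytes) -> dict:
    """Compute the key block from K_M, r_C and r_S, then chop it up."""
    total = sum(size for _, size in LAYOUT)
    # K_M keys the KDF; both fresh random values are mixed into the seed,
    # so every session yields a different key block even if K_M repeated.
    key_block = p_sha256(k_m, b"key expansion" + r_s + r_c, total)
    keys, offset = {}, 0
    for name, size in LAYOUT:
        keys[name] = key_block[offset:offset + size]
        offset += size
    return keys


if __name__ == "__main__":
    # Constructed sample values, for illustration only.
    k_m = bytes(range(48))
    r_c = b"\x01" * 32
    r_s = b"\x02" * 32
    for name, key in derive_session_keys(k_m, r_c, r_s).items():
        print(f"{name}: {key.hex()}")
```

Client and server each run the same derivation on their own copies of K_M, r_C and r_S, so they arrive at identical keys, with separate keys for each direction and each purpose.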