Cryptography Reference
In-Depth Information
following the SSL Handshake Protocol. Key derivation is a suitable technique
for key generation because:
• it is a lightweight key generation technique, which does not impose significant
overheads;
• it allows several different session keys to be established from just one shared
secret;
• as the SSL Handshake Protocol is relatively expensive to run (it requires the use
of public-key cryptography), the shared master secret can be used to establish
several batches of session keys, should this be desirable.
However, the generation of the master secret does rely on the client being
able to randomly generate a pre-master secret. Should the client fail to do
this securely using a suitable technique (see Section 8.1) then the subsequent
generation of all the SSL session keys could be compromised.
The key lengths used in SSL are all negotiable and part of the cryptographic
algorithm agreement process defined in the SSL Handshake Protocol.
KEY ESTABLISHMENT
The most important key establishment process in SSL is the establishment of
the pre-master secret during the SSL Handshake Protocol. Probably the most
common technique for conducting this is to use RSApublic-key encryption during
the protocol message
Pre-master Secret Transfer
. However, a variant based on
Diffie-Hellman is also supported by SSL.
KEY STORAGE
Key storage is beyond the scope of SSL, but it relies on both the client and the
server securely storing relevant secret keys. The most sensitive keys to store are the
private keys, since they are relied upon across multiple SSL sessions. In contrast,
the symmetric keys negotiated during the SSL Handshake Protocol are only used
for a relatively short period of time. Nonetheless, if they are compromised then
so are any sessions that they are used to protect.
KEY USAGE
One of the interesting design aspects of SSL is how it embraces the principle of
key separation, discussed in Section 10.6.1. Separate encryption and MAC keys
are derived from the master secret, which are then used to establish the secure
channel. However, SSL takes this principle a step further by deploying separate
keys for each communication direction, which provides security against reflection
attacks (see Section 9.3.4). The cost of this is low because these separate keys are
derived from the common master secret.
However, largely for convenience, SSL also abuses the principle of key
separation. The master secret
K
M
is used not only as a key derivation key, but
also as a MAC key. This is a good example of pragmatism in adoption of the
principle of key separation. It is enforced for the vulnerable session keys that will
