In TLS / SSL, what is the purpose of setting from secrecy to secrecy and then to encrypt keys?

Why don't client and server just exchange encryption keys directly using public key encryption or DH key exchange? What is the rationale for this or what problem should be solved?

+3


source to share


4 answers


It is helpful to understand how keys are produced in modern SSL / TLS. In early versions of SSL (like SSLv2) it was a little different.

master_secret

is a shared secret shared between client and server. It is used to get session-specific keys. master_secret

outputs other parameters (discussed below).

There are 6 secrets derived from master_secret

:

  • Client encryption key
  • Server encryption key
  • Client MAC key
  • Server MAC address
  • Client IV
  • Server IV

Assuming neither eNULL

is nor is aNULL

it used, the client and server use an encryption key for privacy and an HMAC key for authenticity. Each (client and server) has its own key.

While IVs are generally considered public, SSL / TLS treats them as secret parameters.

From RFC 5246 it master_secret

is deduced as:

master_secret = PRF(pre_master_secret, "master secret",
                    ClientHello.random + ServerHello.random)
                    [0..47];

      

pre_master_secret

comes from a key agreement or key transfer. If this is consistent with the core agreement, it pre_master_secret

is the result of a Diffie-Hellman agreement. In an agreement scheme, both parties contribute to a derived secret.

If it pre_master_secret

comes from the key transfer scheme, the client encrypts the random value under the server's public key. In this scheme, only the client provides material for key entry. When only one party provides a key, it is called a key transport scheme.




What is the rationale for this or what problem should he solve?

The first stage, which is used pre_master_secret

, provides a "pluggable" architecture for key agreement or key transfer.

The second stage, which is deduced master_secret

, ensures that both the client and the server contribute material for the keys.

In addition, there is a label - the "top secret" - this helps to ensure that the derivation is unique, even if the same parameters are used for something else (assuming the other pin uses a different label). The use of labels is discussed in SP800-56 and SP800-57 (among other places).

The hash used in the second step, where inferred master_secret

, serves two functions. First, it has a mixing function. Second, it maps the items in the group used by a key exchange or key agreement to random bit patterns.

The final stage is the output of 6 keys from master_secret

. According to 6.3. Key computation, inference does not provide key independence. It just provides interoperability:

   To generate the key material, compute

      key_block = PRF(SecurityParameters.master_secret,
                      "key expansion",
                      SecurityParameters.server_random +
                      SecurityParameters.client_random);

   until enough output has been generated.  Then, the key_block is
   partitioned as follows:

      client_write_MAC_key[SecurityParameters.mac_key_length]
      server_write_MAC_key[SecurityParameters.mac_key_length]
      client_write_key[SecurityParameters.enc_key_length]
      server_write_key[SecurityParameters.enc_key_length]
      client_write_IV[SecurityParameters.fixed_iv_length]
      server_write_IV[SecurityParameters.fixed_iv_length]

      

The above steps are solid construction. However, when used in SSL / TLS, there are many devils around. For example, the above is not enough when a feature is added such as rewiring (triple handshake ftw attack!).

+9


source


I believe the reason is that if the client just picked a random number to use as a symmetric key and encrypted it using the server's public key to send to the server, there could be a potential vulnerability if regular clients used an imperfect random number generator, resulting in predictable symmetrical keys, making it much easier to disconnect.



The actual key exchange protocol ensures that the symmetric key contains randomized items from both the client and the server. This means that even if the client has an imperfect random number generator, the connections are still secure if the server's random number generator is cryptographically strong. Even if the client and server random number generators have weaknesses, attacking a combination of the two is likely to be more expensive than using only the client random number generator.

0


source


The rationale is that if the private key is never exchanged, it can never be discovered. Keyed algiorites are known to be safe. The encryption is only as secure as its key.

0


source


pre-master key to master key: one random random is not really random, but a 2-sided random number 3 times can be really random.

master key for 6 key pairs: 2 for encryption, 2 for verifying message integration, and 2 for preventing CBC attack

0


source







All Articles