Finished message – TLS Handshake Protocol Revisited
13.3 Finished message
Bob’s Finished is the final message in the TLS handshake protocol. This message authenticates the handshake as well as the secret shared keys that Alice and Bob agreed upon.
Both Alice and Bob (when he receives Alice’s Finished message while in state WF ) verify the correctness of this message’s contents and immediately terminate the TLS handshake with decrypt˙error if the verification fails.
After Alice and Bob transmitted their Finished messages and successfully verified the received Finished message, they can send and receive application data over the secure channel established using the TLS handshake.
Alternatively, Alice and Bob may transmit data before receiving the peer’s Finished message in the following situations:
- Bob sends 0-RTT data.
- Alice sends application data after sending her first flight, that is, after her ServerHello message. However, since the TLS handshake is incomplete, she has no assurance of Bob’s identity or liveness—that is, the ClientHello message could have been replayed—and Bob does not have these guarantees regarding Alice.
The shared secret key for computing the Finished message is derived from the BaseKey using the HKDF function. More precisely, the key for the Finished message is computed as shown in Listing 13.1.
Listing 13.1: Computation of the key for the Finished message
finished_key = HKDF-Expand-Label(BaseKey, “finished”, “”, Hash.length)
The structure of the Finished message is shown in Listing 13.2. The value of verify˙data is computed as:
verify_data} = HMAC(finished_key, Transcript-Hash(Handshake Context, Certificate*, CertificateVerify*))
where Certificate and CertificateVerify are only included if they are present.
Listing 13.2: Structure of the Finished message
struct {
opaque verify_data[Hash.length];
} Finished;
Any data transmitted after the Finished message is encrypted using the corresponding application traffic shared secret key. This also includes all alert messages sent by Alice in response to Bob’s Certificate and CertificateVerify messages.
13.4 Early data
Bob has to send an EndOfEarlyData message upon receiving Alice’s Finished message if Alice sent early˙data in her EncryptedExtensions message.
If Alice did not send the early˙data in the EncryptedExtensions, then Bob does not send the EndOfEarlyData message. EndOfEarlyData indicates that all 0-RTT application˙data messages – if any were sent – were successfully transmitted and the following messages are secured using the handshake traffic keys.
13.5 Post-handshake messages
In TLS 1.3, Alice and Bob can send further messages after their main handshake. These post-handshake messages have the handshake content type and are encrypted under the corresponding application traffic key.