Category: Confusion and diffusion
Updating TLS secrets – Secrets and Keys in TLS 1.3
12.4 Updating TLS secrets At any time after a successful handshake, Alice and Bob can update their application traffic keys using the KeyUpdate message. They accomplish this by first deriving new secrets server˙application˙traffic˙secret˙N+1 and client˙application˙traffic˙secret˙N+1 using the HKDF-Expand-Label function HEL as shown in Figure 12.13. After that, new application traffic keys are computed using a…
Read MoreExporter values – Secrets and Keys in TLS 1.3
12.5.1 Exporter values Exporter values are computed using the Derive-Secret DS and the HKDF-Expand-Label HEL functions as shown in Figure 12.15. The input secret can be either early˙exporter˙master˙secret or exporter˙master˙secret. Bob and Alice use early˙exporter˙master˙secret when they need an exporter for 0-RTT data. For all other cases, the TLS 1.3 standard requires them to use…
Read MoreHelloRetryRequest – Secrets and Keys in TLS 1.3
12.6.4 HelloRetryRequest If Alice receives a ClientHello message from Bob with a set of cryptographic parameters that Alice does not support or does not want to use, she responds with a HelloRetryRequest message. HelloRetryRequest has the same format as the ServerHello message, and the legacy˙version, legacy˙session˙id˙echo, cipher˙suite, legacy˙compression˙method message fields have the same meaning. Alice’s…
Read MoreTLS client state machine – TLS Handshake Protocol Revisited
13.1 TLS client state machine Appendix A of RFC 8446, the IETF specification of TLS 1.3, summarizes valid states and state transitions for TLS 1.3 server and client. The client state machine is shown in Figure 13.1. Labels in square brackets indicate actions the client performs only under specific circumstances. Label k = x indicates…
Read MoreTLS server state machine – TLS Handshake Protocol Revisited
13.2 TLS server state machine The server state machine is shown in Figure 13.2. Like with the client state machine, labels in square brackets indicate actions that the server performs only under specific circumstances. Figure 13.2: State machine and state transitions of a TLS 1.3 server For server Alice, the TLS handshake is triggered by…
Read MoreGeneral principles – Block Ciphers and Their Modes of Operation
14.2 General principles A block cipher is an encryption function eK that maps plaintext blocks of fixed size b onto ciphertext blocks of the same size b: As indicated by the subscript k, a block cipher is a symmetric algorithm, taking a shared key k ∈𝒦 as a parameter, where 𝒦 is the keyspace (see…
Read MoreConfusion and diffusion – Block Ciphers and Their Modes of Operation
14.2.2 Confusion and diffusion What makes a good block cipher? Claude Shannon was perhaps the first to try and answer this question in a systematic way [162]. He defined two methods for frustrating a statistical analysis: A good block cipher will contain both components. In order to not give any hints about the plaintext statistics,…
Read MorePseudorandom permutations – Block Ciphers and Their Modes of Operation
14.2.4 Pseudorandom permutations Simply put, a permutation is a function that rearranges the order of elements in a set. A random permutation is a permutation that is randomly chosen from all possible permutations for a given set. A pseudorandom permutation looks like a random permutation to any polynomial-time observer, but is actually a deterministic algorithm.…
Read MoreSubstitution-permutation networks and Feistel networks – Block Ciphers and Their Modes of Operation
14.2.5 Substitution-permutation networks and Feistel networks Modern block ciphers are often constructed as iterated functions, where a so-called round function fk : {0,1}b →{0,1}b is repeatedly applied on the plaintext m, with varying round keys k1,k2,…,kr. More formally, we can write this process as or even where ○ stands for the composition of functions. Figure…
Read MoreConstants in cryptographic algorithms – Block Ciphers and Their Modes of Operation
14.2.6 Constants in cryptographic algorithms Specifications of cryptographic algorithms often contain constants. As an example, the SHA-2 family of hash functions specified in the FIPS 180-4 standard must set the initial hash value H(0) before the computation of the SHA algorithm begins. The initial hash value for the SHA-224 function is composed of these eight…
Read More