Category: HelloRetryRequest
Updating TLS secrets – Secrets and Keys in TLS 1.3
12.4 Updating TLS secrets At any time after a successful handshake, Alice and Bob can update their application traffic keys using the KeyUpdate message. They accomplish this by first deriving new secrets server˙application˙traffic˙secret˙N+1 and client˙application˙traffic˙secret˙N+1 using the HKDF-Expand-Label function HEL as shown in Figure 12.13. After that, new application traffic keys are computed using a…
Read MoreKey update – Secrets and Keys in TLS 1.3
12.5.3 Key update After the TLS handshake, both Alice and Bob can update their traffic keys at any point in time by sending the KeyUpdate message. Alice’s new traffic key is generated by deriving server˙application˙traffic˙secret˙N+1 from server˙application˙traffic˙secret˙N as follows:server_application_traffic_secret_N+1 = HKDF-Expand-Label(server_application_traffic_secret_N, “traffic upd”, “”, Hash.length) After that, the new traffic key is computed using the…
Read MoreHelloRetryRequest – Secrets and Keys in TLS 1.3
12.6.4 HelloRetryRequest If Alice receives a ClientHello message from Bob with a set of cryptographic parameters that Alice does not support or does not want to use, she responds with a HelloRetryRequest message. HelloRetryRequest has the same format as the ServerHello message, and the legacy˙version, legacy˙session˙id˙echo, cipher˙suite, legacy˙compression˙method message fields have the same meaning. Alice’s…
Read MoreThe NewSessionTicket message – TLS Handshake Protocol Revisited
13.5.1 The NewSessionTicket message Any time after receiving Bob’s Finished message, Alice can send a NewSessionTicket message. NewSessionTicket creates a unique link between the value of the ticket and the secret pre-shared key that is derived from resumption˙master˙secret (see Section 12.2, TLS secrets, in Chapter 12, Secrets and Keys in TLS 1.3, for more details).…
Read MorePost-handshake authentication – TLS Handshake Protocol Revisited
13.5.2 Post-handshake authentication If Bob sent the post˙handshake˙auth extension, Alice can ask Bob to authenticate himself any time after their handshake by sending Bob a CertificateRequest message. In that case, Bob must reply with the corresponding authentication messages: If Bob receives a CertificateRequest message without having sent the post˙handshake˙auth extension, Bob terminates the TLS session…
Read MoreOpenSSL s_client – TLS Handshake Protocol Revisited
13.6 OpenSSL s_client OpenSSL is an open source project implementing the OpenSSL software, a commercial-grade, feature-rich toolkit for cryptography and TLS [137]. OpenSSL’s technical decision making is governed by the OpenSSL Technical Committee (OTC) and the software is published under an Apache-style license, making it suitable for both non-commercial and commercial purposes. At the time…
Read MoreGeneral principles – Block Ciphers and Their Modes of Operation
14.2 General principles A block cipher is an encryption function eK that maps plaintext blocks of fixed size b onto ciphertext blocks of the same size b: As indicated by the subscript k, a block cipher is a symmetric algorithm, taking a shared key k ∈𝒦 as a parameter, where 𝒦 is the keyspace (see…
Read MoreConfusion and diffusion – Block Ciphers and Their Modes of Operation
14.2.2 Confusion and diffusion What makes a good block cipher? Claude Shannon was perhaps the first to try and answer this question in a systematic way [162]. He defined two methods for frustrating a statistical analysis: A good block cipher will contain both components. In order to not give any hints about the plaintext statistics,…
Read MorePseudorandom permutations – Block Ciphers and Their Modes of Operation
14.2.4 Pseudorandom permutations Simply put, a permutation is a function that rearranges the order of elements in a set. A random permutation is a permutation that is randomly chosen from all possible permutations for a given set. A pseudorandom permutation looks like a random permutation to any polynomial-time observer, but is actually a deterministic algorithm.…
Read MoreNothing-up-my-sleeves numbers – Block Ciphers and Their Modes of Operation
14.2.8 Nothing-up-my-sleeves numbers To avoid the risk of backdoors, cryptographers prefer so-called Nothing-up-My-Sleeves (NUMS) numbers to be used as constants or initialization values. Simply put, a NUMS number is any number whose origin is easy to explain. That is, it is easy to explain how the number was chosen. Figuratively, the NUMS concept is analogous…
Read More