Category: Pseudorandom permutations
Updating TLS secrets – Secrets and Keys in TLS 1.3
12.4 Updating TLS secrets
At any time after a successful handshake, Alice and Bob can update their application traffic keys using the KeyUpdate message. They accomplish this by first deriving new secrets server_application_traffic_secret_N+1 and client_application_traffic_secret_N+1 using the HKDF-Expand-Label function HEL as shown in Figure 12.13. After that, new application traffic keys are computed using a…
Cryptographic negotiation – Secrets and Keys in TLS 1.3
12.6.1 Cryptographic negotiation
Bob, the client, starts cryptographic negotiation by sending the ClientHello message to Alice, the server. This message contains the information about Bob’s cryptographic capabilities. The first piece of information in ClientHello is a list of Authenticated Encryption with Associated Data (AEAD) algorithms and HKDFs that Bob can compute. We will have more…
ClientHello 2 – Secrets and Keys in TLS 1.3
Listing 12.2: ClientHello message structure

uint16 ProtocolVersion;
opaque Random[32];
uint8 CipherSuite[2];    /* Cryptographic suite selector */

struct {
    ProtocolVersion legacy_version = 0x0303;    /* TLS v1.2 */
    Random random;
    opaque legacy_session_id<0..32>;
    CipherSuite cipher_suites<2..2^16-2>;
    opaque legacy_compression_methods<1..2^8-1>;
    Extension extensions<8..2^16-1>;
} ClientHello;

It turned out, however, that the implementation of TLS version negotiation was flawed in many TLS servers. As a result, servers would reject a well-formed ClientHello message…
TLS client state machine – TLS Handshake Protocol Revisited
13.1 TLS client state machine
Appendix A of RFC 8446, the IETF specification of TLS 1.3, summarizes valid states and state transitions for TLS 1.3 server and client. The client state machine is shown in Figure 13.1. Labels in square brackets indicate actions the client performs only under specific circumstances. Label k = x indicates…
The NewSessionTicket message – TLS Handshake Protocol Revisited
13.5.1 The NewSessionTicket message
Any time after receiving Bob’s Finished message, Alice can send a NewSessionTicket message. NewSessionTicket creates a unique link between the value of the ticket and the secret pre-shared key that is derived from resumption_master_secret (see Section 12.2, TLS secrets, in Chapter 12, Secrets and Keys in TLS 1.3, for more details).…
Using openssl-s_client – TLS Handshake Protocol Revisited
13.6.2 Using openssl-s_client
Now that we have a working OpenSSL installation, let’s look at selected openssl-s_client options for performing basic TLS operations with this tool. Connecting to a TLS server is done by executing the following command:

# openssl s_client -connect servername:443

As an example, to connect to the Packt web server using TLS, you…
TLS experiments with openssl-s_client – TLS Handshake Protocol Revisited
13.6.3 TLS experiments with openssl-s_client
So, what kind of experiments can we do using openssl-s_client to better understand how TLS works under the hood? Well, we could start by looking into the protocol messages of an actual TLS session. As an example, we could perform a TLS handshake with the Packt web server: # openssl…
General principles – Block Ciphers and Their Modes of Operation
14.2 General principles
A block cipher is an encryption function e_k that maps plaintext blocks of fixed size b onto ciphertext blocks of the same size b: As indicated by the subscript k, a block cipher is a symmetric algorithm, taking a shared key k ∈ 𝒦 as a parameter, where 𝒦 is the keyspace (see…
Substitution-permutation networks and Feistel networks – Block Ciphers and Their Modes of Operation
14.2.5 Substitution-permutation networks and Feistel networks
Modern block ciphers are often constructed as iterated functions, where a so-called round function f_k : {0,1}^b → {0,1}^b is repeatedly applied on the plaintext m, with varying round keys k_1, k_2, …, k_r. More formally, we can write this process as or even where ○ stands for the composition of functions. Figure…
Nothing-up-my-sleeves numbers – Block Ciphers and Their Modes of Operation
14.2.8 Nothing-up-my-sleeves numbers
To avoid the risk of backdoors, cryptographers prefer so-called Nothing-up-My-Sleeves (NUMS) numbers to be used as constants or initialization values. Simply put, a NUMS number is any number whose origin is easy to explain. That is, it is easy to explain how the number was chosen. Figuratively, the NUMS concept is analogous…