Category: TLS server state machine
Updating TLS secrets – Secrets and Keys in TLS 1.3
12.4 Updating TLS secrets At any time after a successful handshake, Alice and Bob can update their application traffic keys using the KeyUpdate message. They accomplish this by first deriving new secrets server_application_traffic_secret_N+1 and client_application_traffic_secret_N+1 using the HKDF-Expand-Label function HEL as shown in Figure 12.13. After that, new application traffic keys are computed using a…
ClientHello – Secrets and Keys in TLS 1.3
12.6.2 ClientHello According to the TLS specification, ClientHello must be the first message Bob sends to Alice. Bob must also send ClientHello if Alice has responded with a HelloRetryRequest message because of a mismatch in their cryptographic parameters. In the latter case, Bob must respond with the same ClientHello message, altering only specific parameter values. If HelloRetryRequest…
TLS server state machine – TLS Handshake Protocol Revisited
13.2 TLS server state machine The server state machine is shown in Figure 13.2. As with the client state machine, labels in square brackets indicate actions that the server performs only under specific circumstances. Figure 13.2: State machine and state transitions of a TLS 1.3 server. For server Alice, the TLS handshake is triggered by…
Post-handshake authentication – TLS Handshake Protocol Revisited
13.5.2 Post-handshake authentication If Bob sent the post_handshake_auth extension, Alice can ask Bob to authenticate himself any time after their handshake by sending Bob a CertificateRequest message. In that case, Bob must reply with the corresponding authentication messages: If Bob receives a CertificateRequest message without having sent the post_handshake_auth extension, Bob terminates the TLS session…
Using openssl-s_client – TLS Handshake Protocol Revisited
13.6.2 Using openssl-s_client Now that we have a working OpenSSL installation, let’s look at selected openssl-s_client options for performing basic TLS operations with this tool. Connecting to a TLS server is done by executing the following command: # openssl s_client -connect servername:443 As an example, to connect to the Packt web server using TLS, you…
The big picture – Block Ciphers and Their Modes of Operation
14.1 The big picture In the last part of the book, we covered in detail the TLS Handshake protocol and the cryptography needed to implement the main security objectives of the TLS Handshake protocol, namely entity authentication and key agreement. For the latter of these goals, public-key cryptography was needed; for the former, we used…
Confusion and diffusion – Block Ciphers and Their Modes of Operation
14.2.2 Confusion and diffusion What makes a good block cipher? Claude Shannon was perhaps the first to try and answer this question in a systematic way [162]. He defined two methods for frustrating a statistical analysis: A good block cipher will contain both components. In order to not give any hints about the plaintext statistics,…
Substitution-permutation networks and Feistel networks – Block Ciphers and Their Modes of Operation
14.2.5 Substitution-permutation networks and Feistel networks Modern block ciphers are often constructed as iterated functions, where a so-called round function f_k : {0,1}^b → {0,1}^b is repeatedly applied on the plaintext m, with varying round keys k_1, k_2, …, k_r. More formally, we can write this process as or even where ○ stands for the composition of functions. Figure…
Constants in cryptographic algorithms – Block Ciphers and Their Modes of Operation
14.2.6 Constants in cryptographic algorithms Specifications of cryptographic algorithms often contain constants. As an example, the SHA-2 family of hash functions specified in the FIPS 180-4 standard must set the initial hash value H^(0) before the computation of the SHA algorithm begins. The initial hash value for the SHA-224 function is composed of these eight…
Nothing-up-my-sleeves numbers – Block Ciphers and Their Modes of Operation
14.2.8 Nothing-up-my-sleeves numbers To avoid the risk of backdoors, cryptographers prefer so-called Nothing-up-My-Sleeves (NUMS) numbers to be used as constants or initialization values. Simply put, a NUMS number is any number whose origin is easy to explain. That is, it is easy to explain how the number was chosen. Figuratively, the NUMS concept is analogous…