Session Key Negotiation

Ian G iang at systemics.com
Fri Dec 2 13:40:09 EST 2005


Will Morton wrote:
> I am designing a transport-layer encryption protocol, and obviously wish
> to use as much existing knowledge as possible, in particular TLS, which
> AFAICT seems to be the state of the art.
> 
> In TLS/SSL, the client and the server negotiate a 'master secret' value
> which is passed through a PRNG and used to create session keys.
> 
> My question is: why does this secret need to be negotiated?  Why can one
> side or another (preference for client) not just pick a secret key and
> use that?
> 
> I guess that one reason would be to give both sides some degree of
> confidence over the security in the key.  Is this true, and if so is it
> the only reason?

One reason is that one side or the other might have
a screwed implementation.  For example, an RNG that
spits out zeroes.

Another reason is that one side or other might have
reasons for screwing the key deliberately;  a server
might for example fix its key so that it can be
listened to outside.  If a simple XOR is negotiated,
then the server could always choose its part to
XOR to a certain value.  This is plausible if a
server operator has "done a deal" to reveal to an
eavesdropper, but doesn't want to reveal its private
key.  (I suspect the newer ciphersuites in TLS may
have been motivated by this.)

Hence, slop in lots of random from both sides, and
hash the result, so you have at least the key space
of the one side that is behaving well.

iang
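
The XOR-versus-hash point in Ian's reply, written out as an added example (this is not code from the original message or from any TLS implementation; the 32-byte share length, SHA-256 as the combiner and the HMAC-based key expansion are my assumptions). It shows that a server which sees the client's contribution first can steer an XOR-combined master secret to any value it likes, that the same attempt against a hashed combination only succeeds by luck, and that a client whose RNG "spits out zeroes" still ends up with a master secret carrying the honest server's randomness:

```python
import hashlib
import hmac
import os

SHARE_LEN = 32  # bytes of random contributed by each side (assumed)


def xor_combine(client_share: bytes, server_share: bytes) -> bytes:
    """Naive combiner: master = client_share XOR server_share."""
    assert len(client_share) == len(server_share) == SHARE_LEN
    return bytes(a ^ b for a, b in zip(client_share, server_share))


def hash_combine(client_share: bytes, server_share: bytes) -> bytes:
    """Combiner the reply recommends: hash both contributions together."""
    assert len(client_share) == len(server_share) == SHARE_LEN
    return hashlib.sha256(client_share + server_share).digest()


def steer_xor(client_share: bytes, target: bytes) -> bytes:
    """A server that 'fixes its key': having seen the client's share, it
    returns the share that makes xor_combine() come out as `target`."""
    return bytes(a ^ t for a, t in zip(client_share, target))


def steer_hash(client_share: bytes, target: bytes, attempts: int = 100_000):
    """The same attempt against hash_combine(): the only option is to try
    shares until the digest matches. Returns the share if found, else None."""
    for _ in range(attempts):
        candidate = os.urandom(SHARE_LEN)
        if hash_combine(client_share, candidate) == target:
            return candidate
    return None


def derive_session_keys(master: bytes, label: bytes, n_keys: int, key_len: int = 16):
    """Expand the master secret into session keys with an HMAC-based PRF
    (same shape as a TLS-style PRF, simplified; a constructed example)."""
    out, block, counter = b"", b"", 0
    while len(out) < n_keys * key_len:
        counter += 1
        block = hmac.new(master, block + label + bytes([counter]), hashlib.sha256).digest()
        out += block
    return [out[i * key_len:(i + 1) * key_len] for i in range(n_keys)]


def demo():
    client_share = os.urandom(SHARE_LEN)
    wanted = b"\xAA" * SHARE_LEN  # the value a colluding server wants to land on

    # XOR: the server picks its share last and gets exactly the master it wanted.
    rigged = steer_xor(client_share, wanted)
    print("xor steered   :", xor_combine(client_share, rigged) == wanted)

    # Hash: the server can only guess; with a 256-bit digest it will not get there.
    print("hash steered  :", steer_hash(client_share, wanted, attempts=10_000) is not None)

    # Broken client RNG: all zeroes. The hashed master still changes with
    # every honest server share, i.e. it keeps the server's key space.
    broken_client = b"\x00" * SHARE_LEN
    m1 = hash_combine(broken_client, os.urandom(SHARE_LEN))
    m2 = hash_combine(broken_client, os.urandom(SHARE_LEN))
    print("zero-RNG client, masters differ:", m1 != m2)

    # Master secret -> session keys, one per direction.
    c2s, s2c = derive_session_keys(m1, b"key expansion", 2)
    print("client->server key:", c2s.hex())
    print("server->client key:", s2c.hex())


if __name__ == "__main__":
    demo()
```

The XOR combiner is not weak because XOR is weak as a mixing function; it is weak because it is invertible, so whoever speaks last can solve for the share that produces a chosen result. Hashing the concatenation removes that: either party can still lower the entropy of its own contribution, but it cannot pick the output.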

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com