Session Key Negotiation

Eric Rescorla ekr at rtfm.com
Wed Nov 30 11:06:04 EST 2005


Will Morton <macavity at well.com> writes:
> I am designing a transport-layer encryption protocol, and obviously wish
> to use as much existing knowledge as possible, in particular TLS, which
> AFAICT seems to be the state of the art.
>
> In TLS/SSL, the client and the server negotiate a 'master secret' value
> which is passed through a PRNG and used to create session keys.

May I ask why you don't just use TLS?


> My question is: why does this secret need to be negotiated?  Why can one
> side or another (preference for client) not just pick a secret key and
> use that?

Well, in TLS in RSA mode, the client picks the secret value (technical
term: PreMaster Secret) but both sides contribute randomness to ensure
that the Master Secret is unique. This is a clean way to
ensure key uniqueness and prevent replay attacks.

In DH mode, of course, both sides contribute shares, but that's
just how DH works.

-Ekr

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
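The mechanism Ekr describes above (client-chosen PreMaster Secret, both sides' random values mixed in so the Master Secret is unique per handshake) can be seen in a few lines of code. The following is an added illustration, not code from the mailing-list post; it implements the TLS 1.2 PRF from RFC 5246 (P_SHA256) rather than the MD5/SHA-1 PRF that TLS 1.0 used at the time of the thread, and the premaster secret and random values are constructed sample data, not captured from any real handshake.

```python
import hmac
import os

# TLS 1.2 data-expansion function P_<hash> (RFC 5246, section 5).
# A(0) = seed, A(i) = HMAC(secret, A(i-1)); output is the concatenation of
# HMAC(secret, A(i) + seed) for i = 1, 2, ... truncated to `length` bytes.
def p_hash(secret: bytes, seed: bytes, length: int, hash_name: str = "sha256") -> bytes:
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]


# PRF(secret, label, seed) = P_SHA256(secret, label + seed) in TLS 1.2.
def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    return p_hash(secret, label + seed, length)


# master_secret = PRF(pre_master_secret, "master secret",
#                     ClientHello.random + ServerHello.random)[0..47]
# The premaster secret is chosen by the client alone (RSA key exchange),
# but both 32-byte random values enter the derivation.
def master_secret(pre_master_secret: bytes, client_random: bytes, server_random: bytes) -> bytes:
    assert len(client_random) == 32 and len(server_random) == 32
    return prf(pre_master_secret, b"master secret", client_random + server_random, 48)


# key_block = PRF(master_secret, "key expansion", server_random + client_random)
# Note the reversed random order compared with the master-secret derivation.
def key_block(master: bytes, client_random: bytes, server_random: bytes, length: int) -> bytes:
    return prf(master, b"key expansion", server_random + client_random, length)


# Demonstrates why the server's contribution matters: if a recorded
# ClientKeyExchange (same premaster secret, same client random) were replayed,
# a server that picks a fresh ServerHello.random still ends up with a
# different master secret, so the replayed session cannot reuse old keys.
def replay_demo() -> dict:
    # Constructed sample values; a real client would draw these from a CSPRNG.
    pre_master = b"\x03\x03" + bytes(range(46))      # 48-byte RSA premaster secret
    client_random = bytes([0xAA] * 32)                # fixed, as in a replay
    server_random_1 = bytes([0x01] * 32)              # original session
    server_random_2 = bytes([0x02] * 32)              # fresh value on the replayed attempt

    ms1 = master_secret(pre_master, client_random, server_random_1)
    ms2 = master_secret(pre_master, client_random, server_random_2)
    return {
        "master_secret_original": ms1,
        "master_secret_replayed": ms2,
        "keys_differ": ms1 != ms2,
        "key_block_original": key_block(ms1, client_random, server_random_1, 40),
        "key_block_replayed": key_block(ms2, client_random, server_random_2, 40),
    }


if __name__ == "__main__":
    result = replay_demo()
    print("original master secret:", result["master_secret_original"].hex())
    print("replayed master secret:", result["master_secret_replayed"].hex())
    print("keys differ:", result["keys_differ"])
    # With a fresh random from a CSPRNG the outcome is the same:
    fresh = master_secret(b"\x03\x03" + bytes(range(46)), bytes([0xAA] * 32), os.urandom(32))
    print("fresh-random master secret:", fresh.hex())
```

The derivation is deterministic given its three inputs, which is what lets the two endpoints agree on the same keys; what makes each session's keys unique is that neither endpoint can force both random values, so a party replaying one side of a recorded handshake never reproduces the earlier master secret.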


