[TLS] RFC5487 PSK Key Exchange Algorithm with SHA-256/384. Premaster secret if ciphersuites negotiated for TLS V1.2?
Fox Arcadia <enricarcediano@gmail.com> Sat, 20 September 2014 07:51 UTC
Return-Path: <enricarcediano@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 954701A8943 for <tls@ietfa.amsl.com>; Sat, 20 Sep 2014 00:51:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zivOBTUZwCmR for <tls@ietfa.amsl.com>; Sat, 20 Sep 2014 00:51:47 -0700 (PDT)
Received: from mail-qg0-x234.google.com (mail-qg0-x234.google.com [IPv6:2607:f8b0:400d:c04::234]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AA19C1A8941 for <tls@ietf.org>; Sat, 20 Sep 2014 00:51:47 -0700 (PDT)
Received: by mail-qg0-f52.google.com with SMTP id j5so70278qga.39 for <tls@ietf.org>; Sat, 20 Sep 2014 00:51:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type; bh=RwjqKx958VUu5RoXhe7GKKjNQZzicZwwzjqCWg0YFcE=; b=a/ckfiWEuEZ9WsIW4wQTDvusxHYC6RAG1yQ16TmTJ6g117lHjjaga6tXYjeZskiCBq MfNSD/GEJdd18Y1yBZrROmIEX+iTADgcgZFecwEtI43YIkCS5fZGrVnYheGhTgtkT6K5 A8vavDQDth//Dr5u0zjjseUMzoF7JEeZBI2kqIVMQtI2QWC1hN6V8SNWvd3eC90ikoiX GSRDXqK5ibhSyP/3fYoCOf2zwoWj+QuPw1fXFdBpKutoFylkucsl85zqKlLGpUvZJ/E7 JvDIGIkD9n2NnXBleC4jqa8WZ6zlhh+jyJS1VCsJIbOAhbYKjSpnN3KVH9ygygUpKp3G Yxzg==
MIME-Version: 1.0
X-Received: by 10.140.48.1 with SMTP id n1mr160852qga.104.1411199506731; Sat, 20 Sep 2014 00:51:46 -0700 (PDT)
Received: by 10.140.224.199 with HTTP; Sat, 20 Sep 2014 00:51:46 -0700 (PDT)
Date: Sat, 20 Sep 2014 09:51:46 +0200
Message-ID: <CAOrsqC0AeU-yDRY2ZRXqcS_X1=+ZNuWiSAjJmFUW4WAnM1JZ0w@mail.gmail.com>
From: Fox Arcadia <enricarcediano@gmail.com>
To: tls@ietf.org
Content-Type: multipart/alternative; boundary="001a11350eac4e590805037a7d21"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/ExMDr0_0s7aCELoZQzTNH--7Z-o
X-Mailman-Approved-At: Sun, 21 Sep 2014 19:41:27 -0700
Subject: [TLS] RFC5487 PSK Key Exchange Algorithm with SHA-256/384. Premaster secret if ciphersuites negotiated for TLS V1.2?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 20 Sep 2014 07:53:21 -0000
Hello
For the ciphersuites defined in RFC 5487
<http://tools.ietf.org/html/rfc5487> 3.1
PSK Key Exchange Algorithm with SHA-256/384
CipherSuite TLS_PSK_WITH_AES_128_CBC_SHA256 = {0x00,0xAE};
CipherSuite TLS_PSK_WITH_AES_256_CBC_SHA384 = {0x00,0xAF};
CipherSuite TLS_PSK_WITH_NULL_SHA256 = {0x00,0xB0};
CipherSuite TLS_PSK_WITH_NULL_SHA384 = {0x00,0xB1};
How is the premaster secret formed if the negotiated version is TLS 1.2?
according to RFC 4279 <http://tools.ietf.org/html/rfc4279> Pre-Shared
key ciphersuites for TLS:
The premaster secret is formed as follows: if the PSK is N octets
long, concatenate a uint16 with the value N, N zero octets, a second
uint16 with the value N, and the PSK itself.
Note 1: All the ciphersuites in this document share the same
general structure for the premaster secret, namely,
struct {
opaque other_secret<0..2^16-1>;
opaque psk<0..2^16-1>;
};
...
Note 2: Using zeroes for "other_secret" effectively means that
only the HMAC-SHA1 part (but not the HMAC-MD5 part) of the TLS PRF
is used when constructing the master secret. This was considered
more elegant from an analytical viewpoint than, for instance,
using the same key for both the HMAC-MD5 and HMAC-SHA1 parts. See
[KRAWCZYK <http://tools.ietf.org/html/rfc4279#ref-KRAWCZYK>] for
a more detailed rationale.
but if using a PRF defined in TLS V1.2, then HMAC-MD5 is not used but
the HMAC defined by the PRF.
And, in that case, part of the used premaster is zeroes.
should we in that case reuse PSK for other_secret?
Thanks
- [TLS] RFC5487 PSK Key Exchange Algorithm with SHA… Fox Arcadia
- Re: [TLS] RFC5487 PSK Key Exchange Algorithm with… Manuel Pégourié-Gonnard
- Re: [TLS] RFC5487 PSK Key Exchange Algorithm with… Fox Arcadia
- Re: [TLS] RFC5487 PSK Key Exchange Algorithm with… Salz, Rich