Re: [TLS] Empty ClientKeyExchange

Mohamad Badra <> Wed, 31 May 2006 16:52 UTC


Hi Pasi,

You wrote:
> Hi Mohamad,
> Since you're presumably negotiating this identity protection feature
> with TLS extensions, you could negotiate different syntax for
> ClientKeyExchange as well (along the lines "if the identity protection
> feature is used with DH_DSS/DH_RSA ciphersuites, the ClientKeyExchange
> message always contains explicit Diffie-Hellman public value").

I agree. This is what I tried to say in my last mail.

> (However, in the case of DH_DSS/DH_RSA ciphersuites with client
> authentication, Yc is a permanent identifier for the client, so while
> it's not human-readable, an eavesdropper could still correlate
> sessions by the same client.)

That's correct. Identity protection must not be used in this case. But 
it can be used if the client and the server agree on using signed 
ephemeral Yc (DHE_RSA or DHE_DSS).

Best regards,

> Best regards, 
> Pasi
>>-----Original Message-----
>>From: ext Mohamad Badra [] 
>>Sent: 31 May, 2006 16:05
>>To: Eronen Pasi (Nokia-NRC/Helsinki)
>>Subject: Re: [TLS] Empty ClientKeyExchange
>>Dear Pasi,
>>Sorry for the late reply, my mail server had some problems...
>>In fact, Urien and I wrote a document (will be published by IETF
>>secretariat) providing the client's identity protection. To do that,
>>we propose to encrypt the certificate using a "symmetric key"
>>derived from the master_secret [1] (please keep in mind the EAP-TLS
>>handshake). Thus, if the client uses a DH_DSS or DH_RSA, the server
>>will not be able to compute the premaster secret and the
>>If Yc is sent again, it will break the TLS specs. Hence, I 
>>think sending the Yc in a TLS extension when identity protection is 
>>Finally, I don't know any implementation of TLS1.0 that sends Yc again
>>in ClientKeyExchange.
>>Best regards,
>>[1] we sent a draft to the IETF secretariat, and it is available at
> ection-00.txt
> _______________________________________________
> TLS mailing list

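An added example, not part of this thread or of the draft it discusses: a small Python model of the dependency Mohamad describes (the certificate is encrypted under a key derived from master_secret, but with DH_DSS/DH_RSA client authentication the server needs the Yc that sits inside that certificate before it can compute master_secret at all) and of Pasi's correlation point about a static Yc. The PRF, the certificate encoding and the XOR stream cipher are stand-ins chosen for readability, not RFC 2246's PRF or the draft's construction; the toy server uses an ephemeral DH key for brevity, which does not change the client-side dependency. The 1024-bit MODP group is RFC 2409 group 2 and is small by today's standards.

```python
"""Toy model: client identity protection vs. the empty DH_DSS/DH_RSA ClientKeyExchange.

Assumptions (not from RFC 2246 or the draft): HMAC-SHA256 stands in for the TLS PRF,
an XOR keystream stands in for the certificate cipher, and certificates are plain byte
strings.  Illustrative only; never use the toy cipher for real data.
"""
import hashlib
import hmac
import secrets

# 1024-bit MODP group (RFC 2409 "Second Oakley Group").
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
NBYTES = 128  # any value mod P fits in 128 bytes


def dh_keypair():
    """Return (private exponent, public value) in the group (P, G)."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def prf(secret, label, seed):
    """Stand-in for the TLS PRF (assumption): a single HMAC-SHA256."""
    return hmac.new(secret, label + seed, hashlib.sha256).digest()


def toy_xor_cipher(key, data):
    """Toy stream cipher (assumption): XOR with a SHA-256 counter keystream. Symmetric."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + off.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


def cert_dh_value(cert):
    """Parse the DH public value out of a toy certificate, or None if it carries none."""
    if b"DH-Yc=" not in cert:
        return None
    return int(cert.split(b"DH-Yc=")[1], 16)


class Client:
    def __init__(self, ephemeral):
        self.ephemeral = ephemeral
        self.x_static, self.yc_static = dh_keypair()
        if ephemeral:
            # DHE_RSA/DHE_DSS: the certificate holds a signing key, not Yc.
            self.cert = b"CN=client;sig-key=..."
        else:
            # DH_DSS/DH_RSA: the certificate itself carries the static Yc.
            self.cert = b"CN=client;DH-Yc=" + self.yc_static.to_bytes(NBYTES, "big").hex().encode()

    def key_exchange(self, server_pub, explicit_yc):
        """Return (premaster, value sent in ClientKeyExchange, or None for an empty one)."""
        if self.ephemeral:
            x, yc = dh_keypair()  # fresh Yc every session
            return pow(server_pub, x, P).to_bytes(NBYTES, "big"), yc
        premaster = pow(server_pub, self.x_static, P).to_bytes(NBYTES, "big")
        # RFC 2246 7.4.7: with a DH certificate the ClientKeyExchange is empty
        # ("implicit") unless Yc is deliberately sent explicitly, as the thread proposes.
        return premaster, (self.yc_static if explicit_yc else None)


def handshake(client, explicit_yc):
    """One toy handshake: what the server could recover and what an eavesdropper saw."""
    client_random, server_random = secrets.token_bytes(32), secrets.token_bytes(32)
    xs, ys = dh_keypair()  # toy server uses an ephemeral key (simplification)
    premaster, cke_yc = client.key_exchange(ys, explicit_yc)
    ms_client = prf(premaster, b"master secret", client_random + server_random)
    enc_cert = toy_xor_cipher(prf(ms_client, b"cert key", b""), client.cert)

    # --- server side: it sees the randoms, enc_cert and cke_yc, nothing else ---
    if cke_yc is None:
        # Yc exists only inside enc_cert, and the key for enc_cert needs Yc: stuck.
        return {"server_ok": False, "wire_yc": None, "cert": None}
    premaster_s = pow(cke_yc, xs, P).to_bytes(NBYTES, "big")
    ms_server = prf(premaster_s, b"master secret", client_random + server_random)
    cert = toy_xor_cipher(prf(ms_server, b"cert key", b""), enc_cert)
    ok = ms_server == ms_client  # stands in for the Finished check
    cert_yc = cert_dh_value(cert)
    if cert_yc is not None:
        # Bind the explicit Yc to the certified key; otherwise the certificate
        # says nothing about the key that was actually used in the exchange.
        ok = ok and cert_yc == cke_yc
    return {"server_ok": ok, "wire_yc": cke_yc, "cert": cert if ok else None}


def correlatable(h1, h2):
    """Could an eavesdropper link two handshakes by the value sent in ClientKeyExchange?"""
    return h1["wire_yc"] is not None and h1["wire_yc"] == h2["wire_yc"]


if __name__ == "__main__":
    static = Client(ephemeral=False)
    print("static DH, empty CKE   -> server_ok", handshake(static, explicit_yc=False)["server_ok"])
    a, b = handshake(static, True), handshake(static, True)
    print("static DH, explicit Yc -> server_ok", a["server_ok"], "correlatable", correlatable(a, b))
    dhe = Client(ephemeral=True)
    c, d = handshake(dhe, True), handshake(dhe, True)
    print("DHE                    -> server_ok", c["server_ok"], "correlatable", correlatable(c, d))
```

The three runs show the three positions taken in the thread: with a DH certificate and the RFC 2246 empty ClientKeyExchange the server cannot recover anything; sending Yc explicitly unblocks the server but puts the same value on the wire in every session, so the sessions remain linkable; with DHE the server still succeeds and the per-session values are unrelated. The check that the explicit Yc matches the DH value inside the decrypted certificate is the one a real server must not skip, since only then does the certificate authenticate the key actually used.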