memacro wrote:
Hi,
   I don't understand the finish message of handshake protocol for TLS 1.0.
   1. Is finish message encrypted with new cipher spec (including MAC and
Encryption) ?

Yes. The Finish message is the first message sent after the Change_Cipher_Spec record. All records after the CSS record are MACed and encrypted in the new cipher spec's MAC and cipher. So, the Finish message is in a record that gets MACed and encrypted with the new cipher spec. In that respect, it's the same as SSL 3.0.

       More specifically, the record protocol payload is as follows
       Encryption(type (1 byte) + length (3 bytes) + finish message (12
       bytes) + MAC (20 or 16 bytes)).
       Is this wrong ?

The handshake record contains
  - the record header (1 byte type, 2 byte version, 2 byte length)
  - the record "fragment", which consists of
    - the "compressed" record content (some or all of one or more handshake messages)
    - the MAC (zero or 16 or 20 bytes)
    - the padding (for block ciphers only)

The "fragment" is the part that is encrypted. Any and all handshake
messages may be broken up into several pieces and sent in several records. Also, more than one message may be sent in a single record. Each record
gets its own MAC and (if used) padding. The MAC and padding are
considered part of the record, not part of the message.


The handshake message contains:
  - the message header (1 byte type, 3 byte length)
  - the message body (for finished, this is 12 bytes).

   2. The function calculating the finish message
       Is its input (handshake message) all handshake messages in both side
       (client and server) or each side itself (client or server) ?

The "handshake_messages" that are fed into the SHA1 and MD5 hashes include the handshake messages (not records) in both directions, beginning with the client hello message in this handshake, up to but not including the message whose contents you're computing.

The key here is that the content is only messages, not records.  So,
you don't include MACs or any padding or any other stuff that's part
of the record (as opposed to part of the message).

TLS typically uses only NULL compression, which is no compression.
All records have MACs, but some records have "NULL" macs, which are
zero length.  There is also NULL encryption, which is no encryption.
The only TLS records that use NULL MACs and NULL encryption are the
records sent prior to the first ChangeCipherSpec record in each
direction on the TCP connection.

It is possible to have a second handshake on a connection that has
already completed one handshake.  In that case, the records are
MACed and encrypted using the first negotiated cipher spec until
the ChangeCipherSpec record is sent in the second handshake.  The
first record after the ChangeCipherSpec record is MACed and encrypted
using the freshly negotiated cipherspec.

/Nelson B
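
The Finished computation described in the reply above, as an added example that is not part of the original message: the 12-byte verify_data is the TLS 1.0 PRF over the MD5 and SHA-1 hashes of the handshake messages (headers and bodies only, both directions). The PRF construction and the "client finished" / "server finished" labels follow RFC 2246; the function names, master secret and message bodies are constructed for illustration.

```python
import hashlib
import hmac

def p_hash(alg, secret, seed, n):
    """P_hash from RFC 2246 section 5: HMAC chained over A(i)."""
    out, a = b"", seed
    while len(out) < n:
        a = hmac.new(secret, a, alg).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, alg).digest()
    return out[:n]

def tls10_prf(secret, label, seed, n):
    """TLS 1.0 PRF: P_MD5(S1) XOR P_SHA1(S2); the halves share a byte if odd."""
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[len(secret) - half:]
    md5_part = p_hash("md5", s1, label + seed, n)
    sha_part = p_hash("sha1", s2, label + seed, n)
    return bytes(x ^ y for x, y in zip(md5_part, sha_part))

def handshake_message(msg_type, body):
    """Message header (1-byte type, 3-byte length) followed by the body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

def finished_message(master_secret, label, transcript):
    """Finished (type 20) carrying 12 bytes of verify_data over the transcript.

    transcript holds handshake messages only: no record headers, MACs or padding.
    """
    seed = hashlib.md5(transcript).digest() + hashlib.sha1(transcript).digest()
    return handshake_message(20, tls10_prf(master_secret, label, seed, 12))

# Constructed sample data: a 48-byte master secret and placeholder message bodies.
MASTER_SECRET = bytes(range(48))
TRANSCRIPT = b"".join([
    handshake_message(1, b"constructed client hello"),          # client -> server
    handshake_message(2, b"constructed server hello"),          # server -> client
    handshake_message(11, b"constructed certificate"),          # server -> client
    handshake_message(14, b""),                                 # server hello done
    handshake_message(16, b"constructed client key exchange"),  # client -> server
])

# The client's Finished covers every message before it, from both sides.
CLIENT_FINISHED = finished_message(MASTER_SECRET, b"client finished", TRANSCRIPT)
# The server's Finished additionally covers the client's Finished message.
SERVER_FINISHED = finished_message(
    MASTER_SECRET, b"server finished", TRANSCRIPT + CLIENT_FINISHED)
```

Because the hash input is the message stream, splitting these messages across records differently leaves both values unchanged.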
