I hope I'm not annoying anyone here with this post. I sent it to openssl-users first but I guess they're all users who don't need to know SSL internals. Also, I think this is at least somewhat relevant to the developers list because I'm going to be hacking OpenSSL to work with our hardware. And the hardware is going to need to keep track of all keys. >Secrets, many secrets... > >OK, I'm studying the Netscape SSL3 spec and also >reading Thomas' SSL book. They state that each side >generates the master secret, then generates > >client write MAC secret >server write MAC secret >client write key >server write key >client write IV >server write IV > >Now help me out here if you can because I feel >a bit stupid. > >1. It's implied that both the client *and* the server >generate all (client and server) secrets/keys/IVs. > >2. If that is true, does that then imply that there >is one set of secrets for encrypting and authenticating >the outgoing traffic, and another set for decrypting >and authentication-verifying the incoming traffic? >For example, if I'm a server, I'd use the client >secrets when reading, and my (server) secrets >when writing? (((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((( Tom Biggs '89 FJ1200 DoD #1146 "The whole aim of practical politics is to keep the populace alarmed - and hence clamorous to be led to safety - by menacing it with an endless series of hobgoblins, all of them imaginary." -- H.L. Mencken )))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
