On Wed, Jan 30, 2013 at 07:03:09PM +0100, Jakob Bohm wrote:

> >You don't, but you should instead obtain the "tls-unique" channel
> >binding data ( https://tools.ietf.org/html/rfc5929#section-3 ) and
> >run the result through a KDF (HKDF should work well) on both ends
> >to obtain a suitable key for a symmetric algorithm of your choice.
> >
> 
> Sorry, not such a good idea.
> 
> As I read RFC5929 and the TLS 1.2 RFC, it seems that despite some
> vaguely promising language in RFC5929, the tls-unique value is *not*
> suitable as the basis of an encryption key for the following
> reasons:
> 
> 1. It is quite vague (underspecified) if and when the form of the
> finished message used as the tls-unique value is A) sent in the clear
> B) The already encrypted form of the message as sent over the
> network or C) The plaintext passed to the TLS encryption mechanism
> before transmission.  In interpretation A and B the value is known
> to any attackers, while in interpretation C it is known to attackers
> only if the negotiated TLS encryption is NULL or weak.

The finished message is always sent (by both parties) after
ChangeCipherSpec, and thus always encrypted, provided the handshake
did not negotiate an eNULL bulk cipher. This is explicitly stated in
the TLS RFCs.

> 2. The TLS 1.2 RFC seems clear that the raw input tls-unique value
> will often be only 12 bytes (96 bits) which is not enough input to
> generate a 128 bit or stronger encryption key, no matter how clever
> the KDF.

This is fair: the tls-unique value is in practice only 96 bits. And
indeed its intended use is channel-binding with GSSAPI, ...

If 96 bits is not enough, one needs to get at the master secret
on both sides, and run that through a KDF together with client
and server random plus a suitable application-specific salt.

Does OpenSSL provide a public interface for getting at the master
secret or otherwise generating application-specific derived keys?

-- 
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
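An added example, not code from the thread or from OpenSSL, showing the derivation step the two messages above argue about: an HKDF per RFC 5869 built on the Python standard library, fed either the 12-byte tls-unique value or the 48-byte master secret, with the client and server randoms as salt and an application label as context. The master-secret form is the shape RFC 5705 standardizes as a keying material exporter, which OpenSSL exposes as `SSL_export_keying_material()`; the block below implements only the KDF step. It also makes Jakob's 96-bit objection concrete: `derive_app_key` refuses to return a key longer than the secret it was given, since no KDF adds entropy. The function names, the label prefix and all sample byte values are constructed for this example.

```python
"""HKDF (RFC 5869) on hashlib/hmac, applied to TLS-derived secret material.
Example code added to the thread; not OpenSSL's own code."""
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = hashlib.sha256().digest_size   # 32 bytes


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract: PRK = HMAC-Hash(salt, IKM); empty salt -> zeros."""
    if not salt:
        salt = bytes(HASH_LEN)
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand: T(i) = HMAC-Hash(PRK, T(i-1) | info | i)."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF-Expand: length exceeds 255 * HashLen")
    okm, t = b"", b""
    for counter in range(1, (length + HASH_LEN - 1) // HASH_LEN + 1):
        t = hmac.new(prk, t + info + bytes([counter]), HASH).digest()
        okm += t
    return okm[:length]


def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int) -> bytes:
    """Full HKDF: Extract then Expand."""
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


def derive_app_key(secret: bytes, client_random: bytes, server_random: bytes,
                   label: bytes, key_len: int = 32) -> bytes:
    """Derive an application key from TLS secret material (constructed API).

    `secret` is either the tls-unique channel binding (the first Finished
    message; 12 bytes with TLS 1.2's default verify_data length) or the
    48-byte session master secret.  The handshake randoms are the HKDF salt
    and the application label is the context info, so two applications on
    the same connection obtain unrelated keys.  The guard is the thread's
    point: a KDF cannot stretch a 96-bit input into a 128-bit key.
    """
    if len(secret) < key_len:
        raise ValueError(
            f"secret has only {8 * len(secret)} bits; refusing to derive a "
            f"{8 * key_len}-bit key from it")
    return hkdf(client_random + server_random, secret, b"app-key:" + label, key_len)


# Constructed sample values (not from any real handshake).
TLS_UNIQUE = bytes.fromhex("00112233445566778899aabb")      # 12 bytes / 96 bits
MASTER_SECRET = bytes(range(48))                            # 48 bytes
CLIENT_RANDOM = bytes([0xC1] * 32)
SERVER_RANDOM = bytes([0x5E] * 32)


def can_derive(secret: bytes, key_len: int) -> bool:
    """True if derive_app_key accepts this (secret, key length) pair."""
    try:
        derive_app_key(secret, CLIENT_RANDOM, SERVER_RANDOM, b"probe", key_len)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for name, secret, key_len in (("tls-unique", TLS_UNIQUE, 16),
                                  ("tls-unique", TLS_UNIQUE, 12),
                                  ("master secret", MASTER_SECRET, 32)):
        if can_derive(secret, key_len):
            key = derive_app_key(secret, CLIENT_RANDOM, SERVER_RANDOM,
                                 b"file-transfer", key_len)
            print(f"{name}: {8 * key_len}-bit key {key.hex()}")
        else:
            print(f"{name}: refused, only {8 * len(secret)} bits of secret")
```

Both ends of the connection hold the same tls-unique value, master secret and randoms, so running `derive_app_key` with the same label on each side yields the same key without any extra round trip; changing the label yields an unrelated key, which is how separate sub-protocols over one session keep their keys apart.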