RE: creating Master-Key for encryption/decryption

2011-08-24 Thread Erik Tkal
I'm not sure you are understanding this.  Both sides derive the same master 
key, so there is no need to send it.  After the handshake the SSL code will use 
that key to generate specific encryption keys and perform encryption of further 
traffic through the tunnel.  If you are only using the handshake to generate 
the master key to be used elsewhere (e.g. for proprietary encryption), then you 
can get it from the SSL_SESSION object (not sure if there's a get method).


Erik Tkal
Juniper OAC/UAC/Pulse Development


Re: creating Master-Key for encryption/decryption

2011-08-24 Thread Gayathri Sundar
I think the problem this person seems to have is not finding a way to extract
the master secret on the client side, which is why I suggested he can send
it as a payload from the server as part of the app data, since it is
exactly the same. Also, Krishna, please understand that the master secret is
not used for enc/dec; it is used to derive the actual auth and enc keys using
specific methods as mentioned in the RFC. These keys are unique on a
per-connection basis, mixed by some randoms. The master secret is unique for a
session. A session can contain many connections, each represented by an SSL
object, and the enc/dec keys are different for every connection, which can be
obtained from the SSL object.

Please understand TLS as such from the RFC.

Thanks
--Gayathri
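The derivation Erik and Gayathri are both describing, written out from RFC 2246 as an added example (this is not code from the thread, nor OpenSSL's own): the master secret is computed identically by the two peers from the pre_master_secret and the two randoms, and the per-connection read/write keys come from expanding it again with fresh randoms. The pre_master_secret, the randoms and the AES256-SHA key sizes used below are constructed inputs, and the RSA transport of the pre_master_secret is outside the example.

```python
"""TLS 1.0 (RFC 2246) key derivation, end to end:
pre_master_secret -> master_secret (same on both peers) -> per-connection keys.
Standard library only, so it runs offline; randoms and secrets are constructed."""
import hmac
import os
from typing import Dict


def p_hash(hash_name: str, secret: bytes, seed: bytes, length: int) -> bytes:
    """RFC 2246 section 5, P_hash: A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ..."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]


def tls1_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """RFC 2246 PRF: S1 = first half of the secret, S2 = second half (the halves
    share one byte when the length is odd); P_MD5(S1) XOR P_SHA1(S2)."""
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[-half:]
    md5_part = p_hash("md5", s1, label + seed, length)
    sha1_part = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha1_part))


def master_secret(pre_master_secret: bytes, client_random: bytes,
                  server_random: bytes) -> bytes:
    """RFC 2246 section 8.1: the 48-byte master secret. Client and server feed in
    the same three inputs, so both end up holding the same value."""
    return tls1_prf(pre_master_secret, b"master secret",
                    client_random + server_random, 48)


# Key sizes for the suite the thread's SSL_SESSION_print output shows as
# "AES256-SHA" (TLS_RSA_WITH_AES_256_CBC_SHA): HMAC-SHA1 MAC, AES-256 key, CBC IV.
AES256_SHA = {"mac_len": 20, "key_len": 32, "iv_len": 16}

KEY_BLOCK_ORDER = ("client_write_MAC_secret", "server_write_MAC_secret",
                   "client_write_key", "server_write_key",
                   "client_write_IV", "server_write_IV")


def connection_keys(ms: bytes, client_random: bytes, server_random: bytes,
                    suite: Dict[str, int] = AES256_SHA) -> Dict[str, bytes]:
    """RFC 2246 section 6.3: expand the master secret into the key block.
    Note the seed is server_random + client_random here (reverse of 8.1)."""
    sizes = (suite["mac_len"], suite["mac_len"], suite["key_len"],
             suite["key_len"], suite["iv_len"], suite["iv_len"])
    block = tls1_prf(ms, b"key expansion", server_random + client_random, sum(sizes))
    keys, pos = {}, 0
    for name, size in zip(KEY_BLOCK_ORDER, sizes):
        keys[name] = block[pos:pos + size]
        pos += size
    return keys


def demo() -> Dict[str, bytes]:
    """One session, two connections: a full handshake, then a resumption that reuses
    the master secret with new randoms. The RSA transport of pre_master_secret and
    the gmt_unix_time prefix of the randoms are left out of this simulation."""
    pre_master = b"\x03\x01" + os.urandom(46)        # client_version + 46 random bytes
    cr1, sr1 = os.urandom(32), os.urandom(32)       # first connection's randoms
    ms_client = master_secret(pre_master, cr1, sr1)  # what the client computes
    ms_server = master_secret(pre_master, cr1, sr1)  # what the server computes
    assert ms_client == ms_server                   # nothing needs to be sent
    keys1 = connection_keys(ms_client, cr1, sr1)
    cr2, sr2 = os.urandom(32), os.urandom(32)       # resumed connection, same session
    keys2 = connection_keys(ms_server, cr2, sr2)    # same master secret, new keys
    return {"master_secret": ms_client,
            "conn1_client_write_key": keys1["client_write_key"],
            "conn2_client_write_key": keys2["client_write_key"]}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value.hex().upper()}")
```

For reading the value out of a live OpenSSL connection instead of recomputing it, OpenSSL 1.1.0 and later provide SSL_SESSION_get_master_key(), SSL_get_client_random() and SSL_get_server_random() as accessors, so the struct fields touched in the thread's snippet no longer need to be dereferenced directly.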


RE: creating Master-Key for encryption/decryption

2011-08-24 Thread Erik Tkal
Hmmm, but he said he was writing both the client and server components and 
assuming both are using OpenSSL (I know, when you *assume*...) the mechanism 
would be the same...


Erik Tkal
Juniper OAC/UAC/Pulse Development



Re: creating Master-Key for encryption/decryption

2011-08-23 Thread krishnamurthy santhanam
Thanks. I have gone through RFC 2246 and understood the master key generation
part. The master key is generated and I am able to print it on the client side
(test C program) using the ssl structure.

unsigned int i;                        /* loop index; was undeclared in the posted snippet */
printf("session A\n");
SSL_SESSION *session = SSL_get_session(ssl);
SSL_SESSION_print(out, session);       /* dumps the session, Master-Key included, to the BIO 'out' */
for (i = 0; i < (unsigned int)session->master_key_length; i++)
{
    /* raw master secret bytes (48 for TLS), written as hex to the BIO 'bp' */
    BIO_printf(bp, "%02X", session->master_key[i]);
}

How can I get the same master key on the server side?

In my scenario, the server side program is running in C. JDBC clients will
establish the connection to the server. Will the same master key be generated
across the platforms (JDBC client side)?

Any help will be great.

Thanks for your time,

Krishnamurthy

On Mon, Aug 22, 2011 at 9:03 PM, Gayathri Sundar suraj...@gmail.com wrote:

 Please read the RFC, it would clearly explain how the master secret is
 derived, and from that how the read and write keys are derived. With that
 you can get to know how to extract the read and write keys. Meanwhile the read
 and write keys are available as part of the ssl object.
 Check that structure out.

 Thanks
 --Gayathri

 On Mon, Aug 22, 2011 at 10:24 AM, krishnamurthy santhanam 
 krishnamurth...@gmail.com wrote:

 I have more than 100 clients that will connect to my server and
 communicate the data. I am implementing SSL on the server side to authenticate
 the client certificate (X.509), and the client will also authenticate the
 server's certificate. Once the mutual authentication has completed I have to
 generate a master key for encryption and decryption.  I am going to use AES for
 encryption and decryption.

 I generated the client and server certificates using the below
 commands, signed by the root:

 1. CLIENT CERTIFICATE:

 openssl req -newkey rsa:1024 -sha1 -keyout clientkey.pem -out clientreq.pem

 openssl x509 -req -in clientreq.pem -sha1 -extfile openssl.cnf -extensions usr_cert -CA rootcert.pem -CAkey rootkey.pem -CAcreateserial -out clientcert.pem

 cat clientkey.pem clientcert.pem rootcert.pem > client.pem

 openssl x509 -subject -issuer -noout -in client.pem

 2. SERVER CERTIFICATE:

 openssl req -newkey rsa:1024 -sha1 -keyout serverkey.pem -out serverreq.pem

 openssl x509 -req -in serverreq.pem -sha1 -extfile openssl.cnf -extensions usr_cert -CA rootcert.pem -CAkey rootkey.pem -CAcreateserial -out servercert.pem

 cat serverkey.pem servercert.pem rootcert.pem > server.pem

 openssl x509 -subject -issuer -noout -in server.pem

 3. ROOT CERTIFICATE:

 openssl req -newkey rsa:1024 -sha1 -keyout rootkey.pem -out rootreq.pem

 openssl x509 -req -in rootreq.pem -sha1 -extfile root.cnf -extensions v3_ca -signkey rootkey.pem -out rootcert.pem

 cat rootcert.pem rootkey.pem > root.pem

 openssl x509 -subject -issuer -noout -in root.pem



 Initially I am writing SSL/TLS programs for the server and client. With
 these I am able to communicate data between client and server.

 I was stuck on master key generation; I have added the below LOC to the
 programs to get the MASTER KEY:

 printf("session A\n");
 SSL_SESSION *session = SSL_get_session(ssl);
 SSL_SESSION_print(out, session);

 It is printing like this:

  session A
 SSL-Session:
 Protocol  : TLSv1
 Cipher: AES256-SHA
 Session-ID: 9FCE46513DD74882D3FF0E0E84CC4A6BE12192B65C426E0B27D0FA15F81D7D5E
 Session-ID-ctx:
 Master-Key: 56F90B0D90DEB3430207A74793C9B6565744E06ECA191D9DFA04C29B1EE2B7826B602878597465F739AD69091DDF6499
 Key-Arg   : None
 Krb5 Principal: None
 Compression: 1 (zlib compression)
 Start Time: 1314015355
 Timeout   : 7200 (sec)

 Is this the Master key for both the server and client?

 Is this the key that should be used for the encryption on the client side and
 decryption on the server side?

 If this is the Master key, how can I extract the key?

 Please guide me if I have understood anything wrong.





Re: creating Master-Key for encryption/decryption

2011-08-23 Thread Gayathri Sundar
Master key is unique per session, and it's the same for both client and server;
that's the concept behind the SSL handshake. The RFC would state the
information accurately.  Perhaps you can send the master secret as part of
your application data to the client, which can decrypt and use it.
Thanks
--Gayathri



Re: creating Master-Key for encryption/decryption

2011-08-23 Thread krishnamurthy santhanam
Thanks. As per my understanding, before sending the master key to the client, the
server has to maintain the master key. How can I get this on the server side? Is
there any code sample or snippet to get this key?

Krishna
On Tue, Aug 23, 2011 at 11:54 PM, Gayathri Sundar suraj...@gmail.comwrote:

 Master key is unique per session, and its same for both client and server,
 thats the concept behind the SSL handshake. The RFC would state the
 information accurately.  Perhaps you can send the master secret as part of
 ur application data, to  the client, which can decrypt and use.
 Thanks
 --Gayathri

 On Tue, Aug 23, 2011 at 12:41 PM, krishnamurthy santhanam 
 krishnamurth...@gmail.com wrote:

 Thanks. I gone through the RFC 2246 and understood the Master key
 generation part. The Master key is generated and able to print the client
 side(test C program) using ssl strucure.


 printf(session A\n);

 SSL_SESSION *session = SSL_get_session(ssl);

 SSL_SESSION_print(out, session);

 for (i=0; i(unsigned int)session-master_key_length; i++)
 {
 BIO_printf(bp,%02X,session-master_key[i]) );
 }

 How i can get the same Master key in server side?

 in my scenario, server side program is running in C. JDBC clients will
 establish the connection to the server. will the same Mester key generated
 in the cross platforms(JDBC client side)?

 Any help will be great.

 Thanks for your time,

 Krishnamurthy

 On Mon, Aug 22, 2011 at 9:03 PM, Gayathri Sundar suraj...@gmail.comwrote:

 Please read the RFC, it would clearly explain how the master secret is
 dervied, and from that how the read and write keys are derived. With that
 you can get to know how to extract the read n write keys. Meanwhile the read
 and wirte keys are available as part of the ssl object.
 Check that structure out.

 Thanks
 --Gayathri

   On Mon, Aug 22, 2011 at 10:24 AM, krishnamurthy santhanam 
 krishnamurth...@gmail.com wrote:

 I have more than 100 clients that will connect to my server and
 communicate the data. I am implementing SSL on server side to authenticate
 the client certificate(X.509) and also client will authenticate the servers
 certificate. Once the mutual authentication has completed I have to 
 generate
 master key for encryption and decryption.  I am going to use AES for
 encryption and decryption.

  I had generated the client and server certificates using the bellow
 commands and signed by the root,

 1. CLIENT CERTIFICATE:

 openssl req -newkey rsa:1024 -sha1 -keyout clientkey.pem -out
 clientreq.pem

 openssl x509 -req -in clientreq.pem -sha1 -extfile openssl.cnf  -extensions
 usr_cert -CA rootcert.pem  -CAkey rootkey.pem -CAcreateserial   -out
 clientcert.pem

 cat clientkey.pem  clientcert.pem rootcert.pem  client.pem

 openssl x509  -subject -issuer -noout -in client.pem

 2. SERVER CERTIFICATE:

 openssl req -newkey rsa:1024 -sha1 -keyout serverkey.pem -out
 serverreq.pem

 openssl x509 -req -in serverreq.pem -sha1 -extfile openssl.cnf  -extensions
 usr_

 cert -CA rootcert.pem  -CAkey rootkey.pem -CAcreateserial   -out
 servercert.pem

 cat serverkey.pem  servercert.pem rootcert.pem  server.pem

 openssl x509  -subject -issuer -noout -in server.pem

 3. ROOT CERTIFICATE:

 openssl req -newkey rsa:1024 -sha1 -keyout rootkey.pem -out rootreq.pem

 openssl x509 -req -in rootreq.pem -sha1 -extfile root.cnf -extensions
 v3_ca -sig

 nkey rootkey.pem -out rootcert.pem

 cat rootcert.pem rootkey.pem   root.pem

 openssl x509  -subject -issuer -noout -in root.pem



 Initially I  am writing ssl/tls programming for server and client. In
 this I am able to communicate the data between client and server.

 I was struck on master key generation, I have added the below LOC to
 programs to get MASTER KEY,

 printf(session A\n);

 SSL_SESSION *session = SSL_get_session(ssl);

 SSL_SESSION_print(out, session);

 It is printing like this ,

 session A
 SSL-Session:
     Protocol  : TLSv1
     Cipher    : AES256-SHA
     Session-ID: 9FCE46513DD74882D3FF0E0E84CC4A6BE12192B65C426E0B27D0FA15F81D7D5E
     Session-ID-ctx:
     Master-Key: 56F90B0D90DEB3430207A74793C9B6565744E06ECA191D9DFA04C29B1EE2B7826B602878597465F739AD69091DDF6499
     Key-Arg   : None
     Krb5 Principal: None
     Compression: 1 (zlib compression)
     Start Time: 1314015355
     Timeout   : 7200 (sec)

 Is this the Master key for both the server and client?

 Is this the key that should be used for the encryption in client side
 and decryption in server side?

 If this is the Master key how can I extract the key?

 Please guide me if I understood anything wrong.







creating Master-Key for encryption/decryption

2011-08-22 Thread krishnamurthy santhanam
I have more than 100 clients that will connect to my server and communicate
data. I am implementing SSL on the server side to authenticate the client
certificate (X.509), and the client will also authenticate the server's
certificate. Once the mutual authentication has completed, I have to generate
a master key for encryption and decryption. I am going to use AES for
encryption and decryption.

I have generated the client and server certificates using the below
commands, signed by the root:

1. CLIENT CERTIFICATE:

openssl req -newkey rsa:1024 -sha1 -keyout clientkey.pem -out clientreq.pem

openssl x509 -req -in clientreq.pem -sha1 -extfile openssl.cnf  -extensions
usr_cert -CA rootcert.pem  -CAkey rootkey.pem -CAcreateserial   -out
clientcert.pem

cat clientkey.pem clientcert.pem rootcert.pem > client.pem

openssl x509  -subject -issuer -noout -in client.pem

2. SERVER CERTIFICATE:

openssl req -newkey rsa:1024 -sha1 -keyout serverkey.pem -out serverreq.pem

openssl x509 -req -in serverreq.pem -sha1 -extfile openssl.cnf -extensions
usr_cert -CA rootcert.pem -CAkey rootkey.pem -CAcreateserial -out
servercert.pem

cat serverkey.pem servercert.pem rootcert.pem > server.pem

openssl x509  -subject -issuer -noout -in server.pem

3. ROOT CERTIFICATE:

openssl req -newkey rsa:1024 -sha1 -keyout rootkey.pem -out rootreq.pem

openssl x509 -req -in rootreq.pem -sha1 -extfile root.cnf -extensions v3_ca
-signkey rootkey.pem -out rootcert.pem

cat rootcert.pem rootkey.pem > root.pem

openssl x509  -subject -issuer -noout -in root.pem



Initially I am writing SSL/TLS programs for the server and client. In these I
am able to communicate data between client and server.

I was stuck on master key generation. I have added the lines below to the
programs to get the MASTER KEY:

printf("session A\n");
SSL_SESSION *session = SSL_get_session(ssl);   /* ssl: the connected SSL * */
SSL_SESSION_print(out, session);               /* out: a BIO *, e.g. BIO_new_fp(stdout, BIO_NOCLOSE) */

It is printing like this:

session A
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 9FCE46513DD74882D3FF0E0E84CC4A6BE12192B65C426E0B27D0FA15F81D7D5E
    Session-ID-ctx:
    Master-Key: 56F90B0D90DEB3430207A74793C9B6565744E06ECA191D9DFA04C29B1EE2B7826B602878597465F739AD69091DDF6499
    Key-Arg   : None
    Krb5 Principal: None
    Compression: 1 (zlib compression)
    Start Time: 1314015355
    Timeout   : 7200 (sec)

Is this the Master key for both the server and client?

Is this the key that should be used for the encryption in client side and
decryption in server side?

If this is the Master key how can I extract the key?

Please guide me if I understood anything wrong.


Re: creating Master-Key for encryption/decryption

2011-08-22 Thread Gayathri Sundar
Please read the RFC; it clearly explains how the master secret is
derived, and from that how the read and write keys are derived. With that
you can get to know how to extract the read and write keys. Meanwhile, the read
and write keys are available as part of the ssl object.
Check that structure out.

Thanks
--Gayathri

On Mon, Aug 22, 2011 at 10:24 AM, krishnamurthy santhanam 
krishnamurth...@gmail.com wrote:

 I have more than 100 clients that will connect to my server and communicate
 data. I am implementing SSL on the server side to authenticate the client
 certificate (X.509), and the client will also authenticate the server's
 certificate. Once the mutual authentication has completed, I have to generate
 a master key for encryption and decryption. I am going to use AES for
 encryption and decryption.

 I have generated the client and server certificates using the below
 commands, signed by the root:

 1. CLIENT CERTIFICATE:

 openssl req -newkey rsa:1024 -sha1 -keyout clientkey.pem -out clientreq.pem

 openssl x509 -req -in clientreq.pem -sha1 -extfile openssl.cnf  -extensions
 usr_cert -CA rootcert.pem  -CAkey rootkey.pem -CAcreateserial   -out
 clientcert.pem

 cat clientkey.pem clientcert.pem rootcert.pem > client.pem

 openssl x509  -subject -issuer -noout -in client.pem

 2. SERVER CERTIFICATE:

 openssl req -newkey rsa:1024 -sha1 -keyout serverkey.pem -out serverreq.pem

 openssl x509 -req -in serverreq.pem -sha1 -extfile openssl.cnf -extensions
 usr_cert -CA rootcert.pem -CAkey rootkey.pem -CAcreateserial -out
 servercert.pem

 cat serverkey.pem servercert.pem rootcert.pem > server.pem

 openssl x509  -subject -issuer -noout -in server.pem

 3. ROOT CERTIFICATE:

 openssl req -newkey rsa:1024 -sha1 -keyout rootkey.pem -out rootreq.pem

 openssl x509 -req -in rootreq.pem -sha1 -extfile root.cnf -extensions v3_ca
 -signkey rootkey.pem -out rootcert.pem

 cat rootcert.pem rootkey.pem > root.pem

 openssl x509  -subject -issuer -noout -in root.pem



 Initially I am writing SSL/TLS programs for the server and client. In these
 I am able to communicate data between client and server.

 I was stuck on master key generation. I have added the lines below to the
 programs to get the MASTER KEY:

 printf("session A\n");
 SSL_SESSION *session = SSL_get_session(ssl);   /* ssl: the connected SSL * */
 SSL_SESSION_print(out, session);               /* out: a BIO *, e.g. BIO_new_fp(stdout, BIO_NOCLOSE) */

 It is printing like this:

 session A
 SSL-Session:
     Protocol  : TLSv1
     Cipher    : AES256-SHA
     Session-ID: 9FCE46513DD74882D3FF0E0E84CC4A6BE12192B65C426E0B27D0FA15F81D7D5E
     Session-ID-ctx:
     Master-Key: 56F90B0D90DEB3430207A74793C9B6565744E06ECA191D9DFA04C29B1EE2B7826B602878597465F739AD69091DDF6499
     Key-Arg   : None
     Krb5 Principal: None
     Compression: 1 (zlib compression)
     Start Time: 1314015355
     Timeout   : 7200 (sec)

 Is this the Master key for both the server and client?

 Is this the key that should be used for the encryption in client side and
 decryption in server side?

 If this is the Master key how can I extract the key?

 Please guide me if I understood anything wrong.
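The two questions in the original post ("Is this the Master key for both the server and client?" and "Is this the key that should be used for the encryption?") and the reply's pointer to the RFC both come down to the RFC 2246 derivation, so here it is carried through in code. This is an added example written for this thread, not code from any of the posts or from OpenSSL. It implements the TLS 1.0 PRF (P_MD5 XOR P_SHA1), derives the 48-byte master secret from a pre-master secret and the two hello randoms exactly as section 8.1 specifies, and then expands the key block of section 6.3 into the six fields that the AES256-SHA ciphersuite from the session dump actually uses. The function names (`tls1_prf`, `master_secret`, `key_block`) and every input value are constructed sample values of mine, not real handshake data; the only OpenSSL-specific fact assumed is that the dump's `Master-Key` line is this 48-byte master secret (for reading it from a live session, OpenSSL 1.1.0 and later expose `SSL_SESSION_get_master_key()` rather than the struct field).

```python
"""RFC 2246 (TLS 1.0) key derivation, as an added worked example for this thread.

Two points it makes concrete:
  1. Both peers compute the same 48-byte master secret from the same inputs
     (pre_master_secret, ClientHello.random, ServerHello.random), so it is
     never sent across the wire.
  2. The master secret is not the AES key. A key_block is expanded from it and
     cut into MAC keys, write keys and IVs, one set per direction.
All sample inputs are constructed values, not captured handshake data.
"""
import hmac


def p_hash(hash_name: str, secret: bytes, seed: bytes, length: int) -> bytes:
    """RFC 2246 section 5:
    P_hash(secret, seed) = HMAC(secret, A(1) + seed) + HMAC(secret, A(2) + seed) + ...
    where A(0) = seed and A(i) = HMAC(secret, A(i-1))."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]


def tls1_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.0/1.1 PRF: P_MD5 over the first half of the secret XORed with
    P_SHA1 over the second half. For an odd-length secret the halves share
    the middle byte, as section 5 requires."""
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[-half:]
    md5_part = p_hash("md5", s1, label + seed, length)
    sha_part = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha_part))


def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """Section 8.1: master_secret = PRF(pre_master_secret, "master secret",
    ClientHello.random + ServerHello.random)[0..47]."""
    return tls1_prf(pre_master, b"master secret", client_random + server_random, 48)


# Field sizes for TLS_RSA_WITH_AES_256_CBC_SHA (OpenSSL name: AES256-SHA):
# SHA-1 MAC secrets (20), AES-256 write keys (32), CBC IVs (16).
AES256_SHA = {"mac_len": 20, "key_len": 32, "iv_len": 16}


def key_block(master: bytes, client_random: bytes, server_random: bytes, sizes=AES256_SHA) -> dict:
    """Section 6.3: key_block = PRF(master_secret, "key expansion",
    SecurityParameters.server_random + SecurityParameters.client_random).
    Note the randoms are concatenated in the opposite order from the
    master-secret step. The block is then partitioned into six fields."""
    total = 2 * (sizes["mac_len"] + sizes["key_len"] + sizes["iv_len"])
    block = tls1_prf(master, b"key expansion", server_random + client_random, total)
    layout = [
        ("client_write_MAC_secret", sizes["mac_len"]),
        ("server_write_MAC_secret", sizes["mac_len"]),
        ("client_write_key", sizes["key_len"]),
        ("server_write_key", sizes["key_len"]),
        ("client_write_IV", sizes["iv_len"]),
        ("server_write_IV", sizes["iv_len"]),
    ]
    fields, pos = {}, 0
    for name, n in layout:
        fields[name] = block[pos:pos + n]
        pos += n
    return fields


# Constructed sample handshake inputs (not real traffic).
SAMPLE_PRE_MASTER = bytes([3, 1]) + bytes(range(46))   # RSA pre-master: version bytes + 46 "random" bytes
SAMPLE_CLIENT_RANDOM = bytes([0xC1] * 32)
SAMPLE_SERVER_RANDOM = bytes([0x5E] * 32)


def demo():
    """Run the derivation on each side independently and show they agree."""
    ms_on_client = master_secret(SAMPLE_PRE_MASTER, SAMPLE_CLIENT_RANDOM, SAMPLE_SERVER_RANDOM)
    ms_on_server = master_secret(SAMPLE_PRE_MASTER, SAMPLE_CLIENT_RANDOM, SAMPLE_SERVER_RANDOM)
    assert ms_on_client == ms_on_server          # same inputs, same 48 bytes, nothing sent

    keys = key_block(ms_on_client, SAMPLE_CLIENT_RANDOM, SAMPLE_SERVER_RANDOM)
    print("Master-Key:", ms_on_client.hex().upper())   # what SSL_SESSION_print labels "Master-Key"
    for name, value in keys.items():
        print(f"{name:24s} {value.hex()}")            # the keys the record layer really uses
    return ms_on_client, keys


if __name__ == "__main__":
    demo()
```

The practical reading of the output: the line SSL_SESSION_print labels `Master-Key` is shared by both peers, but neither side ever encrypts application data with it directly; the record layer uses `client_write_key` for client-to-server traffic and `server_write_key` for the reverse direction, each with its own MAC secret and IV. If the application needs its own AES key for data carried outside the TLS tunnel, deriving it from the master secret with a distinct label (as the key-block step does) keeps it separate from the record-layer keys; reusing the master secret itself as a cipher key would tie the session's confidentiality to a value that is also retained in the session cache.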