1

I have a question regarding the TLS handshake. As of my reading I came to know that master_secret will be derived from pre_master_secret shared by client as follows:

  • master_secret = PRF(pre_master_secret, "master secret", lientHello.random + ServerHello.random)

  • From this master_secret the below session keys are derived.

  • On client side:

    client_write_MAC_secret[SecurityParameters.hash_size]
client_write_key[SecurityParameters.key_material_length]
client_write_IV[SecurityParameters.IV_size]

  • On server side:

    server_write_MAC_secret[SecurityParameters.hash_size]
server_write_key[SecurityParameters.key_material_length]
server_write_IV[SecurityParameters.IV_size]

Wwhen these session keys are generated separately on the client and the server and never exchanged and transmitted between them, how does the server decrypt the client's encrypted message and vice-versa?

Or all the 6 session keys are created on both client and server individually and hope they are similar. If this is true then both the client and the server can decrypt each others encrypted messages.

Anders
  • 64,406
  • 24
  • 178
  • 215
Srinivas M
  • 13
  • 3

1 Answers1

0

Look at RFC 5246 Section 6.3. On both sides, bytes are generated using the PRF from the same arguments, so the generated bytes are the same. Those generated bytes are used the following way: The first "mac_key_length" bytes (e.g. 20 bytes) are the client's MAC key and the next "mac_key_length" are the server's. Then the next "enc_key_length" (e.g. 16 bytes) are the client's cipher (e.g. AEs) key and the next are the server's, etc.

Each sides knows whether it's the client or the server, so they choose the right MAC/key/IV when reading and the other MAC/key/IV when writing.

Community
  • 1
Z.T.
  • 7,768
  • 1
  • 20
  • 35