Reply To: Steve Dirickson (Volt)
Date: Tue, 2 Oct 2001 13:59:23 -0700

> The use of server certificates is optional in SSL/TLS, but I think that all
> the browsers require them as policy. I haven't been able to verify that,
> though.
>
> When a server certificate is used--which, in practice, it always is--then
> the key in the certificate is used instead of the ServerKeyExchange.
> Because the certificates can be verified from out-of-band data, they protect
> against active man-in-the-middle attacks. Non-certificate key exchanges
> only protect against passive eavesdroppers.

That isn't how I read the RFC.

   F.1. Handshake protocol

       The handshake protocol is responsible for selecting a CipherSpec and
       generating a Master Secret, which together comprise the primary
       cryptographic parameters associated with a secure session. The
       handshake protocol can also optionally authenticate parties who have
       certificates signed by a trusted certificate authority.

   8.1. Computing the master secret

       For all key exchange methods, the same algorithm is used to convert
       the pre_master_secret into the master_secret. The pre_master_secret
       should be deleted from memory once the master_secret has been
       computed.

           master_secret = PRF(pre_master_secret, "master secret",
                               ClientHello.random + ServerHello.random)
                               [0..47];

       The master secret is always exactly 48 bytes in length. The length of
       the premaster secret will vary depending on key exchange method.

   7.4.3. Server key exchange message

       When this message will be sent:
           This message will be sent immediately after the server
           certificate message (or the server hello message, if this is an
           anonymous negotiation).

           The server key exchange message is sent by the server only when
           the server certificate message (if sent) does not contain enough
           data to allow the client to exchange a premaster secret. This is
           true for the following key exchange methods:

               RSA_EXPORT (if the public key in the server certificate is
                   longer than 512 bits)
               DHE_DSS
               DHE_DSS_EXPORT
               DHE_RSA
               DHE_RSA_EXPORT
               DH_anon

           It is not legal to send the server key exchange message for the
           following key exchange methods:

               RSA
               RSA_EXPORT (when the public key in the server certificate is
                   less than or equal to 512 bits in length)
               DH_DSS
               DH_RSA

IOW, if the certificate meets the requirements, it may be used to protect the transmission of the pre_master_secret. No matter how the pre_master_secret is conveyed, it is used to generate the master_secret, which controls all further encryption.
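To make the section 8.1 point concrete, here is an added example (not code from the original post) that implements the TLS 1.0 PRF and master_secret derivation of RFC 2246 and runs the same derivation over two constructed pre_master_secrets, one shaped like the RSA key exchange value and one like a DHE value. All randoms and secrets are made-up sample data, not real handshake output.

```python
# Added example (not from the original post): the TLS 1.0 master_secret
# derivation of RFC 2246 section 8.1, built on the PRF of section 5.
# All secrets and randoms below are constructed sample values.
import hmac


def p_hash(hash_name, secret, seed, length):
    """P_hash from RFC 2246 section 5: HMAC iterated until `length` bytes exist."""
    out = b""
    a = seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()  # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]


def prf(secret, label, seed, length):
    """TLS 1.0 PRF: P_MD5(S1, label + seed) XOR P_SHA-1(S2, label + seed).
    S1 and S2 are the two halves of the secret; for an odd length they share
    the middle byte (RFC 2246 section 5)."""
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[-half:]
    md5_part = p_hash("md5", s1, label + seed, length)
    sha1_part = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha1_part))


def master_secret(pre_master_secret, client_random, server_random):
    """Section 8.1: one derivation for every key exchange method, always 48 bytes."""
    return prf(pre_master_secret, b"master secret", client_random + server_random, 48)


# Constructed sample inputs (not real handshake data).
CLIENT_RANDOM = bytes(range(32))
SERVER_RANDOM = bytes(range(32, 64))
# RSA key exchange: a 48-byte pre_master_secret (2-byte client version, then
# 46 random bytes) that the client sends encrypted under the certificate key.
PMS_RSA = b"\x03\x01" + b"\x11" * 46
# DHE key exchange: the pre_master_secret is the negotiated DH value Z, whose
# length depends on the group; a 128-byte placeholder is used here.
PMS_DHE = b"\x22" * 128

if __name__ == "__main__":
    for name, pms in (("RSA", PMS_RSA), ("DHE", PMS_DHE)):
        ms = master_secret(pms, CLIENT_RANDOM, SERVER_RANDOM)
        print(f"{name}: {len(pms)}-byte pre_master_secret -> {len(ms)}-byte master_secret")
```

Whatever length the pre_master_secret has, and however it was conveyed (under the certificate's key or via a ServerKeyExchange), the output is a 48-byte master_secret bound to both hello randoms.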