session_09_vpn__ipsec__and_tls_101908

Mogollon 0108 45 the record protocol requires an


ollowing:

o RSA: A 48-byte pre_master_secret key, enciphered with the public key from the server's certificate or the temporary RSA key provided in a server key_exchange message. This pre_master_secret key is used to derive the master_secret key.

o Diffie-Hellman: The client’s Diffie-Hellman public value (g^X mod p). If Diffie-Hellman is used, both client and server perform the Diffie-Hellman calculation to create a pre_master key.

VPN, IPSec and TLS

Key Calculation – Key and MAC Secrets

[Figure: Client and Web Server exchange (wrap / transport) or agree on (Diffie-Hellman) a pre-master key. On each side: Pre_Master_Key, Master_Key Generation, Key_Block PRF Expansion, producing Client MAC, Server MAC, Client Key/IV and Server Key/IV. The MACs provide integrity; symmetric block encryption (encipher / decipher) provides confidentiality. Panel labels: VPN, IPsec, IKE v2, TLS.]

M. Mogollon – 01/08 - 45

• The record protocol requires an algorithm to generate keys and MAC secrets from the security parameters provided by the Handshake Protocol. As stated before, the master_secret generated during the Authentication and Key Exchange is used as an entropy source to generate keys and MAC secrets. The key material is generated as follows:

    key_block = PRF (SecurityParameters.master_secret,
                     "key expansion",
                     SecurityParameters.server_random || SecurityParameters.client_random)

  until enough key material is generated for the following four items: client write MAC secret, server write MAC secret, client write key, and server write key.

• The master secret is a 48-byte secret shared between the two peers in the connection. The client random is a 32-byte value provided by the client, and the server random is a 32-byte value provided by the server.

• The pseudorandom function (PRF) is used to expand secrets into blocks of data for the purposes of key generation or validation.
The PRF takes as input a secret, a seed, and an iden...
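
An added example, not part of the slides: the key_block expansion above in Python, assuming the TLS 1.0/1.1 PRF from RFC 2246/4346 (P_MD5 XOR P_SHA-1), which this preview does not show. The function names, the sample inputs, and the HMAC-SHA1 / AES-128 sizes in the sample call are assumptions made for illustration.

```python
import hashlib
import hmac

def p_hash(hash_name, secret, seed, length):
    """P_hash from RFC 2246/4346: A(0) = seed, A(i) = HMAC(secret, A(i-1))."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]

def prf(secret, label, seed, length):
    """TLS 1.0/1.1 PRF (assumed here): P_MD5(S1, ...) XOR P_SHA-1(S2, ...)."""
    half = (len(secret) + 1) // 2      # the halves share one byte if length is odd
    s1, s2 = secret[:half], secret[len(secret) - half:]
    md5_part = p_hash("md5", s1, label + seed, length)
    sha_part = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha_part))

def derive_key_block(master_secret, server_random, client_random, mac_len, key_len):
    """Expand the master secret and split it into the four items, in order."""
    if len(master_secret) != 48 or len(server_random) != 32 or len(client_random) != 32:
        raise ValueError("expected a 48-byte master secret and 32-byte randoms")
    # Seed order for key expansion is server_random first, then client_random.
    block = prf(master_secret, b"key expansion",
                server_random + client_random, 2 * mac_len + 2 * key_len)
    names = ["client_write_MAC_secret", "server_write_MAC_secret",
             "client_write_key", "server_write_key"]
    sizes = [mac_len, mac_len, key_len, key_len]
    keys, offset = {}, 0
    for name, size in zip(names, sizes):
        keys[name] = block[offset:offset + size]
        offset += size
    return keys

# Constructed sample inputs (not values from a real session).
MASTER = bytes(range(48))
SERVER_RANDOM = bytes([0xAA]) * 32
CLIENT_RANDOM = bytes([0xBB]) * 32

if __name__ == "__main__":
    # Sizes assume HMAC-SHA1 (20-byte MAC secret) and AES-128 (16-byte key).
    keys = derive_key_block(MASTER, SERVER_RANDOM, CLIENT_RANDOM, 20, 16)
    for name, value in keys.items():
        print(f"{name:24s} {value.hex()}")
```

Both peers must feed the randoms in the same order; swapping server_random and client_random produces an unrelated key block, and the record layer's MAC check then fails on the first protected record.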