session_09_vpn__ipsec__and_tls_101908

No acknowledgment of the finished message is required

Info iconThis preview shows page 1. Sign up to view the full content.

View Full Document Right Arrow Icon
This is the end of the preview. Sign up to access the rest of the document.

Unformatted text preview: s (IV) required to encipher the data. VPN IPsec IKE v2 TLS M. Mogollon – 01/08 - 43 • In this phase, the client and server update the cipher_spec with the newly agreed-upon encryption algorithms, keys, and hash functions. Then, the client sends a finished message to verify that the key exchange and authentication processes were successful. The finished message is the first protected message with the just-negotiated encryption algorithms, hash functions, and symmetric encrypting keys. The finished message is hashed as follows: • MD5(master_secret || pad2 || MD5(handshake_messages || Sender || master_secret || pad1)); • SHA(master_secret || pad2 || SHA(handshake_messages || Sender || master_secret || pad1)); • Where pad1 and pad 2 are the values defined in the MAC, “handshake” refers to all handshake messages exchanged, and “sender” is a code that identifies whether the sender is a client (0x434C4E54) or a server (0x53525652). • No acknowledgment of the finished message is required and, at this point, client and server may begin sending confidential data immediately after sending the finished message. 43 VPN, IPSec and TLS Key Calculation - Pre Master Key Generation Client Web Server Method 1 RSA – 48-byte Generated by the Client Server’s Certificate Server’s Public Key Server’s Secret Key Pre Master Key Encipher Decipher RSA RSA Pre Master Key Method 2: Diffe-Hellman Diffie-Hellman Key Exchange Diffie-Hellman Key Exchange Pre Master Key Pre Master Key VPN IPsec IKE v2 TLS M. Mogollon – 01/08 - 44 • In the client key-exchange message, the client sets the pre-master key either though direct transmission of the RSA-encrypted secret, or by the transmission of the client Diffie-Hellman public key, which will allow each side to agree upon the same pre-master secret. When the keyexchange method is DH_RSA or DH_DSS, client certification has been requested, and the client is able to respond with a certificate. The Diffie-Hellman public-key parameters (group and generator) match those specified by the server in its certificate; otherwise, the client proposes its own DiffieHellman public-key parameters (group and generator). • The RSA or Diffie-Hellman parameters for the pre_master key are the f...
View Full Document

This note was uploaded on 05/26/2010 for the course TECH 6350 taught by Professor Mogollon during the Spring '10 term at University of Arkansas for Medical Sciences.

Ask a homework question - tutors are online