Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 /10 Pascal URIEN, IETF 72 rd, Monday July 28 th Dublin, Ireland draft-urien-tls-keygen-00.txt TLS Key Generation

Published byAugustine Henderson Modified over 9 years ago

Similar presentations

Presentation on theme: "1 /10 Pascal URIEN, IETF 72 rd, Monday July 28 th Dublin, Ireland draft-urien-tls-keygen-00.txt TLS Key Generation"— Presentation transcript:

1

2 1 /10 Pascal URIEN, IETF 72 rd, Monday July 28 th Dublin, Ireland draft-urien-tls-keygen-00.txt TLS Key Generation Pascal.Urien@telecom-paristech.fr http://www.telecom-paristech.fr

3 2 /10 Pascal URIEN, IETF 72 rd, Monday July 28 th Dublin, Ireland Summary The TLS protocol is widely deployed and used over the Internet. Binary encoding, wide adoption There is an increasing need in the Internet to set up efficient key distribution infrastructures. This draft proposes a keying infrastructure based on the TLS protocol. Differences with the draft-ietf-tls-extractor Computed keys In draft-ietf-tls-extractor-01.txt the TLS PRF function is used In draft-urien-tls-keygen-00.txt a separate KDF function is used Pushed keys The point that is not addressed by draft-ietf-tls-extractor- 01.txt, is the case for which keys are pushed by server and not computed by both parties (client and server)

4 3 /10 Pascal URIEN, IETF 72 rd, Monday July 28 th Dublin, Ireland Full and abbreviated mode choreography Client hello Server Hello Certificate *CertificateRequest ServerHelloDone *Certificate *CertificateVerify ChangeCipherSpec (Encrypted) Finished ChangeCipherSpec (Encrypted) Finished ClientServer Client hello (Session-id) Server Hello(Session-id) ChangeCipherSpec (Encrypted) Finished ClientServer ChangeCipherSpec (Encrypted) Finished *AVP Container Keys = KDF(master-secret, client-random, server-random, label) STEP1 Pure TLS STEP2

5 4 /10 Pascal URIEN, IETF 72 rd, Monday July 28 th Dublin, Ireland Full and abbreviated mode choreography What is available at the end of STEP1. Client-random, Server-random, master-secret, negotiated cipher-suite Implicit KDF function, with an implicit label Other KDF functions MAY be negotiated via TLS-Extensions Cryptographic keys (Kc and Ki), used by encryption algorithms (Kc) and MAC procedures (Ki), are derived according to TLS specifications, but use KDF in place of the TLS PRF function. Keys = KDF(master-secret, client-random, server-random, label) What MAY be done during STEP2. Keys MAY be sent encrypted in an AVP container A new label (for the KDF function) MAY be sent in an AVP container.

6 5 /10 Pascal URIEN, IETF 72 rd, Monday July 28 th Dublin, Ireland Peer to Peer Mode ClientServer Keys = KDF(master-secret, client-random, server-random, label) Keys

7 6 /10 Pascal URIEN, IETF 72 rd, Monday July 28 th Dublin, Ireland Distributed Mode Client1Client2 Keys are sent in AVP containers Encrypted Keys Server Encrypted Keys

8 7 /10 Pascal URIEN, IETF 72 rd, Monday July 28 th Dublin, Ireland AVP Container Coding (imported from TTLS] The AVP Code is four octets Combined with the Vendor-ID field if present, identifies the attribute (i.e. the container structure) uniquely. The 'V' (Vendor-Specific) bit indicates whether the Vendor-ID field is present. The 'M' (Mandatory) bit indicates whether support of the AVP is required. The 'r' bits are unused and set to 0 by the sender. The AVP Length field is three octets, and indicates the length of this AVP including the AVP Code, AVP Length, AVP Flags, Vendor-ID (if present) and Data. Data Length is two octets and indicates the size of data without padding bytes. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | AVP Code | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |V M r r r r r r| AVP Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Vendor-ID (opt) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Data Length + Data | + | | Optional padding bytes +-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

9 8 /10 Pascal URIEN, IETF 72 rd, Monday July 28 th Dublin, Ireland KDF Consideration Based on the work Krawczyk, H, "On Extract-then-Expand Key Derivation Functions and an HMAC-based KDF", http://www.ee.technion.ac.il/~hugo/kdf/, March 2008 Already use in IKEV2 For Transform Type 2 (Pseudo-random Function), defined Transform IDs are: Keying material is generated according to the selected prf prf+ (K, S) = T1 | T2 | T3|..., where T1 = prf (K, S | 0x01), T2 = prf (K, T1 | S | 0x02), T3 = prf (K, T2 | S | 0x03) SKEYSEED = prf (Ni | Nr, g^ir), SK_d = prf+ (SKEYSEED, Ni | Nr | SPIi | SPIr ) KEYMAT = prf+ (SK_d, Ni | Nr) or KEYMAT = prf+ (SK_d, g^ir | Ni | Nr ) Name Number Defined In PRF_HMAC_SHA1 2 RFC 2104 PRF_HMAC_TIGER 3 RFC 2104 PRF_AES128_XCBC 4 RFC 3664

10 9 /10 Pascal URIEN, IETF 72 rd, Monday July 28 th Dublin, Ireland Proposed default KDF Notations. The first argument to a keyed function denotes the key, the value K is the key to PRF and x its input. The symbol || denotes concatenation. Given two numbers N and n the symbol N:n represents the value N written as n-bit integer. L is the length in bits, of this output value delivers by the HMAC procedure (L=160 for SHA1) Pseudo Random Key PRK = HMAC (client-random || server-random, master-secret) Keying material, whose length in bits is D, required D/L operations. First is expressed as K(1) = HMAC(PRK, 0:L || KeyLabel || 0:32), Further operations (whose number is i) are computed according to K(i+1) = HMAC(PRK, K(i) || KeyLabel || i:32) where KeyLabel is an ASCII string set to "key expansion".

11 10 /10 Pascal URIEN, IETF 72 rd, Monday July 28 th Dublin, Ireland Questions ?

Download ppt "1 /10 Pascal URIEN, IETF 72 rd, Monday July 28 th Dublin, Ireland draft-urien-tls-keygen-00.txt TLS Key Generation"

Similar presentations

Cryptography and Network Security Chapter 16

Cryptography and Network Security Chapter 16
Web security: SSL and TLS

Web security: SSL and TLS
1 Lecture 12 SSL/TLS (Secure Sockets Layer / Transport Layer Security) CIS 4362 - CIS 5357 Network Security.

1 Lecture 12 SSL/TLS (Secure Sockets Layer / Transport Layer Security) CIS CIS 5357 Network Security.
TLS. 14.1 Introduction 14.2 TLS Record Protocol 14.3 TLS Handshake Protocol 14.4 Summary.

TLS Introduction 14.2 TLS Record Protocol 14.3 TLS Handshake Protocol 14.4 Summary.
Secure Socket Layer.

Secure Socket Layer.
SSL CS772 Fall 2011. Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
1 Information System Security AABFS-Jordan Summer 2006 Web security: SSL and TLS Prepared by : Mohammed tarawneh Presented to: Dr. Lo’ai Tawalebeh.

1 Information System Security AABFS-Jordan Summer 2006 Web security: SSL and TLS Prepared by : Mohammed tarawneh Presented to: Dr. Lo’ai Tawalebeh.
17.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 17 Security at the Transport Layer: SSL and TLS.

17.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 17 Security at the Transport Layer: SSL and TLS.
Transport Layer Security (TLS) Bill Burr November 2, 2001.

Transport Layer Security (TLS) Bill Burr November 2, 2001.
Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)

Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)
Web Security (SSL / TLS)

Web Security (SSL / TLS)
Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)

Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)
Transport Layer Security (TLS) Protocol Introduction to networks and communications(CS555) Prof : Dr Kurt maly Student:Abhinav y.

Transport Layer Security (TLS) Protocol Introduction to networks and communications(CS555) Prof : Dr Kurt maly Student:Abhinav y.
ITA, 2.11.2011, 8-TLS.pptx 1 Internet Security 1 (IntSi1) Prof. Dr. Andreas Steffen Institute for Internet Technologies and Applications (ITA) 8 Transport.

ITA, , 8-TLS.pptx 1 Internet Security 1 (IntSi1) Prof. Dr. Andreas Steffen Institute for Internet Technologies and Applications (ITA) 8 Transport.
Information Security Principles & Applications Topic 4: Message Authentication 虞慧群

Information Security Principles & Applications Topic 4: Message Authentication 虞慧群
IP Security IPSec 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.

IP Security IPSec 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.
Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.

Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 9 Wenbing Zhao Department of Electrical and Computer Engineering.

EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 9 Wenbing Zhao Department of Electrical and Computer Engineering.
0 SSL3.0 / TLS1.0 Secure Communication over Insecure Line.

0 SSL3.0 / TLS1.0 Secure Communication over Insecure Line.
IKE message flow IKE message flow always consists of a request followed by a response. It is the responsibility of the requester to ensure reliability.

IKE message flow IKE message flow always consists of a request followed by a response. It is the responsibility of the requester to ensure reliability.

Similar presentations

Ads by Google