On 1/18/19 8:51 PM, Gary E. Miller via devel wrote:

>> The c2s/s2c pair. Generated *BY* the TLS exchange between the client
>> and the NTS-KE server.
> No, generated *FOR* the key TLS exchange.

This is the main source of your confusion.

The client and NTS-KE server establish a TLS session. The TLS connection has its own keys created as part of the TLS negotiation. We don't care about any of those keys directly. They can be managed by the SSL library doing the encryption for the NTS-KE daemon and you never need to see them.

Then, the NTS-KE daemon asks the SSL library to perform RFC 5705: twice, once for C2S and once for S2C. It passes the inputs specified in the NTS protocol. The SSL library, which knows the TLS session's PRF, master_secret, client_random, and server_random, runs the RFC 5705 algorithm and hands back a key to the NTS-KE daemon. See, for example:

https://www.openssl.org/docs/man1.1.1/man3/SSL_export_keying_material.html

The client and server independently run this RFC 5705 algorithm in the same way and, since it is deterministic, each arrive at the same C2S and S2C, which will be used later for NTP (not NTS-KE) traffic.

The NTS-KE and NTP processes, if separate, share a--completely separate from all of the above--key "K" which is used to encrypt the cookies they issue to the client.

-- Richard
devel mailing list: http://lists.ntpsec.org/mailman/listinfo/devel
