I think the problem this person seem to have is not finding a way to extract
the master secret on the client side, which is why I suggested he can send
it as a payload from the server as part of the app data, since its the
exactly the same. Also, krishna, pls understand that the master secret is
not used for eny/dec, its used to derive the actualy auth and enc keys using
specific methods as mentioned in the RFC. These keys are unique per
connection basis, mixed by some randoms. The master secret is unique for a
session. A session can contain many connections each represented by a SSL
OBJ, and the enc/dec keys are different for every connection, which can be
obtained from the SSL OBJ.
Please understand TLS as such from the RFC.
Thanks
--Gayathri
On Wed, Aug 24, 2011 at 9:43 AM, Erik Tkal <et...@juniper.net> wrote:
> I’m not sure you are understanding this. Both sides derive the same
> master key, so there is no need to send it. After the handshake the SSL
> code will use that key to generate specific encryption keys and perform
> encryption of further traffic through the tunnel. If you are only using the
> handshake to generate the master key to be used elsewhere (e.g. for
> proprietary encryption), then you can get it from the SSL_SESSION object
> (not sure if there’s a get method).****
>
>
> ....................................
> *Erik Tkal**
> *Juniper OAC/UAC/Pulse Development
>
> ****
>
> ** **
>
> *From:* owner-openssl-us...@openssl.org [mailto:
> owner-openssl-us...@openssl.org] *On Behalf Of *krishnamurthy santhanam
> *Sent:* Wednesday, August 24, 2011 12:51 AM
> *To:* openssl-users@openssl.org
> *Subject:* Re: creating Master-Key for encryption/decryption****
>
> ** **
>
> Thanks. As per my understanding,Before sending master key to client ,
> server has to maintain the master key. How i can get this in server side? is
> there any code sample or snippet to get this key?****
>
> ****
>
> Krishna****
>
> On Tue, Aug 23, 2011 at 11:54 PM, Gayathri Sundar <suraj...@gmail.com>
> wrote:****
>
> Master key is unique per session, and its same for both client and server,
> thats the concept behind the SSL handshake. The RFC would state the
> information accurately. Perhaps you can send the master secret as part of
> ur application data, to the client, which can decrypt and use.****
>
> Thanks****
>
> --Gayathri****
>
> ****
>
> On Tue, Aug 23, 2011 at 12:41 PM, krishnamurthy santhanam <
> krishnamurth...@gmail.com> wrote:****
>
> Thanks. I gone through the RFC 2246 and understood the Master key
> generation part. The Master key is generated and able to print the client
> side(test C program) using ssl strucure. ****
>
> ** **
>
> printf("session A\n");****
>
> SSL_SESSION *session = SSL_get_session(ssl);****
>
> SSL_SESSION_print(out, session);****
>
> for (i=0; i<(unsigned int)session->master_key_length; i++)
> {
> BIO_printf(bp,"%02X",session->master_key[i]) );
> }****
>
> How i can get the same Master key in server side? ****
>
> in my scenario, server side program is running in C. JDBC clients will
> establish the connection to the server. will the same Mester key generated
> in the cross platforms(JDBC client side)?****
>
> Any help will be great.****
>
> Thanks for your time,****
>
> Krishnamurthy****
>
> ** **
>
> On Mon, Aug 22, 2011 at 9:03 PM, Gayathri Sundar <suraj...@gmail.com>
> wrote:****
>
> Please read the RFC, it would clearly explain how the master secret is
> dervied, and from that how the read and write keys are derived. With that
> you can get to know how to extract the read n write keys. Meanwhile the read
> and wirte keys are available as part of the ssl object.****
>
> Check that structure out.****
>
> ****
>
> Thanks****
>
> --Gayathri****
>
> On Mon, Aug 22, 2011 at 10:24 AM, krishnamurthy santhanam <
> krishnamurth...@gmail.com> wrote:****
>
> I have more than 100 clients that will connect to my server and communicate
> the data. I am implementing SSL on server side to authenticate the client
> certificate(X.509) and also client will authenticate the servers
> certificate. Once the mutual authentication has completed I have to generate
> master key for encryption and decryption. I am going to use AES for
> encryption and decryption.****
>
> I had generated the client and server certificates using the bellow
> commands and signed by the root,****
>
> 1. CLIENT CERTIFICATE:****
>
> openssl req -newkey rsa:1024 -sha1 -keyout clientkey.pem -out clientreq.pem
> ****
>
> openssl x509 -req -in clientreq.pem -sha1 -extfile openssl.cnf -extensions
> usr_cert -CA rootcert.pem -CAkey rootkey.pem -CAcreateserial -out
> clientcert.pem****
>
> cat clientkey.pem clientcert.pem rootcert.pem > client.pem****
>
> openssl x509 -subject -issuer -noout -in client.pem ****
>
> 2. SERVER CERTIFICATE:****
>
> openssl req -newkey rsa:1024 -sha1 -keyout serverkey.pem -out serverreq.pem
> ****
>
> openssl x509 -req -in serverreq.pem -sha1 -extfile openssl.cnf -extensions
> usr_****
>
> cert -CA rootcert.pem -CAkey rootkey.pem -CAcreateserial -out
> servercert.pem****
>
> cat serverkey.pem servercert.pem rootcert.pem > server.pem****
>
> openssl x509 -subject -issuer -noout -in server.pem****
>
> 3. ROOT CERTIFICATE:****
>
> openssl req -newkey rsa:1024 -sha1 -keyout rootkey.pem -out rootreq.pem***
> *
>
> openssl x509 -req -in rootreq.pem -sha1 -extfile root.cnf -extensions v3_ca
> -sig****
>
> nkey rootkey.pem -out rootcert.pem****
>
> cat rootcert.pem rootkey.pem > root.pem****
>
> openssl x509 -subject -issuer -noout -in root.pem****
>
> ****
>
> Initially I am writing ssl/tls programming for server and client. In this
> I am able to communicate the data between client and server. ****
>
> I was struck on master key generation, I have added the below LOC to
> programs to get MASTER KEY,****
>
> printf("session A\n");****
>
> SSL_SESSION *session = SSL_get_session(ssl);****
>
> SSL_SESSION_print(out, session);****
>
> It is printing like this ,****
>
> session A****
>
> SSL-Session:****
>
> Protocol : TLSv1****
>
> Cipher : AES256-SHA****
>
> Session-ID:
> 9FCE46513DD74882D3FF0E0E84CC4A6BE12192B65C426E0B27D0FA15F81D7D5E****
>
> Session-ID-ctx:****
>
> Master-Key:
> 56F90B0D90DEB3430207A74793C9B6565744E06ECA191D9DFA04C29B1EE2B782****
>
> 6B602878597465F739AD69091DDF6499****
>
> Key-Arg : None****
>
> Krb5 Principal: None****
>
> Compression: 1 (zlib compression)****
>
> Start Time: 1314015355****
>
> Timeout : 7200 (sec)****
>
> Is this the Master key for both the server and client? ****
>
> Is this the key that should be used for the encryption in client side and
> decryption in server side?****
>
> If this is the Master key how can I extract the key?****
>
> Please guide me if I understood anything wrong. ****
>
> ** **
>
> ** **
>
> ** **
>
> ** **
>
