On Monday, July 20, 2015 01:31:15 pm Hugo Krawczyk wrote:
> Your question boils down to: Why is finished_secret derived from SS only
> and not from ES?
> 
> First note that the issue only arises in the known_configuration case since
> in other cases ES and SS are the same.
> For the known_configuration case there are two important reasons
> to build on SS and not on ES:
>
> 1. Only SS can authenticate the handshake as it is the only element to
> involve the server's (semi) static private key.
> 2. One of the main elements to be authenticated by the server (via the
> Finished message) is the ServerKeyShare, thus deriving the key for the
> Finished message (i.e. finished_secret) from ES (calculated using
> ServerKeyShare) would create a circularity issue in the logic of the
> derivation.
> 
> Note that the derivation of application keys (and other key material
> remaining after the end of the handshake) does involve both SS and ES, but in
> that case involving ES is crucial to achieve forward secrecy.

Thanks for the explanation.

Using the master secret could work, but adding the ES isn't productive so using 
the SS directly makes more sense than mixing SS+ES first.


Dave

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
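
Point 1 of the quoted explanation, as an added example that is not part of the thread or of the TLS draft: in the known_configuration case, a party that lacks the server's static private key can still compute ES (it picks the ServerKeyShare itself) but not SS, so only a Finished key derived from SS authenticates the server. The toy group, the single HMAC step standing in for the draft's key schedule, and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, for illustration only (far too small for real use).
P = 2**127 - 1
G = 3

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def dh(priv, peer_pub):
    return pow(peer_pub, priv, P).to_bytes(16, "big")

def finished_mac(secret, transcript):
    # Simplified stand-in for the draft's key schedule (assumption): one HMAC
    # step yields finished_secret, which then MACs the handshake transcript.
    finished_secret = hmac.new(secret, b"finished", hashlib.sha256).digest()
    return hmac.new(finished_secret, transcript, hashlib.sha256).digest()

def forged_finished_accepted(derive_from):
    """Return True if a party without the server's static private key can
    produce a Finished MAC that the client accepts."""
    _s_priv, s_pub = keypair()   # real server's (semi-)static key, known to client
    c_priv, c_pub = keypair()    # client's ephemeral key share
    i_priv, i_pub = keypair()    # impersonator's own ServerKeyShare
    transcript = b"ClientKeyShare=%d;ServerKeyShare=%d" % (c_pub, i_pub)

    client = {"SS": dh(c_priv, s_pub), "ES": dh(c_priv, i_pub)}
    # The impersonator chose i_priv, so it can compute ES. Without s_priv it
    # cannot compute SS; the closest value it can form is s_pub ** i_priv.
    impersonator = {"SS": dh(i_priv, s_pub), "ES": dh(i_priv, c_pub)}

    expected = finished_mac(client[derive_from], transcript)
    offered = finished_mac(impersonator[derive_from], transcript)
    return hmac.compare_digest(expected, offered)

if __name__ == "__main__":
    for source in ("ES", "SS"):
        print(source, "->", forged_finished_accepted(source))
```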
