Hi, perhaps I'm missing various somethings, but I'm having trouble figuring
out _how_ the Static Secret (SS) and Ephemeral Secret (ES) are actually
derived...
Given this chunk of -tls13-11..
###
7.1. Key Schedule
The TLS handshake establishes secret keying material which is then
used to protect traffic. This keying material is derived from the
two input secret values: Static Secret (SS) and Ephemeral Secret
(ES).
The exact source of each of these secrets depends on the operational
mode (DHE, ECDHE, PSK, etc.) and is summarized in the table below:
+-----------------+------------------------+------------------------+
| Key Exchange | Static Secret (SS) | Ephemeral Secret (ES) |
+-----------------+------------------------+------------------------+
| (EC)DHE (full | Client ephemeral w/ | Client ephemeral w/ |
| handshake) | server ephemeral | server ephemeral |
| | | |
| (EC)DHE (w/ | Client ephemeral w/ | Client ephemeral w/ |
| 0-RTT) | server static | server ephemeral |
| | | |
| PSK | Pre-Shared Key | Pre-shared key |
| | | |
| PSK + (EC)DHE | Pre-Shared Key | Client ephemeral w/ |
| | | server ephemeral |
+-----------------+------------------------+------------------------+
###
..where do "client ephemeral" & "server ephemeral" come from -- i.e., which
section(s) of the spec define their provenance? searching -tls13-11's text
for those phrases yields hits in only that thar above table :(
however, I note the following in the preceding section 6.2..
###
6.2. Handshake Protocol Overview
[...]
Ephemeral Secret (ES): A secret which is derived from fresh (EC)DHE
shares for this connection. Keying material derived from ES is
intended to be forward secret (with the exception of pre-shared key
only modes).
Static Secret (SS): A secret which may be derived from static or
semi-static keying material, such as a pre-shared key or the server's
semi-static (EC)DH share.
[...]
... If DH is in use, this will contain a
"key_share" extension with the server's ephemeral Diffie-Hellman
share which MUST be in the same group as one of the shares offered by
the client. The server's KeyShare and the client's KeyShare
corresponding to the negotiated key exchange are used together to
derive the Static Secret and Ephemeral Secret (in this mode they are
the same). [Section 6.3.2.3]
###
So, is "server ephemeral" in S 7.1 actually referring to "the server's
ephemeral Diffie-Hellman share" in S 6.2 ?
Is "client ephemeral" in S 7.1 referring to "the client's KeyShare" in S 6.2 ?
The above S 6.2 text seems to indicate that Section 6.3.2.3 defines how the
server's KeyShare and the client's KeyShare are used to derive the Static
Secret and Ephemeral Secret, but I am not able discern such a definition
(unlike the clear definitions for xSS, xES, etc in S 7.1).
thanks,
=JeffH
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
