[19040] in cryptography@c2.net mail archive

Re: Session Key Negotiation

daemon@ATHENA.MIT.EDU (Eric Rescorla)
Wed Nov 30 11:00:18 2005

X-Original-To: cryptography@metzdowd.com
To: Will Morton <macavity@well.com>
Cc: cryptography@metzdowd.com
Reply-To: EKR <ekr@rtfm.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 30 Nov 2005 08:06:04 -0800
In-Reply-To: <43835A43.30607@well.com> (Will Morton's message of "Tue, 22 Nov 2005 17:49:55 +0000")

Will Morton <macavity@well.com> writes:
> I am designing a transport-layer encryption protocol, and obviously wish
> to use as much existing knowledge as possible, in particular TLS, which
> AFAICT seems to be the state of the art.
>
> In TLS/SSL, the client and the server negotiate a 'master secret' value
> which is passed through a PRNG and used to create session keys.

May I ask why you don't just use TLS?


> My question is: why does this secret need to be negotiated?  Why can one
> side or another (preference for client) not just pick a secret key and
> use that?

Well, in TLS in RSA mode, the client picks the secret value (technical
term: PreMaster Secret) but both sides contribute randomness to ensure
that the Master Secret is unique. This is a clean way to
ensure key uniqueness and prevent replay attacks.

In DH mode, of course, both sides contribute shares, but that's
just how DH works.

-Ekr

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
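The derivation EKR describes, worked through as an added example (this is not code from the mail or from any TLS implementation). It uses the TLS 1.2 PRF from RFC 5246 (P_SHA256), which is simpler than the MD5/SHA-1 PRF of the TLS 1.0 era being discussed; the premaster secret and the two random values are constructed test inputs, not captured traffic. The point it shows: with the client's PreMaster Secret and ClientHello.random held fixed (what a replayed ClientKeyExchange would give an attacker), a fresh ServerHello.random still yields a different Master Secret and different session keys.

```python
import hmac
import hashlib

def p_hash(secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 P_hash data-expansion function (RFC 5246, section 5), with HMAC-SHA256.

    A(0) = seed, A(i) = HMAC(secret, A(i-1));
    output = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ...
    """
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]

def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """PRF(secret, label, seed) = P_SHA256(secret, label + seed)."""
    return p_hash(secret, label + seed, length)

def master_secret(pre_master_secret: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """master_secret = PRF(pre_master_secret, "master secret",
                            ClientHello.random + ServerHello.random)[0..47]"""
    return tls12_prf(pre_master_secret, b"master secret", client_random + server_random, 48)

def key_block(ms: bytes, client_random: bytes, server_random: bytes, length: int) -> bytes:
    """key_block = PRF(master_secret, "key expansion",
                        ServerHello.random + ClientHello.random); note the reversed order."""
    return tls12_prf(ms, b"key expansion", server_random + client_random, length)

# Constructed inputs (not real traffic). In RSA mode the 48-byte PreMaster Secret is
# the client-chosen value: 2 version bytes followed by 46 client-random bytes.
PMS = b"\x03\x03" + bytes(range(46))
CLIENT_RANDOM = bytes(32)              # the client's ClientHello.random, held fixed
SERVER_RANDOM_FIRST = bytes([1] * 32)  # server's contribution in the genuine session
SERVER_RANDOM_REPLAY = bytes([2] * 32) # server's fresh contribution when the client
                                       # messages are replayed

def replay_demo() -> dict:
    """Derive keys for the genuine handshake and for a replay of the client's messages.

    Same PreMaster Secret, same client_random; only the server's random differs.
    """
    ms_first = master_secret(PMS, CLIENT_RANDOM, SERVER_RANDOM_FIRST)
    ms_replay = master_secret(PMS, CLIENT_RANDOM, SERVER_RANDOM_REPLAY)
    # 2 MAC keys + 2 encryption keys of 32 bytes each = 128 bytes, as one plausible key block size
    kb_first = key_block(ms_first, CLIENT_RANDOM, SERVER_RANDOM_FIRST, 128)
    kb_replay = key_block(ms_replay, CLIENT_RANDOM, SERVER_RANDOM_REPLAY, 128)
    return {
        "ms_first": ms_first,
        "ms_replay": ms_replay,
        "kb_first": kb_first,
        "kb_replay": kb_replay,
        "keys_differ": ms_first != ms_replay and kb_first != kb_replay,
    }

if __name__ == "__main__":
    r = replay_demo()
    print("master secret (genuine):", r["ms_first"].hex())
    print("master secret (replay): ", r["ms_replay"].hex())
    print("replay gets different keys:", r["keys_differ"])
```

Because the server's 32 random bytes enter the PRF seed, a recorded ClientKeyExchange replayed to the server lands in a session whose Master Secret the attacker cannot know, even though they hold the encrypted PreMaster Secret and the client's random. The same derivation is why, as the mail notes, uniqueness comes for free in DH mode: each side's share already changes the shared secret itself.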