11.7.3 Hash functions in authentication-related messages

In the previous chapters, we discussed that TLS uses the following messages uniformly, that is, as a common set, for authentication, key confirmation, and handshake integrity:

• Certificate
• CertificateVerify
• Finished

Server Alice and client Bob always send these three messages as the last messages of the TLS handshake.

Recall that server Alice and client Bob compute their TLS authentication messages all uniformly by taking the following inputs:

• Their digital certificate and their private key to be used for signing
• The so-called Handshake Context that contains all handshake messages to be included in the transcript hash
• The BaseKey used to compute a MAC key

Based on the preceding inputs, the authentication messages contain the following data:

• The Certificate to be used for authentication, including any supporting certificates in the certificate chain
• The CertificateVerify signature over the value of Transcript-Hash(Handshake Context, Certificate)
• The MAC Finished, computed using the MAC key derived from from BaseKey, over the value of

Transcript-Hash(Handshake Context, Certificate, CertificateVerify)

The CertificateVerify message

Recall that Alice and Bob use the CertificateVerify message to explicitly prove that they indeed possess the private key corresponding to the public key in their certificate. In addition, CertificateVerify is used to ensure the TLS handshake’s integrity up to this point. The structure of CertificateVerify is shown in Listing 11.5.

The signature field contains the digital signature, and the algorithm field contains the signature algorithm that was used to generate the signature. Hash output of the Transcript-Hash(Handshake Context, Certificate) function is the data covered by the digital signature.

Listing 11.5: TLS 1.3 CertificateVerify message

struct {
   SignatureScheme algorithm;
   opaque signature<0..2^16-1>;
} CertificateVerify;

The Finished message

Recall that Finished is the last handshake message in the authentication block, and that this message provides authentication of the TLS handshake and authentication of the keys computed by server Alice and client Bob. The structure of the message is shown in Listing 11.6.

Listing 11.6: Structure of Finished message in TLS 1.3

struct {
   opaque verify_data[Hash.length];
} Finished;

To generate a correct Finished message, Alice and Bob use a secret key derived from the BaseKey using the HKDF-Expand-Label function:
finished_key = HKDF-Expand-Label(BaseKey, “finished”, “”, Hash.length)

Both Alice and Bob must verify the correctness of the Finished message they receive and immediately terminate the TLS session if Finished is corrupted. The verify˙data field is computed as follows:
verify_data = HMAC(finished_key, Transcript-Hash)

The Transcript-Hash is a hash value computed over c—Handshake Context—, Certificate, and CertificateVerify. The values for Certificate and CertificateVerify are included in verify˙data computation only if they were present in the TLS handshake, that is, if either server Alice or client Bob have used digital certificates to prove their identity. Now we are going to explain how Transcript-Hash is computed in detail.

11.7.4 Transcript hash

Alice and Bob use transcript hash – the hash value of the transcript of TLS handshake messages – for many cryptographic computations in TLS. The value of the transcript hash is computed by first concatenating the handshake messages and then applying a hash function to this concatenated value:

where m1,m2,…,mn are the TLS handshake messages and h is a hash function.

More precisely, the following handshake messages – but only those that were actually sent – are used in the following order as input for the transcript hash:

1. ClientHello
2. HelloRetryRequest
3. ClientHello
4. ServerHello
5. EncryptedExtensions
6. Alice’s CertificateRequest
7. Alice’s Certificate
8. Alice’s CertificateVerify
9. Alice’s Finished
10. EndOfEarlyData
11. Bob’s Certificate
12. Bob’s CertificateVerify
13. Bob’s Finished

What, in general, is the use of a transcript of a cryptographic protocol? After a protocol run is finished, the transcript allows Alice and Bob to explicitly verify that they both saw the same messages being exchanged. This, in turn, creates an additional hurdle for Mallory to mount a man-in-the-middle attack by sending Alice a message mi and Bob a different message mi′.

11.7.5 Hash functions in TLS key derivation

Recall that in order to derive TLS session keys, Alice and Bob use HKDF defined in RFC 5869 (specifically, its HKDF-Extract and HKDF-Expand functions) as well as the following two functions:
HKDF-Expand-Label(Secret, Label, Context, Length) = HKDF-Expand(Secret, HkdfLabel, Length)

and
Derive-Secret(Secret, Label, Messages) = HKDF-Expand-Label(Secret, Label, Transcript-Hash(Messages), Hash.length)

The hash function used in Transcript-Hash, HKDF-Extract, and HKDF-Expand is the hash algorithm defined in the TLS cipher suite.Hash.length is the output length of that algorithm in bytes. Finally, Messages means the concatenation of the TLS handshake messages transmitted by Alice and Bob during that specific handshake session. The HkdfLabel is a data structure shown in Listing 11.7.

Listing 11.7: The HkdfLabel data structure

struct {
   uint16 length = Length;
   opaque label<7..255> = “tls13 ” + Label;
   opaque context<0..255> = Context;
} HkdfLabel;

11.8 Summary

In this chapter, we learned how hash functions and message authentication code work, what mathematical properties they have, and how to construct them. Moreover, we covered several popular mechanisms, such as HMAC and the SHA-256, SHA-384, and SHA-512 algorithms from the SHA-2 hash algorithm family. Last but not least, we looked into the application of hash functions and message authentication code in the TLS 1.3 handshake protocol.

This chapter introduced the last building block required to understand how the TLS handshake protocol works in detail. Congratulations: you now know what Alice and Bob actually do to establish a TLS session!

In the next chapter, we will wrap up TLS 1.3 handshake. To do this, we will zoom out of the cryptographic details and give a higher-level description of TLS handshake using state machines for the TLS server and TLS client, which are specified in RFC 8446. Moreover, we will show how you can use s˙client, a TLS client program from the popular OpenSSL toolkit, to conduct your own experiments with TLS.

12.1 Key establishment in TLS 1.3

Using the TLS handshake protocol, Alice and Bob negotiate the cryptographic algorithms and key sizes. They also exchange the key shares that are required to establish the master secret. Further context-specific shared secrets and keys are then derived from this master secret according to TLS 1.3’s key derivation schedule. The secure communication channel is based on a subset of these derived secret keys.

The basic principle of TLS key establishment is shown in Figure 12.1. First, Alice and Bob negotiate cryptographic algorithms, key sizes, and exchange key shares. In the second step, Alice and Bob derive a number of context-specific TLS secrets, and in particular, a shared master secret. Each secret depends on the keying material as well as the label and the context used as inputs to generate that secret.

Finally, in the third step, Alice and Bob use the TLS secrets to derive a number of keys according to TLS 1.3’s key derivation schedule. Because the derived TLS secrets are context-specific, no further labels or additional information is needed to derive the TLS keys. However, due to context-specific secrets as input for the key derivation, the secret TLS keys are also context-specific:

Figure 12.1: A high-level view of key establishment in TLS 1.3

We will cover each of the three steps shown in Figure 12.1 in detail. As we have seen, the first step, exchange of key shares and establishment of a shared master secret over an insecure channel, can only be accomplished using a good deal of math, which is explained in Chapter 7, Public-Key Cryptography. In the present chapter, we will focus on TLS 1.3’s key derivation schedule, that is, the process of deriving further, context-specific secrets and keys from an initial secret.

12.2 TLS secrets

We saw in Chapter 3, A Secret to Share, that a good cryptographic system has multiple keys so that every key is used for a single purpose only. TLS is no exception, and in this chapter, we are going to discuss in detail what cryptographic keys client Bob and server Alice need to establish a secure TLS channel.

However, before discussing the cryptographic keys, we first need to understand what TLS secrets are and how they are derived. TLS uses a three-step approach for generation of cryptographic keys, in which the keys are generated from the secrets:

1. Alice and Bob first establish a shared master secret.
2. They derive context-specific secrets from the master secret.
3. Finally, they derive context-specific keys from these derived secrets.

Note that there is no conceptual (or cryptographic) reason to differentiate between secrets and keys. But because the TLS 1.3 specification uses this terminology and we want to provide a trustworthy guide to this specification, we felt the need to do the same differentiation here.

Table 12.1 gives an overview of secrets used in the TLS protocol and briefly explains their purpose. Don’t worry if the sheer number of TLS secrets looks overwhelming at first.

To help you, we compiled a series of graphics illustrating how the specific TLS secrets and TLS keys are interconnected. You will find the graphics at the end of the next section, Key derivation functions in TLS. In the remainder of this section, we are going to look into every TLS secret in more detail.

Secret	Purpose
Early secret	Used to generate key material if Bob and Alice use a pre-shared key (PSK) for their TLS handshake.
Binder	Establishes a binding between the PSK and current TLS handshake.
Early traffic secret	Used by Bob to encrypt early handshake traffic if the PSK is used for the TLS handshake.
Exporter secrets	Secrets that can be used outside of the TLS protocol to derive additional secret keys for higher-layer protocols or applications running on top of TLS.
Derived secrets	Intermediate secrets used as salt arguments for deriving TLS secrets.
Handshake secret	This secret is the result of the handshake. It is either derived from the early secret in case a PSK is in place or from a Diffie-Hellman key exchange between Alice and Bob. It is used as input to generate the following two TLS secrets: Bob’s handshake traffic secret and Alice’s handshake traffic secret.
Handshake traffic secrets	Used to generate TLS handshake traffic keys, one for Bob and one for Alice.
Master secret	Used as input to generate the following two TLS secrets: Bob’s application traffic secret and Alice’s application traffic secret.
Application traffic secrets	Used to generate TLS application traffic keys. Like with handshake traffic keys, one key is for Bob and one is for Alice.
Resumption master secret	Used for session resumption.

 Table 12.1: Overview of secrets used in TLS (see also [53])

12.2.1 Early secret

TLS 1.3 offers the option for Alice and Bob to use a pre-shared secret key PSK. This is a key Alice and Bob have previously agreed on independent of TLS. If Alice and Bob use a PSK for their TLS handshake, they derive the early secret from PSK and use it as input keying material (IKM) to generate binder˙key, client˙early˙traffic˙secret, and early˙exporter˙master˙secret, which will be explained later in this chapter.

12.2.2 Binder key

The binder key is used to establish a binding between Alice’s and Bob’s pre-shared secret key and their current TLS handshake as well as between the current TLS handshake and the previous TLS handshake where that PSK was generated. In other words, Bob uses the binder to prove to Alice that he indeed knows the PSK associated with the identity known to Alice.

Alice uses the PSK binder to verify that Bob actually knows the correct PSK before actually executing a PSK-based TLS handshake. If the verification fails or Bob does not present the binder to Alice, she immediately aborts the TLS handshake. This ensures that Alice does not execute a PSK-based handshake without verifying that Bob actually knows the PSK.

By binding a previous TLS session where the binder key was generated to the current TLS handshake, this mechanism also allows Alice to implicitly verify that Bob did not suffer a man-in-the-middle attack. If Mallory managed to perform a successful man-in-the-middle attack, Alice and Bob would have a different PSK and this would prevent a subsequent TLS session resumption.

12.2.3 Bob’s client early traffic secret.

If a PSK is used for the TLS handshake, client˙early˙traffic˙secret can be used to generate a key that allows Bob to encrypt early application data in the first ClientHello message of the TLS handshake. This key is only used by Bob.

12.2.4 Exporter secrets

Exporter secrets are secrets used to derive additional secret keys for use outside of the TLS protocol. Some higher-level protocols use TLS to establish a shared secret key and afterward use TLS keying material for other protocol-specific purposes. This, in turn, requires exporting keying material to higher-layer protocols or applications as well as agreeing on the context in which that keying material will be used.

For example, the DTLS-SRTP protocol first uses Datagram-TLS (DTLS) to exchange secret keys and selects the Secure Real-Time Transport Protocol (SRTP) protection suite. Subsequently, it uses DTLS master˙secret to derive SRTP keys.

To enable this, TLS offers a mechanism called Key Material Exporter, details of which are defined in RFC 5705 [145]. The exported values are referred to as Exported Keying Material (EKM). In TLS, early˙exporter˙master˙secret and exporter˙master˙secret are examples of EKM generated at different stages of the TLS handshake.

TLS exporters have the following cryptographic properties:

• They allow Bob and Alice to export the same EKM value
• For attacker Eve who does not know the master˙secret, EKM is indistinguishable from a random number
• Bob and Alice can export multiple EKM values from a single TLS connection
• Even if Eve learns one EKM value, she learns nothing about other EKM values or the master˙secret

12.2.5 Derived secrets

These are intermediate secrets that are used as salt arguments for the HKDF-Extract function (which we will shortly discuss in detail). The HKDF-Extract function, in turn, generates the Handshake Secret and the Master Secret.

12.2.6 Handshake secret

This secret is the final result of the handshake. It is either derived from the Early Secret if a PSK is in place or from the secret Alice and Bob have exchanged during a Diffie-Hellman. The Handshake Secret is used to derive the client˙handshake˙traffic˙secret for Bob and the server˙handshake˙traffic˙secret for Alice.

12.2.7 Handshake traffic secrets

Bob subsequently uses the client˙handshake˙traffic˙secret secret and Alice uses the server˙handshake˙traffic˙secret secret to generate secret keys for their handshake traffic encryption.

12.2.8 Master secret

The Master Secret is used to derive the client˙application˙traffic˙secret0 for Bob and the server˙application˙traffic˙secret0 for Alice. These secrets can be updated later during a TLS session, hence their index 0.

12.2.9 Application traffic secrets

The client˙application˙traffic˙secret0 is used by Bob and the server˙application˙traffic˙secret0 is used by Alice to generate corresponding secret keys for encryption of the application data. These keys allow Alice and Bob to establish a secure channel for the bulk application data. TLS also has an optional mechanism to update these secrets and, in turn, these keys during a TLS session.

12.2.10 Resumption master secret

This secret is used to derive the pre-shared secret key for TLS session resumption. After a successful handshake, Alice can send Bob the identity of a PSK derived during that handshake. Bob can then use this PSK identity in subsequent TLS handshakes with Alice in order to signal his desire to use the associated PSK.

We now turn to the question of how the secrets are derived from the exchanged keying material.

12.3 KDFs in TLS

TLS uses four different functions to derive secrets: HKDF-Extract, HKDF-Expand, HKDF-Expand-Label, and Derive-Secret. All these functions are based on the Hashed Message Authentication Code (HMAC)-based Extract-and-Expand Key Derivation Function (HKDF) defined in RFC 5869 [104].

We will have much more to say on hash functions, message authentication codes, and key derivation function in Chapter 11, Hash Functions and Message Authentication Codes. For now, it is sufficient to treat HKDF as an abstract function, as shown in Figure 12.2. It takes keying material as input and returns one or more secret keys as output:

Figure 12.2: High-level view of the HKDF function

HKDF follows an extract-then-expand approach consisting of two logical stages. The rationale for this two-step approach is explained nicely in the introduction of [104]: ”In many applications, the input keying material is not necessarily distributed uniformly, and the attacker may have some partial knowledge about it (for example, a Diffie-Hellman value computed by a key exchange protocol) or even partial control of it (as in some entropy-gathering applications). Thus, the goal of the extract-stage is to concentrate the possibly dispersed entropy of the input keying material into a short, but cryptographically strong, pseudorandom key. In some applications, the input may already be a good pseudorandom key; in these cases, the extract-stage is not necessary, and the ”expand” part can be used alone. The second stage expands the pseudorandom key to the desired length; the number and lengths of the output keys depend on the specific cryptographic algorithms for which the keys are needed.”

Now, let’s take a look at the extract-and-expand-functions in HKDFs.

12.3.1 HKDF-Extract

HKDF-Extract, or HE for short, implements the first stage of the HKDF, which takes the keying material as input and extracts a fixed-length pseudorandom key K from it. In particular, it is involved in the derivation of the handshake secret SH and the master secret SM (see Figure 12.9 and Figure 12.11, respectively).

HKDF-Extract is illustrated in Figure 12.3. It takes two inputs: a salt and an input keying material (IKM). The salt is a non-secret random value. If no salt is provided, HKDF-Extract takes a string of zeros of the length equal to that of the hash function output. HKDF-Extract outputs a pseudorandom key (PRK). The PRK is calculated as PRK = HMAC-Hash(salt, IKM). Since HKDF-Extract is based on the HMAC construction, which is in turn a construction template that can use different hash functions [103], HKDF-Extract can also use different cryptographic hash functions.

Figure 12.3: HKDF-Extract function used for TLS key derivation

A new TLS secret is derived using HKDF-Extract with the current TLS secret state as salt and the PSK – established out of band or derived from the resumption˙master˙secret instance of a previous TLS session – or the DHE or ECDHE based shared secret that Alice and Bob have established during the current TLS handshake as IKM.

12.3.2 HKDF-Expand

The second stage of the HKDF function expands a PRK to a pseudorandom bit string of the desired length, which can then be used to derive secret keys. HKDF-Expand is illustrated in Figure 12.4.

HKDF-Expand takes three inputs: a pseudorandom key PRK (which must have at least the length of the output of the hash function used), an optional context and application-specific information info, and the desired length in bytes of the output keying material L.

The output of HKDF-Expand is an L-byte long Output Keying Material (OKM). The OKM is calculated by first calculating the following N values, where N is the result of the ceiling function applied to (L∕HashLen):

T(0) = empty string(zero length)

T(1) = HMAC-Hash(PRK,T(0)|info|0x01)

T(2) = HMAC-Hash(PRK,T(1)|info|0x02)

 …

T(N) = HMAC-Hash(PRK,T(N − 1)|info|N)

where | denotes the bit-wise concatenation. The HMAC construction for key-dependent hash values is explained in Section 11.5, Message authentication codes. After that, the OKM is built by taking the first L octets of T = T(1)|T(2)|…|T(N).

Figure 12.4: The HKDF-Expand function HP

After each invocation of the HKDF-Extract function, the HKDF-Expand function is invoked one or more times.

Next, Alice and Bob compute the binder key kbind, client˙early˙traffic˙secret and early˙exporter˙master˙secret as shown in Figure 12.8. The binder key may be used to establish subsequent TLS sessions, and the early traffic secret and the exporter Master Secret are used to calculate the corresponding keys.

Figure 12.8: Derivation of TLS binder key, client early traffic secret and early exporter master secret

To prevent Alice and Bob from mixing up the binder keys, different labels are used for the derivation of the corresponding TLS secrets. For binder keys provisioned outside of TLS, the label ”ext binder” is used. For resumption keys provisioned as the resumption Master Secret of a previous handshake, the label ”res binder” is used.

If Alice and Bob choose to perform the TLS handshake based on a PSK, there are multiple possible values that the early secret SE can take. The actual value of SE depends on the PSK that Alice selects from those offered by Bob (using their identifiers).

As a result, Bob needs to compute the early secret for every PSK he offers to Alice. If Alice selects no PSK from those being offered by Bob, he needs to compute the early secret with a PSK being all zeros.

In the next step, illustrated in Figure 12.9, Alice and Bob compute the Handshake Secret SH and the second intermediate secret S1. The Handshake Secret is derived from the first intermediate secret S0 and the DHE or ECDHE key share that Alice and Bob exchange during the TLS handshake.

Figure 12.9: Derivation of the TLS handshake secret SH and the second derived secret S1

In the fourth step, Alice and Bob derive the client˙handshake˙traffic˙secret and server˙handshake˙traffic˙secret secrets needed to compute the corresponding handshake traffic keys. This is shown in Figure 12.10.

Note how – in addition to using the handshake secret SH itself – the handshake traffic secrets are derived using not only the ”c hs traffic” and c—”s hs traffic”— labels but also the transcript transCHSH of all TLS handshakes starting with ClientHello up until and including the ServerHello message.

Figure 12.10: Derivation of TLS handshake traffic secrets

Next, as shown in Figure 12.11, Alice and Bob derive the master secret SM. This secret will be used for the calculation of the application traffic keys for protecting the bulk application data Alice and Bob want to transmit over the secure TLS channel.

Figure 12.11: Derivation of the TLS master secret

While the early secret, handshake secret, and master secret (as well as the two intermediate derived secrets) can be viewed as raw entropy without any context, traffic secrets and exporter secrets include the TLS handshake context and, as a result, can be used to derive cryptographic keys without any additional context information.

Moreover, multiple invocations of the Derive-Secret function DS take the same TLS secret as input but return different outputs because they take different messages as additional input argument.

Finally, the master secret SM, the corresponding labels and the TLS handshake transcript transCHSF are used to derive the first application traffic secrets, the exporter master secret and the resumption master secret (see Figure 12.12). Transcript transCHSF includes all handshake messages starting from ClientHello up until including the Alice’s Finished message.

Figure 12.12: Derivation of the TLS application traffic secrets, exporter master secret and resumption master secret

This step concludes the derivation of TLS secrets from the keying material. However, the secrets may be updated without having to exchange new key material.

12.3.3 HKDF-Expand-Label

HKDF-Expand-Label (or HEL for short) is a pseudorandom function as shown in Figure 12.5. Recall this means that it can be efficiently computed for any given input, but it cannot be efficiently distinguished from a uniformly random function [37].

HKDF-Expand-Label takes a secret, the desired length of the output L, and an HKDF-Label as input, and expands them to OKM.

Figure 12.5: The HKDF-Expand-Label function HEL

The HkdfLabel data structure is defined as in Listing 12.1. It essentially consists of a label and a context. All labels used in TLS 1.3 are strings. The context might have zero length.

Listing 12.1: HkdfLabel data structure

struct {
   uint16 length = Length;
   opaque label<7..255> = “tls13 ” + Label;
   opaque context<0..255> = Context;
} HkdfLabel;

HKDF-Expand-Label illustrates a cryptographic good practice where keying material and, in turn, keys are derived for a specific purpose using a label and a context as inputs to the KDF.

12.3.4 Derive-Secret

Finally, the TLS 1.3 Derive-Secret function DS is defined as shown in Figure 12.6. It takes a secret, a label, and TLS messages as input, and outputs one of the TLS secrets listed in Table 12.1. In the subsequent step, these secrets will be used to derive the TLS keys.

As a result, multiple calls to Derive-Secret can be used to derive keying material for different secret keys even with the same secret as input as long as different messages are used to compute the transcript hash.

Figure 12.6: The Derive-Secret function DS

Derive-Secret implements a clever way to bind the keying material to previous messages exchanged during a specific execution of a cryptographic protocol. This is desirable from a cryptography perspective because it causes Alice and Bob to derive completely different secret keys and, as a result, leads to a failure of the cryptographic protocol since Alice cannot understand what Bob encrypted or authenticated, and vice versa.

This approach implements an implicit protection against man-in-the-middle attacks. Even if Mallory manages to intercept and manipulate messages exchanged by Alice and Bob, she cannot trick them into deriving an identical secret key because Alice’s message transcript will be different from Bob’s message transcript.

As illustrated in Figure 12.7, Alice and Bob start by deriving the Early Secret SE and an intermediate secret S0 (which will be used for further computations). Eventually, Alice and Bob will establish a secure TLS channel by deriving the shared cryptographic keys from these secrets.

Figure 12.7: Derivation of the TLS early secret and first derived secret S0

If a specific TLS secret is not available, a zero value – a string of 0-valued bytes – is taken as input. As an example, if the pre-shared key PSK is not used, the early secret will be computed as follows:
Early_Secret = HKDF-Extract(0, 0)