Archives May 2021

Certifications of IT How to compute a MAC IT Exams Server certificate selection Sponge construction The Certificate message

Derived secrets – Secrets and Keys in TLS 1.3

Mary Darby 0 Comment

12.2.5 Derived secrets

These are intermediate secrets that are used as salt arguments for the HKDF-Extract function (which we will shortly discuss in detail). The HKDF-Extract function, in turn, generates the Handshake Secret and the Master Secret.

12.2.6 Handshake secret

This secret is the final result of the handshake. It is either derived from the Early Secret if a PSK is in place or from the secret Alice and Bob have exchanged during a Diffie-Hellman. The Handshake Secret is used to derive the client˙handshake˙traffic˙secret for Bob and the server˙handshake˙traffic˙secret for Alice.

12.2.7 Handshake traffic secrets

Bob subsequently uses the client˙handshake˙traffic˙secret secret and Alice uses the server˙handshake˙traffic˙secret secret to generate secret keys for their handshake traffic encryption.

12.2.8 Master secret

The Master Secret is used to derive the client˙application˙traffic˙secret0 for Bob and the server˙application˙traffic˙secret0 for Alice. These secrets can be updated later during a TLS session, hence their index 0.

12.2.9 Application traffic secrets

The client˙application˙traffic˙secret0 is used by Bob and the server˙application˙traffic˙secret0 is used by Alice to generate corresponding secret keys for encryption of the application data. These keys allow Alice and Bob to establish a secure channel for the bulk application data. TLS also has an optional mechanism to update these secrets and, in turn, these keys during a TLS session.

12.2.10 Resumption master secret

This secret is used to derive the pre-shared secret key for TLS session resumption. After a successful handshake, Alice can send Bob the identity of a PSK derived during that handshake. Bob can then use this PSK identity in subsequent TLS handshakes with Alice in order to signal his desire to use the associated PSK.

We now turn to the question of how the secrets are derived from the exchanged keying material.

12.3 KDFs in TLS

TLS uses four different functions to derive secrets: HKDF-Extract, HKDF-Expand, HKDF-Expand-Label, and Derive-Secret. All these functions are based on the Hashed Message Authentication Code (HMAC)-based Extract-and-Expand Key Derivation Function (HKDF) defined in RFC 5869 [104].

We will have much more to say on hash functions, message authentication codes, and key derivation function in Chapter 11, Hash Functions and Message Authentication Codes. For now, it is sufficient to treat HKDF as an abstract function, as shown in Figure 12.2. It takes keying material as input and returns one or more secret keys as output:

Figure 12.2: High-level view of the HKDF function

HKDF follows an extract-then-expand approach consisting of two logical stages. The rationale for this two-step approach is explained nicely in the introduction of [104]: ”In many applications, the input keying material is not necessarily distributed uniformly, and the attacker may have some partial knowledge about it (for example, a Diffie-Hellman value computed by a key exchange protocol) or even partial control of it (as in some entropy-gathering applications). Thus, the goal of the extract-stage is to concentrate the possibly dispersed entropy of the input keying material into a short, but cryptographically strong, pseudorandom key. In some applications, the input may already be a good pseudorandom key; in these cases, the extract-stage is not necessary, and the ”expand” part can be used alone. The second stage expands the pseudorandom key to the desired length; the number and lengths of the output keys depend on the specific cryptographic algorithms for which the keys are needed.”

Now, let’s take a look at the extract-and-expand-functions in HKDFs.