5.3.5.1 Non-FIPS

The client and server random values are used to create a 384-bit Pre-Master Secret by concatenating the first 192 bits of the Client Random with the first 192 bits of the Server Random.

 PreMasterSecret = First192Bits(ClientRandom) + First192Bits(ServerRandom)

A 384-bit Master Secret is generated using the Pre-Master Secret, the client and server random values, and the MD5 hash and SHA-1 hash functions.

 MasterSecret = PreMasterHash(0x41) + PreMasterHash(0x4242) + PreMasterHash(0x434343)

Here, the PreMasterHash function is defined as follows.

 PreMasterHash(I) = SaltedHash(PreMasterSecret, I)

The SaltedHash function is defined as follows.

 SaltedHash(S, I) = MD5(S + SHA(I + S + ClientRandom + ServerRandom))

A 384-bit session key blob is generated as follows.

 SessionKeyBlob = MasterHash(0x58) + MasterHash(0x5959) + MasterHash(0x5A5A5A)

Here, the MasterHash function is defined as follows.

 MasterHash(I) = SaltedHash(MasterSecret, I)

The actual session keys are derived from the session key blob. Both client and server extract the same key data for generating MAC signatures.

 MACKey128 = First128Bits(SessionKeyBlob)

The initial encryption and decryption keys are generated next (these keys are updated at a later point in the protocol, per section 5.3.6.1). The server generates its encryption and decryption keys as follows.

 InitialServerEncryptKey128 = FinalHash(Second128Bits(SessionKeyBlob))
 InitialServerDecryptKey128 = FinalHash(Third128Bits(SessionKeyBlob))

Here, the FinalHash function is defined as follows.

 FinalHash(K) = MD5(K + ClientRandom + ServerRandom)

The client constructs its initial decryption key with the bytes that the server uses to construct its initial encryption key. Similarly, the client forms its initial encryption key with the bytes that the server uses to form its initial decryption key.

 InitialClientDecryptKey128 = FinalHash(Second128Bits(SessionKeyBlob))
 InitialClientEncryptKey128 = FinalHash(Third128Bits(SessionKeyBlob))

This means that the client will use its encryption key to encrypt data and the server will use its decryption key to decrypt the same data. Similarly, the server will use its encryption key to encrypt data and the client will use its decryption key to decrypt the same data. In effect, there are two streams of data (client-to-server and server-to-client) encrypted with different session keys which are updated at different intervals.

To reduce the entropy of the keys to either 40 or 56 bits, the 128-bit client and server keys are salted appropriately to produce 64-bit versions with the required strength. The salt values to reduce key entropy are shown in the following table:

 Negotiated key length | Salt length | Salt values      | RC4 key length
 ----------------------+-------------+------------------+---------------
 40 bits               | 3 bytes     | 0xD1, 0x26, 0x9E | 8 bytes
 56 bits               | 1 byte      | 0xD1             | 8 bytes
 128 bits              | 0 bytes     | N/A              | 16 bytes

Table 1: Salt values to reduce key entropy

Using the salt values, the 40-bit keys are generated as follows.

 MACKey40 = 0xD1269E + Last40Bits(First64Bits(MACKey128))
  
 InitialServerEncryptKey40 = 0xD1269E + Last40Bits(First64Bits(InitialServerEncryptKey128))
 InitialServerDecryptKey40 = 0xD1269E + Last40Bits(First64Bits(InitialServerDecryptKey128))
  
 InitialClientEncryptKey40 = 0xD1269E + Last40Bits(First64Bits(InitialClientEncryptKey128))
 InitialClientDecryptKey40 = 0xD1269E + Last40Bits(First64Bits(InitialClientDecryptKey128))

The 56-bit keys are generated as follows.

 MACKey56 = 0xD1 + Last56Bits(First64Bits(MACKey128))
  
 InitialServerEncryptKey56 = 0xD1 + Last56Bits(First64Bits(InitialServerEncryptKey128))
 InitialServerDecryptKey56 = 0xD1 + Last56Bits(First64Bits(InitialServerDecryptKey128))
  
 InitialClientEncryptKey56 = 0xD1 + Last56Bits(First64Bits(InitialClientEncryptKey128))
 InitialClientDecryptKey56 = 0xD1 + Last56Bits(First64Bits(InitialClientDecryptKey128))

After any necessary salting has been applied, the generated encryption and decryption keys are used to initialize RC4 substitution tables which can then be used to encrypt and decrypt data.

At the end of this process the client and server will each possess three symmetric keys to use with the RC4 stream cipher: a MAC key, an encryption key, and a decryption key. The MAC key is used to initialize the RC4 substitution table that is used to generate Message Authentication Codes, the encryption key is used to initialize the RC4 substitution table that is used to perform encryption, and the decryption key is used to initialize the RC4 substitution table that is used to perform decryption (for more information on RC4 substitution table initialization, see [SCHNEIER] section 17.1).
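The complete non-FIPS derivation above (pre-master secret, master secret, session key blob, initial keys and Table 1 salting), written out as an added Python example for analysis and test purposes; it is not code from the specification. The 32-byte client and server random values are constructed sample data, and the function and dictionary key names are this example's own.

```python
import hashlib

# Constructed sample randoms (32 bytes each, the size exchanged in RDP); not real traffic.
CLIENT_RANDOM = bytes(range(0, 32))
SERVER_RANDOM = bytes(range(32, 64))

# Salt prefixes from Table 1; the 128-bit case applies no salt.
SALTS = {40: b"\xd1\x26\x9e", 56: b"\xd1", 128: b""}


def salted_hash(s: bytes, i: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """SaltedHash(S, I) = MD5(S + SHA1(I + S + ClientRandom + ServerRandom))."""
    inner = hashlib.sha1(i + s + client_random + server_random).digest()
    return hashlib.md5(s + inner).digest()


def final_hash(k: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """FinalHash(K) = MD5(K + ClientRandom + ServerRandom)."""
    return hashlib.md5(k + client_random + server_random).digest()


def reduce_key(key128: bytes, key_len_bits: int) -> bytes:
    """Apply the Table 1 salt: 40/56-bit keys become 8 bytes, 128-bit keys stay 16 bytes."""
    if key_len_bits == 128:
        return key128
    salt = SALTS[key_len_bits]
    # Salt + Last40Bits/Last56Bits(First64Bits(key)) == salt + bytes [len(salt), 8) of the key.
    return salt + key128[len(salt):8]


def derive_keys(client_random: bytes, server_random: bytes, key_len_bits: int) -> dict:
    """Run the full derivation and return the initial keys at the negotiated length."""
    pre_master = client_random[:24] + server_random[:24]          # First192Bits of each
    master = b"".join(salted_hash(pre_master, i, client_random, server_random)
                      for i in (b"A", b"BB", b"CCC"))              # 0x41, 0x4242, 0x434343
    blob = b"".join(salted_hash(master, i, client_random, server_random)
                    for i in (b"X", b"YY", b"ZZZ"))                # 0x58, 0x5959, 0x5A5A5A
    server_enc = final_hash(blob[16:32], client_random, server_random)  # Second128Bits
    server_dec = final_hash(blob[32:48], client_random, server_random)  # Third128Bits
    return {
        "mac_key": reduce_key(blob[:16], key_len_bits),            # First128Bits
        "server_encrypt": reduce_key(server_enc, key_len_bits),
        "server_decrypt": reduce_key(server_dec, key_len_bits),
        # The client's keys are the server's with the encrypt/decrypt roles swapped.
        "client_encrypt": reduce_key(server_dec, key_len_bits),
        "client_decrypt": reduce_key(server_enc, key_len_bits),
    }


if __name__ == "__main__":
    for name, key in derive_keys(CLIENT_RANDOM, SERVER_RANDOM, 40).items():
        print(f"{name:16} {key.hex()}")
```

Note that with 40- or 56-bit keys the first 3 or 1 key bytes are fixed constants, so only 5 or 7 bytes of each 8-byte RC4 key actually vary; that is the entropy reduction the salt implements.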