Example1 ex1 = {1, 4}; /* assigns f1 = 1, f2 = 4 */
5. HMAC and the pseudorandom function
A number of operations in the TLS record and handshake layers require
a keyed MAC: a secure digest of some data, protected by a secret.
Forging the MAC is infeasible without knowledge of the MAC secret. The
construction we use for this operation is known as HMAC, described in
[HMAC].
HMAC can be used with a variety of different hash algorithms. TLS
uses it in the handshake with two different algorithms: MD5 and SHA-1,
denoting these as HMAC_MD5(secret, data) and HMAC_SHA(secret, data).
Additional hash algorithms can be defined by cipher suites and used to
protect record data, but MD5 and SHA-1 are hard-coded into the
description of the handshaking for this version of the protocol.
RFC 2246 The TLS Protocol Version 1.0 January 1999
In addition, a construction is required to expand secrets into blocks
of data for the purposes of key generation or validation. This
pseudo-random function (PRF) takes as input a secret, a seed, and an
identifying label and produces an output of arbitrary length. In order
to make the PRF as secure as possible, it uses two hash algorithms in
a way that should guarantee its security as long as either algorithm
remains secure.
First, we define a data expansion function, P_hash(secret, seed),
which uses a single hash function to expand a secret and seed into an
arbitrary quantity of output:
    P_hash(secret, seed) = HMAC_hash(secret, A(1) + seed) +
                           HMAC_hash(secret, A(2) + seed) +
                           HMAC_hash(secret, A(3) + seed) + ...
where + indicates concatenation.
A() is defined as:
    A(0) = seed
    A(i) = HMAC_hash(secret, A(i-1))
P_hash can be iterated as many times as is necessary to produce the
required quantity of data. For example, if P_SHA-1 was being used to
create 64 bytes of data, it would have to be iterated 4 times
(through A(4)), creating 80 bytes of output data; the last 16 bytes
of the final iteration would then be discarded, leaving 64 bytes of
output data.
TLS's PRF is created by splitting the secret into two halves and
using one half to generate data with P_MD5 and the other half to
generate data with P_SHA-1, then exclusive-or'ing the outputs of
these two expansion functions together.
S1 and S2 are the two halves of the secret and each is the same
length. S1 is taken from the first half of the secret, S2 from the
second half. Their length is created by rounding up the length of the
overall secret divided by two; thus, if the original secret is an odd
number of bytes long, the last byte of S1 will be the same as the
first byte of S2.
    L_S = length in bytes of secret;
    L_S1 = L_S2 = ceil(L_S / 2);
The secret is partitioned into two halves (with the possibility of
one shared byte) as described above, S1 taking the first L_S1 bytes
and S2 the last L_S2 bytes.
The PRF is then defined as the result of mixing the two pseudorandom
streams by exclusive-or'ing them together.
    PRF(secret, label, seed) = P_MD5(S1, label + seed) XOR
                               P_SHA-1(S2, label + seed);
The label is an ASCII string. It should be included in the exact form
it is given without a length byte or trailing null character. For
example, the label "slithy toves" would be processed by hashing the
following bytes:
    73 6C 69 74 68 79 20 74 6F 76 65 73
Note that because MD5 produces 16-byte outputs and SHA-1 produces
20-byte outputs, the boundaries of their internal iterations will not
be aligned; generating an 80-byte output involves P_MD5 being iterated
through A(5), while P_SHA-1 is only iterated through A(4).