85 |
85 |
86 ClientHello |
86 ClientHello |
87 (*(7.4.1.2) |
87 (*(7.4.1.2) |
88 XA represents CLIENT_VERSION, CIPHER_SUITES and COMPRESSION_METHODS. |
88 XA represents CLIENT_VERSION, CIPHER_SUITES and COMPRESSION_METHODS. |
89 It is uninterpreted but will be confirmed in the FINISHED messages. |
89 It is uninterpreted but will be confirmed in the FINISHED messages. |
90 As an initial simplification, SESSION_ID is identified with NA |
90 NA is CLIENT RANDOM, while SID is SESSION_ID. |
91 and reuse of sessions is not supported. |
91 UNIX TIME is omitted because the protocol doesn't use it. |
92 May assume NA ~: range PRF because CLIENT RANDOM is 32 bytes |
92 May assume NA ~: range PRF because CLIENT RANDOM is 28 bytes |
93 while MASTER SECRET is 48 byptes (6.1)*) |
93 while MASTER SECRET is 48 byptes*) |
94 "[| evsCH: tls; A ~= B; Nonce NA ~: used evsCH; NA ~: range PRF |] |
94 "[| evsCH: tls; A ~= B; Nonce NA ~: used evsCH; NA ~: range PRF |] |
95 ==> Says A B {|Agent A, Nonce NA, Number XA|} # evsCH : tls" |
95 ==> Says A B {|Agent A, Nonce NA, Number SID, Number XA|} |
|
96 # evsCH : tls" |
96 |
97 |
97 ServerHello |
98 ServerHello |
98 (*7.4.1.3 of the TLS Internet-Draft |
99 (*7.4.1.3 of the TLS Internet-Draft |
99 XB represents CLIENT_VERSION, CIPHER_SUITE and COMPRESSION_METHOD. |
100 XB represents CLIENT_VERSION, CIPHER_SUITE and COMPRESSION_METHOD. |
100 NA is returned in its role as SESSION_ID. |
|
101 SERVER CERTIFICATE (7.4.2) is always present. |
101 SERVER CERTIFICATE (7.4.2) is always present. |
102 CERTIFICATE_REQUEST (7.4.4) is implied.*) |
102 CERTIFICATE_REQUEST (7.4.4) is implied.*) |
103 "[| evsSH: tls; A ~= B; Nonce NB ~: used evsSH; NB ~: range PRF; |
103 "[| evsSH: tls; A ~= B; Nonce NB ~: used evsSH; NB ~: range PRF; |
104 Says A' B {|Agent A, Nonce NA, Number XA|} : set evsSH |] |
104 Says A' B {|Agent A, Nonce NA, Number SID, Number XA|} |
105 ==> Says B A {|Nonce NA, Nonce NB, Number XB, |
105 : set evsSH |] |
|
106 ==> Says B A {|Nonce NB, Number SID, Number XB, |
106 certificate B (pubK B)|} |
107 certificate B (pubK B)|} |
107 # evsSH : tls" |
108 # evsSH : tls" |
108 |
109 |
109 ClientCertKeyEx |
110 ClientCertKeyEx |
110 (*CLIENT CERTIFICATE (7.4.6) and KEY EXCHANGE (7.4.7). |
111 (*CLIENT CERTIFICATE (7.4.6) and KEY EXCHANGE (7.4.7). |
114 and another MASTER SECRET is highly unlikely (even though |
115 and another MASTER SECRET is highly unlikely (even though |
115 both items have the same length, 48 bytes). |
116 both items have the same length, 48 bytes). |
116 The Note event records in the trace that she knows PMS |
117 The Note event records in the trace that she knows PMS |
117 (see REMARK at top).*) |
118 (see REMARK at top).*) |
118 "[| evsCX: tls; A ~= B; Nonce PMS ~: used evsCX; PMS ~: range PRF; |
119 "[| evsCX: tls; A ~= B; Nonce PMS ~: used evsCX; PMS ~: range PRF; |
119 Says B' A {|Nonce NA, Nonce NB, Number XB, certificate B KB|} |
120 Says B' A {|Nonce NB, Number SID, Number XB, certificate B KB|} |
120 : set evsCX |] |
121 : set evsCX |] |
121 ==> Says A B {|certificate A (pubK A), Crypt KB (Nonce PMS)|} |
122 ==> Says A B {|certificate A (pubK A), Crypt KB (Nonce PMS)|} |
122 # Notes A {|Agent B, Nonce PMS|} |
123 # Notes A {|Agent B, Nonce PMS|} |
123 # evsCX : tls" |
124 # evsCX : tls" |
124 |
125 |
127 specific components listed in the security analysis, F.1.1.2. |
128 specific components listed in the security analysis, F.1.1.2. |
128 It adds the pre-master-secret, which is also essential! |
129 It adds the pre-master-secret, which is also essential! |
129 Checking the signature, which is the only use of A's certificate, |
130 Checking the signature, which is the only use of A's certificate, |
130 assures B of A's presence*) |
131 assures B of A's presence*) |
131 "[| evsCV: tls; A ~= B; |
132 "[| evsCV: tls; A ~= B; |
132 Says B' A {|Nonce NA, Nonce NB, Number XB, certificate B KB|} |
133 Says B' A {|Nonce NB, Number SID, Number XB, certificate B KB|} |
133 : set evsCV; |
134 : set evsCV; |
134 Notes A {|Agent B, Nonce PMS|} : set evsCV |] |
135 Notes A {|Agent B, Nonce PMS|} : set evsCV |] |
135 ==> Says A B (Crypt (priK A) |
136 ==> Says A B (Crypt (priK A) |
136 (Hash{|Nonce NB, certificate B KB, Nonce PMS|})) |
137 (Hash{|Nonce NB, certificate B KB, Nonce PMS|})) |
137 # evsCV : tls" |
138 # evsCV : tls" |
138 |
139 |
139 (*Finally come the FINISHED messages (7.4.8), confirming XA and XB |
140 (*Finally come the FINISHED messages (7.4.8), confirming XA and XB |
140 among other things. The master-secret is PRF(PMS,NA,NB). |
141 among other things. The master-secret is PRF(PMS,NA,NB). |
141 Either party may sent its message first.*) |
142 Either party may sent its message first.*) |
142 |
143 |
146 Spy does not know PMS and could not sent CLIENT FINISHED. One |
147 Spy does not know PMS and could not sent CLIENT FINISHED. One |
147 could simply put A~=Spy into the rule, but one should not |
148 could simply put A~=Spy into the rule, but one should not |
148 expect the spy to be well-behaved.*) |
149 expect the spy to be well-behaved.*) |
149 ClientFinished |
150 ClientFinished |
150 "[| evsCF: tls; |
151 "[| evsCF: tls; |
151 Says A B {|Agent A, Nonce NA, Number XA|} : set evsCF; |
152 Says A B {|Agent A, Nonce NA, Number SID, Number XA|} |
152 Says B' A {|Nonce NA, Nonce NB, Number XB, certificate B KB|} |
153 : set evsCF; |
|
154 Says B' A {|Nonce NB, Number SID, Number XB, certificate B KB|} |
153 : set evsCF; |
155 : set evsCF; |
154 Notes A {|Agent B, Nonce PMS|} : set evsCF; |
156 Notes A {|Agent B, Nonce PMS|} : set evsCF; |
155 M = PRF(PMS,NA,NB) |] |
157 M = PRF(PMS,NA,NB) |] |
156 ==> Says A B (Crypt (clientK(NA,NB,M)) |
158 ==> Says A B (Crypt (clientK(NA,NB,M)) |
157 (Hash{|Nonce M, |
159 (Hash{|Nonce M, Number SID, |
158 Nonce NA, Number XA, Agent A, |
160 Nonce NA, Number XA, Agent A, |
159 Nonce NB, Number XB, Agent B|})) |
161 Nonce NB, Number XB, Agent B|})) |
160 # evsCF : tls" |
162 # evsCF : tls" |
161 |
163 |
162 (*Keeping A' and A'' distinct means B cannot even check that the |
164 (*Keeping A' and A'' distinct means B cannot even check that the |
163 two messages originate from the same source. *) |
165 two messages originate from the same source. *) |
164 ServerFinished |
166 ServerFinished |
165 "[| evsSF: tls; |
167 "[| evsSF: tls; |
166 Says A' B {|Agent A, Nonce NA, Number XA|} : set evsSF; |
168 Says A' B {|Agent A, Nonce NA, Number SID, Number XA|} |
167 Says B A {|Nonce NA, Nonce NB, Number XB, |
169 : set evsSF; |
|
170 Says B A {|Nonce NB, Number SID, Number XB, |
168 certificate B (pubK B)|} |
171 certificate B (pubK B)|} |
169 : set evsSF; |
172 : set evsSF; |
170 Says A'' B {|certificate A KA, Crypt (pubK B) (Nonce PMS)|} |
173 Says A'' B {|certificate A KA, Crypt (pubK B) (Nonce PMS)|} |
171 : set evsSF; |
174 : set evsSF; |
172 M = PRF(PMS,NA,NB) |] |
175 M = PRF(PMS,NA,NB) |] |
173 ==> Says B A (Crypt (serverK(NA,NB,M)) |
176 ==> Says B A (Crypt (serverK(NA,NB,M)) |
174 (Hash{|Nonce M, |
177 (Hash{|Nonce M, Number SID, |
175 Nonce NA, Number XA, Agent A, |
178 Nonce NA, Number XA, Agent A, |
176 Nonce NB, Number XB, Agent B|})) |
179 Nonce NB, Number XB, Agent B|})) |
177 # evsSF : tls" |
180 # evsSF : tls" |
178 |
181 |
179 (**Oops message??**) |
182 (**Oops message??**) |
180 |
183 |
181 end |
184 end |