Once the SecureChannel is established, the Messages are signed and encrypted with keys derived from the Nonces exchanged in the OpenSecureChannel call. These keys are derived by passing the Nonces to a pseudo-random function which produces a sequence of bytes from a set of inputs. A pseudo-random function is represented by the following function declaration:
Byte[] PRF(
Byte[] secret,
Byte[] seed,
Int32 length,
Int32 offset)
Where length is the number of bytes to return and offset is a number of bytes from the beginning of the sequence.
The lengths of the keys that need to be generated depend on the SecurityPolicy used for the channel. The following information is specified by the SecurityPolicy:
- SigningKeyLength (from the DerivedSignatureKeyLength);
- EncryptingKeyLength (implied by the SymmetricEncryptionAlgorithm);
- EncryptingBlockSize (implied by the SymmetricEncryptionAlgorithm).
The pseudo-random function requires a secret and a seed. These values are derived from the Nonces exchanged in the OpenSecureChannel request and response. Table 48 specifies how to derive the secrets and seeds when using RSA based SecurityPolicies.
Table 48 – PRF inputs for RSA based SecurityPolicies

| Name | Derivation |
|---|---|
| ClientSecret | The value of the ClientNonce provided in the OpenSecureChannel request. |
| ClientSeed | The value of the ClientNonce provided in the OpenSecureChannel request. |
| ServerSecret | The value of the ServerNonce provided in the OpenSecureChannel response. |
| ServerSeed | The value of the ServerNonce provided in the OpenSecureChannel response. |

The parameters passed to the pseudo-random function are specified in Table 49.
Table 49 – Cryptography key generation parameters

| Key | Secret | Seed | Length | Offset |
|---|---|---|---|---|
| ClientSigningKey | ServerSecret | ClientSeed | SigningKeyLength | 0 |
| ClientEncryptingKey | ServerSecret | ClientSeed | EncryptingKeyLength | SigningKeyLength |
| ClientInitializationVector | ServerSecret | ClientSeed | EncryptingBlockSize | SigningKeyLength + EncryptingKeyLength |
| ServerSigningKey | ClientSecret | ServerSeed | SigningKeyLength | 0 |
| ServerEncryptingKey | ClientSecret | ServerSeed | EncryptingKeyLength | SigningKeyLength |
| ServerInitializationVector | ClientSecret | ServerSeed | EncryptingBlockSize | SigningKeyLength + EncryptingKeyLength |

The Client keys are used to secure Messages sent by the Client. The Server keys are used to secure Messages sent by the Server.
The SSL/TLS specification defines a pseudo-random function called P_HASH which is used for this purpose. The function is iterated until it produces enough data for all of the required keys. The Offset in Table 49 refers to the offset from the start of the generated data.
The P_HASH algorithm is defined as follows:
P_HASH(secret, seed) = HMAC_HASH(secret, A(1) + seed) +
HMAC_HASH(secret, A(2) + seed) +
HMAC_HASH(secret, A(3) + seed) + ...
Where A(n) is defined as:
A(0) = seed
A(n) = HMAC_HASH(secret, A(n-1))
+ indicates that the results are appended to previous results.
Where ‘HASH’ is a hash function such as SHA256. The hash function to use depends on the SecurityPolicyUri.
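
The derivation in Tables 48 and 49, worked through with P_HASH over SHA256, as an added example that is not part of the specification text. The function names, the fixed sample nonces and the key lengths (32-byte signing key, 32-byte encrypting key, 16-byte block) are assumptions chosen for illustration; the real lengths come from the SecurityPolicy in use.

```python
import hashlib
import hmac


def p_hash(secret, seed, length, offset=0, hash_name="sha256"):
    """Return `length` bytes starting `offset` bytes into the P_HASH stream."""
    out = b""
    a = seed  # A(0) = seed
    while len(out) < offset + length:
        a = hmac.new(secret, a, hash_name).digest()            # A(n) = HMAC(secret, A(n-1))
        out += hmac.new(secret, a + seed, hash_name).digest()  # HMAC(secret, A(n) + seed)
    return out[offset:offset + length]


def derive_keys(secret, seed, sig_len, enc_len, block_size):
    """Slice one P_HASH stream into the three values of Table 49."""
    return {
        "SigningKey": p_hash(secret, seed, sig_len, 0),
        "EncryptingKey": p_hash(secret, seed, enc_len, sig_len),
        "InitializationVector": p_hash(secret, seed, block_size, sig_len + enc_len),
    }


def derive_channel_keys(client_nonce, server_nonce, sig_len, enc_len, block_size):
    """Apply Table 48: for RSA policies each nonce serves as both secret and seed."""
    return {
        # Client keys: Secret = ServerSecret, Seed = ClientSeed
        "Client": derive_keys(server_nonce, client_nonce, sig_len, enc_len, block_size),
        # Server keys: Secret = ClientSecret, Seed = ServerSeed
        "Server": derive_keys(client_nonce, server_nonce, sig_len, enc_len, block_size),
    }


# Constructed sample nonces: fixed bytes for reproducibility, real nonces are random.
CLIENT_NONCE = bytes(range(32))
SERVER_NONCE = bytes(range(32, 64))
# Assumed lengths in bytes (HMAC-SHA256 signing, AES-256-CBC encryption).
SIG_LEN, ENC_LEN, BLOCK = 32, 32, 16

if __name__ == "__main__":
    keys = derive_channel_keys(CLIENT_NONCE, SERVER_NONCE, SIG_LEN, ENC_LEN, BLOCK)
    for side, values in keys.items():
        for name, value in values.items():
            print(f"{side}{name}: {value.hex()}")
```

Because both sides compute the same two streams from the same pair of Nonces, a mismatch in secret/seed order or in the offsets shows up as signature verification failures on the first secured Message.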