6.7.5 Deriving keys

Once the SecureChannel is established the Messages are signed and encrypted with keys derived from the Nonces exchanged in the OpenSecureChannel call. These keys are derived by passing the Nonces to a pseudo-random function (PRF) which produces a sequence of bytes from a set of inputs. A pseudo-random function is represented by the following function declaration:

Byte[] PRF(
    Byte[] secret,
    Byte[] seed,
    Int32 length,
    Int32 offset)


Where length is the number of bytes to return and offset is a number of bytes from the beginning of the sequence.

The lengths of the keys that need to be generated depend on the SecurityPolicy used for the channel. The following information is specified by the SecurityPolicy:

1. SigningKeyLength (from the DerivedSignatureKeyLength);
2. EncryptingKeyLength (implied by the SymmetricEncryptionAlgorithm);
3. InitializationVectorLength (from the InitializationVectorLength).

The pseudo random function requires a secret and a seed. These values are derived from the Nonces exchanged in the OpenSecureChannel request and response. Table 58 specifies how to derive the secrets and seeds when using RSA based SecurityPolicies.

Table 58 – PRF inputs for RSA based SecurityPolicies

Name          Derivation
ClientSecret  The value of the ClientNonce provided in the OpenSecureChannel request.
ClientSeed    The value of the ClientNonce provided in the OpenSecureChannel request.
ServerSecret  The value of the ServerNonce provided in the OpenSecureChannel response.
ServerSeed    The value of the ServerNonce provided in the OpenSecureChannel response.

The parameters passed to the pseudo random function are specified in Table 59.

Table 59 – Cryptography key generation parameters

Key                         Secret        Seed        Length                      Offset
ClientSigningKey            ServerSecret  ClientSeed  SigningKeyLength            0
ClientEncryptingKey         ServerSecret  ClientSeed  EncryptingKeyLength         SigningKeyLength
ClientInitializationVector  ServerSecret  ClientSeed  InitializationVectorLength  SigningKeyLength+EncryptingKeyLength
ServerSigningKey            ClientSecret  ServerSeed  SigningKeyLength            0
ServerEncryptingKey         ClientSecret  ServerSeed  EncryptingKeyLength         SigningKeyLength
ServerInitializationVector  ClientSecret  ServerSeed  InitializationVectorLength  SigningKeyLength+EncryptingKeyLength

The Client keys are used to secure Messages sent by the Client. The Server keys are used to secure Messages sent by the Server.

The SSL/TLS specification defines a pseudo random function called P_HASH which is used for this purpose. The function is iterated until it produces enough data for all of the required keys. The Offset in Table 59 refers to the offset from the start of the generated data.

The P_HASH algorithm is defined as follows:

    P_HASH(secret, seed) = HMAC_HASH(secret, A(1) + seed) +
                           HMAC_HASH(secret, A(2) + seed) +
                           HMAC_HASH(secret, A(3) + seed) + ...

Where A(n) is defined as:

    A(0) = seed
    A(n) = HMAC_HASH(secret, A(n-1))

+ indicates that the results are appended to previous results.


Where ‘HASH’ is a hash function such as SHA256. The hash function to use depends on the SecurityPolicyUri.
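
The derivation in Tables 58 and 59, as an added example that is not part of the specification text: P_HASH with the length/offset slicing of PRF, then all six keys from the two Nonces. The key lengths (32, 32, 16), the choice of SHA-256, the function names and the Nonce values are assumptions made for illustration; real values come from the SecurityPolicy and the OpenSecureChannel exchange.

```python
import hashlib
import hmac

def p_hash(secret: bytes, seed: bytes, length: int, offset: int = 0,
           hash_name: str = "sha256") -> bytes:
    """PRF(secret, seed, length, offset): bytes [offset, offset+length) of P_HASH."""
    if length < 0 or offset < 0:
        raise ValueError("length and offset must be non-negative")
    out = b""
    a = seed                                           # A(0) = seed
    while len(out) < offset + length:                  # iterate until enough data
        a = hmac.new(secret, a, hash_name).digest()    # A(n) = HMAC(secret, A(n-1))
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[offset:offset + length]

def derive_keys(secret: bytes, seed: bytes, sig_len: int, enc_len: int,
                iv_len: int, hash_name: str = "sha256") -> dict:
    """Three rows of Table 59 for one direction: offsets are cumulative."""
    return {
        "signing_key": p_hash(secret, seed, sig_len, 0, hash_name),
        "encrypting_key": p_hash(secret, seed, enc_len, sig_len, hash_name),
        "initialization_vector": p_hash(secret, seed, iv_len,
                                        sig_len + enc_len, hash_name),
    }

def derive_channel_keys(client_nonce: bytes, server_nonce: bytes, sig_len: int,
                        enc_len: int, iv_len: int, hash_name: str = "sha256") -> dict:
    """Table 58: each side's secret and seed are its Nonce.
    Table 59: Client keys = PRF(ServerSecret, ClientSeed),
              Server keys = PRF(ClientSecret, ServerSeed)."""
    if not client_nonce or not server_nonce:
        raise ValueError("both Nonces are required to derive keys")
    return {
        "client": derive_keys(server_nonce, client_nonce,
                              sig_len, enc_len, iv_len, hash_name),
        "server": derive_keys(client_nonce, server_nonce,
                              sig_len, enc_len, iv_len, hash_name),
    }

# Constructed sample Nonces (not from a real channel); lengths are assumed.
CLIENT_NONCE = bytes(range(32))
SERVER_NONCE = bytes(range(32, 64))
KEYS = derive_channel_keys(CLIENT_NONCE, SERVER_NONCE,
                           sig_len=32, enc_len=32, iv_len=16)

if __name__ == "__main__":
    for side, keys in KEYS.items():
        for name, value in keys.items():
            print(f"{side:6} {name:22} {value.hex()}")
```

Because each direction mixes both Nonces (one as the HMAC key, the other as the seed), the Client and Server key sets differ even though they come from the same pair of values.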