Pre-master secret在实现Diffie-Hellman密钥交换时不匹配。

huangapple go评论130阅读模式
英文:

Pre-master secret mistmatched when implementing Diffie-Hellman key exchange

问题

我正在尝试将DHE_DSS实现到Go的crypto/tls包中。不幸的是,我似乎无法获得相同的PreMasterSecret(Z),我的基本工作流程是:

接收服务器密钥交换消息

  • 提取P、G、Ys
  • 使用提供的数字签名进行验证

准备客户端密钥交换消息

  • 创建客户端的Xc
  • 生成Yc(Yc = G^Xc % P)
  • 生成Z(Z = Ys^Xc % P)
  • 发送回Yc,打包如下:

<!-- -->

ckx := make([]byte, len(yC)+2)
ckx[0] = byte(len(Yc)&gt;&gt;8)
ckx[1] = byte(len(Yc))
copy(ckx[2:], yBytes)

然而,当我使用gnutls-serv进行调试时,两个PreMasterSecrets(Z)是不同的。我需要对返回的Yc进行签名,或者以其他方式打包它吗?我在RFC 5246中没有看到任何建议这样做的内容。

<-- 编辑 -->

这是我更改的补丁:

https://08766345559465695203.googlegroups.com/attach/48587532c74b4348/crypto.patch?part=4&amp;view=1&amp;vt=ANaJVrHbwydqEZc3zjUWqQ5C8Q5zEkWXZLdL0w6JJG3HYntOlBurUTY7mc9xR9OTfE0bJxs4eeL5a5SGd2jj9eIfXcwJQgLvJchXOgkYKBBynbPfshY8kuQ

英文:

I am trying to implement DHE_DSS into go's crypto/tls package. Unfortunately I can not seem to get the PreMasterSecret (Z) to be the same, my basic workflow is:

Receive Server Key Exchange Message

  • Extract P, G, Ys
  • Verify using the digital signature provided

Prepare Client Key Exchange Message

  • Create client's Xc
  • Generate Yc (Yc = G^Xc % P)
  • Generate Z (Z = Ys^Xc % P)
  • Send back Yc, packed like so:

<!-- -->

ckx := make([]byte, len(yC)+2)
ckx[0] = byte(len(Yc)&gt;&gt;8)
ckx[1] = byte(len(Yc))
copy(ckx[2:], yBytes)

However, when I am debugging this with gnutls-serv the two PreMasterSecrets (Z) are different. Do I need to sign the returned Yc, or perhaps pack it in another way? I can not see anything in RFC 5246 to suggest this.

<-- EDIT -->

Here is a patch of my changes:

https://08766345559465695203.googlegroups.com/attach/48587532c74b4348/crypto.patch?part=4&amp;view=1&amp;vt=ANaJVrHbwydqEZc3zjUWqQ5C8Q5zEkWXZLdL0w6JJG3HYntOlBurUTY7mc9xR9OTfE0bJxs4eeL5a5SGd2jj9eIfXcwJQgLvJchXOgkYKBBynbPfshY8kuQ

答案1

得分: 1

客户端密钥交换将包含:

长度(2个字节)--> Y_C(明文)

我已经在Java中实现了TLS,并且遵循相同的结构,对我来说运行良好。

> 我需要对返回的Yc进行签名吗?

不需要 对客户端DH公共值进行签名,它是以明文传输的。

您可以获取一个pcap文件并检查是否在数据包中传输了相同的值。另外,如果GNU TLS有用于打印接收到的Y_C的记录器,那么您可以检查是否接收到了正确的数据。

如果您仍然得到不同的Pre-Master密钥,则可能存在生成密钥的逻辑问题。

英文:

Client key exchange will contain:

length (2 bytes) --&gt; Y_C (in plain text)

I have implemented TLS in Java and I follow the same structure and works fine for me.

> Do I need to sign the returned Yc?

No there is no need to sign the client DH public value, it is transferred in plain text.

You can take a pcap and check whether same values are being transferred in the packet. Also if GNU TLS has logger for printing the Y_C received, then you can check if proper data is being received.

If in case you still getting different Pre-Master secret then there seems to be some issue with the logic of generation of secret.

huangapple
  • 本文由 发表于 2012年9月14日 18:43:28
  • 转载请务必保留本文链接:https://go.coder-hub.com/12422908.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定