67. Initiator Host Contains C i Proposes Security Association options Contains C i & C r Selects SA options Select random # C i : initiator’s cookie Check to see if C i already in use; If not, generate C r , responder’s cookie; Associate C r with initiator’s address Check C i & address against list; Associate (C i , C r ) with SA; record SA as “unauthenticated” Responder Host HDR, SA Cookie Request HDR, SA Cookie Response
68. Initiator Host T=g x mod p Nonce N i Initiate Diffie-Hellman exchange Check responder cookie, discard if not valid; If valid identify SA with (C i , C r ) & record as “unauthenticated” R=g y mod p Nonce N r Calculate K=(g y ) x mod p Calculate K=(g x ) y mod p Calculate secret string of bits SKEYID known only to initiator & responder Calculate secret string of bits SKEYID known only to initiator & responder Responder Host HDR, KE, N i Key Request HDR, KE, N r Key Response
69. Initiator Host Prepare signature based on SKEYID, T, R, C i , C r , the SA field, initiator ID SKEYID, T, R, C i , C r , SA, ID i Hash of info in HDR encrypted Authenticates initiator comparing decrypted hash to recalculated hash. If agree, SA declared authenticated. Prepares signature based on SKEYID, T, R, C i , C r , the SA field, responder ID r SKEYID, T, R, C i , C r , SA, ID r Hash of info in HDR Authenticate initiator. If successful, SA declared authenticated. Responder Host HDR, {ID i , Sig i } Signature Request HDR, {ID r , Sig r } Signature Request
70.
71.
72.
73.
74.
75.
76.
77.
78.
79. Request connection Includes: Version #; Time & date; Session ID (if resuming); Ciphersuite (combinations of key exchange, encryption, MAC, compression) Send ServerHello if there is acceptable Ciphersuite combination; else, send failure alert & close connection. * Optional messages Server Certificate Server part of handshake done Server part of key exchange: Diffie-Hellman, g x; ; RSA, public key ServerHello includes: Version #; Random number; Session ID ; Ciphersuite & compression selections Compute shared key May contain public key New CipherSpec pending TLS Record protocol initially specifies no compression or encryption Client Server ClientHello ServerHello Certificate * ServerKeyExchange * ServerHelloDone
80. Client’s part of key agreement: Diffie-Hellman g y ; RSA, random #s Change Cipher protocol message notifies server that subsequent records protected under new CipherSpec & keys Server changes CipherSpec Hash using new CipherSpec; allows server to verify change in Cipherspec Compute shared key Verify CipherSpec Client Server ClientKeyExchange [ChangeCipherSpec] Finished
81.
82. Server requests certificate if client needs to be authenticated Client sends suitable certificate If server finds certificate unacceptable; server can send fatal failure alert message & close connection Client prepares digital signature based on messages sent using its private key Server verifies client has private key Client Server ClientHello ServerHello Certificate* ServerKeyExchange* CertificateRequest ServerHelloDone Certificate* ClientKeyExchange CertificateVerify* [ChangeCipherSpec] Finished Application Data [ChangeCipherSpec] Finished