david wong

Hey! I'm David, a security consultant at Cryptography Services, the crypto team of NCC Group . This is my blog about cryptography and security and other related topics that I find interesting.

Distinction between the TLS PRF for the Master Key and for the Keys

posted March 2016

Last time I wrote about TLS pre-master keys and master keys.

I just realized one more thing in TLS that doesn't make sense (besides the fact that different versions of TLS have different PRFs). Here's RFC 5246 (the RFC on TLS 1.2) on how to use the PRF transform your pre-master key into a master key:

key expansion

Here's the same RFC on how to use the PRF to transform your master key into your 4 or 6 keys:

premaster key

Noticed anything?

Took me some time, the first takes the server random appended to the client random, while the second takes the client random appended to the server random. I'm willing to bet this is not to circumvent any attack but rather to confuse the implementer...

Well done! You've reached the end of my post. Now you can leave me a comment :)