2

I am supposed to generate tls specific keys with smartcard.

I examined for example P11TlsMasterSecretGenerator class but it requires CKM_TLS_MASTER_KEY_DERIVE_DH mechanism that smartcard to have for master key generation.

But my smartcard does not support this mechanism.

My question is if it possible to use other mechanisms such as CKM_ECDH1_DERIVE for this purpose.

Actually my concern is what CKM_TLS_MASTER_KEY_DERIVE_DH mechanism provides internally more than CKM_ECDH1_DERIVE.

If someone can link me a document or something, I really appreciate that.

Thanks.

4

1 回答 1

0

RFC5246 定义了这样的主密钥生成:

master_secret = PRF(pre_master_secret,"master secret",ClientHello.random + ServerHello.random)[0..47];

在哪里:

PRF(秘密,标签,种子)= P_hash(秘密,标签+种子);

P_hash(秘密,种子)= HMAC_hash(秘密,A(1)+种子)+ HMAC_hash(秘密,A(2)+种子)+ HMAC_hash(秘密,A(3)+种子)+ ...

A(0) = 种子 A(i) = HMAC_hash(secret, A(i-1));

因此可以通过在智能卡上使用 HMAC 来实现这一算法。但这并不能解决我希望在卡中生成 master_secret 而不能从智能卡中提取的问题。HMAC 函数总是按预期输出一个字节数组作为结果。

于 2012-06-22T07:24:47.917 回答