
Look at this cipher: ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD

It uses AES-GCM for encryption and data origin authentication (according to RFC 5288), so no separate MAC is required. That is why OpenSSL reports it uses AEAD (Authenticated Encryption) for message authentication.

My question is: what does SHA256 mean here? Why do I need a hash function if my MAC is already implemented as part of ENC?

user996142
  • Similar question and good answer: http://security.stackexchange.com/questions/39590/whats-the-hash-for-in-ecdhe-rsa-aes-gcm-sha?rq=1 – user996142 Feb 24 '16 at 12:44

1 Answer

The hash is used as part of the PRF, i.e. the function used to expand the shared secret (from the key exchange) into the encryption keys. After the handshake, it is no longer used.

Thomas Pornin
  • Thanks. So, the meaning of the hash part of a cipher suite depends on the cipher, am I right? In ancient `RC4-MD5`, *MD5* is used for HMAC since RC4 is not AEAD, correct? – user996142 Feb 24 '16 at 12:44
  • 1
    Yes. Also, you may consider the AES-CCM cipher suites, distinct from GCM, and defined in [RFC 6655](http://tools.ietf.org/html/rfc6655). The symbolic name does not define a hash function at all (e.g. "TLS_DHE_PSK_WITH_AES_128_CCM") and yet a hash function is used for the PRF (it is SHA-256, specified at the end of section 3 of RFC 6655). – Thomas Pornin Feb 24 '16 at 14:32