1

I am looking at packet captures of perfect forward secrecy for the cipher "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256". Per the definition of PFS, after the initial client and server hellos are exchanged, both sides must come up with public-private key pairs and they share the new public keys. In the packet capture, I am seeing that the client is sending its public key in the very next message (under the "EC-Diffie-Hellman Client Params" header) but the server doesn't (instead the server is sending a new session ticket). How does the server send its new public key to the client?

user2896215
  • Server sends its ephemeral key (and parameter info, usually a small number for one of the standard "named" curves) in ServerKeyExchange *after* (Server)Cert and *before* ServerHelloDone and thus *before* (Client)Cert or ClientKeyExchange. Look at your capture again; some capture display formats don't have room for details of multiple TLS messages contained in one frame, or frame group, especially if they are also combined in one TLS *record*. Make sure you look at each record *and* each message. See http://security.stackexchange.com/questions/20803/how-does-ssl-tls-work for many details. – dave_thompson_085 Jan 26 '15 at 07:26

1 Answer

1

From RFC 4492, section 2.2:

The server sends its ephemeral ECDH public key and a specification of the corresponding curve in the ServerKeyExchange message. These parameters MUST be signed with ECDSA using the private key corresponding to the public key in the server's Certificate.

The client generates an ECDH key pair on the same curve as the server's ephemeral ECDH key and sends its public key in the ClientKeyExchange message.

Further, in sections 5.4 and 5.7 you can find their structure.

zakjan
  • Hi Dave and Zakjan, thanks for your responses. I looked again at my pcaps and yes, in the Server Key Exchange message (before Server Hello Done), I can see something with a length of 329 bytes, but I don't see it with a label like key etc. (the way I am seeing it in the Client Key Exchange message). Is this expected? Do I have to enable/disable something in Wireshark so it interprets it correctly? (By the way, I am checking by going to https://mail.google.com). Thanks – user2896215 Jan 27 '15 at 04:05
  • I can see ECDH server params in Wireshark, with no special setting necessary. Check if you have the latest version. http://imgur.com/tWPunSo – zakjan Jan 27 '15 at 07:33
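
The ServerKeyExchange layout that the answer points to (RFC 4492 section 5.4), decoded by hand so the fields can be read even when a capture tool shows only an unlabelled blob. This is an added example, not part of the original answer or comments. It assumes TLS 1.2, where a two-byte SignatureAndHashAlgorithm precedes the signature; the function names are hypothetical, and the sample message is constructed (its point and signature bytes are placeholders, not real key material).

```python
import struct

NAMED_CURVES = {23: "secp256r1", 24: "secp384r1", 25: "secp521r1"}  # RFC 4492 5.1.1
HASH_ALGS = {2: "sha1", 4: "sha256", 5: "sha384", 6: "sha512"}      # RFC 5246 7.4.1.4.1
SIG_ALGS = {1: "rsa", 3: "ecdsa"}

class ParseError(ValueError):
    pass

def _take(buf, off, n, what):
    """Return buf[off:off+n] and the new offset, refusing to read past the end."""
    if off + n > len(buf):
        raise ParseError(f"truncated while reading {what}")
    return buf[off:off + n], off + n

def parse_server_key_exchange(msg):
    """Parse one handshake message: ECDHE ServerKeyExchange, named curve, TLS 1.2."""
    hdr, off = _take(msg, 0, 4, "handshake header")
    if hdr[0] != 12:
        raise ParseError(f"handshake type {hdr[0]} is not ServerKeyExchange (12)")
    body, _ = _take(msg, off, int.from_bytes(hdr[1:4], "big"), "handshake body")
    # ECParameters: curve_type(1) + NamedCurve(2), then ECPoint length(1)
    raw, off = _take(body, 0, 4, "ECParameters")
    curve_type, curve_id, point_len = struct.unpack("!BHB", raw)
    if curve_type != 3:
        raise ParseError(f"curve_type {curve_type}: only named_curve (3) is handled")
    point, off = _take(body, off, point_len, "ECPoint")
    # digitally-signed (TLS 1.2): hash(1) + signature alg(1) + length(2) + signature
    raw, off = _take(body, off, 4, "signature header")
    hash_id, sig_id, sig_len = struct.unpack("!BBH", raw)
    signature, off = _take(body, off, sig_len, "signature")
    if off != len(body):
        raise ParseError(f"{len(body) - off} unexpected trailing bytes")
    return {
        "curve": NAMED_CURVES.get(curve_id, f"unknown({curve_id})"),
        "server_public_key": point,            # the server's ephemeral ECDH key
        "uncompressed": point[:1] == b"\x04",
        "hash": HASH_ALGS.get(hash_id, f"unknown({hash_id})"),
        "sig_alg": SIG_ALGS.get(sig_id, f"unknown({sig_id})"),
        "signature": signature,
    }

def constructed_sample():
    """Constructed message: placeholder 65-byte point and 70-byte signature."""
    point = b"\x04" + bytes(range(64))
    sig = b"\xaa" * 70
    body = (struct.pack("!BHB", 3, 23, len(point)) + point
            + struct.pack("!BBH", 4, 3, len(sig)) + sig)
    return b"\x0c" + len(body).to_bytes(3, "big") + body

if __name__ == "__main__":
    for key, value in parse_server_key_exchange(constructed_sample()).items():
        print(key, value.hex() if isinstance(value, bytes) else value)
```
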