Why does TLS 1.2 use GCM with additional SHA hash?

Question

I am studying the cipher suites provided by TLS 1.2 and found an interesting question.

TLS 1.2 adopts GCM for encryption and SHA256 or SHA384 for hash (e.g. TLS_RSA_WITH_AES_128_GCM_SHA256). But, GCM already provides data authenticity (integrity).

So, my question is that why TLS 1.2 includes another hash functions (SHA256 or SHA384) to provide integrity. Why not just use GCM for both encryption and hash, like IPsec?

dupe of http://crypto.stackexchange.com/questions/17691/why-does-aes-gcm-need-mac-tls-ecdhe-rsa-with-aes-128-gcm-sha256 and http://crypto.stackexchange.com/questions/26410/whats-the-gcm-sha-256-of-a-tls-protocol . — dave_thompson_085, Oct 16 '15 at 05:49
I only found the second and didn't think is was close enough to be a dupe but the first is clearly the same question. — otus, Oct 16 '15 at 12:06

score 4 · Accepted Answer · edited Oct 07 '21 at 07:34

4

Those ciphersuites do use GCM for both encryption and authentication. The hash function mentioned at the end is not used for integrity, but in the pseudorandom function. The TLS PRF is used to derive valid keys for the ciphersuite from the shared secret generated in the key exchange.

edited Oct 07 '21 at 07:34

Community

1

answered Oct 15 '15 at 06:15

otus

32,132
5
70
165

Why does TLS 1.2 use GCM with additional SHA hash?

1 Answers1