
What is the size of key material required for generating MAC keys, encryption keys and IV when using TLS_DHE_RSA_WITH_AES_256_CBC_SHA? How to calculate it?

kelalaka
  • I think you need to be more specific. There are master secrets and other intermediate key material involved. If it is just for the message handling then you would simply get to 256 (obviously, for AES) and 160 bits for a HMAC-SHA1 key for message authentication, and double that to handle both incoming and outgoing messages. That would be 832 bit if I'm not mistaken. The IV is not considered "key material" at all and should definitely not be part of it. – Maarten Bodewes Sep 05 '19 at 20:45


TLS_DHE_RSA_WITH_AES_256_CBC_SHA is

  • 256-bit AES encryption
  • SHA-1 message authentication
  • Ephemeral Diffie-Hellman key exchange
  • Signed with an RSA certificate

We can find the answer in rfc5246

                        Key      IV   Block
Cipher        Type    Material  Size  Size
------------  ------  --------  ----  -----
NULL          Stream      0       0    N/A
RC4_128       Stream     16       0    N/A
3DES_EDE_CBC  Block      24       8      8
AES_128_CBC   Block      16      16     16
AES_256_CBC   Block      32      16     16

MAC     Algorithm    mac_length  mac_key_length
------  -----------  ----------  --------------
NULL    N/A               0             0
MD5     HMAC-MD5         16            16
SHA     HMAC-SHA1        20            20
SHA256  HMAC-SHA256      32            32

kelalaka
  • Note in TLS1.0 (and SSL3) the first IV (the initial initial vector!) is generated by the PRF, but in 1.1 and 1.2 it is chosen separately and not stored, so it doesn't affect most measures of key material. (And as you say in 1.3 CBC is gone altogether.) – dave_thompson_085 Sep 05 '19 at 01:44
  • Is this the key material in one direction or in two directions? That seems to be missing in the answer (and it is even in my initial comment!). – Maarten Bodewes Sep 09 '19 at 09:32
  • @MaartenBodewes Are you talking about the key size for DHE? Well, that key size changed a lot since defined. – kelalaka Sep 09 '19 at 09:43
  • No, I'm asking if separate symmetric keys are used for sender & receiver... – Maarten Bodewes Sep 09 '19 at 09:51
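The calculation the answer points at in RFC 5246 (section 6.3: key_block = PRF(master_secret, "key expansion", server_random + client_random), cut into client/server MAC keys, write keys and, in SSL3/TLS 1.0 only, the initial CBC IVs) worked through in code, as an added example that is not part of the answer or the comments. The per-suite sizes are the ones from the RFC tables quoted above; the master secret and randoms are constructed sample values, not from a real handshake, and the `tls_version` tuple argument is an assumption of this example. It also answers the two-direction question in the comments: every key is derived twice, once per direction, which is how 832 bits arises for this suite under TLS 1.2.

```python
import hashlib
import hmac

# Per-cipher sizes in bytes, from the RFC 5246 Appendix C tables quoted in
# the answer: mac_key_length, enc key material, IV size.
CIPHER_SUITES = {
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA": {"mac_key": 20, "enc_key": 32, "iv": 16},
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA": {"mac_key": 20, "enc_key": 16, "iv": 16},
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA":    {"mac_key": 20, "enc_key": 24, "iv": 8},
}


def key_block_length(suite, tls_version=(3, 3)):
    """Bytes of key material the PRF must produce (RFC 5246 section 6.3).

    Two of everything: one set for client->server and one for server->client.
    SSL3 (3,0) and TLS 1.0 (3,1) also pull the initial CBC IVs out of the key
    block; TLS 1.1 (3,2) and 1.2 (3,3) send an explicit IV in each record, so
    the IV contributes nothing to the key block there.
    """
    p = CIPHER_SUITES[suite]
    iv_len = p["iv"] if tls_version <= (3, 1) else 0
    return 2 * p["mac_key"] + 2 * p["enc_key"] + 2 * iv_len


def p_hash(secret, seed, length, digestmod=hashlib.sha256):
    """P_hash(secret, seed) from RFC 5246 section 5, expanded to `length` bytes."""
    out = b""
    a = seed                                                   # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, digestmod).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, digestmod).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def tls12_prf(secret, label, seed, length):
    """TLS 1.2 PRF: P_SHA256(secret, label + seed)."""
    return p_hash(secret, label + seed, length)


def derive_keys(suite, master_secret, server_random, client_random):
    """Split the TLS 1.2 key block into the per-direction connection keys.

    key_block is partitioned in this order (RFC 5246 section 6.3):
      client_write_MAC_key, server_write_MAC_key,
      client_write_key,     server_write_key,
      client_write_IV,      server_write_IV   (absent for CBC suites in 1.2)
    """
    p = CIPHER_SUITES[suite]
    total = key_block_length(suite)  # TLS 1.2 only: no IVs in the block
    block = tls12_prf(master_secret, b"key expansion",
                      server_random + client_random, total)

    keys = {}
    pos = 0
    for name, size in (
        ("client_write_MAC_key", p["mac_key"]),
        ("server_write_MAC_key", p["mac_key"]),
        ("client_write_key", p["enc_key"]),
        ("server_write_key", p["enc_key"]),
    ):
        keys[name] = block[pos:pos + size]
        pos += size
    assert pos == total  # every byte of the key block is consumed
    return keys


if __name__ == "__main__":
    # Constructed sample inputs; a real handshake produces these values.
    ms = bytes(range(48))
    sr = b"S" * 32
    cr = b"C" * 32
    suite = "TLS_DHE_RSA_WITH_AES_256_CBC_SHA"
    n = key_block_length(suite)
    print(f"{suite} (TLS 1.2): {n} bytes = {8 * n} bits of key material")
    print(f"same suite under TLS 1.0, IVs included: {key_block_length(suite, (3, 1))} bytes")
    for name, k in derive_keys(suite, ms, sr, cr).items():
        print(f"{name:22s} {len(k):3d} bytes  {k.hex()}")
```

For TLS_DHE_RSA_WITH_AES_256_CBC_SHA under TLS 1.2 this gives 2 x 20 + 2 x 32 = 104 bytes (832 bits); under TLS 1.0 the two 16-byte IVs are added for 136 bytes. The ephemeral DH shared secret and the 48-byte master secret are upstream of this step and are not counted as key material by the RFC's table.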