Score:0

SSLv3 ServerKeyExchange Signature struct mismatch


I'm playing with implementing SSLv3 in Go according to RFC 6101.

I can deserialize ServerKeyExchange until ServerKeyExchange.signed_params.

The cipher suite is TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x0003).

The Certificate signature algo: 1.2.840.113549.1.1.5 (sha1WithRSAEncryption).

According to the RFC the structs should look like this:

        struct {
            select (KeyExchangeAlgorithm) {
                case diffie_hellman:
                    ServerDHParams params;
                    Signature signed_params;
                case rsa:
                    ServerRSAParams params;
                    Signature signed_params;
                case fortezza_kea:
                    ServerFortezzaParams params;
            };
        } ServerKeyExchange;
        digitally-signed struct {
            select(SignatureAlgorithm) {
                case anonymous: struct { };
                case rsa:
                    opaque md5_hash[16];
                    opaque sha_hash[20];
                case dsa:
                    opaque sha_hash[20];
            };
        } Signature;

but I got a different response from the server:

[screenshot of the decoded server response; image not preserved]

What am I missing?

Thanks!

dave_thompson_085:
**Disagree with VtC as 'programming'**; although OP is writing code, the Q is not about the code but about the protocol independent of any implementation, and does not belong on SO. It _is_ 'use' of crypto as opposed to crypto itself, and might be better on security.SX, but I'd call it borderline.
Score:0

About 10 lines above the part you quoted, there is

        struct {
            opaque rsa_modulus<1..2^16-1>;
            opaque rsa_exponent<1..2^16-1>;
        } ServerRSAParams;

so the case=rsa (which is actually only for rsa_export) of ServerKeyExchange is really:

        ServerRSAParams:
            rsa_modulus -- opaque (really bigendian unsigned integer)
            rsa_exponent -- ditto
        Signature -- ditto 

but this structuring doesn't affect the encoding, which contains only the three 'leaf' values, and whatever decode you are looking at (Wireshark?) doesn't bother to distinguish the two levels here.

Note digitally-signed struct ... Signature does not mean the two hashes (md5 and sha1) are contained in the message; rather they are input to the applicable signature generation algorithm, in this case RSA 'block type 1' defined in PKCS1v1 (now retronymed RSASSA-PKCS1-v1_5 in PKCS1v2), and the output of the signature algorithm, for RSA a single integer encoded as bigendian unsigned fixed-length (see 'I2OSP' in any version of PKCS1), is what is placed in the message, with a 2-byte length prefix, as if it were declared opaque<?..2^16-1> although I don't see this stated in RFC6101; TLS1.0 RFC2246 et succ does state it in 4.7.

(You might want to look at more/all of RFC2246; except for the PRF and key derivation, some alert codes and ciphersuites, the addition of extensions (of which RFC5746 Secure Renegotiation became pretty much mandatory) and of course the version number, to the best of my recollection TLS1.0 is technically the same as SSL3, but the document is more thorough, probably due to going through the IETF gauntlet^Wprocess.)
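The wire layout described in this answer, as an added example that is neither the asker's code nor anything from the answerer: a Go decoder for the three leaf fields of the RSA_EXPORT ServerKeyExchange body (2-byte length prefix on each of rsa_modulus, rsa_exponent and the raw RSA signature), plus the signature check. The hash input is MD5 and SHA-1 over ClientHello.random || ServerHello.random || ServerRSAParams, which is what RFC 6101 section 5.6.3 specifies for the md5_hash/sha_hash fields; Go's `crypto.MD5SHA1` makes `rsa.VerifyPKCS1v15` apply block type 1 to that bare 36-byte value with no DigestInfo, exactly the PKCS#1 v1.5 construction the answer names. Everything else is an assumption of this example: the function and type names, the server-side encoder that exists only to produce a test message offline, 1024-bit test keys in place of a real 512-bit export key (recent Go releases refuse smaller RSA keys), and zero-filled stand-ins for the hello randoms.

```go
package main

import (
	"crypto"
	"crypto/md5"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"math/big"
)

// ServerRSAParams is the RSA_EXPORT ServerKeyExchange body as it is on the wire:
// three opaque<..2^16-1> fields, each with a 2-byte big-endian length. The third
// holds the raw RSA signature (I2OSP output), not the md5/sha hashes themselves.
type ServerRSAParams struct {
	Modulus   []byte // rsa_modulus, big-endian unsigned integer
	Exponent  []byte // rsa_exponent, big-endian unsigned integer
	Signature []byte // RSASSA-PKCS1-v1_5 (block type 1) signature
}

// readOpaque16 consumes one length-prefixed field and returns the remainder.
func readOpaque16(buf []byte) (field, rest []byte, err error) {
	if len(buf) < 2 {
		return nil, nil, errors.New("truncated length prefix")
	}
	n := int(binary.BigEndian.Uint16(buf))
	if len(buf)-2 < n {
		return nil, nil, fmt.Errorf("length %d exceeds remaining %d bytes", n, len(buf)-2)
	}
	return buf[2 : 2+n], buf[2+n:], nil
}

// opaque16 is the encoder counterpart: 2-byte length prefix followed by v.
func opaque16(v []byte) []byte {
	return append(binary.BigEndian.AppendUint16(nil, uint16(len(v))), v...)
}

// ParseServerKeyExchangeRSA decodes the body that follows the 4-byte
// handshake header (msg_type + 24-bit length).
func ParseServerKeyExchangeRSA(body []byte) (*ServerRSAParams, error) {
	p := &ServerRSAParams{}
	var err error
	if p.Modulus, body, err = readOpaque16(body); err != nil {
		return nil, fmt.Errorf("rsa_modulus: %w", err)
	}
	if p.Exponent, body, err = readOpaque16(body); err != nil {
		return nil, fmt.Errorf("rsa_exponent: %w", err)
	}
	if p.Signature, body, err = readOpaque16(body); err != nil {
		return nil, fmt.Errorf("signed_params: %w", err)
	}
	if len(body) != 0 {
		return nil, fmt.Errorf("%d trailing bytes after signature", len(body))
	}
	return p, nil
}

// md5sha1 returns MD5(randoms||params) || SHA1(randoms||params): the 36-byte
// input to RSA block type 1 per RFC 6101 section 5.6.3 (no DigestInfo).
func md5sha1(clientRandom, serverRandom, params []byte) []byte {
	m, s := md5.New(), sha1.New()
	w := io.MultiWriter(m, s)
	w.Write(clientRandom)
	w.Write(serverRandom)
	w.Write(params)
	return append(m.Sum(nil), s.Sum(nil)...)
}

// VerifyServerKeyExchangeRSA checks signed_params with the certificate's public key.
// crypto.MD5SHA1 makes Go use the bare 36-byte hash with no DigestInfo prefix.
func VerifyServerKeyExchangeRSA(certPub *rsa.PublicKey, clientRandom, serverRandom []byte, p *ServerRSAParams) error {
	params := append(opaque16(p.Modulus), opaque16(p.Exponent)...)
	return rsa.VerifyPKCS1v15(certPub, crypto.MD5SHA1, md5sha1(clientRandom, serverRandom, params), p.Signature)
}

// BuildServerKeyExchangeRSA is the server-side encoder, here only for offline testing.
func BuildServerKeyExchangeRSA(certKey *rsa.PrivateKey, clientRandom, serverRandom []byte, tmp *rsa.PublicKey) ([]byte, error) {
	params := append(opaque16(tmp.N.Bytes()), opaque16(big.NewInt(int64(tmp.E)).Bytes())...)
	sig, err := rsa.SignPKCS1v15(rand.Reader, certKey, crypto.MD5SHA1, md5sha1(clientRandom, serverRandom, params))
	if err != nil {
		return nil, err
	}
	return append(params, opaque16(sig)...), nil
}

func main() {
	// Test keys only: a real export key is at most 512 bits, but recent Go
	// releases refuse RSA keys under 1024 bits, so both are 1024 bits here.
	certKey, _ := rsa.GenerateKey(rand.Reader, 1024)
	tmpKey, _ := rsa.GenerateKey(rand.Reader, 1024)
	cr, sr := make([]byte, 32), make([]byte, 32) // stand-ins for the hello randoms
	body, _ := BuildServerKeyExchangeRSA(certKey, cr, sr, &tmpKey.PublicKey)
	p, err := ParseServerKeyExchangeRSA(body)
	if err != nil {
		panic(err)
	}
	fmt.Printf("modulus %d bytes, exponent %x, signature %d bytes\n", len(p.Modulus), p.Exponent, len(p.Signature))
	fmt.Println("signature valid:", VerifyServerKeyExchangeRSA(&certKey.PublicKey, cr, sr, p) == nil)
}
```

The parser deliberately rejects both truncated fields and trailing bytes, so a decoder that disagrees with the server about where one field ends surfaces as an error rather than as a silently misread signature; the verifier then catches any modification of the modulus or exponent, or a mismatch in the hello randoms, because all three are covered by the hash.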
