3. Bootstrapping in TLS 1.3
TLS-POK nutzt certificate-based authentication mit EPSK. Das EPSK wird aus dem BSK public key abgeleitet und gemaess RFC 9258 importiert. Der client praesentiert den BSK als raw public key und authentifiziert mit ECDSA.
3.1. EPSK Derivation
epskid = HKDF-Expand(HKDF-Extract(<>, Base Key),
"tls13-bspsk-identity", L)
where:
- epskid is the EPSK External Identity
- Base Key is the DER-encoded ASN.1 subjectPublicKeyInfo
representation of the BSK public key
- L equals 32, the length in octets of the SHA-256 output
- <> is a NULL salt, which is a string of L zeros
struct {
opaque external_identity<1...2^16-1>;
opaque context<0..2^16-1>;
uint16 target_protocol;
uint16 target_kdf;
} ImportedIdentity;
external_identity = epskid, context = "tls13-bsk", target_protocol = TLS1.3(0x0304), target_kdf follows RFC 9258. The context value MUST be "tls13-bsk".
3.2. TLS 1.3 Handshake Details
ClientHello includes "tls_cert_with_extern_psk" and "client_certificate_type" with RawPublicKey. Server MUST send CertificateRequest. Client MUST NOT share the BSK public key before ServerHello processing and TLS key schedule verification. Server MUST verify that Certificate public key matches the BSK public key.
Client Server
-------- --------
ClientHello
+ cert_with_extern_psk
+ client_cert_type=RawPublicKey
+ key_share
+ pre_shared_key -------->
ServerHello
+ cert_with_extern_psk
+ client_cert_type=RawPublicKey
+ key_share
+ pre_shared_key
{EncryptedExtensions}
{CertificateRequest}
{Certificate}
{CertificateVerify}
<-------- {Finished}
{Certificate}
{CertificateVerify}
{Finished} -------->