Passa al contenuto principale

3. Bootstrapping in TLS 1.3

TLS-POK usa certificate-based authentication con EPSK. EPSK e derivato dal BSK public key e importato con RFC 9258. Il client presenta il BSK come raw public key e si autentica con ECDSA.

3.1. EPSK Derivation

epskid = HKDF-Expand(HKDF-Extract(<>, Base Key),
"tls13-bspsk-identity", L)
where:
- epskid is the EPSK External Identity
- Base Key is the DER-encoded ASN.1 subjectPublicKeyInfo
representation of the BSK public key
- L equals 32, the length in octets of the SHA-256 output
- <> is a NULL salt, which is a string of L zeros
struct {
opaque external_identity<1...2^16-1>;
opaque context<0..2^16-1>;
uint16 target_protocol;
uint16 target_kdf;
} ImportedIdentity;

external_identity = epskid, context = "tls13-bsk", target_protocol = TLS1.3(0x0304), target_kdf follows RFC 9258. The context value MUST be "tls13-bsk".

3.2. TLS 1.3 Handshake Details

ClientHello includes "tls_cert_with_extern_psk" and "client_certificate_type" with RawPublicKey. Server MUST send CertificateRequest. Client MUST NOT share the BSK public key before ServerHello processing and TLS key schedule verification. Server MUST verify that Certificate public key matches the BSK public key.

Client                                            Server
-------- --------
ClientHello
+ cert_with_extern_psk
+ client_cert_type=RawPublicKey
+ key_share
+ pre_shared_key -------->
ServerHello
+ cert_with_extern_psk
+ client_cert_type=RawPublicKey
+ key_share
+ pre_shared_key
{EncryptedExtensions}
{CertificateRequest}
{Certificate}
{CertificateVerify}
<-------- {Finished}
{Certificate}
{CertificateVerify}
{Finished} -------->