3. Bootstrapping in TLS 1.3
TLS-POK は EPSK 付き certificate-based authentication を使う。EPSK は BSK public key から導出され RFC 9258 により import される。Client は BSK を raw public key として提示し ECDSA で認証する。
3.1. EPSK Derivation
epskid = HKDF-Expand(HKDF-Extract(<>, Base Key),
"tls13-bspsk-identity", L)
where:
- epskid is the EPSK External Identity
- Base Key is the DER-encoded ASN.1 subjectPublicKeyInfo
representation of the BSK public key
- L equals 32, the length in octets of the SHA-256 output
- <> is a NULL salt, which is a string of L zeros
struct {
opaque external_identity<1...2^16-1>;
opaque context<0..2^16-1>;
uint16 target_protocol;
uint16 target_kdf;
} ImportedIdentity;
external_identity = epskid, context = "tls13-bsk", target_protocol = TLS1.3(0x0304), target_kdf follows RFC 9258. The context value MUST be "tls13-bsk".
3.2. TLS 1.3 Handshake Details
ClientHello includes "tls_cert_with_extern_psk" and "client_certificate_type" with RawPublicKey. Server MUST send CertificateRequest. Client MUST NOT share the BSK public key before ServerHello processing and TLS key schedule verification. Server MUST verify that Certificate public key matches the BSK public key.
Client Server
-------- --------
ClientHello
+ cert_with_extern_psk
+ client_cert_type=RawPublicKey
+ key_share
+ pre_shared_key -------->
ServerHello
+ cert_with_extern_psk
+ client_cert_type=RawPublicKey
+ key_share
+ pre_shared_key
{EncryptedExtensions}
{CertificateRequest}
{Certificate}
{CertificateVerify}
<-------- {Finished}
{Certificate}
{CertificateVerify}
{Finished} -------->