1

The RFC gives the formula 

PRF(secret, label, seed) = P_MD5(S1, label + seed) XOR
                          P_SHA-1(S2, label + seed);

for doing this.P_hash in turn has the following formula:

P_hash(secret, seed) = HMAC_hash(secret, A(1) + seed) +
                          HMAC_hash(secret, A(2) + seed) +
                          HMAC_hash(secret, A(3) + seed) + ...

The RFC also says

P_hash can be iterated as many times as is necessary to produce the required quantity of data. For example, if P_SHA-1 was being used to create 64 bytes of data, it would have to be iterated 4 times (through A(4)), creating 80 bytes of output data; the last 16 bytes of the final iteration would then be discarded, leaving 64 bytes of output data.

I find "P_hash can be iterated as many times as is necessary to produce the required quantity of data" confusing.Just how many times is necessary?Is there a threshold after which it doesn't matter how much it is? If so, what is this threshold?

automaton
  • 1,091
  • 1
  • 9
  • 23
  • 'As many times as are required to produce the required quantity of data' seems perfectly clear to me. I wouldn't have used the word 'iterated', however. What is really happening is that *as many terms of the expression* as required are used. – user207421 May 02 '14 at 12:44
  • So how much data is required? I have scoured the RFC and it says nothing about the amount of data. Since the master key is always 48 bytes long, is it perhaps 48 bytes? – automaton May 02 '14 at 12:50
  • 1
    If I remember correctly this is used in more than one place, so the required amount of data depends on context. – user207421 May 02 '14 at 19:13
  • Ah yes.that explains it.besides, the amount of data generated by this operation is of similar length to the key finally derived. – automaton May 02 '14 at 21:53
  • Possible duplicate of http://stackoverflow.com/questions/13324785/openssl-prf-function – Noam Rathaus Dec 30 '14 at 07:31

1 Answers1

0

I'm pretty sure that in TLS 1.0, the premaster secret and the master secret are always 48bytes long, but then when you create your key block further down the line, it can be longer than 48 bytes. i.e. if your cipher uses sha1 and aes256, you will need 136 bytes.

chadianscot
  • 145
  • 10