ServerKeyExchange

Overview#

ServerKeyExchange describes a Step within the TLS Handshake process.
ServerKeyExchange has been removed in TLS 1.3, where the ephemeral key share is carried in the key_share extension of the ClientHello and ServerHello instead.

In TLS 1.0, the server sends the ServerKeyExchange message after the server Certificate message if that certificate does not contain enough information for the client to exchange the Premaster Secret, or after the ServerHello if an anonymous Key-Exchange is in use.

More specifically, it is used for the anonymous Diffie-Hellman, Diffie-Hellman Ephemeral and (export-grade) Ephemeral RSA Key-Exchange methods; TLS 1.2 (RFC 5246, with RFC 4492) also uses it to carry ECDHE parameters.

The ServerKeyExchange message is sent immediately after the ServerCertificate message, or after the ServerHello message if this is an anonymous negotiation.

The ServerKeyExchange message is sent by the server only when the ServerCertificate message (if sent) does not contain enough data to allow the client to exchange a premaster secret. In TLS 1.0 (RFC 2246) this is true for the following key exchange methods:

    RSA_EXPORT (if the public key in the server certificate is longer than 512 bits)
    DHE_DSS
    DHE_DSS_EXPORT
    DHE_RSA
    DHE_RSA_EXPORT
    DH_anon

It is not legal to send the ServerKeyExchange message for the following key exchange methods:

    RSA
    RSA_EXPORT (when the public key in the server certificate is 512 bits or shorter)
    DH_DSS
    DH_RSA

The ServerKeyExchange message conveys the cryptographic information the client needs to establish the premaster secret: for Diffie-Hellman it carries the server's DH parameters and public value, with which the client completes the key agreement; for ephemeral RSA it carries a temporary RSA public key, with which the client encrypts the premaster secret. In either case the client then sends a ClientKeyExchange, and both sides end up holding the premaster secret.

As additional Cipher Suites are defined for TLS which include new key exchange algorithms, the ServerKeyExchange message will be sent if and only if the certificate type associated with the key exchange algorithm does not provide enough information for the client to exchange a premaster secret.

The Structure of the ServerKeyExchange message (TLS 1.0, RFC 2246):

    enum { rsa, diffie_hellman } KeyExchangeAlgorithm;

    struct {
        opaque rsa_modulus<1..2^16-1>;
        opaque rsa_exponent<1..2^16-1>;
    } ServerRSAParams;

    struct {
        opaque dh_p<1..2^16-1>;
        opaque dh_g<1..2^16-1>;
        opaque dh_Ys<1..2^16-1>;
    } ServerDHParams;     /* Ephemeral DH parameters */

    struct {
        select (KeyExchangeAlgorithm) {
            case diffie_hellman:
                ServerDHParams params;
                Signature signed_params;
            case rsa:
                ServerRSAParams params;
                Signature signed_params;
        };
    } ServerKeyExchange;

    enum { anonymous, rsa, dsa } SignatureAlgorithm;

    select (SignatureAlgorithm)
    {   case anonymous: struct { };
        case rsa:
            digitally-signed struct {
                opaque md5_hash[16];
                opaque sha_hash[20];
            };
        case dsa:
            digitally-signed struct {
                opaque sha_hash[20];
            };
    } Signature;

Where:

    rsa_modulus     The modulus of the server's temporary RSA key.
    rsa_exponent    The public exponent of the server's temporary RSA key.
    dh_p            The prime modulus used for the Diffie-Hellman operation.
    dh_g            The generator used for the Diffie-Hellman operation.
    dh_Ys           The server's Diffie-Hellman public value (g^X mod p).
    params          The server's key exchange parameters.
    signed_params   For non-anonymous key exchanges, a hash of the corresponding params value, with the signature appropriate to that hash applied.
    md5_hash        MD5(ClientHello.random + ServerHello.random + ServerParams)
    sha_hash        SHA(ClientHello.random + ServerHello.random + ServerParams)

Note that the hashes are taken over both hello randoms as well as the parameters, which binds the signed parameters to this particular handshake. A client must verify signed_params against the key in the server's Certificate before using the parameters, and should also check that the values it receives are sane (in particular that 1 < dh_Ys < dh_p - 1), since the encoding itself guarantees nothing about them. For the anonymous case there is no signature at all, which is why DH_anon provides no server authentication.
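To make the encoding above concrete, here is an added example (not code from the original page) that serialises and parses a TLS 1.0 diffie_hellman ServerKeyExchange body, and computes the md5_hash || sha_hash value that the rsa form of signed_params is taken over. The DH numbers, the hello randoms and the signature bytes are constructed stand-ins for illustration (a toy prime, and an opaque signature placeholder rather than a real RSA signature over the hash); the function names are this example's own.

```python
"""Build, parse and hash a TLS 1.0 (RFC 2246) DHE ServerKeyExchange body.

Added example; not code from the page. Encodings follow the structure
listed above: opaque<1..2^16-1> vectors for dh_p, dh_g and dh_Ys, and an
opaque signature vector for signed_params. All sample values are constructed.
"""
import hashlib
import struct


def encode_opaque16(data: bytes) -> bytes:
    """Encode opaque<1..2^16-1>: 2-byte big-endian length, then the bytes."""
    if not 1 <= len(data) <= 0xFFFF:
        raise ValueError("vector length out of range for <1..2^16-1>")
    return struct.pack("!H", len(data)) + data


def decode_opaque16(buf: bytes, offset: int) -> "tuple[bytes, int]":
    """Decode one length-prefixed vector at offset; return (bytes, new offset)."""
    if offset + 2 > len(buf):
        raise ValueError("truncated vector length")
    (length,) = struct.unpack_from("!H", buf, offset)
    offset += 2
    if length == 0 or offset + length > len(buf):
        raise ValueError("truncated or empty vector")
    return buf[offset:offset + length], offset + length


def int_to_bytes(n: int) -> bytes:
    """Minimal big-endian encoding of a non-negative integer."""
    return n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")


def build_server_dh_params(p: int, g: int, ys: int) -> bytes:
    """Serialise ServerDHParams { dh_p, dh_g, dh_Ys }."""
    return (encode_opaque16(int_to_bytes(p))
            + encode_opaque16(int_to_bytes(g))
            + encode_opaque16(int_to_bytes(ys)))


def tls10_rsa_signed_hash(client_random: bytes, server_random: bytes, params: bytes) -> bytes:
    """The 36-byte value an RSA signer covers in TLS 1.0:
    md5_hash = MD5(ClientHello.random + ServerHello.random + ServerParams)
    sha_hash = SHA(ClientHello.random + ServerHello.random + ServerParams)
    Both randoms are included, so signed params cannot be replayed into
    a different handshake."""
    msg = client_random + server_random + params
    return hashlib.md5(msg).digest() + hashlib.sha1(msg).digest()


def build_server_key_exchange(params: bytes, signature: bytes) -> bytes:
    """diffie_hellman ServerKeyExchange body: params, then the signature vector."""
    return params + struct.pack("!H", len(signature)) + signature


def parse_server_key_exchange_dhe(body: bytes) -> dict:
    """Parse a DHE ServerKeyExchange body into its fields.

    Rejects malformed input and an out-of-range public value: the client
    must check 1 < dh_Ys < dh_p - 1 itself, the encoding does not."""
    p_bytes, off = decode_opaque16(body, 0)
    g_bytes, off = decode_opaque16(body, off)
    ys_bytes, off = decode_opaque16(body, off)
    params = body[:off]                      # exactly what signed_params covers
    if off + 2 > len(body):
        raise ValueError("truncated signature length")
    (sig_len,) = struct.unpack_from("!H", body, off)
    off += 2
    signature = body[off:off + sig_len]
    if len(signature) != sig_len or off + sig_len != len(body):
        raise ValueError("bad signature length or trailing bytes")
    p = int.from_bytes(p_bytes, "big")
    ys = int.from_bytes(ys_bytes, "big")
    if not 1 < ys < p - 1:
        raise ValueError("dh_Ys out of range")
    return {"dh_p": p, "dh_g": int.from_bytes(g_bytes, "big"), "dh_Ys": ys,
            "params": params, "signature": signature}


def safe_parse(body: bytes):
    """Return the parsed fields, or None if the body is rejected."""
    try:
        return parse_server_key_exchange_dhe(body)
    except ValueError:
        return None


def demo() -> dict:
    """Constructed round trip with toy-sized values (a real server sends a
    2048-bit or larger prime). The signature is an opaque placeholder."""
    p, g, x = 23, 5, 6                       # toy prime, generator, server secret
    ys = pow(g, x, p)                        # server's public value, 8
    client_random = bytes(range(32))         # constructed ClientHello.random
    server_random = bytes(range(32, 64))     # constructed ServerHello.random
    params = build_server_dh_params(p, g, ys)
    to_sign = tls10_rsa_signed_hash(client_random, server_random, params)
    signature = b"\x5a" * 8                  # stand-in for RSA(to_sign)
    body = build_server_key_exchange(params, signature)
    parsed = parse_server_key_exchange_dhe(body)
    parsed["to_sign"] = to_sign
    parsed["body"] = body
    return parsed


if __name__ == "__main__":
    print(demo())
```

The parser returns the raw params bytes separately because that, together with the two hello randoms, is the only input to the signature check; a client that hashes a re-encoded copy of the values instead of the bytes as received can end up verifying a different message than the one the server signed.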

More Information#

There might be more information for this subject on one of the following: