Re: Use of Random Bytes from Client and Server

[Bodo Moeller]

On Tue, Nov 16, 1999 at 10:42:13PM -0800, Harry Whitehouse wrote:

> As I read the SSL3 specs, I gather that random bytes from the client
> (generated as part of Client Hello) are combined with the client-generated
> pre-master secret and random bytes from the server (generated at the Server
> Hello) to yield the master secret.
> 
> I'm curious as to the rationale for using randomly generated bytes --
> particularly in the need to use random bytes from both parties.  It would
> seem, for instance, that the client is already contributing random data in
> the form of the pre-master secret (i.e., the data which is encrypted with
> the public key and sent to the server).
> 
> Can someone offer some perspectives on this design feature?

When a session is reused, you don't have client key exchange message.
Also for fixed-DH ciphersuites (which no-one uses though) client key
exchange messages are empty.  There may be more reasons.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]