Phase 6: TLS 1.3 Key Schedule
Implement the TLS 1.3 key schedule for deriving encryption keys from shared secrets.
Requirements
- Key schedule (RFC 8446 §7.1):
  - Early Secret: HKDF-Extract(PSK or zero, 0)
  - Handshake Secret: HKDF-Extract(early_secret, ECDHE shared secret)
  - Master Secret: HKDF-Extract(handshake_secret, 0)
  - Derive-Secret function using HKDF-Expand-Label
- HKDF-Expand-Label (RFC 8446 §7.1):
  - `HKDF-Expand-Label(Secret, Label, Context, Length)`
  - Label prefix: "tls13 "
  - Context: transcript hash
- Traffic key derivation (RFC 8446 §7.3):
  - client_handshake_traffic_secret
  - server_handshake_traffic_secret
  - client_application_traffic_secret_0
  - server_application_traffic_secret_0
  - From each traffic secret: derive `key` and `iv` using HKDF-Expand-Label
- Transcript hash: running SHA-256 or SHA-384 hash of handshake messages
- Supported cipher suites:
  - TLS_AES_128_GCM_SHA256 (0x1301)
  - TLS_AES_256_GCM_SHA384 (0x1302)
  - TLS_CHACHA20_POLY1305_SHA256 (0x1303)
- Finished key/verify data computation (RFC 8446 §4.4.4)
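
A Python reference for the schedule listed above, using only `hashlib` and `hmac`, which can serve as an independent oracle when building constructed test cases; it is an added example, not the project's code, and the function names and sample inputs are assumptions. It also spells out the `Derive-Secret(., "derived", "")` step that RFC 8446 §7.1 places between the Extract stages.

```python
import hashlib
import hmac

def hkdf_extract(salt, ikm, h=hashlib.sha256):
    return hmac.new(salt, ikm, h).digest()  # RFC 5869: the salt is the HMAC key

def hkdf_expand(prk, info, length, h=hashlib.sha256):
    out, block, i = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([i]), h).digest()
        out, i = out + block, i + 1
    return out[:length]

def hkdf_label(label, context, length):
    # struct HkdfLabel { uint16 length; opaque label<7..255>; opaque context<0..255>; }
    full = b"tls13 " + label.encode("ascii")
    if len(full) > 255 or len(context) > 255:
        raise ValueError("label or context too long for HkdfLabel")
    return length.to_bytes(2, "big") + bytes([len(full)]) + full + bytes([len(context)]) + context

def expand_label(secret, label, context, length, h=hashlib.sha256):
    return hkdf_expand(secret, hkdf_label(label, context, length), length, h)

def derive_secret(secret, label, messages, h=hashlib.sha256):
    # Derive-Secret takes the handshake messages and hashes them (Transcript-Hash)
    return expand_label(secret, label, h(messages).digest(), h().digest_size, h)

def key_schedule(ecdhe, hello_msgs, full_msgs, psk=None, h=hashlib.sha256):
    zeros = bytes(h().digest_size)
    early = hkdf_extract(zeros, psk or zeros, h)  # RFC 8446: salt = 0, IKM = PSK or zeros
    # RFC 8446 §7.1: the salt for each later Extract is Derive-Secret(prev, "derived", "")
    hs = hkdf_extract(derive_secret(early, "derived", b"", h), ecdhe, h)
    master = hkdf_extract(derive_secret(hs, "derived", b"", h), zeros, h)
    secrets = {"early": early, "handshake": hs, "master": master}
    for label, base, msgs in (("c hs traffic", hs, hello_msgs), ("s hs traffic", hs, hello_msgs),
                              ("c ap traffic", master, full_msgs), ("s ap traffic", master, full_msgs)):
        secrets[label] = derive_secret(base, label, msgs, h)
    return secrets

def traffic_keys(secret, key_len, h=hashlib.sha256):
    # RFC 8446 §7.3: write key and 12-byte IV, both with an empty context
    return expand_label(secret, "key", b"", key_len, h), expand_label(secret, "iv", b"", 12, h)

def finished_verify_data(base_key, messages, h=hashlib.sha256):
    finished_key = expand_label(base_key, "finished", b"", h().digest_size, h)
    return hmac.new(finished_key, h(messages).digest(), h).digest()

# Constructed inputs (not real handshake bytes): a fake ECDHE secret and transcripts.
SAMPLE = key_schedule(bytes(range(32)), b"ClientHello|ServerHello", b"CH|SH|...|server Finished")
```

Pass `h=hashlib.sha384` and a 32-byte key length to cover TLS_AES_256_GCM_SHA384.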
Dependencies
`we-crypto` crate: HKDF, HMAC, SHA-256, SHA-384
Acceptance Criteria
- Derive Early Secret, Handshake Secret, Master Secret
- HKDF-Expand-Label with correct TLS 1.3 label format
- Derive traffic secrets from handshake and master secrets
- Derive encryption keys and IVs from traffic secrets
- Compute Finished verify data
- Test vectors from RFC 8446 Appendix A (if available) or constructed test cases
- Tests (15+ tests)
- `cargo clippy` and `cargo fmt` clean