Server Key Exchange

The server key exchange message is sent after the server certificate message if it does not contain enough information for the client to exchange the pre-master secret, or after the server hello if anonymous key exchange is in use. More specifically it is used for anonymous Diffie-Hellman, Ephemeral Diffie-Hellman and Ephemeral RSA key-exchange methods.

Ephemeral and anonymous Diffie-Hellman[18] is determined by the chosen cipher suite. Ephemeral RSA is used when an RSA export cipher suite is used and the public key is longer than 512 bits. Export cipher suites[2] are designed to satisfy the requirements of now relaxed US export restrictions that amongst other things restricted RSA keys to 512 bits. The idea of Ephemeral RSA is to allow a server to have a strong key for key-exchange with non-export cipher suites, while a temporary key of 512 bits or less is used for key-exchange with export cipher suites. It also allows the server to have a certificate that is somewhat less vulnerable to attack. This certificate is used for both export and non-export cipher suites.

This message has two forms, one for RSA and one for Diffie-Hellman. Both begin with the handshake header followed by the key-exchange algorithm, RSA or Diffie-Hellman

The RSA version of this message includes the RSA modulus and exponent. The signature depends on the type of the serverís certificate and the type of key-exchange being performed. For RSA the signature consists of the concatenation of an MD5 and an SHA1 hash, signed by the serverís key. For DSS it consists of an SHA1 hash signed by the serverís key. The input for the hash is the concatenation of the client random, the server random, and the message itself from the end of the handshake to the beginning of the signature.

The signature is omitted if anonymous key exchange is being performed. It should be noted that in this case there is no way to verify the identity of the server and thus an attack involving establishing a bogus server may easily be performed.

Similarly the Diffie-Hellman version of this message includes the Diffie-Hellman prime modulus, generator and public value. It is followed by a signature.