How is an NFC session key created?

I was reading the MIFARE DESFire EV1 document and noticed this:

MIFARE DESFire EV1 and the reader device show in an encrypted way
that they possess the same secret which especially means the same key;
this not only confirms that both entities are permitted to perform
operations on each other but also creates a session key which can be
used to keep the further communication path secure; as the name
“session key” implicitly indicates, each time a new authentication
procedure is successfully completed a new key for further cryptographic
operations is generated

The "not only" part is easy to achieve. In the simplest form, the ‘server’ can throw a random number at the card, and the card can reply with the hash of the secret + the random number.

The "but also" part, which is the establishment of a session key, is a bit hand-wavy. Since both sides already have a common secret, why do you need a session key, and not just use the common secret as a session key?

Note that this question has nothing to do with public key systems or asymmetric encryption or digital signatures. In this case, both sides know the same secret.
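An added sketch, not part of the original post or the DESFire documentation: a generic mutual challenge-response in which each side contributes a random number and both derive a per-session key from the shared secret plus the two numbers. HMAC-SHA256, the labels, the function names and the sample command are assumptions for illustration; this is not the DESFire EV1 algorithm.

```python
import hashlib
import hmac
import secrets

def mac(key: bytes, label: bytes, data: bytes) -> bytes:
    """Keyed hash; the label keeps proofs and key derivation separate."""
    return hmac.new(key, label + b"|" + data, hashlib.sha256).digest()

def authenticate(reader_secret: bytes, card_secret: bytes):
    """Mutual challenge-response. Returns (reader_key, card_key), or None on failure."""
    rnd_reader = secrets.token_bytes(16)   # reader -> card: fresh challenge
    rnd_card = secrets.token_bytes(16)     # card -> reader: its own challenge
    nonces = rnd_reader + rnd_card

    # Card proves it knows the secret; the reader recomputes and compares.
    card_proof = mac(card_secret, b"card", nonces)
    if not hmac.compare_digest(card_proof, mac(reader_secret, b"card", nonces)):
        return None
    # Reader proves the same to the card under a different label.
    reader_proof = mac(reader_secret, b"reader", nonces)
    if not hmac.compare_digest(reader_proof, mac(card_secret, b"reader", nonces)):
        return None

    # Each side derives the session key locally; it is never transmitted.
    return (mac(reader_secret, b"session", nonces)[:16],
            mac(card_secret, b"session", nonces)[:16])

def protect(session_key: bytes, command: bytes) -> bytes:
    """Tag a command under the session key (integrity only, for brevity)."""
    return mac(session_key, b"cmd", command)

def accepts(session_key: bytes, command: bytes, tag: bytes) -> bool:
    """Check a command tag against the current session key."""
    return hmac.compare_digest(tag, protect(session_key, command))

if __name__ == "__main__":
    secret = bytes(16)  # constructed sample key, all zeros
    k1, _ = authenticate(secret, secret)
    k2, _ = authenticate(secret, secret)
    recorded = protect(k1, b"DEBIT 5")  # constructed command, captured in session 1
    print("same session :", accepts(k1, b"DEBIT 5", recorded))
    print("later session:", accepts(k2, b"DEBIT 5", recorded))
    print("wrong secret :", authenticate(secret, b"\x01" * 16))
```

A tag recorded in one session is rejected in the next because the derived key has changed, while the long-term secret itself is only ever used for the proofs and the derivation.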
