[openssl-users] Session Ticket Support in Openssl TLS 1.2

Benjamin Kaduk bkaduk at akamai.com
Sat Jun 17 00:54:47 UTC 2017

On 06/16/2017 05:36 PM, Matt Caswell wrote:
>> The security properties of such "external" PSKs are substantially
>> different than the "ephemeral" PSKs used in resumption flows.
> Ben - Even external PSKs incorporate an ephemeral, per connection, ECDHE
> based secret (assuming a suitable kex_mode is used). What do you see as
> the concern?

The risk of accidentally using psk_ke instead of psk_dhe_ke is
noticeable, and in terms of concrete differences, there are additional
requirements on external PSKs that the KDF and PSK identity must remain
fixed across uses.  That, combined with the potential for insufficient
entropy during key generation (mentioned in section 2.2 of draft-20)
seem to provide more openings for cryptographic attacks than for the
full resumption flow.  It is probably fine for uses where the other
properties of external PSKs are needed, but I'm not sure that the
risk/reward balance favors using it just to get a speedup -- TLS 1.3
resumption should already be pretty fast.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20170616/e18e8501/attachment-0001.html>

More information about the openssl-users mailing list