[openssl-users] RFC5077 KWK

Viktor Dukhovni openssl-users at dukhovni.org
Thu Apr 5 18:19:05 UTC 2018

> On Apr 5, 2018, at 2:02 PM, Henderson, Karl via openssl-users <openssl-users at openssl.org> wrote:
> Is it possible to use 5077 with a key wrapping key in a Needham-Schroeder scenario:
> 	• A is a Key Server
> 	• C is say a web server
> 	• A has a relationship with C and hence A has key KEYac
> 	• B wants to talk to C but doesn’t have a relationship with C
> 	• B has a relationship with A
> 	• B asks A for a key it can use with C
> 	• A generates a KEYbc and wraps it with KEYac giving us KEYbcac with key_name KEYac
> Is it possible to construct a 5077 style ticket with KEYbcac that can be transparently unwrapped by C so that B can speak with C using KEYbc? By transparently, I mean without modification to the server C.

You can use GSSAPI with Kerberos and TLS channel binding.  RFC5077 defines stateless server session resumption, by moving the server state to the client encrypted in the server's key.  The server key should be short-term, and should not be known to any third party (such as A).

The structure of a server session depends on internal implementation details of the server SSL library, and cannot portably be constructed by some other entity.

TLS 1.3 unifies session tickets with (external) PSKs; perhaps you should recast your approach in terms of PSKs rather than session tickets.
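
Added illustration, not part of the original message and not OpenSSL's code: the ticket layout that RFC 5077 section 4 recommends, framed and checked with Python's standard library. The key name, MAC key and state blob are constructed sample values; the state is treated as opaque ciphertext because its plaintext is specific to the server's SSL library, and a real server may use a different layout.

```python
import hashlib
import hmac
import os
import struct

KEY_NAME_LEN, IV_LEN, MAC_LEN = 16, 16, 32
HEADER_LEN = KEY_NAME_LEN + IV_LEN + 2  # key_name + iv + 2-octet length

# Constructed sample values, not taken from any real server.
KEY_NAME = b"constructed-key1"            # 16-octet cleartext key identifier
MAC_KEY = bytes(range(32))                # HMAC-SHA-256 half of the ticket key
KEYRING = {KEY_NAME: MAC_KEY}             # keys the server currently accepts
STATE = b"opaque-library-specific-ciphertext"  # stands in for AES-CBC output


def build_ticket(key_name, mac_key, encrypted_state, iv=None):
    """Frame an already-encrypted state blob in the RFC 5077 section 4 layout."""
    if len(key_name) != KEY_NAME_LEN:
        raise ValueError("key_name must be 16 octets")
    iv = os.urandom(IV_LEN) if iv is None else iv
    body = key_name + iv + struct.pack("!H", len(encrypted_state)) + encrypted_state
    # The MAC covers key_name, IV, the length field and the ciphertext.
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def parse_ticket(ticket, keyring):
    """Return (key_name, iv, encrypted_state); None means 'do a full handshake'."""
    if len(ticket) < HEADER_LEN + MAC_LEN:
        return None
    key_name = ticket[:KEY_NAME_LEN]
    mac_key = keyring.get(key_name)
    if mac_key is None:  # unknown or rotated-out key: ignore the ticket
        return None
    body, mac = ticket[:-MAC_LEN], ticket[-MAC_LEN:]
    if not hmac.compare_digest(mac, hmac.new(mac_key, body, hashlib.sha256).digest()):
        return None  # reject before any decryption is attempted
    (state_len,) = struct.unpack("!H", body[KEY_NAME_LEN + IV_LEN:HEADER_LEN])
    state = body[HEADER_LEN:]
    if state_len != len(state):
        return None
    return key_name, body[KEY_NAME_LEN:KEY_NAME_LEN + IV_LEN], state


if __name__ == "__main__":
    ticket = build_ticket(KEY_NAME, MAC_KEY, STATE)
    print(parse_ticket(ticket, KEYRING))       # accepted: MAC verifies
    print(parse_ticket(ticket, {}))            # None: key_name not recognised
```

Only key_name travels in the clear; everything the server needs to resume the session sits inside the encrypted state, whose format this framing does not define.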


