[openssl-users] RFC5077 KWK
Henderson, Karl
KHenderson at verisign.com
Thu Apr 5 18:29:28 UTC 2018
Thanks,
> TLS 1.3 unifies session tickets with (external) PSKs, perhaps you should recast your approach in terms of PSKs rather than session tickets.
Is there a good implementation example of this?
On 4/5/18, 2:19 PM, "openssl-users on behalf of Viktor Dukhovni" <openssl-users-bounces at openssl.org on behalf of openssl-users at dukhovni.org> wrote:
> On Apr 5, 2018, at 2:02 PM, Henderson, Karl via openssl-users <openssl-users at openssl.org> wrote:
>
> Is it possible to use 5077 with a key wrapping key in a Needham-Schroeder scenario:
>
> • A is a Key Server
> • C is say a web server
> • A has a relationship with C and hence A has key KEYac
> • B wants to talk to C but doesn’t have a relationship with C
> • B has a relationship with A
> • B asks A for a key it can use with C
> • A generates a KEYbc and wraps it with KEYac giving us KEYbcac with key_name KEYac
>
> Is it possible to construct a 5077 style ticket with KEYbcac that can be transparently unwrapped by C so that B can speak with C using KEYbc? By transparently, I mean without modification to the server C.
You can use GSSAPI with Kerberos and TLS channel binding. RFC5077 defines stateless server session resumption, by moving the server state to the client encrypted in the server's key. The server key should be short-term, and should not be known to any third party (such as A).
The structure of a server session depends on internal implementation details of the server SSL library, and cannot portably be constructed by some other entity.
TLS 1.3 unifies session tickets with (external) PSKs, perhaps you should recast your approach in terms of PSKs rather than session tickets.
--
Viktor.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
More information about the openssl-users
mailing list