RFC 5077 ticket key derivation

Alan DeKok aland at deployingradius.com
Tue Mar 31 19:35:25 CEST 2015

On Mar 31, 2015, at 1:19 PM, Sam Hartman <hartmans at mit.edu> wrote:
> wait. What?
> I'm not parsing what you're trying to do there, and it's triggering my
> security spidy sense.
> Why do you ever want to hash a signature to get an encryption key?

  The problem is that the SSL session tickets are encrypted with a key known only to the server.  This is a good idea, because it means that the client can't impersonate the server.

  However... if you have two servers, they must both know the key.  They can communicate via a DB, which means the benefit of session tickets go away.  Or, they can derive the key from some secret data known only to the servers.

  The method Arran came up with is to sign the various user-identifiying fields with the servers private key.  Then hash that to get a key which is unique to the user, and known only to the server.

  If there's a simpler way to do this, I'd be happy to know it.

  Alan DeKok.

More information about the Freeradius-Devel mailing list