RFC 5077 ticket key derivation

Arran Cudbard-Bell a.cudbardb at freeradius.org
Tue Mar 31 19:36:13 CEST 2015


> On 31 Mar 2015, at 13:19, Sam Hartman <hartmans at mit.edu> wrote:
> 
> *
> * Signs the administrator configured key, using the private key associated with the
> * SSL context, then hashes the signature to get a key of an appropriate length,
> * which is fed to the hmac and encryption contexts for the session ticket.
> 
> 
> wait. What?
> I'm not parsing what you're trying to do there, and it's triggering my
> security spidey sense.

Requirements:

- A cluster of servers needs to derive the same session ticket key without
  communicating with each other.

- The key should be derived from something the administrator configures,
  and the private key set for the SSL context. So if administrators
  choose simple keys, they don't open themselves up to session ticket
  spoofing.

- The derived key must be a fixed length.

> Why do you ever want to hash a signature to get an encryption key?

To get a fixed length key. Different certificate types will generate signatures
of differing sizes.

If there's a better way to generate a key of a fixed length, using an
administrator provided key string, and a private key then I'd definitely be open
to it.

Using the private key to sign the administrator configured key was a trick from
the original NGINX implementation of RFC 5077 session resumption. There they
just took the first 48 bytes of the signature.

Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS development team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
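The derivation discussed in this thread, worked through as an added example (this is not FreeRADIUS or nginx code and not the scheme the message describes). Hashing a signature only yields the same key on every server when the signature scheme is deterministic: RSA PKCS#1 v1.5 is, but plain ECDSA draws a fresh random nonce per signature, so two servers with the same ECDSA key would derive different ticket keys. It also turns the certificate's private key into a signing oracle for whatever the administrator typed. The block below instead feeds the raw private-key bytes into HKDF (RFC 5869) as input keying material, salted with the administrator's key string and expanded under a fixed label, which gives a fixed-length, deterministic result for any key type. The function names, the label string, the `generation` rotation counter and the stand-in private key bytes are all assumptions for this example; the 48-byte layout (16-byte name, 16-byte AES-128 key, 16-byte HMAC key) follows nginx's 48-byte ssl_session_ticket_key file format, and the RFC 5869 test vector is used to check the HKDF implementation.

```python
"""
Fixed-length TLS session ticket key derivation for a server cluster.

Added example, not FreeRADIUS or nginx code. Inputs: the administrator's
configured key string and the raw bytes of the SSL context's private key
(a constructed stand-in here). Output: 48 bytes in the nginx 48-byte
ssl_session_ticket_key layout (16-byte key name, 16-byte AES-128 key,
16-byte HMAC key). HKDF per RFC 5869, standard library only.
"""
import hashlib
import hmac

HASH = hashlib.sha256
TICKET_KEY_LEN = 48  # 16 name + 16 AES-128 key + 16 HMAC key


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract: PRK = HMAC-Hash(salt, IKM)."""
    if not salt:
        salt = b"\x00" * HASH().digest_size
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand: T(i) = HMAC-Hash(PRK, T(i-1) | info | i)."""
    if length > 255 * HASH().digest_size:
        raise ValueError("requested length too large for HKDF")
    okm = b""
    prev = b""
    counter = 1
    while len(okm) < length:
        prev = hmac.new(prk, prev + info + bytes([counter]), HASH).digest()
        okm += prev
        counter += 1
    return okm[:length]


def derive_ticket_key(admin_key: str, private_key_der: bytes,
                      generation: int = 0) -> dict:
    """
    Derive the cluster-wide session ticket key (assumed design).

    Every server holding the same admin_key and the same private key
    derives the same 48 bytes with no communication. The private key
    bytes are used only as HKDF input keying material; nothing is signed,
    so the result is deterministic whatever the certificate's key type.
    `generation` lets servers rotate the ticket key in lockstep by agreeing
    on a counter out of band (for example one derived from the date).
    """
    if not admin_key:
        raise ValueError("administrator key must not be empty")
    # Extract: the private key supplies the entropy; the admin key is the
    # salt, so a changed admin key yields an unrelated PRK.
    prk = hkdf_extract(admin_key.encode("utf-8"), private_key_der)
    # Expand: a fixed label separates this output from any other use of
    # the same material; the generation counter is mixed in for rotation.
    info = b"RFC5077 session ticket key v1|" + generation.to_bytes(4, "big")
    okm = hkdf_expand(prk, info, TICKET_KEY_LEN)
    return {
        "name": okm[0:16],       # sent in the ticket so peers pick the right key
        "aes_key": okm[16:32],   # AES-128-CBC key for the ticket body
        "hmac_key": okm[32:48],  # HMAC key over name | iv | ciphertext
    }


# Constructed stand-in for the DER encoding of the SSL context's private
# key; a real deployment would pass the bytes loaded from the key file.
FAKE_PRIVATE_KEY_DER = hashlib.sha512(b"constructed demo private key").digest() * 4


if __name__ == "__main__":
    k = derive_ticket_key("not-so-secret-admin-key", FAKE_PRIVATE_KEY_DER)
    for part, value in k.items():
        print(f"{part:9s} {value.hex()}")
```

Two servers given the same inputs produce identical name, AES and HMAC keys; changing the administrator key, the private key or the generation counter changes all three. A weak administrator key still cannot be brute-forced into the ticket key without the private key bytes, which is the property the message asks for.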
