| blob | f78c7f5ed1f702d3b882c15ba8f07c46c3538b6e |
4 Network Working Group J. Salowey
5 Internet-Draft H. Zhou
6 Expires: July 29, 2006 Cisco Systems
7 P. Eronen
8 Nokia
9 H. Tschofenig
10 Siemens
11 January 25, 2006
14 Transport Layer Security Session Resumption without Server-Side State
15 draft-salowey-tls-ticket-07.txt
17 Status of this Memo
19 By submitting this Internet-Draft, each author represents that any
20 applicable patent or other IPR claims of which he or she is aware
21 have been or will be disclosed, and any of which he or she becomes
22 aware will be disclosed, in accordance with Section 6 of BCP 79.
24 Internet-Drafts are working documents of the Internet Engineering
25 Task Force (IETF), its areas, and its working groups. Note that
26 other groups may also distribute working documents as Internet-
27 Drafts.
29 Internet-Drafts are draft documents valid for a maximum of six months
30 and may be updated, replaced, or obsoleted by other documents at any
31 time. It is inappropriate to use Internet-Drafts as reference
32 material or to cite them other than as "work in progress."
34 The list of current Internet-Drafts can be accessed at
35 http://www.ietf.org/ietf/1id-abstracts.txt.
37 The list of Internet-Draft Shadow Directories can be accessed at
38 http://www.ietf.org/shadow.html.
40 This Internet-Draft will expire on July 29, 2006.
42 Copyright Notice
44 Copyright (C) The Internet Society (2006).
46 Abstract
48 This document describes a mechanism which enables the Transport Layer
49 Security (TLS) server to resume sessions and avoid keeping per-client
50 session state. The TLS server encapsulates the session state into a
51 ticket and forwards it to the client. The client can subsequently
55 Salowey, et al. Expires July 29, 2006 [Page 1]
56 \f
57 Internet-Draft Stateless TLS Session Resumption January 2006
60 resume a session using the obtained ticket.
62 Table of Contents
64 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
65 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
66 3. Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
67 3.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . 3
68 3.2 SessionTicket TLS extension . . . . . . . . . . . . . . . 5
69 3.3 NewSessionTicket handshake message . . . . . . . . . . . . 6
70 3.4 Interaction with TLS session ID . . . . . . . . . . . . . 7
71 4. Recommended Ticket Construction . . . . . . . . . . . . . . . 8
72 5. Security Considerations . . . . . . . . . . . . . . . . . . . 9
73 5.1 Invalidating Sessions . . . . . . . . . . . . . . . . . . 10
74 5.2 Stolen Tickets . . . . . . . . . . . . . . . . . . . . . . 10
75 5.3 Forged Tickets . . . . . . . . . . . . . . . . . . . . . . 10
76 5.4 Denial of Service Attacks . . . . . . . . . . . . . . . . 10
77 5.5 Ticket Protection Key Management . . . . . . . . . . . . . 10
78 5.6 Ticket Lifetime . . . . . . . . . . . . . . . . . . . . . 11
79 5.7 Alternate Ticket Formats and Distribution Schemes . . . . 11
80 5.8 Identity Privacy, Anonymity and Unlinkability . . . . . . 11
81 6. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 12
82 7. IANA considerations . . . . . . . . . . . . . . . . . . . . . 12
83 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 12
84 8.1 Normative References . . . . . . . . . . . . . . . . . . . 12
85 8.2 Informative References . . . . . . . . . . . . . . . . . . 13
86 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 14
87 Intellectual Property and Copyright Statements . . . . . . . . 16
111 Salowey, et al. Expires July 29, 2006 [Page 2]
112 \f
113 Internet-Draft Stateless TLS Session Resumption January 2006
116 1. Introduction
118 This document defines a way to resume a Transport Layer Security
119 (TLS) session without requiring session-specific state at the TLS
120 server. This mechanism may be used with any TLS ciphersuite. This
121 document applies to both TLS 1.0 defined in [RFC2246] and TLS 1.1
122 defined in [I-D.ietf-tls-rfc2246-bis]. The mechanism makes use of
123 TLS extensions defined in [I-D.ietf-tls-rfc3546bis] and defines a new
124 TLS message type.
126 This mechanism is useful in the following types of situations:
129 1. servers that handle a large number of transactions from
130 different users
131 2. servers that desire to cache sessions for a long time
132 3. ability to load balance requests across servers
133 4. embedded servers with little memory
135 2. Terminology
137 Within this document the term 'ticket' refers to a cryptographically
138 protected data structure which is created by the server and consumed
139 by the server to rebuild session specific state.
141 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
142 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
143 document are to be interpreted as described in [RFC2119].
145 3. Protocol
147 This specification describes a mechanism to distribute encrypted
148 session state information in the form of a ticket. The ticket is
149 created by a TLS server and sent to a TLS client. The TLS client
150 presents the ticket to the TLS server to resume a session.
151 Implementations of this specification are expected to support both
152 mechanisms. Other specifications can take advantage of the session
153 tickets, perhaps specifying alternative means for distribution or
154 selection. For example a separate specification may describe an
155 alternate way to distribute a ticket and use the TLS extension in
156 this document to resume the session. This behavior is beyond the
157 scope of the document and would need to be described in a separate
158 specification.
160 3.1 Overview
162 The client indicates that it supports this mechanism by including a
163 SessionTicket TLS extension in the ClientHello message. The
167 Salowey, et al. Expires July 29, 2006 [Page 3]
168 \f
169 Internet-Draft Stateless TLS Session Resumption January 2006
172 extension will be empty if the client does not already possess a
173 ticket for the server. The extension is described in Section 3.2
175 If the server wants to use this mechanism, it stores its session
176 state (such as ciphersuite and master secret) to a ticket that is
177 encrypted and integrity-protected by a key known only to the server.
178 The ticket is distributed to the client using the NewSessionTicket
179 TLS handshake message described in Section 3.3. This message is sent
180 during the TLS handshake before the ChangeCipherSpec message after
181 the server has successfully verified the client's Finished message.
184 Client Server
186 ClientHello -------->
187 (empty SessionTicket extension)
188 ServerHello
189 (empty SessionTicket extension)
190 Certificate*
191 ServerKeyExchange*
192 CertificateRequest*
193 <-------- ServerHelloDone
194 Certificate*
195 ClientKeyExchange
196 CertificateVerify*
197 [ChangeCipherSpec]
198 Finished -------->
199 NewSessionTicket
200 [ChangeCipherSpec]
201 <-------- Finished
202 Application Data <-------> Application Data
204 The client caches this ticket along with the master secret and other
205 parameters associated with the current session. When the client
206 wishes to resume the session, it includes the ticket in the
207 SessionTicket extension within ClientHello message. The server then
208 decrypts the received ticket, verifies that the ticket validity,
209 retrieves the session state from the contents of the ticket and uses
210 this state to resume the session. The interaction with the TLS
211 Session ID is described in Section 3.4. If the server successfully
212 verifies the client's ticket then it may renew the ticket by
213 including a NewSessionTicket handshake message after the ServerHello.
223 Salowey, et al. Expires July 29, 2006 [Page 4]
224 \f
225 Internet-Draft Stateless TLS Session Resumption January 2006
228 ClientHello
229 (SessionTicket extension) -------->
230 ServerHello
231 (empty SessionTicket extension)
232 NewSessionTicket
233 [ChangeCipherSpec]
234 <-------- Finished
235 [ChangeCipherSpec]
236 Finished -------->
237 Application Data <-------> Application Data
239 A recommended ticket format is given in Section 4.
241 If the server cannot or does not want to honor the ticket then it can
242 initiate a full handshake with the client.
244 3.2 SessionTicket TLS extension
246 The SessionTicket TLS extension is based on [I-D.ietf-tls-
247 rfc3546bis]. The format of the ticket is an opaque structure used to
248 carry session specific state information. This extension may be sent
249 in the ClientHello and ServerHello.
251 If the client possesses a ticket that it wants to use to resume a
252 session then it includes the ticket in the SessionTicket extension in
253 the ClientHello. If the client does not have a ticket and it is
254 prepared to receive one in the NewSessionTicket handshake message
255 then it MUST include a zero length ticket in the SessionTicket
256 extension. If the client is not prepared to receive a ticket in the
257 NewSessionTicket handshake message then it MUST NOT include a
258 SessionTicket extension unless it is sending a non-empty ticket it
259 received through some other means from the server.
261 The server uses an zero length SessionTicket extension to indicate to
262 the client that it will send a new session ticket using the
263 NewSessionTicket handshake message described in Section 3.3. The
264 server MUST send this extension in the ServerHello if it wishes to
265 issue a new ticket to the client using the NewSessionTicket handshake
266 message. The server MUST NOT send this extension if it does not
267 receive on in the ClientHello.
269 If the server fails to verify the ticket then it falls back to
270 performing a full handshake. If the ticket is accepted by the server
271 but the handshake fails the client SHOULD delete the ticket.
273 The SessionTicket extension has been assigned the number TBD1. The
274 format of the SessionTicket extension is given at the end of this
275 section.
279 Salowey, et al. Expires July 29, 2006 [Page 5]
280 \f
281 Internet-Draft Stateless TLS Session Resumption January 2006
284 struct {
285 opaque ticket<0..2^16-1>;
286 } SessionTicket;
289 3.3 NewSessionTicket handshake message
291 This message is sent by the server during the TLS handshake before
292 the ChangeCipherSpec message. This message MUST be sent if the
293 server included a SessionTicket extension in the ServerHello. This
294 message MUST NOT be sent if the server did not include a
295 SessionTicket extension in the ServerHello. In the case of a full
296 handshake, the server MUST verify the client's Finished message
297 before sending the ticket. The client MUST NOT treat the ticket as
298 valid until it has verified the server's Finished message. If the
299 server determines that it does not want to include a ticket after it
300 has included the SessionTicket extension in the ServerHello then it
301 sends a zero length ticket in the NewSessionTicket handshake message.
303 If the server successfully verifies the client's ticket then it MAY
304 renew the ticket by including a NewSessionTicket handshake message
305 after the ServerHello in the abbreviated handshake. The client
306 should start using the new ticket as soon as possible after it
307 verifies the Server's finished message for new connections. Note
308 that since the updated ticket is issued before the handshake
309 completes it is possible that the client may not put the new ticket
310 into use before it initiates new connections. The server MUST NOT
311 assume the client actually received the updated ticket until it
312 successfully verifies the client's Finished message.
314 The NewSessionTicket handshake message has been assigned the number
315 TBD2 and its definition is given at the end of this section. The
316 ticket_lifetime_hint field contains a hint from the server about how
317 long the ticket should be stored. The value indicates the lifetime
318 in seconds as a 32 bit unsigned integer in network byte order. A
319 value of zero is reserved to indicate that the lifetime of the ticket
320 is unspecified. A client SHOULD delete the ticket and associated
321 state when the time expires. It MAY delete the ticket earlier based
322 on local policy. A server MAY treat a ticket as valid for a shorter
323 or longer period of time than what is stated in the
324 ticket_lifetime_hint.
335 Salowey, et al. Expires July 29, 2006 [Page 6]
336 \f
337 Internet-Draft Stateless TLS Session Resumption January 2006
340 struct {
341 HandshakeType msg_type;
342 uint24 length;
343 select (HandshakeType) {
344 case hello_request: HelloRequest;
345 case client_hello: ClientHello;
346 case server_hello: ServerHello;
347 case certificate: Certificate;
348 case server_key_exchange: ServerKeyExchange;
349 case certificate_request: CertificateRequest;
350 case server_hello_done: ServerHelloDone;
351 case certificate_verify: CertificateVerify;
352 case client_key_exchange: ClientKeyExchange;
353 case finished: Finished;
354 case session_ticket: NewSessionTicket; /* NEW */
355 } body;
356 } Handshake;
359 struct {
360 uint32 ticket_lifetime_hint;
361 opaque ticket<0..2^16-1>;
362 } NewSessionTicket;
365 3.4 Interaction with TLS session ID
367 If a server is planning on issuing a SessionTicket to a client that
368 does not present one it SHOULD include an empty Session ID in the
369 ServerHello. If the server includes a non-empty session ID then it
370 is indicating intent to use stateful session resume. If the client
371 receives a SessionTicket from the server then it discards any Session
372 ID that was sent in the ServerHello.
374 When presenting a ticket the client MAY generate and include a
375 Session ID in the TLS ClientHello. If the server accepts the ticket
376 and the Session ID is not empty then it MUST respond with the same
377 Session ID present in the ClientHello. This allows the client to
378 easily differentiate when the server is resuming a session or falling
379 back to a full handshake. Since the client generates a Session ID
380 the server MUST NOT rely upon the Session ID having a particular
381 value when validating the ticket. If a ticket is presented by the
382 client the server MUST NOT attempt to use the Session ID in the
383 ClientHello for stateful session resume. Alternatively, the client
384 MAY include an empty Session ID in the ClientHello. In this case the
385 client ignores the Session ID sent in the ServerHello and determines
386 if the server is resuming a session by the subsequent handshake
387 messages.
391 Salowey, et al. Expires July 29, 2006 [Page 7]
392 \f
393 Internet-Draft Stateless TLS Session Resumption January 2006
396 4. Recommended Ticket Construction
398 This section describes a recommended format and protection for the
399 ticket. Note that the ticket is opaque to the client so the
400 structure is not subject to interoperability concerns, so
401 implementations may diverge from this format. If implementations do
402 diverge from this format they must take security concerns seriously.
403 Clients MUST NOT examine the ticket under the assumption that it
404 complies with this document.
406 The server uses two different keys, one 128-bit key for AES [AES] in
407 CBC mode [CBC] encryption and one 128-bit key for HMAC-SHA1 [RFC2104]
408 [SHA1].
410 The ticket is structured as follows:
412 struct {
413 opaque key_name[16];
414 opaque iv[16];
415 opaque encrypted_state<0..2^16-1>;
416 opaque mac[20];
417 } ticket;
419 Here key_name serves to identify a particular set of keys used to
420 protect the ticket. It enables the server to easily recognize
421 tickets it has issued. The key_name should be randomly generated to
422 avoid collisions between servers. One possibility is to generate new
423 random keys and key_name every time the server is started.
425 The actual state information in encrypted_state is encrypted using
426 128-bit AES in CBC mode with the given IV. The MAC is calculated
427 using HMAC-SHA1 over key_name (16 octets)and IV (16 octets), followed
428 by the length of the encrypted_state field (2 octets) and its
429 contents (variable length).
447 Salowey, et al. Expires July 29, 2006 [Page 8]
448 \f
449 Internet-Draft Stateless TLS Session Resumption January 2006
452 struct {
453 ProtocolVersion protocol_version;
454 CipherSuite cipher_suite;
455 CompressionMethod compression_method;
456 opaque master_secret[48];
457 ClientIdentity client_identity;
458 uint32 timestamp;
459 } StatePlaintext;
461 enum {
462 anonymous(0),
463 certificate_based(1),
464 psk(2)
465 } ClientAuthenticationType;
467 struct {
468 ClientAuthenticationType client_authentication_type;
469 select (ClientAuthenticationType) {
470 case anonymous: struct {};
471 case certificate_based:
472 ASN.1Cert certificate_list<0..2^24-1>;
473 case psk:
474 opaque psk_identity<0..2^16-1>;
476 }
477 } ClientIdentity;
479 The structure StatePlaintext stores the TLS session state including
480 the master_secret. The timestamp within this structure allows the
481 TLS server to expire tickets. To cover the authentication and key
482 exchange protocols provided by TLS the ClientIdentity structure
483 contains the authentication type of the client used in the initial
484 exchange (see ClientAuthenticationType). To offer the TLS server
485 with the same capabilities for authentication and authorization a
486 certificate list is included in case of public key based
487 authentication. The TLS server is therefore able to inspect a number
488 of different attributes within these certificates. A specific
489 implementation might choose to store a subset of this information or
490 additional information. Other authentication mechanisms, such as
491 Kerberos [RFC2712], would require different client identity data.
493 5. Security Considerations
495 This section addresses security issues related to the usage of a
496 ticket. Tickets must be sufficiently authenticated and encrypted to
497 prevent modification or eavesdropping by an attacker. Several
498 attacks described below will be possible if this is not carefully
499 done.
503 Salowey, et al. Expires July 29, 2006 [Page 9]
504 \f
505 Internet-Draft Stateless TLS Session Resumption January 2006
508 Implementations should take care to ensure that the processing of
509 tickets does not increase the chance of denial of serve as described
510 below.
512 5.1 Invalidating Sessions
514 The TLS specification requires that TLS sessions be invalidated when
515 errors occur. [CSSC] discusses the security implications of this in
516 detail. In the analysis in this paper, failure to invalidate
517 sessions does not pose a security risk. This is because the TLS
518 handshake uses a non-reversible function to derive keys for a session
519 so information about one session does not provide an advantage to
520 attack the master secret or a different session. If a session
521 invalidation scheme is used the implementation should verify the
522 integrity of the ticket before using the contents to invalidate a
523 session to ensure an attacker cannot invalidate a chosen session.
525 5.2 Stolen Tickets
527 An eavesdropper or man-in-the-middle may obtain the ticket and
528 attempt to use the ticket to establish a session with the server,
529 however since the ticket is encrypted and the attacker does not know
530 the secret key, a stolen ticket does not help an attacker resume a
531 session. A TLS server MUST use strong encryption and integrity
532 protection for the ticket to prevent an attacker from using a brute
533 force mechanism to obtain the tickets contents.
535 5.3 Forged Tickets
537 A malicious user could forge or alter a ticket in order to resume a
538 session, to extend its lifetime, to impersonate as another user or
539 gain additional privileges. This attack is not possible if the
540 ticket is protected using a strong integrity protection algorithm
541 such as a keyed HMAC-SHA1.
543 5.4 Denial of Service Attacks
545 The key_name field defined in the recommended ticket format helps the
546 server efficiently reject tickets that it did not issue. However, an
547 adversary could store or generate a large number of tickets to send
548 to the TLS server for verification. To minimize the possibility of a
549 denial of service, the verification of the ticket should be
550 lightweight (e.g., using efficient symmetric key cryptographic
551 algorithms).
553 5.5 Ticket Protection Key Management
555 A full description of the management of the keys used to protect the
559 Salowey, et al. Expires July 29, 2006 [Page 10]
560 \f
561 Internet-Draft Stateless TLS Session Resumption January 2006
564 ticket is beyond the scope of this document. A list of RECOMMENDED
565 practices is given below.
567 o The key should be generated securely following the randomness
568 recommendations in [RFC4086]
569 o The key and cryptographic protection algorithms should be at least
570 128 bits in strength
571 o The key should not be used for any other purpose than generating
572 and verifying tickets
573 o The key should be changed regularly
574 o The key should be changed if the ticket format or cryptographic
575 protection algorithms change
577 5.6 Ticket Lifetime
579 The TLS server controls the lifetime of the ticket. Servers
580 determine the acceptable lifetime based on the operational and
581 security requirements of the environments in which they are deployed.
582 The ticket lifetime may be longer than the 24 hour lifetime
583 recommended in [RFC2246]. TLS clients may be given a hint of the
584 lifetime of the ticket. Since the lifetime of a ticket may be
585 unspecified a client has its own local policy which determines when
586 it discards tickets.
588 5.7 Alternate Ticket Formats and Distribution Schemes
590 If the ticket format or distribution scheme defined in this document
591 is not used then great care must be taken in analyzing the security
592 of the solution. In particular if a confidential information, such
593 as a secret key, is transferred to the client it MUST be done using
594 secure communication so as to prevent attackers from obtaining or
595 modifying the key. Also the ticket MUST have its integrity and
596 privacy protected with strong cryptographic techniques to prevent a
597 breach in the security of the system.
599 5.8 Identity Privacy, Anonymity and Unlinkability
601 This document mandates that the content of the ticket is
602 confidentiality protected in order to avoid leakage of its content,
603 such as user relevant information. As such, it prevents disclosure
604 of potentially sensitive information carried within the ticket.
606 The initial handshake exchange, which was used to obtain the ticket,
607 might not provide identity confidentiality of the client based on the
608 properties of TLS. Another relevant security threat is the ability
609 for an on-path adversary to observe multiple TLS handshakes where the
610 same ticket is used and to therefore conclude that they belong to the
611 same communication endpoints. Application designers that use the
615 Salowey, et al. Expires July 29, 2006 [Page 11]
616 \f
617 Internet-Draft Stateless TLS Session Resumption January 2006
620 ticket mechanism described in this document should consider that
621 unlinkability [ANON] is not necessarily provided.
623 While a full discussion of these topics is beyond the scope of this
624 document, it should be noted that it is possible to issue a ticket
625 using a TLS renegotiation handshake that occurs after a secure tunnel
626 has been established by a previous handshake. This may help address
627 some privacy and unlinkability issues in some environments.
629 6. Acknowledgments
631 The authors would like to thank the following people for their help
632 with preparing and reviewing this document: Eric Rescorla, Mohamad
633 Badra, Tim Dierks, Nelson Bolyard, Nancy Cam-Winget, David McGrew,
634 Rob Dugal, Russ Housley, Amir Herzberg, Bernard Aboba and members of
635 the TLS working group.
637 [CSSC] describes a solution that is very similar to the one described
638 in this document and gives a detailed analysis of the security
639 considerations involved. [RFC2712] describes a mechanism for using
640 Kerberos [RFC4120] in TLS ciphersuites, which helped inspire the use
641 of tickets to avoid server state. [I-D.cam-winget-eap-fast] makes
642 use of a similar mechanism to avoid maintaining server state for the
643 cryptographic tunnel. [SC97] also investigates the concept of
644 stateless sessions.
646 7. IANA considerations
648 IANA has assigned a TLS extension number of TBD1 (the value 35 is
649 suggested) to the SessionTicket TLS extension from the TLS registry
650 of ExtensionType values defined in [I-D.ietf-tls-rfc3546bis].
652 IANA has assigned a TLS HandshakeType number TBD2 to the
653 NewSessionTicket handshake type from the TLS registry of
654 HandshakeType values defined in [I-D.ietf-tls-rfc2246-bis].
656 8. References
658 8.1 Normative References
660 [I-D.ietf-tls-rfc2246-bis]
661 Dierks, T. and E. Rescorla, "The TLS Protocol Version
662 1.1", draft-ietf-tls-rfc2246-bis-13 (work in progress),
663 June 2005.
665 [I-D.ietf-tls-rfc3546bis]
666 Blake-Wilson, S., "Transport Layer Security (TLS)
667 Extensions", draft-ietf-tls-rfc3546bis-02 (work in
671 Salowey, et al. Expires July 29, 2006 [Page 12]
672 \f
673 Internet-Draft Stateless TLS Session Resumption January 2006
676 progress), October 2005.
678 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
679 Requirement Levels", BCP 14, RFC 2119, March 1997.
681 [RFC2246] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0",
682 RFC 2246, January 1999.
684 8.2 Informative References
686 [AES] National Institute of Standards and Technology, "Advanced
687 Encryption Standard (AES)", Federal Information
688 Processing Standards (FIPS) Publication 197,
689 November 2001.
691 [ANON] Pfitzmann, A. and M. Hansen, "Anonymity, Unlinkability,
692 Unobservability, Pseudonymity, and Identity Management - A
693 Consolidated Proposal for Terminology", http://
694 dud.inf.tu-dresden.de/literatur/
695 Anon_Terminology_v0.26-1.pdf Draft 0.26, December 2005.
697 [CBC] National Institute of Standards and Technology,
698 "Recommendation for Block Cipher Modes of Operation -
699 Methods and Techniques", NIST Special Publication 800-38A,
700 December 2001.
702 [CSSC] Shacham, H., Boneh, D., and E. Rescorla, "Client-side
703 caching for TLS", Transactions on Information and
704 System Security (TISSEC) , Volume 7, Issue 4,
705 November 2004.
707 [I-D.cam-winget-eap-fast]
708 Cam-Winget, N., McGrew, D., Salowey, J., and H. Zhou, "EAP
709 Flexible Authentication via Secure Tunneling (EAP-FAST)",
710 draft-cam-winget-eap-fast-02 (work in progress),
711 April 2005.
713 [RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-
714 Hashing for Message Authentication", RFC 2104,
715 February 1997.
717 [RFC2712] Medvinsky, A. and M. Hur, "Addition of Kerberos Cipher
718 Suites to Transport Layer Security (TLS)", RFC 2712,
719 October 1999.
721 [RFC4086] Eastlake, D., Schiller, J., and S. Crocker, "Randomness
722 Requirements for Security", BCP 106, RFC 4086, June 2005.
727 Salowey, et al. Expires July 29, 2006 [Page 13]
728 \f
729 Internet-Draft Stateless TLS Session Resumption January 2006
732 [RFC4120] Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The
733 Kerberos Network Authentication Service (V5)", RFC 4120,
734 July 2005.
736 [RFC4279] Eronen, P. and H. Tschofenig, "Pre-Shared Key Ciphersuites
737 for Transport Layer Security (TLS)", RFC 4279,
738 December 2005.
740 [SC97] Aura, T. and P. Nikander, "Stateless Connections",
741 Proceedings of the First International Conference on
742 Information and Communication Security (ICICS '97) , 1997.
744 [SHA1] National Institute of Standards and Technology, "Secure
745 Hash Standard (SHS)", Federal Information Processing
746 Standards (FIPS) Publication 180-2, August 2002.
749 Authors' Addresses
751 Joseph Salowey
752 Cisco Systems
753 2901 3rd Ave
754 Seattle, WA 98121
755 US
757 Email: jsalowey@cisco.com
760 Hao Zhou
761 Cisco Systems
762 4125 Highlander Parkway
763 Richfield, OH 44286
764 US
766 Email: hzhou@cisco.com
769 Pasi Eronen
770 Nokia Research Center
771 P.O. Box 407
772 FIN-00045 Nokia Group
773 Finland
775 Email: pasi.eronen@nokia.com
783 Salowey, et al. Expires July 29, 2006 [Page 14]
784 \f
785 Internet-Draft Stateless TLS Session Resumption January 2006
788 Hannes Tschofenig
789 Siemens
790 Otto-Hahn-Ring 6
791 Munich, Bayern 81739
792 Germany
794 Email: Hannes.Tschofenig@siemens.com
839 Salowey, et al. Expires July 29, 2006 [Page 15]
840 \f
841 Internet-Draft Stateless TLS Session Resumption January 2006
844 Intellectual Property Statement
846 The IETF takes no position regarding the validity or scope of any
847 Intellectual Property Rights or other rights that might be claimed to
848 pertain to the implementation or use of the technology described in
849 this document or the extent to which any license under such rights
850 might or might not be available; nor does it represent that it has
851 made any independent effort to identify any such rights. Information
852 on the procedures with respect to rights in RFC documents can be
853 found in BCP 78 and BCP 79.
855 Copies of IPR disclosures made to the IETF Secretariat and any
856 assurances of licenses to be made available, or the result of an
857 attempt made to obtain a general license or permission for the use of
858 such proprietary rights by implementers or users of this
859 specification can be obtained from the IETF on-line IPR repository at
860 http://www.ietf.org/ipr.
862 The IETF invites any interested party to bring to its attention any
863 copyrights, patents or patent applications, or other proprietary
864 rights that may cover technology that may be required to implement
865 this standard. Please address the information to the IETF at
866 ietf-ipr@ietf.org.
869 Disclaimer of Validity
871 This document and the information contained herein are provided on an
872 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
873 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
874 ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
875 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
876 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
877 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
880 Copyright Statement
882 Copyright (C) The Internet Society (2006). This document is subject
883 to the rights, licenses and restrictions contained in BCP 78, and
884 except as set forth therein, the authors retain all their rights.
887 Acknowledgment
889 Funding for the RFC Editor function is currently provided by the
890 Internet Society.
895 Salowey, et al. Expires July 29, 2006 [Page 16]
896 \f