On Fri, Mar 18, 2016 at 4:20 PM, Ruediger Pluem <[email protected]> wrote:
> On 03/18/2016 04:09 PM, Rainer Jung wrote:
>>
>> Any idea about a scheme how to renew the keys between nodes in a farm in a
>> synced way? Finding a common point in time to renew would not be the
>> problem (assuming synced clocks), but how to regenerate keys
>> deterministically starting from one common secret (the
>> SSLSessionTicketKeyFile) without ending with keys which are too weak?
>
> My idea would be at high level to leverage approaches that are used for
> one time passwords here. But I need to admit that I don't know how
> feasible that is at all and how usable these approaches are for
> generating a (strong) key.
Maybe something like the following could work, and maybe also it could be
secure (any contradictory opinion is of course very welcome :)

Say each instance starts with the same configured passphrase and salt (same
too, but random and large enough, say 128 bits). At startup we generate a
master key (MK) from this passphrase/salt (using PBKDF2, maybe with some
reasonable #iterations), and we'll use a derived key (DK) for session
tickets. To derive the MK into DKs (at startup or when the current DK times
out), let's again run PBKDF2 but now with the current time as salt (and a
single iteration).

This scheme makes the DK deterministic at any time, hence provided clocks are
synchronized, each httpd instance should use the same key. Since session
tickets also need an HMAC key, we would do the same for it (from another
passphrase and salt).

I may be optimistic about the security of this scheme, though, please
experts ring the bell :p

Regards,
Yann.
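The derivation scheme sketched in the message above, written out as an added example (not code from the thread or from httpd's mod_ssl). Two master keys come from PBKDF2 over shared passphrase/salt pairs with a high iteration count, and per-period keys come from a single PBKDF2 iteration with the current time as salt. The iteration count, the one-hour rotation period, encoding the time as an integer epoch number so that every node agrees on the salt, the key lengths, and accepting the immediately previous period's key when verifying are all assumptions made here; the message does not specify them. The shared configuration values are constructed for the example.

```python
import hashlib
import hmac

# Constructed shared configuration (not from the original post). In a real farm
# every node would read the same values from its config; they are fixed here so
# the example runs offline.
TICKET_PASSPHRASE = b"example-ticket-passphrase"
TICKET_SALT = bytes.fromhex("4f0b6e1c9d2a7b3e8c5d1f0a2b4c6d8e")   # 128-bit salt
HMAC_PASSPHRASE = b"example-hmac-passphrase"
HMAC_SALT = bytes.fromhex("a1b2c3d4e5f60718293a4b5c6d7e8f90")     # 128-bit salt

MASTER_ITERATIONS = 100_000   # assumption for "some reasonable #iterations"
ROTATION_PERIOD = 3600        # assumption: one derived key per hour
AES_KEY_LEN = 16              # ticket encryption key (AES-128)
HMAC_KEY_LEN = 32             # ticket integrity key (HMAC-SHA256)


def master_key(passphrase: bytes, salt: bytes) -> bytes:
    """MK = PBKDF2(passphrase, salt) with a high iteration count, computed once at startup."""
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, MASTER_ITERATIONS, dklen=32)


def epoch_for(timestamp: float) -> int:
    """Quantise the clock so all nodes with synced clocks agree on the salt."""
    return int(timestamp) // ROTATION_PERIOD


def derived_key(mk: bytes, epoch: int, length: int) -> bytes:
    """DK = PBKDF2(MK, salt=current period, 1 iteration), as the post proposes."""
    salt = epoch.to_bytes(8, "big")
    return hashlib.pbkdf2_hmac("sha256", mk, salt, 1, dklen=length)


class TicketKeyNode:
    """One httpd instance; `clock` is injected so clock skew can be simulated."""

    def __init__(self, clock):
        self.clock = clock
        self.ticket_mk = master_key(TICKET_PASSPHRASE, TICKET_SALT)
        self.hmac_mk = master_key(HMAC_PASSPHRASE, HMAC_SALT)

    def keys_for_epoch(self, epoch: int):
        return (derived_key(self.ticket_mk, epoch, AES_KEY_LEN),
                derived_key(self.hmac_mk, epoch, HMAC_KEY_LEN))

    def current_keys(self):
        epoch = epoch_for(self.clock())
        aes_key, mac_key = self.keys_for_epoch(epoch)
        return epoch, aes_key, mac_key

    def tag(self, ticket_body: bytes) -> bytes:
        """Key name (the epoch number) followed by an HMAC over the ticket body."""
        epoch, _, mac_key = self.current_keys()
        return epoch.to_bytes(8, "big") + hmac.new(mac_key, ticket_body, "sha256").digest()

    def verify(self, ticket_body: bytes, tag: bytes) -> bool:
        """Accept the current or the immediately previous period. Added here as an
        assumption: the post does not say how tickets issued just before a
        rotation are handled, and deterministic derivation makes this cheap."""
        ticket_epoch = int.from_bytes(tag[:8], "big")
        current = epoch_for(self.clock())
        if ticket_epoch not in (current, current - 1):
            return False
        _, mac_key = self.keys_for_epoch(ticket_epoch)
        expected = hmac.new(mac_key, ticket_body, "sha256").digest()
        return hmac.compare_digest(expected, tag[8:])


if __name__ == "__main__":
    t0 = 1458313200.0                              # a multiple of ROTATION_PERIOD
    node_a = TicketKeyNode(lambda: t0)
    node_b = TicketKeyNode(lambda: t0 + 30)        # 30 s of skew, same period
    node_c = TicketKeyNode(lambda: t0 + 3600)      # one rotation later
    print("a and b share keys:", node_a.current_keys() == node_b.current_keys())
    print("a and c share keys:", node_a.current_keys() == node_c.current_keys())
    tag = node_a.tag(b"session-state")
    print("b verifies a's ticket:", node_b.verify(b"session-state", tag))
    print("c verifies a's ticket (previous period):", node_c.verify(b"session-state", tag))
```

Two nodes whose clocks fall in the same period derive identical encryption and HMAC keys without exchanging anything beyond the initial configuration, and a node one period ahead derives different keys but can still recompute the previous period's key on demand. With a single PBKDF2 iteration the per-period derivation is just one HMAC-SHA256 pass over the master key, so the expensive iteration count is paid only once at startup.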
