Ilari answered your question, but this jumped out:

On Sun, May 5, 2019, at 21:11, [email protected] wrote:
> [...] both sides calculate,
> PSK = [...]
> and the server sends back to the client the PSK (unencrypted [...])

The PSK never gets sent. As you say, both sides can calculate the same value.

> My question is what key is encrypting the session ticket (is it a
> symmetric key that is generated by the webserver/SSL library for each
> session?

If you want a bad design choice, NSS uses RSA encryption using a key from one of its certificates to encrypt a symmetric key that we use with CBC. The symmetric key is used for all tickets once it is recovered, so the asymmetric encryption/decryption costs are paid just once when the system runs. The ways in which this design is bad are lengthy enough that I won't bother to list them. A better scheme would use a straight symmetric key with an AEAD, but there are historical deployment reasons for that design.

_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls
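As an added example (not NSS code and not part of the thread), this is the kind of "straight symmetric key with an AEAD" ticket protection the reply prefers: one AES-256-GCM key seals the ticket state, a hypothetical 4-byte key-name prefix lets the server identify which key to use and rotate keys, and any modified ticket fails authentication instead of decrypting to garbage as unauthenticated CBC would. The ticket layout, names and demo key are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Assumed ticket layout (illustrative, not an NSS or RFC format):
//   ticket = key_name(4) || nonce(12) || AES-256-GCM(key, nonce, state, aad = key_name)
const keyNameLen = 4

// TicketKey is one server-side ticket-protection key; the name identifies it on the wire.
type TicketKey struct {
	Name [keyNameLen]byte
	AEAD cipher.AEAD
}

// NewTicketKey wraps a 32-byte symmetric key in AES-GCM; no asymmetric step is involved.
func NewTicketKey(name [keyNameLen]byte, key []byte) (*TicketKey, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	aead, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	return &TicketKey{Name: name, AEAD: aead}, nil
}

// Seal protects the ticket state (e.g. a resumption secret) with a fresh random nonce.
// The key name is bound as associated data so it cannot be swapped without detection.
func (k *TicketKey) Seal(state []byte) ([]byte, error) {
	nonce := make([]byte, k.AEAD.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	out := append([]byte{}, k.Name[:]...)
	out = append(out, nonce...)
	return k.AEAD.Seal(out, nonce, state, k.Name[:]), nil
}

// Open recovers the state; a wrong key name, truncation or any flipped bit is rejected.
func (k *TicketKey) Open(ticket []byte) ([]byte, error) {
	n := k.AEAD.NonceSize()
	if len(ticket) < keyNameLen+n+k.AEAD.Overhead() { return nil, errors.New("ticket too short") }
	if string(ticket[:keyNameLen]) != string(k.Name[:]) { return nil, errors.New("unknown ticket key") }
	return k.AEAD.Open(nil, ticket[keyNameLen:keyNameLen+n], ticket[keyNameLen+n:], k.Name[:])
}

func main() {
	key := make([]byte, 32) // constructed demo key; a real server draws this from a CSPRNG
	for i := range key { key[i] = byte(i) }
	tk, _ := NewTicketKey([keyNameLen]byte{'k', 'e', 'y', '1'}, key)
	ticket, _ := tk.Seal([]byte("resumption secret"))
	state, err := tk.Open(ticket)
	fmt.Printf("opened: %q err=%v\n", state, err)
	ticket[len(ticket)-1] ^= 1 // flip one ciphertext bit
	_, err = tk.Open(ticket)
	fmt.Println("tampered ticket rejected:", err != nil)
}
```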
