Network Working Group
    Internet Draft                                         N. Cam-Winget
                                                               D. McGrew
                                                              J. Salowey
                                                                 H. Zhou
    Document: draft-salowey-tls-ticket-00.txt              Cisco Systems
    Expires: October 2004                                       May 2004

           A TLS Hello Extension for Ticket Based Pre-Shared Keys

Status of this Memo

    This document is an Internet-Draft and is in full conformance with
    all provisions of Section 10 of RFC2026.

    Internet-Drafts are working documents of the Internet Engineering
    Task Force (IETF), its areas, and its working groups.  Note that
    other groups may also distribute working documents as Internet-

    Internet-Drafts are draft documents valid for a maximum of six months
    and may be updated, replaced, or obsoleted by other documents at any
    time.  It is inappropriate to use Internet-Drafts as reference
    material or to cite them other than as "work in progress."

    The list of current Internet-Drafts can be accessed at
    The list of Internet-Draft Shadow Directories can be accessed at


    This document describes a TLS extension that makes use of a pre-
    established ticket to distribute the shared secret for establishing a
    TLS session.  The mechanism uses extensions to the TLS session resume
    hello exchange.  In particular the ticket enables the client to
    maintain state so the server does not have to maintain per-client
    session state.  The use of a hello extension allows fallback to a
    full ciphersuite handshake. Considerations for the initial
    establishment of the ticket material are discussed.

Table of Contents

    1. Introduction........................................... 2
    2. Basic operation........................................ 2

Cam-Winget, et. al.    Expires - November 2004               [Page 1] =0C
                    TLS Hello Extension for Tickets           May 2004

       2.1 TLS Hello Ticket Extension......................... 3
       2.2 Generating the master secret ...................... 4
       2.3 TLS Hello Ticket extension format.................. 4
    3. Ticket Considerations.................................. 5
       3.1 Ticket Contents.................................... 5
       3.2 Ticket Issuance.................................... 5
       3.3 Ticket Format...................................... 6
    4. Security Considerations................................ 7
    Normative References...................................... 7
    Informative References.................................... 7
    Acknowledgments........................................... 8
    Author's Addresses........................................ 8

1. Introduction

    This document describes an extension to TLS that allows shared keys
    to be used similar to [TLS-SHARED-KEY] but enables one of the peers
    to be stateless.  The extension is modeled after [RFC 3546] and
    employs the session resume logic. The proposal allows for the session
    state to be stored on the client in a ticket issued by the server or
    some central authority.   This relieves the server from maintaining
    per-client session state.  This mechanism is based on work done for
    [EAP-FAST] which discusses this extension as well as a method for
    distributing the initial ticket.

    An extension to the TLS resume functionality instead of a new cipher
    suite was chosen because it allows the protocol to fall back to full
    authentication cipher suite if the ticket provided in the hello
    message is not valid. This extension can be used in conjunction with
    any TLS cipher suite including those specified in [TLS-PSK].

2. Basic operation

    The basic operation assumes that a ticket has been previously issued
    to the client.  The ticket consists of a ticket key which is known to
    the client, an opaque portion which contains information for the
    server and optional informational section which describes information
    in the ticket to the client.  A suggested format for the distribution
    of the ticket is described in section 3.3. Since the ticket contains
    secret key material it MUST be distributed by a mechanism that
    protects the integrity and the confidentiality of the ticket.  In
    addition the distribution mechanism SHOULD authenticate and authorize
    the issuer. The exact means for distributing this ticket is not
    specified in this document; however suggestions and considerations
    are discussed in section 3.2 and in [EAP-FAST].  In EAP-FAST this
    ticket is called the PAC.

Cam-Winget, et. Al.    Expires - November 2004               [Page 2] =0C
                    TLS Hello Extension for Tickets           May 2004

    The exchange for establishing a session is the same as that used by
    TLS abbreviated handshake for session resume from [RFC 2246]:

          Client                                                Server

          ClientHello                   -------->
                                        <--------             Finished
          Finished                      -------->
          Application Data              <------->     Application Data

    A new extension to the client hello is defined to contain the opaque
    part of the ticket held by the client.

2.1 TLS Hello Ticket Extension

    The TLS Hello ticket extension is an extension to the client hello
    message and is included in the client_hello_extension_list defined in
    [RFC 3546].  The extension is used as follows.

    When then client wants to establish a session with the server, it
    creates a TLS client hello record.  It includes the appropriate
    protocol version, new random value, acceptable cipher suites and
    compression methods just as in standard TLS [RFC 2246].  Since the
    session state is not stored on the server the Session ID SHOULD be
    set to 0.  The client includes a client hello extension which
    contains only the opaque part of the client=92s ticket.  For the
    remainder of this section the word ticket indicates only the opaque
    portion of the ticket held by the client.  It MUST NOT be feasible
    for an eavesdropper to extract valuable information, such as the
    ticket key, from the opaque portion of the ticket.

    When the server receives a client hello containing a ticket extension
    it extracts the ticket information and attempts to decode it.  The
    opaque portion of the ticket is opaque to the client, not the server. =

    If the server cannot process the ticket or the ticket is not usable
    for any reason (for example it may have expired) then it may initiate
    the normal full TLS handshake with the client.  Alternatively, if the
    server is unable to process the ticket it may send a TLS-Alert
    indicating handshake_failure.

    If it can decode the ticket then it uses the information in the
    ticket to re-generate the ticket key (this will typically require the
    server to decrypt the ticket). The server derives the TLS master
    secret from the ticket key as described in the section 2.2.  The
    server then continues with the abbreviated handshake for TLS session
    Resume. It chooses appropriate ciphersuite and compression data based

Cam-Winget, et. Al.    Expires - November 2004               [Page 3] =0C
                    TLS Hello Extension for Tickets           May 2004

    on the client request and any additional data in the ticket if any

    The server may return a session-id in the server hello message.  The
    client may then store this session-id along with the required
    cryptographic state so that session resume can be performed as in
    standard TLS.  In the case that the client wants to use the standard
    session resume it includes the session-id issued by the server in the
    client hello.

2.2 Generating the master secret

    A 48 byte TLS master secret is generated from the ticket key (TK) in
    the TLS Hello ticket as follows.

    master_secret =3D T-PRF (TK, "PAC to master secret label hash",
        server_random + client_random, 48)

    T-PRF is defined in [EAP-FAST] as

    T-PRF (Key, label, seed, OutputLength) =3D T1 + T2 + T3 + T4 + ...

    Where + denote concatenation;
    S =3D label + 0x00 + seed;


    T1 =3D HMAC-SHA1 (Key, S + OutputLength + 0x01)
    T2 =3D HMAC-SHA1 (Key, T1 + S + OutputLength + 0x02)
    T3 =3D HMAC-SHA1 (Key, T2 + S + OutputLength + 0x03)
    T4 =3D HMAC-SHA1 (Key, T3 + S + OutputLength + 0x04)

    The master secret is then used to generate the key block as described
    in [RFC 2246].

2.3 TLS Hello Ticket extension format

    The format of the TLS Hello ticket extension can be described as

    The extension type number for TLS ticket extension is 35.

    The TLS ticket extension format is defined as:

    struct {
              opaque _Hello ticket<1..2^16-1>
          } HelloTicket;

Cam-Winget, et. Al.    Expires - November 2004               [Page 4] =0C
                    TLS Hello Extension for Tickets           May 2004

3. Ticket Considerations

3.1 Ticket Contents

    The TLS Hello ticket consists of three discreet components: the
    ticket key, the ticket opaque data and the ticket informational data.

    The ticket key is a symmetric key of at least 16 bytes in length.
    This is the key that is used to derive the TLS master secret.

    The ticket opaque data is data to be processed by the server and its
    contents must be completely opaque to the client or any eavesdropper. =

    At the very least it MUST contain enough information for the TLS
    server to derive the TLS master secret.  The ticket should also
    contain information restricting its validity in time.   The ticket
    opaque data may contain additional data such as identity information,
    ciphersuite information, capabilities and authorization attributes.
    How this information is processed is up to the entities that issue
    and process the ticket.

    Ticket informational data consists of data for the client which
    provides information about the usage of the ticket.  The ticket
    information data may contain validity data such as an expiry time or
    information on which ciphersuite to use.  This information is
    optional.  If the client cannot interpret any of the data it should
    ignore the data it does not understand.

    The ticket MUST be transmitted and stored in a manner that maintains
    its confidentiality and authenticity.

    The client may maintain a cache of tickets it shares with respective
    servers.  Since these tickets contain keys access to this cache must
    be restricted to authorized entities.

3.2 Ticket Issuance

    The client may obtain a ticket in many different ways.  It may be
    issued by the same server that processes the ticket or it may be
    issued by a trusted third party.  How this is done is beyond the
    scope of this document.  In [EAP-FAST] the TLS Hello ticket is
    distributed within an established TLS tunnel after user
    authentication is performed.

    As stated above the ticket MUST be transmitted in a manner that
    maintains its confidentiality and authenticity.  In addition if the
    ticket is meant to convey identity or authorization then the system

Cam-Winget, et. Al.    Expires - November 2004               [Page 5] =0C
                    TLS Hello Extension for Tickets           May 2004

    must ensure that only the intended party can obtain the ticket.  In
    this case the ticket must only be issued after appropriate
    authentication and authorization has taken place.

3.3 Ticket Format

    In order to promote interoperable implementation the PAC format from
    EAP-FAST is used when transporting the ticket.  The format MUST be
    used with a security mechanism to protect the ticket key.

    The basic format consists of a series type-length-value (TLV)
    structures.  A TLV is defined as follows:

      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     |R|R|            TLV Type       |            Length             |
     |                              Value...

       R  Reserved
             The first two bytes are reserved and set to 0

       TLV Type
          Enumerated type value

          Two byte length value in network byte order

          Variable length value

    The ticket key (PAC-key) has a TLV type of 1 and a length of at least
    16 bytes.  The value contains the key used to derive the TLS Master

    The ticket opaque data (PAC-Opaque) has a TLV type of 2 and a length
    of at least 16 bytes.  The value contains the opaque data which is
    treated as opaque data by the client.

    The ticket lifetime (CRED_LIFETIME) has a TLV type of 3 and a length
    of 4 bytes.  The value contains the expiration time of the credential
    in UNIX UTC time.
    The ticket issuer ID (A-ID) has a TLV type of 4 and a variable
    length. The value contains a name used to identify the issuer of the

Cam-Winget, et. Al.    Expires - November 2004               [Page 6] =0C
                    TLS Hello Extension for Tickets           May 2004

    Values 5-9 are defined in [EAP-FAST].

4. Security Considerations

    The ticket opaque is transmitted in the clear during the TLS
    handshake; therefore it MUST NOT reveal sensitive information to an

    The master secret key in the ticket is used to derive the TLS master
    secret.  It should be generated in a way that ensures that it has
    sufficient entropy.  It SHOULD NOT be derived directly from a
    password, however the ticket may be issued as a result of password
    based authentication.

    When the ticket is cached it MUST be stored so that access to the
    cache is restricted to only allow authorized parties.

    If the ticket contains authorization information then it should only
    be issued after successful authentication and authorization have
    occurred.  Various aspects of credentials management such as
    revocation, expiry and renewal need to be considered when placing
    identity and authorization information in a ticket.

Normative References

    [RFC 2246]
            Dierks, Tim and Allen, Christopher, "The TLS Protocol", RFC
            2246, January 1999.

    [RFC 3546]
            Blake-Wilson, S., Nystrom, M., Hopwwod, D., Mikkelsen, J.
            and Wright, T., "Transport Layer Security (TLS) Extensions",
            RFC 3546, June 2003

Informative References

            Cam-Winget, N., McGrew, D., Salowey, J., Zhou, H., "EAP
            Flexible Authentication via Secure Tunneling (EAP-FAST)",
            draft-cam-winget-eap-fast-00 (work in progress), February

Cam-Winget, et. Al.    Expires - November 2004               [Page 7] =0C
                    TLS Hello Extension for Tickets           May 2004

            Gutmann, P., "Use of Shared Keys in the TLS Protocol",
            draft-ietf-tls-sharedkeys-02 (work in progress), October

            Eronen, P., and Tschofenig, H. "Pre-Shared Key Ciphersuites
            for Transport Layer Security (TLS)", draft-eronen-tls-psk-
            00.txt (work in progress), February 2004


Author's Addresses

        Nancy Cam-Winget
        Cisco Systems
        3625 Cisco Way
        San Jose, CA 95134
        Phone: +1 408 853 0532

        David McGrew
        Cisco Systems
        San Jose, CA 95134

        Joseph Salowey
        Cisco Systems
        2901 3rd Ave
        Seattle, WA 98121

        Hao Zhou
        Cisco Systems
        4125 Highlander Parkway
        Richfield, OH 44286
        Phone : +1 330 523 2132

Cam-Winget, et. Al.    Expires - November 2004               [Page 8] =0C