Open xnuter opened 5 years ago
s2n_hkdf cost: ~5us per operation so it shouldn't be a problem to derive STEK during a handshake.
Any reason not to derive the keys on s2n_config_add_ticket_crypto_key
/s2n_config_add_cert_chain_and_key
calls and avoid any additional cost during the handshake? Or cache the derived STEK during handshake?
s2n_hkdf cost: ~5us per operation so it shouldn't be a problem to derive STEK during a handshake.
Any reason not to derive the keys on
s2n_config_add_ticket_crypto_key
/s2n_config_add_cert_chain_and_key
calls and avoid any additional cost during the handshake? Or cache the derived STEK during handshake?
For SNI use-cases there could be thousands of certs we need to pre-compute and store. We can definitely use lazy compute and cache (if we decide 5 µs per connection is worth creating this machinery).
Problem:
Currently STEKs are provided to
s2n
during configuration phase withs2n_config_add_ticket_crypto_key
method on perstruct s2n_config
basis.However, in context of multiple certificates (e.g., SNI) we'll have to either change the ticket structure, or have a separate
s2n_config
for each certificate (which might be impractical), or:Proposed Solution:
Derive a STEK from a secret (which is regularly rotated), and the certificate and the private key which would either are used (during the initial handshake) or would have been used (during session resumption) during handshake time.
For example:
s2n_config_add_cert_chain_and_key
call calculate a fingerprint (e.g.HMAC_SHA256
) for the cert/pk pair.s2n_config_add_ticket_crypto_key
) and the fingerprint.In this case, we have the following benefits:
s2n
users won't have to generate different STEKs for different certificates.s2n_config_add_ticket_crypto_key
become "rumors" (i.e., could be distributed openly, makes it easier for customers to keep TLS resumption more secure).But what about the performance?
s2n_hkdf
cost:~5us
per operation so it shouldn't be a problem to derive STEK during a handshake.The benchmarked code: