| blob | d66223a90c2d2ff3703ca10802a31039ff0b97d0 |
7 Network Working Group J. Salowey
8 Request for Comments: 4507 H. Zhou
9 Category: Standards Track Cisco Systems
10 P. Eronen
11 Nokia
12 H. Tschofenig
13 Siemens
14 May 2006
17 Transport Layer Security (TLS) Session
18 Resumption without Server-Side State
20 Status of This Memo
22 This document specifies an Internet standards track protocol for the
23 Internet community, and requests discussion and suggestions for
24 improvements. Please refer to the current edition of the "Internet
25 Official Protocol Standards" (STD 1) for the standardization state
26 and status of this protocol. Distribution of this memo is unlimited.
28 Copyright Notice
30 Copyright (C) The Internet Society (2006).
32 Abstract
34 This document describes a mechanism that enables the Transport Layer
35 Security (TLS) server to resume sessions and avoid keeping per-client
36 session state. The TLS server encapsulates the session state into a
37 ticket and forwards it to the client. The client can subsequently
38 resume a session using the obtained ticket.
58 Salowey, et al. Standards Track [Page 1]
59 \f
60 RFC 4507 Stateless TLS Session Resumption May 2006
63 Table of Contents
65 1. Introduction ....................................................3
66 2. Terminology .....................................................3
67 3. Protocol ........................................................3
68 3.1. Overview ...................................................4
69 3.2. SessionTicket TLS Extension ................................6
70 3.3. NewSessionTicket Handshake Message .........................7
71 3.4. Interaction with TLS Session ID ............................8
72 4. Recommended Ticket Construction .................................9
73 5. Security Considerations ........................................10
74 5.1. Invalidating Sessions .....................................11
75 5.2. Stolen Tickets ............................................11
76 5.3. Forged Tickets ............................................11
77 5.4. Denial of Service Attacks .................................11
78 5.5. Ticket Protection Key Management ..........................12
79 5.6. Ticket Lifetime ...........................................12
80 5.7. Alternate Ticket Formats and Distribution Schemes .........12
81 5.8. Identity Privacy, Anonymity, and Unlinkability ............12
82 6. Acknowledgements ...............................................13
83 7. IANA Considerations ............................................13
84 8. References .....................................................14
85 8.1. Normative References ......................................14
86 8.2. Informative References ....................................14
114 Salowey, et al. Standards Track [Page 2]
115 \f
116 RFC 4507 Stateless TLS Session Resumption May 2006
119 1. Introduction
121 This document defines a way to resume a Transport Layer Security
122 (TLS) session without requiring session-specific state at the TLS
123 server. This mechanism may be used with any TLS ciphersuite. This
124 document applies to both TLS 1.0 defined in [RFC2246] and TLS 1.1
125 defined in [RFC4346]. The mechanism makes use of TLS extensions
126 defined in [RFC4366] and defines a new TLS message type.
128 This mechanism is useful in the following situations:
130 1. servers that handle a large number of transactions from different
131 users
132 2. servers that desire to cache sessions for a long time
133 3. ability to load balance requests across servers
134 4. embedded servers with little memory
136 2. Terminology
138 Within this document, the term 'ticket' refers to a cryptographically
139 protected data structure that is created by the server and consumed
140 by the server to rebuild session-specific state.
142 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
143 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
144 document are to be interpreted as described in [RFC2119].
146 3. Protocol
148 This specification describes a mechanism to distribute encrypted
149 session-state information in the form of a ticket. The ticket is
150 created by a TLS server and sent to a TLS client. The TLS client
151 presents the ticket to the TLS server to resume a session.
152 Implementations of this specification are expected to support both
153 mechanisms. Other specifications can take advantage of the session
154 tickets, perhaps specifying alternative means for distribution or
155 selection. For example, a separate specification may describe an
156 alternate way to distribute a ticket and use the TLS extension in
157 this document to resume the session. This behavior is beyond the
158 scope of the document and would need to be described in a separate
159 specification.
170 Salowey, et al. Standards Track [Page 3]
171 \f
172 RFC 4507 Stateless TLS Session Resumption May 2006
175 3.1. Overview
177 The client indicates that it supports this mechanism by including a
178 SessionTicket TLS extension in the ClientHello message. The
179 extension will be empty if the client does not already possess a
180 ticket for the server. The extension is described in Section 3.2.
182 If the server wants to use this mechanism, it stores its session
183 state (such as ciphersuite and master secret) to a ticket that is
184 encrypted and integrity-protected by a key known only to the server.
185 The ticket is distributed to the client using the NewSessionTicket
186 TLS handshake message described in Section 3.3. This message is sent
187 during the TLS handshake before the ChangeCipherSpec message, after
188 the server has successfully verified the client's Finished message.
190 Client Server
192 ClientHello
193 (empty SessionTicket extension)------->
194 ServerHello
195 (empty SessionTicket extension)
196 Certificate*
197 ServerKeyExchange*
198 CertificateRequest*
199 <-------- ServerHelloDone
200 Certificate*
201 ClientKeyExchange
202 CertificateVerify*
203 [ChangeCipherSpec]
204 Finished -------->
205 NewSessionTicket
206 [ChangeCipherSpec]
207 <-------- Finished
208 Application Data <-------> Application Data
210 Figure 1: Message flow for full handshake issuing new session ticket
212 The client caches this ticket along with the master secret and other
213 parameters associated with the current session. When the client
214 wishes to resume the session, it includes the ticket in the
215 SessionTicket extension within the ClientHello message. The server
216 then decrypts the received ticket, verifies the ticket's validity,
217 retrieves the session state from the contents of the ticket, and uses
218 this state to resume the session. The interaction with the TLS
219 Session ID is described in Section 3.4. If the server successfully
220 verifies the client's ticket, then it may renew the ticket by
221 including a NewSessionTicket handshake message after the ServerHello.
226 Salowey, et al. Standards Track [Page 4]
227 \f
228 RFC 4507 Stateless TLS Session Resumption May 2006
231 Client Server
233 ClientHello
234 (SessionTicket extension) -------->
235 ServerHello
236 (empty SessionTicket extension)
237 NewSessionTicket
238 [ChangeCipherSpec]
239 <-------- Finished
240 [ChangeCipherSpec]
241 Finished -------->
242 Application Data <-------> Application Data
244 Figure 2: Message flow for abbreviated handshake using new
245 session ticket
247 A recommended ticket format is given in Section 4.
249 If the server cannot or does not want to honor the ticket, then it
250 can initiate a full handshake with the client.
252 In the case that the server does not wish to issue a new ticket at
253 this time, it just completes the handshake without including a
254 SessionTicket extension or NewSessionTicket handshake message. This
255 is shown below (this flow is identical to Figure 1 in RFC 2246,
256 except for the session ticket extension in the first message):
258 Client Server
260 ClientHello
261 (SessionTicket extension) -------->
262 ServerHello
263 Certificate*
264 ServerKeyExchange*
265 CertificateRequest*
266 <-------- ServerHelloDone
267 Certificate*
268 ClientKeyExchange
269 CertificateVerify*
270 [ChangeCipherSpec]
271 Finished -------->
272 [ChangeCipherSpec]
273 <-------- Finished
274 Application Data <-------> Application Data
276 Figure 3: Message flow for server completing full handshake
277 without issuing new session ticket
282 Salowey, et al. Standards Track [Page 5]
283 \f
284 RFC 4507 Stateless TLS Session Resumption May 2006
287 If the server rejects the ticket, it may still wish to issue a new
288 ticket after performing the full handshake as shown below (this flow
289 is identical to Figure 1, except the SessionTicket extension in the
290 Client Hello is not empty):
292 Client Server
294 ClientHello
295 (SessionTicket extension) -------->
296 ServerHello
297 (empty SessionTicket extension)
298 Certificate*
299 ServerKeyExchange*
300 CertificateRequest*
301 <-------- ServerHelloDone
302 Certificate*
303 ClientKeyExchange
304 CertificateVerify*
305 [ChangeCipherSpec]
306 Finished -------->
307 NewSessionTicket
308 [ChangeCipherSpec]
309 <-------- Finished
310 Application Data <-------> Application Data
312 Figure 4: Message flow for server rejecting ticket, performing full
313 handshake and issuing new session ticket
315 3.2. SessionTicket TLS Extension
317 The SessionTicket TLS extension is based on [RFC4366]. The format of
318 the ticket is an opaque structure used to carry session-specific
319 state information. This extension may be sent in the ClientHello and
320 ServerHello.
322 If the client possesses a ticket that it wants to use to resume a
323 session, then it includes the ticket in the SessionTicket extension
324 in the ClientHello. If the client does not have a ticket and is
325 prepared to receive one in the NewSessionTicket handshake message,
326 then it MUST include a zero-length ticket in the SessionTicket
327 extension. If the client is not prepared to receive a ticket in the
328 NewSessionTicket handshake message then it MUST NOT include a
329 SessionTicket extension unless it is sending a non-empty ticket it
330 received through some other means from the server.
332 The server uses an zero length SessionTicket extension to indicate to
333 the client that it will send a new session ticket using the
334 NewSessionTicket handshake message described in Section 3.3. The
338 Salowey, et al. Standards Track [Page 6]
339 \f
340 RFC 4507 Stateless TLS Session Resumption May 2006
343 server MUST send this extension in the ServerHello if it wishes to
344 issue a new ticket to the client using the NewSessionTicket handshake
345 message. The server MUST NOT send this extension if it does not
346 receive one in the ClientHello.
348 If the server fails to verify the ticket, then it falls back to
349 performing a full handshake. If the ticket is accepted by the server
350 but the handshake fails, the client SHOULD delete the ticket.
352 The SessionTicket extension has been assigned the number 35. The
353 format of the SessionTicket extension is given at the end of this
354 section.
356 struct {
357 opaque ticket<0..2^16-1>;
358 } SessionTicket;
360 3.3. NewSessionTicket Handshake Message
362 This message is sent by the server during the TLS handshake before
363 the ChangeCipherSpec message. This message MUST be sent if the
364 server included a SessionTicket extension in the ServerHello. This
365 message MUST NOT be sent if the server did not include a
366 SessionTicket extension in the ServerHello. In the case of a full
367 handshake, the server MUST verify the client's Finished message
368 before sending the ticket. The client MUST NOT treat the ticket as
369 valid until it has verified the server's Finished message. If the
370 server determines that it does not want to include a ticket after it
371 has included the SessionTicket extension in the ServerHello, then it
372 sends a zero-length ticket in the NewSessionTicket handshake message.
374 If the server successfully verifies the client's ticket, then it MAY
375 renew the ticket by including a NewSessionTicket handshake message
376 after the ServerHello in the abbreviated handshake. The client
377 should start using the new ticket as soon as possible after it
378 verifies the server's Finished message for new connections. Note
379 that since the updated ticket is issued before the handshake
380 completes, it is possible that the client may not put the new ticket
381 into use before it initiates new connections. The server MUST NOT
382 assume that the client actually received the updated ticket until it
383 successfully verifies the client's Finished message.
385 The NewSessionTicket handshake message has been assigned the number 4
386 and its definition is given at the end of this section. The
387 ticket_lifetime_hint field contains a hint from the server about how
388 long the ticket should be stored. The value indicates the lifetime
389 in seconds as a 32-bit unsigned integer in network byte order. A
390 value of zero is reserved to indicate that the lifetime of the ticket
394 Salowey, et al. Standards Track [Page 7]
395 \f
396 RFC 4507 Stateless TLS Session Resumption May 2006
399 is unspecified. A client SHOULD delete the ticket and associated
400 state when the time expires. It MAY delete the ticket earlier based
401 on local policy. A server MAY treat a ticket as valid for a shorter
402 or longer period of time than what is stated in the
403 ticket_lifetime_hint.
405 struct {
406 HandshakeType msg_type;
407 uint24 length;
408 select (HandshakeType) {
409 case hello_request: HelloRequest;
410 case client_hello: ClientHello;
411 case server_hello: ServerHello;
412 case certificate: Certificate;
413 case server_key_exchange: ServerKeyExchange;
414 case certificate_request: CertificateRequest;
415 case server_hello_done: ServerHelloDone;
416 case certificate_verify: CertificateVerify;
417 case client_key_exchange: ClientKeyExchange;
418 case finished: Finished;
419 case session_ticket: NewSessionTicket; /* NEW */
420 } body;
421 } Handshake;
424 struct {
425 uint32 ticket_lifetime_hint;
426 opaque ticket<0..2^16-1>;
427 } NewSessionTicket;
429 3.4. Interaction with TLS Session ID
431 If a server is planning on issuing a SessionTicket to a client that
432 does not present one, it SHOULD include an empty Session ID in the
433 ServerHello. If the server includes a non-empty session ID, then it
434 is indicating intent to use stateful session resume. If the client
435 receives a SessionTicket from the server, then it discards any
436 Session ID that was sent in the ServerHello.
438 When presenting a ticket, the client MAY generate and include a
439 Session ID in the TLS ClientHello. If the server accepts the ticket
440 and the Session ID is not empty, then it MUST respond with the same
441 Session ID present in the ClientHello. This allows the client to
442 easily differentiate when the server is resuming a session from when
443 it is falling back to a full handshake. Since the client generates a
444 Session ID, the server MUST NOT rely upon the Session ID having a
445 particular value when validating the ticket. If a ticket is
446 presented by the client, the server MUST NOT attempt to use the
450 Salowey, et al. Standards Track [Page 8]
451 \f
452 RFC 4507 Stateless TLS Session Resumption May 2006
455 Session ID in the ClientHello for stateful session resume.
456 Alternatively, the client MAY include an empty Session ID in the
457 ClientHello. In this case, the client ignores the Session ID sent in
458 the ServerHello and determines if the server is resuming a session by
459 the subsequent handshake messages.
461 4. Recommended Ticket Construction
463 This section describes a recommended format and protection for the
464 ticket. Note that the ticket is opaque to the client, so the
465 structure is not subject to interoperability concerns, and
466 implementations may diverge from this format. If implementations do
467 diverge from this format, they must take security concerns seriously.
468 Clients MUST NOT examine the ticket under the assumption that it
469 complies with this document.
471 The server uses two different keys: one 128-bit key for AES [AES] in
472 CBC mode [CBC] encryption and one 128-bit key for HMAC-SHA1 [RFC2104]
473 [SHA1].
475 The ticket is structured as follows:
477 struct {
478 opaque key_name[16];
479 opaque iv[16];
480 opaque encrypted_state<0..2^16-1>;
481 opaque mac[20];
482 } ticket;
484 Here, key_name serves to identify a particular set of keys used to
485 protect the ticket. It enables the server to easily recognize
486 tickets it has issued. The key_name should be randomly generated to
487 avoid collisions between servers. One possibility is to generate new
488 random keys and key_name every time the server is started.
490 The actual state information in encrypted_state is encrypted using
491 128-bit AES in CBC mode with the given IV. The MAC is calculated
492 using HMAC-SHA1 over key_name (16 octets)and IV (16 octets), followed
493 by the length of the encrypted_state field (2 octets) and its
494 contents (variable length).
506 Salowey, et al. Standards Track [Page 9]
507 \f
508 RFC 4507 Stateless TLS Session Resumption May 2006
511 struct {
512 ProtocolVersion protocol_version;
513 CipherSuite cipher_suite;
514 CompressionMethod compression_method;
515 opaque master_secret[48];
516 ClientIdentity client_identity;
517 uint32 timestamp;
518 } StatePlaintext;
520 enum {
521 anonymous(0),
522 certificate_based(1),
523 psk(2)
524 } ClientAuthenticationType;
526 struct {
527 ClientAuthenticationType client_authentication_type;
528 select (ClientAuthenticationType) {
529 case anonymous: struct {};
530 case certificate_based:
531 ASN.1Cert certificate_list<0..2^24-1>;
532 case psk:
533 opaque psk_identity<0..2^16-1>; /* from [RFC4279] */
535 }
536 } ClientIdentity;
538 The structure StatePlaintext stores the TLS session state including
539 the master_secret. The timestamp within this structure allows the
540 TLS server to expire tickets. To cover the authentication and key
541 exchange protocols provided by TLS, the ClientIdentity structure
542 contains the authentication type of the client used in the initial
543 exchange (see ClientAuthenticationType). To offer the TLS server
544 with the same capabilities for authentication and authorization, a
545 certificate list is included in case of public-key-based
546 authentication. The TLS server is therefore able to inspect a number
547 of different attributes within these certificates. A specific
548 implementation might choose to store a subset of this information or
549 additional information. Other authentication mechanisms, such as
550 Kerberos [RFC2712], would require different client identity data.
552 5. Security Considerations
554 This section addresses security issues related to the usage of a
555 ticket. Tickets must be authenticated and encrypted to prevent
556 modification or eavesdropping by an attacker. Several attacks
557 described below will be possible if this is not carefully done.
562 Salowey, et al. Standards Track [Page 10]
563 \f
564 RFC 4507 Stateless TLS Session Resumption May 2006
567 Implementations should take care to ensure that the processing of
568 tickets does not increase the chance of denial of service as
569 described below.
571 5.1. Invalidating Sessions
573 The TLS specification requires that TLS sessions be invalidated when
574 errors occur. [CSSC] discusses the security implications of this in
575 detail. In the analysis in this paper, failure to invalidate
576 sessions does not pose a security risk. This is because the TLS
577 handshake uses a non-reversible function to derive keys for a session
578 so information about one session does not provide an advantage to
579 attack the master secret or a different session. If a session
580 invalidation scheme is used, the implementation should verify the
581 integrity of the ticket before using the contents to invalidate a
582 session to ensure that an attacker cannot invalidate a chosen
583 session.
585 5.2. Stolen Tickets
587 An eavesdropper or man-in-the-middle may obtain the ticket and
588 attempt to use the ticket to establish a session with the server;
589 however, since the ticket is encrypted and the attacker does not know
590 the secret key, a stolen ticket does not help an attacker resume a
591 session. A TLS server MUST use strong encryption and integrity
592 protection for the ticket to prevent an attacker from using a brute
593 force mechanism to obtain the ticket's contents.
595 5.3. Forged Tickets
597 A malicious user could forge or alter a ticket in order to resume a
598 session, to extend its lifetime, to impersonate as another user, or
599 to gain additional privileges. This attack is not possible if the
600 ticket is protected using a strong integrity protection algorithm
601 such as a keyed HMAC-SHA1.
603 5.4. Denial of Service Attacks
605 The key_name field defined in the recommended ticket format helps the
606 server efficiently reject tickets that it did not issue. However, an
607 adversary could store or generate a large number of tickets to send
608 to the TLS server for verification. To minimize the possibility of a
609 denial of service, the verification of the ticket should be
610 lightweight (e.g., using efficient symmetric key cryptographic
611 algorithms).
618 Salowey, et al. Standards Track [Page 11]
619 \f
620 RFC 4507 Stateless TLS Session Resumption May 2006
623 5.5. Ticket Protection Key Management
625 A full description of the management of the keys used to protect the
626 ticket is beyond the scope of this document. A list of RECOMMENDED
627 practices is given below.
629 o The keys should be generated securely following the randomness
630 recommendations in [RFC4086].
631 o The keys and cryptographic protection algorithms should be at
632 least 128 bits in strength.
633 o The keys should not be used for any other purpose than generating
634 and verifying tickets.
635 o The keys should be changed regularly.
636 o The keys should be changed if the ticket format or cryptographic
637 protection algorithms change.
639 5.6. Ticket Lifetime
641 The TLS server controls the lifetime of the ticket. Servers
642 determine the acceptable lifetime based on the operational and
643 security requirements of the environments in which they are deployed.
644 The ticket lifetime may be longer than the 24-hour lifetime
645 recommended in [RFC2246]. TLS clients may be given a hint of the
646 lifetime of the ticket. Since the lifetime of a ticket may be
647 unspecified, a client has its own local policy that determines when
648 it discards tickets.
650 5.7. Alternate Ticket Formats and Distribution Schemes
652 If the ticket format or distribution scheme defined in this document
653 is not used, then great care must be taken in analyzing the security
654 of the solution. In particular, if confidential information, such as
655 a secret key, is transferred to the client, it MUST be done using
656 secure communication so as to prevent attackers from obtaining or
657 modifying the key. Also, the ticket MUST have its integrity and
658 confidentiality protected with strong cryptographic techniques to
659 prevent a breach in the security of the system.
661 5.8. Identity Privacy, Anonymity, and Unlinkability
663 This document mandates that the content of the ticket is
664 confidentiality protected in order to avoid leakage of its content,
665 such as user-relevant information. As such, it prevents disclosure
666 of potentially sensitive information carried within the ticket.
668 The initial handshake exchange, which was used to obtain the ticket,
669 might not provide identity confidentiality of the client based on the
670 properties of TLS. Another relevant security threat is the ability
674 Salowey, et al. Standards Track [Page 12]
675 \f
676 RFC 4507 Stateless TLS Session Resumption May 2006
679 for an on-path adversary to observe multiple TLS handshakes where the
680 same ticket is used and therefore to conclude that they belong to the
681 same communication endpoints. Application designers that use the
682 ticket mechanism described in this document should consider that
683 unlinkability [ANON] is not necessarily provided.
685 While a full discussion of these topics is beyond the scope of this
686 document, it should be noted that it is possible to issue a ticket
687 using a TLS renegotiation handshake that occurs after a secure tunnel
688 has been established by a previous handshake. This may help address
689 some privacy and unlinkability issues in some environments.
691 6. Acknowledgements
693 The authors would like to thank the following people for their help
694 with preparing and reviewing this document: Eric Rescorla, Mohamad
695 Badra, Tim Dierks, Nelson Bolyard, Nancy Cam-Winget, David McGrew,
696 Rob Dugal, Russ Housley, Amir Herzberg, Bernard Aboba, and members of
697 the TLS working group.
699 [CSSC] describes a solution that is very similar to the one described
700 in this document and gives a detailed analysis of the security
701 considerations involved. [RFC2712] describes a mechanism for using
702 Kerberos [RFC4120] in TLS ciphersuites, which helped inspire the use
703 of tickets to avoid server state. [EAP-FAST] makes use of a similar
704 mechanism to avoid maintaining server state for the cryptographic
705 tunnel. [SC97] also investigates the concept of stateless sessions.
707 7. IANA Considerations
709 IANA has assigned a TLS extension number of 35 to the SessionTicket
710 TLS extension from the TLS registry of ExtensionType values defined
711 in [RFC4366].
713 IANA has assigned a TLS HandshakeType number 4 to the
714 NewSessionTicket handshake type from the TLS registry of
715 HandshakeType values defined in [RFC4346].
730 Salowey, et al. Standards Track [Page 13]
731 \f
732 RFC 4507 Stateless TLS Session Resumption May 2006
735 8. References
737 8.1. Normative References
739 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
740 Requirement Levels", BCP 14, RFC 2119, March 1997.
742 [RFC2246] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0",
743 RFC 2246, January 1999.
745 [RFC4346] Dierks, T. and E. Rescorla, "The Transport Layer Security
746 (TLS) Protocol Version 1.1", RFC 4346, April 2006.
748 [RFC4366] Blake-Wilson, S., Nystrom, M., Hopwood, D., Mikkelsen,
749 J., and T. Wright, "Transport Layer Security (TLS)
750 Extensions", RFC 4366, April 2006.
752 8.2. Informative References
754 [AES] National Institute of Standards and Technology, "Advanced
755 Encryption Standard (AES)", Federal Information
756 Processing Standards (FIPS) Publication 197,
757 November 2001.
759 [ANON] Pfitzmann, A. and M. Hansen, "Anonymity, Unlinkability,
760 Unobservability, Pseudonymity, and Identity Management -
761 A Consolidated Proposal for Terminology",
762 http://dud.inf.tu-dresden.de/literatur/
763 Anon_Terminology_v0.26-1.pdf, Draft 0.26, December 2005.
765 [CBC] National Institute of Standards and Technology,
766 "Recommendation for Block Cipher Modes of Operation -
767 Methods and Techniques", NIST Special Publication 800-
768 38A, December 2001.
770 [CSSC] Shacham, H., Boneh, D., and E. Rescorla, "Client-side
771 caching for TLS", Transactions on Information and System
772 Security (TISSEC) , Volume 7, Issue 4, November 2004.
774 [EAP-FAST] Cam-Winget, N., McGrew, D., Salowey, J., and H. Zhou,
775 "EAP Flexible Authentication via Secure Tunneling (EAP-
776 FAST)", Work in Progress, April 2005.
778 [RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-
779 Hashing for Message Authentication", RFC 2104,
780 February 1997.
786 Salowey, et al. Standards Track [Page 14]
787 \f
788 RFC 4507 Stateless TLS Session Resumption May 2006
791 [RFC2712] Medvinsky, A. and M. Hur, "Addition of Kerberos Cipher
792 Suites to Transport Layer Security (TLS)", RFC 2712,
793 October 1999.
795 [RFC4086] Eastlake, D., Schiller, J., and S. Crocker, "Randomness
796 Requirements for Security", BCP 106, RFC 4086, June 2005.
798 [RFC4120] Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The
799 Kerberos Network Authentication Service (V5)", RFC 4120,
800 July 2005.
802 [RFC4279] Eronen, P. and H. Tschofenig, "Pre-Shared Key
803 Ciphersuites for Transport Layer Security (TLS)",
804 RFC 4279, December 2005.
806 [SC97] Aura, T. and P. Nikander, "Stateless Connections",
807 Proceedings of the First International Conference on
808 Information and Communication Security (ICICS '97), 1997.
810 [SHA1] National Institute of Standards and Technology, "Secure
811 Hash Standard (SHS)", Federal Information Processing
812 Standards (FIPS) Publication 180-2, August 2002.
842 Salowey, et al. Standards Track [Page 15]
843 \f
844 RFC 4507 Stateless TLS Session Resumption May 2006
847 Authors' Addresses
849 Joseph Salowey
850 Cisco Systems
851 2901 3rd Ave
852 Seattle, WA 98121
853 US
855 EMail: jsalowey@cisco.com
858 Hao Zhou
859 Cisco Systems
860 4125 Highlander Parkway
861 Richfield, OH 44286
862 US
864 EMail: hzhou@cisco.com
867 Pasi Eronen
868 Nokia Research Center
869 P.O. Box 407
870 FIN-00045 Nokia Group
871 Finland
873 EMail: pasi.eronen@nokia.com
876 Hannes Tschofenig
877 Siemens
878 Otto-Hahn-Ring 6
879 Munich, Bayern 81739
880 Germany
882 EMail: Hannes.Tschofenig@siemens.com
898 Salowey, et al. Standards Track [Page 16]
899 \f
900 RFC 4507 Stateless TLS Session Resumption May 2006
903 Full Copyright Statement
905 Copyright (C) The Internet Society (2006).
907 This document is subject to the rights, licenses and restrictions
908 contained in BCP 78, and except as set forth therein, the authors
909 retain all their rights.
911 This document and the information contained herein are provided on an
912 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
913 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
914 ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
915 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
916 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
917 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
919 Intellectual Property
921 The IETF takes no position regarding the validity or scope of any
922 Intellectual Property Rights or other rights that might be claimed to
923 pertain to the implementation or use of the technology described in
924 this document or the extent to which any license under such rights
925 might or might not be available; nor does it represent that it has
926 made any independent effort to identify any such rights. Information
927 on the procedures with respect to rights in RFC documents can be
928 found in BCP 78 and BCP 79.
930 Copies of IPR disclosures made to the IETF Secretariat and any
931 assurances of licenses to be made available, or the result of an
932 attempt made to obtain a general license or permission for the use of
933 such proprietary rights by implementers or users of this
934 specification can be obtained from the IETF on-line IPR repository at
935 http://www.ietf.org/ipr.
937 The IETF invites any interested party to bring to its attention any
938 copyrights, patents or patent applications, or other proprietary
939 rights that may cover technology that may be required to implement
940 this standard. Please address the information to the IETF at
941 ietf-ipr@ietf.org.
943 Acknowledgement
945 Funding for the RFC Editor function is provided by the IETF
946 Administrative Support Activity (IASA).
954 Salowey, et al. Standards Track [Page 17]
955 \f