[gnutls-devel] GnuTLS | Do not use HMAC-SHA1 for session ticket authentication algorithm (#1482)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Wed May 17 16:04:11 CEST 2023

Hubert Kario (@mention me if you need reply) commented: https://gitlab.com/gnutls/gnutls/-/issues/1482#note_1394350288

There is a benefit for the individual tickets, as even if the attacker gets a key for a particular ticket, they can't use it to decrypt previous or future tickets.
The problem is that this is not ephemeral in the same way that DHE or ECDHE is; there is still a long-term secret kept in GnuTLS memory that can be used to decrypt all tickets, past and future. So yes, it's rather questionable why it's used in the first place. Using two keys (the current active one, not older than 24h or so, and the previously used one) would be much more secure overall, as then a Heartbleed-like issue can't expose keys for tickets from a few days ago: they don't exist any more.

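The two-key rotation scheme sketched in the comment above, as an added example (written for this page, not GnuTLS code and not the author's): a ticket key ring that holds only the current sealing key and the previously used one, promotes a fresh key once the current one is 24 hours old, and wipes the key that falls off the end. Tickets carry a public key name so the server can select the right key; a ticket whose key has been retired simply fails to open and the client falls back to a full handshake. The 24-hour lifetime, the ticket layout and the names `TicketKeyRing`, `seal` and `open` are assumptions of this example. Authentication uses HMAC-SHA256 rather than the HMAC-SHA1 the issue title argues against; confidentiality uses a stdlib-only HMAC-SHA256 counter keystream as a stand-in for a real AEAD, labelled as such in the code.

```python
"""Two-key session-ticket key ring: the current key (rotated every 24 h) plus
the previously used one. Tickets sealed under anything older cannot be
decrypted because that key material no longer exists in the process.
Added illustration for the discussion above; not GnuTLS's implementation."""
import hashlib
import hmac
import os
import struct

KEY_LIFETIME = 24 * 60 * 60   # assumed: seconds a key stays the active sealing key
KEY_NAME_LEN = 16             # public identifier carried in clear at the ticket start
NONCE_LEN = 16
TAG_LEN = 32                  # HMAC-SHA256 output


class TicketKey:
    """One ticket key: public key name plus separate encryption and MAC keys."""

    def __init__(self, created_at):
        self.name = os.urandom(KEY_NAME_LEN)
        self.enc_key = bytearray(os.urandom(32))   # bytearray so it can be zeroed
        self.mac_key = bytearray(os.urandom(32))
        self.created_at = created_at

    def wipe(self):
        """Zero the secret material in place before the object is dropped."""
        for i in range(len(self.enc_key)):
            self.enc_key[i] = 0
            self.mac_key[i] = 0


def _keystream(enc_key, nonce, length):
    """Counter-mode keystream from HMAC-SHA256: a stdlib-only stand-in for
    AES-GCM / ChaCha20-Poly1305 so the example runs without extra packages."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


class TicketKeyRing:
    """Holds at most two keys: `current` for sealing, `previous` for opening only."""

    def __init__(self, now):
        self.current = TicketKey(now)
        self.previous = None

    def rotate_if_needed(self, now):
        """Promote a fresh key once `current` is KEY_LIFETIME old. The old
        `previous` key is wiped and dropped, so a memory disclosure after this
        point cannot recover tickets sealed under it."""
        if now - self.current.created_at < KEY_LIFETIME:
            return False
        if self.previous is not None:
            self.previous.wipe()
        self.previous = self.current
        self.current = TicketKey(now)
        return True

    def _find(self, name):
        for key in (self.current, self.previous):
            if key is not None and hmac.compare_digest(key.name, name):
                return key
        return None

    def seal(self, state, now):
        """Ticket layout (assumed): key_name || nonce || ciphertext || tag."""
        self.rotate_if_needed(now)
        key = self.current
        nonce = os.urandom(NONCE_LEN)
        header = key.name + nonce
        ciphertext = _xor(state, _keystream(key.enc_key, nonce, len(state)))
        tag = hmac.new(key.mac_key, header + ciphertext, hashlib.sha256).digest()
        return header + ciphertext + tag

    def open(self, ticket, now):
        """Return the sealed state, or None if the key is gone or the tag fails."""
        self.rotate_if_needed(now)
        if len(ticket) < KEY_NAME_LEN + NONCE_LEN + TAG_LEN:
            return None
        key = self._find(ticket[:KEY_NAME_LEN])
        if key is None:
            return None   # key retired: client must do a full handshake
        expected = hmac.new(key.mac_key, ticket[:-TAG_LEN], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, ticket[-TAG_LEN:]):
            return None   # check the tag before touching the ciphertext
        nonce = ticket[KEY_NAME_LEN:KEY_NAME_LEN + NONCE_LEN]
        ciphertext = ticket[KEY_NAME_LEN + NONCE_LEN:-TAG_LEN]
        return _xor(ciphertext, _keystream(key.enc_key, nonce, len(ciphertext)))


def demo():
    """Walk the ring through two rotations; constructed sample states."""
    ring = TicketKeyRing(now=0)
    t_day0 = ring.seal(b"resumption-secret-A", now=0)
    ring.rotate_if_needed(now=KEY_LIFETIME)            # day 1: day-0 key becomes previous
    t_day1 = ring.seal(b"resumption-secret-B", now=KEY_LIFETIME)
    day1_old = ring.open(t_day0, now=KEY_LIFETIME + 1)  # still opens via previous key
    ring.rotate_if_needed(now=2 * KEY_LIFETIME)        # day 2: day-0 key wiped and dropped
    forged = bytearray(t_day1)
    forged[-1] ^= 1                                     # flip one tag bit
    return {
        "day1_old": day1_old,
        "day2_old": ring.open(t_day0, now=2 * KEY_LIFETIME + 1),
        "day2_new": ring.open(t_day1, now=2 * KEY_LIFETIME + 1),
        "forged": ring.open(bytes(forged), now=2 * KEY_LIFETIME + 1),
        "keys_in_memory": sum(k is not None for k in (ring.current, ring.previous)),
    }


if __name__ == "__main__":
    print(demo())
```

Run as a script and the day-0 ticket opens on day 1 but not on day 2, the day-1 ticket still opens, the tampered ticket is rejected, and only two keys exist at any time. A production implementation would use a real AEAD and a nonce strategy suited to it, bind a ticket lifetime and `obfuscated_ticket_age` check to the key's creation time, and do the wipe in a language where zeroing is reliable (Python cannot guarantee the `bytearray` contents were not copied).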
