[gnutls-help] Lightweight authentication of worker connections

Nikos Mavrogiannopoulos nmav at gnutls.org
Wed Feb 5 09:59:55 CET 2014


On Wed, Feb 5, 2014 at 8:15 AM, Steven Brown <swbrown at variadic.org> wrote:
> I'm building a program where I have a control connection to a remote
> service that establishes a form of session and manages it and then
> several other worker connections for that session over its lifetime.
> I'd like to use a lightweight authentication scheme on the worker
> connections if possible as they frequently come and go and there can be
> many of them.  I figure it should be possible for the control connection
> to establish the authentication information necessary for the workers
> but I'm not sure how best to go about it, hence this question.
> From what I've read, I'm planning on SRP for the control connection and
> PSK for the worker connections.  If I'm understanding things correctly,
> PSK should be lightweight.  I can generate a random key when I create
> the client's session and share it over SRP for use with PSK, but doesn't
> SRP generate a session key as part of its negotiation?  If so, is there
> a way (and does it make sense) to use SRP's session key to do PSK
> authentication of the workers?

The best is to use a different key that can be derived from the
initial session parameters. You can do that using the gnutls_prf()
function.
http://gnutls.org/manual/html_node/Deriving-keys-for-other-applications_002fprotocols.html#Deriving-keys-for-other-applications_002fprotocols

regards,
Nikos



More information about the Gnutls-help mailing list