Preprint Article Version 1 Preserved in Portico This version is not peer-reviewed

Stateless One-time Authenticated Session Resumption in TLS Handshake Using Paired Token

Version 1 : Received: 2 February 2021 / Approved: 3 February 2021 / Online: 3 February 2021 (09:53:50 CET)

How to cite: Lee, B. Stateless One-time Authenticated Session Resumption in TLS Handshake Using Paired Token. Preprints 2021, 2021020102 (doi: 10.20944/preprints202102.0102.v1). Lee, B. Stateless One-time Authenticated Session Resumption in TLS Handshake Using Paired Token. Preprints 2021, 2021020102 (doi: 10.20944/preprints202102.0102.v1).

Abstract

Transport Layer Security (TLS) is a cryptographic protocol that provides communications security between two peers and it is widely used in many applications. To reduce the latency in TLS handshake session resumption using pre-shared key (PSK) had been used. But current methods in PSK mode handshake uses a fixed session key multiple times for the lifetime of session ticket. Reuse of fixed session key should be very careful in the point of communications security. It is vulnerable to replay attacks and there is a possibility of tracking users. Paired token (PT) is a new secondary credential scheme that provides pre-shared key in stateless way in client-server environment. Server issues paired token (public token and secret token) to authenticated client. Public token represents signed identity of client and secret token is a kind of shared secret between client and server. Once client is equipped with PT, it can be used for many symmetric key based cryptographic applications such as authentication, authorization, key establishment, etc. It was also shown that it can be used for one-time authenticated key establishment using the time-based one-time password (TOTP) approach. In this paper we apply the PT and TOTP approach to TLS to achieve stateless one-time authenticated session resumption. Server executes full handshake of TLS 1.3 and issues PT to authenticated client. Then client and server can execute one-time authenticated session resumption using PT in stateless way in server side. In every runs of session resumption distinct session keys are established that the same PT can be used safely for longer lifetime. If anonymous PT is used with renewal issuing, user privacy, untraceability and forward security can be achieved easily. It will provide a huge performance gain in large-scale distributed services.

Subject Areas

Transport Layer Security; Handshake; Session resumption; Paired token; Stateless; One-time authenticated session resumption; Privacy; Untraceability

Comments (0)

We encourage comments and feedback from a broad range of readers. See criteria for comments and our diversity statement.

Leave a public comment
Send a private comment to the author(s)
Views 0
Downloads 0
Comments 0
Metrics 0


×
Alerts
Notify me about updates to this article or when a peer-reviewed version is published.
We use cookies on our website to ensure you get the best experience.
Read more about our cookies here.