iaik.security.ssl
Class TicketKeyBag

java.lang.Object
  extended by iaik.security.ssl.TicketKeyBag
All Implemented Interfaces:
java.lang.Cloneable

public class TicketKeyBag
extends java.lang.Object
implements java.lang.Cloneable

This class represents a bag for cipher and MAC keys to be used for SessionTicket protection.

The session_ticket extension (RFC 4507, and its successor RFC 5077) may be used to relieve the server from storing the session-related information that is required for session resumption. Instead of storing session information, the server packs it into a session ticket and sends it to the client. When it wishes to resume a session, the client sends the session ticket back, and the server unpacks the ticket to recover all the information it needs to resume that particular session.
To protect the confidential session information the server encrypts the session ticket with AES before sending it to the client. Additionally, an HMAC (with SHA-256) protects the integrity of the data (RFC 5077):

 struct {
   opaque key_name[16];
   opaque iv[16];
   opaque encrypted_state<0..2^16-1>;
   opaque mac[32];
 } ticket;
 
This class can be used to specify the symmetric encryption key and the mac key to be used for ticket protection:
 byte[] keyName = ...;
 SecretKey cipherKey = ...;
 SecretKey macKey = ...;
 TicketKeyBag ticketKey = new TicketKeyBag(cipherKey, macKey, keyName);
 
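The ticket layout above, as an added example that is not part of iSaSiLk or of this Javadoc: it takes the keys out of a TicketKeyBag built exactly as shown and implements RFC 5077 ticket protection (AES-CBC, then HMAC-SHA256 over key_name, iv, the 2-byte length and encrypted_state) and verification, which checks key name, length and MAC in constant time before any decryption. The class name, the helper names and the assumption that keyName is exactly 16 bytes are mine; how iSaSiLk itself handles tickets internally is not shown on this page.

```java
import java.nio.ByteBuffer;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.Mac;
import javax.crypto.spec.IvParameterSpec;
import iaik.security.ssl.TicketKeyBag;

public class TicketFormatDemo {  // hypothetical demo class, not part of iSaSiLk
  static final int HDR = 16 + 16 + 2;  // key_name | iv | 2-byte length of encrypted_state
  // HMAC-SHA256 over everything that precedes the mac field (RFC 5077, section 4).
  static byte[] mac(TicketKeyBag bag, byte[] data, int len) throws Exception {
    Mac h = Mac.getInstance("HmacSHA256");
    h.init(bag.getMacKey());
    h.update(data, 0, len);
    return h.doFinal();
  }
  static byte[] aes(TicketKeyBag bag, int mode, byte[] iv, byte[] in, int off, int len) throws Exception {
    Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
    c.init(mode, bag.getCipherKey(), new IvParameterSpec(iv));
    return c.doFinal(in, off, len);
  }
  // Builds key_name(16) | iv(16) | len(2) | encrypted_state | mac(32) with a fresh random IV.
  static byte[] protect(TicketKeyBag bag, byte[] keyName, byte[] state) throws Exception {
    byte[] iv = new byte[16]; new SecureRandom().nextBytes(iv);
    byte[] enc = aes(bag, Cipher.ENCRYPT_MODE, iv, state, 0, state.length);
    ByteBuffer t = ByteBuffer.allocate(HDR + enc.length + 32);
    t.put(keyName, 0, 16).put(iv).putShort((short) enc.length).put(enc);
    return t.put(mac(bag, t.array(), HDR + enc.length)).array();
  }
  // Checks key name, length and MAC (constant-time) before decrypting; null means reject.
  static byte[] unprotect(TicketKeyBag bag, byte[] keyName, byte[] ticket) throws Exception {
    if (ticket.length < HDR + 32) return null;
    ByteBuffer t = ByteBuffer.wrap(ticket);
    byte[] name = new byte[16], iv = new byte[16]; t.get(name).get(iv);
    int len = t.getShort() & 0xFFFF;
    if (!Arrays.equals(name, keyName) || ticket.length != HDR + len + 32) return null;
    byte[] tag = Arrays.copyOfRange(ticket, HDR + len, ticket.length);
    if (!MessageDigest.isEqual(mac(bag, ticket, HDR + len), tag)) return null;
    return aes(bag, Cipher.DECRYPT_MODE, iv, ticket, HDR, len);
  }
  public static void main(String[] args) throws Exception {
    byte[] keyName = new byte[16];  // constructed demo key name (16 zero octets)
    TicketKeyBag bag = new TicketKeyBag(KeyGenerator.getInstance("AES").generateKey(),
        KeyGenerator.getInstance("HmacSHA256").generateKey(), keyName);
    byte[] ticket = protect(bag, keyName, "constructed session state".getBytes("UTF-8"));
    ticket[ticket.length - 1] ^= 1;  // flip one MAC bit: unprotect must now return null
    System.out.println(unprotect(bag, keyName, ticket) == null);
  }
}
```

With the tampered byte restored, unprotect returns the original state bytes; any change to key_name, iv, length or ciphertext is caught by the MAC check before the cipher is touched.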


Nested Class Summary
static class TicketKeyBag.KeyName
          This class represents the key name of a TicketKeyBag.
 
Constructor Summary
TicketKeyBag()
          Creates a ticket key bag where cipher and mac keys are generated automatically.
TicketKeyBag(javax.crypto.SecretKey cipherKey, javax.crypto.SecretKey macKey, byte[] keyName)
          Creates a ticket key bag for the given cipher key and mac key.
 
Method Summary
 java.lang.Object clone()
          Gets a clone of this Object.
 long getActivationTime()
          Gets the activation time of this key bag.
 javax.crypto.SecretKey getCipherKey()
          Gets the cipher key.
 TicketKeyBag.KeyName getKeyName()
          Gets the key name.
 javax.crypto.SecretKey getMacKey()
          Gets the mac key.
 long getValidityPeriod()
          Gets how long cipher and mac key of this key bag shall be used.
 void setActivationTime(long time)
          Sets the activation time of this key bag.
 void setValidityPeriod(long time)
          Specifies how long cipher and mac key of this key bag shall be used.
 java.lang.String toString()
          Returns a String representation of this TicketKeyBag.
 
Methods inherited from class java.lang.Object
equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait
 

Constructor Detail

TicketKeyBag

public TicketKeyBag(javax.crypto.SecretKey cipherKey,
                    javax.crypto.SecretKey macKey,
                    byte[] keyName)
Creates a ticket key bag for the given cipher key and mac key.

Parameters:
cipherKey - the cipher key
macKey - the mac key
keyName - the key id name

TicketKeyBag

public TicketKeyBag()
             throws java.security.NoSuchAlgorithmException
Creates a ticket key bag where cipher and mac keys are generated automatically.

Throws:
java.security.NoSuchAlgorithmException - if the keys could not be created

Method Detail

clone

public java.lang.Object clone()
Gets a clone of this Object.

Overrides:
clone in class java.lang.Object
Returns:
a clone of this object

toString

public java.lang.String toString()
Returns a String representation of this TicketKeyBag.

Overrides:
toString in class java.lang.Object
Returns:
a String representation

getCipherKey

public javax.crypto.SecretKey getCipherKey()
Gets the cipher key.

Returns:
the cipher key

getMacKey

public javax.crypto.SecretKey getMacKey()
Gets the mac key.

Returns:
the mac key

getKeyName

public TicketKeyBag.KeyName getKeyName()
Gets the key name.

Returns:
the key name

setValidityPeriod

public void setValidityPeriod(long time)
Specifies how long cipher and mac key of this key bag shall be used.
This method may be used to tell iSaSiLk to refresh the ticket encryption and mac keys periodically. The default ticket validity period is -1, meaning that the ticket keys are used as long as the iSaSiLk server is running. If you specify a positive value when calling this method, new keys will be generated after the given time period has expired. To guarantee a smooth key transition, the old keys are still accepted for the period of one ticket lifetime (or session manager resume period) after the new keys have been activated, i.e. the actual validity period of a key bag is validity_period + ticket_lifetime.

Parameters:
time - the time (in seconds) for which the current ticket keys shall be used; if time <= 0 the keys are used forever (as long as the server is running; default)

getValidityPeriod

public long getValidityPeriod()
Gets how long cipher and mac key of this key bag shall be used.
The default ticket validity period is -1, meaning that the ticket keys are used as long as the iSaSiLk server is running. If you have specified a positive validity period, new keys will be generated after the given time period has expired. To guarantee a smooth key transition, the old keys are still accepted for the period of one ticket lifetime after the new keys have been activated.

Returns:
the time (in seconds) for which the current ticket keys are used; if time <= 0 the keys are used forever (as long as the server is running; default)

setActivationTime

public void setActivationTime(long time)
Sets the activation time of this key bag.

Parameters:
time - the time (in seconds) at which this key bag is activated

getActivationTime

public long getActivationTime()
Gets the activation time of this key bag.

Returns:
the time (in seconds) at which this key bag is activated

This Javadoc may contain text parts from IETF Internet Standard specifications (see copyright note).

iSaSiLk 6.0, (c) 2002 IAIK, (c) 2003 - 2015 SIC