US-12627711-B2 - Systems and methods for determining a pre-shared key (PSK) identity for transport layer security (TLS)
Abstract
Systems and methods for determining a pre-shared key (PSK) identity for Transport Layer Security (TLS) are described. In an illustrative, non-limiting embodiment, an Information Handling System (IHS) may include: a processor; and a memory coupled to the processor, wherein the memory comprises program instructions stored thereon that, upon execution by the processor, cause the IHS to: establish a Transmission Control Protocol (TCP) connection with another IHS; generate a TLS PSK; derive based, at least in part, on the TLS PSK, a unique PSK identity associated with the TLS PSK; and perform a TLS negotiation with the other IHS using the TLS PSK and the unique PSK identity.
Inventors
- Claudio DeSanti
- David L. Black
Assignees
- DELL PRODUCTS, L.P.
Dates
- Publication Date: 20260512
- Application Date: 20230722
Claims (20)
- 1. An Information Handling System (IHS), comprising: a processor; and a memory coupled to the processor, wherein the memory comprises program instructions stored thereon that, upon execution by the processor, cause the IHS to: establish a Transmission Control Protocol (TCP) connection with another IHS; generate a Transport Layer Security (TLS) pre-shared key (PSK); determine a PSK digest based, at least in part, on: a shared session key, information with regard to an identity of the IHS, and information with regard to an identity of the other IHS; derive, based, at least in part, on the TLS PSK and the PSK digest, a unique PSK identity associated with the TLS PSK, wherein the PSK digest is added to the unique PSK identity; and perform a TLS negotiation with the other IHS based, at least in part, on the TLS PSK and the unique PSK identity.
- 2. The IHS of claim 1, wherein the program instructions, upon execution by the processor, further cause the IHS to determine the PSK digest based, at least in part, on a secure hash associated with the PSK.
- 3. The IHS of claim 2, wherein to determine the PSK identity that is unique for the TLS PSK, the program instructions, upon execution by the processor, further cause the IHS to add the PSK digest to the unique PSK identity based, at least in part, on the secure hash, and wherein the PSK digest further comprises an indication of whether the PSK identity is associated with a generated PSK, or a retained PSK.
- 4. The IHS of claim 2, wherein to generate the TLS PSK, the program instructions, upon execution by the processor, further cause the IHS to: calculate the TLS PSK associated with the unique PSK identity based, at least in part, on the shared session key, and the PSK digest.
- 5. The IHS of claim 1, wherein the program instructions, upon execution by the processor, further cause the IHS to: establish a secure channel with the other IHS based, at least in part, on the TLS negotiation.
- 6. The IHS of claim 1, wherein the program instructions, upon execution by the processor, further cause the IHS to: perform a Non-Volatile Memory Express over Fabrics (NVMe-oF) authentication exchange with the other IHS; and derive a shared session key for the TCP connection with the other IHS.
- 7. The IHS of claim 6, wherein the TLS PSK and the unique PSK identity are determined based, at least in part, on the shared session key and a cryptographic one-way function.
- 8. The IHS of claim 6, wherein the shared session key comprises a generated PSK.
- 9. The IHS of claim 6, wherein the shared session key comprises a retained PSK derived from a configured PSK configured by a user or administrator.
- 10. The IHS of claim 6, wherein the IHS is a host, and wherein the other IHS is a controller.
- 11. The IHS of claim 1, wherein the TCP connection comprises a Non-Volatile Memory Express (NVMe)/TCP connection, and wherein establishing to establish the NVMe/TCP connection with the other IHS, the program instructions, upon execution by the processor, further cause the IHS to: perform a connect exchange with the other IHS; establish one or more NVMe queues; and associate the IHS as a host, and the other IHS as a controller.
- 12. The IHS of claim 1, wherein the program instructions, upon execution by the processor, further cause the IHS to: use the TLS PSK and the unique PSK identity to set up administration and I/O queues for the TCP connection.
- 13. The IHS of claim 1, wherein the program instructions, upon execution by the processor, further cause the IHS to: use the TLS PSK and the unique PSK identity to only set up queues that belong to a single association.
- 14. A method, comprising: establishing, by a first Information Handling System (IHS), a Transmission Control Protocol (TCP) connection with a second IHS; calculating a Transport Layer Security (TLS) pre-shared key (PSK); determining a PSK digest based, at least in part, on: a shared session key, information with regard to an identity of the first IHS, and information with regard to an identity of the second IHS; deriving based, at least in part, on the TLS PSK and the PSK digest, a unique PSK identity for the TLS PSK, wherein the PSK digest is added to the unique PSK identity based, at least in part, on a secure hash associated with the PSK; and performing a TLS negotiation with the second IHS using the TLS PSK and the unique PSK identity.
- 15. The method of claim 14, wherein the secure hash is a cryptographic one-way function.
- 16. The method of claim 14, further comprising: establishing a secure channel with the second IHS based, at least in part, on the TLS negotiation.
- 17. The method of claim 14, further comprising: performing a Non-Volatile Memory Express over Fabrics (NVMe-oF) authentication exchange with the second IHS; and deriving the shared session key for the TCP connection with the second IHS, wherein the TLS PSK and the unique PSK identity are determined based, at least in part, on the shared session key.
- 18. The method of claim 17, wherein the shared session key comprises either a generated PSK or a retained PSK derived from a configured PSK configured by a user or administrator.
- 19. One or more non-transitory computer-readable storage media configured with stored program instructions that when executed on or across one or more processors, cause the one or more processors to: establish a Transmission Control Protocol (TCP) connection with a remote Information Handling System (IHS); determine a Transport Layer Security (TLS) pre-shared key (PSK); determine a PSK digest based, at least in part, on: a shared session key, information with regard to an identity of the IHS, and information with regard to an identity of the other IHS; determine based, at least in part, on the TLS PSK and the PSK digest, a PSK identity that is unique for the TLS PSK, wherein the PSK digest is added to the unique PSK identity; and perform a TLS negotiation with the remote IHS at least in part with the TLS PSK and an associated PSK identity that is unique for the TLS PSK.
- 20. The one or more non-transitory computer-readable storage media of claim 19, wherein to determine the PSK identity that is unique for the TLS PSK, the program instructions further cause the one or more processors to derive the unique PSK identity based, at least in part, on the PSK digest; and wherein to determine the TLS PSK, the program instructions further cause the one or more processors to determine the TLS PSK associated with the unique PSK identity based, at least in part, on the shared session key, and the PSK digest.
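
The derivation chain recited in claims 1 to 4 (a digest over the shared session key and both endpoint identities, an identity that carries that digest, and a TLS PSK calculated from the session key and the digest) can be sketched as follows, including the check a receiving controller can make before using an offered identity. This is an added example, not code from the patent or from any NVMe specification; HMAC-SHA-256, the HKDF step, the label, the identity layout, the generated/retained indicator characters and the sample identifiers are all assumptions made for illustration.

```python
import base64
import hashlib
import hmac

GENERATED, RETAINED = "G", "R"  # assumed one-character PSK type indicator

def lp(field: str) -> bytes:
    """Length-prefix a field so concatenated identities cannot be ambiguous."""
    raw = field.encode()
    return len(raw).to_bytes(2, "big") + raw

def psk_digest(session_key: bytes, host_id: str, ctrl_id: str) -> str:
    """Digest over the shared session key and both endpoint identities."""
    mac = hmac.new(session_key, lp(host_id) + lp(ctrl_id), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()

def psk_identity(kind: str, host_id: str, ctrl_id: str, digest: str) -> str:
    """Identity string that carries the digest (layout is an assumption)."""
    return f"{kind} {host_id} {ctrl_id} {digest}"

def tls_psk(session_key: bytes, identity: str) -> bytes:
    """HKDF-SHA-256 (RFC 5869), one output block, identity as context."""
    prk = hmac.new(bytes(32), session_key, hashlib.sha256).digest()
    info = b"example-tls-psk " + identity.encode() + b"\x01"
    return hmac.new(prk, info, hashlib.sha256).digest()

def accept(identity: str, session_key: bytes, local_ctrl_id: str):
    """Controller side: return the TLS PSK only if the offered identity
    matches this session key and these endpoints, else None."""
    parts = identity.split(" ")
    if len(parts) != 4 or parts[0] not in (GENERATED, RETAINED):
        return None
    kind, host_id, ctrl_id, digest = parts
    if ctrl_id != local_ctrl_id:
        return None
    expected = psk_digest(session_key, host_id, ctrl_id)
    if not hmac.compare_digest(expected.encode(), digest.encode()):
        return None
    return tls_psk(session_key, identity)

if __name__ == "__main__":
    key = bytes(range(32))  # constructed sample session key
    host = "nqn.2014-08.org.example:host1"    # constructed identifiers
    ctrl = "nqn.2014-08.org.example:subsys1"
    ident = psk_identity(GENERATED, host, ctrl, psk_digest(key, host, ctrl))
    print(ident)
    print(accept(ident, key, ctrl).hex())
```

Because the digest is keyed by the session key and covers both identities, two associations between the same endpoints with different session keys yield different identities, and an identity replayed against a different key or controller is rejected before any TLS PSK is returned.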
Description
FIELD
This disclosure relates generally to Information Handling Systems (IHSs), and more specifically, to systems and methods for determining a pre-shared key (PSK) identity for Transport Layer Security (TLS), and for TLS concatenation.
BACKGROUND
As the value and use of information continues to increase, individuals and businesses seek additional ways to process and store it. One option available to users is an Information Handling System (IHS). An IHS generally processes, compiles, stores, and/or communicates information or data for business, personal, or other purposes thereby allowing users to take advantage of the value of the information. Because technology and information handling needs and requirements vary between different users or applications, IHSs may also vary regarding what information is handled, how the information is handled, how much information is processed, stored, or communicated, and how quickly and efficiently the information may be processed, stored, or communicated. Variations in IHSs allow for IHSs to be general or configured for a specific user or specific use, such as financial transaction processing, airline reservations, enterprise data storage, or global communications. In addition, IHSs may include a variety of hardware and software components that may be configured to process, store, and communicate information and may include one or more computer systems, data storage systems, and networking systems.
Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a computer network. The protocol is widely used in applications such as email and instant messaging, but its use in securing HTTPS remains the most publicly visible. The TLS protocol aims primarily to provide security, including confidentiality, integrity, and authenticity through the use of cryptography, such as the use of certificates, between two or more communicating computer applications. It runs in the presentation layer and is itself composed of two layers: the TLS record and the TLS handshake protocols.
TLS is a proposed Internet Engineering Task Force (IETF) standard, first defined in 1999, and the current version is TLS 1.3, defined in August 2018. TLS builds on the now-deprecated Secure Sockets Layer (“SSL”) specifications (1994, 1995, 1996) developed by Netscape Communications for adding the HTTPS protocol to their Navigator web browser. TLS 1.2 is strongly discouraged in favor of the modernized, more secure TLS 1.3. Older versions of TLS (e.g., 1.0, 1.1, etc.) and all versions of SSL are insecure, and hence prohibited in IETF standards.
SUMMARY
Systems, methods, and service frameworks for determining a pre-shared key (PSK) identity for Transport Layer Security (TLS), and for TLS concatenation, are described. In an illustrative, non-limiting embodiment, an Information Handling System (IHS) may include: a processor; and a memory coupled to the processor, where the memory includes program instructions stored thereon that, upon execution by the processor, cause the IHS to: establish a Transmission Control Protocol (TCP) connection with another IHS; generate a Transport Layer Security (TLS) pre-shared key (PSK); derive based, at least in part, on the TLS PSK, a unique PSK identity associated with the TLS PSK; and perform a TLS negotiation with the other IHS using the TLS PSK and the unique PSK identity.
In some embodiments, the program instructions, upon execution by the processor, further cause the IHS to: determine a PSK digest based, at least in part, on a shared session key, information regarding an identity of the IHS, and information regarding an identity of the other IHS. In some embodiments, in order to determine the PSK identity that is unique for the TLS PSK, the program instructions, upon execution by the processor, further cause the IHS to: derive the unique PSK identity based, at least in part, on the PSK digest. In some embodiments, in order to generate the TLS PSK, the program instructions, upon execution by the processor, further cause the IHS to: calculate the TLS PSK associated with the unique PSK identity based, at least in part, on the shared session key, and the PSK digest.
In some embodiments, the program instructions, upon execution by the processor, further cause the IHS to: establish a secure channel with the other IHS based, at least in part, on the TLS negotiation. In some embodiments, the program instructions, upon execution by the processor, further cause the IHS to: perform a Non-Volatile Memory Express over Fabrics (NVMe-oF) authentication exchange with the other IHS; and derive a shared session key for the TCP connection with the other IHS. In some embodiments, the TLS PSK and the unique PSK identity are determined based, at least in part, on the shared session key. In some embodiments, the shared session key includes a generated PSK. In some embodiments, the shared session key includes a retained PSK derived from a configured PS