TLS-PSK

Transport Layer Security pre-shared key ciphersuites (TLS-PSK) is a set of cryptographic protocols that provide secure communication based on pre-shared keys (PSKs). These pre-shared keys are symmetric keys shared in advance among the communicating parties.

There are several cipher suites: The first set of ciphersuites use only symmetric key operations for authentication. The second set use a Diffie–Hellman key exchange authenticated with a pre-shared key. The third set combine public key authentication of the server with pre-shared key authentication of the client.

Usually, Transport Layer Security (TLS) uses public key certificates or Kerberos for authentication. TLS-PSK uses symmetric keys, shared in advance among the communicating parties, to establish a TLS connection. There are several reasons to use PSKs:

• Using pre-shared keys can, depending on the ciphersuite, avoid the need for public key operations. This is useful if TLS is used in performance-constrained environments with limited CPU power.
• Pre-shared keys may be more convenient from a key management point of view. For instance, in closed environments where the connections are mostly configured manually in advance, it may be easier to configure a PSK than to use certificates. Another case is when the parties already have a mechanism for setting up a shared secret key, and that mechanism could be used to “bootstrap” a key for authenticating a TLS connection.

Standards

• RFC 4279: "Pre-Shared Key Ciphersuites for Transport Layer Security (TLS)".
• RFC 4785: "Pre-Shared Key (PSK) Ciphersuites with NULL Encryption for Transport Layer Security (TLS)".
• RFC 5487: "Pre-Shared Key Cipher Suites for TLS with SHA-256/384 and AES Galois Counter Mode".
• RFC 5489: "ECDHE_PSK Cipher Suites for Transport Layer Security (TLS)".

See also

• Transport layer security Secure Remote Password (TLS-SRP)
• AES Galois Counter Mode (GCM)
• Elliptic curve Diffie–Hellman (ECDHE)
• Null encryption
• SHA-256

References