[TLS] ECH AAD for HRR

2021-09-01 Thread Stephen Farrell
(Apologies for the acronym-laden subject:-) I'm more or less at the "code complete" stage of implementing draft-13 incl. HRR. (If anyone wants to try interop, for now please contact me, but I should have a server up in a few days.) I'm sure as usual I'll have gotten some details wrong, but I was

Re: [TLS] ECH AAD for HRR

2021-09-01 Thread David Benjamin
That's right. The AAD and actual CH should be exactly the same, apart from the payload being zeroed in place. You don't need to reserialize the structure as a server, or serialize ClientHelloOuter twice as a client. On Wed, Sep 1, 2021 at 1:01 PM Stephen Farrell wrote: > > (Apologies for the acr

Re: [TLS] ECH AAD for HRR

2021-09-01 Thread Christopher Patton
Yup, that was my interpretation as well. On Wed, Sep 1, 2021 at 10:14 AM David Benjamin wrote: > That's right. The AAD and actual CH should be exactly the same, apart from > the payload being zeroed in place. You don't need to reserialize the > structure as a server, or serialize ClientHelloOute

Re: [TLS] ECH AAD for HRR

2021-09-01 Thread Stephen Farrell
Great, thanks both S On 01/09/2021 19:04, Christopher Patton wrote: Yup, that was my interpretation as well. On Wed, Sep 1, 2021 at 10:14 AM David Benjamin wrote: That's right. The AAD and actual CH should be exactly the same, apart from the payload being zeroed in place. You don't need to

[TLS] Combining Secrets in Hybrid Key Exchange in TLS 1.3

2021-09-01 Thread Nimrod Aviram
(This note is also available on Github for ease of reading.) This note identifies a possible security problem in the "Hybrid key exchange in TLS 1.3" document, stemming from how cryptographic secrets are combined. In short: constructions that concatenat

Re: [TLS] Combining Secrets in Hybrid Key Exchange in TLS 1.3

2021-09-01 Thread Blumenthal, Uri - 0553 - MITLL
How does the described AOAP attack apply to TLS KDF? -- Regards, Uri There are two ways to design a system. One is to make it so simple there are obviously no deficiencies. The other is to make it so complex there are no obvious deficiencies.

Re: [TLS] ECH AAD for HRR

2021-09-01 Thread Stephen Farrell
Earlier, I said: On 01/09/2021 18:00, Stephen Farrell wrote: I should have a server up in a few days I now have an ``openssl s_server`` that thinks it speaks draft-13 running on draft-13.esni.defo.ie on port 8413 with the relevant ECHConfig published in DNS etc. It'll probably crash and burn