Hi,
Valery Smyslov wrote:
>No, they include only hash (GOSTR341112) and AEAD cipher (MAGMA_MGM or
>KUZNYECHIK_MGM).
>Their order in the names is unusual (hash first, cipher second).
Yes, my misunderstanding based on the weird naming order. So nothing weird
technically.
Ilari Liusvaara wrote:
Hi John,
two more clarifications regarding GOST suites.
First, the rekeying is not per-packet, but per n packets,
where n depends on the suite and varies from 1 to 8192
(as per table 1, Section 4.1, RFC 9367, constant C_3).
And second, the packet protection key
depends only on the co
Hi Valery,
>First, the rekeying is not per-packet, but per n packets,
>where n depends on the suite and varies from 1 to 8192
>(as per table 1, Section 4.1, RFC 9367, constant C_3).
Thanks for the clarification. So, if I understand correctly, the rekeying
frequency is 2^64 – C_3 and is fixed per
>And second, the packet protection key
>depends only on the corresponding application traffic secret
>and on the packet number, it can always be calculated
>if the packet number is known. Both DTLS and QUIC
>bear sequence numbers in packets, so
>there seem to be no major obstacles for using
Hi,
A comment on the draft that should be updated in the next version:
OLD: "Quantum computers, once available, will have a huge impact on TLS."
A lot of people already have small, error prone, and currently quite useless
quantum computers. I suggest changing to Cryptographically Relevant Quant
Hi Russ,
Russ Housley wrote:
> Appendix E.6 of [RFC8446] discusses identity-exposure attacks on
> PSKs. Also, Appendix C.4 of [I-D.ietf-tls-rfc8446bis] discusses
> tracking prevention. The guidance in these sections remains relevant.
>
> If an external PSK identity is used for multiple co
>An unhelpful answer is that the key exporter interface was already set by
>prior versions of TLS and any TLS 1.3 key exporter needs to remain analogous.
>:-)
I think the opposite is true :) In TLS 1.2 rekeying (with renegotiation) does
change the value returned by the key exporter, at least t
* NEW2: "Cryptographically relevant quantum computers, once available,
will have a huge impact on RSA, FFDH, ECC which are currently used in TLS."
Good point. https://github.com/richsalz/tls12-frozen/pull/12 has the change.
I’ll wait until/if this is adopted by the WG to merge it.
John:
Thanks for your thoughtful review.
> Russ Housley wrote:
> > Appendix E.6 of [RFC8446] discusses identity-exposure attacks on
> > PSKs. Also, Appendix C.4 of [I-D.ietf-tls-rfc8446bis] discusses
> > tracking prevention. The guidance in these sections remains relevant.
> >
> > If an
On 12/8/2023 6:57 AM, John Mattsson wrote:
That seems like a good start. I think it would be good the TLS WG came
up with additional guidelines/mechanisms/requirements for doing External
PSK in a secure way that does not enable tracking. Using the same
External PSK identifier for a long time sh