Hi Thijs,

On 7/19/15 12:42, Thijs van Dijk wrote:
> On 19 July 2015 at 12:21, Manuel Pegourie-Gonnard <m...@elzevir.fr> wrote:
>
>> I'm probably wrong since I only thought about it for a few minutes, but it
>> seems to me that the PasswordVerify message would be encrypted with (keys
>> derived from) the handshake master secret, which would prevent offline
>> attacks.
>>
>> What am I missing?
>
> The key observation is the following: (I mentioned this off-list a few
> weeks ago, but I guess I'll post it here as well for posterity.)
>
> [T]he master secret will be derived from the client's and server's
> respective KeyShare messages, and will therefore be known at the time the
> server's PasswordVerify is sent. A malicious client could therefore perform
> half a handshake (just enough to get the server to give up its PV message),
> abort, and proceed with an offline attack in its own time.

Indeed. Thanks!

(And sorry for the noise, as expected.)

Manuel.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls