Eric: I looked at Hugo's message in the context of the table in Section 7.1:
Key Exchange       Static Secret (SS)      Ephemeral Secret (ES)
------------       ------------------      ---------------------
(EC)DHE            Client ephemeral        Client ephemeral
(full handshake)   w/ server ephemeral     w/ server ephemeral

(EC)DHE            Client ephemeral        Client ephemeral
(w/ 0-RTT)         w/ server static        w/ server ephemeral

PSK                Pre-Shared Key          Pre-shared key

PSK + (EC)DHE      Pre-Shared Key          Client ephemeral
                                           w/ server ephemeral

If I understand Hugo's message correctly, he is saying that in the second row, the SS must be part of the key derivation. I think we need to consider the bottom row as well. It seems to me that using the master_secret captures the benefits of both the SS and the ES. This meets Hugo's requirement for the second row, and gets the benefits of the ephemeral values for the bottom row.

Russ

On Sep 4, 2015, at 11:33 AM, Eric Rescorla wrote:

> See:
> http://www.ietf.org/mail-archive/web/tls/current/msg17184.html
>
> On Fri, Sep 4, 2015 at 8:27 AM, Russ Housley <hous...@vigilsec.com> wrote:
> In Section 7.1, the document says:
>
>     4. finished_secret = HKDF-Expand-Label(xSS,
>                                            "finished secret",
>                                            handshake_hash, L)
>
>     5. resumption_secret = HKDF-Expand-Label(master_secret,
>                                              "resumption master secret"
>                                              session_hash, L)
>
> Why don't we use the master_secret in both the finished_secret and the
> resumption_secret formula?
>
> Russ
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
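The derivations quoted in the thread, as an added worked example (not code from the draft or from anyone on this list): a Python implementation of HKDF-Extract, HKDF-Expand and HKDF-Expand-Label, used to show what changes in the table's 0-RTT row when finished_secret is fed xSS (step 4 as quoted) versus master_secret (as Russ proposes). The HkdfLabel wire layout and steps 1-3 of the schedule are assumptions taken from the draft of the time, and every secret and transcript hash is constructed.

```python
import hashlib
import hmac
import struct

HASH = hashlib.sha256
L = HASH().digest_size  # 32 bytes for SHA-256

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC-Hash(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC-Hash(PRK, T(i-1) | info | i), concatenated."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out, counter = out + block, counter + 1
    return out[:length]

def hkdf_expand_label(secret: bytes, label: str, hash_value: bytes, length: int) -> bytes:
    """HKDF-Expand(Secret, HkdfLabel, Length); assumed 2015-draft HkdfLabel layout:
    uint16 length, opaque label<9..255> = "TLS 1.3, " + Label, opaque hash_value<0..255>."""
    full_label = b"TLS 1.3, " + label.encode("ascii")
    hkdf_label = (struct.pack("!H", length) + bytes([len(full_label)]) + full_label
                  + bytes([len(hash_value)]) + hash_value)
    return hkdf_expand(secret, hkdf_label, length)

def derive(ss: bytes, es: bytes, handshake_hash: bytes, session_hash: bytes) -> dict:
    """Section 7.1 schedule. Steps 1-3 assumed from the draft of the time (xSS/xES extracted
    under a zero salt, master_secret extracted from both); steps 4-5 are the quoted formulas,
    plus Russ's proposed master_secret variant of step 4 for comparison."""
    xSS = hkdf_extract(bytes(L), ss)
    xES = hkdf_extract(bytes(L), es)
    master_secret = hkdf_extract(xSS, xES)
    return {
        "finished_from_xSS": hkdf_expand_label(xSS, "finished secret", handshake_hash, L),
        "finished_from_master": hkdf_expand_label(master_secret, "finished secret", handshake_hash, L),
        "resumption_secret": hkdf_expand_label(master_secret, "resumption master secret", session_hash, L),
    }

def compare_0rtt_handshakes() -> dict:
    """Second table row (0-RTT): SS repeats across handshakes (server static key), ES is fresh.
    Constructed inputs; transcript hashes held fixed so only the secret input differs."""
    ss = b"\x01" * 32                      # constructed: same static-derived SS both times
    es1, es2 = b"\x02" * 32, b"\x03" * 32  # constructed: fresh ephemeral secret per handshake
    hh = HASH(b"constructed handshake transcript").digest()
    sh = HASH(b"constructed session transcript").digest()
    a, b = derive(ss, es1, hh, sh), derive(ss, es2, hh, sh)
    return {"xSS_finished_repeats": a["finished_from_xSS"] == b["finished_from_xSS"],
            "master_finished_repeats": a["finished_from_master"] == b["finished_from_master"]}
```

With the SS held constant and only the ES changed, the xSS-derived finished_secret comes out identical for both handshakes, while the master_secret-derived one differs, which is the property Russ's message points at.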