Watson Ladd <watsonbl...@gmail.com> wrote:
> For these results a sender of 2^60 messages can tolerate 2^60 forgery
> attempts while the probability of forgery is at most 1.002/2^52.

TLS only allows one forgery attempt per connection (thus per key). That is, as soon as a TLS implementation fails to verify a record's authentication tag, it must shut down the connection. Thus, it would be more useful to state the analysis as "Observing X signed records over Y bytes increases the odds of the attacker forging the next record to Z."

Cheers,
Brian
--
https://briansmith.org/
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
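The teardown rule described in the reply above, as an added example that is not part of the original message: a receiver that shuts down on the first bad tag, so only one forgery attempt is ever verified per key. HMAC-SHA256 stands in for the TLS AEAD tag, and `seal`, `RecordReceiver` and `verified_attempts` are hypothetical names.

```python
import hashlib
import hmac

TAG_LEN = 32  # HMAC-SHA256 output; stand-in for the AEAD tag length


class ConnectionClosed(Exception):
    """The connection (and therefore its key) is no longer usable."""


def seal(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: payload followed by a tag bound to the sequence number."""
    mac = hmac.new(key, seq.to_bytes(8, "big") + payload, hashlib.sha256)
    return payload + mac.digest()


class RecordReceiver:
    """Receiver state for one connection, i.e. one key (hypothetical)."""

    def __init__(self, key: bytes):
        self._key = key
        self._seq = 0
        self.closed = False
        self.failed_verifications = 0  # forgery attempts checked under this key

    def open(self, record: bytes) -> bytes:
        if self.closed:
            raise ConnectionClosed("connection already shut down")
        payload, tag = record[:-TAG_LEN], record[-TAG_LEN:]
        expected = seal(self._key, self._seq, payload)[-TAG_LEN:]
        if len(record) < TAG_LEN or not hmac.compare_digest(tag, expected):
            self.failed_verifications += 1
            self.closed = True   # first bad tag ends the connection
            self._key = b""      # drop the key so nothing else is checked under it
            raise ConnectionClosed("record authentication failed")
        self._seq += 1
        return payload


def verified_attempts(receiver: RecordReceiver, records) -> int:
    """Feed records in order; return how many bad tags were actually verified."""
    for record in records:
        try:
            receiver.open(record)
        except ConnectionClosed:
            pass
    return receiver.failed_verifications
```

However many forged records arrive, `verified_attempts` returns at most 1 for a given receiver, which is the per-key limit the reply refers to.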