On 23 December 2015 at 08:51, Watson Ladd <watsonbl...@gmail.com> wrote:

> Textbook DH does not ensure contributory behavior. Applications don't
> implement the required checks for poorly designed protocols. If we insert
> checks, applications which fail to make those checks will be vulnerable,
> while fixing protocols closes the hole.
I've done a fair bit of reading into this issue as well, finding Thai's blog posting and a few other things. As Watson says, the protocol can be designed so that it doesn't depend on the DH exchange providing contributory behaviour. We should definitely do that either way.

I understand that the checks are considered onerous by some, but I still don't understand why anyone might refuse to do them. Checking that you don't get a bad output from the DH computation is a tiny piece of code that takes almost no time at all, even if you have to worry about doing it in constant time.