On Dec 30, 2015 7:08 PM, "Ilari Liusvaara" <ilariliusva...@welho.com> wrote:
>
> On Thu, Dec 31, 2015 at 09:55:10AM +1100, Martin Thomson wrote:
> > On 30 December 2015 at 22:16, Ilari Liusvaara <ilariliusva...@welho.com> wrote:
> > >> Would it make sense to have session hash as a requirement in TLS
> > >> 1.2 when you want to use Curve25519?
> > >
> > > I don't think that is reasonable.
> >
> > I think that is entirely reasonable. TLS 1.2 relies on contributory
> > behaviour. 25519 doesn't provide that unless you do some extra
> > checking that we know many implementations don't do.
> >
> > I'd be OK with either requiring session hash, some checking of values,
> > or both. Otherwise we create a situation where the shared secret can
> > be forced by an attacker.
>
> The draft already has the checks.
>
> I also think I figured out a way to truly force contributory behaviour
> without any checks:
>
> It is a bit nasty hack: Throw the exchange keys into the PMS, expanding
> it from 32/56 bytes to 96/168 bytes.
Why not hash the public values into the result of the key exchange? I don't want security to depend on omittable checks.

>
>
> -Ilari
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
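The three things discussed in this exchange, as an added worked example that is not part of the thread or of the draft under discussion: a pure-Python X25519 ladder transcribed from RFC 7748 (reference code, not constant-time), the all-zero-output check that the draft requires, and a key derivation that hashes both public values into the result, as the reply above proposes. The KDF label and layout, the `forced_secrets` scenario, and the point values used as the attacker's public key are assumptions made for this example; the test vectors are the ones in RFC 7748 section 6.1.

```python
"""X25519 contributory behaviour: the small-order-point problem and two mitigations.

Reference RFC 7748 ladder (NOT constant-time; for illustration only), the
all-zero output check, and a derivation that binds both public values.
"""
import hashlib
import os

P = 2**255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")


def _clamp(k: bytes) -> int:
    """RFC 7748 decodeScalar25519: clear the low 3 bits and bit 255, set bit 254."""
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def _decode_u(u: bytes) -> int:
    """RFC 7748 decodeUCoordinate: mask the top bit, accept non-canonical values."""
    u = bytearray(u)
    u[31] &= 127
    return int.from_bytes(u, "little")


def x25519(k: bytes, u: bytes) -> bytes:
    """Montgomery ladder from RFC 7748 section 5 (branches on secret bits; illustration)."""
    k, x1 = _clamp(k), _decode_u(u)
    x2, z2, x3, z3 = 1, 0, x1 % P, 1
    swap = 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


# Small-order u-coordinates (assumed attacker inputs for this example): for every
# clamped scalar the ladder returns all zeros, so a peer sending one of these
# forces the "shared" secret no matter what our private key is.
SMALL_ORDER_POINTS = [v.to_bytes(32, "little") for v in (0, 1, P - 1)]


def shared_secret_checked(priv: bytes, peer_pub: bytes) -> bytes:
    """The omittable check: reject an all-zero output (RFC 7748 section 6.1)."""
    s = x25519(priv, peer_pub)
    if s == bytes(32):
        raise ValueError("peer public value has small order; abort the handshake")
    return s


def derive_bound_key(shared: bytes, client_pub: bytes, server_pub: bytes) -> bytes:
    """Hash both public values into the derived key (label/layout are assumptions)."""
    return hashlib.sha256(b"x25519-bound|" + shared + client_pub + server_pub).digest()


def forced_secrets(evil_pub: bytes):
    """An attacker sends the same small-order point to two honest parties A and B.

    Returns (raw_a, raw_b, bound_a, bound_b): the raw outputs coincide (both zero),
    the bound keys do not, because each party's own ephemeral public value differs.
    """
    a_priv, b_priv = os.urandom(32), os.urandom(32)
    a_pub, b_pub = x25519(a_priv, BASEPOINT), x25519(b_priv, BASEPOINT)
    raw_a, raw_b = x25519(a_priv, evil_pub), x25519(b_priv, evil_pub)
    # A is a client talking to the attacker; B is a server talking to the attacker.
    bound_a = derive_bound_key(raw_a, a_pub, evil_pub)
    bound_b = derive_bound_key(raw_b, evil_pub, b_pub)
    return raw_a, raw_b, bound_a, bound_b


def rfc7748_vectors_ok() -> bool:
    """Sanity check of the ladder against the RFC 7748 section 6.1 test vectors."""
    a_priv = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
    b_priv = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
    a_pub, b_pub = x25519(a_priv, BASEPOINT), x25519(b_priv, BASEPOINT)
    shared = "4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742"
    return (a_pub.hex() == "8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a"
            and b_pub.hex() == "de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f"
            and x25519(a_priv, b_pub).hex() == shared
            and x25519(b_priv, a_pub).hex() == shared)


if __name__ == "__main__":
    assert rfc7748_vectors_ok()
    for pt in SMALL_ORDER_POINTS:
        raw_a, raw_b, bound_a, bound_b = forced_secrets(pt)
        print(pt.hex()[:8], "raw secrets equal:", raw_a == raw_b == bytes(32),
              "bound keys equal:", bound_a == bound_b)
```

Two things worth keeping apart when reading the output. The check in `shared_secret_checked` stops the handshake outright, but only if every implementation performs it, which is the objection in the reply. Hashing the public values in does not hide the key from the attacker who forced the raw secret (the attacker knows every input to the hash); what it guarantees is that two connections with different honest ephemerals cannot be steered to the same key material, which is the contributory property a TLS 1.2 handshake without session hash is relying on.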