On Wed, Dec 30, 2015 at 09:16:12PM -0500, Watson Ladd wrote:
> On Wed, Dec 30, 2015 at 7:47 PM, Brian Smith <br...@briansmith.org> wrote:
> > Watson Ladd <watsonbl...@gmail.com> wrote:
> >
> > Actually, because the check for non-zero result can/should/is in the
> > X25519/X448 functions themselves, the check for non-zero result is the least
> > likely of all these possible solutions to be omitted. And, it is also the
> > easiest to test.
> 
> Failure to compute H(A, B, X25519(a, B)) would result in an
> interoperability failure with any other implementation of this
> ciphersuite. By contrast a zero check will not be exercised by basic
> interoperability testing, nor would mandatory use of session hash.

Actually, I figured out an attack. Which also breaks my original scheme
(except in one rare case).


A hack to break that attack would be to zero-pad the hash output to
minimum of 48 bytes and then to append (prepending won't work)
something nonzero (e.g. the group id, that is 00 29 for X25519 and
00 30 for X448).


-Ilari
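The encoding sketched in the message above, written out as an added example (not code from the thread or from any TLS implementation): the key-exchange hash is zero-padded to at least 48 bytes and the two-byte group id is appended, so the final value always ends in nonzero bytes and has a fixed floor on its length. It also keeps the all-zero check on the raw X25519/X448 output that the earlier replies discuss, since the padding hack does not replace it. The hash function, the sample public keys and the raw shared secret are constructed for illustration; the group ids 29 and 30 are the values the message quotes, sent big-endian in two bytes.

```python
import hashlib

# Group ids as quoted in the message: 29 for X25519, 30 for X448, sent as two bytes.
GROUP_IDS = {"X25519": 29, "X448": 30}
MIN_LEN = 48  # the minimum padded length the message proposes


def is_all_zero(raw_shared: bytes) -> bool:
    """Non-zero check on the raw X25519/X448 output (a low-order point gives all zeros)."""
    return int.from_bytes(raw_shared, "big") == 0


def pad_and_tag(hash_output: bytes, group: str) -> bytes:
    """Zero-pad the hash output to at least MIN_LEN bytes, then APPEND the group id.

    Appending (rather than prepending) is what the message calls for; the tag is
    nonzero, so the encoded value can never be all zeros regardless of the hash.
    """
    gid = GROUP_IDS[group].to_bytes(2, "big")
    padded = hash_output + b"\x00" * max(0, MIN_LEN - len(hash_output))
    return padded + gid


def derive(a_pub: bytes, b_pub: bytes, raw_shared: bytes, group: str,
           hash_name: str = "sha256") -> bytes:
    """H(A, B, X25519(a, B)) followed by the pad-and-tag encoding.

    Assumption: H is plain concatenation into a standard hash; the real
    handshake transcript hash is out of scope here.
    """
    if is_all_zero(raw_shared):
        # Reject before deriving anything from a degenerate shared secret.
        raise ValueError("all-zero X25519/X448 output: abort the handshake")
    h = hashlib.new(hash_name, a_pub + b_pub + raw_shared).digest()
    return pad_and_tag(h, group)


def encoded_length(hash_name: str) -> int:
    """Length of the final encoding for a given hash: max(digest, 48) + 2."""
    return max(hashlib.new(hash_name).digest_size, MIN_LEN) + 2


if __name__ == "__main__":
    # Constructed sample values (not real keys): 32-byte public keys and shared secret.
    a_pub = bytes(range(32))
    b_pub = bytes(range(32, 64))
    shared = bytes([0x5A] * 32)
    out = derive(a_pub, b_pub, shared, "X25519")
    print(out.hex(), len(out))
```

With SHA-256 the hash is 32 bytes, so 16 zero bytes of padding are added and the value ends in the X25519 tag (50 bytes in total); with a 64-byte digest no padding is added and only the tag is appended.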

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
