On Fri, Jan 01, 2016 at 08:22:40PM +0200, Ilari Liusvaara wrote:
> On Thu, Dec 31, 2015 at 08:16:35PM +0000, Blumenthal, Uri - 0553 - MITLL
> wrote:
> > I think Watson made a good point about "omittable checks". If an
> > implementation A "omits" this mechanism, it should fail session
> > establishment.
>
> Well, here is one scheme that I can't break myself and has no checks one
> can just "omit":
>
> PMS = SHA-512(A|B|DHF(a,B)) = SHA-512(A|B|DHF(b,A))
>
> Where a and b are the private keys and A and B are the public keys
> and DHF is X25519 or X448.

And I broke that too...
Really, the only choice without omittable checks nor known security issues is to imply EMS (or another modification to master secret derivation) off the codepoints in TLS 1.0-1.2. That is, if those groups are sent, the key derivation will be EMS, even if the EMS extension was absent (and sending it is a no-op). (If there ever is another key derivation modifying extension, let that specify what the heck to do with those groups).

-Ilari

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
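As an added example that is not part of the thread or of any TLS implementation: the PMS construction Ilari quotes above, PMS = SHA-512(A|B|DHF(a,B)) = SHA-512(A|B|DHF(b,A)) with DHF = X25519, implemented from RFC 7748 in pure Python so both sides of the exchange can be computed and compared offline. It shows only the mechanics the mail describes, both parties arriving at the same value and the two public keys being bound into the derivation (so reordering them changes the PMS); it says nothing about the break Ilari mentions but does not detail. The X25519 key pairs and shared secret are the RFC 7748 section 6.1 test vectors; the function names and the `run_exchange` helper are my own.

```python
"""Added example (not from the mailing-list thread): the quoted
PMS = SHA-512(A | B | DHF(a, B)) construction with DHF = X25519,
implemented from RFC 7748 so it runs offline. The Montgomery ladder
below is variable-time and exists only to illustrate the derivation."""
import hashlib

P = 2**255 - 19   # field prime for Curve25519
A24 = 121665      # (486662 - 2) / 4, the ladder constant from RFC 7748
BASEPOINT = (9).to_bytes(32, "little")

# RFC 7748 section 6.1 test vectors (real, published values).
ALICE_PRIV = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
ALICE_PUB = bytes.fromhex("8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a")
BOB_PRIV = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
BOB_PUB = bytes.fromhex("de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f")
SHARED_K = bytes.fromhex("4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742")


def _decode_scalar(k: bytes) -> int:
    """Clamp a 32-byte private key as RFC 7748 section 5 requires."""
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def _decode_u(u: bytes) -> int:
    """Decode a little-endian u-coordinate, masking the unused top bit."""
    u = bytearray(u)
    u[31] &= 127
    return int.from_bytes(u, "little")


def x25519(k: bytes, u: bytes) -> bytes:
    """Scalar multiplication via the RFC 7748 Montgomery ladder (not constant time)."""
    scalar = _decode_scalar(k)
    x1 = _decode_u(u)
    x2, z2, x3, z3 = 1, 0, x1, 1
    swap = 0
    for t in range(254, -1, -1):
        kt = (scalar >> t) & 1
        swap ^= kt
        if swap:
            x2, x3 = x3, x2
            z2, z3 = z3, z2
        swap = kt
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3 = x3, x2
        z2, z3 = z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def public_key(private: bytes) -> bytes:
    """A = X25519(a, 9), the public key for a clamped private scalar."""
    return x25519(private, BASEPOINT)


def premaster_secret(pub_a: bytes, pub_b: bytes, dh_output: bytes) -> bytes:
    """PMS = SHA-512(A | B | DHF(...)) exactly as quoted in the thread.
    Both public keys are hashed in, so a transcript change alters the PMS."""
    return hashlib.sha512(pub_a + pub_b + dh_output).digest()


def run_exchange(a_priv: bytes, b_priv: bytes):
    """Compute the PMS on both sides; they must agree by DH symmetry."""
    A = public_key(a_priv)
    B = public_key(b_priv)
    pms_a = premaster_secret(A, B, x25519(a_priv, B))   # A's side: DHF(a, B)
    pms_b = premaster_secret(A, B, x25519(b_priv, A))   # B's side: DHF(b, A)
    return pms_a, pms_b


if __name__ == "__main__":
    pa, pb = run_exchange(ALICE_PRIV, BOB_PRIV)
    print("sides agree:", pa == pb)
    print("PMS:", pa.hex())
```

Running the file prints the shared PMS and confirms both sides agree; `premaster_secret(BOB_PUB, ALICE_PUB, SHARED_K)` gives a different digest, which is the binding of the public keys into the derivation that the quoted scheme relies on instead of a separately checkable extension.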