On Jan 9, 2016 2:18 AM, "Ilari Liusvaara" <ilariliusva...@welho.com> wrote:
>
> On Fri, Jan 01, 2016 at 08:22:40PM +0200, Ilari Liusvaara wrote:
> > On Thu, Dec 31, 2015 at 08:16:35PM +0000, Blumenthal, Uri - 0553 - MITLL wrote:
> > > I think Watson made a good point about "omittable checks". If an
> > > implementation A "omits" this mechanism, it should fail session
> > > establishment.
> >
> > Well, here is one scheme that I can't break myself and has no checks one
> > can just "omit":
> >
> > PMS = SHA-512(A|B|DHF(a,B)) = SHA-512(A|B|DHF(b,A))
> >
> > Where a and b are the private keys and A and B are the public keys
> > and DHF is X25519 or X448.
>
> And I broke that too...
>
> Really, the only choice without omittable checks nor known security
> issues is to imply EMS (or another modification to master secret
> derivation) off the codepoints in TLS 1.0-1.2. That is, if
> those groups are sent, the key derivation will be EMS, even if EMS
> extension was absent (and sending it is no-op).
>
> (If there ever is another key derivation modifying extension, let
> that specify what the heck to do with those groups).
Would you mind explaining the attack in more detail? I'm pretty sure that
with at least one honestly generated value the result cannot be controlled.

> -Ilari
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls