On Tue, May 24, 2016 at 9:13 AM, Martin Thomson <martin.thom...@gmail.com> wrote:
>> 3. "The padded sequence number is XORed with the static client_write_iv
>> or server_write_iv, depending on the role." I think the ivs are not needed.
>
> We discussed this at quite some length. I originally took your
> position, but the IVs add an extra layer of safety at very little
> cost.

Is this more safe? Wouldn't this disclose the key in the event that the HKDF and the underlying hash turned out to have some cryptanalytical flaw that meant it wasn't back-tracking resistant? I think otherwise TLS can survive such a flaw because the output of the PRF is not directly discernible on the wire.

--
Colm
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
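The nonce construction the thread is debating, as an added example that is not part of this thread or of any TLS implementation: it derives a write_iv with HKDF-Expand-Label (the RFC 8446 label encoding is assumed here; the draft labels at the time of this message differed), builds each record nonce as the zero-padded 64-bit sequence number XORed with the static write_iv, and checks that nonces stay unique and that the sequence number is refused once it would wrap. The traffic secret is a constructed value, not a real key.

```python
import hashlib
import hmac
import struct

# Constructed traffic secret for this example only (not a real key).
TRAFFIC_SECRET = bytes(range(32))
IV_LEN = 12  # AES-GCM / ChaCha20-Poly1305 nonce length used by TLS 1.3


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand using HMAC-SHA-256."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def hkdf_expand_label(secret: bytes, label: str, context: bytes, length: int) -> bytes:
    """TLS 1.3 HKDF-Expand-Label (RFC 8446 encoding assumed):
    HkdfLabel = uint16 length || opaque "tls13 " + label || opaque context."""
    full_label = b"tls13 " + label.encode()
    hkdf_label = (struct.pack(">H", length) + bytes([len(full_label)]) + full_label
                  + bytes([len(context)]) + context)
    return hkdf_expand(secret, hkdf_label, length)


def derive_write_iv(traffic_secret: bytes) -> bytes:
    """The static client_write_iv / server_write_iv for one direction."""
    return hkdf_expand_label(traffic_secret, "iv", b"", IV_LEN)


def record_nonce(write_iv: bytes, seq: int) -> bytes:
    """Per-record nonce: the 64-bit sequence number, left-padded with zeros to
    the IV length, XORed with the static write_iv. The sequence number is never
    sent on the wire; both sides track it implicitly."""
    if not 0 <= seq < 2 ** 64:
        # A wrapped sequence number would repeat a nonce under the same key,
        # so an endpoint must update keys or close before reaching this point.
        raise ValueError("sequence number exhausted; rekey before wrap-around")
    padded = seq.to_bytes(IV_LEN, "big")
    return bytes(a ^ b for a, b in zip(padded, write_iv))


def nonces_unique(write_iv: bytes, seqs) -> bool:
    """Defensive check: no two records under one key may share a nonce."""
    nonces = [record_nonce(write_iv, s) for s in seqs]
    return len(set(nonces)) == len(nonces)
```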