On Tue, May 24, 2016 at 10:44:15AM -0700, Colm MacCárthaigh wrote:
> On Tue, May 24, 2016 at 9:13 AM, Martin Thomson <martin.thom...@gmail.com>
> wrote:
> > > 3. "The padded sequence number is XORed with the static client_write_iv
> > > or server_write_iv, depending on the role." I think the IVs are not needed.
> >
> > We discussed this at quite some length. I originally took your
> > position, but the IVs add an extra layer of safety at very little
> > cost.
>
> Is this more safe? Wouldn't this disclose the key in the event that the
> HKDF and the underlying hash turned out to have some cryptanalytical flaw
> that meant it wasn't back-tracking resistant? I think otherwise TLS can
> survive such a flaw because the output of the PRF is not directly
> discernible on the wire.
It seems like failing backtracking resistance would need really major breakage in the PRF hash. And the whole of TLS will fall apart pretty badly WAY before that point with a broken PRF.

-Ilari

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
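The construction the thread is arguing about, as an added worked example that is not part of the mailing-list exchange and not IETF or implementation code: the sender's write_key and write_iv are derived from a traffic secret with HKDF-Expand-Label, and the per-record nonce is the 64-bit record sequence number left-padded to iv_length and XORed with the static write_iv (RFC 8446 sections 5.3 and 7.1, the published form of the draft text Martin quotes). The traffic secret below is a constructed stand-in, not real key material; the HKDF-Expand known-answer check uses RFC 5869 test case 1. Note that the nonce itself is never transmitted: each peer rebuilds it from its own record counter, which is why the IV's value is not "directly discernible on the wire" either.

```python
"""TLS 1.3 per-record nonce construction (RFC 8446 sections 5.3 and 7.1).

Added example for the thread above; not code from the thread or the IETF.
The traffic secret used in __main__ is a constructed value, not real key material.
"""
import hashlib
import hmac
import struct
from typing import Tuple

HASH = hashlib.sha256   # hash of TLS_AES_128_GCM_SHA256
KEY_LEN = 16            # AES-128 key length
IV_LEN = 12             # AEAD nonce length for AES-GCM in TLS 1.3


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869 section 2.3) over HMAC-SHA256."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """HKDF-Expand-Label (RFC 8446 section 7.1).

    HkdfLabel = uint16 length || opaque label<7..255> || opaque context<0..255>,
    where the label carries the "tls13 " prefix.
    """
    full_label = b"tls13 " + label
    hkdf_label = (
        struct.pack("!H", length)
        + bytes([len(full_label)]) + full_label
        + bytes([len(context)]) + context
    )
    return hkdf_expand(secret, hkdf_label, length)


def derive_write_key_and_iv(traffic_secret: bytes) -> Tuple[bytes, bytes]:
    """[sender]_write_key and [sender]_write_iv (RFC 8446 section 7.3)."""
    key = hkdf_expand_label(traffic_secret, b"key", b"", KEY_LEN)
    iv = hkdf_expand_label(traffic_secret, b"iv", b"", IV_LEN)
    return key, iv


def record_nonce(write_iv: bytes, sequence_number: int) -> bytes:
    """Per-record AEAD nonce (RFC 8446 section 5.3).

    The 64-bit sequence number is left-padded with zeros to iv_length and
    XORed with the static write_iv. The result is never sent on the wire;
    both peers reconstruct it from their own record counters.
    """
    if not 0 <= sequence_number < 2**64:
        raise ValueError("sequence number must fit in 64 bits")
    padded = sequence_number.to_bytes(len(write_iv), "big")
    return bytes(p ^ i for p, i in zip(padded, write_iv))


def nonces_are_unique(write_iv: bytes, count: int) -> bool:
    """XOR with a fixed IV is a bijection on the padded counter, so the first
    `count` nonces under one key are pairwise distinct (a requirement for GCM)."""
    seen = {record_nonce(write_iv, seq) for seq in range(count)}
    return len(seen) == count


def rfc5869_test_case_1_ok() -> bool:
    """Known-answer check of hkdf_expand against RFC 5869 test case 1."""
    prk = bytes.fromhex("077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5")
    info = bytes.fromhex("f0f1f2f3f4f5f6f7f8f9")
    expected = bytes.fromhex(
        "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865"
    )
    return hkdf_expand(prk, info, 42) == expected


if __name__ == "__main__":
    # Constructed, non-secret stand-in for client_application_traffic_secret_0.
    traffic_secret = hashlib.sha256(b"constructed example traffic secret").digest()
    key, iv = derive_write_key_and_iv(traffic_secret)
    print("write_key", key.hex())
    print("write_iv ", iv.hex())
    for seq in range(3):
        print(f"seq={seq} nonce={record_nonce(iv, seq).hex()}")
```

Running it shows the property both sides of the thread take for granted: the nonce for sequence number 0 is the write_iv itself, and successive nonces differ from the bare counter only by the constant XOR mask, so uniqueness per key comes entirely from the sequence number while the IV keeps the nonce values tied to the traffic secret.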