I've just posted a pull request which slightly adjusts the structure of key derivation. PR#875 adds another Derive-Secret stage to the left side of the key ladder between each pair of HKDF-Extracts. There are two reasons for this:
- Address a potential issue raised by Trevor Perrin where an attacker somehow forces the IKM value to match the label value for Derive-Secret, in which case the output of HKDF-Extract would match the derived secret. This doesn't seem like it should be possible for any of the DH variants we are using, and it's not clear that it would lead to any concrete attack, but in the interest of cleanliness, it seemed good to address.
- Restore Extract/Expand parity, which gives us some flexibility in case we want to replace HKDF.

I don't expect this change to be controversial and I'll merge it on Monday unless I hear objections.

Thanks,
-Ekr
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
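The IKM/label coincidence described in the message, worked through as an added example in Python (not code from the mail, PR#875 or the TLS draft). It assumes SHA-256, the HkdfLabel framing and label strings of RFC 8446 ("tls13 " prefix, "c e traffic", "derived"; the draft under discussion used different label text), and a constructed PSK and ClientHello. The old ladder feeds the same early secret into both Derive-Secret and the next HKDF-Extract as salt, so an IKM equal to the HkdfLabel bytes plus the HKDF-Expand counter byte 0x01 makes HKDF-Extract return exactly the first (and only) block of the early traffic secret. The new ladder inserts Derive-Secret(., "derived", "") first, so the Extract is keyed by a different secret and the coincidence disappears.

```python
import hashlib
import hmac
import struct

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes, so a Derive-Secret output is one HKDF-Expand block


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract: PRK = HMAC-Hash(salt, IKM); empty salt means HashLen zero bytes."""
    if not salt:
        salt = bytes(HASH_LEN)
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand: T(i) = HMAC-Hash(PRK, T(i-1) | info | i)."""
    okm, t, i = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([i]), HASH).digest()
        okm += t
        i += 1
    return okm[:length]


def hkdf_label(label: bytes, context: bytes, length: int) -> bytes:
    """HkdfLabel structure (RFC 8446 framing assumed): uint16 length, opaque label<7..255>, opaque context<0..255>."""
    full_label = b"tls13 " + label
    return (struct.pack("!H", length) + bytes([len(full_label)]) + full_label
            + bytes([len(context)]) + context)


def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    return hkdf_expand(secret, hkdf_label(label, context, length), length)


def derive_secret(secret: bytes, label: bytes, messages: bytes) -> bytes:
    """Derive-Secret(Secret, Label, Messages) = HKDF-Expand-Label(Secret, Label, Hash(Messages), Hash.length)."""
    return hkdf_expand_label(secret, label, HASH(messages).digest(), HASH_LEN)


def old_ladder(psk: bytes, ecdhe: bytes, client_hello: bytes):
    """Pre-PR#875 shape: the early secret is both the Derive-Secret key and the next Extract salt."""
    early = hkdf_extract(b"", psk)
    early_traffic = derive_secret(early, b"c e traffic", client_hello)
    handshake = hkdf_extract(early, ecdhe)
    return early_traffic, handshake


def new_ladder(psk: bytes, ecdhe: bytes, client_hello: bytes):
    """Post-PR#875 shape: an extra Derive-Secret stage sits between the two Extracts."""
    early = hkdf_extract(b"", psk)
    early_traffic = derive_secret(early, b"c e traffic", client_hello)
    derived = derive_secret(early, b"derived", b"")  # the stage the PR adds
    handshake = hkdf_extract(derived, ecdhe)
    return early_traffic, handshake


def coincident_ikm(client_hello: bytes) -> bytes:
    """Constructed IKM that equals the Derive-Secret HkdfLabel plus the expand counter byte 0x01.
    Whether a real DH group could ever produce such a shared secret is exactly the open question
    in the mail; this only shows what would happen to the ladder if it did."""
    return hkdf_label(b"c e traffic", HASH(client_hello).digest(), HASH_LEN) + b"\x01"


def demo() -> dict:
    psk = b"\x11" * 32                               # constructed PSK
    client_hello = b"constructed ClientHello bytes"  # constructed transcript
    ikm = coincident_ikm(client_hello)
    old_t, old_h = old_ladder(psk, ikm, client_hello)
    new_t, new_h = new_ladder(psk, ikm, client_hello)
    return {"old_collides": old_t == old_h, "new_collides": new_t == new_h}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` reports the collision for the old ladder and none for the new one. The Extract/Expand parity point in the message is visible in the same code: after the change, every secret that keys an HKDF-Extract is itself the output of an Expand, so swapping HKDF for another extract-then-expand KDF touches each stage in the same way.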