To recap what I was saying at the microphone earlier today about selfie/reroute issues, there are actually three separate issues.
- A reflection attack where an outside attacker makes the client also act as a server.
- A reroute attack where an outside attacker makes the client talk to another server with the same PSK as the intended server.
- An attack where an inside attacker impersonates another attacker who also has the PSK.

The reflection attack is a special case of the reroute attack. The general solution to the reroute attack is to carry the identities of the communicating endpoints in the handshake [0]; AFAIK it's not necessary to have separate keys, though the current text actually generates distinct keys for each pair as well. It's not a problem to have distinct keys, but it's important to know what piece does what.

However, that doesn't generally solve the third class of attack if the inside attacker is configured with the input key rather than the fanned out pairwise keys.

-Ekr

[0] As John Mattson has pointed out, you can fix just the reflection attack by comparing the random values you have outstanding in each direction.
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
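As an added illustration (not part of the post above), a toy Python model of the three cases the message lists: endpoints that share one input PSK, an optional identity-carrying mode with fanned-out pairwise keys, and the footnote's check against outstanding randoms. The binder construction, key fan-out and message layout are hypothetical stand-ins, not the actual TLS derivation; the point is which check stops which case.

```python
import hashlib, hmac, os

# Constructed input key shared by every endpoint in the group (demo value, not a real secret).
GROUP_PSK = b"constructed-group-psk-for-demo-only"

def pairwise_key(psk, client_id, server_id):
    # Fan the single input key out into a distinct key per (client, server) pair.
    return hmac.new(psk, b"pair|" + client_id + b"|" + server_id, hashlib.sha256).digest()
def binder(key, hello):
    # Hypothetical binder: a MAC over the random plus whichever identities the hello carries.
    msg = hello["random"] + b"|" + hello.get("client", b"") + b"|" + hello.get("server", b"")
    return hmac.new(key, msg, hashlib.sha256).digest()

class Endpoint:
    def __init__(self, ident, psk, carry_ids):
        self.ident, self.psk, self.carry_ids = ident, psk, carry_ids
        self.outstanding = set()  # client randoms we sent and have not yet seen answered
    def client_hello(self, server_id):
        rnd = os.urandom(32)
        self.outstanding.add(rnd)
        hello = {"random": rnd}
        if self.carry_ids:  # reroute fix: name both endpoints in the handshake
            hello.update(client=self.ident, server=server_id)
        key = pairwise_key(self.psk, self.ident, server_id) if self.carry_ids else self.psk
        hello["binder"] = binder(key, hello)
        return hello
    def accept(self, hello):
        # Footnote [0]: a ClientHello carrying a random we issued ourselves is our own, bounced back.
        if hello["random"] in self.outstanding:
            return "reject:reflection"
        if self.carry_ids:
            if hello.get("server") != self.ident:
                return "reject:reroute"  # this hello was addressed to a different server
            key = pairwise_key(self.psk, hello["client"], self.ident)
        else:
            key = self.psk
        if not hmac.compare_digest(binder(key, hello), hello["binder"]):
            return "reject:binder"
        return "accept"

def run_scenarios(carry_ids):
    a, b, c = (Endpoint(i, GROUP_PSK, carry_ids) for i in (b"A", b"B", b"C"))
    hello = a.client_hello(b"B")  # A intends to talk to B
    insider = Endpoint(b"A", GROUP_PSK, carry_ids)  # holds the input key, claims A's identity
    return {
        "normal": b.accept(hello),
        "reflection": a.accept(hello),  # A's own hello bounced back to A
        "reroute": c.accept(hello),  # A's hello delivered to C, which shares the PSK
        "insider": b.accept(insider.client_hello(b"B")),
    }
```

With `carry_ids=False` only the reflection is caught and the reroute to C still succeeds; with `carry_ids=True` both are rejected, while the insider holding the input key is accepted in both modes, matching the message's third point.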