I am glad that someone in the working group is looking at this. However, as I reviewed this before the wg meeting, I was completely puzzled by this text (from section 6.1):
3DH C computes K = H(g^y ^ PrivU || PubU ^ x || PubS ^ PrivU || IdU || IdS ) S computes K = H(g^x ^ PrivS || PubS ^ y || PubU ^ PrivS || IdU || IdS ) Obviously these needs to be the same for an honest client-server pair. I can't see where the above variables are defined in the doc; I would assume that the meanings are: * x, y are the private values from the ephemeral DH operation, and are randomly selected for each exchange. * PrivU, PubU, PrivS, PubS are static values from the Opaque record. However, if that's the case, I can't see how that could work; for one, g^y ^ PrivU and g^x ^ PrivS would be different values, and so differing values would be stirred into the Master Secret. In addition, I can't see how PubU ^ x (where PubU and x would appear to be client specific) could be expected to be the same as PubS ^ y (as both those values would be server specific). What am I missing?
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
