On 3/18/2021 7:35 AM, Christopher Patton wrote:
> I forget, did we need to bind it to the actual handshake secret, or was
> the transcript and ClientHelloInner.random sufficient? That would avoid the
> circular processing dependency.
> As I recall, it was decided to bind the acceptance signal to the handshake
> signal in order to mitigate some specific, active, "don't-stick-out"
> attacks.
The specific suggestion to tie the acceptance signal to the handshake
secret was made I believe to simplify the security analysis. There are a
variety of attacks in which a man in the middle can play games with
specific extensions. Tying the signal to the handshake secret provides a
robust defense against such games, and simplifies the analysis of the
security properties. It also has nice 'don't stick out' properties, but
those are not the only reasons.
-- Christian Huitema
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
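As an added illustration of the design question in the thread (this is not code from the thread, from any TLS draft, or from any library): the example below builds an acceptance signal keyed by ClientHelloInner.random and bound to the handshake transcript, the "transcript and ClientHelloInner.random" option Patton mentions, and shows that a man in the middle who rewrites a ServerHello extension causes the client's recomputed signal to mismatch. The ServerHello encoding is a constructed toy format, the label "ech accept confirmation" and the 8-byte length are assumptions made for this illustration, and the HKDF helpers follow RFC 5869 and RFC 8446 section 7.1.

```python
"""Added example: an ECH-style acceptance signal bound to the transcript.

Not code from the thread or from any TLS draft/library. The message layout is a
constructed toy format; the label and signal length are assumptions.
"""
import hashlib
import hmac
import struct

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size
CONF_LEN = 8                          # assumed size of the acceptance signal
LABEL = b"ech accept confirmation"    # assumed label for this illustration


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract; an empty salt means HashLen zero bytes."""
    return hmac.new(salt or b"\x00" * HASH_LEN, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """TLS 1.3 HKDF-Expand-Label using the HkdfLabel structure of RFC 8446."""
    full_label = b"tls13 " + label
    info = (struct.pack("!H", length) + bytes([len(full_label)]) + full_label
            + bytes([len(context)]) + context)
    return hkdf_expand(secret, info, length)


def transcript_hash(*messages: bytes) -> bytes:
    return HASH(b"".join(messages)).digest()


# Toy ServerHello encoding (constructed for this example, not the TLS wire
# format): one type byte, 32 bytes of random, then the extension bytes. The
# acceptance signal occupies the last CONF_LEN bytes of the random, offsets 25..33.
def build_server_hello(server_random: bytes, extensions: bytes) -> bytes:
    assert len(server_random) == 32
    return b"\x02" + server_random + extensions


def zero_confirmation(server_hello: bytes) -> bytes:
    """The transcript is hashed with the confirmation slot set to zeros."""
    return server_hello[:25] + b"\x00" * CONF_LEN + server_hello[33:]


def accept_confirmation(inner_random: bytes, client_hello_inner: bytes,
                        server_hello_zeroed: bytes) -> bytes:
    """Signal keyed by ClientHelloInner.random and bound to the transcript.

    Only a party that knows ClientHelloInner.random (the client and the server
    that decrypted the ECH payload) can produce it, and any altered byte of
    either message changes it.
    """
    secret = hkdf_extract(b"", inner_random)
    ctx = transcript_hash(client_hello_inner, server_hello_zeroed)
    return hkdf_expand_label(secret, LABEL, ctx, CONF_LEN)


def server_build_hello(inner_random: bytes, client_hello_inner: bytes,
                       server_random_prefix: bytes, extensions: bytes) -> bytes:
    """Server side: compute the signal over the zeroed ServerHello, then embed it."""
    zeroed = build_server_hello(server_random_prefix + b"\x00" * CONF_LEN, extensions)
    conf = accept_confirmation(inner_random, client_hello_inner, zeroed)
    return build_server_hello(server_random_prefix + conf, extensions)


def client_accepts(inner_random: bytes, client_hello_inner: bytes, received: bytes) -> bool:
    """Client side: recompute over its own view of the transcript and compare."""
    expected = accept_confirmation(inner_random, client_hello_inner,
                                   zero_confirmation(received))
    return hmac.compare_digest(received[25:33], expected)


def demo():
    """Honest exchange versus a MITM that rewrites one ServerHello extension byte."""
    inner_random = bytes(range(32))                                  # constructed
    client_hello_inner = b"\x01" + inner_random + b"\x00\x2b\x00\x02\x03\x04"  # constructed
    server_random_prefix = bytes(range(100, 124))                    # 24 bytes, constructed
    extensions = b"\x00\x2b\x00\x02\x03\x04"                         # constructed extension bytes
    honest = server_build_hello(inner_random, client_hello_inner, server_random_prefix, extensions)
    tampered = honest[:-1] + b"\x03"      # MITM changes the last extension byte in transit
    return (client_accepts(inner_random, client_hello_inner, honest),
            client_accepts(inner_random, client_hello_inner, tampered))


if __name__ == "__main__":
    print(demo())
```

The point the example makes is the one Huitema raises: because the signal covers the full transcript, a middlebox cannot add, strip or rewrite extensions without invalidating it, and because it is keyed on ClientHelloInner.random, which an attacker never sees, the middlebox cannot recompute a matching value either. Binding to the handshake secret instead gives the same transcript coverage but makes the signal depend on the key schedule that the signal itself selects, which is the circular processing dependency Patton mentions.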