On Tue, Dec 05, 2023 at 06:24:33PM -0800, Christian Huitema wrote:
>
> Yes. Both are used to compute the "early secret" -- external PSK for the
> initial handshake, resumption PSK in subsequent handshakes. If the secrets
> are "short" and the attacker can use early data as some kind of oracle, then
> the attacker can probably crack the PSK for the initial handshake, or the
> resumption PSK in subsequent handshakes. If the PSK is cracked, it probably
> does not add much effective entropy to the key computed via the [EC]DH + PSK
> combination.

AFAICT, if the PSK is too weak, then the attacker can crack it using the
binder, no need for any early data.

-Ilari

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
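
An added example, not part of the original messages: the TLS 1.3 PSK binder computation from RFC 8446 (sections 4.2.11.2 and 7.1), assuming SHA-256 as the hash associated with the PSK. It shows that the binder depends only on the PSK and on ClientHello bytes an observer sees, so a guess at the PSK can be confirmed offline; the ClientHello bytes, PSK values and the `guess_confirmed` helper are constructed for illustration.

```python
import hashlib
import hmac

HASH = hashlib.sha256          # assumption: the PSK is associated with SHA-256
HASH_LEN = HASH().digest_size

def hkdf_extract(salt, ikm):
    return hmac.new(salt, ikm, HASH).digest()

def hkdf_expand(prk, info, length):
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]

def hkdf_expand_label(secret, label, context, length):
    # HkdfLabel structure from RFC 8446 section 7.1
    full = b"tls13 " + label
    info = (length.to_bytes(2, "big") + bytes([len(full)]) + full
            + bytes([len(context)]) + context)
    return hkdf_expand(secret, info, length)

def psk_binder(psk, truncated_ch, external=True):
    """Binder over the ClientHello truncated just before the binders list."""
    early_secret = hkdf_extract(b"\x00" * HASH_LEN, psk)
    label = b"ext binder" if external else b"res binder"
    binder_key = hkdf_expand_label(early_secret, label, HASH(b"").digest(), HASH_LEN)
    finished_key = hkdf_expand_label(binder_key, b"finished", b"", HASH_LEN)
    return hmac.new(finished_key, HASH(truncated_ch).digest(), HASH).digest()

def guess_confirmed(candidate, truncated_ch, observed_binder):
    # Uses only bytes visible on the wire: no early data, no server round trip.
    return hmac.compare_digest(psk_binder(candidate, truncated_ch), observed_binder)

# Constructed sample values, not taken from a real handshake.
SAMPLE_CH = b"constructed ClientHello bytes up to the binders list"
WEAK_PSK = b"office-wifi"
OBSERVED = psk_binder(WEAK_PSK, SAMPLE_CH)

if __name__ == "__main__":
    print(guess_confirmed(b"office-wifi", SAMPLE_CH, OBSERVED))
    print(guess_confirmed(b"other-guess", SAMPLE_CH, OBSERVED))
```

Every input to `psk_binder` other than the PSK is public, so the PSK's entropy is the only thing standing between an observed ClientHello and a confirmed guess; a PSK generated as random bytes from a CSPRNG leaves nothing practical to enumerate.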