David Benjamin <david...@chromium.org> writes:

> Given that the new client_server_hello_hash fully overlaps with the old
> client_random (totally under the client's control) and then the new params
> overlap with the old server_random (totally under the server's control),
> it's... not immediately obvious to me whether this is fine.
If I'm reading your comment correctly, then I'm not sure how that could be exploitable; an attacker only controls one side, and even if they didn't, to move the signature across from LTS -> TLS you'd have to stuff the entire client and server hello into the client/server_random contained within them in order to get the same hash value. Since this is fixed at 32 bytes, or 64 if you control both client and server, it's not really possible, and going TLS -> LTS is a complete non-starter.

Peter.

_______________________________________________
TLS mailing list -- tls@ietf.org
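To make the field overlap the two messages argue about concrete, here is an added Python model (not code from the thread, the LTS draft or any TLS stack) of the two signed inputs: TLS 1.2 ServerKeyExchange signs client_random || server_random || params, and the LTS layout is assumed, from the thread's description, to sign hash(ClientHello || ServerHello) || params with SHA-256 as the hash. The message bodies and the ECDHE params are constructed placeholders.

```python
import hashlib
import os

RANDOM_LEN = 32  # TLS client_random/server_random are 32 bytes; so is a SHA-256 digest


def tls12_signed_input(client_random: bytes, server_random: bytes, params: bytes) -> bytes:
    """TLS 1.2 ServerKeyExchange: the signature covers client_random || server_random || params."""
    assert len(client_random) == RANDOM_LEN and len(server_random) == RANDOM_LEN
    return client_random + server_random + params


def lts_signed_input(client_hello: bytes, server_hello: bytes, params: bytes) -> bytes:
    """Assumed LTS layout (per the thread): hash(ClientHello || ServerHello) || params.
    SHA-256 is an assumption made for this example."""
    return hashlib.sha256(client_hello + server_hello).digest() + params


def build_client_hello(client_random: bytes, body: bytes = b"<constructed ClientHello fields>") -> bytes:
    """Constructed stand-in for a ClientHello; the client_random is embedded in the message."""
    return b"\x01" + client_random + body


def required_client_random(client_hello: bytes, server_hello: bytes) -> bytes:
    """The only client_random for which a TLS 1.2 signature over
    client_random || server_random || params would also verify as an LTS
    signature over hash(hellos) || (server_random || params)."""
    return hashlib.sha256(client_hello + server_hello).digest()


def tls_signature_reusable_as_lts(client_random: bytes, server_random: bytes, params: bytes,
                                  client_hello: bytes, server_hello: bytes) -> bool:
    """Is the TLS 1.2 signed blob byte-for-byte the LTS signed input? The LTS params field
    starts at offset 32, so it has to absorb server_random || params for the blobs to align."""
    tls_blob = tls12_signed_input(client_random, server_random, params)
    lts_blob = lts_signed_input(client_hello, server_hello, server_random + params)
    return tls_blob == lts_blob


def demo() -> bool:
    """Fresh randoms, as a real handshake would use; returns whether reuse is possible."""
    client_random = os.urandom(RANDOM_LEN)
    server_random = os.urandom(RANDOM_LEN)
    client_hello = build_client_hello(client_random)
    server_hello = b"\x02" + server_random + b"<constructed ServerHello fields>"
    params = b"<constructed ECDHE params>"
    # client_random is itself inside ClientHello, so a match would need
    # sha256(ClientHello(client_random) || ServerHello) == client_random: a hash
    # fixed point the client would have to pick before the ServerHello exists.
    return tls_signature_reusable_as_lts(client_random, server_random, params,
                                         client_hello, server_hello)
```

The 32-byte figure from the message is exactly the width of the slot the hello hash would have to be squeezed into; the check reduces to a preimage condition on client_random rather than anything an attacker controlling one side can arrange.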