________________________________
From: Martin Thomson <[email protected]>
...
> TLS security depends on uniqueness of key shares. In ECDH, it can be
> sufficient for one peer to generate a fresh share. However, a recommendation
> against reuse does not prevent BOTH peers from reusing shares. In that case,
> session transcripts will only be divergent based on
> {Client|Server}Hello.random. The shared secrets will be duplicated between
> connections. This is a bad outcome.
I don't understand this. All secrets derived from ECDH also depend on the (hashed) handshake transcript, including the randoms, so the resulting shared secrets will never be duplicated between connections. What am I missing?

--Ben Schwartz
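To make the disagreement above concrete, here is an added example (not part of the thread) that walks the TLS 1.3 key schedule from RFC 8446 section 7.1 over two connections that share the same ECDH output but have different Hello randoms. It assumes a constructed 32-byte stand-in for the X25519 result and a simplified transcript in which only the randoms vary; it shows which stage of the schedule stays identical and which stages diverge once the transcript hash is mixed in.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = 32


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    # RFC 5869 Extract; an empty salt is a string of HashLen zeros.
    return hmac.new(salt or b"\x00" * HASH_LEN, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


def hkdf_expand_label(secret: bytes, label: str, context: bytes, length: int) -> bytes:
    # HkdfLabel = uint16 length || opaque label<7..255> || opaque context<0..255>
    full_label = b"tls13 " + label.encode()
    hkdf_label = (length.to_bytes(2, "big") + bytes([len(full_label)]) + full_label
                  + bytes([len(context)]) + context)
    return hkdf_expand(secret, hkdf_label, length)


def derive_secret(secret: bytes, label: str, transcript: bytes) -> bytes:
    # Derive-Secret mixes in Transcript-Hash(Messages), which is where the randoms enter.
    return hkdf_expand_label(secret, label, HASH(transcript).digest(), HASH_LEN)


def handshake_secrets(ecdhe_shared: bytes, client_random: bytes, server_random: bytes) -> dict:
    # Simplified stand-in transcript (assumption): real TLS hashes the encoded ClientHello
    # and ServerHello; here the randoms are the only part that differs between connections.
    transcript = b"ClientHello" + client_random + b"ServerHello" + server_random
    early_secret = hkdf_extract(b"", b"\x00" * HASH_LEN)  # no PSK in use
    handshake_secret = hkdf_extract(derive_secret(early_secret, "derived", b""), ecdhe_shared)
    return {
        "handshake_secret": handshake_secret,
        "client_hs_traffic": derive_secret(handshake_secret, "c hs traffic", transcript),
        "server_hs_traffic": derive_secret(handshake_secret, "s hs traffic", transcript),
    }


# Constructed value standing in for the ECDH output, which is the same on every
# connection when both peers reuse their key shares.
REUSED_ECDHE = bytes.fromhex("aa" * 32)


def compare_connections() -> dict:
    # Two connections: same reused ECDH output, fresh (constructed) randoms on each.
    conn1 = handshake_secrets(REUSED_ECDHE, b"\x01" * 32, b"\x02" * 32)
    conn2 = handshake_secrets(REUSED_ECDHE, b"\x03" * 32, b"\x04" * 32)
    return {name: conn1[name] == conn2[name] for name in conn1}


if __name__ == "__main__":
    for name, same in compare_connections().items():
        print(f"{name}: {'identical' if same else 'differs'} across the two connections")
```

Run as written it reports handshake_secret as identical and both handshake traffic secrets as differing: the per-connection secrets are separated by the randoms, while the input to HKDF-Extract (and so the value an attacker would recover from a compromised long-term share) is the same on both connections.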
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]
