Hi Ilari, thanks for the great feedback.

On the exponents reuse point you raised:

From: Uta <uta-boun...@ietf.org> on behalf of Ilari Liusvaara 
<ilariliusva...@welho.com>
> - Section 6.4:
>
> Reusing ECDH exponents is insecure unless one either:
>
> 1) Checks for point validity, or
> 2) Uses Montgomery ladder with twist-secure curve.
>
> Currently the only curves in TLS satisfying 2) are x25519 and x448.
> For any other elliptic curve, reusing exponents without validating
> points is insecure. A few thousand connection attempts at most are
> sufficient for recovering the ECDH private key, which compromises any
> connection that used it.

Please see https://github.com/yaronf/I-D/pull/291

cheers!
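
The point-validity check named as option 1) in the quoted review, as an added example that is not part of the original thread or of the draft under discussion. It assumes NIST P-256 as a representative non-Montgomery TLS curve and the uncompressed SEC1 encoding; the function names are hypothetical.

```python
# Added example: validate a peer's ECDH public key on NIST P-256 before use.
# P-256 has cofactor 1, so a range check plus the curve equation is sufficient;
# the point at infinity cannot be expressed in the 65-byte uncompressed form.
P = 2**256 - 2**224 + 2**192 + 2**96 - 1   # field prime
A = P - 3                                   # curve coefficient a
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5


class InvalidPoint(ValueError):
    """Raised when a peer key share must be rejected."""


def encode_point(x, y):
    """Uncompressed SEC1 encoding: 0x04 || X || Y (helper for the samples)."""
    return b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")


def parse_and_validate_p256(encoded):
    """Return (x, y) for a valid P-256 point, otherwise raise InvalidPoint."""
    if len(encoded) != 65 or encoded[0] != 0x04:
        raise InvalidPoint("expected a 65-byte uncompressed point")
    x = int.from_bytes(encoded[1:33], "big")
    y = int.from_bytes(encoded[33:], "big")
    if x >= P or y >= P:
        raise InvalidPoint("coordinate is not reduced modulo p")
    # y^2 = x^3 + ax + b (mod p): rejects points that lie on a different curve.
    if (y * y - (x * x * x + A * x + B)) % P != 0:
        raise InvalidPoint("point is not on the curve")
    return x, y


def is_valid_key_share(encoded):
    """Boolean wrapper suitable for a handshake 'abort on failure' branch."""
    try:
        parse_and_validate_p256(encoded)
        return True
    except InvalidPoint:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: the base point and a copy with y altered.
    print(is_valid_key_share(encode_point(GX, GY)))
    print(is_valid_key_share(encode_point(GX, GY + 1)))
```

A server that reuses its ECDHE exponent on such a curve would run this check on every received key share and abort the handshake on failure.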