Martin Thomson <martin.thom...@gmail.com> writes:

> On 13 August 2015 at 15:22, David Mazieres
> <dm-list-tcpcr...@scs.stanford.edu> wrote:
>>
>> * Unless and until applications disclose information about the session
>>   ID, all but the first byte MUST be computationally indistinguishable
>>   from random bytes to a network eavesdropper.
>
>
> Don't call out the first byte.  The whole thing is what will matter
> here.  As long as two session IDs are indistinguishable from each
> other, I think that we're OK.

Well, currently the first byte is the particular encryption spec you are
using, and the length of the whole thing is also dependent on the spec.
That's of course open to debate, but currently we can't require any two
session IDs to be indistinguishable.  More fundamentally, though,
comparing session IDs with each other will lead to a much more
complicated security definition for a property that's much harder to use
in other proofs.

Given that specs will almost certainly be generating the session ID from
a PRF like HKDF anyway, why do we need to allow lower-entropy session
IDs?

David

_______________________________________________
Tcpinc mailing list
Tcpinc@ietf.org
https://www.ietf.org/mailman/listinfo/tcpinc
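
The session ID layout discussed in this message (a spec byte in the clear, then PRF output whose length depends on the spec), as an added illustration that is not part of the original message or of any tcpcrypt draft. The spec byte values, lengths, the "session id" label and the transcript input are assumptions made for the example; HKDF follows RFC 5869.

```python
import hashlib
import hmac

# Constructed spec table (assumption, not from any draft):
# spec byte -> (hash name, total session ID length in bytes)
SPECS = {0x21: ("sha256", 33), 0x22: ("sha512", 65)}


def hkdf_extract(hash_name, salt, ikm):
    """RFC 5869 extract step: PRK = HMAC(salt, IKM)."""
    if not salt:
        salt = b"\x00" * hashlib.new(hash_name).digest_size
    return hmac.new(salt, ikm, hash_name).digest()


def hkdf_expand(hash_name, prk, info, length):
    """RFC 5869 expand step: chain HMAC blocks until `length` bytes exist."""
    if length > 255 * hashlib.new(hash_name).digest_size:
        raise ValueError("HKDF output too long")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        okm += block
        counter += 1
    return okm[:length]


def session_id(spec, shared_secret, transcript):
    """Spec byte in the clear, followed by PRF output bound to the transcript."""
    hash_name, total_len = SPECS[spec]
    prk = hkdf_extract(hash_name, b"", shared_secret)
    tail = hkdf_expand(hash_name, prk, b"session id" + transcript, total_len - 1)
    return bytes([spec]) + tail


def header_distinguishes(sid_a, sid_b):
    """True when first byte or length alone tells two session IDs apart."""
    return sid_a[0] != sid_b[0] or len(sid_a) != len(sid_b)


if __name__ == "__main__":
    secret, transcript = b"\x0b" * 32, b"constructed handshake transcript"
    a = session_id(0x21, secret, transcript)
    b = session_id(0x22, secret, transcript)
    print(a.hex(), b.hex(), header_distinguishes(a, b), sep="\n")
```

Two IDs produced under different specs are told apart by the first byte and the length alone, which is why the requirement quoted above exempts the first byte rather than asking for whole IDs to be indistinguishable from each other.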
