On Wed, Dec 30, 2015 at 7:23 PM, Watson Ladd <watsonbl...@gmail.com> wrote:
> On Dec 30, 2015 7:08 PM, "Ilari Liusvaara" <ilariliusva...@welho.com> wrote:
> >
> > On Thu, Dec 31, 2015 at 09:55:10AM +1100, Martin Thomson wrote:
> > > On 30 December 2015 at 22:16, Ilari Liusvaara <ilariliusva...@welho.com> wrote:
> > > >> Would it make sense to have session hash as a requirement in TLS
> > > >> 1.2 when you want to use Curve25519?
> > > >
> > > > I don't think that is reasonable.
> > >
> > > I think that is entirely reasonable. TLS 1.2 relies on contributory
> > > behaviour. 25519 doesn't provide that unless you do some extra
> > > checking that we know many implementations don't do.
> > >
> > > I'd be OK with either requiring session hash, some checking of values,
> > > or both. Otherwise we create a situation where the shared secret can
> > > be forced by an attacker.
> >
> > The draft already has the checks.
> >
> > I also think I figured out a way to truly force contributory behaviour
> > without any checks:
> >
> > It is a bit of a nasty hack: Throw the exchange keys into the PMS, expanding
> > it from 32/56 bytes to 96/168 bytes.
>
> Why not hash the public values into the result of the key exchange? I
> don't want security to depend on omittable checks.

Note that session-hash does this, so it seems best to use session-hash if
you want to adopt this strategy.

-Ekr

> >
> > -Ilari
> >
> > _______________________________________________
> > TLS mailing list
> > TLS@ietf.org
> > https://www.ietf.org/mailman/listinfo/tls
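The three positions in the thread (25519 gives no contributory behaviour without a check, the draft's check, and hashing the public values or the session hash into the key) can be seen directly on a small X25519 implementation. What follows is an added example, not code from the thread, the draft, or any TLS implementation: it is a pure-Python X25519 ladder written from RFC 7748, two constructed client keys, an attacker "server" that sends the low-order point u = 1, and an illustrative key derivation that hashes both public values in the way Watson suggests. The derivation layout (SHA-256 over shared secret and both public values), the function names, and the constructed keys are this example's own assumptions; session-hash in TLS 1.2 binds the full handshake transcript rather than just the two public values.

```python
# Added example (not code from the thread or the draft): pure-Python X25519 per
# RFC 7748, used to show the non-contributory case the thread discusses, the
# all-zero check, and a key derivation that binds both public values.
import hashlib

P = 2**255 - 19
A24 = 121665  # (486662 - 2) / 4 for Curve25519


def _decode_scalar(k: bytes) -> int:
    """RFC 7748 clamping: the scalar becomes a multiple of 8."""
    kb = bytearray(k)
    kb[0] &= 248
    kb[31] &= 127
    kb[31] |= 64
    return int.from_bytes(kb, "little")


def _decode_u(u: bytes) -> int:
    """RFC 7748: mask the top bit, reduce mod p, accept any value."""
    ub = bytearray(u)
    ub[31] &= 127
    return int.from_bytes(ub, "little") % P


def x25519(k: bytes, u: bytes) -> bytes:
    """Montgomery ladder from RFC 7748 section 5. For a peer point of order
    dividing 8 the clamped scalar maps it to infinity and the output is
    all zero whatever k is: the honest party contributes nothing."""
    kk, x1 = _decode_scalar(k), _decode_u(u)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (kk >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def public_key(k: bytes) -> bytes:
    return x25519(k, (9).to_bytes(32, "little"))


def checked_x25519(k: bytes, u: bytes) -> bytes:
    """The kind of check the thread refers to: refuse an all-zero secret."""
    s = x25519(k, u)
    if s == bytes(32):
        raise ValueError("peer sent a low-order point; shared secret is zero")
    return s


def key_unbound(k: bytes, peer_pub: bytes) -> bytes:
    """Key material that depends on the DH output alone."""
    return hashlib.sha256(x25519(k, peer_pub)).digest()


def key_bound(k: bytes, peer_pub: bytes, client_pub: bytes, server_pub: bytes) -> bytes:
    """Hash both public values into the result (Watson's suggestion; session
    hash has the same effect via the transcript). Layout is this example's own."""
    return hashlib.sha256(x25519(k, peer_pub) + client_pub + server_pub).digest()


def demo() -> dict:
    """Two honest clients (constructed keys) talk to a server that sends the
    order-4 point u = 1. Returns what each approach observes."""
    priv1 = hashlib.sha256(b"example client 1").digest()  # constructed, not a real key
    priv2 = hashlib.sha256(b"example client 2").digest()  # constructed, not a real key
    pub1, pub2 = public_key(priv1), public_key(priv2)
    evil = (1).to_bytes(32, "little")  # u = 1: order-4 point on Curve25519
    try:
        checked_x25519(priv1, evil)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "raw_secret_is_zero": x25519(priv1, evil) == bytes(32) == x25519(priv2, evil),
        "check_rejected": rejected,
        # without binding, the attacker forces the same key on both clients
        "unbound_keys_collide": key_unbound(priv1, evil) == key_unbound(priv2, evil),
        # with binding, each client's own public value still shapes the key
        "bound_keys_collide": key_bound(priv1, evil, pub1, evil) == key_bound(priv2, evil, pub2, evil),
    }
```

Run `demo()`: the raw secret is all zero for both clients, so without a check the attacker has forced two independent connections onto the same key material, which is exactly the "shared secret can be forced by an attacker" case. The all-zero check stops the handshake outright; the bound derivation does not stop it (the attacker still knows the resulting keys), but the key can no longer be chosen independently of the honest peer's public value, which is the contributory property the thread wants. Both are worth having: the check because it is cheap, the binding because, as Watson notes, it does not depend on every implementation remembering to do the check.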