https://tools.ietf.org/html/draft-gutmann-tls-lts-01#section-3.2
> TLS-LTS adds a hash of the domain parameters into the master secret
> to protect against the use of manipulated curves/domain parameters:
>
> o TLS-LTS implementations MUST include a SHA-256 hash of the EDH or
>   ECDH parameters in the master secret computation by concatenating
>   the hash to the pre_master_secret value. In the case of EDH, the
>   value that's hashed is the ServerDHParams structure. In the case
>   of ECDH the value that's hashed is the ServerECDHParams structure.
>   This means that the master_secret computation becomes:
>
>   master_secret = PRF(pre_master_secret || param_hash, "master secret",
>                       ClientHello.random + ServerHello.random)
>                       [0..47];

It would be a lot simpler, safer, and interoperable to just mandate use of
the Extended Master Secret Extension [RFC 7627].

https://tools.ietf.org/html/rfc7627

Dave

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
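The two derivations contrasted above are easy to compare side by side. The following is an added example, not code from the TLS-LTS draft, RFC 7627 or any TLS implementation: it implements the TLS 1.2 PRF from RFC 5246 with SHA-256, then derives a master secret the classic RFC 5246 way, the TLS-LTS way (SHA-256 of ServerDHParams concatenated to the pre_master_secret) and the RFC 7627 way (session hash of the handshake transcript as the PRF seed). The pre_master_secret, the two randoms and the handshake transcript are constructed sample values, and the transcript is a simplified stand-in for the real handshake messages; the pre_master_secret is deliberately held fixed across the honest and tampered ServerDHParams so that the only question asked is whether each derivation binds the parameters at all.

```python
"""Compare how three TLS 1.2 master-secret derivations bind the DH parameters.

Added illustration, not code from draft-gutmann-tls-lts or RFC 7627.
"""
import hashlib
import hmac


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 data expansion from RFC 5246 section 5.

    A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    P_hash = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ...
    """
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int = 48) -> bytes:
    """TLS 1.2 PRF: P_SHA256(secret, label + seed), truncated to `length`."""
    return p_sha256(secret, label + seed, length)


def server_dh_params(p: bytes, g: bytes, ys: bytes) -> bytes:
    """Encode ServerDHParams as on the wire: three opaque<1..2^16-1> fields."""
    def opaque16(b: bytes) -> bytes:
        return len(b).to_bytes(2, "big") + b
    return opaque16(p) + opaque16(g) + opaque16(ys)


def classic_master_secret(pms: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """RFC 5246: only pre_master_secret and the two randoms feed the derivation."""
    return prf(pms, b"master secret", client_random + server_random)


def lts_master_secret(pms: bytes, params: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """TLS-LTS draft: SHA-256(ServerDHParams) is appended to the pre_master_secret."""
    param_hash = hashlib.sha256(params).digest()
    return prf(pms + param_hash, b"master secret", client_random + server_random)


def ems_master_secret(pms: bytes, handshake_messages: bytes) -> bytes:
    """RFC 7627: the session hash of the whole transcript replaces the randoms as seed."""
    session_hash = hashlib.sha256(handshake_messages).digest()
    return prf(pms, b"extended master secret", session_hash)


def derive_all(pms: bytes, client_random: bytes, server_random: bytes,
               params: bytes, transcript: bytes) -> dict:
    return {
        "rfc5246": classic_master_secret(pms, client_random, server_random),
        "tls_lts": lts_master_secret(pms, params, client_random, server_random),
        "rfc7627": ems_master_secret(pms, transcript),
    }


def binding_report(pms: bytes, client_random: bytes, server_random: bytes,
                   honest_params: bytes, tampered_params: bytes) -> dict:
    """For each derivation, report whether swapping ServerDHParams changes the result.

    The pre_master_secret is kept identical for both views on purpose: the point
    is to see which derivation even looks at the parameters.
    """
    def transcript(params: bytes) -> bytes:
        # Constructed stand-in for the handshake bytes a real session hash covers.
        return (b"ClientHello" + client_random + b"ServerHello" + server_random
                + b"ServerKeyExchange" + params + b"ClientKeyExchange")

    honest = derive_all(pms, client_random, server_random, honest_params, transcript(honest_params))
    tampered = derive_all(pms, client_random, server_random, tampered_params, transcript(tampered_params))
    return {name: honest[name] != tampered[name] for name in honest}


def sample_report() -> dict:
    """Run the comparison on constructed sample values (not real handshake data)."""
    pms = bytes(range(48))
    client_random = b"\x11" * 32
    server_random = b"\x22" * 32
    honest = server_dh_params(b"\xff" * 32, b"\x02", b"\x0a" * 32)
    tampered = server_dh_params(b"\xff" * 31 + b"\xfe", b"\x02", b"\x0a" * 32)
    return binding_report(pms, client_random, server_random, honest, tampered)


if __name__ == "__main__":
    for name, binds in sample_report().items():
        print(f"{name:8s} changes with ServerDHParams: {binds}")
```

The report comes out with `rfc5246` False and both `tls_lts` and `rfc7627` True: the classic derivation never sees the parameters, while either the draft's concatenated hash or RFC 7627's session hash makes a peer that derived keys over different ServerDHParams end up with a different master secret, so the Finished messages fail. The difference between the two is scope: the TLS-LTS hash covers only the DH or ECDH parameters, whereas the session hash covers every handshake message up to ClientKeyExchange.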