Karthikeyan Bhargavan <karthik.bharga...@gmail.com> writes:

>Adding the handshake hash to the ServerKeyExchange (a la EMS) provides some
>nice protections against downgrade and seems to be worth the effort.

My only real concern with this is that if you've got an API that doesn't allow forking, you're now running three hashes in parallel. Still, for everything else it'd be pretty straightforward: fork once after Server Hello for the Server Keyex sig and a second time after Client Keyex for EMS. So presumably instead of hashing the bare nonces for the keyex sig you'd hash the entire hello message that contains them?

>Of course, for all of these LTS improvements, we need to assume that the LTS
>extension itself cannot be deleted by the attacker. That is, we’d assume that
>the client or server supports *only* LTS mode. Otherwise, we’d have to look
>closer to eliminate other downgrade attacks.

There's an SCSV-shaped hole in the draft for that :-).

Peter.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls