On Tue, May 5, 2020 at 10:55 AM Felix Günther <m...@felixguenther.info>
wrote:

>   4) I slightly disagree with "epochs determine the key" (true) as, what
> I understand is, an argument that "the full epoch is implicitly
> authenticated by using the right key", at least in its absoluteness. My
> *guess* would be that, due to the key schedule, this argument comes down
> to the probability of keys colliding (which is anyway to be avoided, so
> probably fine). Still, from a security analysis point of view, showing
> security with key updates might be easier if the (full) epoch was
> authenticated as part of the AAD.
>

Actually, the full epoch is included in the overall sequence number and
hence used to generate the nonce.

https://tools.ietf.org/html/draft-ietf-tls-dtls13-37#section-4

Does that help?

-Ekr
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
