On 09/12/2013 03:15 AM, Perry E. Metzger wrote:
On Wed, 11 Sep 2013 20:01:28 -0400 Jerry Leichter <[email protected]>
wrote:
...Note that if you still transmit the IVs, a misimplemented
client could still interoperate with a malicious counterparty
that did not use the enforced method for IV calculation. If you
don't transmit the IVs at all but calculate them, the system will
not interoperate if the implicit IVs aren't calculated the same
way by both sides, thus ensuring that the covert channel is
closed.

IMO going through hoops to try to avoid covert channels is not worth our time. Both IPsec and TLS have a huge capacity for covert channels at the handshake (or key exchange) level, certainly enough to leak the *previous* session state. So plugging the per-record (per packet) holes is not interesting.

These are living protocols, and extensions create an infinite amount of redundancy. If you try to eliminate covert channels you need to freeze the protocol and engineer it specifically for that purpose. This may be right for a project like Tor, but not for a general purpose protocol.

Thanks,
        Yaron
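To make the quoted point concrete, here is an added example (not code from this thread, nor from IPsec or TLS) contrasting a receiver that takes the IV from the wire with one that derives it from session state; the toy encrypt-then-MAC record format, the HMAC-SHA256 IV derivation and the fixed keys are all assumptions made for the demonstration.

```python
import hashlib
import hmac

# Constructed session state shared by both ends (not from any real protocol).
ENC_KEY = b"\x01" * 32
MAC_KEY = b"\x02" * 32
IV_SECRET = b"\x03" * 32


def derive_iv(iv_secret: bytes, seq: int) -> bytes:
    """Implicit IV: derived from session state and the record sequence number,
    so the sender has no free IV bits to choose (assumed KDF: HMAC-SHA256)."""
    return hmac.new(iv_secret, seq.to_bytes(8, "big"), hashlib.sha256).digest()[:16]


def _keystream(key: bytes, iv: bytes, n: int) -> bytes:
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, iv + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]


def seal(iv: bytes, seq: int, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC record; the tag binds seq, IV and ciphertext."""
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(ENC_KEY, iv, len(plaintext))))
    tag = hmac.new(MAC_KEY, seq.to_bytes(8, "big") + iv + ct, hashlib.sha256).digest()
    return ct + tag


def open_record(iv: bytes, seq: int, record: bytes):
    """Returns the plaintext, or None if the tag does not verify under this IV."""
    ct, tag = record[:-32], record[-32:]
    expect = hmac.new(MAC_KEY, seq.to_bytes(8, "big") + iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(ENC_KEY, iv, len(ct))))


def recv_explicit_iv(seq: int, wire_iv: bytes, record: bytes):
    """Explicit-IV receiver: accepts whatever IV arrived on the wire."""
    return open_record(wire_iv, seq, record)


def recv_implicit_iv(seq: int, record: bytes):
    """Implicit-IV receiver: there is no IV field, it derives the IV itself."""
    return open_record(derive_iv(IV_SECRET, seq), seq, record)


def demo():
    msg, seq = b"hello", 7
    own_iv = b"\xaa" * 16  # constructed: a sender ignoring the mandated derivation
    explicit_ok = recv_explicit_iv(seq, own_iv, seal(own_iv, seq, msg)) == msg
    honest_ok = recv_implicit_iv(seq, seal(derive_iv(IV_SECRET, seq), seq, msg)) == msg
    deviant_ok = recv_implicit_iv(seq, seal(own_iv, seq, msg)) == msg
    return explicit_ok, honest_ok, deviant_ok  # -> (True, True, False)
```

With the explicit field the receiver interoperates with any IV the sender chose; with the implicit derivation a sender that deviates simply fails authentication, which is the "will not interoperate" property the quoted text relies on.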
_______________________________________________
The cryptography mailing list
[email protected]
http://www.metzdowd.com/mailman/listinfo/cryptography