Re: [TLS] Adoption call for Deprecating FFDH(E) Ciphersuites in TLS

2021-08-27 Thread Rob Sayre
On Fri, Aug 27, 2021 at 9:42 AM Filippo Valsorda wrote: > > If a consistent history of directly linked vulnerabilities across major > implementations doesn't show something is unsafe, I don't think there is > progress to be made in the discussion. Blaming the implementers is not > particularly

Re: [TLS] Adoption call for Deprecating FFDH(E) Ciphersuites in TLS

2021-08-27 Thread Rene Struik
Hi Nimrod: All the quoted Raccoon attack (of which you are a coauthor) does is highlight that poorly designed post-processing of a shared key (variable-size bit-string representation) could be used to extract secret info by solving an instance of the hidden number problem. Let us not

Re: [TLS] Adoption call for Deprecating FFDH(E) Ciphersuites in TLS

2021-08-27 Thread Blumenthal, Uri - 0553 - MITLL
A closer look at your referenced CVEs suggests these can be classified as (i) lack of checking for improperly generated DH groups; (ii) exploiting overflow/underflow/carry bugs. To me, nothing seems to be new here and more likely a failure of implementers to heed results and advice predating

Re: [TLS] Adoption call for Deprecating FFDH(E) Ciphersuites in TLS

2021-08-27 Thread Nimrod Aviram
> The implementation guidance to avoid weaknesses in any ephemeral-static exchange is "don't get anything wrong, anything at all" Agreed that it's not workable. I'm not sure there is existing and suitable implementation guidance. To avoid the Raccoon attack, one would have to implement the KDF such

Re: [TLS] Adoption call for Deprecating FFDH(E) Ciphersuites in TLS

2021-08-27 Thread Filippo Valsorda
2021-08-27 17:25 GMT+02:00 Rene Struik : > {officially on vacation till Labor Day, but weighing-in briefly} > > Hi Filippo: > > I had a brief look at the CVEs you referenced and at your Blackhat 2018 > presentation. > > Some observations on your Blackhat 2018 presentation: (a) the attack seems

Re: [TLS] Adoption call for Deprecating FFDH(E) Ciphersuites in TLS

2021-08-27 Thread Rene Struik
{officially on vacation till Labor Day, but weighing-in briefly} Hi Filippo: I had a brief look at the CVEs you referenced and at your Blackhat 2018 presentation. Some observations on your Blackhat 2018 presentation: (a) the attack seems to be a reincarnation of the so-called Goubin attack

[TLS] progressing draft-ietf-tls-md5-sha1-deprecate

2021-08-27 Thread Sean Turner
Hi! While addressing the IoT Directorate comments from IETF LC, some additional comments have been received. I would like to address these new comments and get the I-D in the hands of the IESG. There were three sets of comments: 1) Based on Daniel's and David Benjamin’s reviews, the I-D is not as

Re: [TLS] Adoption call for Deprecating FFDH(E) Ciphersuites in TLS

2021-08-27 Thread Blumenthal, Uri - 0553 - MITLL
Static-ephemeral is not “so unsafe to implement”, not any more than any other mode. It shouldn’t be encouraged, but shouldn’t be killed off either. This is empirically disproved by a number of vulnerabilities that are exploitable (or near-misses for other reasons) only in ephemeral-static

Re: [TLS] Adoption call for Deprecating FFDH(E) Ciphersuites in TLS

2021-08-27 Thread Filippo Valsorda
2021-08-27 15:13 GMT+02:00 Blumenthal, Uri - 0553 - MITLL : >> Thanks for all the discussion on this topic. There are several modes that >> TLS 1.2 can operate with respect to DH. Below is a proposal on cases to >> merge some of the cases covered by this draft into the obsolete keyex draft.

Re: [TLS] Adoption call for Deprecating FFDH(E) Ciphersuites in TLS

2021-08-27 Thread Blumenthal, Uri - 0553 - MITLL
Thanks for all the discussion on this topic. There are several modes that TLS 1.2 can operate with respect to DH. Below is a proposal on cases to merge some of the cases covered by this draft into the obsolete keyex draft. I'd like to see if there is some consensus to make this change before

Re: [TLS] Adoption call for Deprecating FFDH(E) Ciphersuites in TLS

2021-08-27 Thread Filippo Valsorda
2021-08-27 05:08 GMT+02:00 Joseph Salowey : > Thanks for all the discussion on this topic. There are several modes that > TLS 1.2 can operate with respect to DH. Below is a proposal on cases to > merge some of the cases covered by this draft into the obsolete keyex draft. > I'd like to see