Re: [TLS] Closing on keys used for handshake and data messages

On Jun 3, 2016, at 17:54, Joseph Salowey wrote: > > Unfortunately, the TLS record framing is not easily compatible with having > multiple keys used simultaneously: because we encrypt the content type, it is > not possible to use it to determine which key to use to decrypt. We

Re: [TLS] Closing on keys used for handshake and data messages

Hi dkg, sorry for my late response. Let me start by saying that I do not believe that this is really critical; after all, we can prove alternative (1) as well — it’s just less clean and makes the proofs harder to write, read, and verify, which is generally not a good thing for a cryptographic

Re: [TLS] Closing on keys used for handshake and data messages

On Fri 2016-06-03 17:54:53 -0400, Joseph Salowey wrote: >Trial decryption has serious implementation problems >- >Double-encrypting handshake messages in both the handshake key and the >application key does not actually provide the required key separation >- >Separately

Re: [TLS] Closing on keys used for handshake and data messages

On Sat, Jun 04, 2016 at 02:26:00AM -0400, Dave Garrett wrote: > On Friday, June 03, 2016 05:54:53 pm Joseph Salowey wrote: > > Unfortunately, the TLS record framing is not easily compatible with having > > multiple keys used simultaneously: because we encrypt the content type, it > > is not

Re: [TLS] Closing on keys used for handshake and data messages

On Friday, June 03, 2016 05:54:53 pm Joseph Salowey wrote: > Unfortunately, the TLS record framing is not easily compatible with having > multiple keys used simultaneously: because we encrypt the content type, it > is not possible to use it to determine which key to use to decrypt. We > examined a