On Fri, Nov 9, 2018 at 11:10 PM Juliusz Chroboczek <j...@irif.fr> wrote:
> > Offhand, it seems like replays are possible if you allow the possibility
> > of the node crashing and dumping state.
>
> Unless I've missed something -- they are not, assuming you have
> a sufficiently strong random number generator. The challenge mechanism
> rebuilds the shared state in a secure manner, and the index mechanism
> ensures that an (index, seqno) pair is never reused.
I had a really hard time understanding this, even with this help. Right now, I don't know what key is used for HMAC. I think that the expectation is that each peer has a fixed HMAC key, but the contents of the packet always change, thereby ensuring that the resulting MAC is different for every packet. Given how non-intuitive this whole thing is, I would suggest that a formal analysis would be a good idea. Or you could just use DTLS and get things like post-compromise security and nice things like that.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
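The mechanism the quoted reply describes (a fixed per-peer HMAC key, a random index chosen afresh after a crash, a strictly increasing seqno, and a nonce challenge that lets the receiver relearn the sender's state), as an added simulation for readers of this thread; it is not code from either poster or from any draft, and the `reply:` body, the 8-byte index, the 4-byte seqno, the HMAC-SHA256 choice and the shared key are assumptions:

```python
import hmac, hashlib, secrets
def mac(key, index, seqno, body):
    # Fixed per-peer key; index and seqno are under the MAC, so every packet tags differently
    return hmac.new(key, index + seqno.to_bytes(4, "big") + body, hashlib.sha256).digest()
class Sender:
    def __init__(self, key):
        self.key = key
        self.restart()
    def restart(self):
        # Crash / lost state: fresh random index and a reset counter, so no
        # (index, seqno) pair from before the crash is ever produced again.
        self.index, self.seqno = secrets.token_bytes(8), 0
    def send(self, body):
        self.seqno += 1
        return (self.index, self.seqno, body, mac(self.key, self.index, self.seqno, body))

class Receiver:
    def __init__(self, key):
        self.key, self.index, self.seqno, self.nonce = key, None, 0, None
    def challenge(self):
        self.nonce = secrets.token_bytes(16)   # fresh nonce the sender must echo
        return self.nonce
    def accept(self, pkt):
        index, seqno, body, tag = pkt
        if not hmac.compare_digest(tag, mac(self.key, index, seqno, body)):
            return "bad-mac"        # wrong key or altered packet
        if self.nonce is not None and body == b"reply:" + self.nonce:
            # Fresh reply to our challenge: (re)learn the sender's current (index, seqno)
            self.index, self.seqno, self.nonce = index, seqno, None
            return "learned"
        if index != self.index:
            return "challenge"      # unknown index: must challenge before accepting anything
        if seqno <= self.seqno:
            return "replay"         # this (index, seqno) was already accepted
        self.seqno = seqno
        return "ok"

def demo():
    key = b"constructed-shared-key"   # assumed fixed per-peer HMAC key (constructed value)
    s, r = Sender(key), Receiver(key)
    out = [r.accept(s.send(b"update-1"))]                     # unknown index -> challenge
    out.append(r.accept(s.send(b"reply:" + r.challenge())))   # challenge reply -> learned
    p = s.send(b"update-2")
    out += [r.accept(p), r.accept(p)]                         # ok, then replay
    s.restart()                                               # crash: new index, seqno restarts
    out.append(r.accept(s.send(b"update-3")))                 # challenge again
    out.append(r.accept(s.send(b"reply:" + r.challenge())))   # learned
    out.append(r.accept(p))                                   # pre-crash packet: old index -> challenge
    out.append(r.accept((p[0], p[1], p[2], b"\0" * 32)))       # forged tag -> bad-mac
    return out
```

The replayed pre-crash packet is never accepted because its index no longer matches what the receiver learned from the post-crash challenge, which is the property the reply attributes to the index mechanism.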