Hi Hugo,
Following the related sources [1-4], it appears to be - as Eric called
it - a theoretical and futuristic concern. In my understanding, the main
concern was that with the key hierarchy of draft 18:
* the Handshake Secret could collide with binder_key if the attacker
is somehow
See full thread here
https://mailarchive.ietf.org/arch/msg/tls/cS4vdMvENOGdpall7uos9iwZ5OA/
See also how this helped analysis here (search for reference [73]
https://inria.hal.science/hal-01528752v3/file/RR-9040.pdf
On Sat, Dec 16, 2023 at 1:16 PM Muhammad Usama Sardar <
Hi all,
In the key schedule (section 7.1) of RFC8446(bis), what is the rationale
for using /*Derive-Secret(., "derived", "")*/in the derivations of
Handshake and Master Secrets? Since this change was made in draft 19, I
expect there should be some reasoning of why this was added.
On Sun, Sep 20, 2015 at 9:56 PM, Brian Smith wrote:
> On Sun, Sep 20, 2015 at 4:58 PM, Eric Rescorla wrote:
>
>> https://github.com/tlswg/tls13-spec/pull/248
>>
>> Aside from some analytic advantages
>>
>
> What are the analytic advantages?
>
The
On Sun, Sep 20, 2015 at 4:58 PM, Eric Rescorla wrote:
> https://github.com/tlswg/tls13-spec/pull/248
>
> Aside from some analytic advantages
>
What are the analytic advantages?
Also, a question that applied even to the older design: I remember the an
HKDF paper and the HKDF