Re: [TLS] Key Hierarchy TLS 1.3 RFC8446(bis)

Hi Hugo, Following the related sources [1-4], it appears to be - as Eric called it - a theoretical and futuristic concern. In my understanding, the main concern was that with the key hierarchy of draft 18: * the Handshake Secret could collide with binder_key if the attacker is somehow

Re: [TLS] Key Hierarchy TLS 1.3 RFC8446(bis)

See full thread here https://mailarchive.ietf.org/arch/msg/tls/cS4vdMvENOGdpall7uos9iwZ5OA/ See also how this helped analysis here (search for reference [73] https://inria.hal.science/hal-01528752v3/file/RR-9040.pdf On Sat, Dec 16, 2023 at 1:16 PM Muhammad Usama Sardar <

[TLS] Key Hierarchy TLS 1.3 RFC8446(bis)

Hi all, In the key schedule (section 7.1) of RFC8446(bis), what is the rationale for using /*Derive-Secret(., "derived", "")*/in the derivations of Handshake and Master Secrets? Since this change was made in draft 19, I expect there should be some reasoning of why this was added.

Re: [TLS] Key Hierarchy

On Sun, Sep 20, 2015 at 9:56 PM, Brian Smith wrote: > On Sun, Sep 20, 2015 at 4:58 PM, Eric Rescorla wrote: > >> https://github.com/tlswg/tls13-spec/pull/248 >> >> Aside from some analytic advantages >> > > What are the analytic advantages? > ​The

Re: [TLS] Key Hierarchy

On Sun, Sep 20, 2015 at 4:58 PM, Eric Rescorla wrote: > https://github.com/tlswg/tls13-spec/pull/248 > > Aside from some analytic advantages > What are the analytic advantages? Also, a question that applied even to the older design: I remember the an HKDF paper and the HKDF