On 13 August 2015 at 16:42, David Mazieres wrote:
> Martin Thomson writes:
>
>> Don't call out the first byte. The whole thing is what will matter
>> here. As long as two session IDs are indistinguishable from each
>> other, I think that we're OK.
>
> Well, currently the first byte is the particular encryption spec you are
> using, and the length of the whole thing is also dependent on the spec.
> That's of course open to debate, but currently we can't require any two
> session IDs to be indistinguishable. More fundamentally, though,
> comparing session IDs with each other will lead to a much more
> complicated security definition for a property that's much harder to use
> in other proofs.
>
> Given that specs will almost certainly be generating the session ID from
> a PRF like HKDF anyway, why do we need to allow lower-entropy session
> IDs?

I didn't suggest that you reduce entropy. My point was that you are
creating a special carve-out for your current solution. What if you
decide you want *two* bytes of discriminator? My point is that all
you need is to have the session ID as a whole be hard to guess,
synthesize, etc...
