> On 3 Nov 2015, at 4:59 AM, Brian Smith <[email protected]> wrote:
>
> Watson Ladd <[email protected]> wrote:
> For these results a
> sender of 2^60 messages can tolerate 2^60 forgery attempts while the
> probability of forgery is at most 1.002/2^52.
>
> TLS only allows one forgery attempt per connection (thus per key). That is,
> as soon as a TLS implementation fails to verify a record's authentication
> tag, it must shut down the connection. Thus, it would be more useful to state
> the analysis as "Observing X signed records over Y bytes increases the odds
> of the attacker forging the next record to Z."

That is true for TLS, but not for DTLS, so I guess we have to state it both ways.

Yoav
