> On 3 Nov 2015, at 4:59 AM, Brian Smith <br...@briansmith.org> wrote: > > Watson Ladd <watsonbl...@gmail.com <mailto:watsonbl...@gmail.com>> wrote: > For these results a > sender of 2^60 messages can tolerate 2^60 forgery attempts while the > probability of forgery is at most 1.002/2^52. > > TLS only allows one forgery attempt per connection (thus per key). That is, > as soon as a TLS implementation fails to verify a record's authentication > tag, it must shut down the connection. Thus, it would be more useful to state > the analysis as "Observing X signed records over Y bytes increases the odds > of the attacker forging the next record to Z.”
That is true for TLS, but not for DTLS, so I guess we have to state it both ways. Yoav
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls