On Thu, Dec 31, 2015 at 09:55:10AM +1100, Martin Thomson wrote:
> On 30 December 2015 at 22:16, Ilari Liusvaara <ilariliusva...@welho.com> 
> wrote:
> >> Would it make sense to have session hash as a requirement in TLS
> >> 1.2 when you want to use Curve25519?
> >
> > I don't think that is reasonable.
> 
> I think that is entirely reasonable.  TLS 1.2 relies on contributory
> behaviour.  25519 doesn't provide that unless you do some extra
> checking that we know many implementations don't do.
> 
> I'd be OK with either requiring session hash, some checking of values,
> or both.  Otherwise we create a situation where the shared secret can
> be forced by an attacker.

The draft already has the checks.

I also think I figured out a way to truly force contributory behaviour
without any checks:

It is a bit of a nasty hack: Throw the exchange keys into the PMS, expanding
it from 32/56 bytes to 96/168 bytes.


-Ilari

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
