On 12/17/2015 02:11 PM, Eric Rescorla wrote:
>
> On Thu, Dec 17, 2015 at 3:02 PM, Hugo Krawczyk <[email protected]> wrote:
>
> > I have mentioned this in private conversations but let me say this
> > here: I would prefer that the nonces be explicitly concatenated to
> > the handshake hash. That is,
> >
> > handshake_hash = Hash(
> >     client random ||
> >     server random ||
> >     Hash(handshake_messages) ||
> >     Hash(configuration) || )
> >
> > The reason is that nonces are essential for freshness and session
> > uniqueness and I want to see them explicitly included in the
> > signed/mac-ed/KDF-ed information. I can envision a future
> > variant/mode of the protocol where parties do not transmit nonces
> > but have a synchronized state that they advance separately and use
> > as nonces (e.g., for key refreshing) - in such case the nonces
> > would not be included in the handshake-hash computation.
> >
> > So while the redundancy of having them twice in the handshake_hash
> > calculation may be annoying, this adds robustness to the security
> > (and analysis) of the protocol.
>
> This change doesn't make implementation or specification significantly
> more difficult.
> Does anyone else object or feel it makes analysis harder? :)
>
I don't object, but since elsewhere in the thread the possibility of changing the size of or omitting the randoms in the future came up, I will mention the possibility of adding length/framing information and/or labels into the hash input as well as the randoms themselves.

-Ben
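As an added illustration that is not part of the thread: the two hash-input layouts discussed above side by side, the plain concatenation Hugo proposed and a variant that prefixes each input with a label and a length as Ben suggests. SHA-256, the 2-byte length prefix, the label strings and the sample transcript bytes are all assumptions made here; the collision check shows why framing matters if the randoms ever become variable-length.

```python
import hashlib
import struct

# Added example, not code from the TLS WG thread. SHA-256, the label
# strings and the uint16 length prefix are assumptions for illustration.

def handshake_hash_plain(client_random, server_random, messages, configuration):
    """Hash(client_random || server_random || Hash(messages) || Hash(configuration))."""
    h = hashlib.sha256()
    h.update(client_random)
    h.update(server_random)
    h.update(hashlib.sha256(messages).digest())
    h.update(hashlib.sha256(configuration).digest())
    return h.digest()

def _framed(label, data):
    """label || uint16 length || data: field boundaries become unambiguous."""
    return label + struct.pack("!H", len(data)) + data

def handshake_hash_framed(client_random, server_random, messages, configuration):
    """Same inputs, each one labelled and length-prefixed before hashing."""
    h = hashlib.sha256()
    h.update(_framed(b"client random", client_random))
    h.update(_framed(b"server random", server_random))
    h.update(_framed(b"handshake messages", hashlib.sha256(messages).digest()))
    h.update(_framed(b"configuration", hashlib.sha256(configuration).digest()))
    return h.digest()

def collides(hash_fn):
    """Two sessions whose randoms differ only in where the split falls.
    With fixed 32-byte randoms this cannot occur; if their size ever
    becomes variable, plain concatenation cannot tell the sessions apart."""
    messages = b"ClientHello...ServerHello..."   # constructed placeholder transcript
    configuration = b"server configuration"       # constructed placeholder
    a = hash_fn(b"\x11" * 32, b"\x22" * 32, messages, configuration)
    b = hash_fn(b"\x11" * 31, b"\x11" + b"\x22" * 32, messages, configuration)
    return a == b

if __name__ == "__main__":
    print("plain concatenation collides:", collides(handshake_hash_plain))  # True
    print("framed inputs collide:", collides(handshake_hash_framed))         # False
```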
_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls
