> IIRC, in TLS 1.2 the same keys are used after resumption, and EKM values do not change.

Is this correct? EKM mixes in client and server randoms, which are hopefully different in each resumption.

Cheers,

Andrei

From: Bill Cox [mailto:[email protected]]
Sent: Tuesday, July 12, 2016 8:35 AM
To: Douglas Stebila <[email protected]>
Cc: Andrei Popov <[email protected]>; Martin Thomson <[email protected]>; [email protected]
Subject: Re: [TLS] Should exporter keys be updated with post-handshake authentication and/or KeyUpdate?

IIRC, in TLS 1.2 the same keys are used after resumption, and EKM values do not change. I think most applications currently using EKM will break if the EKM values change after a PSK resume. However, forcing TLS 1.3 to remember a 256-bit EKM seed will bloat tickets by 32 bytes, and complicate the state machine.

I think this could partially be addressed by enhancing the custom extension APIs found in popular TLS libraries to enable custom extensions to specify state that needs to be remembered on a resume. That, in combination with requiring extensions to be sent and processed in order of extension number, could enable a lot of this complexity to be taken out of the main TLS code, and only connections that actually need such extensions would see the increase in ticket size.

Could something like this work well for channel binding?

Bill

_______________________________________________ TLS mailing list [email protected] https://www.ietf.org/mailman/listinfo/tls
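
Added example, not part of the thread or of any TLS library: the RFC 5705 exporter computed with the TLS 1.2 PRF (P_SHA256 from RFC 5246), showing where the client and server randoms enter the EKM. The master secret, randoms and the label `EXPORTER-example` are constructed values for illustration.

```python
import hashlib
import hmac
import struct


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_hash from RFC 5246 section 5, instantiated with HMAC-SHA256."""
    out = b""
    a = seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()  # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def tls12_exporter(master_secret, client_random, server_random,
                   label, length, context=None):
    """RFC 5705 section 4: PRF(master_secret, label, seed)[length].

    seed = client_random + server_random [+ uint16(len(context)) + context]
    """
    seed = client_random + server_random
    if context is not None:
        # An empty context is still encoded (as 0x0000), so it differs from None.
        seed += struct.pack("!H", len(context)) + context
    # The TLS 1.2 PRF is P_hash(secret, label + seed).
    return p_sha256(master_secret, label + seed, length)


def demo():
    """EKM for a full handshake and for a resumption of the same session."""
    master_secret = bytes(range(48))   # constructed; carried over on resumption
    label = b"EXPORTER-example"        # hypothetical label
    # Constructed randoms: each handshake, resumed or not, sends fresh ones.
    full = tls12_exporter(master_secret, b"\x01" * 32, b"\x02" * 32, label, 32)
    resumed = tls12_exporter(master_secret, b"\x03" * 32, b"\x04" * 32, label, 32)
    return full, resumed


if __name__ == "__main__":
    full, resumed = demo()
    print("full handshake EKM:", full.hex())
    print("resumed EKM:       ", resumed.hex())
    print("identical:", hmac.compare_digest(full, resumed))
```
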
