> On May 19, 2017, at 4:49 PM, David Benjamin <david...@chromium.org> wrote:
>
> Could you expand on your cryptanalysis? I don't believe this is actually
> leaked. It's addition mod 2^32, not XOR, which means you effectively
> randomize the parent starting time. (It was initially XOR, and then shortly
> changed to addition.) Consider:
>
> initial connection at time t1, issues a ticket with ticket_age_add = x. Let
> t1' = t1 - x.
> Resumption 1 at time t2, offers t1's ticket. The attacker learns t2 - t1 + x
> = t2 - t1'.
> Resumption 2 (or HelloRetryRequest) at time t3, offers t1's ticket. The
> attacker learns t3 - t1 + x = t3 - t1'.
>
> x is uniformly distributed over [0, 2^32), so t1' = t1 - x is as well. This
> is a one-time pad on t1, correctly used only once. x is only ever used to
> encrypt one timestamp, t1.
>
> Of course, the attacker can correlate t2 and t3 by subtracting the two public
> values and checking against the public difference between connections they
> observe. But the ticket's already leaked anyway.
+1. The additive obfuscation leaks nothing that is not already leaked just by
sending the tickets.

-- 
	Viktor.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls