> On May 19, 2017, at 4:49 PM, David Benjamin <david...@chromium.org> wrote:
> 
> Could you expand on your cryptanalysis? I don't believe this is actually 
> leaked. It's addition mod 2^32, not XOR, which means you effectively 
> randomize the parent starting time. (It was initially XOR, and then shortly 
> changed to addition.) Consider:
> 
> initial connection at time t1, issues a ticket with ticket_age_add = x. Let 
> t1' = t1 - x.
> Resumption 1 at time t2, offers t1's ticket. The attacker learns t2 - t1 + x 
> = t2 - t1'.
> Resumption 2 (or HelloRetryRequest) at time t3, offers t1's ticket. The 
> attacker learns t3 - t1 + x = t3 - t1'.
> 
> x is uniformly distributed over [0, 2^32), so t1' = t1 - x is as well. This 
> is a one-time pad on t1, correctly used only once. x is only ever used to 
> encrypt one timestamp, t1.
> 
> Of course, the attacker can correlate t2 and t3 by subtracting the two public 
> values and checking against the public difference between connections they 
> observe. But the ticket's already leaked anyway.

+1.  The additive obfuscation leaks nothing that is not already leaked just by 
sending the tickets.

-- 
        Viktor.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
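To make the argument in the quoted message concrete, here is an added worked model (editor's example, not code from the thread or from any TLS implementation) of the TLS 1.3 `obfuscated_ticket_age = (ticket_age + ticket_age_add) mod 2^32` rule from RFC 8446. It shows the server recovering the true ticket age, a passive observer of two resumptions computing only `t3 - t2`, and, with a small modulus so the whole candidate space can be enumerated, the difference between additive masking (every issue time `t1` remains consistent with the two observations) and the earlier XOR design mentioned in the message (some `t1` values are ruled out). All timestamps, the `ticket_age_add` value and the 256-value modulus are constructed inputs for the demonstration.

```python
"""Model of TLS 1.3 ticket_age_add masking (RFC 8446, section 4.2.11.1).

Added example for this thread, not code from any TLS stack. Ticket ages are
milliseconds; the modulus is a parameter so a test can enumerate the whole
space with a toy value (2**32 in real TLS).
"""
from typing import Callable, List

MOD32 = 1 << 32
Mask = Callable[[int, int, int], int]


def add_mask(age: int, x: int, mod: int = MOD32) -> int:
    """What TLS 1.3 does: ticket_age + ticket_age_add, modulo 2^32."""
    return (age + x) % mod


def xor_mask(age: int, x: int, mod: int = MOD32) -> int:
    """The earlier XOR variant mentioned in the message (mod must be a power of two)."""
    return age ^ x


def obfuscate_ticket_age(ticket_age: int, ticket_age_add: int, mod: int = MOD32) -> int:
    """Client side: the obfuscated_ticket_age field sent in the PreSharedKey extension."""
    return add_mask(ticket_age, ticket_age_add, mod)


def recover_ticket_age(obfuscated: int, ticket_age_add: int, mod: int = MOD32) -> int:
    """Server side: the server knows ticket_age_add (it is carried inside the ticket
    it issued), so it simply subtracts it back out."""
    return (obfuscated - ticket_age_add) % mod


def attacker_difference(obs_a: int, obs_b: int, mod: int = MOD32) -> int:
    """What a passive observer of two resumptions with the same ticket learns:
    (t3 - t1') - (t2 - t1') = t3 - t2. The masked issue time t1' cancels out,
    and t3 - t2 is visible from packet timing anyway."""
    return (obs_b - obs_a) % mod


def consistent_issue_times(t2: int, t3: int, obs2: int, obs3: int,
                           mask: Mask, mod: int) -> List[int]:
    """Brute-force the observer's view: which issue times t1 are consistent with
    observing obs2 at time t2 and obs3 at time t3 for *some* unknown x?
    With additive masking the answer is 'all of them' (no information about t1);
    with XOR masking the two observations together rule some t1 values out."""
    hits = []
    for t1 in range(mod):
        age2, age3 = (t2 - t1) % mod, (t3 - t1) % mod
        if any(mask(age2, x, mod) == obs2 and mask(age3, x, mod) == obs3
               for x in range(mod)):
            hits.append(t1)
    return hits


if __name__ == "__main__":
    # Constructed values: ticket issued at t1, resumed at t2 and t3 (milliseconds).
    x = 0xDEADBEEF           # constructed ticket_age_add (random per ticket in real TLS)
    t1, t2, t3 = 1_000, 41_000, 51_000
    obs2 = obfuscate_ticket_age(t2 - t1, x)
    obs3 = obfuscate_ticket_age(t3 - t1, x)
    print("server recovers ticket age:", recover_ticket_age(obs2, x))
    print("observer learns only t3 - t2:", attacker_difference(obs2, obs3))

    # Toy modulus so the full candidate space can be enumerated.
    mod, x_small = 256, 200
    o2a, o3a = add_mask(40, x_small, mod), add_mask(50, x_small, mod)
    o2x, o3x = xor_mask(40, x_small, mod), xor_mask(50, x_small, mod)
    print("add: t1 candidates left:", len(consistent_issue_times(50, 60, o2a, o3a, add_mask, mod)))
    print("xor: t1 candidates left:", len(consistent_issue_times(50, 60, o2x, o3x, xor_mask, mod)))
```

The enumeration is the point of the example: under additive masking the candidate list for `t1` has exactly `mod` entries, i.e. the pair of observations carries no information about the issue time beyond the already-public `t3 - t2`, which is the "one-time pad on t1" claim in the quoted message. Under XOR, the second observation combined with the first constrains `t1`, because `(t2 - t1) ^ (t3 - t1)` depends on `t1` through the carries of the subtraction.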
