> I'm somewhat dismayed by the firm recommendation to use the HMAC
> mechanism,

Yeah, this could probably be loosened somewhat.

> which doesn't seem particularly robust.

It's designed to be fairly robust. Of course, we may have done things wrong.

> Offhand, it seems like replays are possible if you allow the possibility
> of the node crashing and dumping state.

Unless I've missed something -- they are not, assuming you have a sufficiently strong random number generator. The challenge mechanism rebuilds the shared state in a secure manner, and the index mechanism ensures that an (index, seqno) pair is never reused.

> The same applies during a rollover of the 32-bit counter.

You generate a new index when the counter overflows, and send a new challenge. First point of Section 4.2 of the HMAC draft.

-- Juliusz

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
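A toy model of the (index, seqno) plus challenge scheme discussed in the message above, added here as an illustration; it is not code from the HMAC draft or from the author. The packet layout, the SHA-256 HMAC, the 8-byte random index, the 4-byte counter and the nonce handling are assumptions of the example, chosen to show why a crashed sender or a rolled-over counter does not let an old packet be replayed.

```python
import hashlib
import hmac
import os

# Constructed toy model, not the draft's wire format: the sender authenticates
# (index, seqno, payload); the receiver only trusts a seqno once it has learned
# the sender's current index through a challenge it issued itself.
KEY = b"constructed-shared-key"  # constructed sample key
SEQNO_MAX = 2**32 - 1

def tag(index, seqno, payload, nonce=b""):
    msg = index + seqno.to_bytes(4, "big") + nonce + payload
    return hmac.new(KEY, msg, hashlib.sha256).digest()

class Sender:
    def __init__(self):
        self.index, self.seqno = os.urandom(8), 0  # fresh random index on every (re)start

    def send(self, payload, nonce=b""):
        if self.seqno > SEQNO_MAX:
            self.index, self.seqno = os.urandom(8), 0  # rollover: new index, pair never reused
        pkt = {"index": self.index, "seqno": self.seqno, "payload": payload, "nonce": nonce,
               "tag": tag(self.index, self.seqno, payload, nonce)}
        self.seqno += 1
        return pkt

class Receiver:
    def __init__(self):
        self.known = {}    # sender id -> (index, highest seqno accepted)
        self.pending = {}  # sender id -> nonce of our outstanding challenge

    def challenge(self, who):
        self.pending[who] = os.urandom(8)
        return self.pending[who]

    def receive(self, who, pkt):
        expected = tag(pkt["index"], pkt["seqno"], pkt["payload"], pkt["nonce"])
        if not hmac.compare_digest(pkt["tag"], expected):
            return "bad-mac"
        state = self.known.get(who)
        if state is None or state[0] != pkt["index"]:
            # Unknown index (fresh boot or rollover): only a reply carrying our own
            # fresh nonce installs it, so a replayed old packet cannot establish state.
            if pkt["nonce"] and pkt["nonce"] == self.pending.get(who):
                del self.pending[who]
                self.known[who] = (pkt["index"], pkt["seqno"])
                return "ok"
            return "challenge-needed"
        if pkt["seqno"] <= state[1]:
            return "replay"  # same index, counter did not advance
        self.known[who] = (pkt["index"], pkt["seqno"])
        return "ok"
```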