I'm still struggling to figure out what the exact problem is you're describing or if you have an actual class of attack in mind that might be possible due to this, but the following in your previous email jumped out at me:
On Tue, Nov 9, 2021, at 13:03, Jonathan Hoyland wrote:
> If you include channel bindings in your key derivation then you cannot
> assume that the keys are unrelated.

Is this the crux of the issue you're pointing out? If so, I'd say surely you need to do a formal analysis of a specific key derivation mechanism instead of the data being mixed into it, and you can't (and shouldn't) worry about all future mechanisms.

If a key derivation mechanism is so weak that mixing the same arbitrary string into two keys results in related keys that can be correlated or attacked, this is a weakness in the key derivation function and not something that can be solved by adding more randomness to every possible set of bytes that could ever be hashed into those keys.

In other words: keys should be unpredictable and not leak data used to derive them; if they do, the data is not at fault.

—Sam

_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls
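The point argued above, that mixing the same channel-binding bytes into two key derivations should not make the resulting keys related, is easiest to see against a concrete KDF. The block below is an added illustration for this thread; it is not code from the TLS list, from any IETF document, or from Sam or Jonathan. It implements HKDF (RFC 5869) with Python's standard library, derives two purpose-separated keys from one PRK while mixing the same channel binding into both, and flips one bit of the binding to show that every bit of the mixed-in data is committed to. The label/binding layout inside the `info` string and all sample inputs are constructed for this example and are not a TLS or RFC encoding; the RFC 5869 test vector is real and is used only to check the HKDF implementation itself.

```python
"""HKDF (RFC 5869) with a channel binding mixed into the info string.

Added illustration for the thread above; not code from the TLS list or any
IETF document. The (label, binding) encoding in derive_bound_key and all
sample values in demo() are constructed for this example.
"""
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract: PRK = HMAC-Hash(salt, IKM); an empty salt becomes HashLen zero bytes."""
    if not salt:
        salt = b"\x00" * HASH_LEN
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand: OKM = T(1) | T(2) | ..., truncated to `length` bytes."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF-Expand: requested length too large")
    okm = b""
    t = b""
    counter = 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), HASH).digest()
        okm += t
        counter += 1
    return okm[:length]


def derive_bound_key(prk: bytes, label: bytes, channel_binding: bytes,
                     length: int = 32) -> bytes:
    """Derive a purpose-specific key that also commits to a channel binding.

    The label separates the two keys' purposes; the channel binding is the
    shared "arbitrary string" from the discussion. Length-prefixing both
    fields keeps distinct (label, binding) pairs from colliding into the same
    info string. This encoding is an assumption made for the example.
    """
    if len(label) > 255 or len(channel_binding) > 65535:
        raise ValueError("field too long for its length prefix")
    info = (len(label).to_bytes(1, "big") + label
            + len(channel_binding).to_bytes(2, "big") + channel_binding)
    return hkdf_expand(prk, info, length)


def hamming_distance(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def rfc5869_test_case_1() -> bool:
    """Check Extract/Expand against RFC 5869 test case 1 (SHA-256)."""
    ikm = bytes.fromhex("0b" * 22)
    salt = bytes.fromhex("000102030405060708090a0b0c")
    info = bytes.fromhex("f0f1f2f3f4f5f6f7f8f9")
    prk = hkdf_extract(salt, ikm)
    okm = hkdf_expand(prk, info, 42)
    return (prk.hex() == "077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5"
            and okm.hex() == "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
                             "34007208d5b887185865")


def demo() -> dict:
    """Two keys from one PRK, with the same channel binding mixed into both.

    All inputs are constructed sample values, not real TLS secrets.
    """
    prk = hkdf_extract(b"", bytes(range(32)))  # stands in for a handshake secret
    binding = b"constructed-channel-binding:" + bytes.fromhex("ab" * 32)
    k_client = derive_bound_key(prk, b"client write key", binding)
    k_server = derive_bound_key(prk, b"server write key", binding)
    # Flip one bit of the binding: a key bound to it must change completely.
    flipped = bytearray(binding)
    flipped[-1] ^= 0x01
    k_client_flipped = derive_bound_key(prk, b"client write key", bytes(flipped))
    return {
        "client_key": k_client,
        "server_key": k_server,
        "client_key_flipped_binding": k_client_flipped,
        "client_vs_server_bits": hamming_distance(k_client, k_server),
        "client_vs_flipped_bits": hamming_distance(k_client, k_client_flipped),
    }


if __name__ == "__main__":
    print("RFC 5869 test case 1:", "ok" if rfc5869_test_case_1() else "FAIL")
    for name, value in demo().items():
        print(f"{name}: {value.hex() if isinstance(value, bytes) else value}")
```

Run it directly and compare the two derived keys: they share the PRK and the full channel binding, yet differ in roughly half their bits, and a single flipped bit in the binding changes the client key just as thoroughly. That is the property Sam is relying on; if a KDF failed it, the failure would be in the KDF, not in the bytes fed to it.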
