See full thread here https://mailarchive.ietf.org/arch/msg/tls/cS4vdMvENOGdpall7uos9iwZ5OA/
See also how this helped analysis here (search for reference [73] https://inria.hal.science/hal-01528752v3/file/RR-9040.pdf On Sat, Dec 16, 2023 at 1:16 PM Muhammad Usama Sardar < [email protected]> wrote: > Hi all, > In the key schedule (section 7.1) of RFC8446(bis), what is the rationale > for using *Derive-Secret(., "derived", "")* in the derivations of > Handshake and Master Secrets? Since this change was made in draft 19, I > expect there should be some reasoning of why this was added. Specifically, > what are the security implications if this step is missed, i.e., > > - if Early Secret is directly used as the Salt argument for > HKDF-Extract of Handshake Secret; > - and similarly if Handshake Secret is directly used as the Salt > argument for HKDF-Extract of Master Secret. > > Regards, > > Usama > > _______________________________________________ > TLS mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/tls >
_______________________________________________ TLS mailing list [email protected] https://www.ietf.org/mailman/listinfo/tls
