This whole problem goes away when considering the TLS negotiation from a systems perspective.
Consider the fact that the initiator and responder in a TLS negotiation are connected via a transmission medium with a finite probability of an undetected transmission error. There is only a one-bit checksum on the individual octets, and the QUIC/TCP packet checksum is only 16 bits. [There is also the possibility of a CPU issue, as people mentioned, but that is a game-over issue, while recovering from transmission failures is something much more in scope.] A responder attempting to do a key agreement against a corrupted ephemeral is going to occur far more often than algorithmic decaps failures, and this condition should be indistinguishable as far as the initiator is concerned. Even if there is a way for the responder to distinguish the conditions, it shouldn't.
_______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
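An added illustration of the point made in the message above (example code, not part of the original post or of any TLS implementation): it assumes the 16-bit transport checksum is the RFC 1071 one's-complement Internet checksum and uses a constructed 1024-byte stand-in for an ephemeral key share. It shows that a single bit flip is always caught, but a two-bit error that moves a set bit between two 16-bit words in the same column passes the checksum unchanged, so a corrupted ephemeral can reach the responder undetected.

```python
import random

def internet_checksum(data: bytes) -> int:
    """RFC 1071 16-bit one's-complement checksum (the TCP/UDP header checksum)."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
        total = (total & 0xFFFF) + (total >> 16)   # end-around carry
    return (~total) & 0xFFFF

def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Flip one bit, numbering bits MSB-first from the start of the buffer."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (7 - bit_index % 8)
    return bytes(buf)

def checksum_misses(original: bytes, corrupted: bytes) -> bool:
    """True when the corruption is invisible to the 16-bit transport checksum."""
    return internet_checksum(original) == internet_checksum(corrupted)

def compensating_two_bit_error(data: bytes):
    """Construct a 2-bit corruption the checksum cannot detect: clear a set bit at column c
    in one 16-bit word and set column c in another word, leaving the word sum unchanged."""
    words = [(data[2 * i] << 8) | data[2 * i + 1] for i in range(len(data) // 2)]
    for c in range(16):
        ones = [i for i, w in enumerate(words) if (w >> (15 - c)) & 1]
        zeros = [i for i, w in enumerate(words) if not (w >> (15 - c)) & 1]
        if ones and zeros:
            return flip_bit(flip_bit(data, 16 * ones[0] + c), 16 * zeros[0] + c)
    return None  # all words identical in every column; no compensating pair exists

def undetected_fraction(data: bytes, n_flips: int, trials: int, seed: int = 1) -> float:
    """Monte-Carlo estimate of how often n random bit flips slip past the checksum."""
    rng = random.Random(seed)
    missed = 0
    for _ in range(trials):
        corrupted = data
        for b in rng.sample(range(len(data) * 8), n_flips):
            corrupted = flip_bit(corrupted, b)
        missed += checksum_misses(data, corrupted)
    return missed / trials

# Constructed stand-in for an ephemeral key share carried in a handshake message.
KEY_SHARE = bytes(range(256)) * 4
```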
