Why does TLS have a MAC in the Finished message instead of a HASH if it's encrypted/authenticated already?
Replying to @cryptodavidw @lyon01_david
OTTOMH: Both sides must prove they know output of (EC)DHE op. Deriving a key from it & using it in a standard way is safest way of doing it.
Replying to @BRIAN_____
but they are already using it when encrypting/authenticating the finished message : o
Replying to @cryptodavidw @lyon01_david
Is that true for all (SSL 3.0, TLS 1.0, etc.) cipher suites, though? Not sure. For TLS 1.3 it might be simply "because we always did that."
Replying to @BRIAN_____ @lyon01_david
I briefly worked on a proposal to make it possible to implement TLS w/o HMAC at all, e.g. if you were using AES-CMAC for record protection…
…& I remember noticing that TLS uses HMAC in cases that don't make sense if we're otherwise using AES-CMAC. Would've been an uphill battle.