Why is TLS having a MAC in the Finished message instead of a hash if it's encrypted/authenticated already?
Replying to @cryptodavidw @lyon01_david
OTTOMH: Both sides must prove they know output of (EC)DHE op. Deriving a key from it & using it in a standard way is safest way of doing it.
Replying to @BRIAN_____
but they are already using it when encrypting/authenticating the finished message : o
Replying to @cryptodavidw @lyon01_david
Is that true for all (SSL 3.0, TLS 1.0, etc.) cipher suites, though? Not sure. For TLS 1.3 it might be simply "because we always did that."
Replying to @BRIAN_____ @lyon01_david
Also, I guess you don't have to worry about any kind of known plaintext attack on the finished message when its content is derived from kex.
In general such (pseudo-)randomization should make some proofs easier. You might check if TLS 1.3 security proofs rely on it.
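For reference, an added example that is not part of the thread: the TLS 1.3 Finished computation as specified in RFC 8446 (sections 4.4.4 and 7.1), where `verify_data` is an HMAC over the transcript hash keyed with a `finished_key` derived from the handshake traffic secret. The secrets and transcript bytes are constructed sample values, and SHA-256 is assumed as the cipher-suite hash.

```python
import hashlib
import hmac
import struct

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869) using the suite hash."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """HKDF-Expand-Label (RFC 8446, 7.1): info is the serialized HkdfLabel."""
    full_label = b"tls13 " + label
    info = (struct.pack("!H", length)
            + bytes([len(full_label)]) + full_label
            + bytes([len(context)]) + context)
    return hkdf_expand(secret, info, length)


def finished_verify_data(base_key: bytes, transcript: bytes) -> bytes:
    """verify_data = HMAC(finished_key, Transcript-Hash(handshake messages))."""
    finished_key = hkdf_expand_label(base_key, b"finished", b"", HASH_LEN)
    return hmac.new(finished_key, HASH(transcript).digest(), HASH).digest()


def check_finished(base_key: bytes, transcript: bytes, received: bytes) -> bool:
    """Constant-time comparison of the peer's verify_data with our own."""
    return hmac.compare_digest(finished_verify_data(base_key, transcript), received)


if __name__ == "__main__":
    # Constructed sample values, not taken from a real handshake.
    secret = bytes(range(32))            # stands in for a handshake traffic secret
    transcript = b"ClientHello|ServerHello|EncryptedExtensions|Certificate|CertificateVerify"
    vd = finished_verify_data(secret, transcript)
    print("verify_data     :", vd.hex())
    print("transcript hash :", HASH(transcript).hexdigest())  # computable without any secret
    print("same secret     :", check_finished(secret, transcript, vd))
    print("other secret    :", check_finished(bytes(32), transcript, vd))
    print("altered messages:", check_finished(secret, transcript + b"x", vd))
```

The transcript hash alone can be computed by anyone who saw the handshake messages, while `verify_data` only matches for a party holding the same derived secret and the same transcript.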