There's been some drama in the TLS WG. I wrote it up. https://www.cs.uic.edu/~s/musings/tls13-enterprises/ …
I also think of it as preventing an inadvertent implementation mistake, similar to how implicit nonces do for AEAD.
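The comparison above is to the way TLS 1.3 derives each record's AEAD nonce internally instead of letting the caller supply one. The following is an added example, not code from the thread or from any TLS implementation: it implements the nonce construction of RFC 8446 section 5.3 (the 64-bit record sequence number, left-padded to the IV length and XORed with the write IV) and a check that consecutive records under one key never share a nonce. The IV value is constructed for the demonstration; a real write IV comes from HKDF-Expand-Label.

```python
# Added example (not from the thread): how TLS 1.3 derives its per-record
# AEAD nonce implicitly (RFC 8446, Section 5.3), so no caller ever supplies
# a nonce and a repeated nonce cannot be passed in by mistake.

def tls13_record_nonce(write_iv: bytes, seq_num: int) -> bytes:
    """Return the per-record nonce: write_iv XOR left-padded 64-bit seq_num."""
    if len(write_iv) < 8:
        raise ValueError("iv_length must be at least 8 bytes")
    if not 0 <= seq_num < 2**64:
        # The sequence number is a 64-bit counter; RFC 8446 requires a key
        # update or connection close before it would wrap.
        raise ValueError("sequence number out of range; rekey first")
    padded = seq_num.to_bytes(len(write_iv), "big")
    return bytes(a ^ b for a, b in zip(write_iv, padded))


def all_nonces_distinct(write_iv: bytes, record_count: int) -> bool:
    """Sanity check: records 0..record_count-1 under one key get distinct nonces."""
    seen = {tls13_record_nonce(write_iv, n) for n in range(record_count)}
    return len(seen) == record_count


if __name__ == "__main__":
    # Constructed IV for illustration only; not derived from a real handshake.
    iv = bytes.fromhex("000102030405060708090a0b")
    for n in range(3):
        print(n, tls13_record_nonce(iv, n).hex())
    print(all_nonces_distinct(iv, 1000))
```

Because the nonce is a pure function of the key's write IV and the record counter, the only way to repeat one is to reuse the key past 2^64 records, which the range check refuses; an API that took an explicit nonce argument would leave that invariant to every caller.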
Maybe one could use a NIZK to prove knowledge of PRNG inputs used for DH sk, but who wants to verify a proof each TLS connection?
Not that I want to give anyone ideas, but SHA256(ServerHello.random || exfil_secret) produces a workable ECDH secret key.
(This idea, or the germ of it, is not mine; it was on the TLS list.)