https://github.com/tlswg/tls13-spec
Revision c3902e65affec8123486f137a149da31f15e30c1 authored by Adam Langley on 01 December 2014, 22:21:09 UTC, committed by EKR on 29 December 2014, 16:49:26 UTC
The TLS 1.2 ServerKeyExchange signature never included enough context and it was possible to lift a signature for one ciphersuite into a handshake for a different one. TLS 1.2 only avoided signature repurposing attacks because of luck[1]. Additionally, TLS 1.2 allows an attacker to obtain a signature of a message with a chosen, 32-byte prefix.

Because of this, this change causes TLS 1.3 to include 64 bytes of padding at the beginning of signed messages in order to easily clear the chosen-prefix and also context strings to ensure that signatures cannot be repurposed.

For more context, see https://www.ietf.org/mail-archive/web/tls/current/msg14734.html

[1] https://www.cosic.esat.kuleuven.be/publications/article-2216.pdf
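The construction the commit describes, as an added illustration that is not code from the tls13-spec repository: the exact byte layout (0x20 padding, context string, a 0x00 separator, then the transcript hash) is the form the draft later standardized in RFC 8446 section 4.4.3 and is assumed here, since the commit message only states "64 bytes of padding" and "context strings". The handshake messages and randoms are constructed values.

```python
import hashlib

# Constructed example, not the draft's or repository's own code. Byte layout assumed
# from the later RFC 8446 CertificateVerify input; the commit only fixes the lengths
# and the presence of context strings.
PADDING = b"\x20" * 64
CTX_SERVER = b"TLS 1.3, server CertificateVerify"
CTX_CLIENT = b"TLS 1.3, client CertificateVerify"
HASH_LEN = hashlib.sha256().digest_size  # SHA-256 transcript hash assumed


def transcript_hash(handshake_messages):
    """Hash over the concatenated handshake messages seen so far."""
    return hashlib.sha256(b"".join(handshake_messages)).digest()


def tls13_signature_input(context, thash):
    """Bytes actually signed in TLS 1.3: fixed padding, role context, separator, hash."""
    return PADDING + context + b"\x00" + thash


def tls12_ske_signature_input(client_random, server_random, params):
    """Bytes signed in TLS 1.2 ServerKeyExchange: client_random || server_random || params.
    The first 32 bytes are whatever the ClientHello sender chose (the chosen prefix)."""
    return client_random + server_random + params


def accepts_as_tls13(signed_bytes, expected_context):
    """Verifier-side structural check done before the signature itself is verified:
    the signed bytes must start with the padding and exactly this role's context, so a
    signature made for the other role, or over TLS 1.2 structures, is rejected here."""
    prefix = PADDING + expected_context + b"\x00"
    return signed_bytes.startswith(prefix) and len(signed_bytes) == len(prefix) + HASH_LEN


def demo():
    thash = transcript_hash([b"ClientHello...", b"ServerHello...", b"Certificate..."])
    server_msg = tls13_signature_input(CTX_SERVER, thash)
    client_msg = tls13_signature_input(CTX_CLIENT, thash)
    # A TLS 1.2 ClientHello sender can set its 32-byte random to look like padding, but
    # the next 32 bytes are the honest server's random, so the 64-byte prefix never matches.
    honest_server_random = hashlib.sha256(b"constructed server random").digest()
    ske = tls12_ske_signature_input(b"\x20" * 32, honest_server_random, b"\x03\x00\x17" + b"\x41" * 65)
    return {
        "server_ok": accepts_as_tls13(server_msg, CTX_SERVER),
        "client_as_server": accepts_as_tls13(client_msg, CTX_SERVER),
        "tls12_as_server": accepts_as_tls13(ske, CTX_SERVER),
    }
```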
1 parent 1c897d5
Specify padding and context strings for signatures
File | Mode | Size |
---|---|---|
.gitignore | -rw-r--r-- | 50 bytes |
.travis.yml | -rw-r--r-- | 708 bytes |
CONTRIBUTING.md | -rw-r--r-- | 3.3 KB |
Makefile | -rw-r--r-- | 1.2 KB |
README.md | -rw-r--r-- | 3.6 KB |
SUBMITTING.md | -rw-r--r-- | 673 bytes |
draft-ietf-tls-tls13.md | -rw-r--r-- | 158.9 KB |
upload-draft.py | -rw-r--r-- | 1.0 KB |