document that key exchange signature has enough randomness #736
Comments
themighty1
changed the title
themighty1
changed the title
|
We need to document the findings in the mdbook |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Background:
When the Prover wants to hide the identity of the server, they must make sure that the pre-image of the
handshake hash(which the Verifier learns) has enough entropy so as to prevent the Verifier from brute-forcing the pre-image and learning the server identity.We achieved that earlier by P not revealing
client_randomto V.What changed:
As part of PRF optimization #728 we will be revealing the client_random to the Verifier.
Solution:
We assume that server's signature over the key exchange parameters (see Signature at the bottom of https://tls12.xargs.org/#server-key-exchange) has enough entropy, so as long as it is not revealed to V our original objective holds.
Action:
Investigate if the assumption holds for sig schemes used in TLS.
The digest is recoverable from PKCS#1 v1.5 sig but is not recoverable to a PSS sig based on excerpt from here https://www.encryptionconsulting.com/overview-of-rsassa-pss/
The text was updated successfully, but these errors were encountered: