Re: [TLS] Computation of static secret in anonymous DH

Ilari Liusvaara <> Wed, 17 June 2015 08:25 UTC

Date: Wed, 17 Jun 2015 11:25:29 +0300
From: Ilari Liusvaara <>
To: Douglas Stebila <>
Message-ID: <20150617082529.GA17280@LK-Perkele-VII>

On Wed, Jun 17, 2015 at 07:33:31AM +0000, Douglas Stebila wrote:
> In the DH-based draft of TLS 1.3 (,
> how is the ServerParameters message containing the static secret SS
> constructed in the unauthenticated setting?

There's a much newer version in ekr/tls13-spec#WIP_draft_06
(it seems to have fixed most of the mistakes in the original WIP).

There, for the anonymous setting, SS is seemingly a copy of ES, and
configurations (essentially a replacement for ServerParameters) can't
appear at all (because one needs a certificate to send one).

I can't figure out what to use as the configurations hash part of
the session hash in case there isn't an assumed or negotiated
configuration (some session hashes are seemingly always that
way, especially things like the one used for the handshake key

It also does not say which master key to use for handshake
encryption key derivation. I presume tmp2.

Also, I note that, seemingly, if the configuration private key
gets compromised, one can MITM all sessions using it at
will (it has a finite lifetime, but other than that, I see
no good way to revoke it).