3 Matching Annotations
  1. Mar 2020
    1. Channel binding: Depending on the DH functions, it might be possible for a malicious party to engage in multiple sessions that derive the same shared secret key by setting public keys to invalid values that cause predictable DH output (as in the previous bullet). It might also be possible to set public keys to equivalent values that cause the same DH output for different inputs. This is why a higher-level protocol should use the handshake hash (h) for a unique channel binding, instead of ck, as explained in Section 11.2.
    1. Thus it's an incomplete fix, and the correct solution is binding the transcript.
    2. It's well-understood nowadays that channel binding must cover the session transcript.