denis bider <ietf-ssh3%denisbider.com@localhost> writes:

> Simon -
>
>> A simple approach would be to say that if the MSB is 1,
>> prepend a zero byte. However, the length difference
>> would leak that information.
>
> The length difference might not be much of a problem, since K is never sent.

It shouldn't be difficult to fingerprint (statistically, over many connections) if a remote application performs a hash on X bytes or X+1 bytes. Knowing which leaks the MSB of the derived secret.

I'm inclined to add a security consideration describing this, and allow for the potential of a nice conference paper describing how to exploit this observation. At this point, to fix this (as Damien described) appears less appealing.

/Simon
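The length difference under discussion comes from the SSH mpint rule (RFC 4251, section 5): when the most significant bit of the first byte would be set, a 0x00 byte is prepended, so the encoding of K grows by one byte exactly when the MSB of K is 1. The following added example, written for this page and not code from the thread or from any SSH implementation, encodes K both ways and compares the resulting hash-input lengths for a shared secret whose MSB is set against one whose MSB is clear. The fixed-width encoder is a constructed illustration of a length-independent alternative and is not the fix Damien proposed, which this message does not describe; the group size of 2048 bits is an assumption for the demonstration.

```python
import hashlib

# Added example: SSH mpint encoding versus a fixed-width encoding of K.
# Not from the original thread or any SSH implementation.

def ssh_mpint(value: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (RFC 4251, section 5):
    a uint32 byte count followed by the big-endian two's-complement bytes,
    with a leading 0x00 added when the top bit of the first byte would be set.
    Negative values are not needed for K and are rejected here."""
    if value < 0:
        raise ValueError("only non-negative integers are handled here")
    if value == 0:
        body = b""
    else:
        body = value.to_bytes((value.bit_length() + 7) // 8, "big")
        if body[0] & 0x80:
            body = b"\x00" + body  # this extra byte is what leaks the MSB
    return len(body).to_bytes(4, "big") + body


def fixed_width_mpint(value: int, width: int) -> bytes:
    """Constructed alternative (assumption, not a standard SSH encoding):
    always emit exactly `width` bytes, so the length never depends on K."""
    body = value.to_bytes(width, "big")
    return len(body).to_bytes(4, "big") + body


def sample_secrets(nbits: int):
    """Two constructed secrets of the same group size: one with the MSB of
    the top byte set, one with it clear. Both are the largest/smallest
    values that exercise the boundary, not real key-exchange outputs."""
    msb_set = 1 << (nbits - 1)          # top byte 0x80
    msb_clear = (1 << (nbits - 1)) - 1  # top byte 0x7f
    return msb_set, msb_clear


def hash_input_lengths(nbits: int):
    """Length of the data fed to the exchange hash when K is an mpint,
    for an MSB-set and an MSB-clear secret. Returns (set_len, clear_len);
    the two differ by one byte, which is the X vs X+1 observation."""
    k_set, k_clear = sample_secrets(nbits)
    return len(ssh_mpint(k_set)), len(ssh_mpint(k_clear))


def fixed_width_lengths(nbits: int):
    """Same comparison with the fixed-width encoder: both lengths equal."""
    k_set, k_clear = sample_secrets(nbits)
    width = (nbits + 7) // 8
    return (len(fixed_width_mpint(k_set, width)),
            len(fixed_width_mpint(k_clear, width)))


def exchange_hash_digest(encoded_k: bytes) -> str:
    """Stand-in for the exchange hash: hashing only K here for illustration.
    The digest itself is fine; the concern is the size of the input."""
    return hashlib.sha256(encoded_k).hexdigest()


if __name__ == "__main__":
    print("mpint lengths (MSB set, MSB clear):", hash_input_lengths(2048))
    print("fixed-width lengths:", fixed_width_lengths(2048))
    k_set, _ = sample_secrets(2048)
    print("digest over mpint(K):", exchange_hash_digest(ssh_mpint(k_set)))
```

Running it with a 2048-bit group prints 261 versus 260 bytes for the mpint case and 260 for both with the fixed-width encoder, which is the whole of the signal the message describes: not the value of K, only whether the hash ran over one byte more or one byte less. The RFC 4251 examples (value 9a378f9b2e332a7 encoding as 00 00 00 08 09 a3 78 f9 b2 e3 32 a7, and value 80 as 00 00 00 02 00 80) show the same prepended zero on a small scale.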