Re: [TLS] Comments on TLS identity protection
EKR wrote:
>
> Yes, but TLS explicitly forbids you to negotiate this algorithm
> (i.e., it's only useful for performing the handshake).
>
> TLS_NULL_WITH_NULL_NULL is specified and is the initial state of a
> TLS connection during the first handshake on that channel, but must
> not be negotiated, as it provides no more protection than an
> unsecured connection.
>
> So, it's basically a different way of expressing "do your first
> handshake in the clear".
TLS_NULL_WITH_NULL_NULL does not provide a per-message MAC.
It is sort of a hack for the SSL protocol engine to cover
the initial phase when there is not yet a shared secret.
It is OK to use for the messages of the SSL handshake -- which
do not need a per-message MAC as they're protected by the
full handshake MAC of the Finished messages.
-Martin
_______________________________________________
TLS mailing list
TLS@xxxxxxxxxxxxxx
https://www1.ietf.org/mailman/listinfo/tls
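The point made in the reply above, as an added example that is not part of the original message: handshake messages travel with no per-record MAC, and a modification is caught only when the Finished verify_data is checked against the transcript. It assumes the TLS 1.2 Finished construction from RFC 5246 (the thread does not name a version); the master secret and message byte strings are constructed placeholders, not real TLS encodings.

```python
import hashlib
import hmac


def p_sha256(secret, seed, length):
    """P_hash from RFC 5246 section 5, instantiated with HMAC-SHA256."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()            # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def finished_verify_data(master_secret, label, handshake_msgs):
    """verify_data = PRF(master_secret, label, Hash(handshake_messages))[0..11]."""
    transcript_hash = hashlib.sha256(b"".join(handshake_msgs)).digest()
    return p_sha256(master_secret, label + transcript_hash, 12)


def peer_accepts(master_secret, label, msgs_seen_by_peer, received_verify_data):
    """The receiver recomputes verify_data over the messages *it* saw."""
    expected = finished_verify_data(master_secret, label, msgs_seen_by_peer)
    return hmac.compare_digest(expected, received_verify_data)


# Constructed sample data (assumption): stand-ins for the cleartext handshake
# messages exchanged under TLS_NULL_WITH_NULL_NULL, and a 48-byte master secret.
MASTER_SECRET = bytes(range(48))
LABEL = b"client finished"
CLIENT_VIEW = [
    b"ClientHello:suites=AES256-SHA,AES128-SHA",
    b"ServerHello:suite=AES256-SHA",
    b"ClientKeyExchange",
]
# Same handshake as the server saw it after the unprotected ClientHello was altered in transit.
SERVER_VIEW_TAMPERED = [b"ClientHello:suites=AES128-SHA"] + CLIENT_VIEW[1:]

# The client computes Finished over what it actually sent and received.
CLIENT_FINISHED = finished_verify_data(MASTER_SECRET, LABEL, CLIENT_VIEW)

if __name__ == "__main__":
    print("untampered transcript accepted:",
          peer_accepts(MASTER_SECRET, LABEL, CLIENT_VIEW, CLIENT_FINISHED))
    print("tampered transcript accepted:  ",
          peer_accepts(MASTER_SECRET, LABEL, SERVER_VIEW_TAMPERED, CLIENT_FINISHED))
```

Nothing rejects the altered ClientHello record on arrival; the mismatch surfaces only at the Finished check, which is why the initial handshake can run without a per-message MAC.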