From 56dd7b0f03088dee7cbbf91ee742e06d161c4da7 Mon Sep 17 00:00:00 2001 From: Alicja Kario Date: Fri, 11 Oct 2024 19:04:56 +0200 Subject: [PATCH] document that error checking still needs to be performed --- draft-kwiatkowski-tls-ecdhe-mlkem.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/draft-kwiatkowski-tls-ecdhe-mlkem.md b/draft-kwiatkowski-tls-ecdhe-mlkem.md index ea9ebd0..350b8c0 100644 --- a/draft-kwiatkowski-tls-ecdhe-mlkem.md +++ b/draft-kwiatkowski-tls-ecdhe-mlkem.md @@ -153,6 +153,18 @@ For all groups, the server MUST perform the encapsulation key check described in Section 7.2 of {{FIPS203}} on the client's encapsulation key, and abort with an illegal_parameter alert if it fails. +For all groups, the client MUST perform the ciphertext check described +in Section 7.3 of {{FIPS203}} on the server's encapsulated key, +and abort with an illegal_parameter alert if it fails. + +For all groups, both client and server MUST perform the key share checks +for the classical part, as described in Section 4.2.8.2 of {{!RFC8446}}, +and abort with an illegal_parameter alert if it fails. + +For all groups, both client and server MUST check if the peer's key share +size matches the negotiated groups and abort with an illegal_parameter alert +if it fails. + ### Shared secret For X25519MLKEM768, the shared secret is the concatenation of the ML-KEM @@ -172,6 +184,10 @@ defined in Section 7.4.2 of {{!RFC8446}}. The size of the shared secret is 80 bytes (48 bytes for the ECDH part and 32 bytes for the ML-KEM part). +For all groups, both client and server MUST perform the shared secret +check described in Section 7.4.2 of {{!RFC8446}} and abort the +connection with an illegal_parameter if it fails. + # Security Considerations The same security considerations as those described in {{hybrid}} apply to the approach used by this document.
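Review bot: In the first hunk (after "MUST perform the encapsulation key check ... on the client's encapsulation key"), the new second paragraph says the client checks "the server's encapsulated key", but what the server puts in its key_share is the ML-KEM ciphertext, and the FIPS 203 Section 7.3 input check is a length check on that ciphertext (and on the decapsulation key, which is the client's own). Calling it "ciphertext" here would match the term used for the check itself and avoid confusion with the client's encapsulation key in the preceding paragraph. Two smaller wording points in the same hunk: "MUST perform the key share checks ... and abort ... if it fails" pairs a plural with "it" (suggest "if any of them fails"), and "MUST check if the peer's key share size matches the negotiated groups" reads better as "MUST check that the peer's key share size matches the negotiated group". Note also that the size check in the fourth paragraph overlaps with the ciphertext length check from Section 7.3 in the second; that is harmless, but it may be worth saying the size check covers both the classical and ML-KEM components so the overlap is clearly intentional.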
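Review bot: In the second hunk, "abort the connection with an illegal_parameter if it fails" is missing the word "alert" and uses "abort the connection" where the other new paragraphs say "abort with an illegal_parameter alert"; suggest "abort the handshake with an illegal_parameter alert if it fails" for consistency. Separately, the shared secret check in Section 7.4.2 of RFC 8446 that this paragraph cites is the all-zero output check, which that section states for X25519 and X448; the secp256r1 and secp384r1 groups are covered by the point validation from Section 4.2.8.2 that the first hunk already requires. Since this sentence says "For all groups", consider scoping it to the ECDH part and naming which check applies to which group (all-zero check for the X25519 component, point validation for the secp components), so an implementer of SecP256r1MLKEM768 or SecP384r1MLKEM1024 is not left looking for a check that Section 7.4.2 does not define for those curves.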