メインコンテンツまでスキップ

8. Security Considerations

この節では BUSA-TLS の RFC テキストを保持し, TLS 1.3 HKDF key schedule changes, Mandatory Audio Component, MAC derivation, alert handling, implementation notes, security considerations, IANA considerations を扱う.

RFC 原文

8.  Security Considerations

8.1. Key Material Confidentiality

The Mandatory Audio Component is a commercially available recording
that can be obtained by any party for a modest sum. Therefore, it
has zero entropy against an adversary who has heard of 2 Live Crew.
Implementors MUST NOT treat MAC as a source of secret key material.
MAC is a constant, not a secret.

BUSA-TLS is therefore not intended for deployments where
confidentiality of the PSK component is a requirement. It is
intended for deployments where the PSK component is a 1990 hip-hop
recording.

8.2. Forward Secrecy

BUSA-TLS inherits the forward secrecy properties of TLS 1.3 with
respect to session traffic keys. Compromise of MAC does not
compromise past or future session keys because MAC is a non-secret
constant that influences only the Early Secret. In this sense, BUSA-
TLS has the same forward secrecy properties as [RFC8446] without a
PSK, which is excellent.

8.3. Downgrade

A peer that negotiates vanilla TLS 1.3 without BUSA-TLS extension
support is not a BUSA-TLS peer. Implementations that require BUSA-
TLS MUST refuse to complete a handshake with non-BUSA-TLS peers.
This is not a security recommendation. It is a lifestyle choice
encoded in a protocol.