Re: [TLS] open issues for draft-ietf-tls-chacha20-poly1305-00

2015-08-06 Thread Martin Thomson
On 5 August 2015 at 11:13, Wan-Teh Chang wrote:
> Then, define the ChaChaNonce struct as described in the draft-TLS 1.3.
>
>    struct {
>        opaque nonce[12];
>    } ChaChaNonce;
>
> 1. The 64-bit record sequence number is padded to the left with
> zeroes to 96 bits

Re: [TLS] open issues for draft-ietf-tls-chacha20-poly1305-00

2015-08-05 Thread Wan-Teh Chang
On Tue, Aug 4, 2015 at 10:35 AM, Martin Thomson wrote:
> On 4 August 2015 at 10:24, Wan-Teh Chang wrote:
>> The consistency you want to see seems to be
>> consistency with the AES GCM cipher suites, rather than with TLS 1.2.
>
> Yes, this is correct.
>
> RFC 5288:
> struct {
>

Re: [TLS] open issues for draft-ietf-tls-chacha20-poly1305-00

2015-08-05 Thread Ilari Liusvaara
On Tue, Aug 04, 2015 at 10:35:30AM -0700, Martin Thomson wrote:
>
> As for the wasted bytes, I don't care for that. We will fix that later.

It is not just wasted bytes. It is also increased auditing requirements: Auditing that the nonce generation is sound (e.g. not random). And in constructs

Re: [TLS] open issues for draft-ietf-tls-chacha20-poly1305-00

2015-08-04 Thread Martin Thomson
On 4 August 2015 at 10:24, Wan-Teh Chang wrote:
> The consistency you want to see seems to be
> consistency with the AES GCM cipher suites, rather than with TLS 1.2.

Yes, this is correct.

RFC 5288:
    struct {
        opaque salt[4];
        opaque nonce_explicit[8];

Re: [TLS] open issues for draft-ietf-tls-chacha20-poly1305-00

2015-08-04 Thread David Benjamin
On Tue, Aug 4, 2015 at 12:20 PM Salz, Rich wrote:
> > Personally, I would rather see the nonce construction follow the form
> > defined in the respective TLS version. [DB: Adding back in for context:
> "That means including redundant bytes in TLS 1.2 and only getting the full
> advantage when we

Re: [TLS] open issues for draft-ietf-tls-chacha20-poly1305-00

2015-08-04 Thread Salz, Rich
> Personally, I would rather see the nonce construction follow the form
> defined in the respective TLS version.

Yes, consistency. +1

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

Re: [TLS] open issues for draft-ietf-tls-chacha20-poly1305-00

2015-08-04 Thread Martin Thomson
On 4 August 2015 at 05:37, Nikos Mavrogiannopoulos wrote:
> Is there any support for
> switching these ciphersuites to draft-TLS 1.3 nonce mechanism even for
> TLS 1.2? The alternative is to use the TLS 1.2 mechanism with the
> redundant bytes redacted as the draft is now [1].

Personally, I would

[TLS] open issues for draft-ietf-tls-chacha20-poly1305-00

2015-08-04 Thread Nikos Mavrogiannopoulos
Hi, An open issue for draft-ietf-tls-chacha20-poly1305-00 raised by Eric Rescorla is that this draft doesn't use the draft-TLS 1.3 mechanism for setting the nonce per record [0]. Is there any support for switching these ciphersuites to draft-TLS 1.3 nonce mechanism even for TLS 1.2? The altern