From: Eric Rescorla [mailto:e...@rtfm.com]
Sent: Thursday, October 22, 2015 9:33 AM
To: Adam Langley
Cc: Martin Thomson; tls@ietf.org; Hugo Krawczyk; David McGrew (mcgrew)
Subject: Re: [TLS] Version in record MAC

I'm mostly convinced by this text in RFC 5116:
http://tools.ietf.org/html/rfc5116#section-2.1


   Because the authenticated decryption process
   detects incorrect nonce values, no security failure will result if a
   nonce is incorrectly reconstructed and fed into an authenticated
   decryption operation.  Any nonce reconstruction method will need to
   take into account the possibility of loss or reorder of ciphertexts
   between the encryption and decryption processes.

It would probably be worth checking with the cryptographers in the room.

CCing Hugo and McGrew.

-Ekr

On Mon, Oct 19, 2015 at 5:46 PM, Adam Langley <a...@imperialviolet.org> wrote:
On Monday, October 19, 2015, Martin Thomson <martin.thom...@gmail.com> wrote:
On 19 October 2015 at 11:17, Eric Rescorla <e...@rtfm.com> wrote:
> Yeah, I think that's riding the nonce far too hard.

On what basis?  Any change in the nonce will cause the record
decryption to fail.  That's the property we're looking for here, isn't
it?

I don't believe that there's any reason to include the sequence number in the 
AD input of an AEAD. I think that an empty AD for TLS would be fine now that 
the content type is encrypted. (Not that I deeply care either way.)

Agreed.  Any value that always goes into the nonce doesn’t need to go into the 
AD.

David

Cheers

AGL

--
Adam Langley a...@imperialviolet.org
https://www.imperialviolet.org
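To show the property Martin and the RFC 5116 text rely on in working code, here is an added Go example (not from this thread or any TLS stack) that builds the per-record nonce the way TLS 1.3 eventually standardized it in RFC 8446 section 5.3, static write IV XOR zero-padded sequence number, and authenticates with an empty AD as Adam proposes. The key, write IV and record contents are constructed demo values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// tls13Nonce builds the per-record nonce the way RFC 8446 (section 5.3) does:
// the 64-bit record sequence number, left-padded with zeros to the IV length,
// is XORed into the static write IV. Nothing about it goes on the wire.
func tls13Nonce(writeIV []byte, seq uint64) []byte {
	nonce := make([]byte, len(writeIV))
	binary.BigEndian.PutUint64(nonce[len(nonce)-8:], seq)
	for i := range nonce {
		nonce[i] ^= writeIV[i]
	}
	return nonce
}

// protectRecord seals one record with an empty AD, as proposed in the thread.
func protectRecord(aead cipher.AEAD, writeIV []byte, seq uint64, pt []byte) []byte {
	return aead.Seal(nil, tls13Nonce(writeIV, seq), pt, nil)
}

// unprotectRecord opens a record under the sequence number the receiver expects.
func unprotectRecord(aead cipher.AEAD, writeIV []byte, seq uint64, ct []byte) ([]byte, error) {
	return aead.Open(nil, tls13Nonce(writeIV, seq), ct, nil)
}

// demo reports whether record 7 opens in order and is rejected when the receiver's
// counter says 8 (a lost or reordered record). Key and IV are constructed demo values.
func demo() (okInOrder, rejectedOutOfOrder bool) {
	key := []byte("0123456789abcdef") // 16-byte AES-128 key (constructed)
	writeIV := []byte("static-iv-12")  // 12-byte write IV (constructed)
	block, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(block)
	ct := protectRecord(aead, writeIV, 7, []byte("application data"))
	pt, err := unprotectRecord(aead, writeIV, 7, ct)
	okInOrder = err == nil && string(pt) == "application data"
	_, err = unprotectRecord(aead, writeIV, 8, ct) // different nonce: tag check fails
	rejectedOutOfOrder = err != nil
	return
}

func main() {
	ok, rej := demo()
	fmt.Printf("in-order decrypts: %v, out-of-order rejected: %v\n", ok, rej)
}
```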

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls