Thanks for the quick response, David. I now agree with Martin and Adam that we should remove this.
Chairs, I haven't seen any objections. Any reason I shouldn't make this change?

-Ekr

On Thu, Oct 22, 2015 at 6:59 AM, David McGrew (mcgrew) <mcg...@cisco.com> wrote:

> *From:* Eric Rescorla [mailto:e...@rtfm.com]
> *Sent:* Thursday, October 22, 2015 9:33 AM
> *To:* Adam Langley
> *Cc:* Martin Thomson; tls@ietf.org; Hugo Krawczyk; David McGrew (mcgrew)
> *Subject:* Re: [TLS] Version in record MAC
>
> I'm mostly convinced by this text in RFC 5116:
>
> http://tools.ietf.org/html/rfc5116#section-2.1
>
> > Because the authenticated decryption process
> > detects incorrect nonce values, no security failure will result if a
> > nonce is incorrectly reconstructed and fed into an authenticated
> > decryption operation. Any nonce reconstruction method will need to
> > take into account the possibility of loss or reorder of ciphertexts
> > between the encryption and decryption processes.
>
> It would probably be worth checking with the cryptographers in the room.
>
> CCing Hugo and McGrew.
>
> -Ekr
>
> On Mon, Oct 19, 2015 at 5:46 PM, Adam Langley <a...@imperialviolet.org>
> wrote:
>
> On Monday, October 19, 2015, Martin Thomson <martin.thom...@gmail.com>
> wrote:
>
> On 19 October 2015 at 11:17, Eric Rescorla <e...@rtfm.com> wrote:
> > Yeah, I think that's riding the nonce far too hard.
>
> On what basis? Any change in the nonce will cause the record
> decryption to fail. That's the property we're looking for here, isn't
> it?
>
> I don't believe that there's any reason to include the sequence number in
> the AD input of an AEAD. I think that an empty AD for TLS would be fine now
> that the content type is encrypted. (Not that I deeply care either way.)
>
> Agreed. Any value that always goes into the nonce doesn’t need to go into
> the AD.
>
> David
>
> Cheers
>
> AGL
>
> --
> Adam Langley a...@imperialviolet.org https://www.imperialviolet.org
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
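
The property discussed in the thread, that a sequence number carried in the nonce is already bound to the record even with an empty AD, can be checked with the following added example (not code from the thread or from any TLS implementation). It assumes AES-128-GCM, a per-record nonce formed by XORing the sequence number into a static IV, and a constructed key and IV; the function names are illustrative.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// recordNonce XORs the 64-bit sequence number into the low 8 bytes of the IV (assumed scheme).
func recordNonce(iv []byte, seq uint64) []byte {
	nonce := append([]byte(nil), iv...)
	var s [8]byte
	binary.BigEndian.PutUint64(s[:], seq)
	for i := range s {
		nonce[len(nonce)-8+i] ^= s[i]
	}
	return nonce
}

// newAEAD returns AES-GCM for the given key.
func newAEAD(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead
}

// sealRecord protects a record with an empty AD; the sequence number appears only in the nonce.
func sealRecord(a cipher.AEAD, iv []byte, seq uint64, pt []byte) []byte {
	return a.Seal(nil, recordNonce(iv, seq), pt, nil)
}

// openRecord decrypts with the receiver's own idea of the sequence number.
func openRecord(a cipher.AEAD, iv []byte, seq uint64, ct []byte) ([]byte, error) {
	return a.Open(nil, recordNonce(iv, seq), ct, nil)
}

func main() {
	a, iv := newAEAD([]byte("0123456789abcdef")), []byte("constructed!") // constructed key and IV
	ct := sealRecord(a, iv, 7, []byte("record seven"))
	_, errSame := openRecord(a, iv, 7, ct)
	_, errNext := openRecord(a, iv, 8, ct) // replayed or reordered record
	fmt.Println("seq 7:", errSame, "| seq 8:", errNext)
}
```

A receiver whose counter has moved on rejects the record at the authentication step, which is the behaviour the RFC 5116 passage quoted above describes.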