Thinking about this a little more:

If we ever change the nonce construction to have an explicit nonce or
otherwise not depend on the RSN (e.g., something like SIV) we're going to
be sad if we don't have the RSN in the AD. Obviously, we'd also need to
change the text about the nonce construction, so it's not like you could
drop in a construction like this, but it would be slightly easier to do if
we already MACed the RSN.

I'm not sure which side of the fence I'm on here. What do others think?

-Ekr
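
The trade-off Ekr describes above, as an added illustration that is not code from this thread or from any TLS implementation. A small HMAC-based encrypt-then-MAC AEAD (assumed here as a stand-in for AES-GCM) is driven two ways: with a TLS 1.3-style nonce (per-direction write IV XORed with the padded record sequence number, the construction assumed in this example) and with an SIV-like nonce derived from the message itself, so the RSN no longer reaches the nonce. The function names, the toy AEAD and the key/IV values are all constructed for the example.

```python
import hmac
import hashlib

NONCE_LEN = 12
TAG_LEN = 16


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256(enc_key, nonce || counter).
    # Toy construction standing in for a real AEAD cipher; not for production use.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _tag(mac_key: bytes, ad: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    # Encrypt-then-MAC tag over AD, nonce and ciphertext; the AD length prefix
    # keeps the (ad, ciphertext) boundary unambiguous.
    msg = len(ad).to_bytes(8, "big") + ad + nonce + ciphertext
    return hmac.new(mac_key, msg, hashlib.sha256).digest()[:TAG_LEN]


def aead_seal(key: bytes, nonce: bytes, ad: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = key[:16], key[16:]
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return ct + _tag(mac_key, ad, nonce, ct)


def aead_open(key: bytes, nonce: bytes, ad: bytes, sealed: bytes):
    # Returns the plaintext, or None when the tag does not verify
    # (a wrong nonce or wrong AD both show up here, as RFC 5116 2.1 says).
    enc_key, mac_key = key[:16], key[16:]
    ct, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(mac_key, ad, nonce, ct)):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def tls13_nonce(write_iv: bytes, seq: int) -> bytes:
    # Assumed TLS 1.3-style construction: write_iv XOR left-padded sequence number.
    return bytes(a ^ b for a, b in zip(write_iv, seq.to_bytes(NONCE_LEN, "big")))


def _rsn_ad(seq: int, rsn_in_ad: bool) -> bytes:
    return seq.to_bytes(8, "big") if rsn_in_ad else b""


def protect_record(key, write_iv, seq, plaintext, rsn_in_ad):
    return aead_seal(key, tls13_nonce(write_iv, seq), _rsn_ad(seq, rsn_in_ad), plaintext)


def unprotect_record(key, write_iv, expected_seq, record, rsn_in_ad):
    # The receiver reconstructs the nonce from the sequence number it expects.
    return aead_open(key, tls13_nonce(write_iv, expected_seq), _rsn_ad(expected_seq, rsn_in_ad), record)


def _siv_nonce(key: bytes, ad: bytes, plaintext: bytes) -> bytes:
    # SIV-like synthetic IV: derived from AD and plaintext only, never from the RSN.
    return hmac.new(key[16:], b"siv" + ad + plaintext, hashlib.sha256).digest()[:NONCE_LEN]


def protect_record_siv(key, seq, plaintext, rsn_in_ad):
    ad = _rsn_ad(seq, rsn_in_ad)
    nonce = _siv_nonce(key, ad, plaintext)
    return nonce + aead_seal(key, nonce, ad, plaintext)  # nonce travels with the record


def unprotect_record_siv(key, expected_seq, record, rsn_in_ad):
    ad = _rsn_ad(expected_seq, rsn_in_ad)
    nonce, sealed = record[:NONCE_LEN], record[NONCE_LEN:]
    pt = aead_open(key, nonce, ad, sealed)
    if pt is None or not hmac.compare_digest(nonce, _siv_nonce(key, ad, pt)):
        return None
    return pt


def demo() -> dict:
    key = bytes(range(32))            # constructed test key, not a real secret
    write_iv = bytes(range(100, 112))  # constructed per-direction write IV
    msg = b"application data"
    r = {}
    # RSN in the nonce, empty AD: a record replayed at the wrong sequence number fails.
    rec = protect_record(key, write_iv, 5, msg, rsn_in_ad=False)
    r["nonce_correct_seq"] = unprotect_record(key, write_iv, 5, rec, False) == msg
    r["nonce_wrong_seq"] = unprotect_record(key, write_iv, 6, rec, False) is None
    # SIV-like nonce, empty AD: the same replay is accepted, since nothing binds the RSN.
    rec = protect_record_siv(key, 5, msg, rsn_in_ad=False)
    r["siv_wrong_seq_no_ad"] = unprotect_record_siv(key, 6, rec, False) == msg
    # SIV-like nonce with the RSN MACed as AD: the replay is rejected again.
    rec = protect_record_siv(key, 5, msg, rsn_in_ad=True)
    r["siv_correct_seq_with_ad"] = unprotect_record_siv(key, 5, rec, True) == msg
    r["siv_wrong_seq_with_ad"] = unprotect_record_siv(key, 6, rec, True) is None
    return r


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

With the RSN in the nonce, AD contents make no difference to the replay check, which is the "any value that always goes into the nonce doesn't need to go into the AD" observation; once the nonce stops depending on the RSN, only the AD still binds the record to its position in the stream.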


On Thu, Oct 22, 2015 at 10:07 AM, Eric Rescorla <e...@rtfm.com> wrote:

> Thanks for the quick response, David. I now agree with Martin and
> Adam that we should remove this.
>
> Chairs, I haven't seen any objections. Any reason I shouldn't make this
> change?
>
> -Ekr
>
>
> On Thu, Oct 22, 2015 at 6:59 AM, David McGrew (mcgrew) <mcg...@cisco.com>
> wrote:
>
>> From: Eric Rescorla [mailto:e...@rtfm.com]
>> Sent: Thursday, October 22, 2015 9:33 AM
>> To: Adam Langley
>> Cc: Martin Thomson; tls@ietf.org; Hugo Krawczyk; David McGrew (mcgrew)
>> Subject: Re: [TLS] Version in record MAC
>>
>> I'm mostly convinced by this text in RFC 5116:
>>
>> http://tools.ietf.org/html/rfc5116#section-2.1
>>
>>    Because the authenticated decryption process
>>    detects incorrect nonce values, no security failure will result if a
>>    nonce is incorrectly reconstructed and fed into an authenticated
>>    decryption operation.  Any nonce reconstruction method will need to
>>    take into account the possibility of loss or reorder of ciphertexts
>>    between the encryption and decryption processes.
>>
>> It would probably be worth checking with the cryptographers in the room.
>>
>> CCing Hugo and McGrew.
>>
>> -Ekr
>>
>> On Mon, Oct 19, 2015 at 5:46 PM, Adam Langley <a...@imperialviolet.org>
>> wrote:
>>
>> On Monday, October 19, 2015, Martin Thomson <martin.thom...@gmail.com>
>> wrote:
>>
>> On 19 October 2015 at 11:17, Eric Rescorla <e...@rtfm.com> wrote:
>> > Yeah, I think that's riding the nonce far too hard.
>>
>> On what basis?  Any change in the nonce will cause the record
>> decryption to fail.  That's the property we're looking for here, isn't
>> it?
>>
>> I don't believe that there's any reason to include the sequence number in
>> the AD input of an AEAD. I think that an empty AD for TLS would be fine now
>> that the content type is encrypted. (Not that I deeply care either way.)
>>
>> Agreed.  Any value that always goes into the nonce doesn't need to go
>> into the AD.
>>
>> David
>>
>> Cheers
>>
>> AGL
>>
>> --
>> Adam Langley a...@imperialviolet.org https://www.imperialviolet.org
>
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls