Greetings. I would like to suggest a small tweak to the nonce generation method in TLS 1.3.
The motivation for this is stronger separation between the encryption layer and the TLS layer. An alignment with FIPS 140 guidance is another motivation, which states that the IV management shall be internal (in the encryption direction). I realize that what I propose is a small tweak, and consequently, it provides small benefits. One can take any side here. My view is that we should try to clean things up, when possible.

Instead of requiring the understanding of the record numbers, the encryption layer simply increments the initial nonce, which is a 12-byte quantity for AES-GCM. The TLS layer passes in client_write_iv or server_write_iv, along with the key, once per session, and the encryption layer does ++ on the nonce for each record from that point. The method can be described as a counter mode with a random start.

There is one caveat. In order to maintain protocol version independence we want to inhibit carry into the higher bytes (4 high bytes for AES-GCM). This behavior is standardized by https://tools.ietf.org/html/rfc5116 and applies to TLS 1.2.

The benefits are that the encryption layer doesn't need to deal with a record number or its serialization, or the mask. The state is minimal. The nonce update code is faster and smaller (e.g. 3 instructions on x86_64).

I would like to thank earlier reviewers. As part of these reviews RFC7905 was brought up. I appreciate the desire not to update RFC7905, but this should not interfere with the WGLC, and it's a fairly new stream cipher anyway.

Details are in https://github.com/tlswg/tls13-spec/pull/1027

Thank you.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
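The two nonce constructions the message compares, side by side, as an added illustration that is not part of the original post or of the linked pull request. `nonce_increment` is the proposed scheme: the 12-byte nonce starts as the write IV and is incremented per record, with the carry confined to the low 8 bytes so the 4 high bytes are never touched. `nonce_tls13` is the draft's existing construction, the 64-bit record number left-padded to 12 bytes and XORed into the write IV. The function names, the sample IVs and `first_divergence` are constructed for this example; the record limits that make either scheme safe (a key update before the counter can repeat a nonce) remain the TLS layer's responsibility in both cases.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NONCE_LEN 12   /* AES-GCM nonce length used by TLS */
#define FIXED_LEN 4    /* high bytes that must never receive a carry (RFC 5116 style) */

/* Proposed scheme: nonce = previous nonce + 1, counting only over the low
   8 bytes. A carry out of byte FIXED_LEN is dropped, so the 4 fixed bytes
   stay exactly as the TLS layer supplied them in client/server_write_iv.
   After 2^64 increments the nonce repeats; the caller must rekey before then. */
void nonce_increment(uint8_t nonce[NONCE_LEN]) {
    for (int i = NONCE_LEN - 1; i >= FIXED_LEN; i--) {
        if (++nonce[i] != 0) {
            return;             /* no carry out of this byte: done */
        }
    }
    /* All low bytes wrapped to zero; carry into the fixed bytes is suppressed. */
}

/* Draft TLS 1.3 scheme: nonce = write_iv XOR (record number left-padded to
   NONCE_LEN bytes, big-endian). The encryption layer needs the record number
   and its serialization for every record. */
void nonce_tls13(const uint8_t iv[NONCE_LEN], uint64_t seq, uint8_t out[NONCE_LEN]) {
    memcpy(out, iv, NONCE_LEN);
    for (int i = 0; i < 8; i++) {
        out[NONCE_LEN - 1 - i] ^= (uint8_t)(seq >> (8 * i));
    }
}

/* Walk both schemes from the same write IV and return the first record number
   at which they yield different nonces, or -1 if they agree for all
   max_records records. They coincide only while incrementing never carries
   into a bit that is already set in the IV, i.e. always when the low 8 bytes
   of the IV are zero, and otherwise only for a prefix of the record numbers. */
long first_divergence(const uint8_t iv[NONCE_LEN], uint64_t max_records) {
    uint8_t inc[NONCE_LEN], xr[NONCE_LEN];
    memcpy(inc, iv, NONCE_LEN);          /* encryption layer's only state */
    for (uint64_t seq = 0; seq < max_records; seq++) {
        nonce_tls13(iv, seq, xr);
        if (memcmp(inc, xr, NONCE_LEN) != 0) {
            return (long)seq;
        }
        nonce_increment(inc);
    }
    return -1;
}

static void print_hex(const char *label, const uint8_t *buf, size_t len) {
    printf("%s", label);
    for (size_t i = 0; i < len; i++) {
        printf("%02x", buf[i]);
    }
    printf("\n");
}

int main(void) {
    /* Constructed IV: fixed bytes 01020304, low 8 bytes all 0xff, so the
       very first increment carries all the way up to the fixed boundary. */
    uint8_t nonce[NONCE_LEN] = {0x01, 0x02, 0x03, 0x04,
                                0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
    print_hex("start:      ", nonce, NONCE_LEN);
    nonce_increment(nonce);
    print_hex("after ++:   ", nonce, NONCE_LEN);   /* 0102030400...00: fixed bytes kept */

    /* Constructed IV whose low byte is 0xff: the two schemes part at record 1. */
    uint8_t iv[NONCE_LEN] = {0x10, 0x20, 0x30, 0x40, 0, 0, 0, 0, 0, 0, 0, 0xff};
    printf("first divergence: record %ld\n", first_divergence(iv, 1000));
    return 0;
}
```

The comparison makes the trade-off in the message concrete: the counter scheme carries one 12-byte value as its whole state, while the XOR scheme must be handed the record number for each record, and the two only produce identical nonces when the IV's low bytes happen not to interact with the count.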