> > But I'd like to hear Chris weigh in on whether he thinks we should have them explicitly in the AD (and whether that should be true in QUIC too).
I would need to study the specs in order to provide an intelligent answer here. Off the hip, it would seem to depend on how the boundaries between record headers and ciphertexts are determined. Taking a quick look at draft-37, Fig. 4: the "full" header includes three values that are excluded from the "minimal" header, the length of the ciphertext being one of the fields. Presumably, when using the "minimal" header, the length is a parameter that the sender and receiver already agree on. If this is the case, then I don't see a need to add the length to the AD. If the attacker manages to convince the receiver to use the wrong length parameter (maybe this is negotiated during the handshake?), then as Ekr points out, AEAD decryption would fail, thereby "implicitly authenticating the input length".

Chris P.
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
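An added illustration of the "implicit length authentication" argument in the message above; it is not part of the original post and not code from any TLS/DTLS implementation. It assumes a constructed HMAC-based encrypt-then-MAC scheme as a stand-in for a real AEAD, and the names `seal`, `open_record`, `receive` and all sample values are hypothetical. The AD never contains the ciphertext length, yet a receiver that slices the record at the wrong length fails authentication.

```python
import hashlib
import hmac

TAG_LEN = 16  # bytes of authentication tag appended to every record

def _prf(key, label, data):
    # Label gives domain separation between keystream and tag computation.
    return hmac.new(key, label + data, hashlib.sha256).digest()

def _keystream(key, nonce, n):
    blocks = (_prf(key, b"enc", nonce + i.to_bytes(4, "big")) for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, nonce, ad, plaintext):
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    # The tag covers nonce, AD and every ciphertext byte. len(ad) frames the AD;
    # the ciphertext length is never fed in as a separate value.
    return ct + _prf(key, b"mac", nonce + len(ad).to_bytes(2, "big") + ad + ct)[:TAG_LEN]

def open_record(key, nonce, ad, record):
    if len(record) < TAG_LEN:
        return None
    ct, tag = record[:-TAG_LEN], record[-TAG_LEN:]
    expected = _prf(key, b"mac", nonce + len(ad).to_bytes(2, "big") + ad + ct)[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None  # authentication failure
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

def receive(key, nonce, ad, datagram, agreed_len):
    # Header without a length field: the receiver slices the record out of the
    # datagram using the length it believes both sides agreed on.
    return open_record(key, nonce, ad, datagram[:agreed_len])

# Constructed sample values (not from any real trace).
KEY = bytes(range(32))
NONCE = bytes(12)
HEADER_AD = b"\x2c\x00\x01"  # stand-in header bytes, no length inside
RECORD = seal(KEY, NONCE, HEADER_AD, b"application data")
DATAGRAM = RECORD + b"bytes belonging to the next record"

if __name__ == "__main__":
    # Same AD in all three cases; only the receiver's length parameter changes.
    for n in (len(RECORD) - 1, len(RECORD), len(RECORD) + 1):
        print(n, receive(KEY, NONCE, HEADER_AD, DATAGRAM, n))
```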