Re: [TLS] open issues for draft-ietf-tls-chacha20-poly1305-00

Martin Thomson Tue, 04 Aug 2015 10:36:03 -0700

On 4 August 2015 at 10:24, Wan-Teh Chang <w...@google.com> wrote:
> The consistency you want to see seems to be
> consistency with the AES GCM cipher suites, rather than with TLS 1.2.



Yes, this is correct.

RFC 5288:
             struct {
                opaque salt[4];
                opaque nonce_explicit[8];
             } GCMNonce;

RFC 6655:
                       struct {
             opaque salt[4];
             opaque nonce_explicit[8];
                       } CCMNonce;

Interestingly, RFC 6655 removes the explicit nonce for DTLS, but DTLS
only (if I'm reading it correctly).

Either way, I think that we should attempt to be consistent with
these.  Which suggests that perhaps we can adopt a zero-length
explicit nonce and borrow the 6655 DTLS construction.

As for the wasted bytes, I don't care for that.  We will fix that later.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

Re: [TLS] open issues for draft-ietf-tls-chacha20-poly1305-00

Reply via email to