On Aug 25, 2015 7:26 AM, "Kyle Rose" <kr...@krose.org> wrote:
>
> >> uint16 length = TLSPlaintext.length;
> >
> > You can't recover the plaintext without knowing how long it is. This
> > part at a minimum needs to be in the clear. At which point you need
> > it to be based on TLSCiphertext.length
>
> Is that really true? You could decrypt the first block/few bytes to
> get the length (without authentication, of course) and then decrypt
> the remainder according to this candidate length. Then authenticate
> the entire record to make sure the candidate length was correct.
That depends on the AEAD - and the implementation. GCM can - maybe - be broken apart that way*, but I can't think that going to all the trouble of formulating an AEAD just to break it open at the first point that it becomes inconvenient. You could imagine an AEAD that made that difficult or impossible (just reverse the order of the bytes...). Or, without imagining at all, you can have hardware modules that enforce authentication before releasing plaintext.
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
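The two paths discussed in the thread, as an added example that is not part of the mailing-list discussion: a constructed record layout (an assumption of this example, not a TLS 1.3 wire format) puts the 2-byte length inside the AES-GCM payload; peekLength reads the unauthenticated "candidate length" from the GCM keystream, while openRecord verifies the tag over the whole record before releasing anything. The demo key and nonce are constructed values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)

// Constructed demo key and 96-bit nonce: assumptions for this example only.
var demoKey = []byte("0123456789abcdef")
var demoNonce = []byte("nonce-123456")
func newGCM(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // the demo key is a valid 16-byte AES key
	gcm, _ := cipher.NewGCM(block)
	return gcm
}
// sealRecord encrypts length || content, so the GCM tag covers the length too.
func sealRecord(key, nonce, content []byte) []byte {
	pt := make([]byte, 2+len(content))
	binary.BigEndian.PutUint16(pt, uint16(len(content)))
	copy(pt[2:], content)
	return newGCM(key).Seal(nil, nonce, pt, nil)
}
// peekLength is the thread's "candidate length": only the first two bytes are
// decrypted, with the GCM keystream (AES-CTR at counter nonce||0x00000002).
// Nothing here is authenticated; a flipped ciphertext bit gives a wrong length.
func peekLength(key, nonce, record []byte) (uint16, error) {
	if len(record) < 2 {
		return 0, errors.New("record too short")
	}
	block, _ := aes.NewCipher(key)
	ctr := make([]byte, 16)
	copy(ctr, nonce)
	binary.BigEndian.PutUint32(ctr[12:], 2)
	out := make([]byte, 2)
	cipher.NewCTR(block, ctr).XORKeyStream(out, record[:2])
	return binary.BigEndian.Uint16(out), nil
}
// openRecord is the safe path: verify the tag over the whole record before
// trusting anything, then check the inner length against the verified size.
func openRecord(key, nonce, record []byte) ([]byte, error) {
	pt, err := newGCM(key).Open(nil, nonce, record, nil)
	if err != nil {
		return nil, err // tag failure: release nothing, not even the length
	}
	if len(pt) < 2 || int(binary.BigEndian.Uint16(pt)) != len(pt)-2 {
		return nil, errors.New("length field disagrees with record")
	}
	return pt[2:], nil
}
```

Flipping one bit in the second ciphertext byte changes the candidate length from 5 to 4 without any error from peekLength, which is exactly why a receiver must not act on it until openRecord's tag check has passed.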