On Mon, Sep 21, 2015 at 3:19 AM, Jeffrey Walton <noloa...@gmail.com> wrote:
> On Mon, Sep 21, 2015 at 3:02 AM, Daniel Kahn Gillmor
> <d...@fifthhorseman.net> wrote:
>> Hey TLS folks--
>>
>> apologies for the delay in sending these pull requests.
>>
>> encrypted content type:
>> -----------------------
>>
>> https://github.com/tlswg/tls13-spec/pull/51
>>
>> This should be uncontroversial, and just needed freshening against the
>> current draft.
>
> :)
>
>> padding:
>> --------
>>
>> We're now proposing that handshake padding should be offered by
>> introducing a new HandshakePadding message. I've avoided any sort of
>> padding negotiation in the handshake in favor of making padding always
>> available in TLS 1.3 and up. Life is simpler this way.
>
> Padding can create oracles and complicates proofs.
>
> When sending data that needs to be padded during key exchange, then
> fill it up with random data and digest it in HKDF-like fashion.
>
> When sending data that needs to be padded during bulk transfer, then
> don't do it. Use GCM, CTR, etc.
>
> Why make life more complicated than it needs to be?
Is this actually true in the second pull request? No: a moment of actually
reading reveals that the string is inside an AEAD encrypted packet. There is
no way in which this padding could be modified for use in a side-channel
attack.

> Jeff
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls

-- 
"Man is born free, but everywhere he is in chains". --Rousseau.
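The point made in the reply above, as an added example that is not code from the thread, from the pull request, or from any TLS implementation: when the padding sits inside the AEAD-protected record, the tag covers it, so a receiver rejects any modified record before it ever looks at the padding, and there is no padding-dependent behaviour for an attacker to observe. The example assumes AES-256-GCM as the AEAD and lays the inner plaintext out as content, then a content-type byte, then zero padding, modelled on the encrypted-content-type record layout of the draft; the key, nonce and record header are constructed values, not real material.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

// Constructed inputs for the demonstration: not real keys or captured traffic.
var (
	testKey    = bytes.Repeat([]byte{0x42}, 32)       // AES-256 key (constructed)
	testNonce  = bytes.Repeat([]byte{0x07}, 12)       // 96-bit GCM nonce (constructed)
	testHeader = []byte{0x17, 0x03, 0x03, 0x00, 0x00} // record header bound as AAD (constructed)
)

// Inner content type value for handshake messages, as in the TLS 1.3 draft.
const typeHandshake byte = 22

// padInner lays out the inner plaintext as content || type || zero padding
// (assumption: simplified model of the draft's encrypted-content-type layout).
func padInner(content []byte, contentType byte, padLen int) ([]byte, error) {
	if contentType == 0 {
		return nil, errors.New("content type 0 would be indistinguishable from padding")
	}
	inner := make([]byte, 0, len(content)+1+padLen)
	inner = append(inner, content...)
	inner = append(inner, contentType)
	inner = append(inner, make([]byte, padLen)...)
	return inner, nil
}

// unpadInner scans back over the zero padding to the content-type byte.
// It is only ever called on plaintext whose AEAD tag already verified.
func unpadInner(inner []byte) ([]byte, byte, error) {
	i := len(inner) - 1
	for i >= 0 && inner[i] == 0 {
		i--
	}
	if i < 0 {
		return nil, 0, errors.New("no content type byte found")
	}
	return inner[:i], inner[i], nil
}

// newAEAD builds the AES-GCM AEAD used by both sender and receiver.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealRecord pads the content and AEAD-encrypts the whole inner plaintext,
// so the padding bytes are covered by the authentication tag.
func sealRecord(key, nonce, header, content []byte, contentType byte, padLen int) ([]byte, error) {
	inner, err := padInner(content, contentType, padLen)
	if err != nil {
		return nil, err
	}
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	return aead.Seal(nil, nonce, inner, header), nil
}

// openRecord verifies the tag before any plaintext byte is examined; padding
// is stripped only after authentication succeeds, so failure is uniform.
func openRecord(key, nonce, header, ciphertext []byte) ([]byte, byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, 0, err
	}
	inner, err := aead.Open(nil, nonce, ciphertext, header)
	if err != nil {
		return nil, 0, err
	}
	return unpadInner(inner)
}

// tamperPadding flips one bit in the last ciphertext byte before the tag,
// which (for padLen > 0) encrypts a padding byte, and returns the receiver's
// verdict on the modified record.
func tamperPadding(key, nonce, header, ciphertext []byte) error {
	aead, err := newAEAD(key)
	if err != nil {
		return err
	}
	if len(ciphertext) <= aead.Overhead() {
		return errors.New("ciphertext too short to tamper")
	}
	modified := append([]byte(nil), ciphertext...)
	modified[len(modified)-aead.Overhead()-1] ^= 0x01
	_, _, err = openRecord(key, nonce, header, modified)
	return err
}

func main() {
	ct, _ := sealRecord(testKey, testNonce, testHeader, []byte("ClientHello"), typeHandshake, 40)
	content, typ, err := openRecord(testKey, testNonce, testHeader, ct)
	fmt.Printf("valid record:    content=%q type=%d err=%v\n", content, typ, err)
	fmt.Printf("tampered record: err=%v\n", tamperPadding(testKey, testNonce, testHeader, ct))
}
```

The receiver never branches on padding contents before the tag check, which is what makes the padding immune to the oracle concern raised in the quoted message; a CBC-style design that strips padding before authenticating would not have this property.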