On Mon, Nov 2, 2015 at 2:06 PM, <internet-dra...@ietf.org> wrote:
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> This draft is a work item of the Transport Layer Security Working Group of
> the IETF.
>
>         Title           : ChaCha20-Poly1305 Cipher Suites for Transport Layer
>                           Security (TLS)
>         Authors         : Adam Langley
>                           Wan-Teh Chang
>                           Nikos Mavrogiannopoulos
>                           Joachim Strombergson
>                           Simon Josefsson
>         Filename        : draft-ietf-tls-chacha20-poly1305-01.txt
>         Pages           : 7
>         Date            : 2015-11-02
>
> Abstract:
>    This document describes the use of the ChaCha stream cipher and
>    Poly1305 authenticator in the Transport Layer Security (TLS) and
>    Datagram Transport Layer Security (DTLS) protocols.

Dear all,

I've submitted the above version of the ChaCha20-Poly1305 draft in the hopes of getting consensus that it's basically what the group wants and thus is suitable for early code-point assignment.

The major change in this version is that the nonce is constructed using the scheme that's currently in TLS 1.3.

To recap: AES-GCM in TLS 1.2 uses a four-byte, fixed nonce fragment with an explicit, eight-byte value from the wire appended. ChaCha20-Poly1305 seeks to eliminate these eight bytes in each record by using the TLS sequence number. (On this I believe that we basically have agreement.)

The TLS 1.3 spec already specifies that AEADs use the sequence number and has a construction where a fixed value (from the handshake output) is XORed with it. (See https://tlswg.github.io/tls13-spec/#record-payload-protection.) This draft apes that in the hopes that the TLS 1.3 construction doesn't change before it's final.

Cheers

AGL

--
Adam Langley a...@imperialviolet.org https://www.imperialviolet.org
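
The two nonce constructions recapped in the message above, side by side, as an added example that is not part of the original post or the draft. The IV bytes are constructed sample values, the function names are hypothetical, and the big-endian, left-zero-padded encoding of the sequence number is taken from RFC 7905, the published form of this draft.

```python
import struct

NONCE_LEN = 12  # both AEADs take a 96-bit nonce


def tls12_gcm_nonce(fixed4: bytes, explicit8: bytes) -> bytes:
    """TLS 1.2 AES-GCM: 4-byte fixed fragment with the 8-byte explicit
    value appended. The explicit part travels in every record."""
    if len(fixed4) != 4 or len(explicit8) != 8:
        raise ValueError("expected a 4-byte fixed part and 8-byte explicit part")
    return fixed4 + explicit8


def seq_xor_nonce(fixed_iv: bytes, seq: int) -> bytes:
    """Sequence-number nonce: pad the 64-bit big-endian sequence number on
    the left with four zero bytes, then XOR it with the 12-byte fixed IV.
    Nothing is sent on the wire; both peers already track seq."""
    if len(fixed_iv) != NONCE_LEN:
        raise ValueError("fixed IV must be 12 bytes")
    if not 0 <= seq < 2**64:
        # A wrapped counter would repeat a nonce under the same key.
        raise ValueError("sequence number out of 64-bit range")
    padded = b"\x00" * 4 + struct.pack(">Q", seq)
    return bytes(a ^ b for a, b in zip(fixed_iv, padded))


def all_unique(fixed_iv: bytes, count: int) -> bool:
    """True if the first `count` sequence numbers give distinct nonces."""
    return len({seq_xor_nonce(fixed_iv, s) for s in range(count)}) == count


if __name__ == "__main__":
    iv = bytes(range(12))  # constructed sample, not real key material
    print("TLS 1.2 GCM :", tls12_gcm_nonce(iv[:4], struct.pack(">Q", 1)).hex())
    for seq in (0, 1, 2**64 - 1):
        print(f"seq={seq:<20}", seq_xor_nonce(iv, seq).hex())
    print("unique over 10000 records:", all_unique(iv, 10000))
```

Because XOR with a fixed value is a bijection, distinct sequence numbers always give distinct nonces under one key, which is the property the explicit eight bytes were providing in TLS 1.2.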