Adam Langley <a...@imperialviolet.org> wrote:
> The major change in this version is that the nonce is constructed
> using the scheme that's currently in TLS 1.3.
>
Would it be possible to do something similar for the additional data, so that there is no additional data in TLS 1.2, just like in TLS 1.3 for application_data records?

This is the TLS 1.2 definition of additional_data:

    additional_data = seq_num + TLSCompressed.type +
                      TLSCompressed.version + TLSCompressed.length;

In particular, I think we could define the cipher suite to preprocess the AAD so that if it were equal to this:

    (seq_num XOR client_write_iv)[4..] || 23 || 3 || 3 || HI(len) || LO(len)

then the AAD could be replaced with zero bytes of AAD; otherwise, the AAD would be equal to the input AAD. In other words, compress the AAD with a very simple function prior to passing it to the RFC 7539 chacha20-poly1305 AEAD function. This way, one Poly1305 invocation per record could be saved, potentially, for application_data records, which is the common case. An implementation that avoids sending encrypted alerts and avoids renegotiation could avoid writing code for the case where non-empty AAD is needed, and could share the exact same code between TLS 1.2 and TLS 1.3 for ChaCha20-Poly1305.

Cheers,
Brian
--
https://briansmith.org/
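The AAD preprocessing proposed above, as an added example that is not part of the post or of any draft: it builds the TLS 1.2 AAD, the TLS 1.3-style nonce (64-bit seq_num left-padded to the 12-byte IV and XORed with the write IV), and a compress function that drops the AAD only when it is exactly the canonical application_data form that the receiver can reconstruct from the nonce and the record length. The field layout, function names and sample values are my own assumptions.

```python
import struct

IV_LEN = 12                 # ChaCha20-Poly1305 nonce length (RFC 7539)
APPLICATION_DATA = 23       # TLS ContentType application_data
TLS12_VERSION = b"\x03\x03" # TLS 1.2 record-layer version


def tls12_nonce(seq_num: int, write_iv: bytes) -> bytes:
    """Nonce per the TLS 1.3 scheme: seq_num left-padded to IV_LEN, XOR write_iv."""
    assert len(write_iv) == IV_LEN
    padded = seq_num.to_bytes(IV_LEN, "big")
    return bytes(a ^ b for a, b in zip(padded, write_iv))


def seq_num_from_nonce(nonce: bytes, write_iv: bytes) -> int:
    """Inverse of tls12_nonce: the receiver recovers seq_num from nonce and IV."""
    return int.from_bytes(bytes(a ^ b for a, b in zip(nonce, write_iv)), "big")


def tls12_aad(seq_num: int, content_type: int, version: bytes, length: int) -> bytes:
    """TLS 1.2 additional_data: seq_num || type || version || length (13 bytes)."""
    return struct.pack(">QB2sH", seq_num, content_type, version, length)


def canonical_aad(nonce: bytes, write_iv: bytes, length: int) -> bytes:
    """The only AAD an application_data record may carry, derived from values
    both peers already hold (nonce, IV, ciphertext length), so it is implicit."""
    return tls12_aad(seq_num_from_nonce(nonce, write_iv), APPLICATION_DATA,
                     TLS12_VERSION, length)


def compress_aad(aad: bytes, nonce: bytes, write_iv: bytes, length: int) -> bytes:
    """Replace the AAD with zero bytes only when it equals the canonical form;
    any other AAD (alerts, handshake, odd version or length) passes through
    unchanged, so nothing is silently dropped from authentication."""
    return b"" if aad == canonical_aad(nonce, write_iv, length) else aad


if __name__ == "__main__":
    iv = bytes(range(IV_LEN))   # constructed sample client_write_iv
    nonce = tls12_nonce(5, iv)
    app = tls12_aad(5, APPLICATION_DATA, TLS12_VERSION, 100)
    print(compress_aad(app, nonce, iv, 100))                      # b''
    print(compress_aad(tls12_aad(5, 21, TLS12_VERSION, 2), nonce, iv, 2))  # alert AAD kept
```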
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls