On 3 November 2015 at 08:02, Brian Smith <br...@briansmith.org> wrote:
>> The major change in this version is that the nonce is constructed
>> using the scheme that's currently in TLS 1.3.
>
> Would it be possible to do something similar for the additional data, so
> that there is no additional data in TLS 1.2, just like in TLS 1.3 for
> application_data records?
The construction in TLS 1.3 will have no AAD. I believe that the rationale is:

  seq_num is masked into the nonce
  TLSCompressed(sic).type is under encryption
  TLSCompressed.version is covered by key derivation via the handshake hash
  TLSCompressed.length was included in the AAD in 1.2 in error

Unfortunately, I don't believe that all of the above is true for TLS 1.2. Your proposed construction covers some of these things. If you are willing to rely on session hash, you might drop the version, which leaves this with the type. We have to authenticate the content type somehow, and I like your hack for that.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
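The following Python is an added illustration of the two record constructions discussed in this thread; it is not code from the draft, from TLS 1.3, or from either poster. It builds the nonce the way the reply describes (seq_num masked into the per-connection write IV) and then seals a record two ways: TLS 1.2 style, with seq_num, type, version and length in the AAD, and the TLS 1.3 draft style, with an empty AAD and the content type carried under encryption, which this example assumes is done by appending the type as a trailing plaintext byte. The AEAD itself is a constructed encrypt-then-MAC stand-in built from HMAC-SHA256 so the example runs with the standard library only; it is not ChaCha20-Poly1305, and the key, IV and record contents are made-up sample values. The point it demonstrates is which fields each construction authenticates: flipping the header content type or replaying under another sequence number is rejected in both cases, but for different reasons.

```python
import hmac
import hashlib
import struct

NONCE_LEN = 12   # 96-bit AEAD nonce
TAG_LEN = 16     # stand-in tag length
APPLICATION_DATA = 23
HANDSHAKE = 22


def masked_nonce(write_iv: bytes, seq_num: int) -> bytes:
    """Nonce = write_iv XOR seq_num left-padded with zeros to 96 bits (the TLS 1.3-style scheme)."""
    assert len(write_iv) == NONCE_LEN
    padded = seq_num.to_bytes(NONCE_LEN, "big")
    return bytes(a ^ b for a, b in zip(write_iv, padded))


def tls12_aad(seq_num: int, content_type: int, version: int, length: int) -> bytes:
    """TLS 1.2 GenericAEADCipher additional data: seq_num || type || version || length."""
    return struct.pack("!QBHH", seq_num, content_type, version, length)


# --- constructed stand-in AEAD (encrypt-then-MAC over HMAC-SHA256), NOT ChaCha20-Poly1305 ---
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def aead_seal(key: bytes, nonce: bytes, aad: bytes, plaintext: bytes) -> bytes:
    ks = _keystream(key + b"enc", nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    # The tag binds nonce, AAD and ciphertext; anything outside these is unauthenticated.
    tag = hmac.new(key + b"mac", nonce + aad + ct, hashlib.sha256).digest()[:TAG_LEN]
    return ct + tag


def aead_open(key: bytes, nonce: bytes, aad: bytes, sealed: bytes):
    ct, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    expect = hmac.new(key + b"mac", nonce + aad + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expect):
        return None   # authentication failure
    ks = _keystream(key + b"enc", nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


# --- TLS 1.2 style: header fields authenticated via the AAD ---
def seal_record_tls12(key, write_iv, seq_num, content_type, version, plaintext):
    nonce = masked_nonce(write_iv, seq_num)
    aad = tls12_aad(seq_num, content_type, version, len(plaintext))
    return aead_seal(key, nonce, aad, plaintext)


def open_record_tls12(key, write_iv, seq_num, content_type, version, sealed):
    """The receiver rebuilds the AAD from the header it saw; a tampered header fails to verify."""
    nonce = masked_nonce(write_iv, seq_num)
    aad = tls12_aad(seq_num, content_type, version, len(sealed) - TAG_LEN)
    return aead_open(key, nonce, aad, sealed)


# --- TLS 1.3 draft style: no AAD, real content type hidden inside the plaintext ---
def seal_record_tls13(key, write_iv, seq_num, inner_type, plaintext):
    nonce = masked_nonce(write_iv, seq_num)   # seq_num still bound, via the nonce
    return aead_seal(key, nonce, b"", plaintext + bytes([inner_type]))


def open_record_tls13(key, write_iv, seq_num, sealed):
    """Returns (inner_type, plaintext) or None; the outer header type is always application_data."""
    nonce = masked_nonce(write_iv, seq_num)
    pt = aead_open(key, nonce, b"", sealed)
    if pt is None or len(pt) == 0:
        return None
    return pt[-1], pt[:-1]


if __name__ == "__main__":
    key = b"\x11" * 32            # sample key (constructed)
    iv = bytes(range(NONCE_LEN))  # sample write IV (constructed)
    s12 = seal_record_tls12(key, iv, 5, HANDSHAKE, 0x0303, b"hello")
    print("1.2 ok:", open_record_tls12(key, iv, 5, HANDSHAKE, 0x0303, s12))
    print("1.2 type flipped:", open_record_tls12(key, iv, 5, APPLICATION_DATA, 0x0303, s12))
    s13 = seal_record_tls13(key, iv, 5, HANDSHAKE, b"hello")
    print("1.3 ok:", open_record_tls13(key, iv, 5, s13))
    print("1.3 replayed under seq 6:", open_record_tls13(key, iv, 6, s13))
```

In the 1.2 path a changed header type is caught because the receiver feeds the header into the AAD; in the 1.3 path the header type is constant and the real type is recovered from under the encryption, so there is nothing left in the header worth authenticating, which is the rationale the reply lists. Sequence-number binding survives the removal of the AAD because the nonce, and hence the keystream and tag, depend on it.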