On Wed, Jun 15, 2016 at 09:44:18AM -0400, Daniel Kahn Gillmor wrote: > On Wed 2016-06-15 04:44:59 -0400, Yoav Nir wrote: > > To be clear, we're being asked to trade these things off against each > other here, but there are other options which were ruled out in the > prior framing of the question which don't rule either of them out. > > In particular, if we're willing to pay the cost of a slightly more > complex key schedule (and an increased TLS record size), we could have > "packet header" keys which protect the content-type itself for all > non-cleartext TLS records. If we do that, these keys might as well also > be used to protect the TLS record size itself. This would result in an > opaque data stream (though obviously record size would still leak in > DTLS, and timing and framing is still likely to leak the record size in > the lowest-latency TLS applications).
Does this need to enlarge TLS record size? Why doesn't encrypting the content-type/length and then authenticating those off main MAC work (that's how SSH with CHACHA20-POLY1305 does things)? I presume problems from header-flipping (tho in TLS that will kill the connection if you try...) Also, in DTLS, there could be issues switching the encryption on (but then, looks like DTLS 1.3 has other unsolved problems currently..) -Ilari _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
