On Mon, Jun 20, 2016 at 5:39 PM, Eric Rescorla <e...@rtfm.com> wrote:
>
> 2. It's odd to just use a piece of the AEAD cipher (the encryption
> function), especially if we ever had a really non-composite cipher.
> This can be alleviated by using HKDF-Expand to produce the stream
> of bits.
>
If we're going to use a non-standard construction, would it make more sense to "lose" the authentication on the inner layer? E.g.:

1. Encrypt the content type with the "outer" key.
2. Encrypt the with the "inner" key using the same explicit IV.
3. Concatenate the ciphertexts of 1 and 2.
4. Compute an AAD tag/MAC across all of the data, using the "outer" key.

In that scheme the content type or "outer" key authenticates all of the data, so you know it's tamper-free. Still gross.

-- Colm
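An added sketch of the four steps in the message above, in Python; this is illustration only, not code from the thread or from any TLS implementation. An HMAC-SHA256 counter-mode keystream (in the spirit of the HKDF-Expand suggestion in the quoted text) stands in for the AEAD's bare encryption function, the outer-key MAC covers both ciphertexts, and the inner layer carries no tag of its own. Including the explicit IV in the MAC input, the 32-byte tag length and all function names are my assumptions.

```python
import hmac
import hashlib

TAG_LEN = 32  # HMAC-SHA256 output size, used as the single outer tag


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """HKDF-Expand-style counter-mode keystream built from HMAC-SHA256.

    Stand-in for the AEAD's encryption function mentioned in the quoted
    text (a real record layer would use AES-CTR or ChaCha20).
    """
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_stream(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt `data` by XOR with the keystream (same operation)."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, iv, len(data))))


def seal(outer_key: bytes, inner_key: bytes, iv: bytes,
         content_type: int, content: bytes) -> bytes:
    """Steps 1-4 of the proposal: two unauthenticated layers, one outer MAC."""
    if outer_key == inner_key:
        # Same key and same IV would give both layers the same keystream
        # prefix, leaking content_type XOR content[0]; the two keys must
        # be independent for the shared-IV trick to be safe in this toy.
        raise ValueError("inner and outer keys must be independent")
    ct_type = xor_stream(outer_key, iv, bytes([content_type]))  # step 1
    ct_body = xor_stream(inner_key, iv, content)                # step 2: same IV, no inner tag
    body = ct_type + ct_body                                    # step 3
    # Step 4: one MAC under the outer key across everything that is sent.
    # The IV is folded in here as an assumption, since it travels with the record.
    tag = hmac.new(outer_key, iv + body, hashlib.sha256).digest()
    return body + tag


def open_record(outer_key: bytes, inner_key: bytes, iv: bytes,
                record: bytes) -> tuple[int, bytes]:
    """Verify the outer tag, then strip both layers; raises ValueError on forgery."""
    if len(record) < 1 + TAG_LEN:
        raise ValueError("record too short")
    body, tag = record[:-TAG_LEN], record[-TAG_LEN:]
    expected = hmac.new(outer_key, iv + body, hashlib.sha256).digest()
    # The outer tag is the only integrity check in this construction, so
    # nothing is decrypted until it verifies (constant-time compare).
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad tag")
    content_type = xor_stream(outer_key, iv, body[:1])[0]
    content = xor_stream(inner_key, iv, body[1:])
    return content_type, content


def tampered_rejected(outer_key: bytes, inner_key: bytes, iv: bytes,
                      record: bytes, index: int) -> bool:
    """Flip one bit of the record at `index` and report whether it is rejected."""
    forged = bytearray(record)
    forged[index] ^= 0x01
    try:
        open_record(outer_key, inner_key, iv, bytes(forged))
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed sample keys and IV, not real traffic keys.
    k_out, k_in, iv = b"\x01" * 32, b"\x02" * 32, b"\x00" * 8
    rec = seal(k_out, k_in, iv, 23, b"hello")
    print(open_record(k_out, k_in, iv, rec))
    # Flipping a bit in the type byte (index 0) or in the inner ciphertext
    # (index 3) is caught by the same outer tag.
    print(tampered_rejected(k_out, k_in, iv, rec, 0), tampered_rejected(k_out, k_in, iv, rec, 3))
```

The point the toy makes concrete is the one in the message: because the outer key's MAC spans both ciphertexts, a change to the hidden content type or to the inner ciphertext fails the same check, so dropping the inner layer's own tag costs no integrity. What it does not show is whether the resulting two-key object is a clean AEAD in the formal sense, which is the "still gross" part.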
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls