On Wed, Aug 17, 2016 at 4:08 PM, Brian Smith <br...@briansmith.org> wrote:
> Eric Rescorla <e...@rtfm.com> wrote:
> > Issue:
> > https://github.com/tlswg/tls13-spec/issues/555
> >
> > ADL suggested that we could slightly reduce the number of HKDF
> > computations by generating the IVs as a single block rather than
> > with individual HKDF-Expands. You can't generally do this kind
> > of slice-and-dice and preserve the key boundary, but IVs are
> > public anyway.
>
> When you say "IV," what are you referring to? Definitely the original
> intent of my proposal to use client_write_iv and server_write_iv is
> that they would remain secret. I suspect that some analysis might be
> simplified by assuming that they are publicly-known as a worst-case
> scenario, but that's different than them being "public", and we should
> design things assuming that we're trying to keep them private.

Sorry, that's bad writing on my part. I meant they should be kept private
but that in practice, PKCS#11 and similar implementations almost certainly
don't have support for TLS 1.3-style AES-GCM and therefore you'll have to
let the IV out of the tamper boundary at least for the foreseeable future.

-Ekr

> Cheers,
> Brian
> --
> https://briansmith.org/
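An added Python example (not from the thread, the TLS working group, or the spec text) showing the two derivations under discussion: per-purpose HKDF-Expand-Label calls for the write key and write IV versus one Expand output sliced into key and IV, plus the per-record nonce construction that is the reason the IV has to be usable in the clear outside a PKCS#11 boundary. It assumes the RFC 8446 label prefix "tls13 " (the 2016 drafts spelled it "TLS 1.3, "), AES-128-GCM sizes, and a hypothetical "key_and_iv" label for the sliced variant; the HKDF primitives follow RFC 5869.

```python
import hashlib
import hmac
import struct

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size
KEY_LEN, IV_LEN = 16, 12  # AES-128-GCM key and IV sizes (assumed cipher suite)


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract; an empty salt means HASH_LEN zero bytes."""
    return hmac.new(salt or b"\x00" * HASH_LEN, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand: T(i) = HMAC(prk, T(i-1) | info | i), truncated to length."""
    okm, prev, i = b"", b"", 1
    while len(okm) < length:
        prev = hmac.new(prk, prev + info + bytes([i]), HASH).digest()
        okm += prev
        i += 1
    return okm[:length]


def hkdf_expand_label(secret: bytes, label: str, context: bytes, length: int) -> bytes:
    """TLS 1.3 HKDF-Expand-Label over HkdfLabel = uint16 length, opaque label<7..255>,
    opaque context<0..255>. Prefix "tls13 " is the RFC 8446 form (assumption: the
    2016 drafts used "TLS 1.3, ", which changes the bytes but not the structure)."""
    full_label = b"tls13 " + label.encode("ascii")
    info = (struct.pack("!H", length) + bytes([len(full_label)]) + full_label
            + bytes([len(context)]) + context)
    return hkdf_expand(secret, info, length)


def traffic_key_and_iv(traffic_secret: bytes) -> tuple:
    """Per-purpose derivation: key and IV come from separate Expand calls, so a module
    holding the key never has to release the output the key was cut from."""
    return (hkdf_expand_label(traffic_secret, "key", b"", KEY_LEN),
            hkdf_expand_label(traffic_secret, "iv", b"", IV_LEN))


def key_and_iv_one_block(traffic_secret: bytes) -> tuple:
    """Slice-and-dice variant (hypothetical label): one Expand of KEY_LEN + IV_LEN bytes.
    Exporting the IV slice means the output that also holds the key crossed the boundary."""
    block = hkdf_expand_label(traffic_secret, "key_and_iv", b"", KEY_LEN + IV_LEN)
    return block[:KEY_LEN], block[KEY_LEN:]


def record_nonce(write_iv: bytes, seq: int) -> bytes:
    """Per-record nonce: 64-bit sequence number left-padded to IV_LEN, XORed with the
    static write IV. This step needs the IV in the clear wherever records are sealed."""
    padded = seq.to_bytes(IV_LEN, "big")
    return bytes(a ^ b for a, b in zip(write_iv, padded))
```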
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls