On Fri, Apr 24, 2020 at 2:29 PM chris - <chrispat...@gmail.com> wrote:
>> But I'd like to hear Chris weigh in on whether he thinks we should have
>> them explicitly in the AD (and whether that should be true in QUIC too).
>
> I would need to study the specs in order to provide an intelligent answer
> here. Off the hip, it would seem to depend on how the boundaries between
> record headers and ciphertexts are determined. Taking a quick look at
> draft-37, Fig. 4: the "full" header includes three values that are excluded
> from the "minimal" header, the length of the ciphertext being one of the
> fields. Presumably, when using the "minimal" header, the length is a
> parameter that the sender and receiver already agree on.

Yes. It's "the rest of the UDP datagram".

-Ekr

> If this is the case, then I don't see a need to add the length to the AD. If
> the attacker manages to convince the receiver to use the wrong length
> parameter (maybe this is negotiated during the handshake?), then as Ekr
> points out, AEAD decryption would fail, thereby "implicitly authenticating
> the input length".
>
> Chris P.
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
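
The "implicitly authenticated length" argument from the thread, as an added example that is not part of the original messages or of any DTLS implementation: the header carries no length field, only the header is passed as AD, and decryption still fails whenever the receiver uses a ciphertext length other than the one the sender produced. Assumptions: AES-128-GCM as the AEAD, a constructed all-zero key and nonce, a constructed 3-byte header, and hypothetical function names.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed values for illustration only. A real record layer derives the
// key from the handshake and a fresh nonce per record.
var (
	key   = make([]byte, 16)
	nonce = make([]byte, 12)
	hdr   = []byte{0x2c, 0x00, 0x01} // constructed header with no length field
)

func newAEAD() cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead
}

// sealDatagram returns header || ciphertext || tag. The AD is the header
// alone; the ciphertext length is never put into the AD.
func sealDatagram(plaintext []byte) []byte {
	return newAEAD().Seal(append([]byte{}, hdr...), nonce, plaintext, hdr)
}

// openWithLength decrypts, treating the n bytes after the header as the record.
func openWithLength(datagram []byte, n int) ([]byte, error) {
	if n < 0 || len(hdr)+n > len(datagram) {
		return nil, fmt.Errorf("length %d outside datagram", n)
	}
	return newAEAD().Open(nil, nonce, datagram[len(hdr):len(hdr)+n], datagram[:len(hdr)])
}

func main() {
	d := sealDatagram([]byte("hello record"))
	rest := len(d) - len(hdr) // "the rest of the UDP datagram"
	for _, n := range []int{rest, rest - 1, rest - 16} {
		_, err := openWithLength(d, n)
		fmt.Printf("receiver length %d: decrypts=%v\n", n, err == nil)
	}
}
```
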