Re: [TLS] Pull Request: Removing the AEAD explicit IV

Brian Smith <> Thu, 19 March 2015 20:11 UTC


Eric Rescorla <> wrote:
> On Thu, Mar 19, 2015 at 12:53 PM, Brian Smith <> wrote:
>> It seems like it would be better, instead, to require that the initial
>> nonces be calculated from the keyblock established during key
>> agreement,
> Is there any reason why these should be derived from the keyblock
> as opposed to from purely public information such as the random
> values?

Intuitively, I expect the attacker to have more difficulty if they
don't know the nonce than if they do. In general, we should not
divulge more than the minimum amount of information in cleartext. And,
in particular, one of the design goals is to encrypt as much of the
handshake as possible, and the nonce selection is part of the

I wouldn't be surprised if somebody pointed out a good reason to avoid
deriving them out of the key block, though I don't know of one now.

>> and then have them incremented as counters (with
>> wraparound) in the same fashion as being proposed.
> Can you explain why you think they need to change? I note that TLS 1.2
> currently does not behave in this fashion.

I think you interpreted my suggestion as <initial-nonce> || <record
sequence number>. I just mean that the per-record nonce should be
calculated as <initial-nonce> + <record sequence number>. It seems
better to start all the initial bits of the nonce in a randomly-chosen
state, instead of just a prefix, if there are no conflicting
considerations to do otherwise.
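The two nonce constructions contrasted in this message, side by side, as an added example (not code from the thread or from any TLS implementation); the 12-byte nonce length is that of AES-GCM in TLS, and the initial nonce value is constructed, not real key-block output.

```python
"""Per-record AEAD nonce from a per-connection initial nonce and the
64-bit TLS record sequence number, two ways.

Added example for this thread, not code from the email or from a TLS
stack. The sample initial nonce below is a constructed value.
"""
NONCE_LEN = 12            # 96-bit AEAD nonce (AES-GCM / ChaCha20-Poly1305 in TLS)
SEQ_MASK = (1 << 64) - 1  # TLS record sequence numbers are 64-bit


def nonce_concat(initial_nonce: bytes, seq: int) -> bytes:
    """<initial-nonce> || <record sequence number>: the TLS 1.2 AES-GCM
    layout, where only a 4-byte prefix comes from the key block and the
    trailing 8 bytes are a counter carried explicitly on the wire."""
    prefix = initial_nonce[:NONCE_LEN - 8]
    return prefix + (seq & SEQ_MASK).to_bytes(8, "big")


def nonce_add(initial_nonce: bytes, seq: int) -> bytes:
    """<initial-nonce> + <record sequence number> with wraparound mod 2^96,
    as suggested in the message: every nonce bit starts from the secret
    initial value and nothing about the nonce travels in cleartext."""
    assert len(initial_nonce) == NONCE_LEN
    base = int.from_bytes(initial_nonce, "big")
    value = (base + (seq & SEQ_MASK)) % (1 << (8 * NONCE_LEN))
    return value.to_bytes(NONCE_LEN, "big")


def all_unique(initial_nonce: bytes, count: int, fn) -> bool:
    """Nonce reuse under one key is what breaks an AEAD, so confirm that
    the first `count` sequence numbers map to distinct nonces."""
    return len({fn(initial_nonce, s) for s in range(count)}) == count


# Constructed example initial nonce (stands in for key-block output);
# chosen near 2^96 so the wraparound of the additive scheme is visible.
IV = bytes.fromhex("ffffffffffffffffffffff00")

if __name__ == "__main__":
    for s in (0, 1, 255, 256):
        print(s, nonce_concat(IV, s).hex(), nonce_add(IV, s).hex())
```

Because sequence numbers never exceed 2^64 while the nonce space is 2^96, the additive scheme cannot wrap back onto an earlier nonce within one connection.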