Re: [TLS] Fully encrypted and authenticated headers (was Re: Encrypting record headers: practical for TLS 1.3 after all?)

"Valery Smyslov" <> Fri, 04 December 2015 12:57 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 17CF31B3125 for <>; Fri, 4 Dec 2015 04:57:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 0.171
X-Spam-Status: No, score=0.171 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_SORBS_WEB=0.77, SPF_PASS=-0.001] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 7yM0av5Yk-2U for <>; Fri, 4 Dec 2015 04:57:31 -0800 (PST)
Received: from ( [IPv6:2a00:1450:4010:c07::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 849451B3121 for <>; Fri, 4 Dec 2015 04:57:31 -0800 (PST)
Received: by lffu14 with SMTP id u14so111408520lff.1 for <>; Fri, 04 Dec 2015 04:57:29 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=message-id:from:to:cc:references:subject:date:mime-version :content-type; bh=SI7UeqPrzY1XQ6qQKW8PFvp4sOkM+lfGrdTIfpu1Qgc=; b=LMeCgJdYb6/wm8hig3I48+3pTg3bx53XAgB1NioaQNTaO6SUkigCT14QtiMh55CpzI IB84sCyjGGS9U7mrvHlkCciKs3vo+E3BIO/Rce10ZmS2frWGMtH0SeBkfBUoFj079cUE 1WsEUKDZAQhkF2CroExDlTaScUXDeYcO/otOa0RCOfPiImjOfm3d5qAOpG7IJ+XgvwsZ KmChCAjo3hnSzuFbDB2l8o5NwnY/Xy52WCTODJgV0fbyJWHd2D6t7GCH05cUNaITucCD lTGopmayoltfU0dynGvt4WqIgkJP+r5EozOXqTVGjFpVfVJwfZRSR0uTJXlNb3J9eQ5K 8gzw==
X-Received: by with SMTP id m2mr8163339lfm.113.1449233849674; Fri, 04 Dec 2015 04:57:29 -0800 (PST)
Received: from buildpc ([]) by with ESMTPSA id j189sm2289361lfg.46.2015. (version=TLSv1/SSLv3 cipher=OTHER); Fri, 04 Dec 2015 04:57:28 -0800 (PST)
Message-ID: <22CF6E6F4D484DE5B3031B0EAD612F52@buildpc>
From: Valery Smyslov <>
To: Bryan Ford <>
References: <> <> <> <> <> <> <> <> <7F6CAD8F92F54AD5A4F6B14D5F471740@buildpc> <>
Date: Fri, 04 Dec 2015 15:57:27 +0300
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0BF2_01D12EAC.7963A0C0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5931
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.6157
Archived-At: <>
Subject: Re: [TLS] Fully encrypted and authenticated headers (was Re: Encrypting record headers: practical for TLS 1.3 after all?)
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 04 Dec 2015 12:57:33 -0000

    As far as I understand your proposal makes impossible to use this trick, 
    if we consider packets loss and reordering.

  Actually, if I’m understanding correctly how you’re doing this per-datagram rekeying, I think it still should be compatible with the hash-table-based approach I proposed.  Assuming you’re using some key derivation function that takes a master key and sequence number as input and produces a per-datagram key, the receiver just needs to pre-compute the per-datagram keys for the sequence numbers within the current window, and encrypt the sequence numbers with those respective per-datagram keys, in order to populate its hash table.  I don’t think anything breaks at least.
I would say that the hash-table-based approach would work in theory.
In practice it either implies too much burden on the receiver or would fail
in some situations. Consider, for example, situation when the sender 
skips large amount of sequence numbers (say 2^32) for some reason.
It would be difficult for receiver to build such a hash table.

Valery Smyslov.