[TLS] About TLS 1.2 AEAD ciphers definition

Juho Vähä-Herttua <juhovh@iki.fi> Thu, 27 May 2010 15:29 UTC

Return-Path: <juhovh@iki.fi>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost []) by core3.amsl.com (Postfix) with ESMTP id A8DF03A6947 for <tls@core3.amsl.com>; Thu, 27 May 2010 08:29:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.699
X-Spam-Status: No, score=-3.699 tagged_above=-999 required=5 tests=[BAYES_50=0.001, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([]) by localhost (core3.amsl.com []) (amavisd-new, port 10024) with ESMTP id 9K-WB1lkrd+v for <tls@core3.amsl.com>; Thu, 27 May 2010 08:29:28 -0700 (PDT)
Received: from smtp-3.hut.fi (smtp-3.hut.fi []) by core3.amsl.com (Postfix) with ESMTP id 234F53A6955 for <tls@ietf.org>; Thu, 27 May 2010 08:29:27 -0700 (PDT)
Received: from localhost (katosiko.hut.fi []) by smtp-3.hut.fi (8.13.6/8.12.10) with ESMTP id o4RFTEDI028872 for <tls@ietf.org>; Thu, 27 May 2010 18:29:14 +0300
Received: from smtp-3.hut.fi ([]) by localhost (katosiko.hut.fi []) (amavisd-new, port 10024) with LMTP id 21577-970 for <tls@ietf.org>; Thu, 27 May 2010 18:29:14 +0300 (EEST)
Received: from [] (vbwin.cs.hut.fi []) by smtp-3.hut.fi (8.13.6/8.12.10) with ESMTP id o4RFTAut028851 for <tls@ietf.org>; Thu, 27 May 2010 18:29:10 +0300
Message-ID: <4BFE8FC5.4070509@iki.fi>
Date: Thu, 27 May 2010 18:29:09 +0300
From: =?ISO-8859-1?Q?Juho_V=E4h=E4-Herttua?= <juhovh@iki.fi>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; fi; rv: Gecko/20100317 Thunderbird/3.0.4
MIME-Version: 1.0
To: tls@ietf.org
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-TKK-Virus-Scanned: by amavisd-new-2.1.2-hutcc at katosiko.hut.fi
Subject: [TLS] About TLS 1.2 AEAD ciphers definition
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 May 2010 15:29:29 -0000


I'm implementing TLS (including v1.2) and went through the 
chapter of AEAD ciphers definition. The following puzzles me:

       additional_data = seq_num + TLSCompressed.type +
                         TLSCompressed.version + TLSCompressed.length;

       AEADEncrypted = AEAD-Encrypt(write_key, nonce, plaintext,

       TLSCompressed.fragment = AEAD-Decrypt(write_key, nonce,

This seems to be strange in case of AEAD-Decrypt, because 
additional_data contains TLSCompressed information, which is not 
available before decryption. I started to trace it down and found out it 
was changed in draft-ietf-tls-rfc4346-bis-05 back in 2007. To find some 
reason for this change, I noticed the following email:


It seems to me that the change was made after this email and probably as 
a response to it. Before the change AEAD-Encrypt was using 
TLSCompressed.length and AEAD-Decrypt was using TLSCiphertext.length, 
which may be different if the AEAD cipher adds some own padding to it.

So I'm curious to know how is AEAD actually handled and how to find out 
the TLSCompressed.length when constructing additional_data for 
AEAD-Decrypt? I'm sure there are more experienced people here who can 
tell me the answer. Thank you in advance.