Re: [TLS] Fully encrypted and authenticated headers (was Re: Encrypting record headers: practical for TLS 1.3 after all?)

Bryan A Ford <> Tue, 01 December 2015 21:46 UTC

To: Dmitry Belyavsky <>
From: Bryan A Ford <>
Date: Tue, 01 Dec 2015 22:45:59 +0100

Hi Dmitry,

On 12/1/15 9:49 PM, Dmitry Belyavsky wrote:
> Dear Bryan,
> On Tue, Dec 1, 2015 at 7:22 PM, Bryan A Ford <> wrote:
>     DTLS:
>     Now there's still the important question of whether this (new) proposal
>     could be made to work in the context of DTLS.  For the DTLS case, my
>     current thinking is that some elements of my earlier proposal are
>     probably more suitable: namely using a stream cipher (or AEAD used as a
>     stream cipher) to encrypt and recognize the explicitly-transmitted
>     sequence numbers that DTLS needs.  This could operate basically the same
>     as I described in my earlier E-mail on this topic.  Note that the length
>     field is no longer a problem in DTLS as it is in TLS, because the
>     receiver already gets the length of the datagram from UDP.
> Do I understand correctly that your proposal makes it difficult to derive
> the key from the original value depending on the sequence number?

I'm not sure I understand your question; can you clarify?  What is the
"original value" you are worried about the key being derivable from?
Certainly if the cipher (stream cipher or AEAD) is working correctly, it
should make it cryptographically infeasible for an attacker to derive
the shared secret key from anything the protocol transmits.