Re: [TLS] Fully encrypted and authenticated headers (was Re: Encrypting record headers: practical for TLS 1.3 after all?)

Bryan Ford <> Fri, 04 December 2015 10:17 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 926E81B2F6C for <>; Fri, 4 Dec 2015 02:17:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id aJ2kRJrANldV for <>; Fri, 4 Dec 2015 02:17:26 -0800 (PST)
Received: from ( [IPv6:2a00:1450:400c:c09::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 22B691B2F6F for <>; Fri, 4 Dec 2015 02:17:26 -0800 (PST)
Received: by wmww144 with SMTP id w144so55668181wmw.1 for <>; Fri, 04 Dec 2015 02:17:24 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=subject:mime-version:content-type:from:in-reply-to:date:cc :message-id:references:to; bh=YqoOOmksrhrI4TXUXnc0PMi6CSuVti1UupZd1ZUDiXg=; b=lbMLBF816Zzky4G/eSlssrBiCG1QcGoJBR5g9f+VR22x/Y/3Y/XLr8Y7rL/Gk9Lc6X 3FdmjN2J8SZn1MVtvbABfEQH8KhU8xK/+m6X0B0xLWktAYUGIZ1GRNLT4Ima5VOkFlB9 c/FukdtM8QNyKRSzKWNrPlMd5m4J9YFBdYau+skL0p2tDQTmNzohSuGovfIDhq/maLcr u31D3omUJ+9bOjyo8MurtkmVTtip2SWUmCW6oZItWaF0rb/XK+D0oQf43KbIkNkPokPy uzFgFtQMNAv4FAn4tjLM38dhb7Z/a65OBFZjrAt9FjELPu9A9SWUKT1nTiIOKsjIUjN+ mqvA==
X-Received: by with SMTP id j81mr3894332wma.15.1449224244755; Fri, 04 Dec 2015 02:17:24 -0800 (PST)
Received: from ( []) by with ESMTPSA id a63sm2838551wmc.5.2015. (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Fri, 04 Dec 2015 02:17:22 -0800 (PST)
Mime-Version: 1.0 (Mac OS X Mail 9.1 \(3096.5\))
Content-Type: multipart/signed; boundary="Apple-Mail=_31B931E6-A4C6-40A1-A9D2-BB7F5C8DFF29"; protocol="application/pkcs7-signature"; micalg="sha1"
From: Bryan Ford <>
X-Priority: 3
In-Reply-To: <7F6CAD8F92F54AD5A4F6B14D5F471740@buildpc>
Date: Fri, 04 Dec 2015 11:17:21 +0100
Message-Id: <>
References: <> <> <> <> <> <> <> <> <7F6CAD8F92F54AD5A4F6B14D5F471740@buildpc>
To: Valery Smyslov <>
X-Mailer: Apple Mail (2.3096.5)
Archived-At: <>
Subject: Re: [TLS] Fully encrypted and authenticated headers (was Re: Encrypting record headers: practical for TLS 1.3 after all?)
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 04 Dec 2015 10:17:28 -0000

On 04 Dec 2015, at 07:56, Valery Smyslov <> wrote:
> Hi Bryan,
> I guess Dmitry is talking about the trick when each datagram is encrypted with its own key, 
> derived from the "master" session key using some unique public parameter of the datagram,
> like its sequence_number. This trick makes attacks on encryption key almost useless.
> It is not specifically bound to GOST cipher, however it is sometimes used with this cipher 
> to deal with its short (by current standards) block size. See for example the (now expired) draft 
> <>
> (it is about ESP, but the general principles are the same for DTLS).

Ah, I see - thanks for the clarification.

> As far as I understand your proposal makes impossible to use this trick, 
> if we consider packets loss and reordering.

Actually, if I’m understanding correctly how you’re doing this per-datagram rekeying, I think it still should be compatible with the hash-table-based approach I proposed.  Assuming you’re using some key derivation function that takes a master key and sequence number as input and produces a per-datagram key, the receiver just needs to pre-compute the per-datagram keys for the sequence numbers within the current window, and encrypt the sequence numbers with those respective per-datagram keys, in order to populate its hash table.  I don’t think anything breaks at least.