Re: [TLS] Still more on Record Layers
"Brian Smith" <brian@briansmith.org> Mon, 02 August 2010 16:29 UTC
From: Brian Smith <brian@briansmith.org>
To: 1.41421@gmail.com, tls@ietf.org
References: <AANLkTikVyJAdS1MW791Naqf8_U7FWW+uhQ3j1DzBEc50@mail.gmail.com>
In-Reply-To: <AANLkTikVyJAdS1MW791Naqf8_U7FWW+uhQ3j1DzBEc50@mail.gmail.com>
Date: Mon, 02 Aug 2010 11:29:18 -0500

JCA wrote:
> If you have encryption you necessarily have MAC,

Or an authentication tag, for AEAD cipher suites

> but you can have MAC without encryption. What does the Record
> Layer length field contain in the latter case? Is it the length of the
> (unencrypted) encapsulated protocol messages alone, or the sum
> of this plus the length of the MAC?

It is treated exactly the same as the stream cipher (e.g. RC4) case, and that is why it is described in the same section. Think of NULL encryption as a stream cipher that always produces zeros.

I think many of your questions can be answered by examining the code of one of the many existing open-source implementations such as GnuTLS or OpenSSL. (The code of NSS's libssl is perhaps less clear in how it deals with the record layer as it is kind of obfuscated with optimizations, and also contains some subtle bugs in how it checks the length of the record against the various limits that the specification imposes.)

Regards,
Brian
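
The record-length rule described in the message above, as an added example that is not part of the original post: a MAC-only TLS 1.2 record (the layout a suite such as TLS_RSA_WITH_NULL_SHA uses) built with the RFC 5246 stream-cipher structure, so the length field counts the payload plus the 20-byte HMAC-SHA1. The key, sequence number and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

MAC_LEN = 20                      # HMAC-SHA1 output size
MAX_CIPHERTEXT = 2**14 + 2048     # RFC 5246 limit on TLSCiphertext.length
APPLICATION_DATA = 23
DEMO_MAC_KEY = bytes(range(20))   # constructed key, for illustration only

def record_mac(mac_key, seq, ctype, version, fragment):
    # The MAC input uses the plaintext length, not the on-wire length field.
    hdr = struct.pack("!QBBBH", seq, ctype, version[0], version[1], len(fragment))
    return hmac.new(mac_key, hdr + fragment, hashlib.sha1).digest()

def null_stream(data):
    # NULL encryption modelled as a stream cipher whose keystream is all zeros.
    return bytes(b ^ 0 for b in data)

def protect(mac_key, seq, ctype, plaintext, version=(3, 3)):
    body = null_stream(plaintext + record_mac(mac_key, seq, ctype, version, plaintext))
    # Length field = payload + MAC, exactly as in the RC4 case.
    return struct.pack("!BBBH", ctype, version[0], version[1], len(body)) + body

def unprotect(mac_key, seq, record):
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, major, minor, length = struct.unpack("!BBBH", record[:5])
    body = record[5:]
    if length != len(body):
        raise ValueError("length field does not match record body")
    if length > MAX_CIPHERTEXT:
        raise ValueError("record_overflow")
    if length < MAC_LEN:
        raise ValueError("record too short to contain a MAC")
    body = null_stream(body)
    plaintext, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    expected = record_mac(mac_key, seq, ctype, (major, minor), plaintext)
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad_record_mac")
    return ctype, plaintext

if __name__ == "__main__":
    rec = protect(DEMO_MAC_KEY, 0, APPLICATION_DATA, b"hello")
    print("length field:", struct.unpack("!H", rec[3:5])[0])
    print("round trip:", unprotect(DEMO_MAC_KEY, 0, rec))
```
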