Re: [TLS] AAED ciphers: AES-GCM vs AES-EAX/AES-CCM: a meta-analysis

[Tom Ritter <tom@ritter.vg>]

On 27 January 2015 at 00:33, Nikos Mavrogiannopoulos <nmav@redhat.com> wrote:
> On Mon, 2015-01-26 at 13:08 -0600, Tom Ritter wrote:
>
>> Length Hiding in TLS gets you good protection against passive captures
>> and lets you deploy the mechanism independent of building in the
>> feature at Layer 7 or above in multiple applications, application
>> protocols, web frameworks, etc.  (Some of which may be old and
>> unmaintained, but still running lots of services on the Internet.)
>>
>> >From my recollection at Denver:
>>  - Consensus was we didn't want to pay a 2-byte penalty to put padding
>> in everywhere by default
>> - Rough Consensus was padding without paying a penalty was something
>> reasonable to pursue
>
> If that refers to draft-pironti-tls-length-hiding0-2, I believe these
> comments are mislead. There is no penalty "everywhere" as you pose it.
> Peers who need no padding don't use the additional length bytes. Only
> peers who need to hide length use these two bytes. This is not a
> penalty, as it can simply be considered part of the pad (min size of pad
> = 2).

Yes, draft-pironti-tls-length-hiding-02 does not put a penalty
everywhere. One of the initial discussions was "Let's not make it an
option, let's just have padding by default, and the folks who don't
want to use it will put a zero-length pad".  But to do so, AIUI, we
needed to stash a 2 byte padding length somewhere. (Hence paying the
cost.) People didn't want to pay the extra two bytes all the time, so
we started looking at using an alternate record type (possibly
encrypting them), or an extension as in the draft...

-tom