Re: [TLS] Inclusion of OCB mode in TLS 1.3

Jack Lloyd <> Wed, 21 January 2015 22:27 UTC


On Tue, Jan 20, 2015 at 08:18:21PM +0100, Aaron Zauner wrote:
> Hi TLS-WG,
> The Internet Draft can be found over here:

My initial understanding on reading the draft was that in the nonce construction
the sequence number is implicit (or already explicit in the message in the case
of DTLS), and the record_iv_length of these ciphersuites is zero. However, it
then refers to RFC 5288 (the GCM ciphersuite definition), which includes an
explicit 8-byte nonce in each message. Or is this reference purely with regard
to the formatting of the nonce input to the AEAD algorithm? Even just an
additional statement "The record_iv_length is X." should resolve this.

If anyone is interested in interop testing, I have implemented these ciphersuites
(assuming record_iv_length is 0) for the next release of botan (available via using ids in the private use range.
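
The two readings of the draft discussed in the message above, as an added example (not from the original message, the draft, or botan): it splits a TLS 1.2 AEAD record fragment with record_iv_length 8, as in RFC 5288, and with record_iv_length 0. The 16-byte tag length, the function name, and the use of the 64-bit sequence number in place of the explicit nonce part are assumptions made for illustration; the sample bytes are constructed.

```python
import struct

SALT_LEN = 4   # RFC 5288: implicit nonce part taken from client/server_write_IV
TAG_LEN = 16   # assumption for this sketch: 128-bit authentication tag


def split_fragment(fragment: bytes, seq: int, salt: bytes, record_iv_length: int):
    """Return (nonce, ciphertext_and_tag) for one AEAD record fragment.

    record_iv_length == 8: RFC 5288 layout, the fragment starts with an
                           8-byte explicit nonce that is sent on the wire.
    record_iv_length == 0: nothing is sent; the 8 bytes come from the record
                           sequence number (assumed construction, see lead-in).
    """
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be 4 bytes")
    if record_iv_length == 8:
        explicit, body = fragment[:8], fragment[8:]
    elif record_iv_length == 0:
        explicit, body = struct.pack(">Q", seq), fragment
    else:
        raise ValueError("record_iv_length must be 0 or 8")
    if len(explicit) != 8 or len(body) < TAG_LEN:
        raise ValueError("fragment too short for this record_iv_length")
    return salt + explicit, body


if __name__ == "__main__":
    salt = bytes.fromhex("a1b2c3d4")   # constructed sample salt
    fragment = bytes(range(36))        # constructed: 20 bytes ciphertext + 16 bytes tag
    for iv_len in (0, 8):
        nonce, body = split_fragment(fragment, seq=5, salt=salt, record_iv_length=iv_len)
        print(iv_len, nonce.hex(), len(body))
```

A sender using record_iv_length 0 and a receiver using 8 derive different nonces and disagree on where the ciphertext starts, so every record fails AEAD authentication.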