From da79ebeaf9e2757d7db1852ac34db8452acd0c20 Mon Sep 17 00:00:00 2001 From: EKR Date: Sun, 12 Nov 2017 09:50:15 +0800 Subject: [PATCH 1/2] Clarify the length of the authentication tag --- draft-ietf-quic-tls.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/draft-ietf-quic-tls.md b/draft-ietf-quic-tls.md index 59503edca9..bb51fd1df3 100644 --- a/draft-ietf-quic-tls.md +++ b/draft-ietf-quic-tls.md @@ -773,7 +773,9 @@ client are derived from the QUIC 0-RTT secret. The packet protection keys and IVs for 1-RTT packets sent by the client and server are derived from the current generation of client_pp_secret and server_pp_secret respectively. The length of the output is determined by the requirements of the AEAD function selected by -TLS. The key length is the AEAD key size. As defined in Section 5.3 of +TLS. All ciphersuites currently used for QUIC have a 16-byte authentication +tag, thus producing an ouput 16 bytes larger than their input. +The key length is the AEAD key size. As defined in Section 5.3 of {{!TLS13}}, the IV length is the larger of 8 or N_MIN (see Section 4 of {{!AEAD=RFC5116}}; all ciphersuites defined in {{?TLS13}} have N_MIN set to 12). For any secret S, the corresponding key and IV are derived as shown below: From 1754fcef9cb483a6196b84afaf34d14ce2cdc07b Mon Sep 17 00:00:00 2001 From: Martin Thomson Date: Sun, 12 Nov 2017 13:16:16 +0800 Subject: [PATCH 2/2] expansion isn't the same as authentication tag The size of the authentication tag contributes to the expansion by the AEAD, and it's probably the case that this will remain so, but the expansion could technically be larger (a CBC-mode AEAD for instance might have padding, see https://tools.ietf.org/html/draft-mcgrew-aead-aes-cbc-hmac-sha2-05#section-2.3). --- draft-ietf-quic-tls.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-quic-tls.md b/draft-ietf-quic-tls.md index bb51fd1df3..cf1ffb7f5d 100644 --- a/draft-ietf-quic-tls.md 
+++ b/draft-ietf-quic-tls.md @@ -774,7 +774,7 @@ IVs for 1-RTT packets sent by the client and server are derived from the current generation of client_pp_secret and server_pp_secret respectively. The length of the output is determined by the requirements of the AEAD function selected by TLS. All ciphersuites currently used for QUIC have a 16-byte authentication -tag, thus producing an ouput 16 bytes larger than their input. +tag and produce an ouput 16 bytes larger than their input. The key length is the AEAD key size. As defined in Section 5.3 of {{!TLS13}}, the IV length is the larger of 8 or N_MIN (see Section 4 of {{!AEAD=RFC5116}}; all ciphersuites defined in {{?TLS13}} have N_MIN set to
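Review bot: In PATCH 1/2, the added sentence ("All ciphersuites currently used for QUIC have a 16-byte authentication tag, thus producing an ouput 16 bytes larger than their input") uses "output" and "input" for the AEAD's ciphertext and plaintext. The sentence immediately before it, "The length of the output is determined by the requirements of the AEAD function", and the sentences after it sit in a paragraph about deriving keys and IVs, so a reader can take "output" to mean the same thing in both places. Suggest naming the quantities, for example "a ciphertext 16 bytes larger than the plaintext", or moving the sentence out from between the output-length and key-length statements.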
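Review bot: In PATCH 2/2, the replacement line "+tag and produce an ouput 16 bytes larger than their input." carries over the misspelling "ouput" from the line it removes; since this line is being rewritten anyway, correct it to "output" here. The rewording drops "thus" so that tag length and expansion read as two separate facts, which matches the commit message, but the distinction is only explained there; a short clause in the draft text saying that the expansion can exceed the tag length for some AEADs would keep the reasoning visible to readers of the document.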