Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Encrypt content type #51

Merged
merged 2 commits into from
Sep 22, 2015
Merged

Encrypt content type #51

merged 2 commits into from
Sep 22, 2015

Conversation

dkg
Copy link
Contributor

@dkg dkg commented Jul 1, 2014

No description provided.

This was referenced Mar 8, 2015
Closed
Closed
@dkg
Copy link
Contributor Author

dkg commented Sep 20, 2015

This pull request has been updated to the current master

ekr
ekr reviewed Sep 20, 2015
View reviewed changes
draft-ietf-tls-tls13.md
@@ -1010,17 +1010,14 @@ of {{RFC5116}}. The key is either the client_write_key or the server_write_key.

%%% Record Layer
struct {
ContentType type;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I thought we had agreed to have a dummy type outside the record, so that it doesn't break everyone's parser.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I thought the plan was just to do all the changes and see if anything important breaks that needs a kludge to deal with. I think you said this at one of the meetings, if I'm remembering from the video correctly.

@ekr
Copy link
Contributor

ekr commented Sep 21, 2015

Consensus at meeting to merge this PR with updates and with the dummy type byte restored.

@ekr has action item to actually measure whether we can strip off the now fixed type, record.version bytes.

@dkg
Move ContentType inside encryption
797f53a 
Previous versions of TLS have left the ContentType in the clear
without justifying the exposure of this piece of information.

This change moves the real ContentType inside the encryption to
protect its confidentiality.  It leaves the external ContentType, but
fixes its value to application_data(23) to appease silly middleboxes.

For clarity, this also means redefining the NULL_NULL case to not
simply be an pseudo-cipher that implements the identity
transformation, but to explicitly state it as sending the TLSPlaintext
struct directly over the wire.  ekr has agreed to re-write that text.
@dkg
Copy link
Contributor Author

dkg commented Sep 22, 2015

I've updated this with the expected changes: dummy external ContentType octet is restored, and fragment.type is after fragment.content instead of the other way around (to make it easier to encrypt without having to shuffle buffers).

@dkg
update exterior content type field name to opaque_type
26716d0 
This follows a good suggestion from Dave Garrett about disambiguating
field names.
@dkg
Copy link
Contributor Author

dkg commented Sep 22, 2015

I agree with davegarrett's suggestion about field naming here, and have supplied a change implementing it.

ekr added a commit that referenced this pull request Sep 22, 2015
@ekr
Merge pull request #51 from dkg/encrypt-content-type
84670a8 
Encrypt content type
@ekr ekr merged commit 84670a8 into tlswg:master Sep 22, 2015
ekr added a commit that referenced this pull request Oct 3, 2020
@ekr
Clarify PSK can't be used with certificate-based auth unless there is…
7905a13 
… some future extension. Fixes #52, Fixes #51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@dkg @ekr @davegarrett