Re: I-D Action: draft-thomson-postel-was-wrong-01.txt

2017-06-19 11:07:00
On Mon, Jun 19, 2017 at 8:01 AM, Paul Wouters <paul(_at_)nohats(_dot_)ca> wrote:

On Mon, 19 Jun 2017, Eric Rescorla wrote:

      Also the consequences of being strict can be worse. Should a TLS
      connection fail if the nonce size for the integrity algorithm is
      too weak?

Not to get too into the weeds, but this isn't a coherent question: In TLS
1.1 and TLS 1.2 [0] the size of the nonce is associated with the cipher
suite and it's encoded onto the wire without framing. If the sender uses
the wrong nonce size, you just get integrity failures.


Ok you caught me on a last minute IKE -> TLS word-smithing change :)

We did run into this in our IKE implementation when going through FIPS
validation. And it seemed no one cared that our values were too small
to do SHA2_512.


Maybe we should take this offline, but I'm not really seeing a connection
between the size of the hash function you are using as the basis for your
MAC and the size of the nonces.

-Ekr



Paul
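
Added example (not part of the original messages): a Python sketch of the unframed TLS 1.2 record layout mentioned in the thread, where the receiver slices the explicit nonce at the length its cipher suite fixes, so a sender using a different nonce size surfaces only as an integrity failure. The AEAD is an HMAC-SHA256 stand-in rather than AES-GCM, and seal/open_record are hypothetical names; the 8-byte nonce and 16-byte tag lengths are those of the TLS 1.2 AES-GCM suites.

```python
import hashlib
import hmac
import os

# Lengths fixed by the negotiated cipher suite and never sent on the wire
# (the TLS 1.2 AES-GCM suites use an 8-byte explicit nonce and a 16-byte tag).
EXPLICIT_NONCE_LEN = 8
TAG_LEN = 16


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Stand-in cipher (assumption): HMAC-SHA256 in counter mode, not AES-GCM."""
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, b"ks" + nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]


def _tag(key: bytes, nonce: bytes, ct: bytes) -> bytes:
    # The nonce is a separate, length-bound input, as it is in a real AEAD.
    msg = b"tag" + len(nonce).to_bytes(2, "big") + nonce + ct
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


def seal(key: bytes, plaintext: bytes, nonce_len: int = EXPLICIT_NONCE_LEN) -> bytes:
    """Sender: emit nonce || ciphertext || tag with no length fields."""
    nonce = os.urandom(nonce_len)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + _tag(key, nonce, ct)


def open_record(key: bytes, record: bytes) -> bytes:
    """Receiver: slice at the suite's fixed offsets; it cannot see the sender's nonce size."""
    if len(record) < EXPLICIT_NONCE_LEN + TAG_LEN:
        raise ValueError("bad_record_mac")
    nonce = record[:EXPLICIT_NONCE_LEN]
    ct, tag = record[EXPLICIT_NONCE_LEN:-TAG_LEN], record[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(key, nonce, ct)):
        raise ValueError("bad_record_mac")  # the only error the receiver can report
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


if __name__ == "__main__":
    key = bytes(32)  # constructed sample key
    print(open_record(key, seal(key, b"hello")))
    for wrong in (4, 12):
        try:
            open_record(key, seal(key, b"hello", nonce_len=wrong))
        except ValueError as err:
            print(wrong, "byte nonce ->", err)
```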
