Re: [TLS] Data limit for GCM under a given key.

2015-11-06 Thread Tony Arcieri
On Friday, November 6, 2015, Watson Ladd wrote:
> On Wed, Nov 4, 2015 at 3:43 PM, Dang, Quynh wrote:
> > I did not talk under indistinguishability framework. My discussion was about confidentiality protection and authentication.
>

Re: [TLS] Data limit for GCM under a given key.

2015-11-06 Thread Dave Garrett
On Friday, November 06, 2015 08:13:44 pm Eric Rescorla wrote:
> Update: we discussed this extensively in Yokohama and based on Watson's
> feedback and offline comments from David McGrew, the consensus was that we
> needed to add some sort of rekeying mechanism to support long-lived flows.
> Expect

Re: [TLS] Data limit for GCM under a given key.

2015-11-06 Thread Eric Rescorla
Update: we discussed this extensively in Yokohama and based on Watson's feedback and offline comments from David McGrew, the consensus was that we needed to add some sort of rekeying mechanism to support long-lived flows. Expect a PR on this next week. Note: We'll still need guidance to

Re: [TLS] Data limit for GCM under a given key.

2015-11-06 Thread Watson Ladd
On Wed, Nov 4, 2015 at 3:43 PM, Dang, Quynh wrote:
> I did not talk under indistinguishability framework. My discussion was about
> confidentiality protection and authentication.
What is the definition of "confidentiality protection" being used here?
>
> Quynh.
>

Re: [TLS] Data limit for GCM under a given key.

2015-11-06 Thread Eric Rescorla
On Fri, Nov 6, 2015 at 7:50 PM, Eric Rescorla wrote: > > > On Fri, Nov 6, 2015 at 7:46 PM, Yoav Nir wrote: > >> >> > On 7 Nov 2015, at 11:39 AM, Dave Garrett >> wrote: >> > >> > On Friday, November 06, 2015 08:13:44 pm Eric Rescorla

Re: [TLS] Data limit for GCM under a given key.

2015-11-06 Thread Dang, Quynh
Tony, You are correct. An Indistinguishability bound promises you no attacks will be below the bound assuming the claimed property(ies) of the underlying function in the construction (mode) hold(s). A distinguishing attack below the bound tells you that the construction or the underlying

[TLS] I-D Action: draft-ietf-tls-chacha20-poly1305-02.txt

2015-11-06 Thread internet-drafts
A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Transport Layer Security Working Group of the IETF.
Title : ChaCha20-Poly1305 Cipher Suites for Transport Layer Security (TLS)
Authors : Adam

Re: [TLS] I-D Action: draft-ietf-tls-chacha20-poly1305-01.txt

2015-11-06 Thread Adam Langley
On Tue, Nov 3, 2015 at 8:25 AM, Benjamin Kaduk wrote:
> % 1. The 64-bit record sequence number is serialized as an 8-byte,
> % big-endian value and padded on the left with 4 zeroes.
>
> I assume you mean zero octets/bytes, and not ASCII '0' (or EBCDIC, or ...)
>
>