On Tue, Nov 3, 2015 at 2:34 AM, Nikos Mavrogiannopoulos <[email protected]> wrote:
> I agree that protecting the length of the communicated data is
> important, but there is nothing specific to this cipher. All modern TLS
> ciphers today are stream ciphers (i.e., AES-GCM and AES-CCM (*)), so
> they offer the same protection as chacha20 with respect to hiding the
> length. Maybe we should add a note about that in the security
> considerations.
I've added the following to the security considerations section in -02:
It should be noted that AEADs, such as ChaCha20-Poly1305, are not
intended to hide the lengths of plaintext. When this document speaks of
side-channel attacks, it is not considering traffic analysis, but
rather timing and cache side-channels. Traffic analysis, while a valid
concern, is outside the scope of the AEAD and is being addressed
elsewhere in future versions of TLS.
Cheers
AGL
--
Adam Langley [email protected] https://www.imperialviolet.org
_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls
