Re: HTTP/2 States and Frame Types <draft-ietf-httpbis-http2-17>


Don't listen to me on cryptography, I don't 
follow it. I'm probably out of date.

Nonetheless, I just skimmed the POODLE paper 
[Möller14]. From my reading, POODLE surely only 
applies to padding that is beyond the coverage of 
the MAC (i.e. which necessarily has to have been 
added while encrypting). I don't think these 
chosen ciphertext attacks (CCAs) apply to HTTP/2 
padding, because the HTTP/2 padding is in the 
layer below the encryption process, so it will 
surely always be covered by the MAC.

If, as in HTTP/2, the length of the padding field 
is given in the protocol header (which is then 
encrypted), I believe the padding can be 
arbitrary, and I assume it's best for the padding 
not to be structured (predictable).

But please don't take my word for it - crypto is not my field.

[Möller14] Möller, Bodo; Duong, Thai; Kotowicz, 
Krzysztof, "This POODLE Bites: Exploiting The SSL 
3.0 Fallback" (September 2014). <>


At 19:23 06/03/2015, Martin Thomson wrote:
>On 6 March 2015 at 11:05, Bob Briscoe <> wrote:
> > Why does padding have to be filled with zeros? There are good cryptographic
> > reasons for not requiring this.
>Remember POODLE, I think that the opposite is true.  Also c.f. IND-CCA
>(and IND-CCA2).

Bob Briscoe,                                                  BT 

Received on Saturday, 7 March 2015 15:16:15 UTC