- From: Manger, James <James.H.Manger@team.telstra.com>
- Date: Fri, 27 Jan 2017 01:50:15 +0000
- To: Martin Thomson <martin.thomson@gmail.com>
- CC: "ilariliusvaara@welho.com" <ilariliusvaara@welho.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
>> If we go with this approach, we should also distinguish the 1st record. For instance, for the end-of-padding byte: > I think that might be going too far. Truncating the first record requires that you are able to find an input to HKDF that provides the same key, and a nonce that has just the lower bit flipped (you can truncate more with higher probability). That requires several preimage attacks on SHA-256 in series. Mostly though, marking the start also increases complexity. I think that it's enough to say 0x01 = keep going, 0x02 = all done. I agree that Start-or-middle vs End is enough in this case due to the KDF. I was hoping for an anti-truncation mechanism that didn't depend in a not-completely-obvious-to-me manner on a seemingly quite separate aspect: the KDF. For instance, even with no KDF (for key or nonce) having a byte distinguishing start/middle/end would be sufficient to authenticate you have received an authentic prefix or suffix or complete message. -- James Manger
Received on Friday, 27 January 2017 01:51:26 UTC