- From: Ilari Liusvaara <ilariliusvaara@welho.com>
- Date: Fri, 27 Jan 2017 09:20:41 +0200
- To: "Manger, James" <James.H.Manger@team.telstra.com>
- Cc: Martin Thomson <martin.thomson@gmail.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
On Fri, Jan 27, 2017 at 01:50:15AM +0000, Manger, James wrote: > I was hoping for an anti-truncation mechanism that didn't depend in a > not-completely-obvious-to-me manner on a seemingly quite separate aspect: > the KDF. For instance, even with no KDF (for key or nonce) having a byte > distinguishing start/middle/end would be sufficient to authenticate you > have received an authentic prefix or suffix or complete message. Actually, if you don't use KDF to obtain the nonce base together with the key, attacker can corrupt messages unless you actually verify that the start block is in its proper place. This is because if attacker can choose noncebase, attacker can reorder the blocks so all decrypt properly. Using KDF prevents this because attacker can't produce suitably related noncebase pairs for the same key -Ilari
Received on Friday, 27 January 2017 07:21:18 UTC