Re: I-D Action: draft-thomson-postel-was-wrong-01.txt


On Mon, Jun 19, 2017 at 8:01 AM, Paul Wouters <paul@xxxxxxxxx> wrote:
On Mon, 19 Jun 2017, Eric Rescorla wrote:

      Also the consequences of being strict can be worse. Should a TLS connection fail if the nonce size for the
      integrity algorithm is too weak?

Not to get too into the weeds, but this isn't a coherent question: In TLS 1.1 and TLS 1.2 [0]
the size of the nonce is associated with the cipher suite and it's encoded onto the wire
without framing. If the sender uses the wrong nonce size, you just get integrity failures.

Ok you caught me on a last minute IKE -> TLS word-smithing change :)

We did run into this in our IKE implementation when going through FIPS
validation. And it seemed no one cared that our values were too small
to do SHA2_512.

Maybe we should take this offline, but I'm not really seeing a connection between
the size of the hash function you are using as the basis for your MAC and the
size of the nonces.

-Ekr



Paul
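
The point made above about a nonce whose size comes from the cipher suite and is written to the wire without framing, as an added example that is not part of the original thread. It is a simplified Python model, not real TLS record protection: HMAC-SHA256 stands in for the AEAD tag, the payload is left unencrypted, and the suite names, key and payload are constructed for illustration.

```python
import hashlib
import hmac

TAG_LEN = 32  # HMAC-SHA256 output, standing in for the AEAD tag

# Constructed suite table (hypothetical names): the nonce length comes from
# the negotiated suite and is never carried in the record itself.
SUITE_NONCE_LEN = {"SUITE_A": 8, "SUITE_B": 12}


def _tag(key: bytes, nonce: bytes, payload: bytes) -> bytes:
    # The nonce selects a per-record key, so nonce and payload enter the
    # MAC separately, as they do in an AEAD.
    record_key = hmac.new(key, b"nonce:" + nonce, hashlib.sha256).digest()
    return hmac.new(record_key, payload, hashlib.sha256).digest()


def seal(key: bytes, nonce: bytes, payload: bytes) -> bytes:
    """Sender: emit nonce || payload || tag, with no length field anywhere."""
    return nonce + payload + _tag(key, nonce, payload)


def open_record(key: bytes, suite: str, record: bytes) -> bytes:
    """Receiver: split at the offset the suite dictates, then verify."""
    n = SUITE_NONCE_LEN[suite]
    if len(record) < n + TAG_LEN:
        raise ValueError("record too short")
    nonce, payload, tag = record[:n], record[n:-TAG_LEN], record[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(key, nonce, payload)):
        raise ValueError("integrity failure")
    return payload


def demo() -> dict:
    key = bytes(range(32))   # constructed key
    payload = b"hello"       # constructed payload
    results = {}
    for sender_len in (8, 12):  # the receiver always expects SUITE_A (8 bytes)
        record = seal(key, bytes(range(sender_len)), payload)
        try:
            results[sender_len] = open_record(key, "SUITE_A", record)
        except ValueError as exc:
            results[sender_len] = str(exc)
    return results


if __name__ == "__main__":
    print(demo())
```

The receiver has no field to inspect for a nonce-length check: the extra four nonce bytes are simply read as payload, and the only observable outcome is the failed tag.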

