Struct rustls::crypto::CipherSuiteCommon

pub struct CipherSuiteCommon {
    pub suite: CipherSuite,
    pub hash_provider: &'static dyn Hash,
    pub confidentiality_limit: u64,
}

Common state for cipher suites (both for TLS 1.2 and TLS 1.3).
Fields

suite: CipherSuite
The TLS enumeration naming this cipher suite.

hash_provider: &'static dyn Hash
Which hash function the suite uses.

confidentiality_limit: u64
Number of TCP-TLS messages that can be safely encrypted with a single key of this type.

Once a MessageEncrypter produced for this suite has encrypted more than confidentiality_limit messages, an attacker gains an advantage in distinguishing it from an ideal pseudorandom permutation (PRP).

This is to be set on the assumption that messages are maximally sized: each is 2^14 bytes. It does not consider confidentiality limits for QUIC connections; see the quic::KeyBuilder.confidentiality_limit field for that context.

For AES-GCM implementations, this should be set to 2^24 to limit attack probability to one in 2^60. See AEBounds (Table 1) and draft-irtf-cfrg-aead-limits-08:
>>> import math
>>> p = 2 ** -60                      # target attacker advantage: one in 2^60
>>> L = (2 ** 14 // 16) + 1           # 16-byte blocks per maximal TLS record, plus one
>>> qlim = (math.sqrt(p) * (2 ** (129 // 2)) - 1) / (L + 1)
>>> print(int(qlim).bit_length())
24
For chacha20-poly1305 implementations, this should be set to u64::MAX: see https://www.ietf.org/archive/id/draft-irtf-cfrg-aead-limits-08.html#section-5.2.1
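The following Rust snippet is an added example, not rustls code, showing the same AES-GCM bound computed in the Python transcript above (so a reviewer can check the 2^24 figure for other advantage targets or record sizes) and a hypothetical per-key counter, `KeyUsage`, illustrating what a MessageEncrypter must do with `confidentiality_limit`: stop using the key, or trigger a key update, once the limit is reached. `aes_gcm_limit_bits`, `suite_limit` and `KeyUsage` are names chosen here and do not exist in rustls.

```rust
// Added example (not rustls's own code). It depends only on std.

/// Log2 of the AES-GCM per-key record limit from the formula quoted on
/// this page (draft-irtf-cfrg-aead-limits / AEBounds):
///   q <= (sqrt(p) * 2^(129/2) - 1) / (l + 1)
/// `p_log2` is the attacker advantage as a (negative) power of two,
/// e.g. -60 for p = 2^-60; `record_bytes` is the maximal plaintext
/// length of one record (2^14 for TLS). Hypothetical helper name.
pub fn aes_gcm_limit_bits(p_log2: i32, record_bytes: u64) -> u32 {
    let p = 2f64.powi(p_log2);
    // l = number of 16-byte blocks in a maximal record, plus one
    let l = (record_bytes / 16 + 1) as f64;
    let qlim = (p.sqrt() * 2f64.powi(129 / 2) - 1.0) / (l + 1.0);
    let q = qlim as u64;
    64 - q.leading_zeros() // bit length of the integer part of q
}

/// AEAD families the page discusses.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Aead {
    AesGcm,
    ChaCha20Poly1305,
}

/// The value the page says `confidentiality_limit` should hold for each
/// family: 2^24 records for AES-GCM, unbounded for chacha20-poly1305.
pub fn suite_limit(aead: Aead) -> u64 {
    match aead {
        Aead::AesGcm => 1 << 24,
        Aead::ChaCha20Poly1305 => u64::MAX,
    }
}

/// Hypothetical per-key usage counter: mirrors the enforcement a
/// MessageEncrypter needs, refusing further records once the limit is hit.
pub struct KeyUsage {
    encrypted: u64,
    limit: u64,
}

impl KeyUsage {
    pub fn new(limit: u64) -> Self {
        Self { encrypted: 0, limit }
    }

    /// Account for one more record under this key. Returns false when the
    /// key is exhausted, i.e. the caller must rekey before sending more.
    pub fn try_encrypt_one(&mut self) -> bool {
        if self.encrypted >= self.limit {
            return false;
        }
        self.encrypted += 1;
        true
    }

    /// Records still allowed under this key.
    pub fn remaining(&self) -> u64 {
        self.limit - self.encrypted
    }
}

fn main() {
    println!(
        "AES-GCM limit for p=2^-60, 2^14-byte records: 2^{}",
        aes_gcm_limit_bits(-60, 1 << 14)
    );
    let mut key = KeyUsage::new(suite_limit(Aead::AesGcm));
    assert!(key.try_encrypt_one());
    println!("records left under this AES-GCM key: {}", key.remaining());
}
```

The counter is deliberately tiny: the security-relevant part is that the check happens before every encryption and that exhaustion is a hard stop, not a warning. Lowering `p_log2` (a smaller acceptable advantage) or raising `record_bytes` both shrink the limit, which is why the page fixes both assumptions explicitly.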