diff --git a/common/crypto/auth.go b/common/crypto/auth.go
index b3a1aadf3..1f174dcf2 100644
--- a/common/crypto/auth.go
+++ b/common/crypto/auth.go
@@ -128,8 +128,10 @@ func (v *AuthenticationReader) CopyChunk(b []byte) int {
 }
 
 func (v *AuthenticationReader) EnsureChunk() error {
+	atHead := false
 	if v.buffer.IsEmpty() {
 		v.buffer.Clear()
+		atHead = true
 	}
 
 	for {
@@ -139,7 +141,7 @@ func (v *AuthenticationReader) EnsureChunk() error {
 		}
 
 		leftover := v.buffer.Bytes()
-		if len(leftover) > 0 {
+		if !atHead && len(leftover) > 0 {
 			common.Must(v.buffer.Reset(func(b []byte) (int, error) {
 				return copy(b, leftover), nil
 			}))
diff --git a/common/crypto/auth_test.go b/common/crypto/auth_test.go
index 1ee2a7a6a..b104cb864 100644
--- a/common/crypto/auth_test.go
+++ b/common/crypto/auth_test.go
@@ -91,6 +91,8 @@ func TestAuthenticationReaderWriterPartial(t *testing.T) {
 		AdditionalDataGenerator: &NoOpBytesGenerator{},
 	}, cache)
 
+	writer.Write([]byte{'a', 'b', 'c', 'd'})
+
 	nBytes, err := writer.Write(payload)
 	assert.Error(err).IsNil()
 	assert.Int(nBytes).Equals(len(payload))
@@ -120,6 +122,11 @@ func TestAuthenticationReaderWriterPartial(t *testing.T) {
 	}, pr)
 
 	actualPayload := make([]byte, 7*1024)
+	nBytes, err = reader.Read(actualPayload)
+	assert.Error(err).IsNil()
+	assert.Int(nBytes).Equals(4)
+	assert.Bytes(actualPayload[:nBytes]).Equals([]byte{'a', 'b', 'c', 'd'})
+
 	nBytes, err = reader.Read(actualPayload)
 	assert.Error(err).IsNil()
 	assert.Int(nBytes).Equals(len(actualPayload))