How Key Expansion is structured

Question

From the wireshark logs I can see that the first 32 bytes are used for Client Write Key where in RFC5246 it stated that the first bytes are for the MAC then the Key and then the IV. What is the correct order? I'm using protocol TLS_RSA_WITH_AES_256_GCM_SHA384

Thanks

key expansion[168]:
| 74 0e 20 ea 20 ea 7b db dd d8 31 85 e6 1c ec 52 |t. . .{...1....R|
| be a0 8d ad 48 73 08 ac 0e 09 06 4f dd a4 68 5f |....Hs.....O..h_|
| 2d 4d d3 bf 92 3d 96 a8 38 a4 c0 35 21 f9 dd ce |-M...=..8..5!...|
| 9e a9 28 60 c5 a5 17 38 85 ca fe a9 66 35 db 1f |..(`...8....f5..|
| b5 68 3e 15 4c 81 23 64 7d e6 31 f0 40 79 80 17 |.h>.L.#d}.1.@y..|
| 03 06 0d 27 d5 4f 52 f0 6c 8a 30 12 65 3d 9c 70 |...'.OR.l.0.e=.p|
| 74 18 cb 6b 77 55 24 f9 e2 06 83 48 89 83 10 3c |t..kwU$....H...<|
| 59 70 83 b1 04 38 c6 cf 19 2f 17 4c 19 f5 bb 6e |Yp...8.../.L...n|
| 58 b6 d6 da 92 f0 64 14 55 8f f1 4a 43 1c ef c2 |X.....d.U..JC...|
| 7e 67 a3 8b b8 c4 b3 71 61 28 c2 58 8d 3b 1c a8 |~g.....qa(.X.;..|
| b1 fe 63 20 7b 19 61 b6                         |..c {.a.        |
Client Write key[32]:
| 74 0e 20 ea 20 ea 7b db dd d8 31 85 e6 1c ec 52 |t. . .{...1....R|
| be a0 8d ad 48 73 08 ac 0e 09 06 4f dd a4 68 5f |....Hs.....O..h_|
Server Write key[32]:
| 2d 4d d3 bf 92 3d 96 a8 38 a4 c0 35 21 f9 dd ce |-M...=..8..5!...|
| 9e a9 28 60 c5 a5 17 38 85 ca fe a9 66 35 db 1f |..(`...8....f5..|
Client Write IV[4]:
| b5 68 3e 15                                     |.h>.            |
Server Write IV[4]:
| 4c 81 23 64                                     |L.#d            |

Answer 1

AEAD ciphers (like the AES-GCM family) do not need an additional MAC key since the construction already provides authentication (AEAD = Authenticated Encryption with Additional Data).

In RFC 5246 (Section 6.3) you can find the following partitioning of the key expansion block:

  client_write_MAC_key[SecurityParameters.mac_key_length]
  server_write_MAC_key[SecurityParameters.mac_key_length]
  client_write_key[SecurityParameters.enc_key_length]
  server_write_key[SecurityParameters.enc_key_length]
  client_write_IV[SecurityParameters.fixed_iv_length]
  server_write_IV[SecurityParameters.fixed_iv_length]

For TLS_RSA_WITH_AES_256_GCM_SHA384, the MAC key length is zero (as explained above). The encryption key length is 32 bytes (due to AES256). The "IV" block is actually being used as part of the GCM nonce and is four bytes.

You can find these details also in RFC 5288.