This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How Key Expansion is structured

From the Wireshark logs I can see that the first 32 bytes are used for the Client Write Key, whereas in RFC 5246 it is stated that the first bytes are for the MAC, then the key and then the IV. What is the correct order? I'm using protocol TLS_RSA_WITH_AES_256_GCM_SHA384.

Thanks

key expansion[168]:
| 74 0e 20 ea 20 ea 7b db dd d8 31 85 e6 1c ec 52 |t. . .{...1....R|
| be a0 8d ad 48 73 08 ac 0e 09 06 4f dd a4 68 5f |....Hs.....O..h_|
| 2d 4d d3 bf 92 3d 96 a8 38 a4 c0 35 21 f9 dd ce |-M...=..8..5!...|
| 9e a9 28 60 c5 a5 17 38 85 ca fe a9 66 35 db 1f |..(`...8....f5..|
| b5 68 3e 15 4c 81 23 64 7d e6 31 f0 40 79 80 17 |.h>.L.#d}.1.@y..|
| 03 06 0d 27 d5 4f 52 f0 6c 8a 30 12 65 3d 9c 70 |...'.OR.l.0.e=.p|
| 74 18 cb 6b 77 55 24 f9 e2 06 83 48 89 83 10 3c |t..kwU$....H...<|
| 59 70 83 b1 04 38 c6 cf 19 2f 17 4c 19 f5 bb 6e |Yp...8.../.L...n|
| 58 b6 d6 da 92 f0 64 14 55 8f f1 4a 43 1c ef c2 |X.....d.U..JC...|
| 7e 67 a3 8b b8 c4 b3 71 61 28 c2 58 8d 3b 1c a8 |~g.....qa(.X.;..|
| b1 fe 63 20 7b 19 61 b6                         |..c {.a.        |
Client Write key[32]:
| 74 0e 20 ea 20 ea 7b db dd d8 31 85 e6 1c ec 52 |t. . .{...1....R|
| be a0 8d ad 48 73 08 ac 0e 09 06 4f dd a4 68 5f |....Hs.....O..h_|
Server Write key[32]:
| 2d 4d d3 bf 92 3d 96 a8 38 a4 c0 35 21 f9 dd ce |-M...=..8..5!...|
| 9e a9 28 60 c5 a5 17 38 85 ca fe a9 66 35 db 1f |..(`...8....f5..|
Client Write IV[4]:
| b5 68 3e 15                                     |.h>.            |
Server Write IV[4]:
| 4c 81 23 64                                     |L.#d            |

asked 17 Oct '16, 12:15

Gil Fefer

edited 18 Oct '16, 00:55

Lekensteyn


One Answer:

AEAD ciphers (like the AES-GCM family) do not need an additional MAC key since the construction already provides authentication (AEAD = Authenticated Encryption with Additional Data).

In RFC 5246 (Section 6.3) you can find the following partitioning of the key expansion block:

  client_write_MAC_key[SecurityParameters.mac_key_length]
  server_write_MAC_key[SecurityParameters.mac_key_length]
  client_write_key[SecurityParameters.enc_key_length]
  server_write_key[SecurityParameters.enc_key_length]
  client_write_IV[SecurityParameters.fixed_iv_length]
  server_write_IV[SecurityParameters.fixed_iv_length]

For TLS_RSA_WITH_AES_256_GCM_SHA384, the MAC key length is zero (as explained above). The encryption key length is 32 bytes (due to AES256). The "IV" block is actually being used as part of the GCM nonce and is four bytes.

You can find these details also in RFC 5288.

answered 18 Oct '16, 01:38

Lekensteyn
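
The partitioning described in the answer, applied to the key block from the question (an added example, not part of the original posts and not Wireshark's code). The names split_key_block and gcm_nonce and the explicit nonce value are assumptions made for illustration; the salt-plus-explicit-part nonce layout is the one given in RFC 5288, section 3.

```python
# Added example: split a TLS 1.2 key block in the RFC 5246 section 6.3 order.

# First 72 bytes of the "key expansion" dump posted in the question.
KEY_BLOCK = bytes.fromhex(
    "74 0e 20 ea 20 ea 7b db dd d8 31 85 e6 1c ec 52"
    "be a0 8d ad 48 73 08 ac 0e 09 06 4f dd a4 68 5f"
    "2d 4d d3 bf 92 3d 96 a8 38 a4 c0 35 21 f9 dd ce"
    "9e a9 28 60 c5 a5 17 38 85 ca fe a9 66 35 db 1f"
    "b5 68 3e 15 4c 81 23 64"
)


def split_key_block(block, mac_key_length, enc_key_length, fixed_iv_length):
    """Partition a key block; zero-length fields come back as b''."""
    layout = [
        ("client_write_MAC_key", mac_key_length),
        ("server_write_MAC_key", mac_key_length),
        ("client_write_key", enc_key_length),
        ("server_write_key", enc_key_length),
        ("client_write_IV", fixed_iv_length),
        ("server_write_IV", fixed_iv_length),
    ]
    needed = sum(length for _, length in layout)
    if len(block) < needed:
        raise ValueError(f"key block too short: {len(block)} < {needed}")
    out, offset = {}, 0
    for name, length in layout:
        out[name] = block[offset:offset + length]
        offset += length
    return out


def gcm_nonce(fixed_iv, explicit_nonce):
    """RFC 5288 section 3: 12-byte nonce = 4-byte salt || 8-byte explicit part."""
    if len(fixed_iv) != 4 or len(explicit_nonce) != 8:
        raise ValueError("expected a 4-byte salt and an 8-byte explicit nonce")
    return fixed_iv + explicit_nonce


# TLS_RSA_WITH_AES_256_GCM_SHA384: no MAC key, 32-byte key, 4-byte fixed IV.
KEYS = split_key_block(KEY_BLOCK, 0, 32, 4)

if __name__ == "__main__":
    for name, value in KEYS.items():
        print(f"{name:22} [{len(value):2}] {value.hex()}")
    # Constructed explicit nonce; on the wire it is carried in each record.
    print(gcm_nonce(KEYS["client_write_IV"], bytes(7) + b"\x01").hex())
```

With mac_key_length set to 0 both MAC slots are empty, so client_write_key starts at offset 0 of the key block, which is what the Wireshark output in the question shows.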