Re: [TLS] where IVs come from (and other mysteries ...)

[Stephen Kent <kent@bbn.com>]

Sandeep,

Sorry to be so late in replying.
> ....
>
> RFC5288 states that
>    struct {
>                 opaque salt[4];
>                 opaque nonce_explicit[8];
>              } GCMNonce;
>
> ...the salt is generated as part of the handshake
>    process: it is either the client_write_IV (when the client is
>    sending) or the server_write_IV (when the server is sending).
>
> Does it mean that the module generates the nonce_explicit or the whole 
> GCMNonce. If it's the latter then the sequence number checking on 
> the TLS packet will not help.
The part of the structure labeled "salt" above is called the "fixed 
field" in NIST 800-38.
The FIPS 140-2 implementation guidance doc says that if one generates 
the explicit nonce
deterministically, e.g., using a counter or LFSR, then the fixed field 
represents the
"name" of the module and the name needs to be long enough to allow for 
at least 2**32
distinct values. The name need not be generated internal to the module; 
according to
Additional Comment #2, page 136, this field may be assigned by a user. 
So, in the context
of interest, TLS could supply the salt to an evaluated module, but the 
module would
generate the explicit nonce internally. There is separate test guidance 
if the whole IV
were to be generated randomly, but we're not discussing that approach 
here, based on
the RFC 5288 description you cited above.

Steve