Am I right that AEAD encryption / decryption uses the TLS sequence number twice, the first time in the nonce and a second time in the additional data?
And why did they make the TLS 1.2 sequence number 2 times larger than the TSP sequence number? Why do they need this overhead?
Additional information from rfc5246#page-25
The additional authenticated data, which we denote as additional_data, is defined as follows:
additional_data = seq_num + TLSCompressed.type + TLSCompressed.version + TLSCompressed.length;
Information on the nonce from rfc5288#page-2
struct { opaque salt[4]; opaque nonce_explicit[8]; } GCMNonce;
The salt is the "implicit" part of the nonce and is not sent in the packet. Instead, the salt is generated as part of the handshake process: it is either the client_write_IV (when the client is sending) or the server_write_IV (when the server is sending). The salt length (SecurityParameters.fixed_iv_length) is 4 octets.
The nonce_explicit is the "explicit" part of the nonce. It is chosen by the sender and is carried in each TLS record in the GenericAEADCipher.nonce_explicit field. The nonce_explicit length (SecurityParameters.record_iv_length) is 8 octets.
Each value of the nonce_explicit MUST be distinct for each distinct invocation of the GCM encrypt function for any fixed key. Failure to meet this uniqueness requirement can significantly degrade security. The nonce_explicit MAY be the 64-bit sequence number.
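The record construction quoted above, carried through end to end as an added example (it is not code from the question or from either RFC). It builds the 12-octet GCMNonce as salt || nonce_explicit with the 64-bit sequence number as the explicit part, builds additional_data exactly as RFC 5246 lays it out, and then shows the receiver side, which the question does not cover: the receiver reads the explicit nonce out of the record but rebuilds additional_data from the sequence number it expects itself, so a record that is replayed, dropped or reordered fails the tag check even though its explicit nonce is well-formed. The key, write_IV and helper names (buildNonce, buildAAD, sealRecord, openRecord) are assumptions for the example; the AEAD is Go's standard-library AES-GCM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// Record-layer constants from RFC 5246, fixed here rather than negotiated.
const (
	recordTypeAppData = 23     // ContentType application_data
	versionTLS12      = 0x0303 // ProtocolVersion {3, 3}
)

// buildNonce assembles the 12-octet GCMNonce of RFC 5288: salt (4 octets, the
// write_IV from the handshake, never sent) followed by nonce_explicit (8 octets,
// carried in the record). The explicit part is the 64-bit sequence number.
func buildNonce(salt [4]byte, seq uint64) []byte {
	nonce := make([]byte, 12)
	copy(nonce[:4], salt[:])
	binary.BigEndian.PutUint64(nonce[4:], seq)
	return nonce
}

// buildAAD assembles additional_data of RFC 5246 section 6.2.3.3:
// seq_num (8) || type (1) || version (2) || length (2), where length is the
// plaintext (TLSCompressed) length, not the length of the encrypted body.
func buildAAD(seq uint64, recType byte, version uint16, plaintextLen int) []byte {
	aad := make([]byte, 13)
	binary.BigEndian.PutUint64(aad[0:8], seq)
	aad[8] = recType
	binary.BigEndian.PutUint16(aad[9:11], version)
	binary.BigEndian.PutUint16(aad[11:13], uint16(plaintextLen))
	return aad
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block) // 12-octet nonce, 16-octet tag
}

// sealRecord is the sender: it returns the GenericAEADCipher body
// nonce_explicit || ciphertext || tag for the record with sequence number seq.
func sealRecord(key []byte, salt [4]byte, seq uint64, recType byte, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := buildNonce(salt, seq)
	aad := buildAAD(seq, recType, versionTLS12, len(plaintext))
	body := make([]byte, 8, 8+len(plaintext)+gcm.Overhead())
	copy(body, nonce[4:]) // only the explicit part travels on the wire
	return gcm.Seal(body, nonce, plaintext, aad), nil
}

// openRecord is the receiver: the nonce is rebuilt from its own salt plus the
// explicit part read out of the record, but additional_data is rebuilt from the
// sequence number the receiver itself expects, so the tag binds the record to
// its position in the stream, not just to a unique nonce.
func openRecord(key []byte, salt [4]byte, expectedSeq uint64, recType byte, body []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(body) < 8+gcm.Overhead() {
		return nil, errors.New("record body too short")
	}
	nonce := make([]byte, 12)
	copy(nonce[:4], salt[:])
	copy(nonce[4:], body[:8])
	ctAndTag := body[8:]
	aad := buildAAD(expectedSeq, recType, versionTLS12, len(ctAndTag)-gcm.Overhead())
	return gcm.Open(nil, nonce, ctAndTag, aad)
}

func main() {
	// Constructed sample values: a fixed key and write_IV stand in for handshake output.
	key := []byte("0123456789abcdef")
	salt := [4]byte{0xde, 0xad, 0xbe, 0xef}
	body, err := sealRecord(key, salt, 7, recordTypeAppData, []byte("hello"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("record body: %x\n", body)
	if pt, err := openRecord(key, salt, 7, recordTypeAppData, body); err == nil {
		fmt.Printf("record with seq 7 accepted when seq 7 expected: %q\n", pt)
	}
	if _, err := openRecord(key, salt, 8, recordTypeAppData, body); err != nil {
		fmt.Println("same record presented when seq 8 expected: rejected,", err)
	}
}
```

The two uses of the sequence number do different jobs: in the nonce it guarantees that no (key, nonce) pair is ever reused across records, which GCM requires; in additional_data it is the receiver's own counter that goes into the tag computation, so the sender cannot be impersonated by a replay and an attacker who rewrites the explicit nonce field still fails authentication. Since the receiver never trusts the explicit part for ordering, there is no way to make it accept an out-of-sequence record without the key.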