On 5 August 2015 at 11:13, Wan-Teh Chang <w...@google.com> wrote:
> Then, define the ChaChaNonce struct as described in the draft-TLS 1.3.
>
>        struct {
>            opaque nonce[12];
>        } ChaChaNonce;
>
>       1. The 64-bit record sequence number is padded to the left with
>          zeroes to 96 bits (12 octets).
>       2. The padded sequence number is XORed with either the
>          client_write_IV (when the client is sending) or the
>          server_write_IV (when the server is sending)
>       3. Store the XOR result in ChaChaNonce.nonce.


This looks fine.  Note that the general construction in TLS 1.3 should
be, more formally:

assert(N_MAX > 64bits)
nonce = {client|server}_{read|write}_IV[0..N_MAX] XOR lpad0(seq_num)

Of course, ChaChaX sets N_MAX to 96 bits, so what you described was correct.

--Martin

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
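
The nonce construction discussed in this thread, as an added example that is not code from either poster or from any TLS library. The helper name `build_record_nonce`, the sample IV and the sequence numbers are constructed for illustration. The sequence number is serialized big-endian, as TLS does on the wire, and the function generalizes from the 12-octet ChaCha case to any IV wider than 64 bits.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SEQ_LEN 8  /* the record sequence number is 64 bits */

/* Constructed sample write IV (12 octets, the ChaCha N_MAX of 96 bits). */
static const uint8_t SAMPLE_WRITE_IV[12] = {
    0x00, 0x01, 0x02, 0x03, 0x04, 0x05,
    0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b
};

/* Hypothetical helper: nonce = write_IV[0..iv_len) XOR lpad0(seq_num).
 * Returns 0 on success, -1 when the IV is not wider than 64 bits,
 * which is the assert(N_MAX > 64bits) condition from the message. */
int build_record_nonce(const uint8_t *write_iv, size_t iv_len,
                       uint64_t seq_num, uint8_t *nonce)
{
    size_t i;

    if (write_iv == NULL || nonce == NULL || iv_len <= SEQ_LEN)
        return -1;

    /* Left-padding with zeroes leaves the leading IV octets unchanged. */
    memcpy(nonce, write_iv, iv_len);

    /* The big-endian sequence number lines up with the last 8 octets. */
    for (i = 0; i < SEQ_LEN; i++)
        nonce[iv_len - 1 - i] ^= (uint8_t)(seq_num >> (8 * i));

    return 0;
}

int main(void)
{
    uint8_t nonce[12];
    size_t i;

    if (build_record_nonce(SAMPLE_WRITE_IV, sizeof nonce,
                           0x0102030405060708ULL, nonce) != 0)
        return 1;
    for (i = 0; i < sizeof nonce; i++)
        printf("%02x", nonce[i]);
    printf("\n");
    return 0;
}
```

Because the per-direction IV is fixed for the connection and the sequence number never repeats within it, each record gets a distinct nonce, and sequence number 0 yields the IV itself.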