- I am not sure if I got it right: a counter of messages can be used as/instead of the nonce?
I mean a message like this:
Header(2bytes) | counter(8bytes) | Body(n bytes encrypted) | HMAC-SHA1
with counter = 1 (63 of the bits = 0), is that ok?
- I understand that I should never use the same key with the same nonce twice.
What do I do when a new connection is started and counter starts from 1 again?
I understand that I should never use the same key with the same nonce twice. What do I do when a new connection is started and counter starts from 1 again?
If you re-use a nonce with the same key, this happens. You should store the counter, which you use as a nonce, somewhere on the client, increment it for every message that you send and write it back to storage before you send that message. This is important, because if you fail to write it back, but send the message, the next message will use the same counter. You really should not send the message if you can't write the counter back.
If you cannot store something like a counter on the client, then you can randomly generate the nonce. 64 bit does not provide much space for good collision resistance. You should expect to get the first nonce collision after 2^32 messages with the same key. If you have much, much fewer messages than this, then you can simply generate a random nonce and be fairly sure that there won't be a collision. If you want to be extra sure, use XSalsa20, which uses a 192 bit IV/nonce.
I am not sure if I got it right: a counter of messages can be used as/instead of the nonce?
Nonce means number used once. If you always increment the counter, then you will always have a different number which you use once. So, yes, a counter can be used as a nonce.
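The counter-as-nonce handling from the answer above, written out as an added example; this is not code from the original thread or from any Salsa20 library. It follows the asker's layout, Header(2 bytes) | counter(8 bytes) | Body(encrypted) | HMAC-SHA1, and implements the answer's rule: the next counter value is written to storage (and fsynced) before the message is encrypted, so a failed write means no message is sent, and a "new connection" reloads the stored counter instead of restarting at 1. Assumptions, labelled in the code: the 2-byte header value is constructed; the stream cipher is a stand-in (HMAC-SHA256 used as a PRF in counter mode) because the Python standard library ships no Salsa20, chosen only because it has the same property that matters here, namely that the same (key, nonce) yields the same keystream. The last function shows what that property costs on nonce reuse: the XOR of the two ciphertexts equals the XOR of the two plaintexts.

```python
import hashlib
import hmac
import os
import struct
import tempfile

HEADER = b"\x00\x01"   # constructed 2-byte header value (assumption, not from the post)
COUNTER_BITS = 64      # the 8-byte counter field from the question


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def keystream(key, nonce, length):
    """Stand-in for Salsa20 (assumption): HMAC-SHA256 as a PRF in counter mode.

    Not the real cipher; it only reproduces the property the thread is about:
    the same (key, nonce) pair always produces the same keystream.
    """
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", block), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


class PersistentCounter:
    """64-bit send counter kept on disk, as the answer suggests for the client."""

    def __init__(self, path):
        self.path = path
        try:
            with open(path, "rb") as f:
                (self.counter,) = struct.unpack(">Q", f.read(8))
        except FileNotFoundError:
            self.counter = 0   # first use: counter 1 will be the first nonce

    def next_nonce(self):
        nxt = self.counter + 1
        if nxt >= 1 << COUNTER_BITS:
            raise OverflowError("counter exhausted: rotate the key before sending more")
        # Write-before-send: commit the new value to storage first. If this raises,
        # the caller never gets a nonce and therefore never sends the message.
        tmp = self.path + ".tmp"
        with open(tmp, "wb") as f:
            f.write(struct.pack(">Q", nxt))
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, self.path)   # atomic: old or new counter is on disk, never neither
        self.counter = nxt
        return struct.pack(">Q", nxt)   # counter = 1 -> 63 leading zero bits, as in the question


def random_nonce():
    """The fallback from the answer when nothing can be stored: expect the first
    collision around 2^32 messages per key for a 64-bit nonce (birthday bound)."""
    return os.urandom(8)


def seal(enc_key, mac_key, nonce, body):
    ct = _xor(body, keystream(enc_key, nonce, len(body)))
    msg = HEADER + nonce + ct
    return msg + hmac.new(mac_key, msg, hashlib.sha1).digest()   # encrypt-then-MAC


def open_message(enc_key, mac_key, packet):
    msg, tag = packet[:-20], packet[-20:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, msg, hashlib.sha1).digest()):
        raise ValueError("bad MAC")
    header, nonce, ct = msg[:2], msg[2:10], msg[10:]
    if header != HEADER:
        raise ValueError("unexpected header")
    return nonce, _xor(ct, keystream(enc_key, nonce, len(ct)))


def nonce_reuse_leaks_xor(enc_key, nonce, p1, p2):
    """Why reuse is fatal with a stream cipher: c1 XOR c2 == p1 XOR p2."""
    ks = keystream(enc_key, nonce, len(p1))
    return _xor(_xor(p1, ks), _xor(p2, ks)) == _xor(p1, p2)


def run_demo():
    enc_key, mac_key = os.urandom(32), os.urandom(20)
    path = os.path.join(tempfile.mkdtemp(), "send_counter")
    ctr = PersistentCounter(path)
    n1 = ctr.next_nonce()
    pkt1 = seal(enc_key, mac_key, n1, b"first message")
    n2 = ctr.next_nonce()
    pkt2 = seal(enc_key, mac_key, n2, b"second message")
    # "New connection": reload the counter from storage rather than starting at 1 again.
    n3 = PersistentCounter(path).next_nonce()
    _, body = open_message(enc_key, mac_key, pkt2)
    tampered = pkt1[:-1] + bytes([pkt1[-1] ^ 1])
    try:
        open_message(enc_key, mac_key, tampered)
        mac_ok = False
    except ValueError:
        mac_ok = True
    return {
        "nonces": [n1, n2, n3],
        "roundtrip": body,
        "mac_rejects_tamper": mac_ok,
        "reuse_leaks_xor": nonce_reuse_leaks_xor(enc_key, n1, b"attack at dawn", b"attack at dusk"),
    }


if __name__ == "__main__":
    print(run_demo())
```

The nonces come out as 1, 2, 3 across the simulated reconnect, which is the whole point: the counter lives in storage, not in the connection. The same write-before-use discipline applies if the counter is kept in a database row instead of a file; what must never happen is encrypting with a value that has not yet been committed.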