[Cryptography] Why two keys? [was: Re: WhatsApp, Curve25519 workspace etc.]

Andrew Donoho awd at ddg.com
Thu May 5 14:40:43 EDT 2016


> On May 1, 2016, at 06:16 , Hanno Böck <hanno at hboeck.de> wrote:
> 
>> Moreover, more important: WhatsApp uses AES 256 in CBC mode, which is
>> excluded from TLS 1.3 draft. And there are some articles about it:
>> http://link.springer.com/chapter/10.1007%2F3-540-45708-9_2
> 
> Ok, I must say I was surprised that WhatsApp uses CBC (I had expected
> either GCM or ChaCha20-Poly1305), but there is no risk here either.
> All the weaknesses of CBC don't affect the mode itself, but a bad
> combination of CBC+HMAC. Quickly skimming through the WhatsApp whitepaper,
> they use CBC+HMAC with encrypt-then-MAC.

Gentle folk,

	I have a question about the WhatsApp protocol. On page 6 of the WhatsApp Security Whitepaper, they describe their end-to-end encryption for media and attachments. To support encrypting in AES-CBC mode, they generate an ephemeral 256-bit key and a 128-bit IV. Then they go further and generate a second 256-bit ephemeral key for calculating the HMAC-SHA256. As the first key already has a significant amount of entropy and is only used once, why isn't it reused for the HMAC-SHA256 calculation? On the face of it, it looks redundant for a single-use key.

Anon,
Andrew
____________________________________
Andrew W. Donoho
Donoho Design Group, L.L.C.
awd at DDG.com, +1 (512) 750-7596, twitter.com/adonoho

Essentially, all models are wrong, but some are useful.
	— George E.P. Box




