[Cryptography] Literature on reusing same key for AES / HMAC?

Will Sargent will.sargent at gmail.com
Wed Nov 4 14:09:33 EST 2015


Hi there,

I'm looking at a very specific issue, where the same secret key is used
with AES-CTR for encryption, and then later that same key is used for
signing the ciphertext with HMAC-SHA1.  I know that generally it's unsafe
for CBC-MAC (which I'm not familiar with) and RSA keys: I want to be able
to say AES / HMAC is a safe or unsafe construction, and so far I'm not sure
which.

I've got two different sources, one saying that this is safe, the other one
that it is not.

Steve Weis here says that AES is not safe when using the same key for both
signing and encryption:

https://youtu.be/KDvt_0cafPw?t=36m45s

But Thomas Pornin says:

"With HMAC vs AES, no such interference is known. The *general feeling* of
cryptographers is that AES and SHA-1 (or SHA-256) are "sufficiently
different" that there should be no practical issue with using the same key
for AES and HMAC/SHA-1."

http://crypto.stackexchange.com/a/8086/10979

I've looked online, but don't know exactly what phrases to look for -- "key
reuse" is typically used in a "reusing key with same IV" sense, and "key
type mixing" doesn't show very much either.  "key separation principle"
brings up "On the Importance of the Key Separation Principle for Different
Modes of Operation" which is firewalled, and a paper on Key Reuse:

* https://crypto.stanford.edu/RealWorldCrypto/slides/kenny.pdf

and seems to be broadly applicable, but again... there doesn't seem to be a
paper available on AES-CTR + HMAC-SHA1.

I know people are busy, and any response at all will be useful, especially
if it can point me to the correct search terms or papers to back this up.
If the answer is "no-one's looked, but it can't be good" then that's fine
too.

Will.
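
The "key separation" approach the post mentions searching for, as an added example that is not part of the original message: two independent subkeys are derived from the single secret, so AES-CTR and HMAC-SHA1 never operate under the same key. The function names, the "enc"/"mac" labels and the `ciphertext || tag` layout are assumptions made for this sketch, and the master secret is assumed to be a uniformly random key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"fmt"
)

// subkey is the first block of HKDF-Expand (RFC 5869): HMAC-SHA256(master, label || 0x01), cut to 16 bytes.
func subkey(master []byte, label string) []byte {
	m := hmac.New(sha256.New, master)
	m.Write(append([]byte(label), 1))
	return m.Sum(nil)[:16]
}

func aesCTR(master, iv, in []byte) []byte {
	block, _ := aes.NewCipher(subkey(master, "enc")) // a 16-byte key is always accepted
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in) // CTR: same call encrypts and decrypts
	return out
}

// tag is HMAC-SHA1 over iv || ciphertext, keyed with the separate "mac" subkey.
func tag(master, iv, ct []byte) []byte {
	m := hmac.New(sha1.New, subkey(master, "mac"))
	m.Write(iv)
	m.Write(ct)
	return m.Sum(nil)
}

// Seal returns ciphertext || tag. iv is 16 bytes and must never repeat under one master key.
func Seal(master, iv, pt []byte) []byte {
	ct := aesCTR(master, iv, pt)
	return append(ct, tag(master, iv, ct)...)
}

// Open checks the tag in constant time and only then decrypts.
func Open(master, iv, sealed []byte) ([]byte, error) {
	n := len(sealed) - sha1.Size
	if n < 0 || !hmac.Equal(sealed[n:], tag(master, iv, sealed[:n])) {
		return nil, fmt.Errorf("authentication failed")
	}
	return aesCTR(master, iv, sealed[:n]), nil
}

func main() { fmt.Printf("%x\n", Seal(make([]byte, 16), make([]byte, 16), []byte("demo"))) } // constructed all-zero key and IV
```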