[Cryptography] Literature on reusing same key for AES / HMAC?
Bertrand Mollinier Toublet
crypto-metzdowd at bmt-online.org
Wed Nov 4 20:09:45 EST 2015
> On Nov 4, 2015, at 11:09, Will Sargent <will.sargent at gmail.com> wrote:
>
> Hi there,
>
> I'm looking at a very specific issue, where the same secret key is used with AES-CTR for encryption, and then later that same key is used for signing the ciphertext with HMAC-SHA1. I know that generally it's unsafe for CBC-MAC (which I'm not familiar with) and RSA keys: I want to be able to say AES / HMAC is a safe or unsafe construction, and so far I'm not sure which.
>
> […] If the answer is "no-one's looked, but it can't be good" then that's fine too.
>
Will,
as long as I have HMAC-SHA signed AES-XXX encrypted messages, I’ve made sure to carry two, separate, keys dedicated to the AES operation and to the HMAC operation. That is I’m bringing one voice to the “I haven’t looked but it can’t be good” line of answers. For credentials (i.e. not just that random French dude trolling on metzdowd), this has been in the context of the Netflix control protocol, and before that in the context of the iTunes Store content security protocols.
HTH,
-—
Bertrand
More information about the cryptography
mailing list