[Cryptography] Literature on reusing same key for AES / HMAC?

ianG iang at iang.org
Sat Nov 7 05:14:49 EST 2015 

On 7/11/2015 02:24 am, Will Sargent wrote:
> On Fri, Nov 6, 2015 at 6:01 AM, Max Kington <mkington at webhanger.com
> <mailto:mkington at webhanger.com>> wrote:
>
>
>
>     On Wed, Nov 4, 2015 at 7:09 PM, Will Sargent <will.sargent at gmail.com
>     <mailto:will.sargent at gmail.com>> wrote:
>
>         Hi there,
>
>         I'm looking at a very specific issue, where the same secret key
>         is used with AES-CTR for encryption, and then later that same
>         key is used for signing the ciphertext with HMAC-SHA1.  I know
>         that generally it's unsafe for CBC-MAC (which I'm not familiar
>         with) and RSA keys: I want to be able to say AES / HMAC is a
>         safe or unsafe construction, and so far I'm not sure which.
>
>
>     Ultimately you could only be /sure /it's an unsafe construction but
>     only have some confidence in it being a safe construction.
>
>     I guess the real question is to what end?
>
>     As Ian says, are you reviewing an existing system?  If so are you
>     trying to assert that the application *needs* changing to better
>     apply a separation of use principle for the purpose of a key (namely
>     that your encryption and integrity keys should be different for all
>     the key management reasons that's a good idea)?  Or is is that you
>     want to assert that in this case, the risk is low and doesn't *have*
>     to be changed but could be?
>
>
> This is a system I'm decommissioning, because homegrown crypto is a Bad
> Idea.


That's quite controversial.

  * It sort of posits that homegrown crypto causes people to act more 
dangerously, the so-called "false sense of security" ... but this isn't 
really how the world works.  In the real world, we run through the list 
of risks, do what we can to mitigate them, and then move on.  Those that 
we fail to close of, we accept.  We're at risk all the time against 
everything, it's just a set of different levels.

  * As a practical observation, home grown crypto is often shown to have 
weaknesses due to the simple lack of knowledge - fair enough given the 
limited time the home gardener has to pick up the skills.  But what is 
not shown very often is that the home grown crypto led to actual 
monetary damages, and that is because:

  * Homegrown crypto is a far better thing than no crypto, and while 
it's not being attacked by an actual person with cryptanalytic 
experience, it's knocking hordes of scammers, script kiddies, criminal 
gangs and what-have-you.  There still remains a tight negative 
correlation between cryptanalytic skills and criminal gangs, although 
the publication of academic results does tend to lead to the development 
of script exploits leading to potential dangers.

  * people in the crypto business like to say "homegrown crypto is a bad 
idea" so that they get the job.  But this is about their security not 
yours.  Unfortunately, the professionals who say that often can't do 
risk analysis so they can't see that their approach can take away 
important elements of your other security.  Leaving you worse off than 
if you focus on what is really hurting your business.


> I want to be able to assert that the reuse of keys here, while
> not recommended, has not been actively broken (or at least, there are no
> publications to that effect), and if they used AES-CTR and then
> immediately MACed the result and didn't mix it with anything... then
> they're probably fine.  Maybe.


Sounds ok.


>     I think you need to be a bit careful about what is meant here by
>     safe and unsafe and think about it in the context of what you're
>     concerned about.  Specific cryptographic attacks relating to using
>     AES as the chosen block cipher to underpin MAC OR the general
>     principal of key separation.
>
>
> Right -- I know that AES-CTR + HMAC is a construction and so there are
> Ways To Do That Wrong.  However, I can't know how users put them
> together.  I have a library that exposes an encrypt method, and a sign
> (HMAC-SHA1) method -- no real way to know how users composed them, if
> they did at all.


Ah.  So maybe what you really want is a library that exposes an 
encrypt&auth method.  This is called Authenticated Encryption or AEAD, 
and is a thing.  It's not so well standardised as yet, there is an 
active competition to provide it.  Probably the algorithm that is most 
popular in this vein is Chacha/Poly but even that is two algorithms 
composed.

(BTW, calling the HMAC-SHA1 'signing' isn't quite right.  Signing is 
reserved for public key ops, as they have long term reliability, whereas 
the use of HMACs is considered to be ephemeral, temporary, good enough 
to stop an attacker in the next minute.  Authentication is the verb most 
used there.)


>       Key purpose reuse is what Weis goes on to talk about is the
>     general idea that every time you use a key you expose information
>     about the key.  If you are ever forced to have to change a key
>     because it has been compromised (either stolen or broken and
>     recovered) then you are able to make assertions about what you've
>     lost, i.e. the data previously might not have had integrity but it
>     wasn't ever exposed.  Can I go back, check the contents of my data
>     and be satisfied that it is what was transmitted and not interfered
>     with but still be happy it's not been leaked.
>
>     The general perspective case to my mind probably doesn't warrant
>     changing an incumbent system (at least in any high priority) but
>     would make me want to encourage a change to the design of a system
>     yet to be deployed if that's an option.
>
>     Sorry if this is all a bit teaching granny to suck eggs but are you
>     worried about the general case or some specific attack? Because that
>     matters a lot in the context of your question.
>
>
> It's more general advice.  The encrypt method is not used at all within
> the system itself, only signing is used.  Some end users found and
> started using the encrypt / sign methods for their own crypto and so I'm
> deprecating those methods and sticking large warnings over everything.


Hmmm... you haven't established a harm as yet.  Maybe you know something 
else, but it doesn't seem like a huge problem that they're putting some 
extra encryption in place?


> Then I'm going to point them at Kalium or Keyczar and wish them good luck.


If you're moving them from an old deprecated library to a newer 
supported one, ok.  OTOH, if you're moving them from some standard 
inhouse thing that they already have, and are just adding another 
external dependency, well, that could cause issues on its own.



iang

More information about the cryptography mailing list