[Cryptography] Literature on reusing same key for AES / HMAC?

Krisztián Pintér pinterkr at gmail.com
Sat Nov 7 15:56:55 EST 2015


ianG (at Friday, November 6, 2015, 2:33:43 AM):
> 3.  In contrast, I'd say, just don't do that.  At a minimum take the one
> key and expand it into two keys.

this sums up pretty much my problem with this "be on the safe side"
argument.

reusing the key is something like

AES(K, M) || HMAC-SHA256(K, M)

in contrast, if we derive separate keys from some master key, it
becomes

AES(SHA256(K||1), M) || HMAC-SHA256(SHA256(K||2), M)

how is that more secure? granted, there is a possibility that SHA256 is
broken in a way that does not affect the second construct. but this
logic would suggest throwing in as much crap as we can afford, like
replacing AES with AES(AES(AES(x))) and such. but nobody does that.
why?

also, the second method fixes some user errors, like related keys. but
such problems should be solved at the root, and not masked by weird
constructions.
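The two constructions being compared, as an added Go example that is not part of the thread: it derives the two keys exactly as the second formula does (SHA256(K||1) for AES, SHA256(K||2) for HMAC) and then uses them in an encrypt-then-MAC wrapper, so the AES key never touches the HMAC. The function names, the constructed master key and the caller-supplied IV are assumptions made here for the sake of a deterministic, runnable example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
)

// deriveKeys expands one master key into two independent 32-byte keys, exactly as
// written in the thread: SHA256(K||1) for AES, SHA256(K||2) for HMAC.
func deriveKeys(master []byte) (encKey, macKey []byte) {
	e := sha256.Sum256(append(append([]byte{}, master...), 1))
	m := sha256.Sum256(append(append([]byte{}, master...), 2))
	return e[:], m[:]
}

// ctr runs AES-CTR with a 16-byte IV; the same call encrypts and decrypts.
func ctr(block cipher.Block, iv, in []byte) []byte {
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out
}

// tag is HMAC-SHA256 under the MAC key (never the AES key) over iv||ciphertext.
func tag(macKey, data []byte) []byte {
	h := hmac.New(sha256.New, macKey)
	h.Write(data)
	return h.Sum(nil)
}

// seal is encrypt-then-MAC: iv || ct || HMAC(macKey, iv||ct). The caller passes iv so
// tests are deterministic; in production it must be fresh and random for every message.
func seal(block cipher.Block, macKey, iv, msg []byte) []byte {
	body := append(append([]byte{}, iv...), ctr(block, iv, msg)...)
	return append(body, tag(macKey, body)...)
}

// open checks the tag in constant time before decrypting; any tampering is rejected.
func open(block cipher.Block, macKey, sealed []byte) ([]byte, error) {
	if len(sealed) < aes.BlockSize+sha256.Size {
		return nil, errors.New("sealed message too short")
	}
	body, t := sealed[:len(sealed)-sha256.Size], sealed[len(sealed)-sha256.Size:]
	if !hmac.Equal(tag(macKey, body), t) {
		return nil, errors.New("authentication failed")
	}
	return ctr(block, body[:aes.BlockSize], body[aes.BlockSize:]), nil
}
```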
