[Cryptography] Literature on reusing same key for AES / HMAC?

John-Mark Gurney jmg at funkthat.com
Sun Nov 8 12:29:44 EST 2015


Krisztián Pintér wrote this message on Sat, Nov 07, 2015 at 21:56 +0100:
> ianG (at Friday, November 6, 2015, 2:33:43 AM):
> > 3.  In contrast, I'd say, just don't do that.  At a minimum take the one
> > key and expand it into two keys.
> 
> this sums up pretty much my problem with this "be on the safe side"
> argument.
> 
> reusing the key is something like
> 
> AES(K, M) || HMAC-SHA256(K, M)

This is MAC-then-encrypt, which is recommended NOT to be used.  The
reason being that if M is large, then cipher text is large, and you
can perform a side channel attack on the AES decryption.  If you
instead do:

C = AES(Ke, M)
C || HMAC-SHA256(Ka, C)

Then an attacker would have to break the authentication step before
getting to the easier AES step.  This does have the disadvantage
that you have to fully process the cipher text before you start
decrypting, which for some applications could be a problem.

The reason the AES step is easier is that you are performing many AES
block en/decryptions w/ the same key, which gives you significantly
more data to perform a DPA (Differential power analysis)[1] attack.
In some cases, when you're encrypting a multi megabyte file, one or
two decryption attempts could be enough data to successfully perform a
DPA attack to retrieve the key.

So, if you used the same key for both encryption and authentication
as you suggested, then the attacker, once a successful attack was
completed on the decryption, would now be able to forge the
authentication token for any message they wanted.  If different or
derived keys were used, then this would not be possible.

[1] https://en.wikipedia.org/wiki/Power_analysis

-- 
  John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."


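The construction described in the message above, one master key expanded into separate Ke and Ka and the HMAC checked over the whole ciphertext before any AES operation runs, as an added Go example that is not code from the post or from the list. The HKDF-Expand style derivation, the "enc"/"mac" labels, AES-CTR and the IV || C || tag layout are this example's own assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

func deriveKey(master []byte, label string) []byte {
	m := hmac.New(sha256.New, master)
	m.Write(append([]byte(label), 0x01)) // HKDF-Expand style: label || block counter; "enc" and "mac" are this example's labels
	return m.Sum(nil)                     // 32 bytes: usable as an AES-256 key or an HMAC key
}

// Seal is encrypt-then-MAC: C = AES-CTR(Ke, M), tag = HMAC-SHA256(Ka, IV || C); output is IV || C || tag.
func Seal(master, plaintext []byte) ([]byte, error) {
	block, _ := aes.NewCipher(deriveKey(master, "enc")) // 32-byte key, so NewCipher cannot fail
	out := make([]byte, aes.BlockSize+len(plaintext))   // IV || C; the tag is appended below
	if _, err := rand.Read(out[:aes.BlockSize]); err != nil {
		return nil, err
	}
	cipher.NewCTR(block, out[:aes.BlockSize]).XORKeyStream(out[aes.BlockSize:], plaintext)
	mac := hmac.New(sha256.New, deriveKey(master, "mac"))
	mac.Write(out)
	return mac.Sum(out), nil // Sum appends the tag to IV || C
}

// Open verifies the tag over the whole message (constant-time compare) before any AES call, so Ke never touches unauthenticated data.
func Open(master, msg []byte) ([]byte, error) {
	if len(msg) < aes.BlockSize+sha256.Size {
		return nil, fmt.Errorf("message too short")
	}
	n := len(msg) - sha256.Size // boundary between IV || C and the tag
	mac := hmac.New(sha256.New, deriveKey(master, "mac"))
	mac.Write(msg[:n])
	if !hmac.Equal(mac.Sum(nil), msg[n:]) {
		return nil, fmt.Errorf("authentication failed, refusing to decrypt")
	}
	block, _ := aes.NewCipher(deriveKey(master, "enc"))
	pt := make([]byte, n-aes.BlockSize)
	cipher.NewCTR(block, msg[:aes.BlockSize]).XORKeyStream(pt, msg[aes.BlockSize:n])
	return pt, nil
}
func main() {
	msg, _ := Seal([]byte("constructed demo master key"), []byte("attack at dawn"))
	fmt.Println(Open([]byte("constructed demo master key"), msg))
}
```

A flipped ciphertext bit, a wrong key or a truncated message all fail at the HMAC check, so the AES decryption with Ke is never reached.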