[Cryptography] Literature on reusing same key for AES / HMAC?

Jerry Leichter leichter at lrw.com
Sun Nov 8 14:35:28 EST 2015


> (BTW, calling the HMAC-SHA1 'signing' isn't quite right.  Signing is reserved for public key ops, as they have long term reliability, whereas the use of HMACs is considered to be ephemeral, temporary, good enough to stop an attacker in the next minute.  Authentication is the verb most used there.)
This is a bizarre characterization.

There are three different concepts here:

1.  A MAC - Message Authentication Code - attests that the bytes delivered were the bytes sent.  Since everything about a MAC is public, anyone can take a MAC-protected message and replace it with a different message that's also MAC protected.  So in and of itself, it's a rather limited form of protection.  But if you combine it with encryption, it can prevent alteration of messages.

2.  A Keyed MAC is a MAC that incorporates a common key shared between sender and receiver.  To either compute or check the authentication code, you need to know the key.  Thus, a check shows not just that the message wasn't modified since the authentication code was computed, but that the code was computed by someone who knows the key.

3.  A signature algorithm has a separate signing key - which can only be used to generate a signature - and verification key, which can only be used to verify a signature produced by the corresponding signing key.  The signing key is private; the verification key can be public.

The most salient difference between a Keyed MAC and a signature is that in order to convince a third party that something was produced by a party who had inside information, in the Keyed MAC case, you have to reveal the secret key, rendering it useless.  In the signature case, the verification key is already public (or can be made public at no cost).  Also, of course, for the same reasons, you need a single signature key - but one keyed MAC key per peer you need to talk to.

In practical terms, signatures are much more expensive to compute than Keyed MACs, and unkeyed MACs are even cheaper, so a good design will choose the cheapest that's strong enough to provide the required properties.  A signature isn't "more permanent" than a Keyed MAC.
                                                        -- Jerry
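The distinction in points 2 and 3 above, as an added worked example (editor's code, not part of Jerry's message or of any library discussed in the thread): the receiver of an HMAC-protected message holds the same key the sender used, so it can mint a valid tag for any message it likes, and convincing a third party means handing over that key.  With a signature, the verifier holds only the public key.  Everything here is standard library only: HMAC-SHA256 for the keyed MAC, and a minimal Lamport one-time signature built from SHA-256 as a stand-in for a production scheme such as Ed25519, so the signing-key / verification-key split is visible without third-party packages.  The key bytes and messages are constructed for the demonstration.

```python
"""Keyed MAC vs signature: who can forge, and what must be shared.

Added example; not from the original post.  Standard library only.
"""
import hashlib
import hmac
import os

# ---------- Keyed MAC: one shared secret, both sides can compute tags ----------

def mac(key: bytes, msg: bytes) -> bytes:
    """HMAC-SHA256 tag over msg.  Anyone holding key can compute this."""
    return hmac.new(key, msg, hashlib.sha256).digest()

def mac_verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Constant-time check; note the verifier must hold the same key as the signer."""
    return hmac.compare_digest(mac(key, msg), tag)

def receiver_can_forge_mac(key: bytes, forged: bytes) -> bool:
    """The receiver, holding the MAC key, mints a tag on a message the sender never sent.
    Returns True when the forgery verifies, i.e. a keyed MAC gives no third-party proof."""
    forged_tag = mac(key, forged)
    return mac_verify(key, forged, forged_tag)

# ---------- Lamport one-time signature: separate signing and verification keys ----------
# Toy stand-in for a real signature scheme.  Security rests on SHA-256 preimage
# resistance; a signing key must be used for exactly ONE message.

def lamport_keygen():
    """sk: 256 pairs of random 32-byte preimages (private).
       pk: the SHA-256 images of those preimages (safe to publish)."""
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in sk]
    return sk, pk

def _bits(msg: bytes):
    """The 256 bits of SHA-256(msg), least significant first."""
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return [(h >> i) & 1 for i in range(256)]

def lamport_sign(sk, msg: bytes):
    """Reveal, for each bit of the message hash, the preimage selected by that bit."""
    return [pair[b] for pair, b in zip(sk, _bits(msg))]

def lamport_verify(pk, msg: bytes, sig) -> bool:
    """Check each revealed preimage hashes to the published image the bit selects.
    Needs only pk, so any third party can run this; none of them can sign."""
    if len(sig) != 256:
        return False
    return all(hashlib.sha256(s).digest() == pair[b]
               for s, pair, b in zip(sig, pk, _bits(msg)))

def replay_signature_on_other_message(pk, sig, forged: bytes) -> bool:
    """The only cheap 'forgery' a verifier can attempt: reuse a real signature on a
    different message.  Fails unless the two messages hash identically."""
    return lamport_verify(pk, forged, sig)

if __name__ == "__main__":
    key = os.urandom(32)                     # constructed shared MAC key
    msg, forged = b"pay 10 to bob", b"pay 10000 to bob"   # constructed messages
    tag = mac(key, msg)
    print("MAC verifies:            ", mac_verify(key, msg, tag))
    print("receiver forges MAC:     ", receiver_can_forge_mac(key, forged))
    sk, pk = lamport_keygen()
    sig = lamport_sign(sk, msg)
    print("signature verifies:      ", lamport_verify(pk, msg, sig))
    print("signature replay forges: ", replay_signature_on_other_message(pk, sig, forged))
```

The asymmetry is the whole point: `receiver_can_forge_mac` succeeds because verifying and tagging are the same operation with the same key, while `lamport_verify` consumes only `pk` and producing a fresh signature needs preimages that never leave the signer.  Showing (pk, msg, sig) to a third party costs nothing; showing (key, msg, tag) burns the MAC key.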