[Cryptography] Literature on reusing same key for AES / HMAC?

Krisztián Pintér pinterkr at gmail.com
Sun Nov 8 12:43:34 EST 2015


John-Mark Gurney (at Sunday, November 8, 2015, 6:29:44 PM):
>> reusing the key is something like
>> AES(K, M) || HMAC-SHA256(K, M)

> This is MAC-then-encrypt which is recommended NOT to be used.

this was not the point at all, and you can fix it for yourself:

AES(K, M) || HMAC-SHA256(K, AES(K, M))


but as you brought it up, the notion that encrypt-then-MAC would be
the secure option over mac-then-encrypt is just as false as the other
weird recommendations we often hear. in fact they are both equally
secure if implemented right. the only difference is when you implement
them wrong, you are more likely to get away with it with enc-then-mac.
in particular, since you detect malicious activity early, you simply
don't do most of the processing, and thus avoid any bugs or
insecurities there. but it is a patchwork. the implementation must be
solid regardless.

just to give an example, keccak guys recommend a single pass
authenticated encryption. this is encrypt-and-mac, but it is as secure
as it gets. also, we have the CAESAR competition, in which many (all?)
candidates are also encrypt-and-mac. so obviously, actual
cryptographers don't know about the enc-then-mac rule, only the
blogosphere does.
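An added example, not code from the poster or from anyone else in the thread, of the encrypt-then-MAC form written above, AES(K, M) || HMAC-SHA256(K, AES(K, M)). It keeps the shape the post describes (the tag covers the ciphertext, and a tampered or truncated message is rejected before any decryption takes place), but, as an assumption of this example rather than the post's single-key form, it derives separate AES and HMAC subkeys from the one master key with an HKDF-Expand style HMAC step (RFC 5869, one output block, no Extract step). The function names, the derivation labels and the sample key and message are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

const (
	nonceSize = aes.BlockSize // 16-byte CTR nonce, transmitted in front of the ciphertext
	tagSize   = sha256.Size   // 32-byte HMAC-SHA256 tag appended after the ciphertext
)

// ErrAuth is returned whenever the tag does not verify; nothing is decrypted in that case.
var ErrAuth = errors.New("authentication failed: message rejected before decryption")

// deriveSubkey binds a 32-byte subkey to a purpose label. This is the HKDF-Expand
// step of RFC 5869 with a single output block and the master key used directly as
// the PRK; it is an assumption of this example, not part of the original post.
func deriveSubkey(master []byte, label string) []byte {
	prf := hmac.New(sha256.New, master)
	prf.Write([]byte(label))
	prf.Write([]byte{0x01}) // HKDF block counter for the first (and only) block
	return prf.Sum(nil)
}

// etmSealWithNonce builds nonce || AES-CTR(Kenc, M) || HMAC-SHA256(Kmac, nonce || ciphertext).
// The nonce is a parameter so the function is deterministic and testable; callers
// that encrypt real data should use etmSeal, which draws a fresh random nonce.
func etmSealWithNonce(master, nonce, plaintext []byte) ([]byte, error) {
	if len(nonce) != nonceSize {
		return nil, errors.New("nonce must be exactly one AES block")
	}
	block, err := aes.NewCipher(deriveSubkey(master, "aes-ctr-encryption")) // 32-byte key -> AES-256
	if err != nil {
		return nil, err
	}
	ct := make([]byte, nonceSize+len(plaintext))
	copy(ct, nonce)
	cipher.NewCTR(block, nonce).XORKeyStream(ct[nonceSize:], plaintext)

	// Encrypt-then-MAC: the tag is computed over everything the receiver will parse.
	mac := hmac.New(sha256.New, deriveSubkey(master, "hmac-sha256-authentication"))
	mac.Write(ct)
	return mac.Sum(ct), nil // Sum appends the tag, giving ct || tag
}

// etmSeal is the production entry point: a fresh random nonce per message.
func etmSeal(master, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, nonceSize)
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return etmSealWithNonce(master, nonce, plaintext)
}

// etmOpen verifies the tag in constant time first and only then touches the
// cipher; a forged, truncated or bit-flipped message never reaches AES.
func etmOpen(master, msg []byte) ([]byte, error) {
	if len(msg) < nonceSize+tagSize {
		return nil, ErrAuth
	}
	ct, tag := msg[:len(msg)-tagSize], msg[len(msg)-tagSize:]
	mac := hmac.New(sha256.New, deriveSubkey(master, "hmac-sha256-authentication"))
	mac.Write(ct)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, ErrAuth
	}
	block, err := aes.NewCipher(deriveSubkey(master, "aes-ctr-encryption"))
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct)-nonceSize)
	cipher.NewCTR(block, ct[:nonceSize]).XORKeyStream(pt, ct[nonceSize:])
	return pt, nil
}

func main() {
	master := []byte("constructed master key for the example") // any length: HMAC accepts it
	msg, err := etmSeal(master, []byte("attack at dawn"))
	if err != nil {
		panic(err)
	}
	pt, err := etmOpen(master, msg)
	fmt.Printf("genuine message: %q, err=%v\n", pt, err)

	tampered := append([]byte(nil), msg...)
	tampered[nonceSize] ^= 0x01 // flip one ciphertext bit
	_, err = etmOpen(master, tampered)
	fmt.Printf("tampered message: err=%v\n", err)
}
```

The receiver does the cheap, keyed comparison first and returns the same ErrAuth for every failure mode (bad tag, wrong key, truncation), which is the "detect malicious activity early" property the post attributes to encrypt-then-MAC; the subkey derivation is what keeps the AES and HMAC keys from being the same bytes even though only one master key is stored.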


