[Cryptography] Literature on reusing same key for AES / HMAC?

ianG iang at iang.org
Tue Nov 10 18:43:27 EST 2015


On 8/11/2015 17:43 pm, Krisztián Pintér wrote:
>
> John-Mark Gurney (at Sunday, November 8, 2015, 6:29:44 PM):
>>> reusing the key is something like
>>> AES(K, M) || HMAC-SHA256(K, M)
>
>> This is MAC-then-encrypt which is recommended NOT to be used.
>
> this was not the point at all, and you can fix it for yourself:
>
> AES(K, M) || HMAC-SHA256(K, AES(K, M))
>
>
> but as you brought it up, the notion that encrypt-then-MAC would be
> the secure option over mac-then-encrypt is just as false as the other
> weird recommendations we often hear. in fact they are both equally
> secure if implemented right. the only difference is when you implement
> them wrong, you are more likely to get away with it with enc-then-mac.
> in particular, since you detect malicious activity early, you simply
> don't do most of the processing, and thus avoid any bugs or
> insecurities there. but it is a patchwork. the implementation must be
> solid regardless.
>
> just to give an example, keccak guys recommend a single pass
> authenticated encryption. this is encrypt-and-mac, but it is as secure
> as it gets. also, we have the CAESAR competition, in which many (all?)
> candidates are also encrypt-and-mac. so obviously, actual
> cryptographers don't know about the enc-then-mac rule, only the
> blogosphere does.


That's a little unkind, although I'm not sure to whom.  The late 1990s 
and 2000s was about encrypt & MAC and we kept getting it wrong.  At some 
stage we figured out the problem was as much crypto interactions as 
programming, so we threw the whole lot back over the fence and yelled to 
the cryptologers on the other side:

Compose it!  Throw back an AEAD algorithm!  We'll buy you a beer!



iang
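As an added illustration (not part of the thread and not anyone's posted code), here is the composition the thread argues about done the defensive way in Go: one master key is split into separate AES and HMAC subkeys with labelled HMAC-SHA256 (assumed here as a stand-in for a real KDF such as HKDF), the MAC covers IV and ciphertext (encrypt-then-MAC), and the receiver verifies in constant time before decrypting anything. The labels "enc" and "mac" and the layout IV || ciphertext || tag are choices made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// hmac256 both derives the AES and HMAC subkeys from the master key by label (a minimal
// KDF for this example; HKDF is the usual choice) and tags the ciphertext, so AES and HMAC
// never see the same raw key, which is the reuse question the thread started from.
func hmac256(key, data []byte) []byte {
	h := hmac.New(sha256.New, key)
	h.Write(data)
	return h.Sum(nil)
}

// Seal is encrypt-then-MAC: AES-256-CTR over msg, then HMAC-SHA256 over IV || ct; output is IV(16) || ct || tag(32).
func Seal(master, msg []byte) ([]byte, error) {
	block, err := aes.NewCipher(hmac256(master, []byte("enc")))
	if err != nil {
		return nil, err
	}
	out := make([]byte, aes.BlockSize+len(msg))
	if _, err := rand.Read(out[:aes.BlockSize]); err != nil { // fresh random IV
		return nil, err
	}
	cipher.NewCTR(block, out[:aes.BlockSize]).XORKeyStream(out[aes.BlockSize:], msg)
	return append(out, hmac256(hmac256(master, []byte("mac")), out)...), nil
}

// Open checks the tag in constant time before any decryption, so a modified IV, ciphertext or tag is rejected early.
func Open(master, sealed []byte) ([]byte, error) {
	if len(sealed) < aes.BlockSize+sha256.Size {
		return nil, errors.New("ciphertext too short")
	}
	body, tag := sealed[:len(sealed)-sha256.Size], sealed[len(sealed)-sha256.Size:]
	if !hmac.Equal(hmac256(hmac256(master, []byte("mac")), body), tag) {
		return nil, errors.New("authentication failed")
	}
	block, err := aes.NewCipher(hmac256(master, []byte("enc")))
	if err != nil {
		return nil, err
	}
	msg := make([]byte, len(body)-aes.BlockSize)
	cipher.NewCTR(block, body[:aes.BlockSize]).XORKeyStream(msg, body[aes.BlockSize:])
	return msg, nil
}
```

Because the tag is checked before the CTR keystream is ever generated, a tampered message never reaches the decryption or parsing code, which is the "detect malicious activity early" property discussed above; in production an AEAD mode such as AES-GCM or ChaCha20-Poly1305 does this composition for you, which is what ianG's reply asks for.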

