[Cryptography] Why two keys? [was: Re: WhatsApp, Curve25519 workspace etc.]

Benjamin Kreuter brk7bx at virginia.edu
Fri May 6 12:23:11 EDT 2016


On Thu, 2016-05-05 at 13:40 -0500, Andrew Donoho wrote:
> Gentle folk,
>
> I have a question about the WhatsApp protocol. On page 6 of the
> WhatsApp Security Whitepaper, they describe their end to end
> encryption for media and attachments. To support encrypting in AES-
> CBC mode, they generate an ephemeral 256 bit key and a 128 bit IV.
> Then they go further and generate a second 256 bit ephemeral key for
> calculating the HMAC-SHA256. As the first key already has a
> significant amount of entropy and is only used once, why isn’t it
> reused for the HMAC-SHA256 calculation? On the face of it, it looks
> redundant for a single use key.

Typically it is considered bad practice to use one key for two
different purposes.  Also the proof of security for encrypt-then-MAC
relies in subtle ways on the keys being different, so reusing the key
can be insecure -- certainly true for CBC-MAC when the same block
cipher is used for encryption.  Entropy is not really the issue here,
since the encryption and MAC keys can safely be generated using a PRNG.

-- Ben
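The construction the thread is discussing, written out as an added example (not code from WhatsApp, the whitepaper, or either poster): AES-256-CBC encryption under one key, HMAC-SHA256 over the IV and ciphertext under a second, independent key, and verification before decryption. To make Ben's point that entropy is not the constraint, all three values (encryption key, MAC key, IV) are expanded from a single 32-byte random seed with an HKDF-Expand step built from the standard library's HMAC; the seed is assumed to be uniformly random, the info label is my own choice, and the byte layout of key || key || IV is an assumption of this example rather than anything the page specifies.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// MediaKeys holds the independent material for one encrypt-then-MAC message:
// a 256-bit AES-CBC key, a separate 256-bit HMAC-SHA256 key, and a 128-bit IV.
type MediaKeys struct {
	EncKey []byte // 32 bytes
	MacKey []byte // 32 bytes
	IV     []byte // 16 bytes
}

// hkdfExpand is HKDF-Expand (RFC 5869) over HMAC-SHA256. prk is assumed to be
// a uniformly random 32-byte seed, so the Extract step is skipped here.
func hkdfExpand(prk, info []byte, length int) []byte {
	var out, prev []byte
	for counter := byte(1); len(out) < length; counter++ {
		mac := hmac.New(sha256.New, prk)
		mac.Write(prev)
		mac.Write(info)
		mac.Write([]byte{counter})
		prev = mac.Sum(nil)
		out = append(out, prev...)
	}
	return out[:length]
}

// DeriveKeys expands one seed into distinct encryption key, MAC key and IV.
// The label and the 32||32||16 layout are assumptions of this example.
func DeriveKeys(seed []byte) MediaKeys {
	okm := hkdfExpand(seed, []byte("example media keys"), 80)
	return MediaKeys{EncKey: okm[:32], MacKey: okm[32:64], IV: okm[64:80]}
}

func pkcs7Pad(b []byte, blockSize int) []byte {
	n := blockSize - len(b)%blockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte, blockSize int) ([]byte, error) {
	if len(b) == 0 || len(b)%blockSize != 0 {
		return nil, errors.New("invalid padded length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > blockSize || n > len(b) {
		return nil, errors.New("invalid padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("invalid padding")
		}
	}
	return b[:len(b)-n], nil
}

// Seal returns AES-256-CBC(EncKey, IV, pad(plaintext)) || HMAC-SHA256(MacKey, IV || ct):
// encrypt-then-MAC with the MAC keyed independently of the cipher.
func Seal(k MediaKeys, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(k.EncKey)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext, aes.BlockSize)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, k.IV).CryptBlocks(ct, padded)
	mac := hmac.New(sha256.New, k.MacKey)
	mac.Write(k.IV)
	mac.Write(ct)
	return append(ct, mac.Sum(nil)...), nil
}

// Open checks the tag in constant time before any decryption, so a tampered
// ciphertext is rejected without ever reaching the padding check.
func Open(k MediaKeys, sealed []byte) ([]byte, error) {
	if len(sealed) < sha256.Size+aes.BlockSize {
		return nil, errors.New("sealed data too short")
	}
	ct, tag := sealed[:len(sealed)-sha256.Size], sealed[len(sealed)-sha256.Size:]
	if len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not block aligned")
	}
	mac := hmac.New(sha256.New, k.MacKey)
	mac.Write(k.IV)
	mac.Write(ct)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, errors.New("authentication failed")
	}
	block, err := aes.NewCipher(k.EncKey)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, k.IV).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt, aes.BlockSize)
}

func main() {
	seed := make([]byte, 32) // fresh per message, as the ephemeral key in the thread
	if _, err := rand.Read(seed); err != nil {
		panic(err)
	}
	keys := DeriveKeys(seed)
	sealed, _ := Seal(keys, []byte("constructed sample attachment bytes"))
	pt, err := Open(keys, sealed)
	fmt.Printf("%q %v\n", pt, err)
	sealed[0] ^= 1 // flip one ciphertext bit
	_, err = Open(keys, sealed)
	fmt.Println("after tampering:", err)
}
```

The seed plays the role of the single ephemeral secret Andrew asks about; the whole extra "entropy" is one HKDF call, while the two keys handed to AES and HMAC remain distinct, which is what the encrypt-then-MAC proof Ben mentions depends on.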