[Cryptography] Should the IV of an encryption operation be input to the key derivation function?

Phillip Hallam-Baker phill at hallambaker.com
Thu Apr 6 12:37:33 EDT 2017


Further to my explorations of HKDF (RFC 3394) I am thinking as follows:

Most cryptographic modes use the same key to encrypt a message. CBC, GCM,
etc. all perform operations on the input data; the key is constant.

When using a public key for exchange, we choose a session key which is
random every time. Thus each message is guaranteed to be encrypted under a
different key.

If I use KDF with a fixed salt (the norm for most protocols) I get
inter-protocol separation but not separation per message. The IV provides
some protection but I am still handing the attacker a possible advantage.

So what if I was to use the IV of the encrypted data as a part of the salt
in the key derivation function? Is this a good idea or a bad one?
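The construction the post asks about, as an added illustration that is not part of the original message and not the poster's code: HKDF (as specified in RFC 5869, implemented below with only the standard library) with a fixed protocol label providing inter-protocol separation and the per-message IV mixed into the salt providing per-message key separation. The names `derive_message_key`, `protocol_label` and the `b"message-key"` info string are assumptions chosen for this example. The two points a defender would check are visible in the code: distinct IVs give unrelated keys, and a repeated IV gives the same key again, so the IV still has to be unique per message.

```python
import hashlib
import hmac
import os


def hkdf_extract(salt: bytes, ikm: bytes, hash_name: str = "sha256") -> bytes:
    """HKDF-Extract (RFC 5869, section 2.2): PRK = HMAC-Hash(salt, IKM).
    An empty salt is replaced by HashLen zero bytes, as the RFC specifies."""
    if not salt:
        salt = b"\x00" * hashlib.new(hash_name).digest_size
    return hmac.new(salt, ikm, hash_name).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """HKDF-Expand (RFC 5869, section 2.3): T(i) = HMAC(PRK, T(i-1) | info | i)."""
    digest_size = hashlib.new(hash_name).digest_size
    if length > 255 * digest_size:
        raise ValueError("requested output length exceeds 255 * HashLen")
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_message_key(master_secret: bytes, protocol_label: bytes, iv: bytes,
                       key_len: int = 32) -> bytes:
    """Assumed construction for this example: the fixed protocol label gives
    inter-protocol separation, and the message IV appended to the salt gives
    a different traffic key for every distinct IV under the same master secret."""
    salt = protocol_label + iv
    prk = hkdf_extract(salt, master_secret)
    return hkdf_expand(prk, b"message-key", key_len)


def rfc5869_test_case_1() -> bytes:
    """Runs RFC 5869 Appendix A test case 1 and returns the derived OKM so the
    HKDF implementation can be checked against the published vector."""
    ikm = bytes.fromhex("0b" * 22)
    salt = bytes.fromhex("000102030405060708090a0b0c")
    info = bytes.fromhex("f0f1f2f3f4f5f6f7f8f9")
    return hkdf_expand(hkdf_extract(salt, ikm), info, 42)


def demo() -> dict:
    """Derives keys for two messages with fresh IVs and one with a reused IV.
    The master secret and IVs are constructed here; they are not real key material."""
    master_secret = bytes.fromhex("00" * 31 + "01")   # constructed sample secret
    label = b"example-protocol-v1"
    iv_a = os.urandom(12)
    iv_b = os.urandom(12)
    key_a = derive_message_key(master_secret, label, iv_a)
    key_b = derive_message_key(master_secret, label, iv_b)
    key_a_again = derive_message_key(master_secret, label, iv_a)   # IV reuse
    return {
        "distinct_ivs_give_distinct_keys": key_a != key_b,
        "reused_iv_gives_same_key": key_a == key_a_again,
    }


if __name__ == "__main__":
    print("RFC 5869 test vector matches:",
          rfc5869_test_case_1().hex() ==
          "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865")
    print(demo())
```

Whether the IV goes into the salt (as the post proposes) or into the info argument, HKDF binds it into the derived key either way; the check that matters operationally is that `reused_iv_gives_same_key` is true, i.e. the scheme does not remove the requirement for unique IVs, it only adds key separation on top of it.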