[Cryptography] CFB/OFB/CTR mode with HMAC for key stream
huitema at huitema.net
Mon May 1 14:24:47 EDT 2017
On 5/1/2017 8:29 AM, Bill Frantz wrote:
> On 5/1/17 at 12:07 AM, memvandal at gmail.com (Memory Vandal) wrote:
>> I was wondering if using HMAC with something like SHA-256 to create a
>> stream in CFB/OFB/CTR mode is a bad idea.
>> Considering that in CFB/OFB/CTR modes, the cipher required in the mode is
>> used only to perform the encryption operation for both encryption and
>> decryption, an HMAC can be used to generate a key stream.
>> So, the overall CFB/OFB/CTR mode remains exactly the same, with the exception
>> of using HMAC in place of a cipher. The key is used as the HMAC key, while
>> the IV can be used as the HMAC message.
>> I am not a cryptographer but have some experience with implementing
>> cryptography. I could not come up with reasons as to why this could be a
>> bad idea.
> Exactly this idea was suggested by at least one well-known
> cryptographer* during the 1990s crypto wars as a thought experiment to
> show that even if encryption algorithms were controlled, MACs could be
This concept was actually used and deployed in the RADIUS Protocol (RFC
2138), when transmitting user passwords from an access point (RADIUS
client) to a Network Authentication Server (NAS): "The NAS and RADIUS
server share a secret. That shared secret followed by the Request
Authenticator is put through a one-way MD5 hash to create a 16 octet
digest value which is xored with the password entered by the user, and
the xored result placed in the User-Password attribute in the
Access-Request packet." That was in 1997. MD5 encryption.
-- Christian Huitema
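Both constructions discussed in this thread, as an added example that is not code from any of the posters: an HMAC-SHA256 keystream used in CTR and OFB style (the key as HMAC key and the IV as HMAC message, as the original question sketches; the 64-bit big-endian block counter appended to the IV for CTR is an assumption, since the question fixes no format), and the RFC 2138 User-Password hiding that Huitema quotes, including the chaining of MD5 blocks for passwords longer than 16 octets that section 5.2 of that RFC specifies. The encrypt-then-MAC wrapper is an added caveat: a keystream by itself gives confidentiality only, so a separate tag, checked with a constant-time compare, is what a deployment would need.

```python
import hashlib
import hmac
import os

BLOCK = hashlib.sha256().digest_size  # HMAC-SHA256 yields 32-byte keystream blocks


def hmac_keystream(key: bytes, iv: bytes, nbytes: int, mode: str = "ctr") -> bytes:
    """Derive nbytes of keystream from HMAC-SHA256 keyed with `key`.

    ctr: block i = HMAC(key, iv || i as 64-bit big-endian counter)   (counter format assumed)
    ofb: block 0 = HMAC(key, iv); block i = HMAC(key, block i-1)
    Only the forward direction of the primitive is used, which is the property
    the original question relies on.
    """
    out = bytearray()
    prev = iv
    i = 0
    while len(out) < nbytes:
        if mode == "ctr":
            msg = iv + i.to_bytes(8, "big")
        elif mode == "ofb":
            msg = prev
        else:
            raise ValueError("mode must be 'ctr' or 'ofb'")
        prev = hmac.new(key, msg, hashlib.sha256).digest()
        out += prev
        i += 1
    return bytes(out[:nbytes])


def hmac_stream_xor(key: bytes, iv: bytes, data: bytes, mode: str = "ctr") -> bytes:
    """Encrypt or decrypt (the same operation) by XOR with the keystream."""
    ks = hmac_keystream(key, iv, len(data), mode)
    return bytes(a ^ b for a, b in zip(data, ks))


def seal(key_enc: bytes, key_mac: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: iv || ciphertext || HMAC-SHA256 tag over iv || ciphertext."""
    iv = os.urandom(16)  # an IV must never repeat under the same key
    ct = hmac_stream_xor(key_enc, iv, plaintext)
    tag = hmac.new(key_mac, iv + ct, hashlib.sha256).digest()
    return iv + ct + tag


def open_sealed(key_enc: bytes, key_mac: bytes, blob: bytes) -> bytes:
    """Verify the tag first; decrypt only if it matches."""
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key_mac, iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return hmac_stream_xor(key_enc, iv, ct)


def radius_hide_password(secret: bytes, request_authenticator: bytes, password: bytes) -> bytes:
    """RFC 2138 section 5.2: pad to a multiple of 16 octets, then per block
    b_i = MD5(secret || prev), c_i = p_i XOR b_i, where prev is the Request
    Authenticator for the first block and the previous ciphertext block after."""
    nblocks = max(1, (len(password) + 15) // 16)
    padded = password.ljust(16 * nblocks, b"\x00")
    prev = request_authenticator
    out = bytearray()
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += c
        prev = c
    return bytes(out)


def radius_unhide_password(secret: bytes, request_authenticator: bytes, hidden: bytes) -> bytes:
    """Inverse of radius_hide_password; trailing null padding is stripped."""
    prev = request_authenticator
    out = bytearray()
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        c = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(c, b))
        prev = c
    return bytes(out).rstrip(b"\x00")


if __name__ == "__main__":
    # Constructed sample values, not from any real deployment.
    k_enc, k_mac = os.urandom(32), os.urandom(32)
    blob = seal(k_enc, k_mac, b"the quick brown fox jumps over the lazy dog")
    print(open_sealed(k_enc, k_mac, blob))
    ra = os.urandom(16)
    print(radius_unhide_password(b"shared-secret", ra,
                                 radius_hide_password(b"shared-secret", ra, b"arctangent")))
```

The RADIUS helper shows why Huitema calls it "MD5 encryption": the keystream block is a plain hash of secret and authenticator, so the scheme's strength rests entirely on the secret and on the authenticator never repeating, and nothing in it authenticates the hidden value.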