[Cryptography] CFB/OFB/CTR mode with HMAC for key stream

Christian Huitema huitema at huitema.net
Mon May 1 14:24:47 EDT 2017

On 5/1/2017 8:29 AM, Bill Frantz wrote:
> On 5/1/17 at 12:07 AM, memvandal at gmail.com (Memory Vandal) wrote:
>> I was wondering if using HMAC with something like SHA-256 to create a
>> key
>> stream in CFB/OFB/CTR mode is a bad idea.
>> Considering that in CFB/OFB/CTR modes, the cipher required in the
>> mode is
>> used only to perform encryption operation for both encryption and
>> decryption, a HMAC can be used to generate a key stream.
>> So, the overall CFB/OFB/CTR mode remains exactly same with exception of
>> using HMAC in place for a cipher. The key being used as HMAC key
>> while IV
>> can be as the HMAC message.
>> I am not a cryptographer but, have some experience with implementing
>> cryptography. I could not come up with reasons as to why this could be a
>> bad idea.
> Exactly this idea was suggested by at least one well-known
> cryptographer* during the 1990s crypto wars as a thought experiment to
> show that even if encryption algorithms were controlled, MACs could be
> substituted. 

This concept was actually used and deployed in the RADIUS Protocol (RFC
2138), when transmitting user passwords from an access point (RADIUS
client) to a Network Authentication Server (NAS): "The NAS and RADIUS
server share a secret.  That shared secret followed by the Request
Authenticator is put through a one-way MD5 hash to create a 16 octet
digest value which is xored with the password entered by the user, and
the xored result placed in the User-Password attribute in the
Access-Request packet." That was in 1997. MD5 encryption.

-- Christian Huitema

More information about the cryptography mailing list