Re: MACs + Encryption + same Key
From: Eris Pluvia (eris_pluvia_at_yahoo.es)
Date: 10/14/04
- Next message: Henrick Hellström: "Re: MACs + Encryption + same Key"
- Previous message: Lassi Hippeläinen: "Re: Detecting changed portions of large data set"
- In reply to: David Wagner: "Re: MACs + Encryption + same Key"
- Next in thread: Henrick Hellström: "Re: MACs + Encryption + same Key"
- Reply: Henrick Hellström: "Re: MACs + Encryption + same Key"
- Reply: David Wagner: "Re: MACs + Encryption + same Key"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 14 Oct 2004 13:26:19 +0200
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
David Wagner:
| Eris Pluvia wrote:
|
|>In the original proposed scenario: HMAC with MD5 using K, K-AES as
|>encryption; if CTR mode is used there is no chance of interaction, because
|>both processes digest different data and uses K in no-related way.
|
|
| How do you know whether there are crazy interactions? Who knows?
This is paranoic point of view! With the same degree of paranoia you
should reject your solution:
~ K_MAC = SHA1-HMAC(K,"MAC")
~ K_encrypt = SHA1-HMAC(K,"encrypt")
because K_MAK and K_encrypt are actually interrelated. You need
statistically independent keys.
I insist: in AES(K)-CTR mode, you are encrypting a random counter (not
the message itself) with one algorithm; while in HMAC-MD5(K) you are
digesting message data with drastically different algorithm.
With lower paranoia level, I could admit such key interactions in ECB,
CBC modes with interrelated algorithms (for example, AES(k)-CBC and
HMAC-Whirlpool(K))
| Rather than take such a risk, and given that it is not hard to provably
| eliminate such a risk, I'd rather use key-separation to avoid having to
| worry about this.
As I said, the HMAC key should be statistically independent of
encryption key. This means wasting the entropy source and hidding both
keys with the public key function, what increases processing time.
| But to illustrate one potential limitation of your approach: the
| integrity of your scheme becomes only as good as the weaker of MD5-HMAC
| or AES (if AES can be broken, then one can recover the AES key, thereby
| learning the MD5-HMAC key, and use that to forge bogus ciphertexts).
In most scenarios, if the attacker gets the encryption key, the game is
over. So, what will happen after the end of the Universe does not ever
matters ;-)
AFAIK, the HMAC is designed to guarantee integrity under malicius
attacks, even without knowing the cleartext. So, the scenario permits
the attacker to corrupt the ciphertext in order to pass the integrity check.
Moreover, "forge bogus ciphertext" means find collitions in MD5-HMAC.
That's not trivial, I suppose.
On the other side (obtaining K from HMAC), if my knowledge of HMAC is
correct, the attacker has chances to recover K by brute force analysis,
*only* if she knows the cleartext.
- --
Eris Pluvia
http://pgp.rediris.es:11371/pks/lookup?op=get&search=0x18BE286C
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFBbmJbJGhdcRi+KGwRAvu7AJ9XHayJoIc5zFSuV5eGSdjT/VjomgCeOV0p
pkQotQ7r8PoCqsYkHeCnf7w=
=qDih
-----END PGP SIGNATURE-----
- Next message: Henrick Hellström: "Re: MACs + Encryption + same Key"
- Previous message: Lassi Hippeläinen: "Re: Detecting changed portions of large data set"
- In reply to: David Wagner: "Re: MACs + Encryption + same Key"
- Next in thread: Henrick Hellström: "Re: MACs + Encryption + same Key"
- Reply: Henrick Hellström: "Re: MACs + Encryption + same Key"
- Reply: David Wagner: "Re: MACs + Encryption + same Key"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
