Re: MACs + Encryption + same Key
From: Eris Pluvia (eris_pluviaNOSPAM_at_yahoo.es)
Date: 10/18/04
- Previous message: Morten Dahl: "Re: any usb flash-drive with write-protect and zeroize?"
- In reply to: David Wagner: "Re: MACs + Encryption + same Key"
- Next in thread: Anton Stiglic: "Re: MACs + Encryption + same Key"
Date: Mon, 18 Oct 2004 00:30:03 +0200
David Wagner:
> Eris Pluvia wrote:
>>I apologize, but English is not my mother language.
>
> Ahh! My apologies.
>
> I wish I was one-tenth as conversant in any second
> language as you are in English.
Ok. Thanks for encouraging ;-)
> More precisely, I don't know how to do it without very strange and
> artificial-looking assumptions on AES or SHA1-HMAC. Basically, one needs
> a condition that AES and SHA1-HMAC do not have any "funny interactions"
> between them. That condition sounds quite plausible.
But do the different coding matters ("M" for SHA1-HMAC, and IVs for
AES-CTR) not play any role?
> However, I'm not
> sure how to formalize the condition, and I don't know how to find any
> reasonable-looking cryptographic assumption that implies the condition.
Apply Ockham's Knife ;-)
> I don't want to leave the impression that re-using the same key for both
> AES and SHA1-HMAC is a major sin. I don't mean to suggest that it will
> certainly render your application insecure. It is secondary, certainly.
> However, key separation is part of best practice, and re-using the same
> key represents a step down from good practice.
As I said, I admit the plausibility of such interactions with certain modes
and certain combinations of algorithms. Your general advice about avoiding
reusing the key I see as a "not dangerous superstition", like the
superstition "don't pass down an open stair": it has no serious fundament,
but it finally diminishes the risk of an accident with the stair!
What really disturbs me is that, HMAC being a _keyed_ integrity guarantee
for _keyed_ encrypted data (mainly), in no paper, article or comment I've
read until now is there a warning about this matter.
--
Eris Pluvia
http://pgp.rediris.es:11371/pks/lookup?op=get&search=0x18BE286C
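The key separation David Wagner calls best practice above, as an added example that is not part of this thread or any poster's code: one master key, two purpose-bound subkeys, with AES-CTR for encryption and HMAC-SHA1 for integrity as discussed. The label strings and the HMAC-SHA256 derivation are my own construction, a stdlib-only one-block stand-in for HKDF.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"errors"
	"io"
)
// derive binds a subkey to one purpose: HMAC-SHA256(master, label), the one-block core
// of HKDF-Expand. AES-CTR and HMAC-SHA1 thus never see the same key bytes (labels are constructed).
func derive(master []byte, label string) []byte {
	h := hmac.New(sha256.New, master)
	h.Write([]byte(label))
	return h.Sum(nil) // 32 bytes: an AES-256 key or an HMAC key
}

// Seal is encrypt-then-MAC: AES-256-CTR under the encryption subkey, then
// HMAC-SHA1 over IV||ciphertext under the MAC subkey. Output is IV||C||tag.
func Seal(master, msg []byte) ([]byte, error) {
	block, _ := aes.NewCipher(derive(master, "AES-CTR encryption key")) // 32-byte key never errors
	out := make([]byte, aes.BlockSize+len(msg))
	if _, err := io.ReadFull(rand.Reader, out[:aes.BlockSize]); err != nil {
		return nil, err // fresh random IV: CTR must never reuse an IV under one key
	}
	cipher.NewCTR(block, out[:aes.BlockSize]).XORKeyStream(out[aes.BlockSize:], msg)
	mac := hmac.New(sha1.New, derive(master, "HMAC-SHA1 integrity key"))
	mac.Write(out)
	return mac.Sum(out), nil
}

// Open checks the tag in constant time and refuses to decrypt on any mismatch.
func Open(master, sealed []byte) ([]byte, error) {
	if len(sealed) < aes.BlockSize+sha1.Size {
		return nil, errors.New("ciphertext too short")
	}
	body, tag := sealed[:len(sealed)-sha1.Size], sealed[len(sealed)-sha1.Size:]
	mac := hmac.New(sha1.New, derive(master, "HMAC-SHA1 integrity key"))
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, errors.New("MAC verification failed")
	}
	block, _ := aes.NewCipher(derive(master, "AES-CTR encryption key"))
	pt := make([]byte, len(body)-aes.BlockSize)
	cipher.NewCTR(block, body[:aes.BlockSize]).XORKeyStream(pt, body[aes.BlockSize:])
	return pt, nil
}
```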