4

I am proposing to use an AES key to encrypt some data to send to a third party and in a completely separate operation/flow use the same key to create a HMAC of a message to send to the same third party.

I have been told that this is a risk to use the same key for two different things. I cannot find any information on why this is a risk. If this is a risk, what is it?

I have found information on this site explaining why you should use different RSA keys pairs for encryption and signing and that makes sense, but nothing on symmetric keys.

Why should one not use the same asymmetric key for encryption as they do for signing?

thanks

Community
  • 1
devo
  • 143
  • 3

1 Answers1

5

The "by the book" approach to this is to use a key-stretching/key-derivation-function to turn a one secret into another (longer) secret. Or two or more secrets. One for HMAC, one AES session key, etc.

This is what TLS does. It expands the master secret into a block of six single other secrets.

I can not name a practical attack if you don't do that.

But stretching the key is cheap. And afterwards you don't have to worry about related primitives attacks anymore. If nothing else, it's a method that allows you to mentally compartmentalize the different crypto parts. It makes the whole construction a lot easier to talk about.

StackzOfZtuff
  • 17,923
  • 1
  • 51
  • 86