2

We're using AES-CBC and HMAC to encrypt and authenticate our messages (using encrypt-then-authenticate method).

Sometimes I see solutions (like this one) which derive encryption and authorization keys from a single AES master key:

Kenc = AES(Kmaster, P + "1")

Kauth = AES(Kmaster, P + "2")

Questions

Does it somehow improve security (in case P and the derivation algorithm are known to the attacker)? If so, is deriving Kenc from Kmaster really a necessary step?

  • See [Why can't I use the same key for encryption and MAC?](https://security.stackexchange.com/questions/37880/why-cant-i-use-the-same-key-for-encryption-and-mac). In short, for this specific combination it's only about good style; in other combinations, using the same key for both can be fatal. – CodesInChaos Mar 25 '14 at 17:27
  • @CodesInChaos thanks! That mostly answers my question, but is this specific approach (in my question) valid for such a purpose? – Dmitry Zaytsev Mar 25 '14 at 17:31
  • Whether your approach is valid depends on the details: what exactly you mean by AES, what P is, ... There are certainly similar constructions for deriving keys (e.g. GCM derives the MAC key by encrypting a specific block). I recommend using HKDF instead, which is a similar construction but uses HMAC as the building block. – CodesInChaos Mar 25 '14 at 17:36

1 Answer

3

Using the same key for two distinct algorithms incurs the risk of interactions. An extreme example is when you use both AES/CBC for encryption and CBC-MAC as MAC algorithm: if you use the same key for both, then it is pretty obvious that the MAC can be trivially worked around. For AES/CBC + HMAC, the gut feeling of most cryptographers is that the two algorithms are sufficiently "different" from each other that these interactions do not occur, but putting a precise, mathematical definition under that term looks challenging.

Basically, this is untrodden territory, so don't do it. Deriving an encryption key and a MAC key from a given master key, using a Key Derivation Function, is the cautious and safe method: it ensures that no deadly interaction may occur. Since you have some HMAC code, use HKDF for such derivation: it is easy to implement, and has received the blessing of many cryptographers.

Alternatively, you may want to ditch both CBC and HMAC, and instead use an authenticated encryption mode which combines encryption and MAC with the same key. These are specialized modes where interactions have been thoroughly analysed, and all nasty details worked out. GCM and EAX are usable without legal hassle, and are fine; GCM is also a NIST standard and is beginning to be widely used (e.g. as part of SSL/TLS).

Tom Leek
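As an added example (not code from the question, the comments or the answer), here is the HKDF derivation that CodesInChaos and the answer recommend, in Python 3 using only the standard library, together with the encrypt-then-MAC tag computed over IV and ciphertext. The AES-CBC step itself is assumed to be done by whatever cipher library you already use, so the ciphertext is passed in as opaque bytes; the `info` labels are my own constructed choice.

```python
import hmac
import hashlib

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869, section 2.2): PRK = HMAC-Hash(salt, IKM)."""
    if not salt:
        salt = bytes(HASH_LEN)  # RFC 5869: an absent salt is HashLen zero bytes
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869, section 2.3): T(i) = HMAC-Hash(PRK, T(i-1) || info || i)."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF output length exceeds 255 * HashLen")
    okm, block = b"", b""
    for counter in range(1, -(-length // HASH_LEN) + 1):  # ceil(length / HASH_LEN) blocks
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
    return okm[:length]


def derive_keys(k_master: bytes, salt: bytes = b""):
    """Derive independent encryption and MAC keys from one master key.

    The distinct `info` labels (a constructed choice here) play the role of the
    "1" / "2" suffixes in the question; HKDF makes the two outputs computationally
    unrelated even though the attacker knows the labels and the construction.
    """
    prk = hkdf_extract(salt, k_master)
    k_enc = hkdf_expand(prk, b"AES-256-CBC encryption key", 32)
    k_auth = hkdf_expand(prk, b"HMAC-SHA256 authentication key", 32)
    return k_enc, k_auth


def mac_tag(k_auth: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers everything the receiver feeds to AES-CBC
    (IV and ciphertext), so neither can be altered without detection."""
    return hmac.new(k_auth, iv + ciphertext, HASH).digest()


def verify_tag(k_auth: bytes, iv: bytes, ciphertext: bytes, tag: bytes) -> bool:
    """Constant-time comparison; on failure the caller must not decrypt at all."""
    return hmac.compare_digest(mac_tag(k_auth, iv, ciphertext), tag)
```

The receiver derives the same pair from Kmaster, checks the tag first, and only then hands `k_enc`, IV and ciphertext to the AES-CBC decryptor.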