AES256 CBC + HMAC SHA256 ensuring confidentiality *and* authentication?
<p>I'm thinking of using AES256 CBC + HMAC SHA-256 as a building block for messages that ensures both confidentiality and authentication.</p>
<p>In particular, consider this scenario:</p>
<ul>
<li>Alice is in possession of a public key belonging to Bob (the key exchange and algorithm are outside the scope of this question). Alice has an identifying key K, also shared with Bob, that she can use to identify herself with. Only Alice and Bob know the key K.</li>
<li>Alice encrypts (nonce || K) using Bob's public key.</li>
<li>Bob decrypts the packet and now has K and the nonce.</li>
<li>Bob uses SHA-256 with SHA256(K || nonce) to yield a K(e) of 256 bits.</li>
<li>Bob uses SHA-256 with SHA256(K || nonce + 1) to yield a K(s) of 256 bits.</li>
</ul>
<p>Now for every packet Bob wishes to send Alice he performs the following:</p>
<ul>
<li>Create a new random 128-bit IV.</li>
<li>Encrypt the message using the IV and K(e) as the key.</li>
<li>Create a SHA-256 HMAC with K(s) as key and (IV || Encrypted message) as data.</li>
<li>Finally send (IV || HMAC || Ciphertext) to Alice.</li>
</ul>
<p>Alice has also calculated K(e) and K(s), and follows this procedure when receiving data from Bob:</p>
<ul>
<li>Split the message into IV, ciphertext and HMAC.</li>
<li>Calculate the HMAC using K(s), IV and ciphertext.</li>
<li>Compare the calculated HMAC with the HMAC sent. If they match, Alice considers this message authenticated as a message sent by Bob; otherwise it is discarded.</li>
<li>Decrypt the message using K(e).</li>
</ul>
<p>Does this protocol ensure that Alice only decrypts messages from Bob, assuming that no one other than Bob can read the encrypted message that Alice sends him encrypted using his public key?</p>
<p>I.e. do messages constructed in this manner ensure both confidentiality and authentication?</p>
<p><em>Note: If the protocol requires Bob to send multiple messages, this scheme needs a slight modification to avoid replay attacks.</em></p>
<p><em>P.S. I am aware of AES-GCM/CCM, but this scheme would work with the basic AES, SHA and HMAC algorithms that are found in most crypto packages. This solution might also be slower, but that too is out of scope for the question.</em></p>
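The key derivation, packet layout and receive-side checks described in the question, written out as an added Go example (it is not code from the question or from any answer). It assumes an 8-byte nonce with "nonce + 1" meaning a big-endian increment, and PKCS#7 padding for CBC, neither of which the question specifies; the receiver compares the HMAC in constant time and decrypts only after the tag verifies.

```go
package main
import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
)
// deriveKeys: K(e) = SHA256(K || nonce), K(s) = SHA256(K || nonce+1). Assumption: 8-byte nonce, big-endian increment.
func deriveKeys(k, nonce []byte) (ke, ks []byte) {
	next := binary.BigEndian.AppendUint64(nil, binary.BigEndian.Uint64(nonce)+1)
	e := sha256.Sum256(append(append([]byte{}, k...), nonce...))
	s := sha256.Sum256(append(append([]byte{}, k...), next...))
	return e[:], s[:]
}
// tag is HMAC-SHA256 under K(s) over IV || ciphertext, exactly the data the question MACs.
func tag(ks, iv, ct []byte) []byte {
	m := hmac.New(sha256.New, ks)
	m.Write(append(append([]byte{}, iv...), ct...))
	return m.Sum(nil)
}
// seal builds IV || HMAC || ciphertext (encrypt-then-MAC, fresh random IV). Assumption: PKCS#7 padding.
func seal(ke, ks, msg []byte) []byte {
	iv := make([]byte, aes.BlockSize)
	rand.Read(iv) // crypto/rand is documented never to return an error (Go 1.24+)
	pad := aes.BlockSize - len(msg)%aes.BlockSize
	ct := append(append([]byte{}, msg...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	block, _ := aes.NewCipher(ke) // key is a 32-byte SHA-256 digest, so this cannot fail
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, ct)
	return append(append(iv, tag(ks, iv, ct)...), ct...)
}
// open verifies the HMAC in constant time and decrypts only an authentic packet; ok=false means discard.
func open(ke, ks, pkt []byte) (pt []byte, ok bool) {
	const hdr = aes.BlockSize + sha256.Size
	if len(pkt) < hdr+aes.BlockSize || (len(pkt)-hdr)%aes.BlockSize != 0 {
		return nil, false // malformed length: reject before touching any crypto
	}
	iv, mac, ct := pkt[:aes.BlockSize], pkt[aes.BlockSize:hdr], pkt[hdr:]
	if !hmac.Equal(tag(ks, iv, ct), mac) {
		return nil, false // forged or modified packet: never decrypt
	}
	block, _ := aes.NewCipher(ke)
	pt = make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	if pad := int(pt[len(pt)-1]); pad >= 1 && pad <= aes.BlockSize {
		return pt[:len(pt)-pad], true
	}
	return nil, false // invalid padding (only reachable with a mismatched K(e))
}
```

Because the MAC covers the IV as well as the ciphertext, a flipped IV bit is rejected just like a flipped ciphertext bit; replay of an unmodified packet is not detected, as the question's note already says.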