
The overall setup is that I am using RSA public key encryption, and because the messages are big, instead of encrypting the entire message via RSA I am encrypting a random AES-128 key with the PK and then encrypting the message with that key in AES-CBC.

The AES key is randomly generated for each message. Questions:

  1. Is it safe to use the key as the IV of the CBC? The rationale here is the key is unique and random for each message and I'm not seeing a problem. The key is used in 3 places thus: the encryption itself, then as an IV, then again concatenated with the encrypted message's hash and everything hashed again as a MAC.

  2. Do I still need to do any random padding on the IM itself? The key and IV are already unique and random.

Searinox


Is it safe to use the key as the IV of the CBC?

CodesInChaos has answered this sufficiently in the Q&A he linked (AES key equal to IV (CBC mode)) and the TL;DR is: It's risky, but not directly exploitable.

Do I still need to do any random padding on the IM itself?

Hybrid encryption modes generally don't need random message padding as the randomness is already encapsulated in the key.


Now for some other issues with your scheme:

  • You're using concatenation and hashing as the MAC. More precisely, your MAC construction $\tau=H(H(M)\parallel K)$ is potentially broken.
  • You're using CBC. Using CBC in a newly deployed system is highly discouraged, especially due to padding oracle attacks and the like, which are only an issue in block-based encryption modes.
  • You're not using AEAD. Rolling your own mode of encryption and authentication is dangerous without proper knowledge and formal security reductions. Using a proper mode like GCM, OCB or EAX is really recommended and will ease implementation and use proven-secure constructions.
  • Your RSA encryption is probably risky to say the least. If I'm reading your question right you may be using straight, textbook RSA encryption of the 128-bit secret. However this is highly susceptible to brute-force attacks which can recover this secret in roughly $2^{64}$ steps.
SEJPM
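The last bullet of the answer above says that textbook RSA encryption of a 128-bit key can be broken in roughly $2^{64}$ steps. The reason is the multiplicative property of unpadded RSA: if the key factors as $k = k_1 k_2$ with both halves below $2^{64}$, then $c = k^e = k_1^e \cdot k_2^e \pmod N$, and a meet-in-the-middle search over the two halves recovers $k$ (this is the Boneh, Joux and Nguyen attack on textbook RSA). The following is an added example written for this page, not code from the question or the answer; it uses constructed toy parameters (two fixed small primes, a 32-bit secret split into two 16-bit factors) so that it runs in under a second, and the function names are invented here.

```python
"""Meet-in-the-middle recovery of a small secret encrypted with textbook RSA.

Added example (not from the original Q&A). Toy sizes: a 32-bit secret that
splits into two 16-bit factors, so the search is 2 * 2**16 modular
exponentiations. Against a 128-bit AES key the same attack costs about 2**64
steps, which is what the answer refers to. Requires Python 3.8+ for pow(x, -1, n).
"""


def rsa_keygen_toy():
    """Constructed toy RSA parameters: two fixed primes, NOT real key generation.
    e = 65537 is coprime to (p-1)(q-1) here, so encryption is a permutation."""
    p = 1000000007
    q = 998244353
    return p * q, 65537


def textbook_rsa_encrypt(m, n, e):
    """Unpadded ("textbook") RSA: c = m^e mod n. No OAEP, no randomness."""
    return pow(m, e, n)


def meet_in_the_middle(c, n, e, half_bits):
    """Recover k from c = k^e mod n, assuming k = k1 * k2 with k1, k2 < 2**half_bits.

    Because textbook RSA is multiplicative, c = k1^e * k2^e (mod n). Tabulate
    k1^e for every candidate k1, then for each k2 look up c * (k2^e)^-1.
    Returns None if the secret does not split into two small factors.
    """
    bound = 1 << half_bits
    # First half: k1^e mod n -> k1. Memory is 2**half_bits entries.
    table = {pow(k1, e, n): k1 for k1 in range(1, bound)}
    # Second half: divide k2^e out of c and check whether the remainder is in the table.
    for k2 in range(1, bound):
        target = c * pow(pow(k2, e, n), -1, n) % n
        k1 = table.get(target)
        if k1 is not None:
            return k1 * k2
    return None


def demo():
    """Encrypt a constructed 32-bit secret with textbook RSA and recover it."""
    n, e = rsa_keygen_toy()
    secret = 40503 * 61981          # constructed secret; both factors < 2**16
    c = textbook_rsa_encrypt(secret, n, e)
    recovered = meet_in_the_middle(c, n, e, 16)
    return secret, recovered


if __name__ == "__main__":
    secret, recovered = demo()
    print(f"secret={secret} recovered={recovered} match={secret == recovered}")
```

The attack only works because the secret is encrypted raw: with RSA-OAEP the value actually exponentiated is a randomized padded block, so it no longer factors as a product of two small numbers and the table lookup has nothing to match. A secret that is itself prime (or has no two factors under the bound) is not recovered by this search, which is why the attack succeeds on a fraction of random keys rather than all of them; that fraction is large enough that it is a realistic threat to the scheme in the question.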