0

Given the need to transmit relatively short messages (a few dozens of bytes max), how unsecure would the following bundling of a hash in the initialization vector be?

  • (A) = 64 bits of cryptographic random
  • (B) = cryptographic hash of A concatenated with original Message

Then concatenate (A) with 64 bits of (B), and use that as IV for an AES CTR mode encryption.

This weakens the IV randomness to allow bundling the hash in it, and attempts to hide information the unencrypted hash in the IV could leak.

The key used for AES is itself changed every time, it is a HMAC of (secret + message counter).

Eric Grange
  • 113
  • 4
  • 1
    Since the "key used for AES is itself changed every time," you can instead just use a constant IV, even if the adversary gets to choose that constant. ​ ​ –  Oct 26 '16 at 07:46
  • 1
    @Ricky Demer: things are not quite that simple; see this answer and how I had to bend mine. – fgrieu Oct 26 '16 at 07:54

1 Answers1

2

This is a terminally bad idea: much of the confidentiality of the message $M$ is lost, because $A$ and 64 bits of $B=H(A\|M)$ are available in clear. So if $M$ is enumerable (a password, a name, a Social Security Number) among say $2^{48}$, it can be found by a cheap offline attack with little odds of false positive ($2^{-16}$), totally irrespective of the AES cryptography.

fgrieu
  • 140,762
  • 12
  • 307
  • 587
  • Thanks! And if I understood correctly, to mitigate this I would need to add the same amount of random in the crypted message, which would get me back to the same "crypted message size" as before. – Eric Grange Oct 26 '16 at 07:45