security of design for sending files

Question

let's say I have a protocol to send a file $F$. I am intending to employ AES in CBC mode for encrypting $F$ where the $IV$ is randomly chosen. For authenticity, I am employing $HMAC$ to compute a Message Authentication Code ($MAC$). Both the encrypted version of $F$ and the $MAC$ are sent to the receiver.

Is there any flaw in this design?

@SEJPM: I suppose the OP is using the contents of the file as the input to the HMAC. — meta_warrior, Nov 16 '16 at 23:46
@freak_warrior Please do not answer instead of qwerty89. SEJPM is after a specific flaw here. — Maarten Bodewes, Nov 17 '16 at 01:15
Hi @SEJPM: freak_warrior is correct, I am thinking of passing the contents of $F$ into the $HMAC$. — qwerty89, Nov 17 '16 at 01:19

score 2 · Answer 1 · answered Nov 17 '16 at 16:40

So here's what you're doing: $$E_{K_1,IV}(F)||H_{K_2}(F)$$

where E denotes encryption with AES-CBC and H denotes HMAC. This is also known as "Encrypt and MAC".

This scheme potentially has a few issues.

It's (formally) not IND-CPA secure, because an attacker can query the encryption oracle for the challenge ciphertexts and compare the resulting MACs.
The scheme puts higher-than-normal contraints on the MAC, because normally MACs aren't assumed to guarantee not to leak anything about their inputs. With HMAC this isn't a problem though.
The scheme could potentially be vulnerable to POODLE-style attacks if you don't validate your CBC padding properly.

As a secure alternative I highly recommend using AES-GCM if you encrypt less than a few GB per key or AES-EAX if you do. Preferably use some well-known and reviewed implmentation of them because getting AES-GCM right isn't exactly easy. As EAX and GCM are authenticated encryption modes they only expect a unique IV from you and the key and will encrypt and authenticate the message properly.

score 1 · Answer 2 · answered Nov 18 '16 at 04:10

Some things other people missed:

It would be my thought that you are sending a file over the internet. I assume you are not employing key exchange since you did not explicitly state it, in which, your system is doomed. Use proper key exchange and do not send the key in plaintext, I suggest RSA since it is easy to implement in software.

Another answer addressed the possible insecurity of Encrypt & Mac. If you are paranoid, then you Encrypt Then Mac

Keep in mind, the MAC only verifies integrity of the data you are sending, and will not verify authenticity. That is, it will make sure you received the file correctly without errors, and will not make sure you are talking to a man-in-the-middle. If you are looking for authenticity, the a way to do this is via digital certificate authentication.

HMAC (or other good MAC) using a shared secret key DOES authenticate as long as the key is in fact secret; what it does not do is prove to a third party aka nonrepudiation; signature does both. Signature doesn't inherently require certificates, although they are the most common and often most convenient method of binding public keys. — dave_thompson_085, Nov 18 '16 at 12:22

security of design for sending files

2 Answers2