Consider the following hybrid encryption scheme (B3||4 stands for the
concatenated IV and AES-CBC encrypted message):
    -------------------------------------------------------------------
    | Encrypted with RSA      | HMAC  |    |                       |
    | HMAC_KEY || AES_KEY     | of    | IV | AES-CBC Encrypted MSG |
    | (using PK of recipient) | B3||4 |    |                       |
    -------------------------------------------------------------------
Let's say some message was encrypted with AES-128-CBC with a randomly generated secret key and IV. Then the HMAC was calculated over blocks 3-4 concatenated together. And then the HMAC key and the AES encryption key were encrypted with RSA using the public key of the recipient (B).
My question is: do I need to include an HMAC, or any other digest at all, in such a packet if it is transmitted over a reliable connection (let's say TCP) from the sender (A) to the receiver (B)?
Is the following simplified scheme worse in terms of security?
    -----------------------------------------------------------
    | Encrypted with RSA      |    |                       |
    | AES_KEY                 | IV | AES-CBC Encrypted MSG |
    | (using PK of recipient) |    |                       |
    -----------------------------------------------------------
My thoughts:
- As the message will be 100% delivered to the receiver, there is no way it can be damaged during transmission.
- With a MITM attack there is no way to alter the encrypted message in a meaningful way so that it would still be decryptable with the key from block 1.
- There is no better way to manipulate the transmitted data than to substitute the whole packet with another one holding a different message and AES encryption key.
- In order to prevent the alteration described above, it's enough to sign the AES key in block 1 with the secret key of the sender (and add the signature to the first block). In this way the receiver can verify that the key was indeed sent by the original sender.
- If, with the above tweak, a MITM altered the 3rd or 2nd block of a packet, decryption would not be possible at all, so there is no way to spoof the message while leaving the signed key in the first block as is.
The only thing I can think of is some way to alter block 3 so that it would still be decryptable. Is that possible for an attacker to accomplish?
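The first scheme's HMAC over blocks 3 and 4, as an added example (not code from the original question) using only Go's standard crypto packages: the RSA wrapping of the keys is left out, messages are assumed block-aligned with no PKCS#7 padding (with padding the same holds whenever the final block is left untouched), and the random IV is supplied by the caller. The point it shows from the receiver's side is that bare CBC decryption of an altered IV or ciphertext block does not fail at all, so the HMAC check in Open is the only thing that detects the change.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
)

// DecryptCBC is the bare AES-CBC step (block-aligned input, no padding). It has no
// integrity check: an altered IV or ciphertext block still decrypts, without error, to other plaintext.
func DecryptCBC(aesKey, iv, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(aesKey)
	if err != nil || len(iv) != aes.BlockSize || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("bad key, IV or ciphertext length")
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pt, nil
}

// tag is HMAC-SHA256 over the whole IV || ciphertext body (encrypt-then-MAC).
func tag(macKey, body []byte) []byte {
	mac := hmac.New(sha256.New, macKey)
	mac.Write(body)
	return mac.Sum(nil)
}

// Seal builds IV || AES-CBC(msg) || tag: blocks 3 and 4 of the question, followed
// by the HMAC computed over both of them. The caller supplies the random IV (assumption).
func Seal(aesKey, macKey, iv, msg []byte) ([]byte, error) {
	block, err := aes.NewCipher(aesKey)
	if err != nil || len(iv) != aes.BlockSize || len(msg) == 0 || len(msg)%aes.BlockSize != 0 {
		return nil, errors.New("bad key, IV or message length")
	}
	body := append(append([]byte{}, iv...), make([]byte, len(msg))...)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(body[aes.BlockSize:], msg)
	return append(body, tag(macKey, body)...), nil
}

// Open compares the tag in constant time and refuses to decrypt on mismatch: the check the HMAC-less scheme lacks.
func Open(aesKey, macKey, pkt []byte) ([]byte, error) {
	n := len(pkt) - sha256.Size
	if n < aes.BlockSize || !hmac.Equal(tag(macKey, pkt[:n]), pkt[n:]) {
		return nil, errors.New("packet too short or HMAC mismatch: IV or ciphertext altered")
	}
	return DecryptCBC(aesKey, pkt[:aes.BlockSize], pkt[aes.BlockSize:n])
}
```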