1

I need to check the integrity of a high-security system value - in this case encryption key(s)

I would like to create an HMAC digest of this user encryption key (the key is used in the application as the key for an AES-256 cipher) to check its integrity. The encryption key is derived with a KDF from his password and salt after every user's login into the application. After user registration, I create an integrity HMAC-SHA256 digest of the user's encryption key. This digest IMHO shouldn't be kept secret and will be saved with other user data. While the user is logging in, I create the digest and compare it with the saved value of the digest. If both digests are the same, integrity is approved.

This makes me ask: is it required to keep the key used for HMAC-SHA256 secret, or can I leave it with other user data (non-secure, "in the open")? When a hypothetical opponent gets the key, is it possible for the opponent to restore the original value of the encryption key from an HMAC-SHA256 digest?

Edit

I'm not sure, because I'm thinking: when an opponent doesn't know the "secret value" (the application encryption key), the opponent is not able to create the same digest, even if he knows the HMAC-SHA256 key. Is that a correct assumption?

e-sushi
jnemecz

1 Answer

3

My question: Is it required to keep the key for HMAC-SHA256 secret, or can I leave it with other user data as non-secure?

If your goal is integrity and you use a HMAC, then it is mandatory to keep the key secret. A public key in HMAC would mean anyone can create valid tags for any message - and integrity is gone.

When a hypothetical opponent gets the key, is it possible to restore the original encryption key from an HMAC-SHA256 digest?

No, it should be impossible to find the key from any HMAC value (that would contradict the security definition).

tylo
  • Just for clarification, maybe I'm not totally clear - I am asking if it is mandatory to keep the secret key for HMAC-SHA256 secret (and not an "encryption key" from the application). – jnemecz Jun 09 '17 at 10:33
  • That is exactly what I meant. There are only two cases: either the secret value in HMAC (which we can call the key) has to be secret or it doesn't. If it is not secret, there is no integrity. By Kerckhoffs's theorem, the attacker knows everything except the key. – tylo Jun 09 '17 at 10:47
  • I think I understand. One more question - final digest created by HMAC-SHA256 is public knowledge, isn't it? – jnemecz Jun 09 '17 at 10:59
  • Yes. That's the whole point. If you have some integrity verification which is entirely hidden, then you don't need HMAC. If you think about message integrity, HMAC is part of the message and usually not encrypted - see this question (that's called encrypt-then-mac) – tylo Jun 09 '17 at 11:28
  • @tylo I believe you are using the word integrity instead of authenticity, there. – Lery Jun 13 '17 at 11:22
  • @Lery The basic goal of information security is called integrity - and that is the term used in the question. Authenticity is another point of view on mostly the same mechanisms. But in this case I guess the user should not be able to change his key unnoticed - and that is the very definition of integrity. – tylo Jun 13 '17 at 13:37
  • I guess it works, if you include the notion of authenticity in your definition of integrity. I personally refer to integrity and authenticity as two distinct things, just like Thomas Pornin addressed it in this question. Even though we could certainly argue that integrity has not much value without authenticity in most cases. – Lery Jun 13 '17 at 13:45
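The scheme from the question and the answer's point about the MAC key, as an added example that is not part of the original question, answer or comments. It models the flow the asker describes (key derived from password and salt, HMAC-SHA256 tag stored with the user record, tag recomputed at login) and then checks what the verifier does when a party with write access to the record rewrites the stored tag: if that party knows the MAC key, the rewritten tag passes and the check detects nothing; if the MAC key is secret, the rewritten tag is rejected. PBKDF2 and its iteration count are assumptions standing in for the unnamed KDF; all names and sample values are constructed.

```python
import hashlib
import hmac
import os

# Assumption: the question does not name its KDF, so PBKDF2-HMAC-SHA256 is used
# here as a stand-in; the iteration count is illustrative, not a recommendation.
KDF_ITERATIONS = 100_000


def derive_key(password: bytes, salt: bytes) -> bytes:
    """Derive the 32-byte AES-256 key from the user's password and per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, KDF_ITERATIONS, dklen=32)


def integrity_tag(mac_key: bytes, enc_key: bytes) -> bytes:
    """HMAC-SHA256 over the encryption key; this tag is what gets stored in the open."""
    return hmac.new(mac_key, enc_key, hashlib.sha256).digest()


def verify_tag(mac_key: bytes, enc_key: bytes, stored_tag: bytes) -> bool:
    """Recompute the tag for the re-derived key and compare in constant time."""
    return hmac.compare_digest(integrity_tag(mac_key, enc_key), stored_tag)


def register(password: bytes, mac_key: bytes) -> dict:
    """Create the user record at registration: salt plus tag, no key material."""
    salt = os.urandom(16)
    return {"salt": salt, "tag": integrity_tag(mac_key, derive_key(password, salt))}


def login(password: bytes, record: dict, mac_key: bytes) -> bool:
    """At login, re-derive the key and check it against the stored tag."""
    return verify_tag(mac_key, derive_key(password, record["salt"]), record["tag"])


def replace_tag(record: dict, new_enc_key: bytes, mac_key_guess: bytes) -> dict:
    """Model a party with write access to the stored record who rewrites the tag
    to match a key of their choosing, using whatever MAC key they believe is in
    use. Whether the verifier later accepts this is exactly the answer's point."""
    return {**record, "tag": integrity_tag(mac_key_guess, new_enc_key)}


def tamper_detected(record: dict, new_enc_key: bytes,
                    mac_key_guess: bytes, real_mac_key: bytes) -> bool:
    """True if the verifier rejects a record whose tag was rewritten for new_enc_key."""
    tampered = replace_tag(record, new_enc_key, mac_key_guess)
    return not verify_tag(real_mac_key, new_enc_key, tampered["tag"])


if __name__ == "__main__":
    mac_key = os.urandom(32)                       # constructed: the application's MAC key
    rec = register(b"correct horse battery staple", mac_key)
    print("login with right password:", login(b"correct horse battery staple", rec, mac_key))
    print("login with wrong password:", login(b"wrong", rec, mac_key))
    other_key = os.urandom(32)                     # constructed: a substituted encryption key
    # MAC key in the open: the rewritten tag verifies, so the substitution goes unnoticed
    print("detected when MAC key is public:", tamper_detected(rec, other_key, mac_key, mac_key))
    # MAC key secret: the rewriter can only guess it, and the rewritten tag is rejected
    print("detected when MAC key is secret:", tamper_detected(rec, other_key, os.urandom(32), mac_key))
```

The stored tag itself can be public, as the comments say; what the example makes concrete is that the tag only binds the record to the encryption key if the MAC key is something the party rewriting the record does not have. Note also that `login` never stores or logs the derived key; only the salt and tag are persisted.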