0

I was thinking last night about whether or not a HMAC-Encrypt-HMAC would be secure if you used the same HMAC key.

Here is the full recipe:

  • Compute a HMAC on the data to encrypt, and append it to the data.

  • Encrypt the data with AES_CTR_256.

  • Compute another HMAC, this time on the encrypted message+HMAC combo, and append it the the ciphertext.

Would using the same key, eg. thisisareallyinsecurekey, on both the HMAC's be cryptographically secure? Or would I need to use different keys for each HMAC?

Legorooj
  • 474
  • 5
  • 16
  • 2
    Why do you want to do this? The right thing to do is encrypt and then applying the HMAC to the encrypted message (ciphertext). The first HMAC is not needed at all. – Yehuda Lindell Sep 09 '19 at 06:16
  • 1
    Simply theory. I don't plan to use this in production code. – Legorooj Sep 09 '19 at 06:17
  • Related: https://crypto.stackexchange.com/q/8720/54184 – forest Sep 09 '19 at 06:43
  • Worth noting that the terms "MAC" (used in the title) and "HMAC" (used in the text) aren't synonymous; MAC is to HMAC as fruit is to apple. Some MACs have restrictions on using the same key or key/nonce combination to authenticate two or more messages. HMAC isn't one of them. – Luis Casillas Oct 09 '19 at 22:09
  • @LuisCasillas I know - it was a general question meaning fruit in general – Legorooj Oct 09 '19 at 23:52

1 Answers1

2

No, you can use the same HMAC key for any message, including an already HMAC'ed message (regardless if the HMAC value is encrypted or not).

The key in HMAC is protected by the one-way hash function used internally, so getting the key should be hard.

The collision resistance and other security properties will also prevent an attacker from generating a HMAC based on a previous HMAC value. The way that HMAC is preventing length extension attacks may be very important in that regard, because Merkle-Damgård based hashes do (generally) not protect against those. MD5, SHA-1 and SHA-2 (but not SHA-3) are all MD-hashes and vulnerable to length extension attacks.

It is much harder to proof that using the same key for AES is also secure. There may be a mathematical way of retrieving key data if the key is reused in any kind of algorithm. The chance that it is possible to use relations between the algorithms to get information on the key or plaintext message is rather small though. Still, most cryptographers would prefer to use a separate key for different algorithms unless any weakness has been ruled out (as in most AEAD schemes that use a single key, for instance).

Note that this answer is for the security of the HMAC construction itself rather than the security of the entire protocol. Attackers may still perform replay attacks where a previous message and authentication tag are resend to the receiver by the attacker. The protocol should prevent those (e.g. by including a unique message ID in the message).

As Yehuda has already hinted: it isn't apparent if this scheme would be beneficial in any way; you may perform an additional run of HMAC without security benefits. If this is the case or not depends on your use case (maybe you do want to store the decrypted plaintext message together with valid, pre-generated HMAC; that would be a strange use case, but we don't know).

Maarten Bodewes
  • 92,551
  • 13
  • 161
  • 313