
When using the MAC-then-Encrypt composition, would using the same key for the HMAC in each different message be insecure?

Legorooj

1 Answer

No, with a reasonable choice of hash function, HMAC can safely authenticate many messages under the same key—it is not a one-time MAC like GHASH or Poly1305. Of course, it may be prudent to use a message sequence number so you can reject replays (and it may be necessary for your encryption scheme, e.g. if you're using AES-CTR or ChaCha).

That said, why are you making this decision instead of using an authenticated cipher like AES-GCM or NaCl crypto_secretbox_xsalsa20poly1305?

Squeamish Ossifrage
  • The reason for not using an authenticated encryption mode is that I agree with Colin Percival's opinion on those - which you probably know. Also, I use SHA3_256 as my hash. – Legorooj Oct 26 '19 at 00:59
  • If you're referring to Colin Percival's ‘cryptographic right answers’, that was written over a decade ago before authenticated ciphers like AES-GCM and crypto_secretbox_xsalsa20poly1305 were widely available. (What he called ‘CWC’ in his expanded note is a predecessor to GCM, and NaCl had just been released the year prior.) His point about side channel attacks is relevant for AES-GCM in software; not so much for crypto_secretbox_xsalsa20poly1305. – Squeamish Ossifrage Oct 26 '19 at 01:13
  • Side note: There is essentially no technical reason to ever use SHA3-256 for anything because its kind of goofy parameters were chosen for political rather than technical reasons, and no reason to use HMAC with SHA-3 when you can use KMAC128 instead. – Squeamish Ossifrage Oct 26 '19 at 01:14
  • Ok then - he links to an article that is more up-to-date and he mentions gcm in that. Anyway, the associated data is a nuisance in my program, and HMACs serve me better. What is your recommended hash? – Legorooj Oct 26 '19 at 01:19
  • If associated data is a nuisance then just…don't use it. You can safely pass in an empty string as the associated data. For authenticated encryption, I recommend NaCl crypto_secretbox_xsalsa20poly1305 (unless you have constraints—which you don't seem to have—to use US federal government standards, in which case AES-GCM). If you really really want to use SHA-3, just use KMAC128 with a 128-bit output. If for some reason you have some of SHA-3 but not KMAC, SHAKE128(key ∥ msg) with 256-bit key and 128-bit output is perfectly fine as a MAC too. – Squeamish Ossifrage Oct 26 '19 at 01:35
  • To be clear, HMAC-SHA3-256 doesn't make a bad MAC. It's just a rather silly way of doing things that can be done much more simply and efficiently—like using two pairs of tongs to manipulate a pair of tongs to pick up and move a carrot when you can just grab the carrot with your hand. It was basically a design goal of SHA-3 to make HMAC unnecessary. – Squeamish Ossifrage Oct 26 '19 at 01:51
  • Thanks, I'll use SHAKE where possible. Also, how secure is SHA256? – Legorooj Oct 26 '19 at 02:12
  • SHA-256 provides collision resistance and (second-)preimage resistance at a 128-bit security level (and (second-)preimage resistance at a ‘256-bit’ security level, but that level is essentially meaningless). It can be reasonably modeled as a random oracle except for the usual length extension issue. It's a reasonable choice for HMAC. Overall, we have no reason to doubt the standard security claims advertised for SHA-256. – Squeamish Ossifrage Oct 26 '19 at 02:15
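Added example, not part of the answer or the comments above: the MAC side of the scheme the answer describes, written against Python's standard library only. One long-term key authenticates many messages with HMAC-SHA256 (so the key is not one-time, as the answer states), each message carries a sequence number under the tag, and the receiver rejects replays. The comments' SHAKE128(key ∥ msg) construction is included as a second tag function with a 256-bit key and 128-bit output, standing in for KMAC128, which `hashlib` does not offer. The encryption layer of MAC-then-Encrypt is left out (the standard library has no AES-CTR or ChaCha); the key, message contents and `Sender`/`Receiver` classes are constructed for the demo.

```python
import hashlib
import hmac
import struct

# Constructed demo key (a real one comes from secrets.token_bytes(32)); 256 bits.
DEMO_KEY = bytes(range(32))


def hmac_sha256_tag(key: bytes, seq: int, msg: bytes) -> bytes:
    """HMAC-SHA256 over (sequence number || message).

    The same long-term key is reused for every message; HMAC is a PRF, so
    that is fine, unlike a one-time MAC such as Poly1305 or GHASH whose
    per-message key must never repeat.
    """
    return hmac.new(key, struct.pack(">Q", seq) + msg, hashlib.sha256).digest()


def shake128_tag(key: bytes, seq: int, msg: bytes) -> bytes:
    """SHAKE128(key || seq || msg), 256-bit key, 128-bit output.

    Sponge hashes have no length-extension issue, so a plain key prefix
    works as a MAC; this stands in for KMAC128, which hashlib lacks.
    """
    if len(key) != 32:
        raise ValueError("shake128_tag expects a 256-bit key")
    return hashlib.shake_128(key + struct.pack(">Q", seq) + msg).digest(16)


class Sender:
    """Attaches a monotonically increasing sequence number and a tag."""

    def __init__(self, key: bytes, tag_fn=hmac_sha256_tag):
        self.key, self.tag_fn, self.seq = key, tag_fn, 0

    def send(self, msg: bytes):
        seq, self.seq = self.seq, self.seq + 1
        return seq, msg, self.tag_fn(self.key, seq, msg)


class Receiver:
    """Verifies the tag first, then drops anything below the next expected sequence number."""

    def __init__(self, key: bytes, tag_fn=hmac_sha256_tag):
        self.key, self.tag_fn, self.next_seq = key, tag_fn, 0

    def receive(self, seq: int, msg: bytes, tag: bytes):
        # Constant-time comparison; never compare MAC tags with a plain ==.
        if not hmac.compare_digest(self.tag_fn(self.key, seq, msg), tag):
            return None          # forged or corrupted
        if seq < self.next_seq:
            return None          # replay (or a stale, reordered message)
        self.next_seq = seq + 1  # gaps (lost messages) are tolerated; repeats are not
        return msg


def run_demo(tag_fn=hmac_sha256_tag) -> dict:
    """Run the scheme on constructed messages and report what happened."""
    s, r = Sender(DEMO_KEY, tag_fn), Receiver(DEMO_KEY, tag_fn)
    m1 = s.send(b"transfer 10")
    m2 = s.send(b"transfer 10")   # same plaintext, different seq -> different tag
    m3 = s.send(b"transfer 20")
    tampered = (m3[0], b"transfer 90", m3[2])  # body altered, tag left as-is
    return {
        "same_msg_distinct_tags": m1[2] != m2[2],
        "first_accepted": r.receive(*m1) == b"transfer 10",
        "second_accepted": r.receive(*m2) == b"transfer 10",
        "replay_rejected": r.receive(*m1) is None,
        "tamper_rejected": r.receive(*tampered) is None,
        "third_accepted": r.receive(*m3) == b"transfer 20",
        "tag_len": len(m1[2]),
    }


if __name__ == "__main__":
    for fn in (hmac_sha256_tag, shake128_tag):
        print(fn.__name__, run_demo(fn))
```

The sequence number sits under the tag, so an attacker cannot renumber a captured message, and the same counter can feed the nonce of a CTR-mode or ChaCha layer as the answer notes. In a MAC-then-Encrypt deployment the receiver would decrypt first and then run `receive` on the plaintext; the rejection paths should look identical to the network (same timing, same error) so that the MAC check does not leak a decryption oracle.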