Is it safe to use the same password/secret for both VeraCrypt volume and its HMAC?

Question

I am trying to script the integrity check of a VeraCrypt volume.

#! /bin/sh
red=$'\e[1;31m'
end=$'\e[0m'
set -e
printf "Please enter password: "
read -s p
if [ -f "/Volumes/Samsung BAR/bar.hmac" ]; then
  printf "\n%s" "Checking integrity..."
  if [ "$(openssl dgst -sha512 -hmac "$p" "/Volumes/Samsung BAR/bar")" != "$(<"/Volumes/Samsung BAR/bar.hmac")" ]; then
    printf "\n%s" "${red}Check failed${end}"
    exit 1
  fi
fi
printf "\n%s\n" "Unlocking VeraCrypt volume..."
veracrypt --text --non-interactive --mount --pim 0 --keyfiles "" --protect-hidden no --password "$p" "/Volumes/Samsung BAR/bar" /Volumes/Backup
declare -a files=(
  "/Users/sunknudsen/.gnupg"
  "/Users/sunknudsen/.ssh"
  "/Users/sunknudsen/Library/Keychains"
)
for file in "${files[@]}"; do
  rsync -axRS --delete "$file" /Volumes/Backup
done
open /Volumes/Backup
printf "${red}Inspect backup and press enter${end}"
read -r answer
veracrypt --text --dismount "/Volumes/Samsung BAR/bar"
echo "Saving HMAC..."
openssl dgst -sha512 -hmac "$p" "/Volumes/Samsung BAR/bar" > "/Volumes/Samsung BAR/bar.hmac"
echo "Done"

Security warning: Using read -s p is vulnerable to process listing leaks so I need to find another way to feed the password to both openssl and veracrypt.

Use a PBKDF to drive two keys. And make sure that you are using a good password mechanism like diceware. — kelalaka, Sep 08 '20 at 21:26
Does this answer your question? Using the same secret key for encryption and authentication in a Encrypt-then-MAC scheme — kelalaka, Sep 08 '20 at 21:30
@kelalaka I thought of using key derivation. What would be the benefits of that approach? — sunknudsen, Sep 08 '20 at 21:30
If you are not using a password manager to generate good keys for you, then you can choose a good one password and safely drive both keys. If you are using one then it can handle those for you. — kelalaka, Sep 08 '20 at 21:33
@kelalaka How would you solve the following problem? VeraCrypt encrypted volumes don't support authentication. How can I know the volume has not been tampered with? I am trying to script a solution to that problem. — sunknudsen, Sep 08 '20 at 21:35
Two ways: first inside the volume, each file is protected with a keyed mac like HMAC or KMAC, etc, or from outside altogether. — kelalaka, Sep 08 '20 at 21:37
@kelalaka Read the above question. Thanks! My understanding is GCM uses the same key for both authentication and encryption. Is that assumption correct? — sunknudsen, Sep 08 '20 at 21:42

score 1 · Answer 1 · answered Sep 08 '20 at 21:12

Assuming your password is secure, yes it is (and I've seen your YouTube channel so I guess that's a non-issue). If you use the same key in both, an attacker would still have to find your key. Since your data this encrypted this requires breaking either the encryption or the HMAC'd hash - even if the hash is broken, they may find a collision but your key would be significantly harder to obtain, since collisions usually don't involve finding the original data.

The point of HMAC is to pair the data with the hash. Someone may tamper with the data, but without the key they can't make the hash collide with the new data. You can use one or multiple keys, it really doesn't matter.

Also, don't forget to store 2 separate hashes. That way, if one has a collision attack developed later on, you can still verify the authenticity using the other. SHA-512 and BLAKE2b? (C'mon, don't tell me forked their official implementation for nothing)

Just kidding, but really... Store the hash with 2 separate algorithms.

Is it safe to use the same password/secret for both VeraCrypt volume and its HMAC?

1 Answers1