It's a well-known best practice to not use one key to both encrypt and MAC data. In my application, there are instances where I MAC a piece of data without having encrypted it first. Do I still need a different key than the one used for encryption? Is it OK to use the same key to MAC one piece of data if I'm going to re-use that key to encrypt some other data under the same key?
Asked
Active
Viewed 1,699 times
2
-
1I'm confused by the juxtaposition of "best practice" and your situation. You state best practice is to not use the same key for MAC and encryption, then ask if you need a different key for MACing and encrypting the plaintext, which is answered by your statement of best practice. Are you trying to confirm whether that is indeed best practice? – B-Con Jun 13 '13 at 21:10
-
1@B-Con: The way I interpret this question, he isn't asking whether or not you should encrypt and MAC the same data with the same key. Rather, he's asking is it okay if you MAC some data and then encrypt some other data with the same key. – Reid Jun 13 '13 at 22:01
-
1Reid is correct, sorry if that was ambiguous. – pg1989 Jun 13 '13 at 22:45
2 Answers
3
It depends on how you encrypt and mac.
If you can still choose then you should use an authenticated encryption with associated data mode (AEAD) like Galois/Counter Mode. If all data you want authenticated in a message has to be transmitted in the clear then just leave the encrypted part empty. These modes have the advantage that they were designed to use just one key and have solid security proofs.
For any other combinations it depends on what algorithms and modes you use for encryption and mac. Mostly this analysis is not worth the trouble, as deriving two keys from one master key is pretty simple (HMAC(masterKey,"Key one"), and HMAC(masterKey,"Key two") for example, or AES(masterKey,0x0…01) and AES(masterKey,0x0…02)). Also any custom crypto (and using the same key twice this way is non-standard) has the disadvantage that code and security reviews get way more complicated and any error is on you.
If you use two algorithms with completely different roots (for example Sha256-HMAC and AES counter mode) you are probably on the safe side, but that is just my feeling with no rigid argumentation behind it.
Perseids
- 562
- 3
- 13
-
1
-
2Then it's probably okay, but it still remains bad practice. Avoid it if at all possible.
Also AES/GCM is an AEAD scheme. Why don't you just AES/GCM for MAC as well? Be careful to never use the same combination of key nonce
– Perseids Jun 14 '13 at 08:40 -
2
- never use the same combination of key and nonce though, as this destroys confidentiality of those messages with the same (nonce,key) and integrity protection of all messages with this key.
– Perseids Jun 14 '13 at 08:50
3
Generally speaking: no, it is not OK. If you're going to encrypt any data at all with this key, you shouldn't reuse it to MAC other data. Using the same key for two purposes is bad practice and has often led to security problems in the practice.
Encrypting data without MACing it is also bad practice.
Instead, I recommend you use an "authenticated encryption with associated data" (AEAD) scheme. AEAD schemes have two inputs: the message, and the associated data. The confidentiality of the message is protected (by encrypting), while the confidentiality of the associated data is not protected. The integrity of both pieces are protected. If you like, you can think of this as encrypting the message, then MACing the message and associated data -- except done in a very careful way to ensure you are secure. My recommendation is to use an AEAD scheme. When you have some data you need to be kept confidential, input it as the message and encrypt it using the AEAD scheme (without any associated data). When you have some data that doesn't need to be confidential but does need to be integrity-protected, input it as the associated data, with the message part left empty, and encrypt using the AEAD scheme -- this will be the rough equivalent of MACing the data without encrypting anything. If you use the AEAD scheme in this way, you can use the same key for both kinds of data, as long as the nonce never repeats.
D.W.
- 36,365
- 13
- 102
- 187
-
1As a side question part of this. Is it safe to authenticate different data with the same MAC key? – curious Jun 14 '13 at 09:18
-
1@curious, yes, it's safe to use the same MAC key to authenticate multiple messages/packages. – D.W. Jun 14 '13 at 17:02