On Thu, Nov 12, 2015 at 11:05 AM, Nick Badger <[email protected]> wrote:
>
> Second question: assuming it is reasonable, what's the best way to do
> this? We do have to be concerned about leaking information from the inner
> container, so our current process is NONCE = AES-ECB( message_key, HASH(
> plaintext ) ) with the hash truncated to match the symmetric block size.
> Frankly though, that seems off to me, at the very least because we're
> reusing the message key. We should probably transition the message key to a
> master key, and use a KDF to generate both the nonce key and the message
> key. To that end, would NONCE = AES-ECB( KDF( master_key, HASH(plaintext)
> ), HASH(plaintext) ) make more sense? The "extra" AES here is to protect
> from dictionary attacks and against potential hash compromise.
>

Your proposed scheme might be secure there, but the straightforward way to do what you're trying to do is compute a MAC of the plaintext and use that as your IV. Key-reuse is a problem for provable security, as you point out. The simplest thing is to just have two keys, one for the MAC computation and one for the encryption.
_______________________________________________
Messaging mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/messaging
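The MAC-as-IV construction the reply describes, written out as an added Go example; this is not code from the original thread or from either poster. It follows the reply's advice literally: two independent keys, HMAC-SHA256 over the plaintext truncated to the AES block size as the IV, and AES-CTR for the encryption itself. On decryption it recomputes the MAC over the recovered plaintext and compares it to the transmitted IV in constant time, which is the same structure as SIV mode (RFC 5297 builds it from CMAC and S2V instead of HMAC). The choice of HMAC-SHA256 and AES-CTR, the IV || ciphertext layout, the `Keys`/`Encrypt`/`Decrypt` names and the test keys and message are all assumptions made for this example. Note the property the quoted question was asking for: the scheme is deterministic, so encrypting the same plaintext twice under the same keys yields the identical ciphertext, and that equality is visible to anyone who can see the ciphertexts.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Keys holds the two independent keys the reply recommends: one for the MAC
// that derives the IV, one for the encryption. (Assumed layout for this example.)
type Keys struct {
	MACKey []byte // key for HMAC-SHA256
	EncKey []byte // 16, 24 or 32 bytes for AES
}

// Encrypt computes IV = HMAC-SHA256(MACKey, plaintext) truncated to the AES
// block size, then encrypts plaintext with AES-CTR under EncKey and that IV.
// Output layout (assumed): IV || ciphertext.
func Encrypt(k Keys, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(k.EncKey)
	if err != nil {
		return nil, err
	}
	mac := hmac.New(sha256.New, k.MACKey)
	mac.Write(plaintext)
	iv := mac.Sum(nil)[:block.BlockSize()]

	out := make([]byte, len(iv)+len(plaintext))
	copy(out, iv)
	cipher.NewCTR(block, iv).XORKeyStream(out[len(iv):], plaintext)
	return out, nil
}

// Decrypt splits IV || ciphertext, decrypts under the transmitted IV, then
// recomputes the MAC over the recovered plaintext and compares it to the IV.
// Because the IV is a MAC of the plaintext, a mismatch means either the IV or
// the ciphertext was altered, so the check doubles as authentication (SIV).
func Decrypt(k Keys, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(k.EncKey)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(ciphertext) < bs {
		return nil, errors.New("ciphertext shorter than one IV")
	}
	iv, body := ciphertext[:bs], ciphertext[bs:]

	plaintext := make([]byte, len(body))
	cipher.NewCTR(block, iv).XORKeyStream(plaintext, body)

	mac := hmac.New(sha256.New, k.MACKey)
	mac.Write(plaintext)
	if !hmac.Equal(mac.Sum(nil)[:bs], iv) {
		return nil, errors.New("authentication failed: MAC of recovered plaintext does not match IV")
	}
	return plaintext, nil
}

func main() {
	// Constructed test keys; fixed byte patterns, never use values like these in practice.
	k := Keys{
		MACKey: bytes.Repeat([]byte{0x01}, 32),
		EncKey: bytes.Repeat([]byte{0x02}, 16),
	}
	msg := []byte("constructed sample message") // constructed input

	ct1, _ := Encrypt(k, msg)
	ct2, _ := Encrypt(k, msg)
	fmt.Printf("same plaintext twice gives same ciphertext: %v\n", bytes.Equal(ct1, ct2))

	pt, err := Decrypt(k, ct1)
	fmt.Printf("round trip: %q (err=%v)\n", pt, err)

	// Flip one ciphertext bit: the recovered plaintext changes, its MAC no
	// longer equals the transmitted IV, and Decrypt rejects the message.
	tampered := append([]byte(nil), ct1...)
	tampered[len(tampered)-1] ^= 0x80
	_, err = Decrypt(k, tampered)
	fmt.Printf("tampered ciphertext rejected: %v\n", err != nil)
}
```

If you want a single master key, as the quoted message proposes, derive `MACKey` and `EncKey` from it with a KDF under two distinct labels; the example takes the two keys directly, which is the "simplest thing" the reply recommends. The MAC output is truncated to 128 bits only because CTR needs a block-sized IV; that truncation also bounds the forgery resistance of the implicit authentication check.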
