[144872] in cryptography@c2.net mail archive


Re: Detecting attempts to decrypt with incorrect secret key in OWASP

daemon@ATHENA.MIT.EDU (David Wagner)
Thu Sep 17 23:25:15 2009

From: David Wagner <daw@cs.berkeley.edu>
To: cryptography@metzdowd.com
Date: Thu, 17 Sep 2009 12:42:26 -0700 (PDT)

Kevin W. Wall wrote:
> So given these limited choices, what are the best options to the
> questions I posed in my original post yesterday?

Given these choices, I'd suggest that you first encrypt with AES-CBC mode.
Then apply a message authentication code (MAC) to the whole ciphertext
(including the IV).  You then send the ciphertext followed by the MAC digest.

SHA1-HMAC would be a reasonable choice of algorithm for message
authentication.  Sun's JCA appears to support SHA1-HMAC.

http://java.sun.com/javase/6/docs/technotes/guides/security/crypto/CryptoSpec.html#Mac
http://java.sun.com/javase/6/docs/technotes/guides/security/StandardNames.html#Mac

You'll want to use key separation to derive two separate keys.  So
if the key K is the master key, you could use

    Kenc  = SHA1-HMAC(K, "encrypt")
    Kauth = SHA1-HMAC(K, "authenticate")

or you could use

    Kenc  = AES-ECB(K, all-zeros)
    Kauth = AES-ECB(K, all-ones)

(Either is fine.)  Then use Kenc as the crypto key for AES-CBC encryption
and Kauth as the crypto key for SHA1-HMAC authentication.

If you are encrypting messages that will be sent over a two-way channel,
you'll probably want to either use a different crypto key for each
direction or include a direction bit in the inputs to the key separation
step.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
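The recipe above, written out as an added example in Go with only the standard library (this is not code from the post, from OWASP, or from Sun's JCA): HMAC-SHA1 key separation, AES-128-CBC encrypt-then-MAC over IV||ciphertext, and a receiver that rejects a wrong master key or any tampering before it decrypts. The names Seal, Open and deriveKeys are my own; the per-direction key or direction bit mentioned at the end of the post is left out.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"errors"
)

func hmacSHA1(key, msg []byte) []byte {
	m := hmac.New(sha1.New, key); m.Write(msg); return m.Sum(nil)
}

// Key separation as in the post: Kenc = HMAC-SHA1(K,"encrypt")[:16] (AES-128), Kauth = HMAC-SHA1(K,"authenticate").
func deriveKeys(master []byte) (kenc, kauth []byte) {
	return hmacSHA1(master, []byte("encrypt"))[:16], hmacSHA1(master, []byte("authenticate"))
}

// Seal: AES-CBC under Kenc, then HMAC-SHA1 over IV||ciphertext under Kauth; output is IV || ciphertext || tag.
func Seal(master, plaintext []byte) ([]byte, error) {
	kenc, kauth := deriveKeys(master)
	block, _ := aes.NewCipher(kenc) // 16-byte key: cannot fail
	n := aes.BlockSize - len(plaintext)%aes.BlockSize // PKCS#7 padding, 1..16 bytes
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(n)}, n)...)
	out := make([]byte, aes.BlockSize+len(padded))
	if _, err := rand.Read(out[:aes.BlockSize]); err != nil { return nil, err } // fresh random IV
	cipher.NewCBCEncrypter(block, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], padded)
	return append(out, hmacSHA1(kauth, out)...), nil
}

// Open checks the tag in constant time before decrypting anything, so a wrong
// master key or a modified ciphertext is rejected here, never as a padding error.
func Open(master, msg []byte) ([]byte, error) {
	kenc, kauth := deriveKeys(master)
	if len(msg) < 2*aes.BlockSize+sha1.Size || (len(msg)-sha1.Size)%aes.BlockSize != 0 {
		return nil, errors.New("malformed message")
	}
	body, tag := msg[:len(msg)-sha1.Size], msg[len(msg)-sha1.Size:]
	if !hmac.Equal(tag, hmacSHA1(kauth, body)) {
		return nil, errors.New("authentication failed: wrong key or tampered data")
	}
	block, _ := aes.NewCipher(kenc)
	pt := make([]byte, len(body)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, body[:aes.BlockSize]).CryptBlocks(pt, body[aes.BlockSize:])
	return pt[:len(pt)-int(pt[len(pt)-1])], nil // padding byte is trusted: the MAC passed
}
```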
