Confused how to use AES and HMAC

cryptography aes hmac
Valentin picture Valentin · Apr 23, 2012 · Viewed 18.2k times · Source

I'm a little bit confused how to use AES and HMAC (based on SHA-256) in a proper way when transmitting the encrypted message from server to client or vice versa

Correct me please if the following method is wrong:

  1. Take the secure key from the key file (for example we suggest to use the AES-256 and we already have a valid 256 bit length key)
  2. Generate random IV for AES-256 to be sure that the same plain text will have different encryption output.
  3. Calculate HMAC-SHA-256 using the plain text and secure key. (The first question: should I use IV for HMAC calculation? For example append to secure key?)
  4. Encrypt the plain text using AES-256.
  5. Compose message for client as following: HMAC + IV+ ENCRYPTED_MESSAGE

The biggest question is: is it possible somehow not to send IV to client but instead generate it the same way and still be crypto safe? Or is it ok to send the IV too?

I've end up with random IV generation, because it is needed that the same plain text will end up in different encryption results.

Answer

imichaelmiers picture imichaelmiers · Apr 24, 2012

Don't send hmac(message),aes(message). If you send the same message twice, anyone can tell. Moreover, you need to mac the cipher-text to prevent attacks such as the padding oracle attack.

IV: In general, the easy way to deal with the iv is to prepend it, since it's fixed length, to the cipher text.You can then just read off those bytes before decrypting. IV's can be public, but they must be random.

HMAC: Easiest way, if your library supports it, is to use AES in GCM mode (or, less preferably EAX). This is not actually an HMAC, but it provides authenticated encryption which is just as good.If these are not supported :

You do need to compute the hmac over both the iv and the cipher text. if || is concatenation ( which you could do with say array copy if dealing with byte arrays) then you want 

CipherText = iv|| aes(key1,iv,message)  
tag = hmac(key2,ciphertext)

And then send (tag,CipherText). On the other end, you run the same hmac call to regenerate the tag and the compare the received tag with the computed one. Compare the sha1 or sha256 hashes of the tags instead of directly so you don't leak where the comparison fails.

You should use a different key for the hmac. In practice tacking the sha1 sum of your encryption key is good enough.

Related questions

AES256 CBC + HMAC SHA256 ensuring confidentiality *and* authentication?

I'm thinking of using AES256 CBC + HMAC SHA-256 as a building block for messages that ensures both confidentiality and authentication. In particular, consider this scenario: Alice is possession a public key belonging to Bob (the key exchange and algorithm is …

Read More
Java 256-bit AES Password-Based Encryption

I need to implement 256 bit AES encryption, but all the examples I have found online use a "KeyGenerator" to generate a 256 bit key, but I would like to use my own passkey. How can I create my own key? I …

Read More
Using AES encryption in C#

I can't seem to find a nice clean example of using AES 128 bit encryption. Does anyone have some sample code?

Read More