Confused how to use AES and HMAC

14
votes

I'm a little bit confused how to use AES and HMAC (based on SHA-256) in a proper way when transmitting the encrypted message from server to client or vice versa

Correct me please if the following method is wrong:

  1. Take the secure key from the key file (for example we suggest to use the AES-256 and we already have a valid 256 bit length key)
  2. Generate random IV for AES-256 to be sure that the same plain text will have different encryption output.
  3. Calculate HMAC-SHA-256 using the plain text and secure key. (The first question: should I use IV for HMAC calculation? For example append to secure key?)
  4. Encrypt the plain text using AES-256.
  5. Compose message for client as following: HMAC + IV+ ENCRYPTED_MESSAGE

The biggest question is: is it possible somehow not to send IV to client but instead generate it the same way and still be crypto safe? Or is it ok to send the IV too?

I've end up with random IV generation, because it is needed that the same plain text will end up in different encryption results.

1
cryptographyaeshmac

1 Answers

14
votes

Don't send hmac(message),aes(message). If you send the same message twice, anyone can tell. Moreover, you need to mac the cipher-text to prevent attacks such as the padding oracle attack.

IV: In general, the easy way to deal with the iv is to prepend it, since it's fixed length, to the cipher text.You can then just read off those bytes before decrypting. IV's can be public, but they must be random.

HMAC: Easiest way, if your library supports it, is to use AES in GCM mode (or, less preferably EAX). This is not actually an HMAC, but it provides authenticated encryption which is just as good.If these are not supported :

You do need to compute the hmac over both the iv and the cipher text. if || is concatenation ( which you could do with say array copy if dealing with byte arrays) then you want 

CipherText = iv|| aes(key1,iv,message)  
tag = hmac(key2,ciphertext)

And then send (tag,CipherText). On the other end, you run the same hmac call to regenerate the tag and the compare the received tag with the computed one. Compare the sha1 or sha256 hashes of the tags instead of directly so you don't leak where the comparison fails.

You should use a different key for the hmac. In practice tacking the sha1 sum of your encryption key is good enough.