
Given the need to transmit relatively short messages (a few dozen bytes max), how insecure would the following bundling of a hash in the initialization vector be?

  • (A) = 64 bits of cryptographic random
  • (B) = cryptographic hash of A concatenated with original Message

Then concatenate (A) with 64 bits of (B), and use that as IV for an AES CTR mode encryption.

This weakens the IV randomness in order to bundle the hash in it, and attempts to hide the information that an unencrypted hash in the IV could leak.

The key used for AES is itself changed every time; it is an HMAC of (secret + message counter).

Eric Grange

1 Answer


This is a terminally bad idea: much of the confidentiality of the message $M$ is lost, because $A$ and 64 bits of $B=H(A\|M)$ are available in clear. So if $M$ is enumerable (a password, a name, a Social Security Number) among say $2^{48}$, it can be found by a cheap offline attack with little odds of false positive ($2^{-16}$), totally irrespective of the AES cryptography.

fgrieu
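The offline attack the answer describes, as an added example that is not code from the question or the answer. It builds the IV exactly as the question lays it out (A, then 64 bits of H(A || M)) and then recovers M from the IV alone. Assumptions: H is SHA-256 (the question does not name the hash), the enumerable message space is a 4-digit PIN (a constructed toy stand-in for the 2^48 space in the answer), and the AES-CTR encryption of the body is omitted because the attacker never reads it; the per-message HMAC key is derived only to show that it plays no part in the attack.

```python
# Added example (not from the question or answer): fgrieu's offline attack run
# against the IV bundling Eric Grange proposed.
# Assumptions: H = SHA-256; message space = 4-digit PIN (constructed toy space);
# AES-CTR step omitted because the attacker only reads the IV.
import hashlib
import hmac
import secrets
from typing import List, Optional

A_BYTES = 8    # (A): 64 bits of cryptographic random
TAG_BYTES = 8  # 64 bits of (B) = H(A || M) appended to A to form the IV


def build_iv(message: bytes, a: Optional[bytes] = None) -> bytes:
    """IV = A || first 64 bits of SHA-256(A || M), the bundling from the question.
    `a` may be fixed for reproducible tests; in use it is fresh random per message."""
    if a is None:
        a = secrets.token_bytes(A_BYTES)
    if len(a) != A_BYTES:
        raise ValueError("A must be 64 bits")
    b = hashlib.sha256(a + message).digest()  # (B)
    return a + b[:TAG_BYTES]


def derive_message_key(secret: bytes, counter: int) -> bytes:
    """Per-message AES-128 key = HMAC(secret, message counter), as the question states.
    Included only to show that the attack below never needs it."""
    return hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest()[:16]


def recover_message(iv: bytes, candidates: List[bytes]) -> List[bytes]:
    """Attacker's side: A and the 64-bit hash tag are both in the clear in the IV,
    so each candidate M costs one hash to check and needs no key material."""
    a, tag = iv[:A_BYTES], iv[A_BYTES:A_BYTES + TAG_BYTES]
    return [m for m in candidates if hashlib.sha256(a + m).digest()[:TAG_BYTES] == tag]


def pin_candidates() -> List[bytes]:
    """Constructed enumerable message space: every 4-digit PIN."""
    return [f"{n:04d}".encode() for n in range(10_000)]


def false_positive_odds(log2_candidates: int, tag_bits: int = 8 * TAG_BYTES) -> float:
    """Union bound from the answer: with 2^k candidates and a t-bit tag, the chance that
    some wrong candidate also matches is at most 2^(k - t); k=48, t=64 gives 2^-16."""
    return 2.0 ** (log2_candidates - tag_bits)


if __name__ == "__main__":
    secret, counter = secrets.token_bytes(32), 7
    key = derive_message_key(secret, counter)  # derived by the sender, never seen or needed by the attacker
    iv = build_iv(b"4321")                     # sent in the clear ahead of the AES-CTR body
    print("recovered from IV alone:", recover_message(iv, pin_candidates()))
    print("false-positive bound for 2^48 candidates:", false_positive_odds(48))
```

The check is only a hash per candidate, so the 2^48 space from the answer is a few minutes to hours on commodity hardware, and the AES key schedule (however often it is rotated) never enters the computation.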