Suppose we are encrypting multiple files with AES in CBC mode and using 256 bit keys. Assume the IVs for the files are randomly generated with a secure method. Assume some key $K$ is generated with Argon2 from a secure passphrase with secure parameters.

Assume for each file we store the IV and 32 bytes of random data $R$. Let $K'=K\oplus{}R$.

Are there any benefits or drawbacks associated with using $K'$ instead of $K$ for encryption? Any protection against theoretical or practical key-reuse attacks or anything similar?

user

1 Answer

There are no theoretical or practical advantages when it comes to security, as the XOR with $R$ is easily reversed. Since the key is fully randomized and only dependent on the password, the security isn't degraded either. The XOR with a known value doesn't give any information to the attacker as both input and output are unknown - presuming your cipher / key usage is secure.

There is a practical advantage. It is possible to reuse an existing data encryption key while replacing the password. First you calculate a $K_{org}$ using a password hash and $P_{org}$, for which you require the initial password; $K_{org}$ or a derived key is used to encrypt the data. Then you calculate $K_{new}$ using $P_{new}$. What you store with the ciphertext is $D=K_{new} \oplus K_{org}$. Now you've replaced your password, by calculating $K_{org}=K_{new} \oplus D$.

When you start you can also generate a random $K_{data}$ or $K_{master}$ which you can get to by always creating a $D$ for XOR key derivation. Basically you first create a randomized key, which you then force to another unpublished, randomized key using the XOR.

In other words, the advantage is in key management which helps with system level security rather than algorithm security.

Maarten Bodewes
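The key-management scheme described in the answer (a random data key $K_{data}$ kept fixed, stored only as $D = K_{data} \oplus K_{pass}$ next to the ciphertext, so that a passphrase change rewrites $D$ but never the encrypted data), as an added worked example that is not part of the question or the answer. It assumes PBKDF2-HMAC-SHA256 as a stand-in for Argon2 (so it runs with the standard library only), a hypothetical `Header` record layout, and an HMAC-based key check value added so that a wrong passphrase is detected instead of silently yielding a garbage key; none of these details come from the original post.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

KEY_LEN = 32            # AES-256 key length in bytes
SALT_LEN = 16
KDF_ITERATIONS = 200_000  # PBKDF2 stand-in for Argon2; tune for real use


@dataclass(frozen=True)
class Header:
    """Hypothetical per-vault header stored alongside the ciphertext."""
    salt: bytes   # KDF salt for the *current* passphrase
    d: bytes      # D = K_data XOR K_pass; public, reveals nothing without K_pass
    check: bytes  # key check value, so a wrong passphrase is rejected (assumption)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR; raises on length mismatch rather than silently truncating."""
    if len(a) != len(b):
        raise ValueError("XOR operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def derive_passphrase_key(passphrase: str, salt: bytes) -> bytes:
    """K_pass from the passphrase. PBKDF2 stands in for Argon2 here (assumption)."""
    return hashlib.pbkdf2_hmac(
        "sha256", passphrase.encode("utf-8"), salt, KDF_ITERATIONS, dklen=KEY_LEN
    )


def key_check_value(k_data: bytes) -> bytes:
    """Truncated HMAC over a fixed label; lets unwrap detect a wrong passphrase."""
    return hmac.new(k_data, b"key-check", "sha256").digest()[:16]


def wrap_data_key(k_data: bytes, passphrase: str) -> Header:
    """Store K_data as D = K_data XOR K_pass under a fresh salt."""
    salt = secrets.token_bytes(SALT_LEN)
    k_pass = derive_passphrase_key(passphrase, salt)
    return Header(salt=salt, d=xor_bytes(k_data, k_pass), check=key_check_value(k_data))


def create_vault(passphrase: str) -> tuple[Header, bytes]:
    """Generate a random K_data (the key actually used for AES) and wrap it."""
    k_data = secrets.token_bytes(KEY_LEN)
    return wrap_data_key(k_data, passphrase), k_data


def unwrap_data_key(header: Header, passphrase: str) -> bytes:
    """Recover K_data = D XOR K_pass; reject if the key check value does not match."""
    k_pass = derive_passphrase_key(passphrase, header.salt)
    k_data = xor_bytes(header.d, k_pass)
    if not hmac.compare_digest(key_check_value(k_data), header.check):
        raise ValueError("wrong passphrase (key check value mismatch)")
    return k_data


def change_passphrase(header: Header, old_passphrase: str, new_passphrase: str) -> Header:
    """Re-wrap the same K_data under a new passphrase; ciphertexts stay untouched."""
    k_data = unwrap_data_key(header, old_passphrase)
    return wrap_data_key(k_data, new_passphrase)


if __name__ == "__main__":
    header, k_data = create_vault("correct horse")
    header = change_passphrase(header, "correct horse", "battery staple")
    assert unwrap_data_key(header, "battery staple") == k_data
    print("data key survived the passphrase change:", k_data.hex())
```

Note the contrast with the question's construction: there $R$ is a fresh random value stored in the clear and $K$ is already known to whoever can open the file, so $K' = K \oplus R$ is computable by that same party and adds nothing. Here $D$ is chosen as $K_{data} \oplus K_{pass}$ so that the XOR lands on a pre-existing key; an attacker who reads $D$ still faces the full entropy of $K_{pass}$ (and hence the passphrase), and a compromised old passphrase is only fully retired if $K_{data}$ is rotated and the data re-encrypted, since the old $D$ still wraps the same key.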