Score:1

AES CBC key reuse and derived keys

Suppose we are encrypting multiple files with AES in CBC mode and using 256 bit keys. Assume the IVs for the files are randomly generated with a secure method. Assume some key $K$ is generated with Argon2 from a secure passphrase with secure parameters.

Assume for each file we store the IV and 32 bytes of random data $R$. Let $K'=K\oplus{}R$.

Are there any benefits or drawbacks associated with using $K'$ instead of $K$ for encryption? Any protection against theoretical or practical key-reuse attacks or anything similar?

kelalaka: Last paragraph is not clear.
kelalaka: There is one main reason for PBKDFs (Argon2 is one of them): to make password guessing harder. AFAIK, you remove this main advantage.
kelalaka: Maybe you should [edit] your question to write it step by step? What is stored, what is generated, etc.? Why do you need to remove Argon2 instead of generating such methods?
user: @kelalaka I think that may be more accurate to what I'm thinking.
kelalaka: No problem that I can see, though you can derive each key from Argon2 with the salt parameter. You can also generate a random key for each file and encrypt it with the key derived from the password via Argon2 as [described here](https://crypto.stackexchange.com/q/75021/18298).
user: @kelalaka I considered removing the Argon2 key derivation part because I didn't want that to come up as a potential answer due to the computational overhead when regenerating the key. If there was some benefit to using $K'$ then I could use that instead of running Argon2 again for each file.
Score:2

There are no theoretical or practical advantages when it comes to security, as the XOR with $R$ is easily reversed. Since the key is fully randomized and only dependent on the password, the security isn't degraded either. The XOR with a known value doesn't give any information to the attacker as both input and output are unknown - presuming your cipher / key usage is secure.

There is a practical advantage. It is possible to reuse an existing data encryption key while replacing the password. First you calculate a $K_{org}$ using a password hash and $P_{org}$, for which you require the initial password; $K_{org}$ or a derived key is used to encrypt the data. Then you calculate $K_{new}$ using $P_{new}$. What you store with the ciphertext is $D=K_{new} \oplus K_{org}$. Now you've replaced your password by calculating $K_{org}=K_{new} \oplus D$.

When you start you can also generate a random $K_{data}$ or $K_{master}$ which you can get to by always creating a $D$ for XOR key derivation. Basically you first create a randomized key, which you then force to another unpublished, randomized key using the XOR.

In other words, the advantage is in key management which helps with system level security rather than algorithm security.
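The password-rotation scheme from the answer, written out as an added example (this is not code from the thread). It assumes `hashlib.scrypt` in place of Argon2 purely because it ships with Python's standard library, and the function names `derive_key`, `wrap_data_key`, `unwrap_data_key` and `rotate_password` are my own.

```python
import hashlib
import os
import secrets

# Password-to-key step. The thread assumes Argon2; scrypt is used here only
# because it is in the standard library (an assumption of this example).
def derive_key(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)

def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b), "XOR operands must have equal length"
    return bytes(x ^ y for x, y in zip(a, b))

def wrap_data_key(password: str, salt: bytes, k_data: bytes) -> bytes:
    """Return D = K_pw XOR K_data, the value stored beside the ciphertext.
    D alone reveals nothing about K_data because K_pw is unknown to an
    attacker: the answer's point that XOR with an unknown value leaks nothing."""
    return xor(derive_key(password, salt), k_data)

def unwrap_data_key(password: str, salt: bytes, d: bytes) -> bytes:
    """K_data = K_pw XOR D, i.e. the K_org = K_new XOR D step from the answer."""
    return xor(derive_key(password, salt), d)

def rotate_password(old_password: str, old_salt: bytes, d: bytes, new_password: str):
    """Replace the password without touching the ciphertext: recover K_data with
    the old password, then re-wrap it under a freshly salted new password key."""
    k_data = unwrap_data_key(old_password, old_salt, d)
    new_salt = os.urandom(16)
    return new_salt, wrap_data_key(new_password, new_salt, k_data)

def demo() -> dict:
    # Constructed sample values (not taken from the thread).
    k_data = secrets.token_bytes(32)  # random data-encryption key, generated once
    salt = os.urandom(16)
    d = wrap_data_key("correct horse", salt, k_data)
    # Rotation: different password, new salt, new D, but the same K_data.
    new_salt, new_d = rotate_password("correct horse", salt, d, "battery staple")
    return {
        "same_key_after_rotation": unwrap_data_key("battery staple", new_salt, new_d) == k_data,
        "old_password_rejected": unwrap_data_key("correct horse", salt, new_d) != k_data,
        "wrapper_changed": d != new_d,
    }

if __name__ == "__main__":
    print(demo())
```

The ciphertext encrypted under `k_data` never has to be rewritten; only the 32-byte `D` and the salt are replaced on rotation.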
