Score:2

Is key rotation necessary when using HMAC as a pseudo random function?


I need to generate a deterministic identifier from some user data. One of the user data items is highly sensitive, but the other two are not. The identifier will be sent to an external party regularly, so it must not change in the future - i.e. the same input should always produce the same output in the future.

A pseudo random function (PRF) seems like an ideal solution to this problem. We use the Google Tink library for crypto operations. It provides a PRF primitive with several implementation algorithms, one of which is HMAC-SHA-512. This implementation uses a 512 bit key which is stored encrypted under a key encryption key.

Conventional wisdom seems to be that if you have any kind of cryptographic key, it must be rotated periodically. However, rotating the key for a PRF seems to defeat its purpose. The PRF is supposed to be deterministic, but rotating the key breaks determinism.

Is it necessary to rotate the HMAC-SHA-512 key periodically in this scenario, or can we use the original key indefinitely?
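An added illustration of the setup described in the question (not code from the question, the answer, or the Tink project): a deterministic identifier derived with HMAC-SHA-512 as a PRF over three user-data fields, using Python's standard `hmac` module in place of Tink's PRF primitive. The length-prefixed field encoding, the function names, and the fixed sample key are all assumptions made for this example. The last function shows the determinism problem the question raises: the same inputs under a rotated key yield a different identifier.

```python
import hmac
import hashlib
import os


def encode_fields(fields):
    """Canonical, unambiguous encoding of the input fields (assumed here):
    4-byte big-endian length followed by the UTF-8 bytes of each field.
    This stops ("ab", "c") and ("a", "bc") from producing the same PRF input."""
    out = bytearray()
    for field in fields:
        data = field.encode("utf-8")
        out += len(data).to_bytes(4, "big")
        out += data
    return bytes(out)


def generate_key() -> bytes:
    """Fresh 512-bit HMAC-SHA-512 key from the OS CSPRNG (the size the question uses)."""
    return os.urandom(64)


def derive_identifier(key: bytes, fields) -> str:
    """Deterministic identifier: HMAC-SHA-512 over the canonical encoding, hex-encoded.
    Same key + same fields always gives the same 128-hex-character output."""
    if len(key) < 32:
        # Below 256 bits of entropy the PRF assumption in the answer no longer holds.
        raise ValueError("HMAC key must carry at least 256 bits of entropy")
    return hmac.new(key, encode_fields(fields), hashlib.sha512).hexdigest()


def identifier_matches(key: bytes, fields, presented: str) -> bool:
    """Recompute and compare in constant time, e.g. when the external party
    sends an identifier back and it must be matched against user data."""
    return hmac.compare_digest(derive_identifier(key, fields), presented)


def survives_rotation(old_key: bytes, new_key: bytes, fields) -> bool:
    """True only if rotating the key leaves the identifier unchanged.
    For a PRF this is False whenever the keys differ, which is exactly the
    determinism problem the question describes."""
    return derive_identifier(old_key, fields) == derive_identifier(new_key, fields)


# Constructed sample key for a reproducible demonstration only; a real deployment
# would use generate_key() and keep the key encrypted as the question describes.
SAMPLE_KEY = hashlib.sha512(b"constructed-sample-key-not-for-production").digest()
# Constructed sample user data: one sensitive field and two non-sensitive ones.
SAMPLE_FIELDS = ("123-45-6789", "example-tenant", "2020-01-01")


if __name__ == "__main__":
    ident = derive_identifier(SAMPLE_KEY, SAMPLE_FIELDS)
    print("identifier:", ident)
    print("same key, same input, recomputed:", ident == derive_identifier(SAMPLE_KEY, SAMPLE_FIELDS))
    print("identifier survives key rotation:", survives_rotation(SAMPLE_KEY, generate_key(), SAMPLE_FIELDS))
```

Running the script shows the first comparison as `True` and the rotation check as `False`: the identifier is stable only for as long as the key is.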

Score:1

Choosing (and/or observing) input and observing output of a black box implementing HMAC-SHA-512 for a fixed suitably large and random key won't allow one to find the key, or otherwise predict output for other input. That's by definition of an unbroken Message Authentication Code. HMAC-SHA-512 is a fine one as far as we know, including with respect to hypothetical Cryptographically Relevant Quantum Computers for suitable key size (e.g. at least 256 bits of entropy). Thus under that attack model, no, it's not necessary to rotate a suitably large and random HMAC-SHA-512 key.

However, the key can still leak otherwise. Perhaps the person that injected the key in the black boxes used compromised equipment, or kept a copy in an unsafe location, or was subject to rubber-hose cryptanalysis or some variant. Or perhaps the key is extracted from the box with adequate equipment: for example if the black box is implemented with a standard micro-controller, perhaps a JTAG probe can be connected and dump its contents; or perhaps some clever microscopy can be used to find the state of memory cells; or the power consumption/electromagnetic emission of the box functioning leaks the key; or carefully crafted fault injection allows that. Thus under other attack models, yes, it's good to rotate a key.
