Score:2

When using AES-256 in combination with HMAC-SHA, should we use SHA-256 or SHA-512?


When using AES-256 (cipher mode CBC and padding mode PKCS7) in combination with HMAC-SHA for authenticated encryption (assuming alternatives like TLS and AES-GCM cannot be used), should we use SHA-256 or SHA-512? This answer seems to indicate SHA512. Is this interpretation correct? I've seen an implementation using SHA256 and cannot figure out why.

Edit: Since it does not seem to be entirely clear: I'm talking about an algorithm using HMAC-SHA for authentication and AES-256 for encryption ("Encrypt-then-MAC") in order to provide authenticated encryption.

Amit avatar
Consider also that there's a recommendation (that I don't know the justification for) that: "the minimal recommended length for K is L bytes (as the hash output length)." (source: https://www.rfc-editor.org/rfc/rfc2104). So assuming this guideline is followed, using SHA256 allows you to use the smallest key size among the SHA-2 family of functions.
samuel-lucas6 avatar
@Amit That realistically doesn't matter in the case of HMAC-SHA-512. A 256-bit key is absolutely fine and still provides 256-bit security.
Score:4

That pairing considers security against the most vulnerable aspect, the collision resistance of hash functions.

However, when used in SSL/TLS, the hash function is most likely used for key derivation or as a MAC, in which case pre-image resistance is what should be considered. Therefore, SHA-256 is fine here.

samuel-lucas6 avatar
Collision resistance does matter if you want your scheme to be key or fully committing (committing to the key, nonce, associated data, and message), which prevents attacks in malicious sender type scenarios. For example, HMAC-SHA-1 and HMAC-SHA-256 truncated down to 128 bits are inappropriate for this.
fgrieu avatar
On 64-bit platforms, SHA-512 is often preferable to SHA-256 for better efficiency.
DannyNiu avatar
@fgrieu I think that depends. GPR-only implementations of SHA-512 are definitely better than those of SHA-256, but that advantage may not be as significant when using vector instructions. And for the specific case of x86, SHA-256 is available natively in low-end Intel and newer AMD chips, whereas SHA-512 is simply absent in x86.
SeekingAnswers avatar
Does that mean the answer linked in the question is wrong in making that pairing based on collision resistance when only weak collision resistance (https://security.stackexchange.com/a/187868) is required for HMAC? [By the way, I upvoted your answer because it has already helped me. But I need to do some further research before I can accept it]
SeekingAnswers avatar
Also I edited the question to clarify what the hash function is used for.
samuel-lucas6 avatar
@SeekingAnswers If you want to claim 256-bit committing security, you'd need to use the full output of HMAC-SHA-512. Of course, nobody needs 256-bit committing security; 128-bit security is fine. Some papers also discuss a 160-bit tag to reduce storage overhead, but you may as well use 256 bits. Lower than 160-bit is not sensible. If you're doing Encrypt-then-MAC, there's no reason you shouldn't be aiming for the scheme to be committing. It's an advantage generic composition has over the current standardised AEADs.
SeekingAnswers avatar
@samuel-lucas6 Thank you, I will consider that. You could make that an answer.