Kevin W. Wall wrote:
> So given these limited choices, what are the best options to the
> questions I posed in my original post yesterday?

Given these choices, I'd suggest that you first encrypt with AES-CBC mode.
Then apply a message authentication code (MAC) to the whole ciphertext
(including the IV).  You then send the ciphertext followed the MAC digest.

SHA1-HMAC would be a reasonable choice of algorithm for message
authentication.  Sun's JCA appears to support SHA1-HMAC.

http://java.sun.com/javase/6/docs/technotes/guides/security/crypto/CryptoSpec.html#Mac
http://java.sun.com/javase/6/docs/technotes/guides/security/StandardNames.html#Mac

You'll want to use key separation to derive two separate keys.  So
if the key K is the master key, you could use

    Kenc  = SHA1-HMAC(K, "encrypt")
    Kauth = SHA1-HMAC(K, "authenticate")

or you could use

    Kenc  = AES-ECB(K, all-zeros)
    Kauth = AES-ECB(K, all-ones)

(Either is fine.)  Then use Kenc as the crypto key for AES-CBC encryption
and Kauth as the crypto key for SHA1-HMAC authentication.

If you are encrypting messages that will be sent over a two-way channel,
you'll probably want to either use a different crypto key for each
direction or include a direction bit in the inputs to the key separation
step.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com

Reply via email to