
We have

  • an HMAC key (128 bit/16 bytes)
  • an AES key (128 bit/16 bytes)
  • an AES IV (128 bit/16 bytes)
  • a random salt (128 bit/16 bytes)

Each packet is signed with an HMAC (SHA-256).

After each packet is sent, all those keys are packed together into a 64 byte array (HMAC + AES Key + AES IV + salt). Take the SHA512-hash of that nonce. Take the result and:

  • xor the first 16 bytes with the HMAC
  • xor the second 16 bytes with the AES key
  • xor the third 16 bytes with the AES IV
  • xor the fourth 16 bytes with the salt

The keys are generated using the Windows Random Number Generator and shared via RSA with OAEP padding (PKCS #1 v2.1).

poncho
hl3mukkel

1 Answer

No, this protocol does not provide perfect forward secrecy. Record the initial key transport message (shared via RSA-OAEP). If the attacker later gets access to the corresponding RSA private key, and decrypts the original key transport message, the entire symmetric key evolution sequence for that session will trivially unfold.

Henrick Hellström
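As an added example (not code from the question or the answer above), here is the key evolution described in the question written out in Python, together with the observation the answer rests on: the whole evolution is a deterministic function of the initial 64-byte state, so anyone holding that state (for instance after decrypting the recorded RSA-OAEP key transport) can recompute the HMAC key, AES key, IV and salt in use at any later packet. It assumes the four 16-byte parts are packed in the order HMAC key, AES key, AES IV, salt, and uses a constructed initial state in place of the RSA-transported keys.

```python
import hashlib
import hmac

PART_LEN = 16            # every part in the question is 128 bits
STATE_LEN = 4 * PART_LEN  # HMAC key + AES key + AES IV + salt = 64 bytes

# Constructed initial state standing in for the keys that the real protocol
# would transport with RSA-OAEP. Real keys would come from the OS RNG.
INITIAL_STATE = bytes(range(STATE_LEN))


def ratchet(state: bytes) -> bytes:
    """One evolution step from the question: hash the packed 64-byte state
    with SHA-512 and XOR each 16-byte quarter of the digest into the
    matching part (HMAC key, AES key, AES IV, salt)."""
    if len(state) != STATE_LEN:
        raise ValueError("state must be exactly 64 bytes")
    digest = hashlib.sha512(state).digest()  # 64 bytes, same layout as state
    # XOR-ing the whole digest into the whole state is exactly the four
    # per-part XORs listed in the question, since both are laid out identically.
    return bytes(s ^ d for s, d in zip(state, digest))


def split_state(state: bytes):
    """Return (hmac_key, aes_key, aes_iv, salt) from a packed state."""
    return tuple(state[i:i + PART_LEN] for i in range(0, STATE_LEN, PART_LEN))


def states_after(initial: bytes, n: int) -> list:
    """States for packets 0..n: index i is the state used for packet i."""
    out = [initial]
    s = initial
    for _ in range(n):
        s = ratchet(s)  # evolve once after each packet is sent
        out.append(s)
    return out


def observer_recovers_state(initial: bytes, packet_index: int) -> bytes:
    """What a party who only learned the initial state can compute: the exact
    state the sender uses for packet `packet_index`. No per-packet secret is
    ever mixed in, so this always succeeds; that is the missing forward secrecy."""
    s = initial
    for _ in range(packet_index):
        s = ratchet(s)
    return s


def sign_packet(hmac_key: bytes, packet: bytes) -> bytes:
    """HMAC-SHA256 tag as used to sign each packet."""
    return hmac.new(hmac_key, packet, hashlib.sha256).digest()


def verify_packet(hmac_key: bytes, packet: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(sign_packet(hmac_key, packet), tag)


if __name__ == "__main__":
    sender_states = states_after(INITIAL_STATE, 10)
    key_at_10 = split_state(sender_states[10])[0]
    tag = sign_packet(key_at_10, b"packet 10 (constructed)")
    # The observer derives the same HMAC key from the initial state alone.
    recovered_key = split_state(observer_recovers_state(INITIAL_STATE, 10))[0]
    print("observer key matches sender key:", recovered_key == key_at_10)
    print("observer verifies packet 10 tag:", verify_packet(recovered_key, b"packet 10 (constructed)", tag))
```

Because every later state is SHA-512-derived from the previous one with no fresh secret input, compromise of the initial state reveals all subsequent states; the ratchet only hides earlier states from someone who captures a later one, which is the opposite direction from what perfect forward secrecy requires.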