A simple symmetric encryption scheme uses the same key, derived from a password, for both directions of the communication. Is this bad practice, and if so what should be done about it? Is it 'good enough' for many things?
3 Answers
It can be safe, but using the same key in both directions adds several things you need to be careful about:
One thing you need to make sure is not a problem is if an attacker takes a message from Alice to Bob, and sends it back to Alice as if it were from Bob. Since Bob to Alice communications use the same key, Alice might decrypt the message, and act as if it came from Bob. There are several possible defenses against this; the easiest (if you include a Message Authentication Code, which you really ought) is to include a direction flag within the authentication data; that way, a wrong way message would be rejected.
If you use a nonce-based encryption method (such as Counter Mode or GCM), you need to make sure that both sides don't use the same nonce. This can be as easy as telling Alice to use even nonces, and Bob to use odd ones. However, if you are going to use the same password (and hence the same keys) for multiple sessions, this would indicate that a nonce-based encryption method is probably the Wrong Answer; something like CBC mode + HMAC would make rather more sense.
However, even though it can be done safely, I would suggest you avoid the issue entirely. Instead, when you send your password to the KDF, ask the KDF for twice the key length (say, 256 bits instead of 128), and use the first 128 bits for Alice to Bob messages, and the second half for Bob to Alice messages.
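The two defences in the answer above (per-direction keys split from one larger KDF output, and a direction flag bound into the MAC so a reflected message is rejected), as an added example that is not part of the original answer. It assumes the function names shown, and uses HMAC-SHA256 in counter mode as a stand-in for AES-CTR so that it runs on the Python standard library alone:

```python
import hashlib
import hmac
import struct

# Direction flags bound into the MAC so a reflected message is rejected.
TO_BOB = b"A"     # Alice -> Bob
TO_ALICE = b"B"   # Bob -> Alice

def derive_direction_keys(password, salt):
    """Ask the KDF for twice the key material and split it: first half for
    Alice->Bob, second half for Bob->Alice (iteration count is illustrative)."""
    km = hashlib.pbkdf2_hmac("sha256", password, salt, 100_000, dklen=64)
    return km[:32], km[32:]

def nonce_for(direction, counter):
    """Even nonces for Alice, odd for Bob, so the two sides never collide."""
    return 2 * counter + (0 if direction == TO_BOB else 1)

def _subkeys(key):
    # Separate encryption and MAC keys, both derived from the direction key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _keystream(enc_key, nonce, n):
    # HMAC-SHA256 in counter mode: a stdlib-only stand-in for AES-CTR.
    blocks = (hmac.new(enc_key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key, direction, nonce, plaintext):
    """Encrypt-then-MAC; the tag covers direction || nonce || ciphertext."""
    enc_key, mac_key = _subkeys(key)
    nonce_b = struct.pack(">Q", nonce)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce_b, len(plaintext))))
    tag = hmac.new(mac_key, direction + nonce_b + ct, hashlib.sha256).digest()
    return direction + nonce_b + ct + tag

def unseal(key, expected_direction, blob):
    """Return the plaintext, or None if the tag fails or the message was reflected."""
    if len(blob) < 1 + 8 + 32:
        return None
    direction, nonce_b, ct, tag = blob[:1], blob[1:9], blob[9:-32], blob[-32:]
    enc_key, mac_key = _subkeys(key)
    expected = hmac.new(mac_key, direction + nonce_b + ct, hashlib.sha256).digest()
    if direction != expected_direction or not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce_b, len(ct))))
```

With a single shared key the direction check alone still rejects a message sent back to its author; with the split keys the reflected message additionally fails the MAC outright.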
The question is quite vague, but I'll answer the part of it that's specific.
It's not bad practice to use one symmetric key for both directions of the communication. It's the normal way to use symmetric crypto.
Having a separate symmetric key for each direction would not make it more secure, nor would it add authentication or non-repudiation. Even though the key is derived from a secret, that same secret would need to be known by the receiving end as well.
There's almost no value to be gained by using a separate key in each direction, and in fact, relying on such a scheme to provide any extra security may weaken the overall security.
As for it being "good enough" for "many things", that's just way too vague.
In general - no, as mentioned above. But if it's used together with message sequencing and hashing - yes. Any symmetric cipher suffers from the simple problem, regardless of direction, that the same key is on both sides.