It's a well-known best practice to not use one key to both encrypt and MAC data. In my application, there are instances where I MAC a piece of data without having encrypted it first. Do I still need a different key than the one used for encryption? Is it OK to use the same key to MAC one piece of data if I'm going to re-use that key to encrypt some other data under the same key?
2 Answers
It depends on how you encrypt and MAC.
If you can still choose then you should use an authenticated encryption with associated data mode (AEAD) like Galois/Counter Mode. If all data you want authenticated in a message has to be transmitted in the clear then just leave the encrypted part empty. These modes have the advantage that they were designed to use just one key and have solid security proofs.
For any other combinations it depends on what algorithms and modes you use for encryption and MAC. Mostly this analysis is not worth the trouble, as deriving two keys from one master key is pretty simple (HMAC(masterKey,"Key one") and HMAC(masterKey,"Key two") for example, or AES(masterKey,0x0…01) and AES(masterKey,0x0…02)). Also any custom crypto (and using the same key twice this way is non-standard) has the disadvantage that code and security reviews get way more complicated and any error is on you.
If you use two algorithms with completely different roots (for example SHA256-HMAC and AES counter mode) you are probably on the safe side, but that is just my feeling with no rigid argumentation behind it.
Generally speaking: no, it is not OK. If you're going to encrypt any data at all with this key, you shouldn't reuse it to MAC other data. Using the same key for two purposes is bad practice and has often led to security problems in practice.
Encrypting data without MACing it is also bad practice.
Instead, I recommend you use an "authenticated encryption with associated data" (AEAD) scheme. AEAD schemes have two inputs: the message, and the associated data. The confidentiality of the message is protected (by encrypting), while the confidentiality of the associated data is not protected. The integrity of both pieces is protected. If you like, you can think of this as encrypting the message, then MACing the message and associated data -- except done in a very careful way to ensure you are secure. My recommendation is to use an AEAD scheme. When you have some data you need to be kept confidential, input it as the message and encrypt it using the AEAD scheme (without any associated data). When you have some data that doesn't need to be confidential but does need to be integrity-protected, input it as the associated data, with the message part left empty, and encrypt using the AEAD scheme -- this will be the rough equivalent of MACing the data without encrypting anything. If you use the AEAD scheme in this way, you can use the same key for both kinds of data, as long as the nonce never repeats.
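Both answers in working form, as an added example that is not code from either answer: the first answer's HMAC-based key split (one master key, one label per purpose) and the second answer's trick of sealing an empty message with associated data so that AES-GCM acts as a MAC, while the same key still encrypts real payloads. Only the Go standard library is used; the function names and the master key are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// deriveSubkey: one purpose-specific 256-bit key = HMAC-SHA256(masterKey, label).
func deriveSubkey(master []byte, label string) []byte {
	h := hmac.New(sha256.New, master)
	h.Write([]byte(label))
	return h.Sum(nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// sealAEAD protects msg (confidentiality and integrity) and aad (integrity only)
// under one key; output is nonce || ciphertext || tag. Empty msg plus aad gives
// just nonce || tag, i.e. a MAC over aad with nothing encrypted.
func sealAEAD(key, msg, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per call, never reused
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, msg, aad), nil
}

// openAEAD checks the tag over ciphertext and aad, then returns the plaintext
// (empty for a MAC-only record). Any change to aad or the record fails here.
func openAEAD(key, record, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	n := gcm.NonceSize()
	if len(record) < n+gcm.Overhead() { return nil, errors.New("record too short") }
	return gcm.Open(nil, record[:n], record[n:], aad)
}
```

A MAC-only record is 12 bytes of nonce plus the 16-byte tag; openAEAD rejects it if the associated data was altered, exactly the check a standalone MAC would give.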