Question

We have

+ a HMAC key (128 bit/16 bytes)
+ an AES key (128 bit/16 bytes)
+ an AES IV (128 bit/16 bytes)
+ a random salt (128 bit/16 bytes)

Each packet is signed with a HMAC (SHA256)

After each packet is sent, all those keys are packed together into a 64 byte array (HMAC + AES Key + AES IV + salt). Take the SHA512-hash of that nonce. Take the result and:

+ xor the first 16 bytes with the HMAC
+ xor the second 16 bytes with the AES key
+ xor the third 16 bytes with the AES IV
+ xor the fourth 16 bytes with the salt

The keys are generated using the Windows Random Number Generator and shared via RSA with OAEP padding (PKCS #1 v2.1).

Explanation / Answer

No, this protocol does not provide perfect forward secrecy. Record the initial key transport message (shared via RSA-OAEP). If the attacker later gets access to the corresponding RSA private key, and decrypts the original key transport message, the entire symmetric key evolution sequence for that session will trivially unfold.
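The key evolution described in the question, as an added example that is not part of the original question or answer: it shows that every later state is a pure function of the 64 bytes carried in the key transport message. It assumes the XOR result replaces the four values for the next packet, which the question implies but does not state; all function names are illustrative.

```python
import hashlib
import hmac
import os

KEY_LEN = 16  # HMAC key, AES key, AES IV and salt are 128 bits each


def evolve(state: bytes) -> bytes:
    """One rekey step: SHA-512 of the packed 64 bytes, XORed into those bytes."""
    if len(state) != 4 * KEY_LEN:
        raise ValueError("state must be HMAC key + AES key + AES IV + salt (64 bytes)")
    digest = hashlib.sha512(state).digest()
    # Assumption: the XOR result becomes the key material for the next packet.
    return bytes(d ^ s for d, s in zip(digest, state))


def unpack(state: bytes) -> dict:
    names = ("hmac_key", "aes_key", "aes_iv", "salt")
    return {n: state[i * KEY_LEN:(i + 1) * KEY_LEN] for i, n in enumerate(names)}


def state_after(initial: bytes, packets: int) -> bytes:
    """Recompute the state in force after `packets` packets from the initial state alone."""
    state = initial
    for _ in range(packets):
        state = evolve(state)
    return state


def packet_tag(state: bytes, payload: bytes) -> bytes:
    """HMAC-SHA256 tag a packet would carry under the given state."""
    return hmac.new(unpack(state)["hmac_key"], payload, hashlib.sha256).digest()


def later_reader_matches_session(packets: int = 1000) -> bool:
    # Constructed sample: the 64 bytes carried in the RSA-OAEP key transport message.
    transported = os.urandom(4 * KEY_LEN)
    # Live session: both endpoints rekey after every packet.
    live = transported
    for _ in range(packets):
        live = evolve(live)
    # Anyone who later decrypts the recorded transport message starts from the
    # same 64 bytes; no fresh secret enters the chain, so the states match.
    replayed = state_after(transported, packets)
    return live == replayed and packet_tag(live, b"x") == packet_tag(replayed, b"x")


if __name__ == "__main__":
    print("keys reproducible from the transport message:", later_reader_matches_session())
```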