I need to send authenticated ciphered messages by using a single password. Reusing the same (derived) key for the block cipher and the HMAC is not a good practice, I know.
My initial idea is to derive two different keys from the password in order to apply an encrypt-then-MAC scheme:
Key1 = PBKDF2(passwd, SALT1, ITERATIONS1)
Key2 = PBKDF2(passwd, SALT2, ITERATIONS2)
Let M be the plaintext, the message sent is:
AES-CTR_Key1(M) || HMAC-SHA256_Key2(AES-CTR_Key1(M))
SALT1, SALT2, ITERATIONS1, ITERATIONS2, and the IV (counter) are also attached.
Do you find any vulnerability in this scheme?
It looks good to me, but I’d like to know your opinion.
I know that AES in CCM mode (counter with CBC-MAC) is an alternative.
You are right, the IV and the rest of the parameters must be included in the HMAC input; I missed this detail in my incomplete description.
Efficiency (second point) is not a problem in this case, because these messages will be very infrequent. I prefer to use a very expensive function in order to avoid brute force and dictionary attacks.
– Winston Wolfe Oct 24 '14 at 19:51