LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

Why must you use separate keys for encryption and MAC, and what attack is possible if you don't?

Using the same key for encryption and MAC can lead to attacks where the attacker exploits the relationship between the two operations to forge messages or recover plaintext.

The deeper rule is domain separation: a key proven safe for one job carries no guarantee when reused for another, because the two algorithms can interact in ways that cancel each other's protections. Treating one secret as if it were two independent ones is exactly the kind of hidden assumption attackers look for.

The principle of key separation:

  • Encryption key K_E and MAC key K_M must be different
  • Even if using the same algorithm (e.g., AES), different keys ensure the operations are independent
  • One key for confidentiality, another for integrity

Why?

  • If K_E = K_M, an attacker who can observe both the ciphertext and MAC tag might find mathematical relationships that leak information
  • Certain combinations create vulnerabilities: e.g., if you CBC-encrypt and CBC-MAC with the same key, the MAC tag equals the last ciphertext block — providing no additional security

Best practice:

  • Derive two keys from a master key using a KDF: K_E = KDF(K_master, "encrypt"), K_M = KDF(K_master, "mac")
  • Or use authenticated encryption modes (GCM, CCM) that handle this internally

Go deeper:

From Quiz: KRYPTOG / Symmetric Cryptography | Updated: Jul 14, 2026