Question

We have

+ a HMAC key (128 bit/16 bytes)
+ an AES key (128 bit/16 bytes)
+ an AES IV (128 bit/16 bytes)
+ a random salt (128 bit/16 bytes)

Each packet is signed with a HMAC (SHA256)

After each packet is sent, all those keys are packed together into a 64 byte array (HMAC + AES Key + AES IV + salt). Take the SHA512-hash of that nonce. Take the result and:

+ xor the first 16 bytes with the HMAC
+ xor the second 16 bytes with the AES key
+ xor the third 16 bytes with the AES IV
+ xor the fourth 16 bytes with the salt

The keys are generated using the Windows Random Number Generator and shared via RSA with OAEP padding (PKCS #1 v2.1).

Explanation / Answer

No, this protocol does not provide perfect forward secrecy. Record the initial key transport message (shared via RSA-OAEP). If the attacker later gets access to the corresponding RSA private key, and decrypts the original key transport message, the entire symmetric key evolution sequence for that session will trivially unfold.
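
The point of the answer as an added example (not part of the original question or answer): the update step takes no input other than the current 64-byte state, so the initial state fixes every later key. The function names `split_state`, `evolve`, `session_tags` and `state_after` are hypothetical, and the initial state and packets are constructed sample values.

```python
import hashlib
import hmac
import os

STATE_LEN = 64  # HMAC key | AES key | AES IV | salt, 16 bytes each


def split_state(state: bytes) -> dict:
    """Split the 64-byte array into the four 16-byte values from the question."""
    assert len(state) == STATE_LEN
    names = ("hmac_key", "aes_key", "aes_iv", "salt")
    return {n: state[i * 16:(i + 1) * 16] for i, n in enumerate(names)}


def evolve(state: bytes) -> bytes:
    """One update step: SHA-512 over the packed state, XORed back block by block."""
    digest = hashlib.sha512(state).digest()  # 64 bytes: one 16-byte block per value
    return bytes(s ^ d for s, d in zip(state, digest))


def session_tags(initial_state: bytes, packets: list) -> list:
    """HMAC-SHA256 tag for each packet, updating the state after each packet."""
    state, tags = initial_state, []
    for pkt in packets:
        key = split_state(state)["hmac_key"]
        tags.append(hmac.new(key, pkt, hashlib.sha256).digest())
        state = evolve(state)
    return tags


def state_after(initial_state: bytes, n: int) -> bytes:
    """State in use for packet n (0-based), derived from the initial state alone."""
    state = initial_state
    for _ in range(n):
        state = evolve(state)
    return state


if __name__ == "__main__":
    initial = os.urandom(STATE_LEN)  # constructed stand-in for the RSA-OAEP payload
    packets = [b"packet-0", b"packet-1", b"packet-2"]  # constructed sample packets
    recorded = session_tags(initial, packets)  # tags produced during the session
    # Later, with only `initial` known, the key for packet 2 is recomputed.
    k2 = split_state(state_after(initial, 2))["hmac_key"]
    tag = hmac.new(k2, packets[2], hashlib.sha256).digest()
    print(hmac.compare_digest(tag, recorded[2]))
```

Forward secrecy needs fresh secret input that the long-term RSA key cannot recover, such as an ephemeral Diffie-Hellman exchange; hashing the existing state adds none.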