security - Are there any serious problems with this technique for generating symmetric keys? -

I am using borrowed techniques from books from Bruce Schneier and Niels Ferguson. Basically, it boils down to this:

---

Bob does this:

pubk_A = Alice's public key

Entropy = Byte cryptographic PRNG to Quality

Encrypted_Netropp = RSA_Encrypt _{pubk_A (entropy)}

hashed_netroopy = SHA2-512 (Entropy)

encrypt_key ba = hashead_transpot [0:32]
encrypted_napes BA = haschendropopopie [32:48]
hmac_key < All> ba = hash_intropi [48:64]

Bob then ali Sends encrypted_trropy to S

Then Alice does this:

privk_A = Alice's private key

enterpp = rsa_drycrypt _{personal_a (Encrypted_entrophy)}

hash_droppy = Shah-2-512 (entropy)

encrypt_key BA = hashead_intropy [0:32 ]
EncryptedAnpes BA = hashed_intropy [32:48]
hmac_key BA = haschendroppy [48:64]

---

This Works great to generate the key that Bob interacts with Alice Area can be used for. But I need those keys which I can use in both directions. I was thinking of modifying the algorithm like this:

---

Bob enters with the entropy:

pubk_B = Bob's public key

hashed_intropi BA = SHA2-512 ( SHA2-256 (pubk_A) + entropy

encrypt_key = hashead_natropi [0:32]
EncryptedAnapace BA = hashead_intropy [32:48]
hmac_key BA = hashead_intropy [48:64]

Hash_Intropy AB = SHA2-512 ( SHA2-256 (pubk_B) + entropy

encrypt T_keys AB = hash_intropy [0:32]
encrypted_napes AB = haschendroppy [32:48]
hmac_key AB = haschendropopopie [ 48:64]

As you can see, now there are two sets of keys, which are used to communicate with Bob. And for the second.

Is there something wrong with it? What safety is I taking? Is the security of the system low or if I just cross one Did Tweak tweak a little bit more? Is there a better way without a round trip to solve this problem?

The problem with both Alice and Bob is a shared key for bi-directional communication. like. The only idea is that you can not use the same iv + master key combo with any packet. Apart from it, iv.

This improvement can be made on the Saturn / Ferguson Protocol, which will remove the requirement for hmac_key . This will reduce bandwidth used for handshake and CPU usage for each packet.

In terms of your version of this protocol, you still have to rely on sending encrypted_tropy = RSA_Encryptpubk_A (entropy) . This is an important step because you have to share the share. Uses the known value of pubk_A in the main generation. Keep in mind that it should be assumed that any public key is known to the attacker, the use of Sha256 is more costly or brutal force Does not make it more difficult for In this way, the number of guessing the attacker is equal to these three calculations: sha512 (sha256 (pubk_A) + entropy) , sha512 (pubk_a + entropy) , SHA512 (Entropy) . This means that it is a waste of resources because you are not benefiting from your attacker.