New Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5
Lei Wang, Kazuo Ohta and Noboru Kunihiro* The University of Electro-Communications * The University of Tokyo at present.
1 Motivation of This Research
• HMAC has been widely applied in many protocols including SSL, TLS, SSH, IPSec and so on.
• NMAC is theoretical foundation of HMAC: attacks on NMAC (without related-key setting) can be applied to HMAC.
In this presentation, we will pick NMAC as an example.
2 Structure of NMAC
M
k2 H
k1 H
M: massage; One structural weakness of NMAC k1: the outer key; based on iterating hash functions: k1 k : the inner key; 2 and k2 can be recovered separately. Corresponding hash functions will be the inner and outer hash functions. 3 General Key-Recovery Attacks on NMAC
• Proposed by Preneel and van Oorschot in 1999:
Crucial idea: generate a collision in the inner hash function by the birthday attack. M
k2 H 1. Obtain one pair messages (M, M’) cause collision of NMAC. k1 H collision 2. Randomly generate r, and M’ check whether (M||r, M’||r) collide. If collision does not k 2 H happen, repeat steps 1 and 2.
k1 H 4 General Key-Recovery Attacks on NMAC
• Proposed by Preneel and van Oorschot in 1999:
Crucial idea: generate a collision in the inner hash function by the birthday attack. M To recover k : k2 H 2 1. guess the value of k . k1 H 2
collision 2. check whether the guessed k2 M’ can satisfy that (M, M’) cause the inner collision. k2 H
k1 H 5 General Key-Recovery Attacks on NMAC
• Proposed by Preneel and van Oorschot in 1999:
Crucial idea: generate a collision in the inner hash function by the birthday attack. M
k2 H To recover k1 after k2 has been recovered:
k 1 H 1. guess the value of k . recovered 1 2. check whether the guessed k M’ 1 can satisfy that NMAC(M) using
guessed k1 is the same with orginal k2 H value.
k1 H 6 Security Boundary of NMAC
M
Suppose bit-length of hash value and k2 H secret keys is n:
k1 H Whatever H is, NMAC n/2 One collision canIf underlyingbe found by hash 2 queriesfunctionwith is weak, more a high probabilitypowerful using the key birthday-recovery attack. attack is possible.
Both secret keys of NMAC can be recovered with 2n/2 online queries and 2n+1 offline computations.
7 Key-Recovery Attacks on NMAC
Wang et al. revealed weakness of several hash functions from MD4 family, which leaded to key-recovery attacks on NMAC based on specific weak hash functions:
• At Asiacrypt 2006, Contini and Yin proposed inner-key recovery attacks on NMAC instantiated with MD4, MD5, SHA-1.
• At Crypto 2007, Fouque, Leurent and Nguyen proposed full-key recovery attacks on NMAC-MD4 and NMAC-MD5.
• At Financial Crypt 2007, Rechberger and Rijmen proposed full-key recovery attacks on NMAC-MD5 and NMAC-SHA-1.
8 Key-Recovery Attacks on NMAC
Wang et al. revealed weakness of several hash functions from MD4 family, which leaded to key-recovery attacks on NMAC based on specific weak hash functions:
• At Asiacrypt 2006, Contini and Yin proposed inner-key recovery attacks on NMAC instantiated with MD4, MD5, SHA-1.
• At Crypto 2007, Fouque, Leurent and Nguyen proposed full-key recovery attacks on NMAC-MD4 and NMAC-MD5.
• At Financial Crypt 2007, Rechberger and Rijmen proposed full-key recovery attacks on NMAC-MD5 and NMAC-SHA-1.
Related to our research. 9 Framework of Key-Recovery Attacks
1. Online work.
Secret key will be partially recovered by online queries.
Theoretically interesting! In this presentation, we 2. Offline work. only focus on online work.
The remaining part of secret key will be recovered by the exhaustive search.
10 Previous Outer-Key Recovery Attack Previous outer-key recovery attacks on HMAC/NMAC-MD4 and NMAC-MD5:
1 : the value is known based on NMAC the knowledge of k2. M 2 : detect whether collision happens.
k H 1 MD4: set conditions on k1 for collision 2 attack.
If collision happens with expected number of k1 H 2 pair queries, k1 can satisfy the conditions;
Otherwise, k1 can not satisfy the conditions.
11 Previous Outer-Key Recovery Attack Previous outer-key recovery attacks on HMAC/NMAC-MD4 and NMAC-MD5:
1 : the value is known based on NMAC the knowledge of k2. M 2 : detect whether collision happens.
MD5: recover internal states in outer k H 1 2 MD5, and then inverse calculate k1. modifying the value at point 1 to set
k1 H 2 conditions on internal states. If collision happens with expexted number of queries, internal states satisfy conditions. 12 Analysis of previous work
The outer-key recovery attack is NMAC much more expensive than the inner key recovery attack. M We will reduce the complexity Main reason: control ability and for these two cases! freedom lost at point 1 . k2 H 1 MD4: pre-determined pair difference should be generated. k1 H 2 MD5: partially pre-fixed pair values should be generated during modifiying inner hash values.
13 Advantages of Our Attack (MD4)
HMAC/NMAC-MD4: Previous work: Point 1 : generate pre-determined pair difference.
Differential attack: real collision.
Our work: Point 1 : the same with previous work.
Differential attack: near collision attack, which reduces the complexity, since generating one near-collision needs less pair queries. Moreover it can recover more bit- values. 14 Advantages of Our Attack (MD4)
[FLN 07] Our Work
Online complexity 288 272
#bits by online 22 51
Offline comlexity 295 277
Total complexity 295 277
HMAC/NMAC-MD4: both online and offline complexities have been improved. 15 Advantages of Our Attack (MD5)
the number of pre-fixed values will increase NMAC-MD5: with the number of recovered bits. Previous work: Point 1 : generate partially pre-fixed values.
Differential attack: real collision (FLN work), near-collision (RR work). Our work:
Point 1 : not necessary (online work). k1 can be recovered partially without the knowledge of k2 at all. Differential attack: near-collision.
16 Advantages of Our Attack (MD5)
Complexity becomes higher than the exhaustive NMAC-MD5: search to recover remaining bits after 28 bits recovered. Previous work: Point 1 : generate partially pre-fixed values.
Differential attack: real collision (FLN work), near-collision (RR work). Up to 53 bits can be recovered. Our work:
Point 1 : not necessary (online work). k1 can be recovered partially without the knowledge of k2.
Differential attack: near collision attack.
17 Usage of Near-collision attacks
In Financial Cryptography 2007, Rechberger and Rijmen utilized near-collisions on MD5 to recover the outer key of NMAC-MD5, which might be the first usage of near-collision to attack HMAC and NMAC.
18 Advantages of Our Attack (MD5)
[FLN 07] [RR 07] Our Work
Online complexity 251 275
#bits by online 28 53
Offline comlexity 2100 275
Total complexity 2100 276
NMAC-MD5: more bit-values can be recovered by online work. The outer key can be partially recovered without the knowledge of the inner key. 19 One Novelty of Our Attack
M A new approach of key-recovery technique: utilizing feed-forward operation. k2 H The inner hash value after padding is only k1 H one block: NMAC
M0 M1 Mn CF: compression function.
IV CF CF … CF
20 One Novelty of Our Attack
M A new approach of key-recovery technique: utilizing feed-forward operation. k2 H The inner hash value after padding is only k1 H one block: NMAC
hin CF: compression function.
k1 CF NMAC value
21 CFs of MD4 and MD5
CFs of MD5 and MD4 : E denotes n-step updating functions: n is 64 and 48 for hin MD5 and MD4 respectively.
CF
k1 E + NMAC value
We will obtain output of E, then recover k . 1 22 Our outer key-recovery attacks on HMAC/NMAC-MD4
We will omit description of NMAC-MD5 case because of limited time.
23 Procedure of Our Attack
1. Obtain output of E in the outer MD4.
hin
k1 E + NMAC value
24 Obtain Output of E for MD4 Case
1. Determine message difference and differential path for near- collision attack:
Model of near-collision attack:
• Local collisions.
• The other differences only exist in last several steps.
25 Our Near-Collision on MD4
• Message differences:
i ∆m3 = 2
• Differential path:
The local Collision from step 1 until step 29;
The other differences only exist in the last 4 steps in third round.
26 3R of MD4
a b c d a b c d a b c44 d44 a32 b32 c32 d32 36 36 36 36 40 40 40 40 44 44
f f f 2i f m0 m2 m1 m3
<<< 3 <<< 3 <<< 3 <<< 3
a b c d a c d a b c d 33 33 33 33 a37 b37 c37 d37 41 b41 41 41 45 45 45 45
f f f f
m8 m10 m9 m11
<<< 9 <<< 9 <<< 9 <<< 9
a b c d a b c38 d38 a b c42 d42 a b c46 d46 34 34 34 Local34 38 collision38 42 42 46 46 f f f f m4 m6 m5 m7
<<<11 <<< 11 <<<11 <<<11
a b c d b c d 35 35 35 35 a39 b39 c39 d39 a43 43 43 43 a47 b47 c47 d47
f f f f m12 m14 Localm13 m15 <<<15 <<<15 collision<<<15 <<<15
c d a b c d a40 b40 40 40 a b c d a b c48 d48 36 36 36 36 44 44 44 44 48 48 27 Obtain Output of E for MD4 Case
1. Determine message difference and differential path for near- collision attack
2. Obtain output of E by detecting near-colliding shape.
28 One Weakness of Feed-Forward Operation
(ka, kb, kc, kd): 128-bit k1 divided into four 32-bit values.
(a48, b48, c48, d48): output of E in the outer MD4 divied into four 32- bit values.
(ha, hb, hc, hd): final output of NMAC divided into four 32-bit values.
(h , h , h , h ) = (k + a , k + b , k + c , k + d ) a b Consequently,c d a 48we canb obtain48 coutput48 ofd E by48 detecting difference propagation in last 4 steps.
∆ha = ∆a48 ∆hb = ∆b48 ∆hc = ∆c48 ∆hd = ∆d48 29 One Toy Example b c d a b c d a44 44 44 44 collision 44 44 44 44 f ’ i+3 f m3 – m3 = 2 m3 m’3 <<< 3 <<< 3 near-collision shape: a45 b45 c45 d45 a45 b’45 c45 d45 i+3 f ∆ha = 2 ; f m i+14 i+15 i+23 m 11 ∆hc = 2 +2 +2 ; 11 <<< 9 <<< 9 i+12 ∆hd = 2 ; a46 b46 c46 d46 a46 b’46 c’46 d46 f f m7 m7 <<<11 <<<11
a47 b47 c47 d47 a47 b’47 c’47 d’47 i+3 f ∆a48 = 2 ; f m m 15 ∆c = 2i+14+2i+15+2i+23; 15 <<<15 48 <<<15 i+12 ∆d48 = 2 ; 30 a48 b48 c48 d48 a’48 b’48 c’48 d’48 One Toy Example b c d a b c d a44 44 44 44 collision 44 44 44 44 f ’ i+3 f m3 – m3 = 2 m3 m’3 <<< 3 <<< 3 near-collision shape: a45 b45 c45 d45 a45 b’45 c45 d45 i+3 f ∆ha = 2 ; f m i+14 i+15 i+23 m 11 ∆hc = 2 +2 +2 ; 11 <<< 9 <<< 9 i+12 ∆hd = 2 ; a46 b46 c46 d46 a46 b’46 c’46 d46 f f m7 m7 <<<11 <<<11
a47 b47 c47 d47 a47 b’47 c’47 d’47 i+3 f ∆a48 = 2 ; f m m 15 ∆c = 2i+14+2i+15+2i+23; 15 <<<15 48 <<<15 i+12 ∆d48 = 2 ; 31 a48 b48 c48 d48 a’48 b’48 c’48 d’48 One Toy Example b c d a b c d a44 44 44 44 collision 44 44 44 44 f f m3 m’3 <<< 3 <<< 3
a b c d i+3 a b’ c d 45 45 45 45 ∆b45 =∆a48 = 2 ; 45 45 45 45 f f m11 m11 <<< 9 <<< 9
a b c d i+12 a b’ c’ d 46 46 46 46 ∆b46 =∆d48 = 2 ; 46 46 46 46 f f m7 m7 <<<11 <<<11 ∆b =∆c = 2i+14+2i+15+2i+23; a47 b47 c47 d47 47 48 a47 b’47 c’47 d’47 f f m15 m15 <<<15 <<<15
32 a48 b48 c48 d48 a’48 b’48 c’48 d’48 One Toy Example b c d a b c d a44 44 44 44 collision 44 44 44 44 f f m3 m’3 <<< 3 <<< 3
a b c d i+3 a b’ c d 45 45 45 45 ∆b45 =∆a48 = 2 ; 45 45 45 45 f f m11 m11 <<< 9 <<< 9
a b c d i+12 a b’ c’ d 46 46 46 46 ∆b46 =∆d48 = 2 ; 46 46 46 46 f f m7 m7 <<<11 <<<11 ∆b =∆c = 2i+14+2i+15+2i+23; a47 b47 c47 d47 47 48 a47 b’47 c’47 d’47 f f m15 m15 <<<15 <<<15
33 a48 b48 c48 d48 a’48 b’48 c’48 d’48 One Toy Example
a46 b46 c46 d46 a46 b’46 c’46 d46
f f m7 m7 <<<11 <<<11
c d c’ d a47 b47 47 47 a47 b’47 47 47
∆b47 should be caused by ∆b46 and ∆c46: i+3 ∆c46 = 2 ; i+14 i+15 ∆b = 2i+12; Both 2 and 2 are caused 46 i+3 i+14 i+15 i+23 by 2 of ∆c46. ∆b47 = 2 +2 +2 ; f function works bit-independently 34 One Toy Example
a46 b46 c46 d46 a46 b’46 c’46 d46
f f m7 m7 <<<11 <<<11
c d c’ d a47 b47 47 47 a47 b’47 47 47
i+3 Both 2i+14 and 2i+15 are caused c46: 1 by 2i+3 of ∆c . 46 + 2i+3: 0 1 0
f function works bit-independently c’46: 35 One Toy Example
a44 b44 c44 d44 f near-collision shape: m3 <<< 3 i+3 ∆ha = 2 ; b c d i+14 i+15 i+23 a45 45 45 45 ∆hc = 2 +2 +2 ; f i+12 ∆hd = 2 ; m11 <<< 9
a46 b46 c46 d46 f m7 <<<11 a48,i+3 = c46, i+3 =1;
a47 b47 c47 d47 f By similar way, we will obtain many messages m15 such that bit-values of output of E has been <<<15 recovered. 36 a48 b48 c48 d48 Procedure of Our Attack
1. Obtain output of E of the outer MD4.
2. Recover the outer key using output of E of the outer MD4.
37 The Toy Example
We obtained one message such that a48, i+3 =1, and its corresponding MAC value: 31 ~ i+4 i+3 i+2 ~ 0
ka:
Can be + a48: 1 calculated! ?
ha: Known Carry influence from bits i+2 to i+3
ha,(i+2)~0 ≥ ka, (i+2)~0: no carry during ka, (i+2)~0 +a48, (i+2)~0
ha,(i+2)~0 We obtained one message such that a48, i+3 =1, and its corresponding MAC value: 1. Guess the values ka, (i+2)~0. By similar way, we can recover the outer key 2. Compare ka, (i+2)~0partiallywith using ha, (i+2)~0 the. obtained messages. ha,(i+2)~0 ≥ ka, (i+2)~0: no carry during ka, (i+2)~0 +a48, (i+2)~0 ha,(i+2)~0 3. Calculate the bit-value of ka, i+3. 39 Experiment a44 b44 c44 d44 2i f It is impossible to apply the real experiment m 3 because of complexity. <<< 3 a b45 c45 d45 45 Instead, we did two separate experiments: f m11 <<< 9 • Confirm the correctness of differential path of a b c d 46 46 46 46 the local collision in first and second rounds. f m7 <<<11 • Confirm the correctness of key-recovery technique: randomly generate chaining variables a47 b47 c47 d47 in step 44. f m15 <<<15 40 a48 b48 c48 d48 Conclusion We proposed new outer-key recovery attacks on HMAC/NMAC- MD4 and NMAC-MD5: There might be two interesting points: • New approach of key-recovery attack: using feed- forward operation of MD4 and MD5. • One near-collision model: local collisions + the other difference propagation in last several steps. 41 Complexity Comparison Standard Attack Related-Key Attack 42 Thank you & Question 43