Full Key-Recovery Attacks on HMAC/NMAC
Full Key-Recovery attack on HMAC-MD4 G. Leurent Full Key-Recovery Attacks on Introduction HMAC/NMAC-MD4 and NMAC-MD5 MD4 HMAC and NMAC
Previous work Wang’s attack NMAC attack Pierre-Alain Fouque, Gaëtan Leurent, Phong Nguyen New ideas IV-dependent paths Message pairs Laboratoire d’Informatique de l’École Normale Supérieure Differential paths Extracting more Conclusion CRYPTO 2007
1/ 26 Full Key-Recovery What is a MAC algorithm? attack on HMAC-MD4 G. Leurent
Introduction M MD4 HMAC and NMAC
Previous work Wang’s attack NMAC attack
New ideas IV-dependent paths Message pairs Differential paths Extracting more
Conclusion
◮ Alice wants to send a message to Bob ◮ But Charlie has access to the communication channel ◮ Alice and Bob share a secret key k... ◮ ...and use a MAC algorithm. ◮ Bob rejects the message if MACk(M) 6= t
2/ 26 Full Key-Recovery What is a MAC algorithm? attack on HMAC-MD4 G. Leurent
Introduction M MD4 HMAC and NMAC
Previous work Wang’s attack NMAC attack
New ideas IV-dependent paths Message pairs Differential paths Extracting more
Conclusion
◮ Alice wants to send a message to Bob ◮ But Charlie has access to the communication channel ◮ Alice and Bob share a secret key k... ◮ ...and use a MAC algorithm. ◮ Bob rejects the message if MACk(M) 6= t
2/ 26 Full Key-Recovery What is a MAC algorithm? attack on HMAC-MD4 G. Leurent
Introduction M MD4 HMAC and NMAC
Previous work Wang’s attack NMAC attack
New ideas k k IV-dependent paths Message pairs Differential paths Extracting more
Conclusion
◮ Alice wants to send a message to Bob ◮ But Charlie has access to the communication channel ◮ Alice and Bob share a secret key k... ◮ ...and use a MAC algorithm. ◮ Bob rejects the message if MACk(M) 6= t
2/ 26 Full Key-Recovery What is a MAC algorithm? attack on HMAC-MD4 G. Leurent
Introduction M, t MD4 HMAC and NMAC
Previous work Wang’s attack NMAC attack
New ideas k k IV-dependent paths Message pairs Differential paths t = MACk(M) Extracting more
Conclusion
◮ Alice wants to send a message to Bob ◮ But Charlie has access to the communication channel ◮ Alice and Bob share a secret key k... ◮ ...and use a MAC algorithm. ◮ Bob rejects the message if MACk(M) 6= t
2/ 26 Full Key-Recovery What is a MAC algorithm? attack on HMAC-MD4 G. Leurent
Introduction M, t MD4 HMAC and NMAC
Previous work Wang’s attack NMAC attack
New ideas k k IV-dependent paths Message pairs ? Differential paths t = MACk(M) t = MACk(M) Extracting more
Conclusion
◮ Alice wants to send a message to Bob ◮ But Charlie has access to the communication channel ◮ Alice and Bob share a secret key k... ◮ ...and use a MAC algorithm. ◮ Bob rejects the message if MACk(M) 6= t
2/ 26 Full Key-Recovery MAC security attack on HMAC-MD4 A MAC (Message Authentication Code) should provide G. Leurent authentication and integrity protection. Introduction MD4 HMAC and NMAC
Previous work MAC security notions: chosen message attacks Wang’s attack NMAC attack The adversary has access to an oracle M 7→ MACk(M). New ideas He must compute a new MAC for: IV-dependent paths Message pairs ◮ Differential paths One message of his choice: existential forgery. Extracting more ◮ Any message: universal forgery. Conclusion
One very popular MAC (ANSI, IETF, ISO, NIST), HMAC is based on a hash function.
Topic of the talk Can we use the attacks on MD4 or MD5 to break HMAC? 3/ 26 Full Key-Recovery Known attacks on MD hash functions attack on HMAC-MD4 G. Leurent M1
Introduction MD4 IV h HMAC and NMAC
Previous work M2 Wang’s attack NMAC attack New ideas ◮ Collision attacks: IV-dependent paths Message pairs generate M1, M2: H(M1)= H(M2) Differential paths ◮ 1 27 63 Extracting more MD4 in 2 , MD5 in 2 , SHA-1 in 2 ◮ Conclusion Colliding blocks look random ◮ Limited impact: commitment ◮ Add a prefix and a suffix, hide the randomness ◮ Partial freedom in the colliding blocks ◮ Chosen prefix collisions: given P1, P2 generate M1, M2: H(P1||M1)= H(P2||M2)
4/ 26 Full Key-Recovery Known attacks on MD hash functions attack on HMAC-MD4 G. Leurent M1
Introduction MD4 HMAC and NMAC
Previous work M2 Wang’s attack NMAC attack New ideas ◮ Collision attacks: IV-dependent paths Message pairs generate M1, M2: H(M1)= H(M2) Differential paths Extracting more ◮ Add a prefix and a suffix, hide the randomness Conclusion ◮ Include two documents, use the collision as a switch ◮ Signature by a third party ◮ Fraud is detectable ◮ Partial freedom in the colliding blocks ◮ Chosen prefix collisions: given P1, P2 generate M1, M2: H(P1||M1)= H(P2||M2)
4/ 26 Full Key-Recovery Known attacks on MD hash functions attack on HMAC-MD4 G. Leurent M1
Introduction MD4 HMAC and NMAC
Previous work M2 Wang’s attack NMAC attack New ideas ◮ Collision attacks: IV-dependent paths Message pairs generate M1, M2: H(M1)= H(M2) Differential paths Extracting more ◮ Add a prefix and a suffix, hide the randomness Conclusion ◮ Partial freedom in the colliding blocks ◮ Weak challenge-response authentication: APOP ◮ Chosen prefix collisions: given P1, P2 generate M1, M2: H(P1||M1)= H(P2||M2)
4/ 26 Full Key-Recovery Known attacks on MD hash functions attack on HMAC-MD4 G. Leurent P1 M1
Introduction MD4 HMAC and NMAC
Previous work P2 M2 Wang’s attack NMAC attack New ideas ◮ Collision attacks: IV-dependent paths Message pairs generate M1, M2: H(M1)= H(M2) Differential paths Extracting more ◮ Add a prefix and a suffix, hide the randomness Conclusion ◮ Partial freedom in the colliding blocks ◮ Chosen prefix collisions: given P1, P2 generate M1, M2: H(P1||M1)= H(P2||M2) ◮ Colliding certificates with different names.
4/ 26 Full Key-Recovery MD family status attack on HMAC-MD4 G. Leurent Current status
Introduction Collision-resistance is seriously broken, MD4 HMAC and NMAC but for most constructions, no real attacks are known: Previous work ◮ Key derivation Wang’s attack ◮ NMAC attack Peer authentication ◮ New ideas HMAC IV-dependent paths ◮ ... Message pairs Differential paths Extracting more Conclusion More in-depth study and improvement of Wang’s attack are needed.
Our results on MD4
◮ We adapted Wang’s attack to HMAC/NMAC. ◮ Universal forgery attack with 288 data and 295 CPU.
5/ 26 Full Key-Recovery MD family status attack on HMAC-MD4 G. Leurent Current status
Introduction Collision-resistance is seriously broken, MD4 HMAC and NMAC but for most constructions, no real attacks are known: Previous work ◮ Key derivation Wang’s attack ◮ NMAC attack Peer authentication ◮ New ideas HMAC IV-dependent paths ◮ ... Message pairs Differential paths Extracting more Conclusion More in-depth study and improvement of Wang’s attack are needed.
Our results on MD4
◮ We adapted Wang’s attack to HMAC/NMAC. ◮ Universal forgery attack with 288 data and 295 CPU.
5/ 26 Full Key-Recovery Outline attack on HMAC-MD4 G. Leurent Introduction Introduction The MD4 hash function MD4 HMAC and NMAC HMAC and NMAC Previous work Wang’s attack NMAC attack Previous work New ideas Wang’s attack IV-dependent paths Message pairs Contini-Yin NMAC attack Differential paths Extracting more Conclusion New ideas IV-dependent differential path Efficient computation of message pairs Differential paths Extracting more key bits
Conclusion
6/ 26 Full Key-Recovery The MD4 hash function attack on HMAC-MD4 General design G. Leurent ◮ Introduction Merkle-Damgård: Hi = F(Mi , Hi−1) MD4 HMAC and NMAC M Previous work Wang’s attack NMAC attack
New ideas M0 M1 M2 M3 IV-dependent paths Message pairs Differential paths Extracting more F F F F D Conclusion IV H0 H1 H2 H3 h(M)
m ◮ Davies-Meyer with i a Feistel-like cipher. Hi−1 H C i
7/ 26 Full Key-Recovery The MD4 compression function attack on HMAC-MD4 Step update G. Leurent
Introduction Qi−4 Qi−3 Qi−2 Qi−1 MD4 HMAC and NMAC Φi Previous work Wang’s attack NMAC attack mi New ideas IV-dependent paths Message pairs ki Differential paths ≪ Extracting more si Conclusion
Qi−3 Qi−2 Qi−1 Qi
◮ ⊞ ⊞ ⊞ ≪ Qi = (Qi−4 Φi(Qi−1, Qi−2, Qi−3) mi ki) si ◮ In: Q−4||Q−1||Q−2||Q−3 ◮ ⊞ ⊞ ⊞ ⊞ Out: Q−4 Q44||Q−1 Q47||Q−2 Q46||Q−3 Q45
8/ 26 Full Key-Recovery NMAC description attack on HMAC-MD4 G. Leurent M0 ...Mi... Mk Introduction MD4 HMAC and NMAC k2 Previous work Wang’s attack NMAC attack Hk (M) New ideas 2 IV-dependent paths Message pairs Differential paths Extracting more
Conclusion k1 MAC
◮ NMAC (M)= H (H (M)) k1,k2 k1 k2 ◮ Keyed hash function Hk: replace the IV by the key. ◮ Prevents offline collision search and extension attacks.
9/ 26 Full Key-Recovery HMAC description attack on HMAC-MD4 ◮ ¯ ¯ G. Leurent HMACk(M)= H(k ⊕ opad ||H(k ⊕ ipad ||M)) ◮ Introduction opad and ipad are 1-block constants MD4 ◮ k¯ is k padded to one block HMAC and NMAC Previous work ◮ No need to key the hash function. Wang’s attack NMAC attack ◮ New ideas HMACk ≈ NMAC ¯⊕ ¯⊕ IV-dependent paths H(k opad),H(k ipad) Message pairs ◮ Differential paths HMAC security is equivalent to NMAC security. Extracting more
Conclusion HMAC/NMAC security proof If the compression function F is secure as a PRF then HMAC/NMAC is: ◮ secure against existential forgery up to 2n/2 ◮ secure against universal forgery up to 2n
10/ 26 Full Key-Recovery Outline attack on HMAC-MD4 G. Leurent Introduction Introduction The MD4 hash function MD4 HMAC and NMAC HMAC and NMAC Previous work Wang’s attack NMAC attack Previous work New ideas Wang’s attack IV-dependent paths Message pairs Contini-Yin NMAC attack Differential paths Extracting more Conclusion New ideas IV-dependent differential path Efficient computation of message pairs Differential paths Extracting more key bits
Conclusion
11/ 26 Full Key-Recovery MD4 Collisions: Wang’s attack attack on HMAC-MD4 G. Leurent 1 Precomputation: Introduction ◮ MD4 Choose a message difference. HMAC and NMAC ◮ Compute a differential path. Previous work ◮ Derive a set of sufficient conditions. Wang’s attack NMAC attack 2 Collision search: New ideas ◮ Find a message that satisfies the set of conditions. IV-dependent paths Message pairs Differential paths Extracting more
Conclusion Main result We know a difference ∆ and a set of conditions on the internal state variables Qi’s, such that: If all the conditions are satisfied by the internal state variable in the computation of H(M), then H(M)= H(M + ∆).
12/ 26 Full Key-Recovery How to use collisions? attack on HMAC-MD4 G. Leurent M0 ...Mi... Mk
Introduction MD4 k2 HMAC and NMAC
Previous work Wang’s attack H (M) NMAC attack k2
New ideas IV-dependent paths Message pairs Differential paths Extracting more k1 Conclusion MAC
◮ We can detect hash collisions through NMAC collisions. ◮ Without the IV, we can’t use message modifications. ◮ Try many pairs (M, M + ∆), and wait for a collision. ◮ The collision contains some key information, but we need a way to extract it... 13/ 26 Full Key-Recovery Inner key recovery attack on HMAC-MD4 G. Leurent M
Introduction M +∆ MD4 HMAC and NMAC
Previous work Wang’s attack k2 NMAC attack
New ideas IV-dependent paths H (M) k2 Message pairs Differential paths Extracting more
Conclusion
k1 MAC
1 Find an inner collision. 2 Use M to modify the inner state.
3 Learn bits of Qi by observing collisions; compute k2.
14/ 26 Full Key-Recovery Inner key recovery attack on HMAC-MD4 G. Leurent M
Introduction M +∆ MD4 HMAC and NMAC
Previous work Wang’s attack k2 NMAC attack
New ideas IV-dependent paths H (M) k2 Message pairs Differential paths Extracting more
Conclusion
k1 MAC
1 Find an inner collision. 2 Use M to modify the inner state.
3 Learn bits of Qi by observing collisions; compute k2.
14/ 26 Full Key-Recovery Inner key recovery attack on HMAC-MD4 G. Leurent M
Introduction M +∆ MD4 HMAC and NMAC
Previous work Wang’s attack k2 NMAC attack
New ideas IV-dependent paths H (M) k2 Message pairs Differential paths Extracting more
Conclusion
k1 MAC
1 Find an inner collision. 2 Use M to modify the inner state.
3 Learn bits of Qi by observing collisions; compute k2.
14/ 26 Full Key-Recovery Inner key recovery attack on HMAC-MD4 G. Leurent M
Introduction M +∆ MD4 HMAC and NMAC
Previous work Wang’s attack k2 NMAC attack
New ideas IV-dependent paths H (M) k2 Message pairs Differential paths Extracting more
Conclusion
k1 MAC
1 Find an inner collision. 2 Use M to modify the inner state.
3 Learn bits of Qi by observing collisions; compute k2.
14/ 26 Full Key-Recovery Outer key recovery attack on HMAC-MD4 G. Leurent M
Introduction MD4 k2 HMAC and NMAC H (M) k2 Previous work Wang’s attack NMAC attack
New ideas IV-dependent paths Message pairs Differential paths Extracting more k1 Conclusion MAC
Problems
◮ We can’t choose H (M). k2 ◮ We can only have a difference in the first 128 bits.
15/ 26 Full Key-Recovery Outer key recovery attack on HMAC-MD4 G. Leurent M
Introduction MD4 k2 HMAC and NMAC H (M) k2 Previous work Wang’s attack NMAC attack
New ideas IV-dependent paths Message pairs Differential paths Extracting more k1 Conclusion MAC
Problems
◮ We can’t choose H (M). k2 ◮ We can only have a difference in the first 128 bits.
15/ 26 Full Key-Recovery Contini and Yin’s attack (Asiacrypt 2006) attack on HMAC-MD4 G. Leurent
Introduction MD4 HMAC and NMAC
Previous work ◮ Wang’s attack Recovers the inner key k2 but not the outer key k1. NMAC attack
New ideas − IV-dependent paths ◮ Best path: p = 2 58. Message pairs 63 Differential paths Complexity 2 . Extracting more Conclusion ◮ Not enough for universal forgery. Attacker still need 2n computations.
16/ 26 Full Key-Recovery Outline attack on HMAC-MD4 G. Leurent Introduction Introduction The MD4 hash function MD4 HMAC and NMAC HMAC and NMAC Previous work Wang’s attack NMAC attack Previous work New ideas Wang’s attack IV-dependent paths Message pairs Contini-Yin NMAC attack Differential paths Extracting more Conclusion New ideas IV-dependent differential path Efficient computation of message pairs Differential paths Extracting more key bits
Conclusion
17/ 26 Full Key-Recovery A New IV-recovery Attack attack on HMAC-MD4 G. Leurent
Introduction ◮ MD4 We want to avoid the need for related messages. HMAC and NMAC Previous work ◮ We look for paths where the existence of collision Wang’s attack NMAC attack discloses information about the key. New ideas IV-dependent paths Message pairs Differential paths Extracting more Advantage Conclusion ◮ In Contini-Yin attack, you need to choose a lot of bits in H (M) (related messages). k2 ◮ We only need to choose the differences in H (M). k2
18/ 26 Full Key-Recovery Using IV-dependent paths attack on HMAC-MD4 ◮ G. Leurent Use a differential path with δm0 6= 0.
Introduction ◮ The beginning of the path depends on MD4 HMAC and NMAC a condition (X) of the IV: Previous work ◮ −128 pX = Pr [H(M)= H(M + ∆)|X] ≫ 2 . Wang’s attack M NMAC attack step δmi ∂Φi ∂Qi conditions New ideas [0] [3] IV-dependent paths 0 N N Message pairs Differential paths 1 Q[3] = Q[3] (X) Extracting more −1 −2 Conclusion ◮ PrM[H(M)= H(M + ∆)|¬X] ≪ pX .
step δmi ∂Φi ∂Qi conditions 0 N[0] N[3] N[3] N[10] [3] [3] 1 Q−1 6= Q−2 (¬ X) ◮ We try 2/pX pairs: ◮ If we have a collision then (X) is satisfied. ◮ Otherwise, (X) is not satisfied.
19/ 26 Full Key-Recovery Efficient computation of message pairs attack on HMAC-MD4 To recover the outer key, we need 2/pX message pairs with G. Leurent H (M )= H (M )+∆ k2 2 k2 1 Introduction MD4 HMAC and NMAC Previous work k2 δH =∆ δQ =∆ δH =∆ Wang’s attack NMAC attack δQ =∆ δQ = 0
New ideas IV-dependent paths Message pairs Ri Mi Differential paths Extracting more
Conclusion ◮ We start with one message pair (R1, R2) such that H (R )= H (R )+∆ (birthday paradox). k2 2 k2 1
◮ We compute second blocks (N1, N2) such that H (R ||N )= H (R ||N )+∆ k2 2 2 k2 1 1 ◮ This is essentially a collision search with the padding inside the block.
20/ 26 Full Key-Recovery New outer key recovery attack on HMAC-MD4 G. Leurent M Introduction MD4 HMAC and NMAC k2 H (M) Previous work k2 Wang’s attack NMAC attack
New ideas IV-dependent paths Message pairs Differential paths Extracting more
Conclusion k1 MAC
1 Recover k2. 2 Generate pairs with H (M )= H (M )+∆. k2 2 k2 1
3 Learn bits of k1 by observing collisions.
21/ 26 Full Key-Recovery New outer key recovery attack on HMAC-MD4 G. Leurent M Introduction MD4 HMAC and NMAC k2 H (M) Previous work k2 Wang’s attack NMAC attack
New ideas IV-dependent paths Message pairs Differential paths Extracting more
Conclusion k1 MAC
1 Recover k2. 2 Generate pairs with H (M )= H (M )+∆. k2 2 k2 1
3 Learn bits of k1 by observing collisions.
21/ 26 Full Key-Recovery New outer key recovery attack on HMAC-MD4 G. Leurent M Introduction MD4 HMAC and NMAC k2 H (M) Previous work k2 Wang’s attack NMAC attack
New ideas IV-dependent paths Message pairs Differential paths Extracting more
Conclusion k1 MAC
1 Recover k2. 2 Generate pairs with H (M )= H (M )+∆. k2 2 k2 1
3 Learn bits of k1 by observing collisions.
21/ 26 Full Key-Recovery New outer key recovery attack on HMAC-MD4 G. Leurent M Introduction MD4 HMAC and NMAC k2 H (M) Previous work k2 Wang’s attack NMAC attack
New ideas IV-dependent paths Message pairs Differential paths Extracting more
Conclusion k1 MAC
1 Recover k2. 2 Generate pairs with H (M )= H (M )+∆. k2 2 k2 1
3 Learn bits of k1 by observing collisions.
21/ 26 Full Key-Recovery Differential paths attack on HMAC-MD4 G. Leurent We need very constrained paths: Introduction ◮ MD4 At least one difference in m0. HMAC and NMAC ◮ Previous work No difference in m4...m15. Wang’s attack ◮ NMAC attack High probability. New ideas ◮ Many paths (each one gives only one bit of the key). IV-dependent paths Message pairs Differential paths Extracting more Differential path algorithm Conclusion ◮ We use an algorithm to find a differential path from the message difference ∆. ◮ −79 We found 22 paths with pX ≈ 2 . ◮ Attack complexity: 288 data, 2105 time.
22/ 26 Full Key-Recovery Differential paths attack on HMAC-MD4 G. Leurent We need very constrained paths: Introduction ◮ MD4 At least one difference in m0. HMAC and NMAC ◮ Previous work No difference in m4...m15. Wang’s attack ◮ NMAC attack High probability. New ideas ◮ Many paths (each one gives only one bit of the key). IV-dependent paths Message pairs Differential paths Extracting more Differential path algorithm Conclusion ◮ We use an algorithm to find a differential path from the message difference ∆. ◮ −79 We found 22 paths with pX ≈ 2 . ◮ Attack complexity: 288 data, 2105 time.
22/ 26 Full Key-Recovery Extracting more key bits attack on HMAC-MD4 G. Leurent When we have a collision for one of the paths,
Introduction we can recover some extra information on the key: MD4 HMAC and NMAC step si δmi ∂Φi ∂Qi conditions Previous work N[0] N[3] Wang’s attack 0 3 NMAC attack [3] [3] New ideas 1 7 Q−1 = Q−2 (X) IV-dependent paths [3] Message pairs 2 11 Q = 0 (Y) Differential paths 1 Extracting more 3 19 Q[3] = 1 (Z) Conclusion 2 4 3 N[6] Note: (Y) and (Z) are not key bits, they depend on the message.
Use (Y) and (Z) to efficiently reduce the key entropy. On average we reduce the search space from 2105 to 294.
23/ 26 Full Key-Recovery Conclusion attack on HMAC-MD4 G. Leurent ◮ Hash collisions can be detected through HMAC/NMAC Introduction MD4 ◮ HMAC and NMAC Tailoring Wang’s attack: IV-dependent collisions Previous work Wang’s attack ◮ Full key recovery NMAC attack
New ideas IV-dependent paths Message pairs Attack complexity Differential paths Extracting more Attacks Data Time Mem Remark Conclusion E-Forgery 2n/2 - - Collision based Generic 2n/2 2n+1 - Collision based U-Forgery 1 22n/3 22n/3 TM tradeoff, 2n precpu E-Forgery 258 - - NMAC-MD4 63 40 HMAC-MD4 Partial-KR 2 2 - U-Forgery 288 295 - New result
24/ 26 Full Key-Recovery Conclusion attack on HMAC-MD4 G. Leurent Possible improvements Introduction MD4 HMAC and NMAC ◮ Find better paths. Previous work Wang’s attack ◮ Use the method of Contini and Yin for the inner key. NMAC attack New ideas ◮ Use near-collisions for the outer key. IV-dependent paths Message pairs Differential paths Extracting more Conclusion About MD5
◮ Our NMAC-MD5 attack is in the related-key model. ◮ A real attack would require a differential path with less than one block of message...
More NMAC-MD5
25/ 26 Full Key-Recovery Any Questions? attack on HMAC-MD4 G. Leurent
Introduction MD4 HMAC and NMAC
Previous work Wang’s attack NMAC attack
New ideas IV-dependent paths Message pairs Differential paths Extracting more
Conclusion
Thank you for your attention.
26/ 26 Full Key-Recovery NMAC-MD5 attack attack on HMAC-MD4 G. Leurent M
NMAC-MD5 k2 Diff. paths H (M) k2
k1 MAC
1 We don’t have a path with a suitable ∆. 2 We use a path with a difference in the IV 3 Filter H (M) to modify the outer state k2
4 Learn bits of Qi by observing collisions; compute k1.
27/ 26 Full Key-Recovery NMAC-MD5 attack attack on HMAC-MD4 G. Leurent M
NMAC-MD5 k2 Diff. paths H (M) k2
k1 MAC
1 We don’t have a path with a suitable ∆. 2 We use a path with a difference in the IV 3 Filter H (M) to modify the outer state k2
4 Learn bits of Qi by observing collisions; compute k1.
27/ 26 Full Key-Recovery NMAC-MD5 attack attack on HMAC-MD4 G. Leurent M
NMAC-MD5 k2 Diff. paths H (M) k2
k1 MAC
1 We don’t have a path with a suitable ∆. 2 We use a path with a difference in the IV 3 Filter H (M) to modify the outer state k2
4 Learn bits of Qi by observing collisions; compute k1.
27/ 26 Full Key-Recovery NMAC-MD5 attack attack on HMAC-MD4 G. Leurent M
NMAC-MD5 k2 Diff. paths H (M) k2
k1 MAC
1 We don’t have a path with a suitable ∆. 2 We use a path with a difference in the IV 3 Filter H (M) to modify the outer state k2
4 Learn bits of Qi by observing collisions; compute k1.
27/ 26 Full Key-Recovery NMAC-MD5 attack attack on HMAC-MD4 G. Leurent ◮ Small improvement of Contini & Yin’s attack. NMAC-MD5 ◮ Diff. paths Independently found by Rechberger & Rijmen (FC 2007).
◮ Related key model
Attacks Data Time Mem Remark E-Forgery 2n/2 - - Collision based Generic 2n/2 2n+1 - Collision based U-Forgery 1 22n/3 22n/3 TM tradeoff, 2n precpu E-Forgery 247 - - NMAC-MD5 47 45 Related keys Partial-KR 2 2 - U-Forgery 251 2100 - New result
Conclusion
28/ 26 Full Key-Recovery Differential paths attack on HMAC-MD4 G. Leurent
NMAC-MD5
Diff. paths The next slides show some examples of the differential paths used in the NMAC attack.
For more information see: Automatic search of differential path in MD4, by Pierre-Alain Fouque, Gaëtan Leurent and Phong Nguyen, Presented in the ECRYPT hash workshop, 2007, Cryptology ePrint Archive, Report 2007/206.
29/ 26 Full Key-Recovery An IV-dependent path attack on step si δmi ∂Φi ∂Qi conditions HMAC-MD4 0 3 N[0] N[3] [3] [3] 1 7 Q−1 = Q−2 G. Leurent [3] 2 11 Q1 = 0 [3] 3 19 Q2 = 1 NMAC-MD5 4 3 HN[6,7] [6] [6] [7] [7] 5 7 Q3 = Q2 , Q3 = Q2 Diff. paths [6] [7] 6 11 Q5 = 0, Q5 = 0 N[7] N[26] [6] [7] 7 19 Q6 = 1, Q6 = 0 H[26] N[9] H[29] [26] [26] 8 3 , Q5 = 1, Q6 = 0 [9] [9] [26] [29] [29] 9 7 Q7 = Q6 , Q8 = 0, Q7 = Q6 [9] [26] [29] 10 11 Q9 = 0, Q9 = 1, Q9 = 0 N[13] [9] [29] 11 19 Q10 = 1, Q10 = 1 H[0] N[12] [13] [13] 12 3 , Q10 = Q9 [0] [0] [12] [12] [13] 13 7 Q11 = Q10, Q11 = Q10 , Q12 = 0 H[0] NNH[11...13] [0] [12] [13] 14 11 Q13 = 1, Q13 = 0, Q13 = 1 H[13] [0] [11] [11] [12] [13] [13] 15 19 Q14 = 1, Q13 = Q12 , Q13 = 0, Q13 = 1, Q12 = 0 N[0] NH[12,13] [11] [11] [12] [12] [13] [13] 16 3 Q15 = Q13 , Q15 6= Q13 , Q15 6= Q13 [11] [11] [12] [12] [13] [13] 17 5 Q16 = Q15 , Q16 = Q15 , Q16 = Q15 18 9 NNNH[20...23] [20] [20] [21] [21] [22] [22] [23] [23] 19 13 Q17 = Q16 , Q17 = Q16 , Q17 = Q16 , Q17 = Q16 H[23] H[26] [20] [20] [21] [21] [22] [22] [23] [23] 20 3 Q19 = Q17 , Q19 = Q17 , Q19 = Q17 , Q19 6= Q17 [20] [20] [21] [21] [22] [22] [23] [23] [26] [26] 21 5 Q20 = Q19 , Q20 = Q19 , Q20 = Q19 , Q20 = Q19 , Q19 = Q18 H[29] [26] [26] 22 9 Q21 = Q19 [26] [26] [29] [29] 23 13 Q22 = Q21 , Q21 = Q20 NH[29,30] [29] [29] 24 3 Q23 = Q21 [30] [30] 25 5 Q23 = Q22 N[29] [29] [29] [30] [30] 26 9 Q25 6= Q23 , Q25 = Q23 [29] [29] [30] [30] 27 13 Q26 = Q25 , Q26 = Q25 28 3 H[0] [0] [0] 29 5 Q27 = Q26 [0] [0] 30 9 Q29 = Q27 [0] [0] 31 13 Q30 = Q29 30/ 26 32 3 N[0] A path for the message pair generation step si δmi ∂Φi ∂Qi conditions −4 0 H[4] −3 0 −2 0 −1 0 0 3 H[7] N[31] N[6] [7] = [7] 1 7 Q−1 Q−2 H[28] N[31] H[7] N[10] [6] = [6] [7] = 2 11 , , Q0 Q−1, Q1 0 [6] = [7] = [10] = [10] 3 19 Q2 0, Q1 0, Q1 Q0 N[6] NNH[9...11] [6] = [7] = [10] = 4 3 Q3 0, Q3 0, Q3 0 N[13] [7] = [9] = [9] [10] = [11] = [11] 5 7 Q4 1, Q3 Q2 , Q3 0, Q3 Q2 NH[10,11] H[18] [9] = [10] = [11] = [13] = [13] 6 11 Q5 0, Q5 1, Q5 1, Q4 Q3 [9] = [10] = [11] = [13] = [18] = [18] 7 19 Q6 1, Q6 1, Q6 1, Q6 0, Q5 Q4 N[13] H[12] N[16] [13] = [18] = 8 3 , Q7 0, Q7 0 H[12] N[19] [12] = [12] = [16] = [16] [18] = 9 7 Q7 1, Q6 0, Q7 Q6 , Q8 1 H[29] [12] = [16] = [19] = [19] 10 11 Q9 0, Q9 0, Q8 Q7 [12] = [16] = [19] = [29] = [29] 11 19 Q10 1, Q10 1, Q10 0, Q9 Q8 H[16] N[19] NH[15,16] N[22] [19] = [29] = 12 3 , Q11 0, Q11 0 HHHN[26...29] [15] = [15] [16] = [16] [22] = [22] [29] = 13 7 Q11 Q10 , Q11 Q10 , Q11 Q10 , Q12 1 N[29] [15] = [16] = [22] = [26] = [26] [27] = [27] [28] = [28] [29] = [29] = 14 11 Q13 0, Q13 0, Q13 0, Q12 Q11 , Q12 Q11 , Q12 Q11 , Q12 1, Q11 0 HN[28,29] N[15] [15] = [16] = [22] = [26] = [27] = [28] = [29] = 15 19 Q14 1, Q14 1, Q14 1, Q14 0, Q14 0, Q14 1, Q14 1 N[15] N[25] [15] = [15] [26] = [26] [27] = [27] [28] = [28] [29] = [29] 16 3 Q14 6 Q13 , Q15 Q14 , Q15 Q14 , Q15 Q14 , Q15 Q14 N[31] [15] = [15] [25] = [25] 17 5 Q16 Q14 , Q15 Q14 [15] = [15] [25] = [25] [31] = [31] 18 9 Q17 Q16 , Q17 Q15 , Q16 Q15 H[16] H[28] [25] = [25] [31] = [31] 19 13 Q18 Q17 , Q18 Q16 N[31] H[28] N[31] N[28] H[31] [28] = [28] [31] = [31] 20 3 , , Q18 6 Q17 , Q19 6 Q18 H[31] [31] = [31] 21 5 Q19 6 Q18 [31] = [31] 22 9 Q21 Q19 N[28] [28] = [28] [31] = [31] 23 13 Q22 6 Q21 , Q22 Q21 24 3 H[28],N[31]