Exploiting an HMAC-SHA-1 Optimization to Speed up PBKDF2⋆

Andrea Visconti and Federico Gorla
Department of Computer Science "Giovanni degli Antoni", Università degli Studi di Milano
http://www.di.unimi.it/visconti

Abstract. PBKDF2 [27] is a well-known password-based key derivation function. In order to slow attackers down, PBKDF2 introduces CPU-intensive operations based on an iterated pseudorandom function (in our case HMAC-SHA-1). If we are able to speed up a SHA-1 or an HMAC implementation, we are able to speed up PBKDF2-HMAC-SHA-1. This means that a performance improvement might be exploited by regular users and attackers alike. Interestingly, FIPS 198-1 [31] suggests that the first message block of a keyed hash function can be precomputed only once, stored, and reused each time it is needed [43]. Therefore the computation of the first message block does not contribute to slowing attackers down, which makes the computation of the second message block crucial. In this paper we focus on the latter, investigating the possibility of avoiding part of the HMAC-SHA-1 operations. We show that some CPU-intensive operations may be replaced with a set of equivalent, but less onerous, instructions. We identify useless XOR operations by exploiting and extending Intel optimizations [26] and applying the Boyar-Peralta heuristic [12]. In addition, we provide an alternative method to compute the SHA-1 message scheduling function and explain why attackers might exploit these findings to speed up a brute force attack.

Keywords: HMAC-SHA-1, Password-Based Key Derivation Function 2, PKCS#5, Intel optimizations, Boyar-Peralta heuristic

1 Introduction

When faced with the problem of accessing a protected resource, many applications ultimately rely on the knowledge of one or more secrets. Such secrets are commonly passwords or passphrases, which can lead to a number of security issues.
Firstly, giving the user the choice of selecting the secret to be used usually results in a very "humanly predictable" secret being chosen. The user will most likely choose a short, easy-to-remember passphrase, which might undermine the security of the system to be protected [14], [39], [7], [19]. Secondly, password-based authentication can often be effectively attacked by employing techniques such as exhaustive search and dictionary attacks.

⋆ An improved version of this paper, A. Visconti and F. Gorla, "Exploiting an HMAC-SHA-1 optimization to speed up PBKDF2," appeared in IEEE Transactions on Dependable and Secure Computing, doi: 10.1109/TDSC.2018.2878697.

In order to avoid the direct use of user-chosen passwords as keys to cryptographic systems, a number of approaches have been developed. In particular, we are interested in password-based Key Derivation Functions, a set of algorithms which take a user-chosen password as input and provide a stream of pseudorandom bits with enough entropy and an adequate length to be used as a key in real-world applications. Password-based KDFs introduce CPU/memory-intensive operations which prevent, or make less feasible, dictionary and brute force attacks. At the same time, such operations are not so expensive as to become a burden for a regular user. In 2013, a Password Hashing Competition (PHC) [1] was held to develop a number of resistant password-based key derivation functions. PHC selected a winner (Argon2 [6]) and gave a special recognition to four algorithms (Catena [18], Lyra2 [40], yescrypt [34] and Makwa [35]). Although Argon2 is expected to be the password-based KDF of the coming years, currently one of the most widely used functions is PBKDF2 [37].
Described by RSA Labs in PKCS#5 [37], PBKDF2 has been implemented in several real-world applications such as WPA/WPA2 [25], 1Password [2], Keeper [28], LUKS [20], [9], LastPass [30], Codebook [16], GRUB2 [24], the RAR archive format [36], FileVault on Mac OS X [3], [15], Android's full disk encryption (from version 3.0 Honeycomb to 4.3 Jelly Bean), and many others. PBKDF2 uses a salt to prevent the construction of universal (precomputed) dictionaries, and an iteration count to tune the tradeoff between the slowness of the key derivation process as perceived by the user and resistance to brute force attacks [42].

Most of the PBKDF2 computations are performed by a pseudorandom function, and in this paper we focus on HMAC-SHA-1. Notice that not all the applications previously mentioned use PBKDF2-HMAC-SHA-1 by default. For example, 1Password (Agile Keychain format) [23] does, while 1Password (OPVault format) [22] does not. Cryptsetup version 1.6.8 (and earlier) does, while versions 1.7.0–1.7.5 do not and the hash function used is SHA-256 [13]. RAR (prior to version 5) does, while versions 5.00–5.50 do not and the pseudorandom function is HMAC-SHA-256 [36]. GRUB2 [24] implements PBKDF2-HMAC-SHA512, while Codebook [16] uses PBKDF2-HMAC-SHA-1.

If we are able to speed up SHA-1 or HMAC-SHA-1, we are able to speed up PBKDF2. Interestingly, when the HMAC function is implemented without the performance improvement described in [29] and [31] (computing the first message block of the inner and outer hash only once per key and storing the resulting states), an attacker who does apply it avoids 50% of the CPU-intensive operations PBKDF2 involves in the key derivation process. Moreover, as described in [41], [43] and [38], other critical flaws might be exploited, thus further reducing the total number of CPU-intensive operations to be performed for computing a key. Therefore, the only way to maintain security is to increase the number of computations through the iteration count parameter of PBKDF2.

Fig. 1. A graphical representation of HMAC-SHA-1
In this paper, we describe an HMAC-SHA-1 optimization which can be used to speed up PBKDF2. Focusing on the computation of the second message block of HMAC-SHA-1, we investigate the possibility of avoiding part of the CPU-intensive operations by executing a set of equivalent, but less onerous, instructions. By doing so, we identify useless XOR operations, exploiting and extending Intel optimizations [26] and applying the Boyar-Peralta heuristic [12]. In addition, we provide an alternative method to compute the SHA-1 message scheduling function and explain why attackers might exploit these findings to speed up a brute force attack against PBKDF2-HMAC-SHA-1.

The remainder of this paper is organized as follows. In Section 2 we briefly introduce the Hash-based Message Authentication Code (HMAC) algorithm, referring in particular to HMAC-SHA-1. Password-Based Key Derivation Function version 2 (PBKDF2) is described in Section 3. In Section 4 we present the original contribution of this paper, showing how performance improvements of SHA-1 and HMAC-SHA-1 might be exploited to speed up PBKDF2-HMAC-SHA-1. Finally, discussion and concluding remarks are drawn in Section 5.

2 HMAC-SHA-1

A Hash-based Message Authentication Code is an algorithm for computing a message authentication code based on any iterated cryptographic hash function. The definition of HMAC [29] requires
– H: a cryptographic hash function;
– K: the secret key;
– text: the message to be authenticated.
As described in RFC 2104 [29], an HMAC can be defined as follows:

$\mathrm{HMAC} = H\big((K \oplus \mathit{opad}) \,\|\, H((K \oplus \mathit{ipad}) \,\|\, \mathit{text})\big)$   (1)

where H is the chosen hash function, K is the secret key (padded with zero bytes to the 64-byte block size of SHA-1, or hashed first if longer), ⊕ is the exclusive OR, $\|$ is concatenation, and ipad, opad are constant values, respectively the byte 0x36 and the byte 0x5C repeated 64 times.
In order to better understand Equation 1, we can expand it in the form:

$h = H\big((K \oplus \mathit{ipad}) \,\|\, \mathit{text}\big)$
$\mathrm{HMAC} = H\big((K \oplus \mathit{opad}) \,\|\, h\big)$

In this paper we will refer to HMAC-SHA-1, which is the default as per [37]. Therefore Equation 1 can be graphically represented as in Figure 1. Readers who are not familiar with SHA-1 may find a detailed description of the algorithm in [32] and [17]. However, it is worth recalling some basic concepts:
– SHA-1 [32] processes blocks of 512 bits, i.e., sixteen 32-bit words $W_0, \ldots, W_{15}$;
– it iterates for 80 rounds in order to produce a 160-bit message digest;
– the original message is padded with a single 1 bit followed by zero or more 0 bits, so that its length is congruent to 448 modulo 512; and
– the last 64 bits of the last 512-bit block represent the message length L in bits.
In addition, the SHA-1 algorithm uses the following message scheduling function to expand $W_0, \ldots, W_{15}$ into eighty words:

$W[i] = \mathrm{ROTL}^{1}\big(W[i-3] \oplus W[i-8] \oplus W[i-14] \oplus W[i-16]\big), \quad i \in [16 \ldots 79]$   (2)

This function requires storing eighty 32-bit words; therefore, if memory is limited, an alternative method should be adopted. In [32], NIST suggests regarding $W_0, \ldots, W_{15}$ as a circular queue and replacing Equation 2 with the following:

$s = i \wedge \mathrm{MASK}, \quad i \in [16 \ldots 79]$
$W[s] \leftarrow \mathrm{ROTL}^{1}\big(W[s] \oplus W[(s+2) \wedge \mathrm{MASK}] \oplus W[(s+8) \wedge \mathrm{MASK}] \oplus W[(s+13) \wedge \mathrm{MASK}]\big)$   (3)

where MASK is set to the value 0000000f (in hex), so that the bitwise AND performs arithmetic modulo 16: at step i the slot $s$ still holds $W[i-16]$, and the slots $s+2$, $s+8$ and $s+13$ hold $W[i-14]$, $W[i-8]$ and $W[i-3]$ respectively, exactly the operands of Equation 2. This equation requires only sixteen words, thus saving sixty-four 32-bit words of storage.

3 PBKDF version 2

Password Based Key Derivation Function version 2, PBKDF2 for short, is a key derivation function published by RSA Laboratories in PKCS #5 [37]. In order to resist brute force attacks based on weak user passwords, PBKDF2 introduces CPU-intensive operations. Such operations are based on an iterated pseudorandom function which maps input values to a derived key.
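The constructions of Sections 2 and 3, put together as an added example that is not part of the paper: a from-scratch SHA-1 whose message schedule can be switched between Equation 2 and the circular queue of Equation 3, HMAC-SHA-1 per Equation 1 with the FIPS 198-1 precomputation of the K ⊕ ipad and K ⊕ opad chaining states that the introduction relies on, and PBKDF2 on top of it. PBKDF2 itself follows PKCS #5 (RFC 8018), which Section 3 only summarizes. The function names, the COUNTER instrumentation and the sample password and salt are this example's own choices; the hmac/hashlib reference is used only to cross-check the result.

```python
# Added example (not the paper's code): SHA-1 with both FIPS 180-4 message schedules
# (Equation 2 and the 16-word circular queue of Equation 3), HMAC-SHA-1 with the FIPS
# 198-1 precomputation of the K^ipad / K^opad states, and PBKDF2 (PKCS #5 / RFC 8018).
import hashlib
import hmac
import struct

MASK = 0x0000000F  # circular-queue mask: index arithmetic modulo 16
_M32 = 0xFFFFFFFF
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)
COUNTER = {"compress": 0}  # instrumentation: number of 512-bit block compressions

def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _M32

def schedule_full(words):
    """Equation 2: expand W[0..15] into eighty stored words."""
    w = list(words)
    for i in range(16, 80):
        w.append(rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    return w

def schedule_queue(words):
    """Equation 3: the same eighty W_t, in order, from a 16-word circular queue."""
    w = list(words)
    for t in range(80):
        s = t & MASK
        if t >= 16:
            w[s] = rotl(w[s] ^ w[(s + 2) & MASK] ^ w[(s + 8) & MASK]
                        ^ w[(s + 13) & MASK], 1)
        yield w[s]

def sha1_compress(state, block, schedule=schedule_full):
    """One 512-bit block through the 80 SHA-1 rounds (FIPS 180-4, section 6.1.2)."""
    COUNTER["compress"] += 1
    a, b, c, d, e = state
    for t, w in enumerate(schedule(struct.unpack(">16I", block))):
        if t < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif t < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif t < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        a, b, c, d, e = (rotl(a, 5) + (f & _M32) + e + k + w) & _M32, a, rotl(b, 30), c, d
    return tuple((x + y) & _M32 for x, y in zip(state, (a, b, c, d, e)))

def sha1_finish(state, tail, total_len, schedule=schedule_full):
    """Pad and absorb `tail` from a midstate that already absorbed total_len - len(tail) bytes."""
    data = (tail + b"\x80" + b"\x00" * ((55 - len(tail)) % 64)
            + struct.pack(">Q", total_len * 8))
    for i in range(0, len(data), 64):
        state = sha1_compress(state, data[i:i + 64], schedule)
    return struct.pack(">5I", *state)

def sha1(msg, schedule=schedule_full):
    return sha1_finish(IV, msg, len(msg), schedule)

def hmac_precompute(key):
    """FIPS 198-1: absorb K^ipad and K^opad once; two compressions paid per key, not per call."""
    if len(key) > 64:
        key = sha1(key)
    key = key.ljust(64, b"\x00")
    return (sha1_compress(IV, bytes(k ^ 0x36 for k in key)),
            sha1_compress(IV, bytes(k ^ 0x5C for k in key)))

def hmac_sha1(ctx, text):
    """Equation 1 from the stored states: only each hash's second message block is computed."""
    inner, outer = ctx
    h = sha1_finish(inner, text, 64 + len(text))  # h = H(K^ipad || text)
    return sha1_finish(outer, h, 64 + 20)         # H(K^opad || h)

def pbkdf2_hmac_sha1(password, salt, iterations, dklen):
    """PBKDF2: T_i = U_1 ^ ... ^ U_c, U_1 = PRF(P, S || INT(i)), U_j = PRF(P, U_{j-1})."""
    ctx = hmac_precompute(password)
    out, i = b"", 1
    while len(out) < dklen:
        u = t = hmac_sha1(ctx, salt + struct.pack(">I", i))
        for _ in range(iterations - 1):
            u = hmac_sha1(ctx, u)
            t = bytes(x ^ y for x, y in zip(t, u))
        out += t
        i += 1
    return out[:dklen]

def compressions_for(fn):
    """Return how many SHA-1 block compressions fn() performs."""
    before = COUNTER["compress"]
    fn()
    return COUNTER["compress"] - before

def reference_hmac(key, text):
    return hmac.new(key, text, hashlib.sha1).digest()

if __name__ == "__main__":
    c = 1000  # sample iteration count; password/salt below are constructed inputs
    n = compressions_for(lambda: pbkdf2_hmac_sha1(b"password", b"salt", c, 20))
    print(f"c={c}: {n} compressions with the precomputation, {4 * c} without it")
```

With the two K ⊕ ipad / K ⊕ opad states stored, each PBKDF2 iteration costs exactly two SHA-1 compressions (the text block of the inner hash and the 20-byte digest block of the outer hash), so a derivation with c = 1000 performs 2 + 2c = 2002 compressions against 4c = 4000 for an implementation that recomputes the first block of both hashes every time. A defender whose library does the latter has set its iteration count against a cost the attacker does not pay; the remedy the introduction gives, raising the iteration count, is the only knob left once the first block is free.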
