
New Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5
Lei Wang, Kazuo Ohta and Noboru Kunihiro*
The University of Electro-Communications
* The University of Tokyo at present.

1 Motivation of This Research
• HMAC has been widely applied in many protocols, including SSL, TLS, SSH, IPsec and so on.
• NMAC is the theoretical foundation of HMAC: attacks on NMAC (without a related-key setting) can be applied to HMAC. In this presentation we pick NMAC as the example.

2 Structure of NMAC
[Figure: M enters the inner hash H keyed by k2; its output enters the outer hash H keyed by k1, which produces the NMAC value.]
M: message; k1: the outer key; k2: the inner key. The corresponding hash functions are called the inner and outer hash functions.
One structural weakness of NMAC based on iterated hash functions: k1 and k2 can be recovered separately.

3 General Key-Recovery Attacks on NMAC
• Proposed by Preneel and van Oorschot in 1999.
• Crucial idea: generate a collision in the inner hash function by the birthday attack.
[Figure: the pair M, M' passes through H keyed by k2 and then H keyed by k1; the collision is located in the inner hash.]
1. Obtain one pair of messages (M, M') that cause a collision of NMAC.
2. Randomly generate r and check whether (M||r, M'||r) collide. If they do not collide, repeat steps 1 and 2.
(A pair that collides in the inner hash keeps colliding for every suffix r; a pair that collides only in the outer hash does not, which is what step 2 detects.)

4 General Key-Recovery Attacks on NMAC (continued)
To recover k2:
1. Guess the value of k2.
2. Check whether the guessed k2 makes (M, M') cause the inner collision.

5 General Key-Recovery Attacks on NMAC (continued)
To recover k1 after k2 has been recovered:
1. Guess the value of k1.
2. Check whether NMAC(M) computed with the guessed k1 (and the recovered k2) equals the original value.
6 Security Boundary of NMAC
Suppose the bit-length of the hash value and of the secret keys is n.
• Whatever H is, one collision can be found with 2^(n/2) queries with a high probability using the birthday attack.
• If the underlying hash function is weak, a more powerful key-recovery attack is possible.
Both secret keys of NMAC can be recovered with 2^(n/2) online queries and 2^(n+1) offline computations.

7 Key-Recovery Attacks on NMAC
Wang et al. revealed weaknesses of several hash functions from the MD4 family, which led to key-recovery attacks on NMAC based on specific weak hash functions:
• At Asiacrypt 2006, Contini and Yin proposed inner-key recovery attacks on NMAC instantiated with MD4, MD5 and SHA-1.
• At Crypto 2007, Fouque, Leurent and Nguyen proposed full-key recovery attacks on NMAC-MD4 and NMAC-MD5.
• At Financial Cryptography 2007, Rechberger and Rijmen proposed full-key recovery attacks on NMAC-MD5 and NMAC-SHA-1.

8 Key-Recovery Attacks on NMAC (continued)
The same three results, marked "Related to our research."

9 Framework of Key-Recovery Attacks
1. Online work: the secret key is partially recovered by online queries.
2. Offline work: the remaining part of the secret key is recovered by exhaustive search.
The online work is the theoretically interesting part; in this presentation we only focus on the online work.

10 Previous Outer-Key Recovery Attack
Previous outer-key recovery attacks on HMAC/NMAC-MD4 and NMAC-MD5:
[Figure: NMAC with two marked points; point 1 is the output of the inner hash keyed by k2 (the input of the outer hash keyed by k1), point 2 is the NMAC value.]
• Point 1: the value is known based on the knowledge of k2.
• Point 2: detect whether a collision happens.
MD4: set conditions on k1 for the collision attack. If a collision happens within the expected number of pair queries, k1 satisfies the conditions; otherwise, k1 does not satisfy the conditions.

11 Previous Outer-Key Recovery Attack (continued)
MD5: recover the internal states in the outer MD5, and then compute k1 backwards from them. The value at point 1 is modified to set conditions on the internal states. If a collision happens within the expected number of queries, the internal states satisfy the conditions.

12 Analysis of Previous Work
The outer-key recovery attack is much more expensive than the inner-key recovery attack.
Main reason: control ability and freedom are lost at point 1.
• MD4: a pre-determined pair difference has to be generated at point 1.
• MD5: partially pre-fixed pair values have to be generated while modifying the inner hash values.
We will reduce the complexity for these two cases!

13 Advantages of Our Attack (MD4)
HMAC/NMAC-MD4:
• Previous work: Point 1: generate a pre-determined pair difference. Differential attack: real collision.
• Our work: Point 1: the same as previous work. Differential attack: near-collision attack, which reduces the complexity, since generating one near-collision needs fewer pair queries. Moreover, it can recover more bit values.

14 Advantages of Our Attack (MD4)
                      [FLN 07]   Our Work
  Online complexity   2^88       2^72
  #bits by online     22         51
  Offline complexity  2^95       2^77
  Total complexity    2^95       2^77
HMAC/NMAC-MD4: both online and offline complexities have been improved.

15 Advantages of Our Attack (MD5)
NMAC-MD5:
• Previous work: Point 1: generate partially pre-fixed values (the number of pre-fixed values increases with the number of recovered bits). Differential attack: real collision (FLN work), near-collision (RR work).
• Our work: Point 1: not necessary (online work).
k1 can be recovered partially without the knowledge of k2 at all. Differential attack: near-collision.

16 Advantages of Our Attack (MD5) (continued)
• Previous work: the complexity becomes higher than the exhaustive search to recover the remaining bits once 28 bits have been recovered.
• Our work: up to 53 bits can be recovered.

17 Usage of Near-Collision Attacks
At Financial Cryptography 2007, Rechberger and Rijmen utilized near-collisions on MD5 to recover the outer key of NMAC-MD5, which might be the first usage of near-collisions to attack HMAC and NMAC.

18 Advantages of Our Attack (MD5)
                      [FLN 07]   [RR 07]   Our Work
  Online complexity   2^51                 2^75
  #bits by online     28                   53
  Offline complexity  2^100                2^75
  Total complexity    2^100                2^76
NMAC-MD5: more bit values can be recovered by online work. The outer key can be partially recovered without the knowledge of the inner key.

19 One Novelty of Our Attack
A new approach to the key-recovery technique: utilizing the feed-forward operation.
The inner hash value after padding is only one block.
[Figure: Merkle-Damgard iteration of the outer hash: IV -> CF(M0) -> CF(M1) -> ... -> CF(Mn). CF: compression function.]

20 One Novelty of Our Attack (continued)
[Figure: h_in (the padded inner hash value, a single block) and k1 enter one CF, whose output is the NMAC value.]

21 CFs of MD4 and MD5
E denotes the n-step state-updating function: n is 64 for MD5 and 48 for MD4.
CF(k1, h_in) = E(k1, h_in) + k1 = NMAC value, where "+" is the feed-forward addition of the chaining value k1 to the output of E.
We will obtain the output of E, then recover k1.

22 Our Outer-Key Recovery Attacks on HMAC/NMAC-MD4
We will omit the description of the NMAC-MD5 case because of limited time.

23 Procedure of Our Attack
1. Obtain the output of E in the outer MD4 (h_in and k1 enter E; the feed-forward adds k1 to give the NMAC value).

24 Obtain Output of E for MD4 Case
1. Determine the message difference and the differential path for the near-collision attack.
Model of the near-collision attack:
• Local collisions.
• The other differences only exist in the last several steps.

25 Our Near-Collision on MD4
• Message difference: Δm3 = 2^i.
• Differential path: the local collision from step 1 until step 29; the other differences only exist in the last 4 steps of the third round.

26 3R of MD4
[Figure: the third round of MD4, steps 33 to 48, from state (a32, b32, c32, d32) to (a48, b48, c48, d48), with the Boolean function f at each step. Message words enter in the order m0, m8, m4, m12; m2, m10, m6, m14; m1, m9, m5, m13; m3, m11, m7, m15, with rotation amounts <<<3, <<<9, <<<11, <<<15. The local collision region is marked; the difference 2^i enters with m3 at step 45.]

27 Obtain Output of E for MD4 Case 1.
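The following Python is an added example, not code from the slides or from the authors: it implements MD4 with its compression function split into the 48-step update E and the feed-forward addition (slide 21), builds NMAC-MD4 and HMAC-MD4 on it, and checks the four structural facts the attack rests on. First, HMAC-MD4 is NMAC-MD4 with k2 = CF(IV, K xor ipad) and k1 = CF(IV, K xor opad), which is why an NMAC attack without related keys transfers to HMAC (slide 1); the one caveat is that MD4's length field must then count the 512-bit key block, handled by the prefix_bits parameter. Second, the padded inner hash value is exactly one outer block (slide 20). Third, once the output of E in the outer MD4 is known, k1 is obtained by word-wise modular subtraction from the NMAC value with no search at all; obtaining that output is the hard part that the near-collision attack performs, and simulate_final_step simply assumes it is known and computes it with the real k1. Fourth, the MD4 schedule uses m3 at steps 4, 29 and 45, which is why a difference Δm3 gives a local collision closing at step 29 and further differences only in the last four steps (slides 25 and 26). The key and messages are constructed test values.

```python
# Added example (not from the slides): MD4 with compression = E + feed-forward,
# NMAC-MD4 / HMAC-MD4 on top of it, and the slide-21 step k1 = NMAC value - E output.
# Keys and messages used here are constructed test values.
import struct

MASK = 0xFFFFFFFF
MD4_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)  # RFC 1320 initial value
# Message-word index used at each of the 48 steps, per round (RFC 1320).
MD4_SCHEDULE = (
    tuple(range(16)),
    (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15),
    (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15),
)
MD4_SHIFTS = ((3, 7, 11, 19), (3, 5, 9, 13), (3, 9, 11, 15))
MD4_CONSTS = (0, 0x5A827999, 0x6ED9EBA1)


def _rotl(x, s):
    return ((x << s) | (x >> (32 - s))) & MASK


def md4_E(cv, block):
    """The 48-step state update E of slide 21: the state *before* the feed-forward."""
    x = struct.unpack("<16I", block)
    a, b, c, d = cv
    for rnd in range(3):
        for i in range(16):
            if rnd == 0:
                f = (b & c) | (~b & d)
            elif rnd == 1:
                f = (b & c) | (b & d) | (c & d)
            else:
                f = b ^ c ^ d
            a = _rotl((a + f + x[MD4_SCHEDULE[rnd][i]] + MD4_CONSTS[rnd]) & MASK,
                      MD4_SHIFTS[rnd][i % 4])
            a, b, c, d = d, a, b, c  # registers rotate; after 48 steps they are back in order
    return (a, b, c, d)


def md4_CF(cv, block):
    """MD4 compression function: E followed by word-wise addition of the chaining value."""
    e = md4_E(cv, block)
    return tuple((e[i] + cv[i]) & MASK for i in range(4))


def md4_hash(cv, msg, prefix_bits=0):
    """Iterate md4_CF from chaining value cv over msg with Merkle-Damgard padding.
    prefix_bits = bits already absorbed into cv (512 for an HMAC key block); the
    length field must count them, the one detail separating HMAC from plain NMAC."""
    bitlen = prefix_bits + 8 * len(msg)
    padded = msg + b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack("<Q", bitlen)
    for off in range(0, len(padded), 64):
        cv = md4_CF(cv, padded[off:off + 64])
    return cv


def md4(msg):
    return struct.pack("<4I", *md4_hash(MD4_IV, msg))


def nmac_md4(k1, k2, msg, prefix_bits=0):
    """NMAC-MD4 (slide 2): outer MD4 keyed by k1 over the inner MD4 keyed by k2."""
    h_in = struct.pack("<4I", *md4_hash(k2, msg, prefix_bits))
    return struct.pack("<4I", *md4_hash(k1, h_in, prefix_bits))


def hmac_md4(key, msg):
    """Textbook HMAC-MD4 from the definition (key assumed to be at most 64 bytes)."""
    key = key.ljust(64, b"\x00")
    ipad = bytes(k ^ 0x36 for k in key)
    opad = bytes(k ^ 0x5C for k in key)
    return md4(opad + md4(ipad + msg))


def hmac_to_nmac_keys(key):
    """Keys under which HMAC-MD4 equals NMAC-MD4: k2 = CF(IV, K^ipad), k1 = CF(IV, K^opad)."""
    key = key.ljust(64, b"\x00")
    k2 = md4_CF(MD4_IV, bytes(k ^ 0x36 for k in key))
    k1 = md4_CF(MD4_IV, bytes(k ^ 0x5C for k in key))
    return k1, k2


def recover_k1_from_E(e_out, tag):
    """Slide 21: tag = E(k1, h_in) + k1 per 32-bit word, hence k1 = tag - E output."""
    t = struct.unpack("<4I", tag)
    return tuple((t[i] - e_out[i]) & MASK for i in range(4))


def simulate_final_step(k1, k2, msg):
    """Assume the output of E in the outer MD4 is known (the slides obtain it by the
    near-collision attack; here it is computed with the real k1, an assumption of this
    example) and show that k1 then follows with no search."""
    h_in = struct.pack("<4I", *md4_hash(k2, msg))
    outer_block = h_in + b"\x80" + b"\x00" * 39 + struct.pack("<Q", 128)  # slide 20: one block
    e_out = md4_E(k1, outer_block)
    return recover_k1_from_E(e_out, nmac_md4(k1, k2, msg))


def md4_steps_using_word(k):
    """1-indexed MD4 steps whose message word is m_k (slide 25: m3 at steps 4, 29, 45)."""
    return [16 * rnd + i + 1 for rnd in range(3) for i in range(16)
            if MD4_SCHEDULE[rnd][i] == k]
```

md4() can be checked against the RFC 1320 vectors (MD4("abc") = a448017aaf21d8525fc10ae87aa6729d) before trusting the rest; hmac_md4(key, m) equals nmac_md4(k1, k2, m, 512) for the keys from hmac_to_nmac_keys, and simulate_final_step returns k1 exactly, which is the whole point of targeting the state before the feed-forward rather than the tag itself.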