Full Key-Recovery Attacks on HMAC/NMAC

Full Key-Recovery Attacks on HMAC/NMAC

Full Key-Recovery attack on HMAC-MD4 G. Leurent Full Key-Recovery Attacks on Introduction HMAC/NMAC-MD4 and NMAC-MD5 MD4 HMAC and NMAC Previous work Wang’s attack NMAC attack Pierre-Alain Fouque, Gaëtan Leurent, Phong Nguyen New ideas IV-dependent paths Message pairs Laboratoire d’Informatique de l’École Normale Supérieure Differential paths Extracting more Conclusion CRYPTO 2007 1/ 26 Full Key-Recovery What is a MAC algorithm? attack on HMAC-MD4 G. Leurent Introduction M MD4 HMAC and NMAC Previous work Wang’s attack NMAC attack New ideas IV-dependent paths Message pairs Differential paths Extracting more Conclusion ◮ Alice wants to send a message to Bob ◮ But Charlie has access to the communication channel ◮ Alice and Bob share a secret key k... ◮ ...and use a MAC algorithm. ◮ Bob rejects the message if MACk(M) 6= t 2/ 26 Full Key-Recovery What is a MAC algorithm? attack on HMAC-MD4 G. Leurent Introduction M MD4 HMAC and NMAC Previous work Wang’s attack NMAC attack New ideas IV-dependent paths Message pairs Differential paths Extracting more Conclusion ◮ Alice wants to send a message to Bob ◮ But Charlie has access to the communication channel ◮ Alice and Bob share a secret key k... ◮ ...and use a MAC algorithm. ◮ Bob rejects the message if MACk(M) 6= t 2/ 26 Full Key-Recovery What is a MAC algorithm? attack on HMAC-MD4 G. Leurent Introduction M MD4 HMAC and NMAC Previous work Wang’s attack NMAC attack New ideas k k IV-dependent paths Message pairs Differential paths Extracting more Conclusion ◮ Alice wants to send a message to Bob ◮ But Charlie has access to the communication channel ◮ Alice and Bob share a secret key k... ◮ ...and use a MAC algorithm. ◮ Bob rejects the message if MACk(M) 6= t 2/ 26 Full Key-Recovery What is a MAC algorithm? attack on HMAC-MD4 G. Leurent Introduction M, t MD4 HMAC and NMAC Previous work Wang’s attack NMAC attack New ideas k k IV-dependent paths Message pairs Differential paths t = MACk(M) Extracting more Conclusion ◮ Alice wants to send a message to Bob ◮ But Charlie has access to the communication channel ◮ Alice and Bob share a secret key k... ◮ ...and use a MAC algorithm. ◮ Bob rejects the message if MACk(M) 6= t 2/ 26 Full Key-Recovery What is a MAC algorithm? attack on HMAC-MD4 G. Leurent Introduction M, t MD4 HMAC and NMAC Previous work Wang’s attack NMAC attack New ideas k k IV-dependent paths Message pairs ? Differential paths t = MACk(M) t = MACk(M) Extracting more Conclusion ◮ Alice wants to send a message to Bob ◮ But Charlie has access to the communication channel ◮ Alice and Bob share a secret key k... ◮ ...and use a MAC algorithm. ◮ Bob rejects the message if MACk(M) 6= t 2/ 26 Full Key-Recovery MAC security attack on HMAC-MD4 A MAC (Message Authentication Code) should provide G. Leurent authentication and integrity protection. Introduction MD4 HMAC and NMAC Previous work MAC security notions: chosen message attacks Wang’s attack NMAC attack The adversary has access to an oracle M 7→ MACk(M). New ideas He must compute a new MAC for: IV-dependent paths Message pairs ◮ Differential paths One message of his choice: existential forgery. Extracting more ◮ Any message: universal forgery. Conclusion One very popular MAC (ANSI, IETF, ISO, NIST), HMAC is based on a hash function. Topic of the talk Can we use the attacks on MD4 or MD5 to break HMAC? 3/ 26 Full Key-Recovery Known attacks on MD hash functions attack on HMAC-MD4 G. Leurent M1 Introduction MD4 IV h HMAC and NMAC Previous work M2 Wang’s attack NMAC attack New ideas ◮ Collision attacks: IV-dependent paths Message pairs generate M1, M2: H(M1)= H(M2) Differential paths ◮ 1 27 63 Extracting more MD4 in 2 , MD5 in 2 , SHA-1 in 2 ◮ Conclusion Colliding blocks look random ◮ Limited impact: commitment ◮ Add a prefix and a suffix, hide the randomness ◮ Partial freedom in the colliding blocks ◮ Chosen prefix collisions: given P1, P2 generate M1, M2: H(P1||M1)= H(P2||M2) 4/ 26 Full Key-Recovery Known attacks on MD hash functions attack on HMAC-MD4 G. Leurent M1 Introduction MD4 HMAC and NMAC Previous work M2 Wang’s attack NMAC attack New ideas ◮ Collision attacks: IV-dependent paths Message pairs generate M1, M2: H(M1)= H(M2) Differential paths Extracting more ◮ Add a prefix and a suffix, hide the randomness Conclusion ◮ Include two documents, use the collision as a switch ◮ Signature by a third party ◮ Fraud is detectable ◮ Partial freedom in the colliding blocks ◮ Chosen prefix collisions: given P1, P2 generate M1, M2: H(P1||M1)= H(P2||M2) 4/ 26 Full Key-Recovery Known attacks on MD hash functions attack on HMAC-MD4 G. Leurent M1 Introduction MD4 HMAC and NMAC Previous work M2 Wang’s attack NMAC attack New ideas ◮ Collision attacks: IV-dependent paths Message pairs generate M1, M2: H(M1)= H(M2) Differential paths Extracting more ◮ Add a prefix and a suffix, hide the randomness Conclusion ◮ Partial freedom in the colliding blocks ◮ Weak challenge-response authentication: APOP ◮ Chosen prefix collisions: given P1, P2 generate M1, M2: H(P1||M1)= H(P2||M2) 4/ 26 Full Key-Recovery Known attacks on MD hash functions attack on HMAC-MD4 G. Leurent P1 M1 Introduction MD4 HMAC and NMAC Previous work P2 M2 Wang’s attack NMAC attack New ideas ◮ Collision attacks: IV-dependent paths Message pairs generate M1, M2: H(M1)= H(M2) Differential paths Extracting more ◮ Add a prefix and a suffix, hide the randomness Conclusion ◮ Partial freedom in the colliding blocks ◮ Chosen prefix collisions: given P1, P2 generate M1, M2: H(P1||M1)= H(P2||M2) ◮ Colliding certificates with different names. 4/ 26 Full Key-Recovery MD family status attack on HMAC-MD4 G. Leurent Current status Introduction Collision-resistance is seriously broken, MD4 HMAC and NMAC but for most constructions, no real attacks are known: Previous work ◮ Key derivation Wang’s attack ◮ NMAC attack Peer authentication ◮ New ideas HMAC IV-dependent paths ◮ ... Message pairs Differential paths Extracting more Conclusion More in-depth study and improvement of Wang’s attack are needed. Our results on MD4 ◮ We adapted Wang’s attack to HMAC/NMAC. ◮ Universal forgery attack with 288 data and 295 CPU. 5/ 26 Full Key-Recovery MD family status attack on HMAC-MD4 G. Leurent Current status Introduction Collision-resistance is seriously broken, MD4 HMAC and NMAC but for most constructions, no real attacks are known: Previous work ◮ Key derivation Wang’s attack ◮ NMAC attack Peer authentication ◮ New ideas HMAC IV-dependent paths ◮ ... Message pairs Differential paths Extracting more Conclusion More in-depth study and improvement of Wang’s attack are needed. Our results on MD4 ◮ We adapted Wang’s attack to HMAC/NMAC. ◮ Universal forgery attack with 288 data and 295 CPU. 5/ 26 Full Key-Recovery Outline attack on HMAC-MD4 G. Leurent Introduction Introduction The MD4 hash function MD4 HMAC and NMAC HMAC and NMAC Previous work Wang’s attack NMAC attack Previous work New ideas Wang’s attack IV-dependent paths Message pairs Contini-Yin NMAC attack Differential paths Extracting more Conclusion New ideas IV-dependent differential path Efficient computation of message pairs Differential paths Extracting more key bits Conclusion 6/ 26 Full Key-Recovery The MD4 hash function attack on HMAC-MD4 General design G. Leurent ◮ Introduction Merkle-Damgård: Hi = F(Mi , Hi−1) MD4 HMAC and NMAC M Previous work Wang’s attack NMAC attack New ideas M0 M1 M2 M3 IV-dependent paths Message pairs Differential paths Extracting more F F F F D Conclusion IV H0 H1 H2 H3 h(M) m ◮ Davies-Meyer with i a Feistel-like cipher. Hi−1 H C i 7/ 26 Full Key-Recovery The MD4 compression function attack on HMAC-MD4 Step update G. Leurent Introduction Qi−4 Qi−3 Qi−2 Qi−1 MD4 HMAC and NMAC Φi Previous work Wang’s attack NMAC attack mi New ideas IV-dependent paths Message pairs ki Differential paths ≪ Extracting more si Conclusion Qi−3 Qi−2 Qi−1 Qi ◮ ⊞ ⊞ ⊞ ≪ Qi = (Qi−4 Φi(Qi−1, Qi−2, Qi−3) mi ki) si ◮ In: Q−4||Q−1||Q−2||Q−3 ◮ ⊞ ⊞ ⊞ ⊞ Out: Q−4 Q44||Q−1 Q47||Q−2 Q46||Q−3 Q45 8/ 26 Full Key-Recovery NMAC description attack on HMAC-MD4 G. Leurent M0 ...Mi... Mk Introduction MD4 HMAC and NMAC k2 Previous work Wang’s attack NMAC attack Hk (M) New ideas 2 IV-dependent paths Message pairs Differential paths Extracting more Conclusion k1 MAC ◮ NMAC (M)= H (H (M)) k1,k2 k1 k2 ◮ Keyed hash function Hk: replace the IV by the key. ◮ Prevents offline collision search and extension attacks. 9/ 26 Full Key-Recovery HMAC description attack on HMAC-MD4 ◮ ¯ ¯ G. Leurent HMACk(M)= H(k ⊕ opad ||H(k ⊕ ipad ||M)) ◮ Introduction opad and ipad are 1-block constants MD4 ◮ k¯ is k padded to one block HMAC and NMAC Previous work ◮ No need to key the hash function. Wang’s attack NMAC attack ◮ New ideas HMACk ≈ NMAC ¯⊕ ¯⊕ IV-dependent paths H(k opad),H(k ipad) Message pairs ◮ Differential paths HMAC security is equivalent to NMAC security. Extracting more Conclusion HMAC/NMAC security proof If the compression function F is secure as a PRF then HMAC/NMAC is: ◮ secure against existential forgery up to 2n/2 ◮ secure against universal forgery up to 2n 10/ 26 Full Key-Recovery Outline attack on HMAC-MD4 G. Leurent Introduction Introduction The MD4 hash function MD4 HMAC and NMAC HMAC and NMAC Previous work Wang’s attack NMAC attack Previous work New ideas Wang’s attack IV-dependent paths Message pairs Contini-Yin NMAC attack Differential paths Extracting more Conclusion New ideas IV-dependent differential path Efficient computation of message pairs Differential paths Extracting more key bits Conclusion 11/ 26 Full Key-Recovery MD4 Collisions: Wang’s attack attack on HMAC-MD4 G.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    50 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us