On the Security of NMAC and Its Variants
Based on the three earlier MAC (Message Authentication Code) construction approaches, we propose and analyze some variants of NMAC. We propose some key recovery attacks against these NMAC variants; for example, we can recover the equivalent inner key of NMAC in about O(2^{n/2}) MAC operations in a related-key setting. We propose NMAC-E, a variant of NMAC with a secret envelope, to achieve more processing efficiency with no loss of security; it needs only one call to the underlying hash function, instead of the two invocations in HMAC.
On the Security of NMAC and Its Variants
We first propose a general equivalent key recovery attack against a -MAC variant NMAC, which is also provably secure, by applying a generalized birthday attack. Our result shows that NMAC, even instantiated with a secure Merkle-Damgård hash function, is not secure. We further show that this equivalent key recovery attack against NMAC is also applicable to NMAC for recovering the equivalent inner key of NMAC in a related-key setting. We propose and analyze a series of NMAC variants with different secret approaches and key distributions, and we find that a variant NMAC-E, with a secret envelope approach, can withstand most of the known attacks in this paper. However, all variants, including NMAC itself, are vulnerable to an on-line birthday attack for verifiable forgery. Hence, the underlying cryptographic hash functions, based on the Merkle-Damgård construction, should be seriously re-evaluated.
Generic Universal Forgery Attack on Iterative Hash-based MACs
In this article, we study the security of iterative hash-based MACs, such as HMAC or NMAC, with regards to universal forgery attacks. Leveraging recent advances in the analysis of functional graphs built from the iteration of HMAC or NMAC, we exhibit the very first generic universal forgery attack against hash-based MACs. In particular, our work implies that the universal forgery resistance of an n-bit output HMAC construction is not 2^n queries as long believed by the community. The techniques we introduce extend the previous functional graphs-based attacks that only took in account the cycle structure or the collision probability: we show that one can extract much more meaningful secret information by also analyzing the distance of a node from the cycle of its component in the functional graph
Cryptanalysis of HMAC/NMAC-Whirlpool
In this paper, we present universal forgery and key recovery attacks on the most popular hash-based MAC constructions, e.g., HMAC and NMAC, instantiated with an AES-like hash function, Whirlpool. These attacks work with Whirlpool reduced to 6 out of 10 rounds in the single-key setting. To the best of our knowledge, this is the first result on "original" key recovery for HMAC (previous works only succeeded in recovering the equivalent keys). Interestingly, the number of attacked rounds is comparable with that for collision and preimage attacks on the Whirlpool hash function itself. Lastly, we present a distinguishing-H attack against the full HMAC- and NMAC-Whirlpool.
Practical Electromagnetic Template Attack on HMAC
The original publication is available at www.springerlink.com. In this paper, we show that HMAC can be attacked using a very efficient side channel attack which reveals the Hamming distance of some registers. After a profiling phase which requires access to a similar device that can be configured by the adversary, the attack recovers the secret key from one recorded execution of HMAC-SHA-1, for example, on an embedded device. We perform experiments using a NIOS processor executed on a Field Programmable Gate Array (FPGA) to confirm the leakage model. Besides the high efficiency of this attack, where is the number of 32-bit words of the key, which we tested experimentally, our results also shed some light on the requirements in terms of side channel attack for the future SHA-3 function. Finally, we show that our attack can also be used to break the confidentiality of network protocols usually implemented on embedded devices.
Breaking -MAC Using Birthday Paradox
-MAC was proposed to increase efficiency over HMAC by omitting its outer key, while keeping the advantages and security of HMAC at the same time. However, as pointed out by the designer, the security of -MAC also depends on the secrecy of the intermediate value (the equivalent key) of the inner hashing. In this paper, we propose an efficient method to break -MAC by using a generalized birthday attack to recover the equivalent key, under the assumption that the underlying hash function is secure (weak collision resistance). We can successfully recover the equivalent key of -MAC in about on-line MAC queries and off-line MAC computations with high probability. Moreover, we can improve the attack efficiency by reducing the on-line MAC queries, which can't be made concurrently. This attack shows that the security of -MAC is totally dependent on the (weak) collision resistance of the underlying hash function, instead of the PRF-AX of the underlying compression function in the original security proof of -MAC.
Generic Related-key Attacks for HMAC
In this article we describe new generic distinguishing and forgery attacks in the related-key scenario (using only a single related-key) for the HMAC construction. When HMAC uses a k-bit key, outputs an n-bit MAC, and is instantiated with an l-bit inner iterative hash function processing m-bit message blocks where m=k, our distinguishing-R attack requires about 2^{n/2} queries which improves over the currently best known generic attack complexity 2^{l/2} as soon as l>n. This means that contrary to the general belief, using wide-pipe hash functions as internal primitive will not increase the overall security of HMAC in the related-key model when the key size is equal to the message block size.
We also present generic related-key distinguishing-H, internal state recovery and forgery attacks. Our method is new and elegant, and uses a simple cycle-size detection criterion. The issue in the HMAC construction (not present in the NMAC construction) comes from the non-independence of the two inner hash layers, and we provide a simple patch in order to avoid this generic attack. Our work finally shows that the choice of the opad and ipad constant values in HMAC is important.
Equivalent Key Recovery Attacks against HMAC and NMAC with Whirlpool Reduced to 7 Rounds
A main contribution of this paper is an improved analysis of HMAC instantiated with reduced Whirlpool. It recovers the equivalent keys, often denoted as Kin and Kout, of HMAC with 7-round Whirlpool, while the previous best attack works only for 6 rounds. Our approach is to apply the meet-in-the-middle (MITM) attack on AES to recover the MAC keys of Whirlpool. Several techniques are proposed to bypass the differences in attack scenario between a block cipher and a MAC; e.g., the chosen-plaintext model of the MITM attacks on AES cannot be used for HMAC-Whirlpool. Besides, the larger state size and different key schedule design of Whirlpool leave us a lot of room to study. As a result, equivalent keys of HMAC with 7-round Whirlpool are recovered with a complexity of (Data, Time, Memory) = (2^481.7, 2^482.3, 2^481).
On the Security of HMAC and NMAC Based on HAVAL, MD4, MD5, SHA-0 and SHA-1
HMAC is a widely used message authentication code and a pseudorandom function generator based on cryptographic hash functions such as MD5 and SHA-1. It has been standardized by ANSI, IETF, ISO and NIST. HMAC is proved to be secure as long as the compression function of the underlying hash function is a pseudorandom function. In this paper we devise two new distinguishers of the structure of HMAC, called differential and rectangle distinguishers, and use them to discuss the security of HMAC based on HAVAL, MD4, MD5, SHA-0 and SHA-1. We show how to distinguish HMAC with reduced or full versions of these cryptographic hash functions from a random function or from HMAC with a random function. We also show how to use our differential distinguisher to devise a forgery attack on HMAC. Our distinguishing and forgery attacks can also be mounted on NMAC based on HAVAL, MD4, MD5, SHA-0 and SHA-1. Furthermore, we show that our differential and rectangle distinguishers can lead to second-preimage attacks on HMAC and NMAC.
On New Stream Algorithms for Creating Change-Sensitive Digests of Electronic Documents
Specialists must use well-checked documents to elaborate well-founded decisions and plans in the socio-economic field. Check tools include cryptographically stable algorithms for compressing a large file into a digest of a specified size, sensitive to any change in the characters on the input. New fast compression algorithms are proposed, whose cryptographic stability is associated with complex algebraic problems, such as the study of systems of algebraic equations of large degree and the problem of the decomposition of a nonlinear mapping of the space by generators. The proposed algorithms for the creation of change-sensitive digests will be used to detect cyberattacks and to audit all system files after a registered intervention.