Generic Related-key Attacks for HMAC

Thomas Peyrin, Yu Sasaki and Lei Wang
Nanyang Technological University - Singapore, NTT - Japan
Asiacrypt 2012, Beijing, China - December 5, 2012

Talk sections: Introduction; A generic related-key attack on HMAC; Conclusion


  2. Outline
      • Introduction
          • What is HMAC
          • Current state of HMAC
      • A generic related-key attack on HMAC
          • Distinguish-R attack
          • Intermediate internal state recovery
          • Existential forgery and distinguish-H attack
      • Patching HMAC and Conclusion

  5. HMAC and NMAC (Bellare et al. - 1996). A MAC outputs an $n$-bit value from a $k$-bit key $K$ and an arbitrarily long message $M$. $\mathrm{NMAC}(K_1, K_2, M) = H(K_2, H(K_1, M))$

  6. HMAC and NMAC (Bellare et al. - 1996). A MAC outputs an $n$-bit value from a $k$-bit key $K$ and an arbitrarily long message $M$. $\mathrm{HMAC}(K, M) = H(K \oplus \mathrm{opad} \,\|\, H(K \oplus \mathrm{ipad} \,\|\, M))$

  9. Known dedicated attacks on HMAC

      | Attack | Key Setting | Target | Size | #Rounds | Comp. | Ref. |
      |---|---|---|---|---|---|---|
      | Dist.-H | Single key | MD4 | 128 | Full | $2^{121.5}$ | [KBPH06] |
      | Dist.-H | Single key | MD5 | 128 | 33/64 | $2^{126.1}$ | [KBPH06] |
      | Dist.-H | Single Key | MD5 | 128 | Full | $2^{97}$ | [WYWZZ09] |
      | Dist.-H | Single key | 3p HAVAL | 256 | Full | $2^{228.6}$ | [KBPH06] |
      | Dist.-H | Single key | 4p HAVAL | 256 | 102/128 | $2^{253.9}$ | [KBPH06] |
      | Dist.-H | Single key | SHA0 | 160 | Full | $2^{109}$ | [KBPH06] |
      | Dist.-H | Single key | SHA1 | 160 | 43/80 | $2^{154.9}$ | [KBPH06] |
      | Dist.-H | Single key | SHA1 | 160 | 50/80 | $2^{153.5}$ | [RR08] |
      | Dist.-H | Related Key | SHA1 | 160 | 58/80 | $2^{158.74}$ | [RR08] |
      | Inner key rec. | Single Key | MD4 | 128 | Full | $2^{63}$ | [CY06] |
      | Inner key rec. | Single Key | SHA0 | 160 | Full | $2^{84}$ | [CY06] |
      | Inner key rec. | Single Key | SHA1 | 64 | 34/80 | $2^{32}$ | [RR08] |
      | Inner key rec. | Single Key | 3p HAVAL | 256 | Full | $2^{122}$ | [LCKSH08] |
      | Full key rec. | Single Key | MD4 | 128 | Full | $2^{95}$ | [FLN07] |
      | Full key rec. | Single Key | MD4 | 128 | Full | $2^{77}$ | [WOK08] |

  10. Known generic attacks on HMAC
      • Universal forgery attack costs $2^{n}$ computations (ideal)
      • Existential forgery attack costs $2^{l/2}$ computations (not ideal)
      • Distinguishing-R attack costs $2^{l/2}$ computations (not ideal)
      • Distinguishing-H attack costs $2^{l}$ computations (ideal)

  11. Known generic attacks on HMAC. Existential forgery attack costs $2^{l/2}$ computations (not ideal). The procedure:
      • step 1: query $2^{l/2}$ messages and gather all pairs $(M, M')$ that collide on the output
      • step 2: for all colliding pairs, append an extra random message block $M_1$ and check if this new message pair $(M \,\|\, M_1, M' \,\|\, M_1)$ collides as well. Pick one such pair.
      • step 3: append another extra random message block $M_2$ and query the MAC for message $M \,\|\, M_2$. Then it is equal to the MAC for message $(M' \,\|\, M_2)$

  12. Known generic attacks on HMAC

      | Generic Attack | Key Setting | Complexity |
      |---|---|---|
      | Universal forgery | Single Key | $2^{n}$ |
      | Existential forgery | Single Key | $2^{l/2}$ |
      | Dist.-R | Single Key | $2^{l/2}$ |
      | Dist.-H | Single Key | $2^{l}$ |

  13. Known generic attacks on HMAC

      | Generic Attack | Key Setting | Complexity |
      |---|---|---|
      | Universal forgery | Related Key | $2^{n}$ ? |
      | Existential forgery | Related Key | $2^{l/2}$ ? |
      | Dist.-R | Related Key | $2^{l/2}$ ? |
      | Dist.-H | Related Key | $2^{l}$ ? |

  16. What weakness to attack? NMAC

  17. What weakness to attack? HMAC

  18. What weakness to attack? HMAC (with key $K$)

  19. What weakness to attack? HMAC (with key $K' = K \oplus \mathrm{ipad} \oplus \mathrm{opad}$)

  21. What to detect? HMAC (with key $K$ and arbitrary message)

  22. What to detect? HMAC (with key $K$ and $n$-bit message)

  24. What to detect? HMAC (with $K$ and $K' = K \oplus \mathrm{ipad} \oplus \mathrm{opad}$ and $n$-bit message)

  26. What to detect? Functions $f(g(x))$ and $g(f(x))$ have a particular cycle structure: there is a 1-to-1 correspondence between cycles of $f(g(x))$ and $g(f(x))$

  27. How to detect the cycle structure? $\Longrightarrow$ by measuring cycle lengths. The game played (distinguishing-R in the related-key model): the attacker can query two oracles, $F_K$ and $F_{K'}$, that are instantiated either with $\mathrm{HMAC}_K$ and $\mathrm{HMAC}_{K'}$, or with two independent random functions $R_K$ and $R_{K'}$. He must obtain a non-negligible advantage in distinguishing the two cases:
      $$\mathrm{Adv}(A) = \left| \Pr[A(\mathrm{HMAC}_K, \mathrm{HMAC}_{K'}) = 1] - \Pr[A(R_K, R_{K'}) = 1] \right|$$

  28. The attack. First step (walk A): start from an $n$-bit random input message, query $F_K$, and keep querying as new message the MAC just received. Continue so for about $2^{n/2} + 2^{n/2-1}$ queries until getting a collision among the MACs received. If no collision is found, or if the collision occurred in the $2^{n/2}$ first queries, the attacker outputs 0.

  29. The attack. Second step (walk B): do the same for oracle $F_{K'}$.

  30. The attack. Third step (colliding walk A and walk B): if the cycle of walk A has the same length as the one from walk B, then output 1. Otherwise output 0.

  31. Results - distinguishing-R for HMAC with wide-pipe. The advantage of the attacker is non-negligible and the complexity of the distinguisher is about $2^{n/2} + 2^{n/2-1}$ computations for each of the first and second phase, thus about $2^{n/2+1}$ computations in total. We implemented and verified the distinguisher. With SHA-2 truncated to 32 bits, we found two walks A and B that have the same cycle length of 79146 elements with $2^{17}$ computations. The best previously known attack for HMAC instantiated with SHA-2 truncated to 32 bits required $2^{128}$ computations.

      | Attack | Key Setting | Target | Old Generic Complexity | New Generic Complexity |
      |---|---|---|---|---|
      | Dist.-R | Related Key | Wide-pipe | $2^{l/2}$ | $2^{n/2+1}$ |

  33. How to recover the intermediate internal state? We would like to know some of the intermediate internal state of $\mathrm{HMAC}_K$ and $\mathrm{HMAC}_{K'}$. Inside a colliding cycle for $\mathrm{HMAC}_K$ and $\mathrm{HMAC}_{K'}$, the input or output queries to $\mathrm{HMAC}_K$ are intermediate internal state of $\mathrm{HMAC}_{K'}$ (and vice-versa) ... but we don't know which one it is, so we need to synchronize the cycles
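
The cycle correspondence that slides 26 to 30 rely on, as an added example (not code from the talk or its authors): with SHA-256 truncated to a constructed toy size of n = 16 bits, HMAC under K is g(f(x)) and HMAC under K' is f(g(x)), so the two functional graphs must have identical cycle lengths. It enumerates every cycle rather than comparing two walks, which is feasible only at toy size; the key and all helper names are assumptions of this example.

```python
import hashlib

N_BYTES = 2   # n = 16-bit tags: a constructed toy size (the slides used 32 bits)
BLOCK = 64    # SHA-256 block size in bytes
IPAD, OPAD = bytes([0x36] * BLOCK), bytes([0x5C] * BLOCK)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def h(data):
    """Toy wide-pipe hash: SHA-256 truncated to n bits."""
    return hashlib.sha256(data).digest()[:N_BYTES]

def inner(key, msg):
    """H(K xor ipad || M); key is already padded to one block."""
    return h(xor(key, IPAD) + msg)

def hmac_trunc(key, msg):
    """HMAC(K, M) = H(K xor opad || H(K xor ipad || M))."""
    return h(xor(key, OPAD) + inner(key, msg))

def related_key(key):
    """K' = K xor ipad xor opad: swaps the inner and outer padded keys."""
    return xor(xor(key, IPAD), OPAD)

def cycle_length(oracle, start):
    """Walk x -> oracle(x) from start until a tag repeats; return the cycle length."""
    seen, x = {}, start
    while x not in seen:
        seen[x] = len(seen)
        x = oracle(x)
    return len(seen) - seen[x]

def all_cycle_lengths(oracle):
    """Sorted length of every cycle in oracle's graph on n-bit inputs."""
    owner, lengths = {}, []           # owner[x] = start of the walk that first hit x
    for s in range(256 ** N_BYTES):
        x, path = s.to_bytes(N_BYTES, "big"), []
        while x not in owner:
            owner[x] = s
            path.append(x)
            x = oracle(x)
        if owner[x] == s:             # this walk closed on itself: a new cycle
            lengths.append(len(path) - path.index(x))
    return sorted(lengths)

K = bytes(range(BLOCK))               # constructed 64-byte key, one full block
K2 = related_key(K)
F_K = lambda m: hmac_trunc(K, m)      # oracle under K
F_K2 = lambda m: hmac_trunc(K2, m)    # oracle under K' = K xor ipad xor opad
```

`all_cycle_lengths(F_K) == all_cycle_lengths(F_K2)` holds for the related pair, and `cycle_length(F_K, x)` equals `cycle_length(F_K2, inner(K, x))` for any start `x`; for two unrelated keys the lists will generally differ, which is the signal the walks in slides 28 to 30 measure.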
