new generic attacks on hash based macs
play

New Generic Attacks on Hash-based MACs G. Leurent (Inria) New - PowerPoint PPT Presentation

Oct 18, 2023 •224 likes •759 views

Introduction New generic attacks HMAC-GOST key-recovery Conclusion New Generic Attacks on Hash-based MACs G. Leurent (Inria) New Generic Attacks on Hash-based MACs Asiacrypt 2013 1 / 22 . . . . . . . . . . . . . . . . . Gatan Leurent,

  1. Introduction New generic attacks HMAC-GOST key-recovery Conclusion New Generic Attacks on Hash-based MACs G. Leurent (Inria) New Generic Attacks on Hash-based MACs Asiacrypt 2013 1 / 22 . . . . . . . . . . . . . . . . . Gaëtan Leurent, Thomas Peyrin, Lei Wang Inria, France  UCL, Belgium Nanyang Technological University, Singapore Asiacrypt 2013

  2. 2 / 22 Introduction Asiacrypt 2013 New generic attacks New Generic Attacks on Hash-based MACs HMAC-GOST key-recovery Conclusion Message Authentication Codes G. Leurent (Inria) ? . . . . . . . . . . . . . . . . . . . . . . . . M , t Alice Bob ▶ Alice sends a message to Bob ▶ Bob wants to authenticate the message. ▶ Alice use a key k to compute a tag: t = MAC k ( M ) ▶ Bob verifies the tag with the same key k : t = MAC k ( M ) ▶ Symmetric equivalent to digital signatures

  3. 3 / 22 Introduction Asiacrypt 2013 New generic attacks New Generic Attacks on Hash-based MACs HMAC-GOST key-recovery Conclusion MAC Constructions G. Leurent (Inria) . . . . . . . . . . . . . . . . . ▶ Dedicated designs ▶ PelicanMAC, SQUASH, SipHash ▶ From universal hash functions ▶ UMAC, VMAC, Poly1305 ▶ From block ciphers ▶ CBCMAC, OMAC, PMAC ▶ From hash functions ▶ HMAC, SandwichMAC, EnvelopeMAC

  4. 3 / 22 Introduction Asiacrypt 2013 New generic attacks New Generic Attacks on Hash-based MACs HMAC-GOST key-recovery Conclusion MAC Constructions G. Leurent (Inria) . . . . . . . . . . . . . . . . . ▶ Dedicated designs ▶ PelicanMAC, SQUASH, SipHash ▶ From universal hash functions ▶ UMAC, VMAC, Poly1305 ▶ From block ciphers ▶ CBCMAC, OMAC, PMAC ▶ From hash functions ▶ HMAC, SandwichMAC, EnvelopeMAC

  5. 4 / 22 Introduction Asiacrypt 2013 New generic attacks New Generic Attacks on Hash-based MACs HMAC-GOST key-recovery Conclusion HMAC G. Leurent (Inria) . . . . . . . . . . . . . . . . . ▶ HMAC has been designed by Bellare, Canetti, and Krawczyk in 1996 ▶ Standardized by ANSI, IETF, ISO, NIST. ▶ Used in many applications: ▶ To provide authentication: ▶ SSL, IPSEC, ... ▶ To provide identification: ▶ Challengeresponse protocols ▶ CRAMMD5 authentication in SASL, POP3, IMAP, SMTP, ... ▶ For keyderivation: ▶ HMAC as a PRF in IPsec ▶ HMACbased PRF in TLS

  6. 5 / 22 Introduction Asiacrypt 2013 New generic attacks New Generic Attacks on Hash-based MACs HMAC-GOST key-recovery Conclusion Hash-based MACs G. Leurent (Inria) . . . . . . . . . . . . . . . . . m 0 m 1 m 2 | M | h h h g k l l l l n I k MAC k ( M ) x 0 . . . . . . . . . . . . . . . . . . . . x 1 x 2 x 3 ▶ l bit chaining value ▶ n bit output ▶ k bit key ▶ Keydependant initial value I k ▶ Unkeyed compression function h ▶ Keydependant finalization, with message length g k

  7. 6 / 22 Introduction Asiacrypt 2013 New generic attacks New Generic Attacks on Hash-based MACs HMAC-GOST key-recovery Conclusion Security of HMAC G. Leurent (Inria) . . . . . . . . . . . . . . . . . Security proof / Attack ▶ Existential forgery: 2 l / 2 2 l / 2 ▶ Forge a valid pair ▶ Universal forgery: 2 l / 2 2 n ▶ Predict the MAC of a challenge ▶ DistinguishingR: 2 l / 2 2 l / 2 ▶ Distinguish HMAC from a PRF ▶ DistinguishingH: 2 l / 2 2 l ▶ Distinguish HMACSHA1 from HMACPRF ▶ Staterecovery: 2 l / 2 2 l ▶ Find the internal state after some message ▶ Keyrecovery: 2 l / 2 2 k ▶ Extract the key from a MAC oracle

  8. 7 / 22 Introduction Asiacrypt 2013 New generic attacks New Generic Attacks on Hash-based MACs HMAC-GOST key-recovery Conclusion Distinguishing-H attack G. Leurent (Inria) . . . . . . . . . . . . . . . . . k ← $ M . . . . . . . . . MAC k ( M ) OXYGEN Adversary Oracle H k or HMAC PRF HMAC H k ▶ Security notion from PRF ▶ Distinguish HMAC using H from HMAC with a PRF

  9. 8 / 22 Introduction Asiacrypt 2013 New generic attacks New Generic Attacks on Hash-based MACs HMAC-GOST key-recovery Conclusion Distinguishing-H attack G. Leurent (Inria) . . . . . . . . . . . . . . . . . ▶ Collisionbased attack does not work: ▶ Any compression function has collisions ▶ Secret key prevents precomputed collisions ▶ Folklore assumption: distinguishingH attack should require 2 l “ If we can recognize the hash function inside HMAC, it must be a bad hash function ”

  10. 9 / 22 Introduction Asiacrypt 2013 New Generic Attacks on Hash-based MACs G. Leurent (Inria) Key-recovery Attack on HMAC-GOST Introduction New generic attacks Outline Conclusion HMAC-GOST key-recovery New generic attacks . . . . . . . . . . . . . . . . . MACs HMAC Cycle detection DistinguishingH attack State recovery attack HMACGOST Key recovery

  11. 10 / 22 Introduction Asiacrypt 2013 New generic attacks New Generic Attacks on Hash-based MACs HMAC-GOST key-recovery Conclusion Main Idea G. Leurent (Inria) . . . . . . . . . . . . . . . . . | M | 0 0 0 h h h g K l l l l n I K MAC K ( M ) x 0 . . . . . . . . . . . . . . . . . . . . x 1 x 2 x 3 ▶ Using a fixed message block, we iterate a fixed function ▶ Starting point and ending point unknown because of the key Can we detect properties of the function h 0 ∶ x ↦ h ( x , 0 ) ? ▶ Study the cycle structure of random mappings ▶ Used to attack HMAC in relatedkey setting [Peyrin, Sasaki  Wang, Asiacrypt 12]

  12. 10 / 22 Introduction Asiacrypt 2013 New generic attacks New Generic Attacks on Hash-based MACs HMAC-GOST key-recovery Conclusion Main Idea G. Leurent (Inria) . . . . . . . . . . . . . . . . . | M | 0 0 0 h h h g K l l l l n I K MAC K ( M ) x 0 . . . . . . . . . . . . . . . . . . . . x 1 x 2 x 3 ▶ Using a fixed message block, we iterate a fixed function ▶ Starting point and ending point unknown because of the key Can we detect properties of the function h 0 ∶ x ↦ h ( x , 0 ) ? ▶ Study the cycle structure of random mappings ▶ Used to attack HMAC in relatedkey setting [Peyrin, Sasaki  Wang, Asiacrypt 12]

  13. 11 / 22 Introduction Asiacrypt 2013 New generic attacks New Generic Attacks on Hash-based MACs HMAC-GOST key-recovery Conclusion Random Mappings G. Leurent (Inria) . . . . . . . . . . . . . . . . . x 3 ▶ Functional graph of a random mapping x 4 x → f ( x ) ▶ Iterate f : x i = f ( x i − 1 ) x 2 x 7 x 5 ▶ Collision after ≈ 2 l / 2 iterations x 6 ▶ Cycles x 1 ▶ Trees rooted in the cycle ▶ Several components . . . . . . . . . x 0

  14. 11 / 22 Introduction Asiacrypt 2013 New generic attacks New Generic Attacks on Hash-based MACs HMAC-GOST key-recovery Conclusion Random Mappings G. Leurent (Inria) . . . . . . . . . . . . . . . . . ▶ Functional graph of a random mapping x → f ( x ) ▶ Iterate f : x i = f ( x i − 1 ) ▶ Collision after ≈ 2 l / 2 iterations ▶ Cycles ▶ Trees rooted in the cycle ▶ Several components . .

  15. 11 / 22 Introduction Asiacrypt 2013 New generic attacks New Generic Attacks on Hash-based MACs HMAC-GOST key-recovery Conclusion Random Mappings G. Leurent (Inria) . . . . . . . . . . . . . . . . . ▶ Functional graph of a random mapping x → f ( x ) ▶ Iterate f : x i = f ( x i − 1 ) ▶ Collision after ≈ 2 l / 2 iterations ▶ Cycles ▶ Trees rooted in the cycle ▶ Several components . .

  16. 12 / 22 Introduction Asiacrypt 2013 New generic attacks New Generic Attacks on Hash-based MACs HMAC-GOST key-recovery Conclusion Cycle structure G. Leurent (Inria) . . . . . . . . . . . . . . . . . Expected properties of a random mapping over N points: ▶ # Components: 1 2 log N ▶ # Cyclic nodes: √𝜌 N / 2 ▶ Tail length: √𝜌 N / 8 ▶ Rho length: √𝜌 N / 2 ▶ Largest tree: 0 . 48 N ▶ Largest component: 0 . 76 N

  17. 13 / 22 Introduction Asiacrypt 2013 New generic attacks New Generic Attacks on Hash-based MACs HMAC-GOST key-recovery Conclusion Using the cycle length G. Leurent (Inria) Success if . . . . . . . . . . . . . . . . . 1 Offline: find the cycle length L of the main component of h 0 . . . 2 Online: query t = MAC ( r ‖ [ 0 ] 2 l / 2 ) and t ′ = MAC ( r ‖ [ 0 ] 2 l / 2 + L ) ▶ The starting point is in the main component p = 0 . 76 ▶ The cycle is reached with less than 2 l / 2 iterations p ≥ 0 . 5 Randomize starting point

  18. 13 / 22 Introduction Asiacrypt 2013 New generic attacks New Generic Attacks on Hash-based MACs HMAC-GOST key-recovery Conclusion Cycle structure G. Leurent (Inria) . . . . . . . . . . . . . . . . . Expected properties of a random mapping over N points: ▶ # Components: 1 2 log N ▶ # Cyclic nodes: √𝜌 N / 2 ▶ Tail length: √𝜌 N / 8 ▶ Rho length: √𝜌 N / 2 ▶ Largest tree: 0 . 48 N ▶ Largest component: 0 . 76 N

  19. 13 / 22 Introduction Asiacrypt 2013 New generic attacks New Generic Attacks on Hash-based MACs HMAC-GOST key-recovery Conclusion Using the cycle length G. Leurent (Inria) Success if . . . . . . . . . . . . . . . . . 1 Offline: find the cycle length L of the main component of h 0 . . . 2 Online: query t = MAC ( r ‖ [ 0 ] 2 l / 2 ) and t ′ = MAC ( r ‖ [ 0 ] 2 l / 2 + L ) ▶ The starting point is in the main component p = 0 . 76 ▶ The cycle is reached with less than 2 l / 2 iterations p ≥ 0 . 5 Randomize starting point

Recommend

Generic Attacks against MAC algorithms G. Leurent (Inria) Generic Attacks against MAC algorithms

Generic Attacks against MAC algorithms G. Leurent (Inria) Generic Attacks against MAC algorithms

Introduction Hash-based MACs State recovery Universal forgery Key-recovery Conclusion Generic Attacks against MAC algorithms G. Leurent (Inria) Generic Attacks against MAC algorithms ASK 2015 1 / 59 Gatan Leurent Inria Rocquencourt,

1.71k views • 102 slides
Combining Compression Functions and Block Cipher-Based Hash Functions Asiacrypt 2006 Thomas

Combining Compression Functions and Block Cipher-Based Hash Functions Asiacrypt 2006 Thomas

Introduction The Framework Known Generic Attacks Against Multiple Block Length Hashing How to Avoid Known Generic Attacks ? Conclusions Combining Compression Functions and Block Cipher-Based Hash Functions Asiacrypt 2006 Thomas Peyrin 1 ,

655 views • 44 slides
Generic Attacks against Beyond-Birthday-Bound MACs Gatan Leurent 1 , Mridul Nandi 2 , Ferdinand

Generic Attacks against Beyond-Birthday-Bound MACs Gatan Leurent 1 , Mridul Nandi 2 , Ferdinand

Introduction Birthday Bound Attack Beyond Birthday Bound SUM-ECBC 1kf9 Conclusion Generic Attacks against Beyond-Birthday-Bound MACs Gatan Leurent 1 , Mridul Nandi 2 , Ferdinand Sibleyras 1 1 Inria quipe SECRET, Paris, France 2 Indian

1.05k views • 67 slides
Generic Attacks against Beyond-Birthday-Bound MACs Gatan Leurent 1 , Mridul Nandi 2 , Ferdinand

Generic Attacks against Beyond-Birthday-Bound MACs Gatan Leurent 1 , Mridul Nandi 2 , Ferdinand

Introduction Birthday Bound Attack Beyond Birthday Bound SUM-ECBC Conclusion Generic Attacks against Beyond-Birthday-Bound MACs Gatan Leurent 1 , Mridul Nandi 2 , Ferdinand Sibleyras 1 1 Inria quipe SECRET, Paris, France 2 Indian

771 views • 59 slides
Hash Functions and MACs Properties of Cryptographic Hash Functions Introduction to Message

Hash Functions and MACs Properties of Cryptographic Hash Functions Introduction to Message

Cryptography Hash Functions and MACs Introduction to Hash Functions Hash Functions and MACs Properties of Cryptographic Hash Functions Introduction to Message Cryptography Authentication Codes School of Engineering and Technology

338 views • 23 slides
Hash Functions and MACs Properties of Cryptographic Hash Functions Introduction to Message

Hash Functions and MACs Properties of Cryptographic Hash Functions Introduction to Message

Cryptography Hash Functions and MACs Introduction to Hash Functions Hash Functions and MACs Properties of Cryptographic Hash Functions Introduction to Message Cryptography Authentication Codes School of Engineering and Technology

787 views • 23 slides
pq Outline Description of the FSB Hash Function Classic Attacks Recent Attacks

pq Outline Description of the FSB Hash Function Classic Attacks Recent Attacks

Syndrome Based Collision Resistant Hashing Matthieu Finiasz pq Outline Description of the FSB Hash Function Classic Attacks Recent Attacks Proposed Improvements and Parameters pq 1 Description of the FSB Hash Function pq

286 views • 28 slides
x ? ? ? ? computation easy One Way Hash Function (OWHF) h h h h h

x ? ? ? ? computation easy One Way Hash Function (OWHF) h h h h h

ECRYPT Bart Preneel Emerging Topics in Cryptographic Design and Cryptanalysis Generic Constructions 30 April- 4 May 2007, Samos Greece for Iterated Hash Functions Outline Generic Constructions Generic Constructions for Iterated Hash

759 views • 10 slides
Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22 Overview What is a stream cipher? Classification of attacks Different Attacks Exhaustive Key Search Time Memory Tradeoffs

656 views • 22 slides
Cryptography: Hash Functions and MACs [continued] Asymmetric

Cryptography: Hash Functions and MACs [continued] Asymmetric

CSE 484 / CSE M 584: Computer Security and Privacy Cryptography: Hash Functions and MACs [continued] Asymmetric Cryptography [start] Spring 2015

707 views • 23 slides
Tight PRF-Security of Double-block Hash-then-Sum MACs Seongkwang Kim, Byeonghak Lee , Jooyoung Lee

Tight PRF-Security of Double-block Hash-then-Sum MACs Seongkwang Kim, Byeonghak Lee , Jooyoung Lee

Tight PRF-Security of Double-block Hash-then-Sum MACs Seongkwang Kim, Byeonghak Lee , Jooyoung Lee KAIST Outline Introduction - Message Authentication Code - Double-block Hash-then-Sum paradigm Our Contribution - Tight security proof of

394 views • 24 slides
1 Simple Hash Functions Requirements for Hash Functions 1. can be applied to any sized message M

1 Simple Hash Functions Requirements for Hash Functions 1. can be applied to any sized message M

CPE 542: CRYPTOGRAPHY & NETWORK SECURITY Using Symmetric Ciphers for MACs can use any block cipher chaining mode and use final block as a MAC Chapter 12 Hash Algorithms Data Authentication Algorithm (DAA) is a widely used MAC

305 views • 5 slides
Hash Function Based MAC Message Authentication Codes (MAC) provide the integrity and

Hash Function Based MAC Message Authentication Codes (MAC) provide the integrity and

Improved Single-Key Distinguisher on HMAC-MD5 and Key Recovery Attacks on Sandwich-MAC-MD5 Yu Sasaki 1 and Lei Wang 2 1 NTT Secure Platform Laboratories 2 Nanyang Technological University, Singapore SAC 2013 (16/August/2013) 1 Hash Function Based

822 views • 25 slides
Cryptography [MACs and Hash Functions] Spring 2020 Franziska (Franzi) Roesner

Cryptography [MACs and Hash Functions] Spring 2020 Franziska (Franzi) Roesner

CSE 484 / CSE M 584: Computer Security and Privacy Cryptography [MACs and Hash Functions] Spring 2020 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner, John

828 views • 28 slides
Hash-flooding DoS reloaded: Hash flooding begins? attacks and defenses July 1998 article

Hash-flooding DoS reloaded: Hash flooding begins? attacks and defenses July 1998 article

Hash-flooding DoS reloaded: Hash flooding begins? attacks and defenses July 1998 article Jean-Philippe Aumasson, Designing and attacking Kudelski Security (NAGRA) port scan detection tools by Solar Designer (Alexander D. J. Bernstein,

1.83k views • 164 slides
Hash functions : MAC / HMAC Outline Message Authentication Codes Keyed hash family

Hash functions : MAC / HMAC Outline Message Authentication Codes Keyed hash family

Hash functions : MAC / HMAC Outline Message Authentication Codes Keyed hash family Unconditionally Secure MACs Ref: D Stinson: Cryprography Theory and Practice (3 rd ed), Chap 4. Universal hash family Notations: X is a

457 views • 12 slides
New Attacks on the Concatenation and XOR Hash Combiners Itai Dinur Ben-Gurion University, Israel

New Attacks on the Concatenation and XOR Hash Combiners Itai Dinur Ben-Gurion University, Israel

New Attacks on the Concatenation and XOR Hash Combiners Itai Dinur Ben-Gurion University, Israel Cryptographic Hash Functions A cryptographic hash function is hash function H:{0,1}*-> {0,1} n with strong requirements : Collision

461 views • 33 slides
Cryptography: Hash Functions, MACs (finish) Asymmetric Cryptography (start) Fall 2016 Ada (Adam)

Cryptography: Hash Functions, MACs (finish) Asymmetric Cryptography (start) Fall 2016 Ada (Adam)

CSE 484 / CSE M 584: Computer Security and Privacy Cryptography: Hash Functions, MACs (finish) Asymmetric Cryptography (start) Fall 2016 Ada (Adam) Lerner lerner@cs.washington.edu Thanks to Franzi Roesner, Dan Boneh, Dieter Gollmann, Dan

567 views • 38 slides
Chapter 6 Hash-Based Indexing Efficient Support for Equality Search Hash-Based Indexing Static

Chapter 6 Hash-Based Indexing Efficient Support for Equality Search Hash-Based Indexing Static

Hash-Based Indexing Torsten Grust Chapter 6 Hash-Based Indexing Efficient Support for Equality Search Hash-Based Indexing Static Hashing Hash Functions Architecture and Implementation of Database Systems Extendible Hashing Summer 2016

930 views • 39 slides
A Tool for Differential Cryptanalysis of ARX Based Hash Functions Florian Mendel KU Leuven,

A Tool for Differential Cryptanalysis of ARX Based Hash Functions Florian Mendel KU Leuven,

A Tool for Differential Cryptanalysis of ARX Based Hash Functions Florian Mendel KU Leuven, Belgium Outline 1 Motivation 2 Application to SHA-1 3 Application to other Hash Functions 4 Summary and Future Work Collision Attacks on the

652 views • 46 slides
M&M: Masks and Macs against Physical Attacks CHES 2019 Lauren De Meyer, Victor Arribas

M&M: Masks and Macs against Physical Attacks CHES 2019 Lauren De Meyer, Victor Arribas

M&M: Masks and Macs against Physical Attacks CHES 2019 Lauren De Meyer, Victor Arribas Svetla Nikova, Ventzislav Nikov, Vincent Rijmen B ACK TO THE 90 S Differential Power Analysis (DPA) Paul Kocher et al. 1999 [KJJ99]

322 views • 28 slides
Outline Hash functions and MACs, contd Building a secure channel CSci 5271 Announcements

Outline Hash functions and MACs, contd Building a secure channel CSci 5271 Announcements

Outline Hash functions and MACs, contd Building a secure channel CSci 5271 Announcements intermission Introduction to Computer Security Crypto combined slides Public-key crypto basics Public key encryption and signatures Stephen McCamant

588 views • 9 slides
Building Secure Block Ciphers on Generic Attacks Assumptions Jacques Patarin and Yannick Seurin

Building Secure Block Ciphers on Generic Attacks Assumptions Jacques Patarin and Yannick Seurin

Building Secure Block Ciphers on Generic Attacks Assumptions Jacques Patarin and Yannick Seurin University of Versailles and Orange Labs SAC 2008 August 14-15, 2008 intro the Russian Dolls construction generic attacks application to

539 views • 17 slides
New Constructions of MACs from (Tweakable) Block Ciphers Benot Cogliati 1 Jooyoung Lee 2 Yannick

New Constructions of MACs from (Tweakable) Block Ciphers Benot Cogliati 1 Jooyoung Lee 2 Yannick

Generalities Stateless Deterministic MACs Nonce-Based MACs Conclusion New Constructions of MACs from (Tweakable) Block Ciphers Benot Cogliati 1 Jooyoung Lee 2 Yannick Seurin 3 1 UL, Luxembourg 2 KAIST, Korea 3 ANSSI, France March 6, 2018

837 views • 55 slides

More recommend