Generic Related-key Attacks for HMAC


  1. Generic Related-key Attacks for HMAC. Thomas Peyrin, Yu Sasaki and Lei Wang. Nanyang Technological University - Singapore; NTT - Japan. Asiacrypt 2012, Beijing, China - December 5, 2012. Talk sections: Introduction; A generic related-key attack on HMAC; Conclusion.

  2. Outline: Introduction (What is HMAC; Current state of HMAC). A generic related-key attack on HMAC (Distinguish-R attack; Intermediate internal state recovery; Existential forgery and distinguish-H attack). Patching HMAC and Conclusion.

  5. HMAC and NMAC (Bellare et al. - 1996). A MAC outputs an $n$-bit value from a $k$-bit key $K$ and an arbitrarily long message $M$. $\mathrm{NMAC}(K_1, K_2, M) = H(K_2, H(K_1, M))$

  6. HMAC and NMAC (Bellare et al. - 1996). A MAC outputs an $n$-bit value from a $k$-bit key $K$ and an arbitrarily long message $M$. $\mathrm{HMAC}(K, M) = H(K \oplus \mathrm{opad} \,\|\, H(K \oplus \mathrm{ipad} \,\|\, M))$

  9. Known dedicated attacks on HMAC

      | Attack | Key Setting | Target | Size | #Rounds | Comp. | Ref. |
      |---|---|---|---|---|---|---|
      | Dist.-H | Single key | MD4 | 128 | Full | $2^{121.5}$ | [KBPH06] |
      | Dist.-H | Single key | MD5 | 128 | 33/64 | $2^{126.1}$ | [KBPH06] |
      | Dist.-H | Single key | MD5 | 128 | Full | $2^{97}$ | [WYWZZ09] |
      | Dist.-H | Single key | 3p HAVAL | 256 | Full | $2^{228.6}$ | [KBPH06] |
      | Dist.-H | Single key | 4p HAVAL | 256 | 102/128 | $2^{253.9}$ | [KBPH06] |
      | Dist.-H | Single key | SHA0 | 160 | Full | $2^{109}$ | [KBPH06] |
      | Dist.-H | Single key | SHA1 | 160 | 43/80 | $2^{154.9}$ | [KBPH06] |
      | Dist.-H | Single key | SHA1 | 160 | 50/80 | $2^{153.5}$ | [RR08] |
      | Dist.-H | Related key | SHA1 | 160 | 58/80 | $2^{158.74}$ | [RR08] |
      | Inner key rec. | Single key | MD4 | 128 | Full | $2^{63}$ | [CY06] |
      | Inner key rec. | Single key | SHA0 | 160 | Full | $2^{84}$ | [CY06] |
      | Inner key rec. | Single key | SHA1 | 64 | 34/80 | $2^{32}$ | [RR08] |
      | Inner key rec. | Single key | 3p HAVAL | 256 | Full | $2^{122}$ | [LCKSH08] |
      | Full key rec. | Single key | MD4 | 128 | Full | $2^{95}$ | [FLN07] |
      | Full key rec. | Single key | MD4 | 128 | Full | $2^{77}$ | [WOK08] |

  10. Known generic attacks on HMAC
      • Universal forgery attack costs $2^{n}$ computations (ideal)
      • Existential forgery attack costs $2^{l/2}$ computations (not ideal)
      • Distinguishing-R attack costs $2^{l/2}$ computations (not ideal)
      • Distinguishing-H attack costs $2^{l}$ computations (ideal)

  11. Known generic attacks on HMAC. Existential forgery attack costs $2^{l/2}$ computations (not ideal). The procedure:
      • step 1: query $2^{l/2}$ messages and gather all pairs $(M, M')$ that collide on the output
      • step 2: for all colliding pairs, append an extra random message block $M_1$ and check if this new message pair $(M \| M_1, M' \| M_1)$ collides as well. Pick one such pair.
      • step 3: append another extra random message block $M_2$ and query the MAC for message $M \| M_2$. It is then equal to the MAC for message $M' \| M_2$.

  12. Known generic attacks on HMAC

      | Generic Attack | Key Setting | Complexity |
      |---|---|---|
      | Universal forgery | Single key | $2^{n}$ |
      | Existential forgery | Single key | $2^{l/2}$ |
      | Dist.-R | Single key | $2^{l/2}$ |
      | Dist.-H | Single key | $2^{l}$ |

  13. Known generic attacks on HMAC

      | Generic Attack | Key Setting | Complexity |
      |---|---|---|
      | Universal forgery | Related key | $2^{n}$ ? |
      | Existential forgery | Related key | $2^{l/2}$ ? |
      | Dist.-R | Related key | $2^{l/2}$ ? |
      | Dist.-H | Related key | $2^{l}$ ? |

  16. What weakness to attack? NMAC

  17. What weakness to attack? HMAC

  18. What weakness to attack? HMAC (with key $K$)

  19. What weakness to attack? HMAC (with key $K' = K \oplus \mathrm{ipad} \oplus \mathrm{opad}$)

  21. What to detect? HMAC (with key $K$ and arbitrary message)

  22. What to detect? HMAC (with key $K$ and $n$-bit message)

  24. What to detect? HMAC (with $K$ and $K' = K \oplus \mathrm{ipad} \oplus \mathrm{opad}$ and $n$-bit message)

  26. What to detect? Functions $f(g(x))$ and $g(f(x))$ have a particular cycle structure: there is a 1-to-1 correspondence between cycles of $f(g(x))$ and $g(f(x))$.

  27. How to detect the cycle structure? $\Rightarrow$ by measuring cycle lengths. The game played (distinguishing-R in the related-key model): the attacker can query two oracles, $F_K$ and $F_{K'}$, that are instantiated either with $\mathrm{HMAC}_K$ and $\mathrm{HMAC}_{K'}$, or with two independent random functions $R_K$ and $R_{K'}$. He must obtain non-negligible advantage in distinguishing the two cases: $\mathrm{Adv}(A) = \left| \Pr[A(\mathrm{HMAC}_K, \mathrm{HMAC}_{K'}) = 1] - \Pr[A(R_K, R_{K'}) = 1] \right|$

  28. The attack. First step (walk A): start from an $n$-bit random input message, query $F_K$, and keep querying as new message the MAC just received. Continue for about $2^{n/2} + 2^{n/2-1}$ queries until getting a collision among the MACs received. If no collision is found, or if the collision occurred in the first $2^{n/2}$ queries, the attacker outputs 0.

  29. The attack. Second step (walk B): do the same for oracle $F_{K'}$.

  30. The attack. Third step (colliding walk A and walk B): if the cycle of walk A has the same length as the one from walk B, then output 1. Otherwise output 0.

  31. Results - distinguishing-R for HMAC with wide-pipe. The advantage of the attacker is non-negligible and the complexity of the distinguisher is about $2^{n/2} + 2^{n/2-1}$ computations for each of the first and second phase, thus about $2^{n/2+1}$ computations in total. We implemented and verified the distinguisher. With SHA-2 truncated to 32 bits, we found two walks A and B that have the same cycle length of 79146 elements with $2^{17}$ computations. The best previously known attack for HMAC instantiated with SHA-2 truncated to 32 bits required $2^{128}$ computations.

      | Attack | Key Setting | Target | Old Generic Complexity | New Generic Complexity |
      |---|---|---|---|---|
      | Dist.-R | Related key | Wide-pipe | $2^{l/2}$ | $2^{n/2+1}$ |

  33. How to recover the intermediate internal state? We would like to know some of the intermediate internal state of $\mathrm{HMAC}_K$ and $\mathrm{HMAC}_{K'}$. Inside a colliding cycle for $\mathrm{HMAC}_K$ and $\mathrm{HMAC}_{K'}$, the input or output queries to $\mathrm{HMAC}_K$ are intermediate internal state of $\mathrm{HMAC}_{K'}$ (and vice-versa) ... but we don't know which one it is, so we need to synchronize the cycles.
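
The cycle correspondence of slide 26 and the walks of slides 28 to 30 can be checked on a toy instance. The Python below is an added example, not the authors' implementation: it assumes HMAC built over SHA-256 truncated to 16 bits (the slides report 32 bits), constructed keys, and hypothetical helper names (`make_hmac`, `related_key`, `walk_cycle_length`, `all_cycle_lengths`).

```python
import hashlib

N_BYTES = 2                  # toy output size n = 16 bits (the slides use 32)
BLOCK = 64                   # SHA-256 block size in bytes
IPAD, OPAD = 0x36, 0x5C      # standard HMAC pad bytes

def H(data: bytes) -> bytes:
    """Toy wide-pipe hash: SHA-256 truncated to n bits."""
    return hashlib.sha256(data).digest()[:N_BYTES]

def make_hmac(key: bytes):
    """Return M -> H(K^opad || H(K^ipad || M)) for a key of at most BLOCK bytes."""
    k = key.ljust(BLOCK, b"\0")
    k_in = bytes(b ^ IPAD for b in k)
    k_out = bytes(b ^ OPAD for b in k)
    return lambda msg: H(k_out + H(k_in + msg))

def related_key(key: bytes) -> bytes:
    """K' = K xor ipad xor opad, computed on the block-padded key."""
    return bytes(b ^ IPAD ^ OPAD for b in key.ljust(BLOCK, b"\0"))

def walk_cycle_length(oracle, start: bytes) -> int:
    """Feed each MAC back in as the next n-bit message; return the cycle length reached."""
    seen = {}
    x = start
    while x not in seen:
        seen[x] = len(seen)
        x = oracle(x)
    return len(seen) - seen[x]

def all_cycle_lengths(oracle) -> list:
    """Sorted lengths of every cycle of the oracle over all 2^n inputs."""
    done, lengths = set(), []
    for s in range(1 << (8 * N_BYTES)):
        x, path = s.to_bytes(N_BYTES, "big"), {}
        while x not in done and x not in path:
            path[x] = len(path)
            x = oracle(x)
        if x in path:                    # this walk closed a cycle not seen before
            lengths.append(len(path) - path[x])
        done.update(path)
    return sorted(lengths)

K = b"constructed-demo-key"                   # constructed sample key
F_K, F_K2 = make_hmac(K), make_hmac(related_key(K))
F_IND = make_hmac(b"independent-demo-key")    # unrelated constructed key, for contrast

if __name__ == "__main__":
    for name, f in (("K", F_K), ("K'", F_K2), ("unrelated", F_IND)):
        print(name, all_cycle_lengths(f))
```

On $n$-bit messages `F_K` and `F_K2` are the two compositions of the same inner and outer functions, so their cycle-length lists are identical, while the list for the unrelated key will in general differ. Keys in use should therefore never be related by ipad ⊕ opad.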
