new generic attacks on hash based macs
play

New Generic Attacks on Hash-based MACs G. Leurent (Inria) New - PowerPoint PPT Presentation

Oct 18, 2023 •224 likes •759 views

Introduction New generic attacks HMAC-GOST key-recovery Conclusion New Generic Attacks on Hash-based MACs G. Leurent (Inria) New Generic Attacks on Hash-based MACs Asiacrypt 2013 1 / 22 . . . . . . . . . . . . . . . . . Gatan Leurent,

  1. Introduction New generic attacks HMAC-GOST key-recovery Conclusion New Generic Attacks on Hash-based MACs G. Leurent (Inria) New Generic Attacks on Hash-based MACs Asiacrypt 2013 1 / 22 . . . . . . . . . . . . . . . . . Gaëtan Leurent, Thomas Peyrin, Lei Wang Inria, France  UCL, Belgium Nanyang Technological University, Singapore Asiacrypt 2013

  2. 2 / 22 Introduction Asiacrypt 2013 New generic attacks New Generic Attacks on Hash-based MACs HMAC-GOST key-recovery Conclusion Message Authentication Codes G. Leurent (Inria) ? . . . . . . . . . . . . . . . . . . . . . . . . M , t Alice Bob ▶ Alice sends a message to Bob ▶ Bob wants to authenticate the message. ▶ Alice use a key k to compute a tag: t = MAC k ( M ) ▶ Bob verifies the tag with the same key k : t = MAC k ( M ) ▶ Symmetric equivalent to digital signatures

  3. 3 / 22 Introduction Asiacrypt 2013 New generic attacks New Generic Attacks on Hash-based MACs HMAC-GOST key-recovery Conclusion MAC Constructions G. Leurent (Inria) . . . . . . . . . . . . . . . . . ▶ Dedicated designs ▶ PelicanMAC, SQUASH, SipHash ▶ From universal hash functions ▶ UMAC, VMAC, Poly1305 ▶ From block ciphers ▶ CBCMAC, OMAC, PMAC ▶ From hash functions ▶ HMAC, SandwichMAC, EnvelopeMAC

  4. 3 / 22 Introduction Asiacrypt 2013 New generic attacks New Generic Attacks on Hash-based MACs HMAC-GOST key-recovery Conclusion MAC Constructions G. Leurent (Inria) . . . . . . . . . . . . . . . . . ▶ Dedicated designs ▶ PelicanMAC, SQUASH, SipHash ▶ From universal hash functions ▶ UMAC, VMAC, Poly1305 ▶ From block ciphers ▶ CBCMAC, OMAC, PMAC ▶ From hash functions ▶ HMAC, SandwichMAC, EnvelopeMAC

  5. 4 / 22 Introduction Asiacrypt 2013 New generic attacks New Generic Attacks on Hash-based MACs HMAC-GOST key-recovery Conclusion HMAC G. Leurent (Inria) . . . . . . . . . . . . . . . . . ▶ HMAC has been designed by Bellare, Canetti, and Krawczyk in 1996 ▶ Standardized by ANSI, IETF, ISO, NIST. ▶ Used in many applications: ▶ To provide authentication: ▶ SSL, IPSEC, ... ▶ To provide identification: ▶ Challengeresponse protocols ▶ CRAMMD5 authentication in SASL, POP3, IMAP, SMTP, ... ▶ For keyderivation: ▶ HMAC as a PRF in IPsec ▶ HMACbased PRF in TLS

  6. 5 / 22 Introduction Asiacrypt 2013 New generic attacks New Generic Attacks on Hash-based MACs HMAC-GOST key-recovery Conclusion Hash-based MACs G. Leurent (Inria) . . . . . . . . . . . . . . . . . m 0 m 1 m 2 | M | h h h g k l l l l n I k MAC k ( M ) x 0 . . . . . . . . . . . . . . . . . . . . x 1 x 2 x 3 ▶ l bit chaining value ▶ n bit output ▶ k bit key ▶ Keydependant initial value I k ▶ Unkeyed compression function h ▶ Keydependant finalization, with message length g k

  7. 6 / 22 Introduction Asiacrypt 2013 New generic attacks New Generic Attacks on Hash-based MACs HMAC-GOST key-recovery Conclusion Security of HMAC G. Leurent (Inria) . . . . . . . . . . . . . . . . . Security proof / Attack ▶ Existential forgery: 2 l / 2 2 l / 2 ▶ Forge a valid pair ▶ Universal forgery: 2 l / 2 2 n ▶ Predict the MAC of a challenge ▶ DistinguishingR: 2 l / 2 2 l / 2 ▶ Distinguish HMAC from a PRF ▶ DistinguishingH: 2 l / 2 2 l ▶ Distinguish HMACSHA1 from HMACPRF ▶ Staterecovery: 2 l / 2 2 l ▶ Find the internal state after some message ▶ Keyrecovery: 2 l / 2 2 k ▶ Extract the key from a MAC oracle

  8. 7 / 22 Introduction Asiacrypt 2013 New generic attacks New Generic Attacks on Hash-based MACs HMAC-GOST key-recovery Conclusion Distinguishing-H attack G. Leurent (Inria) . . . . . . . . . . . . . . . . . k ← $ M . . . . . . . . . MAC k ( M ) OXYGEN Adversary Oracle H k or HMAC PRF HMAC H k ▶ Security notion from PRF ▶ Distinguish HMAC using H from HMAC with a PRF

  9. 8 / 22 Introduction Asiacrypt 2013 New generic attacks New Generic Attacks on Hash-based MACs HMAC-GOST key-recovery Conclusion Distinguishing-H attack G. Leurent (Inria) . . . . . . . . . . . . . . . . . ▶ Collisionbased attack does not work: ▶ Any compression function has collisions ▶ Secret key prevents precomputed collisions ▶ Folklore assumption: distinguishingH attack should require 2 l “ If we can recognize the hash function inside HMAC, it must be a bad hash function ”

  10. 9 / 22 Introduction Asiacrypt 2013 New Generic Attacks on Hash-based MACs G. Leurent (Inria) Key-recovery Attack on HMAC-GOST Introduction New generic attacks Outline Conclusion HMAC-GOST key-recovery New generic attacks . . . . . . . . . . . . . . . . . MACs HMAC Cycle detection DistinguishingH attack State recovery attack HMACGOST Key recovery

  11. 10 / 22 Introduction Asiacrypt 2013 New generic attacks New Generic Attacks on Hash-based MACs HMAC-GOST key-recovery Conclusion Main Idea G. Leurent (Inria) . . . . . . . . . . . . . . . . . | M | 0 0 0 h h h g K l l l l n I K MAC K ( M ) x 0 . . . . . . . . . . . . . . . . . . . . x 1 x 2 x 3 ▶ Using a fixed message block, we iterate a fixed function ▶ Starting point and ending point unknown because of the key Can we detect properties of the function h 0 ∶ x ↦ h ( x , 0 ) ? ▶ Study the cycle structure of random mappings ▶ Used to attack HMAC in relatedkey setting [Peyrin, Sasaki  Wang, Asiacrypt 12]

  12. 10 / 22 Introduction Asiacrypt 2013 New generic attacks New Generic Attacks on Hash-based MACs HMAC-GOST key-recovery Conclusion Main Idea G. Leurent (Inria) . . . . . . . . . . . . . . . . . | M | 0 0 0 h h h g K l l l l n I K MAC K ( M ) x 0 . . . . . . . . . . . . . . . . . . . . x 1 x 2 x 3 ▶ Using a fixed message block, we iterate a fixed function ▶ Starting point and ending point unknown because of the key Can we detect properties of the function h 0 ∶ x ↦ h ( x , 0 ) ? ▶ Study the cycle structure of random mappings ▶ Used to attack HMAC in relatedkey setting [Peyrin, Sasaki  Wang, Asiacrypt 12]

  13. 11 / 22 Introduction Asiacrypt 2013 New generic attacks New Generic Attacks on Hash-based MACs HMAC-GOST key-recovery Conclusion Random Mappings G. Leurent (Inria) . . . . . . . . . . . . . . . . . x 3 ▶ Functional graph of a random mapping x 4 x → f ( x ) ▶ Iterate f : x i = f ( x i − 1 ) x 2 x 7 x 5 ▶ Collision after ≈ 2 l / 2 iterations x 6 ▶ Cycles x 1 ▶ Trees rooted in the cycle ▶ Several components . . . . . . . . . x 0

  14. 11 / 22 Introduction Asiacrypt 2013 New generic attacks New Generic Attacks on Hash-based MACs HMAC-GOST key-recovery Conclusion Random Mappings G. Leurent (Inria) . . . . . . . . . . . . . . . . . ▶ Functional graph of a random mapping x → f ( x ) ▶ Iterate f : x i = f ( x i − 1 ) ▶ Collision after ≈ 2 l / 2 iterations ▶ Cycles ▶ Trees rooted in the cycle ▶ Several components . .

  15. 11 / 22 Introduction Asiacrypt 2013 New generic attacks New Generic Attacks on Hash-based MACs HMAC-GOST key-recovery Conclusion Random Mappings G. Leurent (Inria) . . . . . . . . . . . . . . . . . ▶ Functional graph of a random mapping x → f ( x ) ▶ Iterate f : x i = f ( x i − 1 ) ▶ Collision after ≈ 2 l / 2 iterations ▶ Cycles ▶ Trees rooted in the cycle ▶ Several components . .

  16. 12 / 22 Introduction Asiacrypt 2013 New generic attacks New Generic Attacks on Hash-based MACs HMAC-GOST key-recovery Conclusion Cycle structure G. Leurent (Inria) . . . . . . . . . . . . . . . . . Expected properties of a random mapping over N points: ▶ # Components: 1 2 log N ▶ # Cyclic nodes: √𝜌 N / 2 ▶ Tail length: √𝜌 N / 8 ▶ Rho length: √𝜌 N / 2 ▶ Largest tree: 0 . 48 N ▶ Largest component: 0 . 76 N

  17. 13 / 22 Introduction Asiacrypt 2013 New generic attacks New Generic Attacks on Hash-based MACs HMAC-GOST key-recovery Conclusion Using the cycle length G. Leurent (Inria) Success if . . . . . . . . . . . . . . . . . 1 Offline: find the cycle length L of the main component of h 0 . . . 2 Online: query t = MAC ( r ‖ [ 0 ] 2 l / 2 ) and t ′ = MAC ( r ‖ [ 0 ] 2 l / 2 + L ) ▶ The starting point is in the main component p = 0 . 76 ▶ The cycle is reached with less than 2 l / 2 iterations p ≥ 0 . 5 Randomize starting point

  18. 13 / 22 Introduction Asiacrypt 2013 New generic attacks New Generic Attacks on Hash-based MACs HMAC-GOST key-recovery Conclusion Cycle structure G. Leurent (Inria) . . . . . . . . . . . . . . . . . Expected properties of a random mapping over N points: ▶ # Components: 1 2 log N ▶ # Cyclic nodes: √𝜌 N / 2 ▶ Tail length: √𝜌 N / 8 ▶ Rho length: √𝜌 N / 2 ▶ Largest tree: 0 . 48 N ▶ Largest component: 0 . 76 N

  19. 13 / 22 Introduction Asiacrypt 2013 New generic attacks New Generic Attacks on Hash-based MACs HMAC-GOST key-recovery Conclusion Using the cycle length G. Leurent (Inria) Success if . . . . . . . . . . . . . . . . . 1 Offline: find the cycle length L of the main component of h 0 . . . 2 Online: query t = MAC ( r ‖ [ 0 ] 2 l / 2 ) and t ′ = MAC ( r ‖ [ 0 ] 2 l / 2 + L ) ▶ The starting point is in the main component p = 0 . 76 ▶ The cycle is reached with less than 2 l / 2 iterations p ≥ 0 . 5 Randomize starting point

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Generic Attacks against MAC algorithms G. Leurent (Inria) Generic Attacks against MAC algorithms

Generic Attacks against MAC algorithms G. Leurent (Inria) Generic Attacks against MAC algorithms

Introduction Hash-based MACs State recovery Universal forgery Key-recovery Conclusion Generic Attacks against MAC algorithms G. Leurent (Inria) Generic Attacks against MAC algorithms ASK 2015 1 / 59 Gatan Leurent Inria Rocquencourt,

1.71k views • 102 slides
Combining Compression Functions and Block Cipher-Based Hash Functions Asiacrypt 2006 Thomas

Combining Compression Functions and Block Cipher-Based Hash Functions Asiacrypt 2006 Thomas

Introduction The Framework Known Generic Attacks Against Multiple Block Length Hashing How to Avoid Known Generic Attacks ? Conclusions Combining Compression Functions and Block Cipher-Based Hash Functions Asiacrypt 2006 Thomas Peyrin 1 ,

655 views • 44 slides
Generic Attacks against Beyond-Birthday-Bound MACs Gatan Leurent 1 , Mridul Nandi 2 , Ferdinand

Generic Attacks against Beyond-Birthday-Bound MACs Gatan Leurent 1 , Mridul Nandi 2 , Ferdinand

Introduction Birthday Bound Attack Beyond Birthday Bound SUM-ECBC 1kf9 Conclusion Generic Attacks against Beyond-Birthday-Bound MACs Gatan Leurent 1 , Mridul Nandi 2 , Ferdinand Sibleyras 1 1 Inria quipe SECRET, Paris, France 2 Indian

1.05k views • 67 slides
Generic Attacks against Beyond-Birthday-Bound MACs Gatan Leurent 1 , Mridul Nandi 2 , Ferdinand

Generic Attacks against Beyond-Birthday-Bound MACs Gatan Leurent 1 , Mridul Nandi 2 , Ferdinand

Introduction Birthday Bound Attack Beyond Birthday Bound SUM-ECBC Conclusion Generic Attacks against Beyond-Birthday-Bound MACs Gatan Leurent 1 , Mridul Nandi 2 , Ferdinand Sibleyras 1 1 Inria quipe SECRET, Paris, France 2 Indian

771 views • 59 slides
Hash Functions and MACs Properties of Cryptographic Hash Functions Introduction to Message

Hash Functions and MACs Properties of Cryptographic Hash Functions Introduction to Message

Cryptography Hash Functions and MACs Introduction to Hash Functions Hash Functions and MACs Properties of Cryptographic Hash Functions Introduction to Message Cryptography Authentication Codes School of Engineering and Technology

338 views • 23 slides
Hash Functions and MACs Properties of Cryptographic Hash Functions Introduction to Message

Hash Functions and MACs Properties of Cryptographic Hash Functions Introduction to Message

Cryptography Hash Functions and MACs Introduction to Hash Functions Hash Functions and MACs Properties of Cryptographic Hash Functions Introduction to Message Cryptography Authentication Codes School of Engineering and Technology

787 views • 23 slides
pq Outline Description of the FSB Hash Function Classic Attacks Recent Attacks

pq Outline Description of the FSB Hash Function Classic Attacks Recent Attacks

Syndrome Based Collision Resistant Hashing Matthieu Finiasz pq Outline Description of the FSB Hash Function Classic Attacks Recent Attacks Proposed Improvements and Parameters pq 1 Description of the FSB Hash Function pq

286 views • 28 slides
x ? ? ? ? computation easy One Way Hash Function (OWHF) h h h h h

x ? ? ? ? computation easy One Way Hash Function (OWHF) h h h h h

ECRYPT Bart Preneel Emerging Topics in Cryptographic Design and Cryptanalysis Generic Constructions 30 April- 4 May 2007, Samos Greece for Iterated Hash Functions Outline Generic Constructions Generic Constructions for Iterated Hash

759 views • 10 slides
Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22 Overview What is a stream cipher? Classification of attacks Different Attacks Exhaustive Key Search Time Memory Tradeoffs

656 views • 22 slides
Cryptography: Hash Functions and MACs [continued] Asymmetric

Cryptography: Hash Functions and MACs [continued] Asymmetric

CSE 484 / CSE M 584: Computer Security and Privacy Cryptography: Hash Functions and MACs [continued] Asymmetric Cryptography [start] Spring 2015

707 views • 23 slides
Tight PRF-Security of Double-block Hash-then-Sum MACs Seongkwang Kim, Byeonghak Lee , Jooyoung Lee

Tight PRF-Security of Double-block Hash-then-Sum MACs Seongkwang Kim, Byeonghak Lee , Jooyoung Lee

Tight PRF-Security of Double-block Hash-then-Sum MACs Seongkwang Kim, Byeonghak Lee , Jooyoung Lee KAIST Outline Introduction - Message Authentication Code - Double-block Hash-then-Sum paradigm Our Contribution - Tight security proof of

394 views • 24 slides
1 Simple Hash Functions Requirements for Hash Functions 1. can be applied to any sized message M

1 Simple Hash Functions Requirements for Hash Functions 1. can be applied to any sized message M

CPE 542: CRYPTOGRAPHY & NETWORK SECURITY Using Symmetric Ciphers for MACs can use any block cipher chaining mode and use final block as a MAC Chapter 12 Hash Algorithms Data Authentication Algorithm (DAA) is a widely used MAC

305 views • 5 slides
Hash Function Based MAC Message Authentication Codes (MAC) provide the integrity and

Hash Function Based MAC Message Authentication Codes (MAC) provide the integrity and

Improved Single-Key Distinguisher on HMAC-MD5 and Key Recovery Attacks on Sandwich-MAC-MD5 Yu Sasaki 1 and Lei Wang 2 1 NTT Secure Platform Laboratories 2 Nanyang Technological University, Singapore SAC 2013 (16/August/2013) 1 Hash Function Based

822 views • 25 slides
Cryptography [MACs and Hash Functions] Spring 2020 Franziska (Franzi) Roesner

Cryptography [MACs and Hash Functions] Spring 2020 Franziska (Franzi) Roesner

CSE 484 / CSE M 584: Computer Security and Privacy Cryptography [MACs and Hash Functions] Spring 2020 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner, John

828 views • 28 slides
Hash-flooding DoS reloaded: Hash flooding begins? attacks and defenses July 1998 article

Hash-flooding DoS reloaded: Hash flooding begins? attacks and defenses July 1998 article

Hash-flooding DoS reloaded: Hash flooding begins? attacks and defenses July 1998 article Jean-Philippe Aumasson, Designing and attacking Kudelski Security (NAGRA) port scan detection tools by Solar Designer (Alexander D. J. Bernstein,

1.83k views • 164 slides
Hash functions : MAC / HMAC Outline Message Authentication Codes Keyed hash family

Hash functions : MAC / HMAC Outline Message Authentication Codes Keyed hash family

Hash functions : MAC / HMAC Outline Message Authentication Codes Keyed hash family Unconditionally Secure MACs Ref: D Stinson: Cryprography Theory and Practice (3 rd ed), Chap 4. Universal hash family Notations: X is a

457 views • 12 slides
SSUSH19 H19 The e stu tudent dent will ill id identif entify y th the e origins, or

SSUSH19 H19 The e stu tudent dent will ill id identif entify y th the e origins, or

SSUSH19 H19 The e stu tudent dent will ill id identif entify y th the e origins, or gins, major or dev evelopments, elopments, and d th the e dom omes estic tic impa pact ct of of Wo World ld Wa War II, es especial

993 views • 42 slides
What do we do in GCSE History? YEAR 10 YEAR 11 Superpower relations and Crime and Punishment

What do we do in GCSE History? YEAR 10 YEAR 11 Superpower relations and Crime and Punishment

What do we do in GCSE History? YEAR 10 YEAR 11 Superpower relations and Crime and Punishment the Cold War 1941-1991 Main features of C&P in Britain from the Middle Ages through to the present day. It Early tensions between

308 views • 7 slides
SYMBOL OF NAZI PARTY THE NAZI WORLD VIEW

SYMBOL OF NAZI PARTY THE NAZI WORLD VIEW

SYMBOL OF NAZI PARTY THE NAZI WORLD VIEW

610 views • 24 slides
Standard 10.8.4 Describe the political, diplomatic, and military leaders during the war (e.g.

Standard 10.8.4 Describe the political, diplomatic, and military leaders during the war (e.g.

Standard 10.8.4 Describe the political, diplomatic, and military leaders during the war (e.g. Winston Churchill, Franklin Delano Roosevelt, Emperor Hirohito, Adolf Hitler, Benito Mussolini, Joseph Stalin, Douglas MacArthur, Dwight Eisenhower).

1.07k views • 40 slides
Security Evaluation on Amazon Web Services REST API Authentication Protocol Signature Version

Security Evaluation on Amazon Web Services REST API Authentication Protocol Signature Version

Security Evaluation on Amazon Web Services REST API Authentication Protocol Signature Version 4 Khanh Hoang Huynh Jason Kerssens Supervisors: Alex Stavroulakis (KPMG) Aristide Bouix (KPMG) Introduction AWS As of 2018, AWS has a

636 views • 26 slides
BIND, from ISC Name Server Round Table ccNSO, ICANN 50 23 June 2014 BIND use cases 2013 BIND

BIND, from ISC Name Server Round Table ccNSO, ICANN 50 23 June 2014 BIND use cases 2013 BIND

BIND, from ISC Name Server Round Table ccNSO, ICANN 50 23 June 2014 BIND use cases 2013 BIND support subscriptions BIND is the Swiss Army Education, knife of DNS software. 3% It is intended to work for TLD, 11% any use case

419 views • 6 slides
2019 SMP Packages 1-V Sira Guajardo, P.E. Mariya Kret, P.E. Pipelines Governmental Janie

2019 SMP Packages 1-V Sira Guajardo, P.E. Mariya Kret, P.E. Pipelines Governmental Janie

2019 SMP Packages 1-V Sira Guajardo, P.E. Mariya Kret, P.E. Pipelines Governmental Janie Powell Contract Administrator Jonathan Miranda, MSJP Contract Administrator Pre-Bid Meeting Monday, August 6, 2018 August 6, 2018 Page 2 Oral

638 views • 48 slides
Public Information Meeting Davis Pressure Plane Expansion Phase 1 Project No. WUOP16011 January

Public Information Meeting Davis Pressure Plane Expansion Phase 1 Project No. WUOP16011 January

Public Information Meeting Davis Pressure Plane Expansion Phase 1 Project No. WUOP16011 January 31, 2018 Ms. Lana Wolff City of Arlington City Council Member (District 5) (817) 459-6122 Keith Hamby City of Arlington Construction Inspector

248 views • 13 slides

More recommend