Full Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5

Transcription

1 Full Attacks on HMAC/NMAC- and NMAC-MD5 Pierre-Alain Fouque, Gaëtan Leurent, Phong Nguyen Laboratoire d Informatique de l École Normale Supérieure CRYPTO /26

2 WhatisaMACalgorithm? M Alice wants to send a message to Bob But Charlie has access to the communication channel Alice and Bob share a secret key k......and use a MAC algorithm. Bob rejects the message if MAC k (M) t 2/26

3 WhatisaMACalgorithm? M Alice wants to send a message to Bob But Charlie has access to the communication channel Alice and Bob share a secret key k......and use a MAC algorithm. Bob rejects the message if MAC k (M) t 2/26

4 WhatisaMACalgorithm? k M k Alice wants to send a message to Bob But Charlie has access to the communication channel Alice and Bob share a secret key k......and use a MAC algorithm. Bob rejects the message if MAC k (M) t 2/26

5 WhatisaMACalgorithm? M, t k t = MAC k (M) k Alice wants to send a message to Bob But Charlie has access to the communication channel Alice and Bob share a secret key k......and use a MAC algorithm. Bob rejects the message if MAC k (M) t 2/26

6 WhatisaMACalgorithm? M, t k t = MAC k (M) t k? = MAC k (M) Alice wants to send a message to Bob But Charlie has access to the communication channel Alice and Bob share a secret key k......and use a MAC algorithm. Bob rejects the message if MAC k (M) t 2/26

7 MAC security A MAC (Message Authentication Code) should provide authentication and integrity protection. MAC security notions: chosen message attacks The adversary has access to an oracle M MAC k (M). He must compute a new MAC for: One message of his choice: existential forgery. Any message: universal forgery. One very popular MAC (ANSI, IETF, ISO, NIST), HMAC is based on a hash function. Topicofthetalk 3/26 Can we use the attacks on or MD5 to break HMAC?

8 Known attacks on MD hash functions M 1 IV h M 2 Collision attacks: generate M 1, M 2 : H(M 1 ) = H(M 2 ) in 2 1, MD5 in 2 27, SHA-1 in 2 63 Colliding blocks look random Limited impact: commitment Add a prefix and a suffix, hide the randomness Partial freedom in the colliding blocks Chosen prefix collisions: given P 1, P 2 generate M 1, M 2 : H(P 1 M 1 ) = H(P 2 M 2 ) 4/26

9 Known attacks on MD hash functions M 1 M 2 Collision attacks: generate M 1, M 2 : H(M 1 ) = H(M 2 ) Add a prefix and a suffix, hide the randomness Include two documents, use the collision as a switch Signature by a third party Fraud is detectable Partial freedom in the colliding blocks Chosen prefix collisions: given P 1, P 2 generate M 1, M 2 : H(P 1 M 1 ) = H(P 2 M 2 ) 4/26

10 Known attacks on MD hash functions M 1 M 2 Collision attacks: generate M 1, M 2 : H(M 1 ) = H(M 2 ) Add a prefix and a suffix, hide the randomness Partial freedom in the colliding blocks Weak challenge-response authentication: APOP Chosen prefix collisions: given P 1, P 2 generate M 1, M 2 : H(P 1 M 1 ) = H(P 2 M 2 ) 4/26

11 Known attacks on MD hash functions P 1 M 1 P 2 M 2 Collision attacks: generate M 1, M 2 : H(M 1 ) = H(M 2 ) Add a prefix and a suffix, hide the randomness Partial freedom in the colliding blocks Chosen prefix collisions: given P 1, P 2 generate M 1, M 2 : H(P 1 M 1 ) = H(P 2 M 2 ) Colliding certificates with different names. 4/26

12 MD family status Current status Collision-resistance is seriously broken, but for most constructions, no real attacks are known: Key derivation Peer authentication HMAC... More in-depth study and improvement of are needed. Ourresultson We adapted to HMAC/NMAC. Universal forgery attack with 2 88 data and 2 95 CPU. 5/26

13 MD family status Current status Collision-resistance is seriously broken, but for most constructions, no real attacks are known: Key derivation Peer authentication HMAC... More in-depth study and improvement of are needed. Ourresultson We adapted to HMAC/NMAC. Universal forgery attack with 2 88 data and 2 95 CPU. 5/26

14 Outline The hash function HMAC and NMAC Contini-Yin NMAC attack IV-dependent differential path Efficient computation of message pairs Differential paths Extracting more key bits 6/26

15 The hash function General design Merkle-Damgård: H i = F(M i, H i 1 ) M M 0 M 1 M 2 M 3 F F F F IV H 0 H 1 H 2 H 3 D h(m) Davies-Meyer with a Feistel-like cipher. m i H i 1 C H i 7/26

16 The compression function Step update Q i 4 Q i 3 Q i 2 Q i 1 Φ i m i k i s i Q i 3 Q i 2 Q i 1 Q i Q i = (Q i 4 Φ i (Q i 1, Q i 2, Q i 3 ) m i k i ) s i In: Q 4 Q 1 Q 2 Q 3 Out: Q 4 Q 44 Q 1 Q 47 Q 2 Q 46 Q 3 Q 45 8/26

17 NMAC description M 0...M i... M k k 2 H k2 (M) k 1 MAC NMAC k1,k 2 (M) = H k1 (H k2 (M)) Keyed hash function H k : replace the IV by the key. Prevents offline collision search and extension attacks. 9/26

18 HMAC description HMAC k (M) = H( k opad H( k ipad M)) opad and ipad are 1-block constants k is k padded to one block No need to key the hash function. HMAC k NMAC H( k opad),h( k ipad) HMAC security is equivalent to NMAC security. HMAC/NMAC security proof If the compression function F is secure as a PRF then HMAC/NMAC is: secure against existential forgery up to 2 n/2 secure against universal forgery up to 2 n 10/26

19 Outline The hash function HMAC and NMAC Contini-Yin NMAC attack IV-dependent differential path Efficient computation of message pairs Differential paths Extracting more key bits 11/26

20 Collisions: 1 Precomputation: Choose a message difference. Compute a differential path. Derive a set of sufficient conditions. 2 Collision search: Main result Find a message that satisfies the set of conditions. We know a difference and a set of conditions on the internal state variables Q i s, such that: If all the conditions are satisfied by the internal state variable in the computation of H(M), then H(M) = H(M + ). 12/26

21 How to use collisions? M 0...M i... M k k 2 H k2 (M) k 1 MAC 13/26 We can detect hash collisions through NMAC collisions. Without the IV, we can t use message modifications. Try many pairs (M, M + ), and wait for a collision. The collision contains some key information, but we need a way to extract it...

22 Inner key recovery M M + k 2 H k2 (M) k 1 MAC 1 Find an inner collision. 2 Use M to modify the inner state. 3 Learn bits of Q i by observing collisions; compute k 2. 14/26

23 Inner key recovery M M + k 2 H k2 (M) k 1 MAC 1 Find an inner collision. 2 Use M to modify the inner state. 3 Learn bits of Q i by observing collisions; compute k 2. 14/26

24 Inner key recovery M M + k 2 H k2 (M) k 1 MAC 1 Find an inner collision. 2 Use M to modify the inner state. 3 Learn bits of Q i by observing collisions; compute k 2. 14/26

25 Inner key recovery M M + k 2 H k2 (M) k 1 MAC 1 Find an inner collision. 2 Use M to modify the inner state. 3 Learn bits of Q i by observing collisions; compute k 2. 14/26

26 Outer key recovery M k 2 H k2 (M) k 1 MAC Problems We can t choose H k2 (M). We can only have a difference in the first 128 bits. 15/26

27 Outer key recovery M k 2 H k2 (M) k 1 MAC Problems We can t choose H k2 (M). We can only have a difference in the first 128 bits. 15/26

28 Contini and Yin s attack(asiacrypt 2006) Recovers the inner key k 2 but not the outer key k 1. Best path: p = Complexity Not enough for universal forgery. Attacker still need 2 n computations. 16/26

29 Outline The hash function HMAC and NMAC Contini-Yin NMAC attack IV-dependent differential path Efficient computation of message pairs Differential paths Extracting more key bits 17/26

30 A New IV-recovery Attack We want to avoid the need for related messages. We look for paths where the existence of collision discloses information about the key. Advantage In Contini-Yin attack, you need to choose a lot of bits in H k2 (M) (related messages). We only need to choose the differences in H k2 (M). 18/26

31 Using IV-dependent paths Use a differential path with δm 0 0. The beginning of the path depends on a condition (X) of the IV: px = Pr M [H(M) = H(M + ) X] step δm i Φ i Q i conditions 0 [0] [3] 1 Q [3] 1 = Q[3] 2 (X) PrM [H(M) = H(M + ) X] p X. step δm i Φ i Q i conditions 0 [0] [3] 1 [3] [10] Q [3] 1 Q[3] 2 ( X) We try 2/p X pairs: If we have a collision then (X) is satisfied. Otherwise, (X) is not satisfied. 19/26

32 Efficient computation of message pairs To recover the outer key, we need 2/p X message pairs with H k2 (M 2 ) = H k2 (M 1 ) + k 2 δq = δh = δq = δq = 0 δh = R i M i We start with one message pair (R 1, R 2 ) such that H k2 (R 2 ) = H k2 (R 1 ) + (birthday paradox). We compute second blocks (N 1, N 2 ) such that H k2 (R 2 N 2 ) = H k2 (R 1 N 1 ) + This is essentially a collision search with the padding inside the block. 20/26

33 New outer key recovery M k 2 k 1 H k2 (M) MAC 1 Recover k 2. 2 Generate pairs with H k2 (M 2 ) = H k2 (M 1 ) +. 3 Learn bits of k 1 by observing collisions. 21/26

34 New outer key recovery M k 2 k 1 H k2 (M) MAC 1 Recover k 2. 2 Generate pairs with H k2 (M 2 ) = H k2 (M 1 ) +. 3 Learn bits of k 1 by observing collisions. 21/26

35 New outer key recovery M k 2 k 1 H k2 (M) MAC 1 Recover k 2. 2 Generate pairs with H k2 (M 2 ) = H k2 (M 1 ) +. 3 Learn bits of k 1 by observing collisions. 21/26

36 New outer key recovery M k 2 k 1 H k2 (M) MAC 1 Recover k 2. 2 Generate pairs with H k2 (M 2 ) = H k2 (M 1 ) +. 3 Learn bits of k 1 by observing collisions. 21/26

37 Differential paths We need very constrained paths: At least one difference in m 0. No difference in m 4...m 15. High probability. Many paths (each one gives only one bit of the key). Differential path algorithm We use an algorithm to find a differential path from the message difference. We found 22 paths with p X Attack complexity: 2 88 data, time. 22/26

38 Differential paths We need very constrained paths: At least one difference in m 0. No difference in m 4...m 15. High probability. Many paths (each one gives only one bit of the key). Differential path algorithm We use an algorithm to find a differential path from the message difference. We found 22 paths with p X Attack complexity: 2 88 data, time. 22/26

39 Extracting more key bits When we have a collision for one of the paths, we can recover some extra information on the key: step s i δm i Φ i Q i conditions 0 3 [0] [3] 1 7 Q [3] 1 = Q[3] 2 (X) 2 11 Q [3] 1 = 0 (Y) 3 19 Q [3] 2 = 1 (Z) 4 3 [6] Note: (Y) and (Z) are not key bits, they depend on the message. Use(Y)and(Z)toefficientlyreducethekeyentropy. On average we reduce the search space from to /26

40 Hash collisions can be detected through HMAC/NMAC Tailoring : IV-dependent collisions Full key recovery Attack complexity Generic Attacks NMAC- Data Time Mem Remark E-Forgery 2 n/2 - - Collision based U-Forgery 2n/2 2 n+1 - Collision based 1 2 2n/3 2 2n/3 TM tradeoff, 2 n precpu E-Forgery Partial-KR U-Forgery New result 24/26

41 Possible improvements Find better paths. Use the method of Contini and Yin for the inner key. Use near-collisions for the outer key. About MD5 Our NMAC-MD5 attack is in the related-key model. A real attack would require a differential path with less than one block of message... More NMAC-MD5 25/26

42 Any Questions? Thank you for your attention. 26/26

43 NMAC-MD5 attack M NMAC-MD5 Diff. paths k 2 H k2 (M) k 1 MAC 1 We don t have a path with a suitable. 2 We use a path with a difference in the IV 3 Filter H k2 (M) to modify the outer state 4 Learn bits of Q i by observing collisions; compute k 1. 27/26

44 NMAC-MD5 attack M NMAC-MD5 Diff. paths k 2 H k2 (M) k 1 MAC 1 We don t have a path with a suitable. 2 We use a path with a difference in the IV 3 Filter H k2 (M) to modify the outer state 4 Learn bits of Q i by observing collisions; compute k 1. 27/26

45 NMAC-MD5 attack M NMAC-MD5 Diff. paths k 2 H k2 (M) k 1 MAC 1 We don t have a path with a suitable. 2 We use a path with a difference in the IV 3 Filter H k2 (M) to modify the outer state 4 Learn bits of Q i by observing collisions; compute k 1. 27/26

46 NMAC-MD5 attack M NMAC-MD5 Diff. paths k 2 H k2 (M) k 1 MAC 1 We don t have a path with a suitable. 2 We use a path with a difference in the IV 3 Filter H k2 (M) to modify the outer state 4 Learn bits of Q i by observing collisions; compute k 1. 27/26

47 NMAC-MD5 Diff. paths NMAC-MD5 attack Small improvement of Contini & Yin s attack. Independently found by Rechberger & Rijmen (FC 2007). Related key model Generic Attacks NMAC-MD5 Related keys Data Time Mem Remark E-Forgery 2 n/2 - - Collision based U-Forgery 2n/2 2 n+1 - Collision based 1 2 2n/3 2 2n/3 TM tradeoff, 2 n precpu E-Forgery Partial-KR U-Forgery New result 28/26

48 Differential paths NMAC-MD5 Diff. paths The next slides show some examples of the differential paths used in the NMAC attack. For more information see: Automatic search of differential path in, by Pierre-Alain Fouque, Gaëtan Leurent and Phong Nguyen, Presented in the ECRYPT hash workshop, 2007, Cryptology eprint Archive, Report 2007/ /26

49 NMAC-MD5 Diff. paths 30/26 An IV-dependent path [29] step si δmi Φi Qi conditions 0 3 [0] [3] 1 7 Q [3] 1 = Q[3] Q [3] 1 = Q [3] 2 = [6,7] 5 7 Q [6] 3 Q[6] 2, Q[7] 3 = = Q[7] Q [6] 5 = 0, Q[7] 5 = [7] [26] Q [6] 6 = 1, Q[7] 6 = [26] [9], [29] Q [26] 5 = 1, Q [26] 6 = Q [9] 7 Q[9], Q[26] 6 8 = = 0, Q 7 = Q Q [9] = 0, Q[26] Q = 1, = [13] Q [9] 10 = 1, Q[29] 10 = [0], [12] Q [13] 10 = Q[13] Q [0] 11 = Q[0] 10, Q[12] 11 = Q[12] 10, Q[13] 12 = [0] [ ] Q [0] 13 = 1, Q[12] 13 = 0, Q[13] 13 = [13] Q [0] = 1, Q[11] = Q[11] 12, Q[12] 13 = 0, Q[13] 13 = 1, Q[13] 12 = [0] [12,13] Q [11] [ ] Q [11] 16 Q[11] 15, Q[12] 16 Q[12] 15, Q[13] 16 = = = Q[13] Q [20] 17 = Q[20] 16, Q[21] 17 = Q[21] 16, Q[22] 17 = Q[22] 16, Q[23] 17 = Q[23] [23] [26] Q [20] 19 = Q[20] 17, Q[21] 19 = Q[21] 17, Q[22] 19 = Q[22] 17, Q[23] 19 Q[23] Q [20] 20 = Q[20] 19, Q[21] 20 = Q[21] 19, Q[22] 20 = Q[22] 19, Q[23] 20 = Q[23] 19, Q[26] 19 = Q[26] [29] Q [26] 21 = Q[26] Q [26] 22 = Q[26] 21, Q[29] 21 = Q[29] [29,30] Q [29] 23 = Q[29] Q [30] 23 = Q[30] [29] Q [29] 25 Q[29] 23, Q[30] 25 = Q[30] Q [29] [0] Q[29] 25, Q[30] 26 = = Q[30] Q [0] 27 = Q[0] Q [0] 29 = Q[0] Q [0] 30 = Q[0] [0]

50 A path for the message pair generation step s i δm i Φ i Q i conditions 4 0 [4] [7] 1 7 [31] [6] Q [7] 1 = Q[7] [28], [31] [7], [10] Q [6] 0 = Q[6] 1, Q[7] 1 = Q [6] = 0, Q[7] = 0, Q[10] = Q [10] [6] [9...11] Q [6] = 0, Q[7] = 0, Q[10] = [13] Q [7] = 1, Q[9] = 4 3 Q[9], 2 Q[10] = 0, Q [11] = Q [11] [10,11] [18] Q [9] = 0, Q[10] = 1, Q [11] = 1, Q [13] = Q [13] Q [9] 6 = 1, Q[10] 6 = 1, Q [11] 6 = 1, Q [13] 6 = 0, Q [18] 5 = Q [18] [13] [12], [16] Q [13] 7 = 0, Q [18] 7 = [12] [19] Q [12] 7 = 1, Q [12] 6 = 0, Q [16] 7 = Q [16] 6, Q [18] 8 = [29] Q [12] 9 = 0, Q [16] 9 = 0, Q [19] 8 = Q [19] Q [12] 10 = 1, Q[16] 10 = 1, Q[19] 10 = 0, Q[29] 9 = Q [29] [16] [19] [15,16], [22] Q [19] 11 = 0, Q[29] 11 = [ ] Q [15] 11 = Q[15] 10, Q[16] 11 = Q[16] 10, Q[22] 11 = Q[22] 10, Q[29] 12 = [29] Q [15] 13 = 0, Q[16] 13 = 0, Q[22] 13 = 0, Q[26] 12 = Q[26] 11, Q[27] 12 = Q[27] 11, Q[28] 12 = Q[28] 11, Q[29] 12 = 1, Q[29] 11 = [28,29] [15] Q [15] = 1, Q[16] = 1, Q[22] = 1, Q[26] = 0, Q[27] = 0, Q[28] = 1, Q[29] = [15] [25] Q [15] 14 Q[15] 13, Q[26] 15 = Q[26], 14 Q[27] 15 = Q[27], 14 Q[28] 15 = Q[28], 14 Q[29] 15 = Q[29] [31] Q [15] 16 = Q[15], 14 Q[25] 15 = Q[25] Q [15] 17 = Q[15] 16, Q[25] 17 = Q[25] 15, Q[31] 16 = Q[31] [16] [28] Q [25] 18 = Q[25] 17, Q[31] 18 = Q[31] [31] [28], [31] [28], [31] Q [28] 18 Q[28] 17, Q[31] 19 Q[31] [31] Q [31] 19 Q[31] Q [31] 21 = Q[31] [28] Q [28] 22 Q[28] 21, Q[31] 22 = Q[31] [28], [31]