Generic Attacks on Strengthened HMAC: n-bit Secure HMAC Requires Key in All Blocks
HMAC is the most widely used hash-based MAC scheme. Recently, several generic attacks have been presented against HMAC with a complexity between $2^{n/2}$ and $2^n$, where $n$ is the output size of an underlying hash function. In this paper, we investigate the security of strengthened HMAC in which the key is used to process underlying compression functions. With such a modification, the attacker is unable to precompute the property of the compression function offline, and thus previous generic attacks are prevented. In this paper, we show that keying the compression function in all blocks is necessary to prevent a generic internal state recovery attack with a complexity less than $2^n$. In other words, with only a single keyless compression function, the internal state is recovered faster than $2^n$. To validate the claim, we present a generic attack against the strengthened HMAC in which only one block is keyless, and thus pre-computable offline. Our attack uses the previous generic attack by Naito et al. as a base. We improve it so that the attack can be applied with only a single keyless compression function while the attack complexity remains unchanged from the previous work.
Keywords: HMAC, generic attack, internal state recovery, multi-collision