
Cryptanalysis on HMAC/NMAC-MD5 and MD5-MAC

  • Xiaoyun Wang
  • Hongbo Yu
  • Wei Wang
  • Haina Zhang
  • Tao Zhan
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5479)

Abstract

In this paper, we present the first distinguishing attack on HMAC and NMAC based on MD5 without related keys, which distinguishes HMAC/NMAC-MD5 from HMAC/NMAC with a random function. The attack needs 2^97 queries, with a success probability of 0.87, while the previous distinguishing attack on HMAC-MD5 reduced to 33 rounds takes 2^126.1 messages with a success rate of 0.92. Furthermore, we give distinguishing and partial key recovery attacks on MDx-MAC based on MD5. MDx-MAC was proposed by Preneel and van Oorschot at Crypto '95 and uses three subkeys derived from the initial key. We are able to recover one 128-bit subkey with 2^97 queries.
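To make the constructions the abstract refers to concrete, the following added example (not code from the paper or its authors) implements MD5 with a replaceable initial value and builds NMAC-MD5 and HMAC-MD5 on top of it. NMAC-MD5 replaces the IV of the inner and outer hash with the two keys K1 and K2; HMAC-MD5 derives those two chaining values from K XOR ipad and K XOR opad with one compression-function call each, which is why the two are analysed together. The function and constant names (`md5_with_iv`, `nmac_md5`, `hmac_md5`, `IV_BYTES`) are this example's own, and the test inputs are constructed. HMAC output is checked against Python's `hmac` module.

```python
import hashlib
import hmac
import math
import struct

# Per-round rotation amounts and additive constants of MD5 (RFC 1321).
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
K = [int(abs(math.sin(i + 1)) * 2**32) & 0xFFFFFFFF for i in range(64)]
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
IV_BYTES = struct.pack('<4I', *IV)   # the standard IV as a 16-byte NMAC key


def _rotl(x, c):
    return ((x << c) | (x >> (32 - c))) & 0xFFFFFFFF


def md5_compress(state, block):
    """One MD5 compression: (4 x 32-bit state, 64-byte block) -> new state."""
    a, b, c, d = state
    m = struct.unpack('<16I', block)
    for i in range(64):
        if i < 16:
            f, g = (b & c) | (~b & d), i
        elif i < 32:
            f, g = (d & b) | (~d & c), (5 * i + 1) % 16
        elif i < 48:
            f, g = b ^ c ^ d, (3 * i + 5) % 16
        else:
            f, g = c ^ (b | ~d), (7 * i) % 16
        f = (f + a + K[i] + m[g]) & 0xFFFFFFFF
        a, d, c, b = d, c, b, (b + _rotl(f, S[i])) & 0xFFFFFFFF
    return tuple((x + y) & 0xFFFFFFFF for x, y in zip(state, (a, b, c, d)))


def md5_with_iv(iv, msg, prefix_len=0):
    """MD5 of msg starting from chaining value iv (tuple of 4 ints).

    prefix_len is the number of bytes already absorbed into iv: 0 for NMAC,
    64 for HMAC, whose padded length counts the key block in front of msg.
    """
    total = prefix_len + len(msg)
    padded = msg + b'\x80' + b'\x00' * ((55 - total) % 64) + struct.pack('<Q', total * 8)
    state = iv
    for off in range(0, len(padded), 64):
        state = md5_compress(state, padded[off:off + 64])
    return struct.pack('<4I', *state)


def md5_digest(msg):
    return md5_with_iv(IV, msg)


def nmac_md5(k1, k2, msg):
    """NMAC-MD5: outer and inner MD5 with their IVs replaced by 16-byte keys k1, k2."""
    inner = md5_with_iv(struct.unpack('<4I', k2), msg)
    return md5_with_iv(struct.unpack('<4I', k1), inner)


def hmac_md5(key, msg):
    """HMAC-MD5 expressed as NMAC with keys derived from K^opad and K^ipad."""
    if len(key) > 64:
        key = md5_digest(key)
    key = key.ljust(64, b'\x00')
    k1 = md5_compress(IV, bytes(b ^ 0x5C for b in key))   # outer chaining value
    k2 = md5_compress(IV, bytes(b ^ 0x36 for b in key))   # inner chaining value
    inner = md5_with_iv(k2, msg, prefix_len=64)
    return md5_with_iv(k1, inner, prefix_len=64)


def matches_stdlib(key, msg):
    """Cross-check: our HMAC-MD5 equals the standard library's."""
    return hmac_md5(key, msg) == hmac.new(key, msg, hashlib.md5).digest()


if __name__ == '__main__':
    print(hmac_md5(b'key', b'The quick brown fox jumps over the lazy dog').hex())
    print(matches_stdlib(b'k' * 100, b'a' * 200))
```

With K1 = K2 = IV_BYTES, `nmac_md5` degenerates to MD5(MD5(m)), which makes the "keyed IV" view of NMAC visible; HMAC differs from NMAC only in how the two chaining values are obtained and in the 64 extra bytes counted by the padding.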

Keywords

HMAC, NMAC, MDx-MAC, MD5, distinguishing attack, key recovery

References

  1. Bellare, M., Canetti, R., Krawczyk, H.: Keying hash functions for message authentication. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 1–15. Springer, Heidelberg (1996)
  2. Bellare, M.: New proofs for NMAC and HMAC: Security without collision-resistance. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 602–619. Springer, Heidelberg (2006)
  3. Biham, E., Chen, R.: Near-collisions of SHA-0. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 290–305. Springer, Heidelberg (2004)
  4. Biham, E., Chen, R., Joux, A., Carribault, P., Lemuet, C., Jalby, W.: Collisions of SHA-0 and reduced SHA-1. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 36–57. Springer, Heidelberg (2005)
  5. den Boer, B., Bosselaers, A.: Collisions for the compression function of MD5. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 293–304. Springer, Heidelberg (1994)
  6. Contini, S., Yin, Y.L.: Forgery and partial key-recovery attacks on HMAC and NMAC using hash collisions. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 37–53. Springer, Heidelberg (2006)
  7. Fouque, P.-A., Leurent, G., Nguyen, P.Q.: Full key-recovery attacks on HMAC/NMAC-MD4 and NMAC-MD5. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 13–30. Springer, Heidelberg (2007)
  8. Galvin, J.M., McCloghrie, K., Davin, J.R.: Secure management of SNMP networks. Integrated Network Management II, pp. 703–714 (1991)
  9. Kim, J.-S., Biryukov, A., Preneel, B., Hong, S.H.: On the security of HMAC and NMAC based on HAVAL, MD4, MD5, SHA-0 and SHA-1 (Extended abstract). In: De Prisco, R., Yung, M. (eds.) SCN 2006. LNCS, vol. 4116, pp. 242–256. Springer, Heidelberg (2006)
  10. Preneel, B., van Oorschot, P.: MDx-MAC and building fast MACs from hash functions. In: Coppersmith, D. (ed.) CRYPTO 1995. LNCS, vol. 963, pp. 1–14. Springer, Heidelberg (1995)
  11. Rechberger, C., Rijmen, V.: On authentication with HMAC and non-random properties. In: Dietrich, S., Dhamija, R. (eds.) FC 2007. LNCS, vol. 4886, pp. 119–133. Springer, Heidelberg (2007)
  12. Rechberger, C., Rijmen, V.: New results on NMAC/HMAC when instantiated with popular hash functions. Journal of Universal Computer Science 14(3), 347–376 (2008)
  13. Rivest, R.L.: The MD5 message digest algorithm. Request for Comments (RFC 1321), Network Working Group (1992)
  14. Tsudik, G.: Message authentication with one-way hash functions. ACM Comput. Commun. Rev. 22(5), 29–38 (1992)
  15. Wang, L., Ohta, K., Kunihiro, N.: New key-recovery attacks on HMAC/NMAC-MD4 and NMAC-MD5. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 237–253. Springer, Heidelberg (2008)
  16. Wang, X., Lai, X., Feng, D., Chen, H., Yu, X.: Cryptanalysis of the hash functions MD4 and RIPEMD. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 1–18. Springer, Heidelberg (2005)
  17. Wang, X., Yu, H.: How to break MD5 and other hash functions. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 19–35. Springer, Heidelberg (2005)
  18. Wang, X., Yu, H., Yin, Y.L.: Efficient collision search attacks on SHA-0. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 1–16. Springer, Heidelberg (2005)
  19. Wang, X., Yin, Y.L., Yu, H.: Finding collisions in the full SHA-1. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 17–36. Springer, Heidelberg (2005)
  20. Yuval, G.: How to swindle Rabin. Cryptologia 3, 187–190 (1979)

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Xiaoyun Wang (1, 2)
  • Hongbo Yu (1)
  • Wei Wang (2)
  • Haina Zhang (2)
  • Tao Zhan (3)

  1. Center for Advanced Study, Tsinghua University, Beijing, China
  2. Key Laboratory of Cryptographic Technology and Information Security, Ministry of Education, Shandong University, Jinan, China
  3. Shandong University, Jinan, China
