Re: [CFRG] Reference for weakness in MAC=hash(key|msg) construct

Samuel Neves <samuel.c.p.neves@gmail.com> Fri, 13 May 2022 16:25 UTC

From: Samuel Neves <samuel.c.p.neves@gmail.com>
Date: Fri, 13 May 2022 17:24:36 +0100
Message-ID: <CAEX_ruH8wwxwFNJbvtZRzVS94gC0DorrYvRzgXyryUcm_sdhNQ@mail.gmail.com>
To: Robert Moskowitz <rgm-sec@htt-consult.com>
Cc: CFRG <cfrg@irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/858ZLDZZnp_Khrusi7ScGtmWkxM>

Tsudik described length-extension attacks for Merkle-Damgard
constructions in 1992 [1,2, Section 5.2], calling it the "padding
attack" and attributing it to Dave Solo and Steve Kent.

[1] https://doi.org/10.1145/141809.141812
[2] https://doi.org/10.1109/INFCOM.1992.263477

On Fri, May 13, 2022 at 3:25 PM Robert Moskowitz
<rgm-sec@htt-consult.com> wrote:
>
>
> I need to show that a MAC based on hash(key|msg) is bad and this has
> been known since the mid-90s.
>
> This is for the Drone Command and Control (C2) open protocol MAVlink's 6
> byte authentication:
>
> https://mavlink.io/en/guide/message_signing.html
>
> I am familiar with "Keying hash functions for message authentication
> (1996)" by Mihir Bellare, Ran Canetti, Hugo Krawczyk, but it does not
> clearly show the weakness of hash(key|msg).
> (https://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.134.8430)
>
> I attended Hugo's presentations of HMAC and SIGMA at the ISOC Security
> Conference in '96 and have been using them since.  But now I encounter,
> and have to deal with what I believe is a flawed design.  I need to show
> references that this was known flawed for 20 years prior to MAVlink 2.0
> (that added the auth).
>
> Well, anyway, what I learned 25 years ago set my mind that
> MAC=hash(key|msg) construct is flawed.  Details tend to get hazy over time.
>
> Note that MAVlink may be transported over UDP on port 14550.  By using
> RFC8750 (and a 12-byte ICV for GCM) and draft-mglt-ipsecme-diet-esp I
> can have ESP/AES-GCM-12/UDP in 16 bytes.  Compress the MAVlink Seq,
> Checksum, and Sig out, replacing them with this design in the same
> length (and include the 8 byte UDP cost).
>
> So anyway, the basic need is a reference on the weakness of the
> MAC=hash(key|msg) construct.
>
> thanks.
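As an added illustration (not part of this thread or of any project mentioned in it), here is a pure-Python SHA-256 whose chaining state can be set, used to check the property the thread is about: a tag computed as SHA256(key||msg) lets anyone who knows only the key's length derive the valid tag of a longer message, while HMAC-SHA256 does not. The key, message and extension values are constructed for the demonstration.

```python
import hashlib, hmac, math, struct
M = 0xFFFFFFFF
# SHA-256 constants derived exactly from integer roots of the first 64 primes (avoids transcription errors).
def _icbrt(n):
    x = round(n ** (1 / 3))
    while x ** 3 > n: x -= 1
    while (x + 1) ** 3 <= n: x += 1
    return x
PRIMES = [p for p in range(2, 312) if all(p % q for q in range(2, int(p ** 0.5) + 1))]
H0 = [math.isqrt(p << 64) & M for p in PRIMES[:8]]
K = [_icbrt(p << 96) & M for p in PRIMES[:64]]
def _rotr(x, n): return ((x >> n) | (x << (32 - n))) & M

def _compress(h, block):
    """One Merkle-Damgard compression step: absorb a 64-byte block into the 8-word chaining state."""
    w = list(struct.unpack(">16L", block))
    for i in range(16, 64):
        s0 = _rotr(w[i - 15], 7) ^ _rotr(w[i - 15], 18) ^ (w[i - 15] >> 3)
        s1 = _rotr(w[i - 2], 17) ^ _rotr(w[i - 2], 19) ^ (w[i - 2] >> 10)
        w.append((w[i - 16] + s0 + w[i - 7] + s1) & M)
    a, b, c, d, e, f, g, hh = h
    for i in range(64):
        t1 = (hh + (_rotr(e, 6) ^ _rotr(e, 11) ^ _rotr(e, 25)) + ((e & f) ^ (~e & g)) + K[i] + w[i]) & M
        t2 = ((_rotr(a, 2) ^ _rotr(a, 13) ^ _rotr(a, 22)) + ((a & b) ^ (a & c) ^ (b & c))) & M
        a, b, c, d, e, f, g, hh = (t1 + t2) & M, a, b, c, (d + t1) & M, e, f, g
    return [(x + y) & M for x, y in zip(h, (a, b, c, d, e, f, g, hh))]

def md_padding(total_len):
    """Merkle-Damgard padding SHA-256 appends to a message of total_len bytes."""
    return b"\x80" + b"\x00" * ((55 - total_len) % 64) + struct.pack(">Q", total_len * 8)

def sha256(msg, state=H0, prior_len=0):
    """SHA-256 of msg, resumable from a chaining `state` that already absorbed prior_len bytes (multiple of 64)."""
    data, h = msg + md_padding(prior_len + len(msg)), list(state)
    for i in range(0, len(data), 64):
        h = _compress(h, data[i:i + 64])
    return struct.pack(">8L", *h)  # the digest is simply the final chaining state: nothing hides it

def extend(tag, key_len, msg, ext):
    """From tag = H(key||msg) and only key's LENGTH, derive the tag of key||msg||padding||ext."""
    glue = md_padding(key_len + len(msg))
    new_tag = sha256(ext, struct.unpack(">8L", tag), key_len + len(msg) + len(glue))
    return msg + glue + ext, new_tag

def extends(mac, key, msg, ext):
    """True iff a verifier using `mac` accepts the extended message with the tag derived from mac(key, msg)."""
    forged_msg, forged_tag = extend(mac(key, msg), len(key), msg, ext)
    return hmac.compare_digest(forged_tag, mac(key, forged_msg))
PREFIX_MAC = lambda k, m: hashlib.sha256(k + m).digest()  # the MAC = hash(key|msg) construct under discussion
HMAC_SHA256 = lambda k, m: hmac.new(k, m, "sha256").digest()  # the fix: outer hash hides the inner state
```

The same `extend` step is fed both tags: with the prefix construct the extended message verifies, with HMAC it does not, which is exactly why the inner/outer structure of HMAC matters.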