IETF Logo Mail Archive

Re: [CFRG] Reference for weakness in MAC=hash(key|msg) construct

"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Fri, 13 May 2022 14:54 UTC

Return-Path: <prvs=3132ee0fa0=uri@ll.mit.edu>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4D919C14F723 for <cfrg@ietfa.amsl.com>; Fri, 13 May 2022 07:54:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.892
X-Spam-Level:
X-Spam-Status: No, score=-1.892 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YLnWtz_GA5Ja for <cfrg@ietfa.amsl.com>; Fri, 13 May 2022 07:54:31 -0700 (PDT)
Received: from MX2.LL.MIT.EDU (mx2.ll.mit.edu [129.55.12.51]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C3B1EC14EB1F for <cfrg@irtf.org>; Fri, 13 May 2022 07:54:30 -0700 (PDT)
Received: from LLEX2019-1.mitll.ad.local ([172.25.4.123]) by MX2.LL.MIT.EDU (8.16.1.2/8.16.1.2) with ESMTPS id 24DEsOWp247754 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Fri, 13 May 2022 10:54:24 -0400
ARC-Seal: i=1; a=rsa-sha256; s=arcselector5401; d=microsoft.com; cv=none; b=U84WWFp25/TgnvZMJmh/csWfXegPjfrZCFRrdf+41IxfkMBeGUQTv7iTqzodpKLu6G0XZ3B95zlnpm9hOF/RjXW1Q4Fw6M0KlJZYdw5QslZNKwEfR44JglG5eNguMEVvKGxAerywfIKtQuDQ+4O6lWRus2i9QP6BHXoBjIVR9/VrSgIsTqQZTWUfZXw1h8zH2DR8c9UdjhQSQrezrNiwRur85fpRoHzOX0s0tiSQdgX/npkUnvn96o4hme+7TdABffyPAs88dt9kquTekOrUbasrKYEGc2xG0NHNg+ck1LSUQOJPRBtrTO/vFsWt2M0+k8tHyWXOqsyPipZF4mK0Kw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector5401; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=OPhX+YXGACNyoiHREy2IRLcmdLhZ9UQUqc6d4aIxbzI=; b=er2ksEWY1P1OqEZkTetphd8U5wviedgid7JaVWcd83zwD2an/oKjDMu7sNCgFBCgGRo0SYxD8gBCfRxn8WpwcJREAPs+CcL6vsBRy19O8Jm28SoCztDPs81JR/F+cMRFHJP7DmphgHssp3TAoRheYB4drKertI4cRJSuESUfuo7wFC/9+Scg5m9v8gByjz+BmPj+a2nNaQnH+D9ANxF3kTo7QPHFM+t1PxmziuwZ9eKHBLgT1wmpEp33YYkyYa3G8h3a+SmuJUoZSmoq9jVUdOPtQLMvCKBCxjzJtnINN2/kL21ELuDQIh+feutqpGW+QKvgVA/U3ynn9RcTr5FuBQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ll.mit.edu; dmarc=pass action=none header.from=ll.mit.edu; dkim=pass header.d=ll.mit.edu; arc=none
From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
To: Robert Moskowitz <rgm-sec@htt-consult.com>, CFRG <cfrg@irtf.org>
Thread-Topic: [CFRG] Reference for weakness in MAC=hash(key|msg) construct
Thread-Index: AQHYZtU2Kdmh1idoFU6l2x6kKgAW4q0cofAA
Date: Fri, 13 May 2022 14:54:23 +0000
Message-ID: <208BCA61-EAB4-43E0-A4E9-10BD90A17975@ll.mit.edu>
References: <5eec9c58-4bfd-7ada-2fdd-90d1180100e1@htt-consult.com>
In-Reply-To: <5eec9c58-4bfd-7ada-2fdd-90d1180100e1@htt-consult.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.58.22021501
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 32e52f1c-2e77-4bad-e13a-08da34f077cf
x-ms-traffictypediagnostic: BN0P110MB1080:EE_
x-microsoft-antispam-prvs: <BN0P110MB1080EDC1E4B5328CEEA9FF1B90CA9@BN0P110MB1080.NAMP110.PROD.OUTLOOK.COM>
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: mBZYAEcsjkG+YmBLD3KX29wQgov2YyR4v4qiWQp+rdHclN7VejUriuda0b1CbO73B5/qjtg5+nEsffF9Gu+4LjwYvrliH193wUeo7BN6kCBUJCmMLrxSP7NxxM5iB04yqwLP57yD7VKAjh9/xcfZ4DLKiaLwPkAjuzI3i8MbyiYP7N9V1xMp1g4mw6Jb0nnst3yyRHGbCOttRe5tFLavzREyEuz0fpSlzu7GwfuSI6fCZL2032zd/wxjqyzS4fhfyU41bgIVbGrPhudY1D385s9o4EOknYSmw0QCFHXUN4rM5vT+5WqeYxcdnMP1Pvheb6HeVZhz9fsMBL0ao24HnWsVlY/k8BJgumWpf9lpRVlYPefOd71k2hZIUj7td6jUoYAUS+jXoft/3VfUargplmGu3fjCAonVwanD7S1cE2NzvBytSqeDwKFUeJWFfuLEuTTFDkj7I7Kt7pejleheM6T/twpuAVK3ycI+iZN/2DVE4lpejB5xhkpRH9geu4SNxSLUIcjK+6dqoyx9229TtL1yEaouvN66nJ3NoRDtbEX33vRrxBMGBxXPXuPhjJy/ae25ESmr0aAYF/iyfvJeAEuCcCyA7yZbfH0wHTnS8D9whXAojCC2N25I6f3l/M39ove+tA0o4r/tYPOqRCKItNUp3C8tlarvQ1mPqCNJcK0m39S0PRJf79Y0Ln3OZuFkYf2fxyoUIL4yhvNHsiMmiq990A2OokmkOPgjGM1GrL4=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BN0P110MB1419.NAMP110.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230001)(366004)(2616005)(122000001)(6506007)(86362001)(38070700005)(6512007)(38100700002)(26005)(186003)(5660300002)(966005)(6486002)(8936002)(71200400001)(75432002)(498600001)(99936003)(76116006)(66946007)(2906002)(33656002)(64756008)(66476007)(66556008)(66446008)(83380400001)(110136005)(8676002)(45980500001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: ml/5s0HmUgGLnz6xgEFcDZH42Hrk7mdrapijuhWHlUFx4LfAje+EVx9P4KI6c33RHCmcRRNXwE3BzHjNFyzhydmeKGo95Y5xNRu4A+SD/XWvistGC9CxMp96mwjohTpLvDu8DNKbYwrZxg8HxoATW0sxHDrfAAB8+sf4RICE0bVLzQN/vIYCfmFrJEne2OwdnQ/65nogvnkL6wkMFS3+noBitaZYQ3Xfq9/bAeKxec111Wb74HzmFHwh8jam6gSWsbvx0MXFQC/+asu7vV6vP4UK8E14wctcq6v3pUKSKz4gyzmcfVTP+d2CSR6a2TNzZoHEqXhO50yAku5HZwmCNqy5XB2Ly0/rjnLt3ofHYDKlYlPbJCvkwhFGecFhVnxaqbBcdjne9XAnol8SAfxnRyZBKIJdlhdT2u0lKVUHRU8=
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha256"; boundary="B_3735284062_2143402867"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BN0P110MB1419.NAMP110.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 32e52f1c-2e77-4bad-e13a-08da34f077cf
X-MS-Exchange-CrossTenant-originalarrivaltime: 13 May 2022 14:54:23.3098 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 83d1efe3-698e-4819-911b-0a8fbe79d01c
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN0P110MB1080
X-Proofpoint-ORIG-GUID: 98Ncr1Cn53Wmr4AWaYExBIhR5B7p0AMM
X-Proofpoint-GUID: 98Ncr1Cn53Wmr4AWaYExBIhR5B7p0AMM
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.486, 18.0.858 definitions=2022-05-13_04:2022-05-13, 2022-05-13 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 mlxlogscore=999 phishscore=0 adultscore=0 mlxscore=0 bulkscore=0 suspectscore=0 malwarescore=0 spamscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2202240000 definitions=main-2205130065
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/EKkmzB9MD2BcCIdc_zKa3sDoAuc>
Subject: Re: [CFRG] Reference for weakness in MAC=hash(key|msg) construct
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 May 2022 14:54:35 -0000

At the very least, MAC=H(key || msg) suffers from length extension attacks.

At the very least, use envelope method - see https://people.scs.carleton.ca/~paulv/papers/Euro96-2MACs.pdf and https://citeseerx.ist.psu.edu/viewdoc/download;jsessionid=5367681D1DA5BDA44A5247EEA2DB7AD2?doi=10.1.1.490.8595&rep=rep1&type=pdf 

Also, you may want to look at NMAC-related papers.
https://link.springer.com/chapter/10.1007/11818175_36 aka https://eprint.iacr.org/2006/043.pdf 

Having said all that - it appears that SHA-3 would *not* suffer from those vulnerabilities. As a precaution, the key must be padded to the complete block size.

TNX
-- 
V/R,
Uri
 

On 5/13/22, 10:24, "CFRG on behalf of Robert Moskowitz" <cfrg-bounces@irtf.org on behalf of rgm-sec@htt-consult.com> wrote:


    I need to show that a MAC based on hash(key|msg) is bad and this has 
    been known since the mid-90s.

    This is for the Drone Command and Control (C2) open protocol MAVlink's 6 
    byte authentication:

    https://mavlink.io/en/guide/message_signing.html

    I am familiar with "Keying hash functions for message authentication 
    (1996)" by Mihir Bellare , Ran Canetti , Hugo Krawczyk, but it does not 
    clearly show the weakness of hash (key|msg). 
    (https://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.134.8430)

    I attended Hugo's presentations of HMAC and SIGMA at the ISOC Security 
    Conference in '96 and have been using them since.  But now I encounter, 
    and have to deal with what I believe is a flawed design.  I need to show 
    references that this was known flawed for 20 years prior to MAVlink 2.0 
    (that added the auth).

    Well, anyway, what I learned 25 years ago set my mind that 
    MAC=hash(key|msg) construct is flawed.  Details tend to get hazy over time.

    Note that MAVlink may be transported over UDP on port 14550.  By using 
    RFC8750 (and a 12-byte ICV for GCM) and draft-mglt-ipsecme-diet-esp I 
    can have ESP/AES-GCM-12/UDP in 16 bytes.  Compress the MAVlink Seq, 
    Checksum, and Sig out, replacing them with this design in the same 
    length (and include the 8 byte UDP cost).

    So anyway, the basic need is a reference on the weakness of 
    MAC=hash(key|msg) construct

    thanks.


    _______________________________________________
    CFRG mailing list
    CFRG@irtf.org
    https://www.irtf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email