Re: [CFRG] Reference for weakness in MAC=hash(key|msg) construct

Richard Barnes <rlb@ipv.sx> Fri, 13 May 2022 14:48 UTC

References: <5eec9c58-4bfd-7ada-2fdd-90d1180100e1@htt-consult.com>
In-Reply-To: <5eec9c58-4bfd-7ada-2fdd-90d1180100e1@htt-consult.com>
From: Richard Barnes <rlb@ipv.sx>
Date: Fri, 13 May 2022 10:48:30 -0400
Message-ID: <CAL02cgR8pD2R+XV=RcHneSAGhQ+LVtqavq-L3XrMHap8d5FSpg@mail.gmail.com>
To: Robert Moskowitz <rgm-sec@htt-consult.com>
Cc: CFRG <cfrg@irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/Y5q8W5spdPupVpbBefzA2OrPAQk>
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>

The Wikipedia article on length extension attacks has some links on why
H(key|message) is bad if H is length-extensible (e.g., SHA-1, SHA-256).

https://en.wikipedia.org/wiki/Length_extension_attack

On Fri, May 13, 2022 at 10:25 AM Robert Moskowitz <rgm-sec@htt-consult.com>
wrote:

>
> I need to show that a MAC based on hash(key|msg) is bad and this has
> been known since the mid-90s.
>
> This is for the Drone Command and Control (C2) open protocol MAVlink's 6-byte
> authentication:
>
> https://mavlink.io/en/guide/message_signing.html
>
> I am familiar with "Keying hash functions for message authentication
> (1996)" by Mihir Bellare, Ran Canetti, Hugo Krawczyk, but it does not
> clearly show the weakness of hash(key|msg).
> (https://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.134.8430)
>
> I attended Hugo's presentations of HMAC and SIGMA at the ISOC Security
> Conference in '96 and have been using them since.  But now I encounter,
> and have to deal with what I believe is a flawed design.  I need to show
> references that this was known flawed for 20 years prior to MAVlink 2.0
> (that added the auth).
>
> Well, anyway, what I learned 25 years ago set my mind that
> MAC=hash(key|msg) construct is flawed.  Details tend to get hazy over time.
>
> Note that MAVlink may be transported over UDP on port 14550.  By using
> RFC8750 (and a 12-byte ICV for GCM) and draft-mglt-ipsecme-diet-esp I
> can have ESP/AES-GCM-12/UDP in 16 bytes.  Compress the MAVlink Seq,
> Checksum, and Sig out, replacing them with this design in the same
> length (and include the 8 byte UDP cost).
>
> So anyway, the basic need is a reference on the weakness of
> MAC=hash(key|msg) construct
>
> thanks.
>
>
> _______________________________________________
> CFRG mailing list
> CFRG@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg
>