Re: [CFRG] Reference for weakness in MAC=hash(key|msg) construct
Dan Harkins <dharkins@lounge.org> Fri, 13 May 2022 16:05 UTC
Return-Path: <dharkins@lounge.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B8DDEC185B0E for <cfrg@ietfa.amsl.com>; Fri, 13 May 2022 09:05:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.756
X-Spam-Level:
X-Spam-Status: No, score=-2.756 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-1.857, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URI_DOTEDU=1] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fpeX6Mll7CjF for <cfrg@ietfa.amsl.com>; Fri, 13 May 2022 09:05:23 -0700 (PDT)
Received: from www.goatley.com (www.goatley.com [198.137.202.94]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DB53FC15EB5F for <cfrg@irtf.org>; Fri, 13 May 2022 09:05:10 -0700 (PDT)
Received: from kitty.bergandi.net (cpe-76-176-14-122.san.res.rr.com [76.176.14.122]) by wwwlocal.goatley.com (PMDF V6.8 #2433) with ESMTP id <0RBT04N6CWOKHA@wwwlocal.goatley.com> for cfrg@irtf.org; Fri, 13 May 2022 11:05:08 -0500 (CDT)
Received: from [192.168.1.223] (kitty.dhcp.bergandi.net [10.0.42.19]) by kitty.bergandi.net (PMDF V6.8 #2433) with ESMTPSA id <0RBT00M7HWOIP8@kitty.bergandi.net> for cfrg@irtf.org; Fri, 13 May 2022 09:05:07 -0700 (PDT)
Received: from customer.lsancax1.pop.starlinkisp.net ([98.97.57.108] EXTERNAL) (EHLO [192.168.1.223]) with TLS/SSL by kitty.bergandi.net ([10.0.42.19]) (PreciseMail V3.3); Fri, 13 May 2022 09:05:07 -0700
Date: Fri, 13 May 2022 09:05:06 -0700
From: Dan Harkins <dharkins@lounge.org>
In-reply-to: <5eec9c58-4bfd-7ada-2fdd-90d1180100e1@htt-consult.com>
To: cfrg@irtf.org
Message-id: <17ec03ed-4420-cff4-729a-e18af595b20d@lounge.org>
MIME-version: 1.0
Content-type: text/plain; charset="UTF-8"; format="flowed"
Content-language: en-US
Content-transfer-encoding: 8bit
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Thunderbird/91.8.0
X-PMAS-SPF: SPF check skipped for authenticated session (recv=kitty.bergandi.net, send-ip=98.97.57.108)
X-PMAS-External-Auth: customer.lsancax1.pop.starlinkisp.net [98.97.57.108] (EHLO [192.168.1.223])
References: <5eec9c58-4bfd-7ada-2fdd-90d1180100e1@htt-consult.com>
X-PMAS-Software: PreciseMail V3.3 [220511] (kitty.bergandi.net)
X-PMAS-Allowed: system rule (rule allow header:X-PMAS-External noexists)
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/ruFlMHkbCVSQ7zew8DgmJrppy2I>
Subject: Re: [CFRG] Reference for weakness in MAC=hash(key|msg) construct
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 May 2022 16:05:27 -0000
Hi Bob, I see you have gotten quite a few suggestions on how to do it right but your question as I read it is more of "how can I show this is wrong?" You should ask the designers what security properties they think they have in their protocol and how that is going to be proven. You don't say what "hash" is in the Drone Command and Control protocol but if it's, say, the SHA2-family then you can point to Bellare and Rogaway's paper "Random Oracles are Practical" [1] where it says, "When instantiating a random oracle by a concrete function h, care must be taken first to ensure that h is adequately conservative in its design so as not to succumb to cryptanalytic attack, and second to ensure that h exposes no relevant 'structure' attributable to its being defined from some lower-level primitive. Examples of both types of pitfalls are given in Section 6. As explained in that section, standard hash functions like MD5 and SHA don't by themselves make good replacements for a random oracles; but one doesn't have to look much further. Candidate instantiations include hash functions with their outputs truncated; hash functions with their input lengths restricted; and hash functions used in some nonstandard way, such as h(x) = MD5(x | x). See Section 6." And I believe HMAC's construction is a suitable instantiation using a hash algorithm to produce a primitive with the desired properties. They're not doing HMAC though, so if they're using one of the SHA2-family of hash algorithms I think Bellare and Rogaway's paper is the reference you're looking for. regards, Dan. [1] https://dl.acm.org/doi/pdf/10.1145/168588.168596 On 5/13/22 7:24 AM, Robert Moskowitz wrote: > > I need to show that a MAC based on hash(key|msg) is bad and this has > been known since the mid-90s. > > This is for the Drone Command and Control (C2) open protocol MAVlink's > 6 byte authentication: > > https://mavlink.io/en/guide/message_signing.html > > I am familiar with "Keying hash functions for message authentication > (1996)" by Mihir Bellare , Ran Canetti , Hugo Krawczyk, but it does > not clearly show the weakness of hash (key|msg). > (https://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.134.8430) > > I attended Hugo's presentations of HMAC and SIGMA at the ISOC Security > Conference in '96 and have been using them since. But now I > encounter, and have to deal with what I believe is a flawed design. I > need to show references that this was known flawed for 20 years prior > to MAVlink 2.0 (that added the auth). > > Well, anyway, what I learned 25 years ago set my mind that > MAC=hash(key|msg) construct is flawed. Details tend to get hazy over > time. > > Note that MAVlink may be transported over UDP on port 14550. By using > RFC8750 (and a 12-byte ICV for GCM) and draft-mglt-ipsecme-diet-esp I > can have ESP/AES-GCM-12/UDP in 16 bytes. Compress the MAVlink Seq, > Checksum, and Sig out, replacing them with this design in the same > length (and include the 8 byte UDP cost). > > So anyway, the basic need is a reference on the weakness of > MAC=hash(key|msg) construct > > thanks. > > > _______________________________________________ > CFRG mailing list > CFRG@irtf.org > https://www.irtf.org/mailman/listinfo/cfrg -- "The object of life is not to be on the side of the majority, but to escape finding oneself in the ranks of the insane." -- Marcus Aurelius
- [CFRG] Reference for weakness in MAC=hash(key|msg… Robert Moskowitz
- Re: [CFRG] Reference for weakness in MAC=hash(key… Nimrod Aviram
- Re: [CFRG] Reference for weakness in MAC=hash(key… John Mattsson
- Re: [CFRG] Reference for weakness in MAC=hash(key… Richard Barnes
- Re: [CFRG] Reference for weakness in MAC=hash(key… Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] Reference for weakness in MAC=hash(key… Dan Harkins
- Re: [CFRG] Reference for weakness in MAC=hash(key… Robert Moskowitz
- Re: [CFRG] Reference for weakness in MAC=hash(key… Samuel Neves
- Re: [CFRG] Reference for weakness in MAC=hash(key… Yann Droneaud