Re: [saag] [Cfrg] attacks on keyed-hash constructions [was: Re: [cfrg] Further MD5 breaks: Creating a rogue CA certificate]

Christian Rechberger <christian.rechberger@iaik.tugraz.at> Wed, 07 January 2009 06:35 UTC

Date: Mon, 05 Jan 2009 21:35:08 +0100
From: Christian Rechberger <christian.rechberger@iaik.tugraz.at>
To: RJ Atkinson <rja@extremenetworks.com>
References: <200812301605.mBUG5cKU027325@raisinbran.srv.cs.cmu.edu> <9535147E88DA266C69B983D0@atlantis.pc.cs.cmu.edu> <p0624081dc5802a331eac@[10.20.30.158]> <alpine.LFD.1.10.0812301313570.2644@perf.cac.washington.edu> <200901051006.FAA20784@Sparkle.Rodents-Montreal.ORG> <EDF5EEB5-4363-4ED1-A865-66C073E17969@extremenetworks.com> <5F8E31B0-CD96-4ED1-83FD-883F0AD78657@cisco.com> <23490481-F122-4CEE-B0DE-57CBD06CCF11@extremenetworks.com>
In-Reply-To: <23490481-F122-4CEE-B0DE-57CBD06CCF11@extremenetworks.com>
Cc: "ietf-pkix@imc.org" <ietf-pkix@imc.org>, "cfrg@irtf.org" <cfrg@irtf.org>, "saag@ietf.org" <saag@ietf.org>, "ietf-smime@imc.org" <ietf-smime@imc.org>
Subject: Re: [saag] [Cfrg] attacks on keyed-hash constructions [was: Re: [cfrg] Further MD5 breaks: Creating a rogue CA certificate]

Quoting RJ Atkinson <rja@extremenetworks.com>:

>
>> HMAC seems to be secure given some reasonable assumptions about the  
>> hash functions (namely, that the underlying hash has a compression  
>> function that is a PRF - no collision resistance is required); see  
>> http://eprint.iacr.org/2006/043
>
> Thank you very much.
> Pointers to the literature are very helpful.
>
> One followup question, if I might, as a non-mathematician here.
>
> Does the community agree on whether MD5, SHA-0, SHA-1, and/or SHA-2
> meet the assumptions required by the HMAC proofs (e.g. your mention
> above that the hash "is a PRF -- no collision resistance is
> required") ???

That seems a very valid question, and indeed cryptographers have been
working on PRF properties, and violations of them can be used to
construct attacks on HMAC.

As opposed to unkeyed modes, none of the attacks which have been  
developed in recent years on HMAC (when instantiated with one of the  
popular hash functions) are practical.

Still, there are attacks on HMAC-MD4 (see e.g. [1]) and NMAC-MD5 (see
e.g. [1,2]). For HMAC-SHA-1, the best result is on reduced variants
(61/62 out of its 80 steps, see [2]).

To conclude, from a cryptanalyst point of view:
HMAC-MD4: please don't, attacks might become practical anytime
HMAC-MD5: only certificational attacks, nothing real or serious, but  
MD5 just does not look like a good PRF
HMAC-SHA-1: ok, some security margin left
HMAC-SHA-2: no concrete cryptanalytic results, most likely ok.


hth,
  Christian



[1] Pierre-Alain Fouque, Gaëtan Leurent, Phong Nguyen: Full
Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5, CRYPTO 2007.

[2] Christian Rechberger and Vincent Rijmen: On Authentication with  
HMAC and Non-Random Properties, Financial Cryptography 2007.


-- 
Christian Rechberger <Christian.Rechberger@iaik.tugraz.at>
Krypto Group - IAIK - TU Graz, Inffeldgasse 16a, A-8010 Graz, Austria
http://www.iaik.tugraz.at/content/research/krypto/
phone: +43 (0)316 873 5534  ---  fax: +43 (0)316 873 5594
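The thread above discusses HMAC in terms of the PRF property of the underlying compression function; the following Python is an added example (not part of the message or the cited papers) that spells out the nested RFC 2104 construction over hashlib so the two keyed hash calls, the key padding rule, and the hash-dependent block size are visible, and cross-checks it against an RFC 2202 test vector and the standard library. The hash names (md5, sha1, sha256, sha512) are assumed to be available in the local hashlib build.

```python
import hashlib
import hmac as std_hmac  # only used to cross-check the hand-built version


def hmac_nested(hash_name: str, key: bytes, msg: bytes) -> bytes:
    """HMAC written as the two nested hash calls of RFC 2104.

    inner = H((K' xor ipad) || msg)
    outer = H((K' xor opad) || inner)

    The secret key enters each hash only through its first block, i.e.
    through a single compression-function call keyed by K' xor pad.
    That is why the HMAC proof asks the compression function to be a
    PRF rather than asking the whole hash to be collision resistant.
    """
    block = hashlib.new(hash_name).block_size  # 64 for MD5/SHA-1/SHA-256, 128 for SHA-512
    if len(key) > block:
        # RFC 2104: keys longer than one block are hashed down first
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block, b"\x00")            # right-pad short keys with zeros
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.new(hash_name, ipad + msg).digest()
    return hashlib.new(hash_name, opad + inner).digest()


def verify(hash_name: str, key: bytes, msg: bytes, tag: bytes) -> bool:
    """Constant-time comparison so tag checking does not leak a byte prefix."""
    return std_hmac.compare_digest(hmac_nested(hash_name, key, msg), tag)


def matches_stdlib(hash_name: str, key: bytes, msg: bytes) -> bool:
    """True when the nested construction equals hmac.new(...) from the stdlib."""
    return hmac_nested(hash_name, key, msg) == std_hmac.new(key, msg, hash_name).digest()


if __name__ == "__main__":
    # RFC 2202 test case 1 for HMAC-MD5: key = 16 x 0x0b, data = "Hi There"
    tag = hmac_nested("md5", b"\x0b" * 16, b"Hi There")
    print("HMAC-MD5 :", tag.hex())
    print("verified :", verify("md5", b"\x0b" * 16, b"Hi There", tag))
    # a key longer than the SHA-256 block size exercises the hash-the-key rule
    print("SHA-256 matches stdlib:", matches_stdlib("sha256", b"k" * 100, b"msg"))
```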
