Re: Slow but secure has function for small data
Hello,

http://citeseer.ist.psu.edu/bellare06new.html is the core of the
argument. It doesn't say it in so many words, but it means that the
current attacks on the SHA-series (including MD5) are irrelevant to
HMAC provided the key itself is unknown (page 4 paragraph beginning
with Another Result). For the iterated construct I gave the first IV
is given to the attacker, but the final value is unknown because the
passphrase is assumed to contain entropy.

>>[..]

Thank you. As I get some spare time I'll read through that one. Very
interesting, not only for cryptographic purposes.

I think you should also have a look at this paper:

Scott Contini and Yiqun Lisa Yin,
"Forgery and Partial Key-Recovery Attacks
on HMAC and NMAC Using Hash Collisions"
ASIACRYPT'2006
http://www.springerlink.com/content/n4215443w0163746/

from the abstract:
===
In this paper, we analyze the security of HMAC and NMAC, both of which are hash-based message authentication codes. We present distinguishing, forgery, and partial key recovery attacks on HMAC and NMAC using collisions of MD4, MD5, SHA-0, and reduced SHA-1. Our results demonstrate that the strength of a cryptographic scheme can be greatly weakened by the insecurity of the underlying hash function.
===

So even though Bellare's proof shows that HMAC is secure assuming that
the hash function is a PRF it seems that this assumption is not true
for MD4 and MD5, so I would be cautious about Joseph's proposal
(at least in theory) if I needed a reduction to a really well studied
problem that is believed to be hard.


--
Krystian Matusiewicz
http://www.ics.mq.edu.au/~kmatus/
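The thread turns on the nested structure of HMAC, where the key is folded into the inner and outer hash calls, and on the fact that the security proof assumes the compression function behaves as a PRF. The following is an added example, not code from either poster: it implements the RFC 2104 construction generically over any hashlib digest so the same code can be instantiated with MD5 (the case the Contini and Yin paper weakens) or with SHA-256, checks the result against the standard library, and verifies tags in constant time. The `hmac_rfc2104`, `verify_tag` and `matches_stdlib` names are my own; the RFC 2104 HMAC-MD5 test vector (key of sixteen 0x0b bytes, message "Hi There") is used as a sanity check.

```python
import hashlib
import hmac


def hmac_rfc2104(key: bytes, msg: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC(K, m) = H((K' xor opad) || H((K' xor ipad) || m)), per RFC 2104.

    K' is the key zero-padded to the hash block size (keys longer than the
    block are first hashed). The inner and outer digests both depend on the
    secret key, which is what the Bellare argument relies on: an attacker
    never sees the chaining value after the key block has been absorbed.
    This is illustrative; production code should call hmac.new() directly.
    """
    h = getattr(hashlib, hash_name)          # e.g. hashlib.md5, hashlib.sha256
    block_size = h().block_size              # 64 bytes for MD5/SHA-1/SHA-256
    if len(key) > block_size:
        key = h(key).digest()
    key = key.ljust(block_size, b"\x00")     # K' = key padded with zero bytes
    ipad = bytes(b ^ 0x36 for b in key)      # inner pad
    opad = bytes(b ^ 0x5C for b in key)      # outer pad
    inner = h(ipad + msg).digest()
    return h(opad + inner).digest()


def verify_tag(key: bytes, msg: bytes, tag: bytes, hash_name: str = "sha256") -> bool:
    """Recompute the tag and compare in constant time (no early exit on the
    first differing byte), so the comparison itself leaks nothing about the
    expected tag."""
    expected = hmac_rfc2104(key, msg, hash_name)
    return hmac.compare_digest(expected, tag)


def matches_stdlib(key: bytes, msg: bytes, hash_name: str) -> bool:
    """Cross-check the hand-written construction against hmac.new()."""
    return hmac_rfc2104(key, msg, hash_name) == hmac.new(key, msg, hash_name).digest()


if __name__ == "__main__":
    # Constructed inputs: RFC 2104 test case 1 for HMAC-MD5.
    key = b"\x0b" * 16
    msg = b"Hi There"
    print("HMAC-MD5   :", hmac_rfc2104(key, msg, "md5").hex())
    # Same construction, swapping the underlying hash for SHA-256.
    print("HMAC-SHA256:", hmac_rfc2104(key, msg, "sha256").hex())
    for name in ("md5", "sha1", "sha256"):
        print(name, "matches hashlib:", matches_stdlib(key, msg, name))
```

The point of writing the construction out rather than calling `hmac.new()` is to make the hash-function dependence visible: everything above the two `h(...)` calls is fixed by RFC 2104, so whether the resulting MAC inherits a clean PRF-based security argument comes down entirely to the digest passed in `hash_name`.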