Re: Strength of HMAC-SHA1-32



Kristian Gjøsteen wrote:
> If you can have a sufficiently long key, a 32-bit HMAC-SHA1-32 will
> ensure that the attacker can forge MAC tags with probability at most
> 2^(-32). If you can live with that forgery probability (few packets,
> not so big a problem if a few packets are forged, etc.), then you
> can probably live with HMAC-SHA1-32.

One technique that can help in some settings is to use hash chaining:
Each packet contains the HMAC of the packet payload as well as a hash
of all prior packets. In this way, an attacker who modifies one packet
will have a 1/2^32 chance of escaping immediate detection, but even if
the attack is not immediately detected, the attack will likely be
detected on the next packet (when the attacker will not be able to fix
up the MAC on the subsequent packet). In some settings, this may be
tolerable, because there may not be much harm that an attacker can do
by tampering with a single packet. For instance, consider VOIP, where
disrupting a single packet of voice data is probably not going to have
much of an impact on overall call quality.

Now there are several pitfalls and shortcomings here. For one thing,
this approach can only be applied straightforwardly if the underlying
medium provides in-order reliable delivery -- which is usually not the
case, where short MACs are needed. There are some more complex schemes
that attempt to do something about this but I'm not sure how convincing
they are. Also, the application layer has to be designed carefully to
ensure that introducing a single forged packet is not sufficient to
cause devastating harm. Nonetheless, if there is no other alternative,
some approach along these lines may be worth considering, as it may well
be better than nothing.
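
The chaining idea from the reply above, as an added example that is not part of the original post. It assumes the 32-bit tag is HMAC-SHA1 over (running hash of all prior payloads || payload) with the running hash kept locally rather than transmitted; the class name, key and initial chain value are constructed for illustration, and the "lucky" forgery is simulated with the key to stand in for the 2^(-32) event.

```python
import hashlib
import hmac

TAG_LEN = 4  # HMAC-SHA1-32: keep the first 32 bits of the HMAC-SHA1 output


class ChainedMac:
    """One endpoint: the shared MAC key plus a running hash of all prior payloads."""

    def __init__(self, key: bytes):
        self.key = key
        self.chain = hashlib.sha1(b"").digest()  # constructed initial chain value

    def tag(self, payload: bytes) -> bytes:
        # The tag binds this payload to everything accepted before it.
        mac = hmac.new(self.key, self.chain + payload, hashlib.sha1)
        return mac.digest()[:TAG_LEN]

    def advance(self, payload: bytes) -> None:
        self.chain = hashlib.sha1(self.chain + payload).digest()

    def send(self, payload: bytes) -> bytes:
        packet = payload + self.tag(payload)
        self.advance(payload)
        return packet

    def receive(self, packet: bytes) -> bool:
        payload, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        if not hmac.compare_digest(tag, self.tag(payload)):
            return False  # rejected; chain state is left unchanged
        self.advance(payload)
        return True


def demo():
    key = b"constructed-demo-key-0123456789"  # constructed sample key
    sender, receiver = ChainedMac(key), ChainedMac(key)
    p1, p2, p3 = [sender.send(m) for m in (b"frame-1", b"frame-2", b"frame-3")]
    ok1 = receiver.receive(p1)
    # Simulate the 2^-32 event: a modified packet 2 that happens to carry a
    # valid tag. The key is used here only to stand in for that lucky guess.
    forged = b"FORGED!"
    ok2 = receiver.receive(forged + receiver.tag(forged))
    # The receiver's chain now differs from the sender's, so the genuine
    # packet 3 no longer verifies and the earlier tampering becomes visible.
    ok3 = receiver.receive(p3)
    return ok1, ok2, ok3


if __name__ == "__main__":
    print(demo())
```

The same state dependence is why a lost or reordered packet also makes the next one fail, which is the in-order reliable delivery requirement noted in the reply.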