## Forgery and Partial Key-Recovery Attacks on HMAC and NMAC Using Hash Collisions, Cryptology ePrint Report 2006/319 (2006)

Citations: 22 (0 self)

### BibTeX

@MISC{Contini06forgeryand,

author = {Scott Contini and Yiqun Lisa Yin},

title = {Forgery and Partial Key-Recovery Attacks on HMAC and NMAC Using Hash Collisions, Cryptology ePrint Report 2006/319},

year = {2006}

}

### Abstract

In this paper, we analyze the security of HMAC and NMAC, both of which are hash-based message authentication codes. We present distinguishing, forgery, and partial key recovery attacks on HMAC and NMAC using collisions of MD4, MD5, SHA-0, and reduced SHA-1. Our results demonstrate that the strength of a cryptographic scheme can be greatly weakened by the insecurity of the underlying hash function.

### Citations

494 | Differential Cryptanalysis of DES-like Cryptosystems
- Biham, Shamir
- 1991
Citation Context ...acks on NMAC-MD5. In this section, we discuss some properties of the pseudo-collisions under the framework of differential cryptanalysis. Differential cryptanalysis was introduced by Biham and Shamir [8] to analyze the security of DES. The idea also applies to the analysis of hash functions. In a hash collision attack, we consider input pairs with an appropriately defined difference and analyze how t...

477 | Keying hash functions for message authentication
- Bellare, Canetti, et al.
- 1996
Citation Context ...he fixed-IV variant HMAC. Let $\mathrm{const}_1$ and $\mathrm{const}_2$ be two fixed constants. The HMAC function, on input message $m$ and a single secret key $k$, is defined as: $k_1 = f(IV, k \oplus \mathrm{const}_1)$ (1), $k_2 = f(IV, k \oplus \mathrm{const}_2)$ (2), $\mathrm{HMAC}_k(m) = \mathrm{NMAC}_{(k_1,k_2)}(m)$. In the above description for HMAC, we can consider Equations (1) and (2) together as a key derivation function KDF which takes a single secret key k and outputs a pair of ...

215 | How to Break MD5 and Other Hash Functions
- Wang, Yu
- 2005
Citation Context ...ion function in HMAC is a PRF. The provable security of HMAC, besides its efficiency and elegancy, was an important factor for its wide deployment. However, recent collision attacks on hash functions [21,24] imply that assumption (A2) in the original proof no longer holds when considering concrete constructions such as HMAC-MD5 and HMAC-SHA1. To fix this problem, Bellare recently showed [1] that NMAC is ...

168 | Finding collisions in the full SHA-1
- Wang, Yin, et al.
- 2005

158 | New types of cryptanalytic attacks using related keys
- Biham
- 1994
Citation Context ...he underlying functions are MD4, SHA-0, and reduced SHA-1. They did not consider key recovery attacks. Some of our attacks are in the related-key setting. Related-key attacks were introduced by Biham [5] and Knudsen [14] to analyze block ciphers. A theoretical treatment of related-key attacks was given by Bellare and Kohno [4]. The relevance of related-key cryptanalysis is debated in the cryptographi...

82 | New Proofs for NMAC and HMAC: Security without Collision-Resistance
- Bellare
- 2006
Citation Context ...en implemented in widely used security protocols including SSL, TLS, SSH, and IPsec. NMAC, although less known in the practical world, is the theoretical foundation of HMAC — existing security proofs [2,1] were first given for NMAC and then extended to HMAC. It is commonly believed that the two schemes have identical security. The constructions of HMAC and NMAC are based on a keyed hash function Fk(m) ...

78 | MDx-MAC and Building Fast MACs from Hash Functions
- Preneel, Oorschot
- 1995
Citation Context ...orgery attack, in which the adversary can produce a valid message/tag pair without knowing the secret key. For MACs that are based on iterative hash functions, there is a birthday-type forgery attack [17,3] that requires about $2^{n/2}$ MAC queries, where n is the length of the authentication tag. HMAC and NMAC are both hash-based MACs. Let F be the underlying hash function and f be the compression function...

74 | Merkle-Damgård Revisited: How to Construct a Hash Function
- Coron, Dodis, et al.
- 2005
Citation Context ... the driving force behind proposals with formal security proofs, namely HMAC and NMAC [2]. Since their publication, most of the security analysis was provided by the designers. Recently, Coron et al. [11] studied the security of HMAC and NMAC in the setting of constructing iterative hash functions. After our submission to Asiacrypt’06, we learned that Kim et al. [15] did independent work on distinguis...

55 | Collisions for the Compression function of MD5
- Boer, Bosselaers
- 1995

48 | A theoretical treatment of related-key attacks: RKA-PRPs, RKA-PRFs, and applications
- Bellare, Kohno
- 2003
Citation Context ...e in the related-key setting. Related-key attacks were introduced by Biham [5] and Knudsen [14] to analyze block ciphers. A theoretical treatment of related-key attacks was given by Bellare and Kohno [4]. The relevance of related-key cryptanalysis is debated in the cryptographic community. For example, some suggest that the attacks are only practical in poorly implemented protocols. On the other hand...

21 | On the security of
- Kim, Biryukov, et al.
- 2006
Citation Context ... designers. Recently, Coron et al. [11] studied the security of HMAC and NMAC in the setting of constructing iterative hash functions. After our submission to Asiacrypt’06, we learned that Kim et al. [15] did independent work on distinguishing and forgery attacks on HMAC and NMAC when the underlying functions are MD4, SHA-0, and reduced SHA-1. They did not consider key recovery attacks. Some of our at...

9 | A key recovery attack on
- Preneel, van Oorschot
- 1996

8 | A key recovery attack on the ANSI X9.19 retail MAC
- Preneel, van Oorschot
- 1996

4 | Note on Distinguishing, Forgery, and Second Preimage Attacks on HMAC-SHA-1 and a Method to Reduce the Key Entropy of NMAC, 2006, URL: http://citeseer.ist.psu.edu/cache/papers/cs2/338/http:zSzzSzeprint.iacr.orgzSz2006zSz290.pdf/note-on-distinguishing-for
- Rechberger, Rijmen

3 | Collisions for the Compression Function of MD5. EUROCRYPT
- Boer, Bosselaers
- 1993
Citation Context ...d NMAC based upon weaknesses of the underlying hash function. Our analysis is based upon existing analyses of hash functions, especially the attacks on MD4, MD5, SHA-0, and reduced SHA-1 presented in [25,9,10,7]. We first show that the collision differential path in these earlier attacks can be used to construct distinguishing attacks on the keyed compression function fk. Hence, for MD4, MD5, SHA-0, and r...

1 | Merkle-Damgard Revisited: How to Construct a Hash Function. CRYPTO 2005. 12. The GNU Crypto project
- Chabaud, Joux
- 1998

1 | On the Security of Two MAC Algorithms. EUROCRYPT
- Preneel, Oorschot
- 1996

1 | The Second-Preimage Attack on MD4. CANS 2005. Available on Springerlink web site. A The bit flipping algorithms We first give the bit flipping algorithm in Figure 1. This is for the simplified MD5 step function where the rotation is eliminated. For j
- Yu, Wang, et al.
Citation Context ...d NMAC based upon weaknesses of the underlying hash function. Our analysis is based upon existing analyses of hash functions, especially the attacks on MD4, MD5, SHA-0, and reduced SHA-1 presented in [25,9,10,7]. We first show that the collision differential path in these earlier attacks can be used to construct distinguishing attacks on the keyed compression function fk. Hence, for MD4, MD5, SHA-0, and r...