New Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5

Transcription

1 New Key-Recovery Attacks on MAC/NMAC-MD4 and NMAC-MD5 Lei Wang, Kazuo Ohta and Noboru Kunihiro* The University o Electro-Communications * The University o Tokyo at present. 1

2 Motivation o This Research MAC has been widely applied in many protocols including SSL, TLS, SS, IPSec and so on. NMAC is theoretical oundation o MAC: attacks on NMAC (without related-key setting) can be applied to MAC. In this presentation, we will pick NMAC as an example. 2

3 Structure o NMAC M k 2 k 1 M: massage; k 1 : the outer key; One structural weakness o NMAC based on iterating hash unctions: k 1 k 2 : the inner key; and k 2 can be recovered separately. Corresponding hash unctions will be the inner and outer hash unctions. 3

4 General Key-Recovery Attacks on NMAC Proposed by Preneel and van Oorschot in 1999: Crucial idea: generate a collision in the inner hash unction by the birthday attack. M k 2 k 1 1. Obtain one pair messages (M, M ) cause collision o NMAC. k 2 M collision 2. Randomly generate r, and check whether (M r, M r) collide. I collision does not happen, repeat steps 1 and 2. k 1 4

5 General Key-Recovery Attacks on NMAC Proposed by Preneel and van Oorschot in 1999: Crucial idea: generate a collision in the inner hash unction by the birthday attack. M k 2 To recover k 2 : k 1 1. guess the value o k 2. k 2 M collision 2. check whether the guessed k 2 can satisy that (M, M ) cause the inner collision. k 1 5

6 General Key-Recovery Attacks on NMAC Proposed by Preneel and van Oorschot in 1999: Crucial idea: generate a collision in the inner hash unction by the birthday attack. M k 2 To recover k 1 ater k 2 has been recovered: recovered k 1 1. guess the value o k 1. k 2 M 2. check whether the guessed k 1 can satisy that NMAC(M) using guessed k 1 is the same with orginal value. k 1 6

7 Security Boundary o NMAC M Suppose bit-length o hash value and secret keys is n: Whatever is, k 2 NMAC One collision can I underlying be ound by hash 2 n/2 queries unction with is weak, more a high probability powerul using the key-recovery birthday attack. attack is possible. k 1 Both secret keys o NMAC can be recovered with 2 n/2 online queries and 2 n+1 oline computations. 7

8 Key-Recovery Attacks on NMAC Wang et al. revealed weakness o several hash unctions rom MD4 amily, which leaded to key-recovery attacks on NMAC based on speciic weak hash unctions: At Asiacrypt 2006, Contini and Yin proposed inner-key recovery attacks on NMAC instantiated with MD4, MD5, SA-1. At Crypto 2007, Fouque, Leurent and Nguyen proposed ull-key recovery attacks on NMAC-MD4 and NMAC-MD5. At Financial Crypt 2007, Rechberger and Rijmen proposed ull-key recovery attacks on NMAC-MD5 and NMAC-SA-1. 8

9 Key-Recovery Attacks on NMAC Wang et al. revealed weakness o several hash unctions rom MD4 amily, which leaded to key-recovery attacks on NMAC based on speciic weak hash unctions: At Asiacrypt 2006, Contini and Yin proposed inner-key recovery attacks on NMAC instantiated with MD4, MD5, SA-1. At Crypto 2007, Fouque, Leurent and Nguyen proposed ull-key recovery attacks on NMAC-MD4 and NMAC-MD5. At Financial Crypt 2007, Rechberger and Rijmen proposed ull-key recovery attacks on NMAC-MD5 and NMAC-SA-1. Related to our research. 9

10 Framework o Key-Recovery Attacks 1. Online work. Secret key will be partially recovered by online queries. 2. Oline work. Theoretically interesting! In this presentation, we only ocus on online work. The remaining part o secret key will be recovered by the exhaustive search. 10

11 Previous Outer-Key Recovery Attack Previous outer-key recovery attacks on MAC/NMAC-MD4 and NMAC-MD5: NMAC M 1 : the value is known based on the knowledge o k 2. 2 : detect whether collision happens. k 2 1 MD4: set conditions on k 1 or collision attack. k 1 2 I collision happens with expected number o pair queries, k 1 can satisy the conditions; Otherwise, k 1 can not satisy the conditions. 11

12 Previous Outer-Key Recovery Attack Previous outer-key recovery attacks on MAC/NMAC-MD4 and NMAC-MD5: NMAC M 1 : the value is known based on the knowledge o k 2. 2 : detect whether collision happens. k 2 1 MD5: recover internal states in outer MD5, and then inverse calculate k 1. k 1 2 modiying the value at point conditions on internal states. 1 to set I collision happens with expexted number o queries, internal states satisy conditions. 12

13 Analysis o previous work k 2 NMAC M We will reduce the complexity or these two cases! k The outer-key recovery attack is much more expensive than the inner key recovery attack. Main reason: control ability and reedom lost at point. 1 MD4: pre-determined pair dierence should be generated. MD5: partially pre-ixed pair values should be generated during modiiying inner hash values. 13

14 Advantages o Our Attack (MD4) MAC/NMAC-MD4: Previous work: Point 1 : generate pre-determined pair dierence. Dierential attack: real collision. Our work: Point 1 : the same with previous work. Dierential attack: near collision attack, which reduces the complexity, since generating one near-collision needs less pair queries. Moreover it can recover more bit- values. 14

15 Advantages o Our Attack (MD4) [FLN 07] Our Work Online complexity #bits by online Oline comlexity Total complexity MAC/NMAC-MD4: both online and oline complexities have been improved. 15

16 Advantages o Our Attack (MD5) NMAC-MD5: Previous work: Point 1 the number o pre-ixed values will increase with the number o recovered bits. : generate partially pre-ixed values. Dierential attack: real collision (FLN work), near-collision (RR work). Our work: Point 1 : not necessary (online work). k 1 can be recovered partially without the knowledge o k 2 at all. Dierential attack: near-collision. 16

17 NMAC-MD5: Previous work: Point Advantages o Our Attack (MD5) 1 : generate partially pre-ixed values. Dierential attack: real collision (FLN work), near-collision (RR work). Up to 53 bits can be recovered. Our work: Point 1 Complexity becomes higher than the exhaustive search to recover remaining bits ater 28 bits recovered. : not necessary (online work). k 1 can be recovered partially without the knowledge o k 2. Dierential attack: near collision attack. 17

18 Usage o Near-collision attacks In Financial Cryptography 2007, Rechberger and Rijmen utilized near-collisions on MD5 to recover the outer key o NMAC-MD5, which might be the irst usage o near-collision to attack MAC and NMAC. 18

19 Advantages o Our Attack (MD5) [FLN 07] [RR 07] Our Work Online complexity #bits by online Oline comlexity Total complexity NMAC-MD5: more bit-values can be recovered by online work. The outer key can be partially recovered without the knowledge o the inner key. 19

20 One Novelty o Our Attack k 2 NMAC M k 1 A new approach o key-recovery technique: utilizing eed-orward operation. The inner hash value ater padding is only one block: CF: compression unction. M 0 M 1 M n IV CF CF CF 20

21 One Novelty o Our Attack k 2 NMAC M k 1 A new approach o key-recovery technique: utilizing eed-orward operation. The inner hash value ater padding is only one block: CF: compression unction. h in k 1 CF NMAC value 21

22 CFs o MD4 and MD5 CFs o MD5 and MD4 : h in E denotes n-step updating unctions: n is 64 and 48 or MD5 and MD4 respectively. CF k 1 E + NMAC value We will obtain output o E, then recover k 1. 22

23 Our outer key-recovery attacks on MAC/NMAC-MD4 We will omit description o NMAC-MD5 case because o limited time. 23

24 Procedure o Our Attack 1. Obtain output o E in the outer MD4. h in E k 1 + NMAC value 24

25 Obtain Output o E or MD4 Case 1. Determine message dierence and dierential path or nearcollision attack: Model o near-collision attack: Local collisions. The other dierences only exist in last several steps. 25

26 Our Near-Collision on MD4 Message dierences: m 3 = 2 i Dierential path: The local Collision rom step 1 until step 29; The other dierences only exist in the last 4 steps in third round. 26

27 3R o MD4 a 32 b 32 c 32 d 32 a 36 b 36 c 36 d 36 a 40 b 40 c 40 d 40 a 44 b 44 c 44 d 44 m 0 m 2 m 1 2 i m 3 <<< 3 <<< 3 <<< 3 <<< 3 a 33 b 33 c 33 d 33 a 37 b 37 c 37 d 37 a 41 b 41 c 41 d 41 a 45 b 45 c 45 d 45 m 8 m 10 m 9 m 11 <<< 9 <<< 9 <<< 9 <<< 9 a 34 b 34 c 34 d 34 a 38 b 38 c 38 d Local collision 38 a 42 b 42 c 42 d 42 a 46 b 46 c 46 d 46 m 4 m 6 m 5 m 7 <<< 11 <<< 11 <<< 11 <<< 11 a 35 b 35 c 35 d 35 a 39 b 39 c 39 d 39 a 43 b 43 c 43 d 43 a 47 b 47 c 47 d 47 m 12 m 14 Local m 13 collision <<< 15 <<< 15 <<< 15 <<< 15 m 15 a 36 b 36 c 36 d 36 a 40 b 40 c 40 d 40 a 44 b 44 c 44 d 44 a 48 b 48 c 48 d 48 27

28 Obtain Output o E or MD4 Case 1. Determine message dierence and dierential path or nearcollision attack 2. Obtain output o E by detecting near-colliding shape. 28

29 One Weakness o Feed-Forward Operation (k a, k b, k c, k d ): 128-bit k 1 divided into our 32-bit values. (a 48, b 48, c 48, d 48 ): output o E in the outer MD4 divied into our 32- bit values. (h a, h b, h c, h d ): inal output o NMAC divided into our 32-bit values. (h a, h b, h c, h d ) = (k a + a 48, k b + b 48, k c + c 48, k d + d 48 ) Consequently, we can obtain output o E by detecting dierence propagation in last 4 steps. h a = a 48 h b = b 48 h c = c 48 h d = d 48 29

30 a 44 b 44 c 44 d 44 One Toy Example collision a 44 b 44 c 44 d 44 m 3 m 11 <<< 3 <<< a 45 b 45 c 45 d 45 9 a 46 b 46 c 46 d 46 m 3 m 3 = 2 i+3 near-collision shape: h a = 2 i+3 ; h c = 2 i i i+23 ; h d = 2 i+12 ; m 3 m 11 <<< 3 a 45 b 45 c 45 d 45 <<< 9 a 46 b 46 c 46 d 46 m 7 m 7 <<< 11 <<< 11 m 15 a 47 b 47 c 47 d 47 <<< 15 a 48 b 48 c 48 d 48 a 48 = 2 i+3 ; c 48 = 2 i i i+23 ; d 48 = 2 i+12 ; m 15 a 47 b 47 c 47 d 47 <<< 15 a 48 b 48 c 48 d 48 30

31 a 44 b 44 c 44 d 44 One Toy Example collision a 44 b 44 c 44 d 44 m 3 m 11 <<< 3 <<< a 45 b 45 c 45 d 45 9 a 46 b 46 c 46 d 46 m 3 m 3 = 2 i+3 near-collision shape: h a = 2 i+3 ; h c = 2 i i i+23 ; h d = 2 i+12 ; m 3 m 11 <<< 3 a 45 b 45 c 45 d 45 <<< 9 a 46 b 46 c 46 d 46 m 7 m 7 <<< 11 <<< 11 m 15 a 47 b 47 c 47 d 47 <<< 15 a 48 b 48 c 48 d 48 a 48 = 2 i+3 ; c 48 = 2 i i i+23 ; d 48 = 2 i+12 ; m 15 a 47 b 47 c 47 d 47 <<< 15 a 48 b 48 c 48 d 48 31

32 m 3 a 44 b 44 c 44 d 44 <<< 3 One Toy Example collision a 44 b 44 c 44 d 44 m 3 <<< 3 m 11 a 45 b 45 c 45 d 45 <<< 9 b 45 = a 48 = 2 i+3 ; m 11 a 45 b 45 c 45 d 45 <<< 9 m 7 a 46 b 46 c 46 d 46 b 46 = d 48 = 2 i+12 ; m 7 a 46 b 46 c 46 d 46 <<< 11 a 47 b 47 c 47 d 47 b 47 = c 48 = 2 i i i+23 ; <<< 11 a 47 b 47 c 47 d 47 m 15 <<< 15 m 15 <<< 15 a 48 b 48 c 48 d 48 a 48 b 48 c 48 d 48 32

33 m 3 a 44 b 44 c 44 d 44 <<< 3 One Toy Example collision a 44 b 44 c 44 d 44 m 3 <<< 3 m 11 a 45 b 45 c 45 d 45 <<< 9 b 45 = a 48 = 2 i+3 ; m 11 a 45 b 45 c 45 d 45 <<< 9 m 7 a 46 b 46 c 46 d 46 b 46 = d 48 = 2 i+12 ; m 7 a 46 b 46 c 46 d 46 <<< 11 a 47 b 47 c 47 d 47 b 47 = c 48 = 2 i i i+23 ; <<< 11 a 47 b 47 c 47 d 47 m 15 <<< 15 m 15 <<< 15 a 48 b 48 c 48 d 48 a 48 b 48 c 48 d 48 33

34 One Toy Example a 46 b 46 c 46 d 46 a 46 b 46 c 46 d 46 m 7 m 7 <<< 11 <<< 11 a 47 b 47 c 47 d 47 b 47 should be caused by b 46 and c 46 : c 46 = 2 i+3 ; b 46 = 2 i+12 ; b 47 = 2 i i i+23 ; unction works bit-independently a 47 b 47 c 47 d 47 Both 2 i+14 and 2 i+15 are caused by 2 i+3 o c

35 One Toy Example a 46 b 46 c 46 d 46 a 46 b 46 c 46 d 46 m 7 m 7 <<< 11 <<< 11 a 47 b 47 c 47 d 47 a 47 b 47 c 47 d 47 Both 2 i+14 and 2 i+15 are caused by 2 i+3 o c 46. unction works bit-independently c 46 : + 2 i+3 : c 46 : i

36 One Toy Example a 44 b 44 c 44 d 44 m 3 <<< 3 a 45 b 45 c 45 d 45 near-collision shape: h a = 2 i+3 ; h c = 2 i i i+23 ; m 11 h d = 2 i+12 ; <<< 9 m 7 a 46 b 46 c 46 d 46 <<< 11 a 48,i+3 = c 46, i+3 =1; m 15 a 47 b 47 c 47 d 47 <<< 15 a 48 b 48 c 48 d 48 By similar way, we will obtain many messages such that bit-values o output o E has been recovered. 36

37 Procedure o Our Attack 1. Obtain output o E o the outer MD4. 2. Recover the outer key using output o E o the outer MD4. 37

38 The Toy Example We obtained one message such that a 48, i+3 =1, and its corresponding MAC value: 31 ~ i+4 i+3 i+2 ~ 0 k a : + a 48 : 1 h a : Carry inluence rom bits i+2 to i+3? Can be calculated! Known h a,(i+2)~0 k a, (i+2)~0 : no carry during k a, (i+2)~0 +a 48, (i+2)~0 h a,(i+2)~0 <k a, (i+2)~0 : a carry during k a, (i+2)~0 +a 48, (i+2)~0 38

39 The Toy Example We obtained one message such that a 48, i+3 =1, and its corresponding MAC value: 1. Guess the values k a, (i+2)~0. By similar way, we can recover the outer key 2. Compare k a, (i+2)~0 partially with using h a, (i+2)~0 the. obtained messages. h a,(i+2)~0 k a, (i+2)~0 : no carry during k a, (i+2)~0 +a 48, (i+2)~0 h a,(i+2)~0 <k a, (i+2)~0 : a carry during k a, (i+2)~0 +a 48, (i+2)~0 3. Calculate the bit-value o k a, i+3. 39

40 Experiment 2 i m 3 a 44 b 44 c 44 d 44 <<< 3 It is impossible to apply the real experiment because o complexity. m 11 a 45 b 45 c 45 d 45 Instead, we did two separate experiments: <<< 9 m 7 <<< 11 m 15 a 46 b 46 c 46 d 46 a 47 b 47 c 47 d 47 Conirm the correctness o dierential path o the local collision in irst and second rounds. Conirm the correctness o key-recovery technique: randomly generate chaining variables in step 44. <<< 15 a 48 b 48 c 48 d 48 40

41 Conclusion We proposed new outer-key recovery attacks on MAC/NMAC- MD4 and NMAC-MD5: There might be two interesting points: New approach o key-recovery attack: using eedorward operation o MD4 and MD5. One near-collision model: local collisions + the other dierence propagation in last several steps. 41

42 Complexity Comparison Standard Attack Related-Key Attack 42

43 Thank you & Question 43