New HMAC Message Patches: Secret Patch and CrOw Patch

  • Conference paper
Information Systems Security (ICISS 2015)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 9478)

Abstract

At Asiacrypt 2012, Peyrin et al. showed generic attacks against the HMAC design. They utilized a pair of related keys where only the relation between the keys is known to the attacker but not the keys themselves (the secret key model). On similar lines, at Crypto 2012, Dodis et al. showed differentiability attacks based on ambiguous and colliding keys on HMAC in known/chosen key model. Peyrin et al. also proposed a patching scheme for HMAC and claimed that the proposed patch thwarts their attacks.

In this work, we first show that the patch proposed by Peyrin et al. will not prevent their attacks for the HMAC construction for certain “good” cryptographic hash functions. Specifically, we show that no public and reversible patch will prevent their attack on HMAC instantiated with a weakly collision resistant hash function. Following this, we propose two different patches, called the secret patch and the collision resistant one way (CrOw) patch, to thwart the attacks of Peyrin et al. and Dodis et al. Our work is theoretical in nature, and does not threaten the security of HMAC used with standard hash functions. Further, both our patches are designed to be used as wrappers and do not affect the underlying HMAC construction. This property is similar to Peyrin et al.’s patch.

References

  1. Request For Comments: 3174, US Secure Hash Algorithm 1 (SHA1). IETF Working group (2001)

  2. Andreeva, E., Preneel, B.: A three-property-secure hash function. In: Avanzi, R.M., Keliher, L., Sica, F. (eds.) SAC 2008. LNCS, vol. 5381, pp. 228–244. Springer, Heidelberg (2009)

  3. Bellare, M.: New proofs for NMAC and HMAC: security without collision-resistance. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 602–619. Springer, Heidelberg (2006)

  4. Bellare, M., Canetti, R., Krawczyk, H.: Keying hash functions for message authentication. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 1–15. Springer, Heidelberg (1996)

  5. Coron, J.-S., Dodis, Y., Malinaud, C., Puniya, P.: Merkle-Damgård revisited: how to construct a hash function. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 430–448. Springer, Heidelberg (2005)

  6. Dodis, Y., Ristenpart, T., Steinberger, J., Tessaro, S.: To hash or not to hash again? (In)differentiability results for H\(^{2}\) and HMAC. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 348–366. Springer, Heidelberg (2012)

  7. Guo, J., Peyrin, T., Sasaki, Y., Wang, L.: Updates on generic attacks against HMAC and NMAC. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part I. LNCS, vol. 8616, pp. 131–148. Springer, Heidelberg (2014)

  8. Leurent, G., Peyrin, T., Wang, L.: New generic attacks against hash-based MACs. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013, Part II. LNCS, vol. 8270, pp. 1–20. Springer, Heidelberg (2013)

  9. Canetti, R., Bellare, M., Krawczyk, H.: Request For Comments: 2104, HMAC: Keyed-Hashing for Message Authentication. IETF Working group (1997)

  10. Maurer, U.M., Renner, R.S., Holenstein, C.: Indifferentiability, impossibility results on reductions, and applications to the random oracle methodology. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 21–39. Springer, Heidelberg (2004)

  11. Peyrin, T., Sasaki, Y., Wang, L.: Generic related-key attacks for HMAC. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 580–597. Springer, Heidelberg (2012)

Author information

Corresponding author

Correspondence to Nishant Sharma.

Appendices

A Explanation of Complexities in Table 1

The generic attack complexities in the single-key model and in the related-key model (cycle attack) are given by Peyrin et al. in [11], but they did not provide complexity calculations for the setting in which their patch is applied. In our view, since the patch prevents cycle formation, the attack is not possible, and hence the complexity will be that of the single-key setting. With the secret patch, however, the attacker can guess the key with \(2^{k}\) effort, where k is the length of the unpadded key. So the effort for obtaining a cycle will be \(2^{n/2}+2^k\). Note that the adversary has to guess the key only once for the whole cycle; but if he can find the key, the security of HMAC is completely broken (the key is now known to the adversary), and this requires very high effort. For the CrOw patch, in order to break the patch the attacker needs to find a preimage of the output of the CrOw patch, which requires \(2^{u}\) effort, where u is the output length of the CrOw patch. Unlike the secret patch, here this has to be done for all \(2^{n/2}\) steps, so the complexity will be \(2^{n/2+2+u}\).

B Explanation for Secret Patch SP

HMAC\(^{SP_{K}}\)-H\((K,M)\) is HMAC-H\((K,M)\) using the secret patch SP\((K,M)\) as the patching scheme, with any collision resistant, preimage resistant and second preimage resistant hash function H (not necessarily a random oracle). Here \(\overline{K} = K00\ldots\), where \(|\overline{K}| = d\), and M is the message. For subsequent sections, we will consider \(K = \overline{K}\). To analyse the security of HMAC\(^{SP_{K}}\)-H\((K,M)\), Fig. 9 shows path generation using the oracles HMAC\(^{SP_{K}}\)-H\((K,M)\) and HMAC\(^{SP_{K'}}\)-H\((K',M)\).

As discussed earlier, HMAC\(^{SP_{K}}\)-H\((K,M)\) behaves like a black box. So an attacker can only mount an attack between two calls to the oracle HMAC\(^{SP_{K}}\)-H\((K,M)\) (or HMAC\(^{SP_{K'}}\)-H\((K',M)\)). If \(h_{0}\) and \(t'_{0}\) collide, then for a successful attack b and \(c'\) should also collide, so that the collision chain can propagate. In the case of HMAC\(^{SP_{K}}\)-H\((K,M)\), the patch SP\((K,M)\) is applied to \(h_{0}\). Therefore, the only way to make b and \(h_{0}\) the same is to apply SP\(^{-1}(K,M)\) to \(h_{0}\), so that when SP\((K,M)\) is applied to the result it yields \(h_{0}\) again, i.e. \(h_{0}\) = SP\((K,a)\) = \(K \oplus a[1] \,\|\, a[2]\,a[3] \ldots a[s]\).

Fig. 9. Path generation using the oracles HMAC\(^{SP_{K}}\)-H\((K,M)\) and HMAC\(^{SP_{K'}}\)-H\((K',M)\).

Hence the attacker needs the secret key K to carve such an a out of \(h_{0}\). The attacker attempts to guess the key and guesses K. The probability of guessing the right key is

$$ \text{ Prob } [K = h_{0} \oplus a] \le 2^{-d} \le \text{ Negligible }$$

where the total effort required is \(2^{d} + 2^{n/2}\). Note that \(2^{d}\) is the effort of obtaining the key K and \(2^{n/2}\) is the number of consecutive rounds needed to construct a cycle. Since

$$ \text{Total Complexity} = 2^{d} + 2^{n/2} $$

is very high, the probability of getting a synchronized cycle in this case is negligible. We emphasize the use of the same key K for the secret patch as well as for HMAC. Using two different keys for the secret patch and HMAC leads to the forgery attack explained in Appendix C.

C HMAC\(^{SP_{K_2}}\)-H\((K_{1},M)\) is not Secure

If the secret patch is used with two different keys \(K_{1}\), \(K_{2}\), i.e. HMAC\(^{SP_{K_2}}\)-H\((K_{1},M)\), then the construction prevents related-key attacks based on cycle-detection techniques, but it allows a forgery attack on HMAC\((K,M)\). If we use two different keys \(K_{1}\), \(K_{2}\) when calculating the secure tag of a message M, then the tag can be forged by using keys \(K_{1}\), \(K'_{2}\) on a crafted message \(M'\) such that \(K_{2} \oplus M = K'_{2} \oplus M'\). When such a message and key pair is fed to the construction, it produces the same secure tag h in both cases. Therefore, by using this attack, an adversary can forge secure tags. If a single key K is used and the attacker tries to forge a secure tag on HMAC\(^{SP_{K}}\)-H\((K,M)\), it is impossible to have two distinct messages \(M,M'\) such that \(K \oplus M = K \oplus M'\). If the attacker chooses a different K for two separate HMAC\(^{SP_{K}}\)-H\((K,M)\) calls, then the inner and the outer keys will be different in both cases. This prevents forgery attacks on the scheme. Therefore we cannot use two different keys for this purpose.
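The argument of Appendix C can be checked concretely with HMAC-SHA-256. The Python sketch below is an added example, not code from the paper; it assumes the patch is applied byte-wise to the first d-byte block, that messages are at least one block long, and all keys, messages and helper names are constructed for illustration.

```python
import hashlib
import hmac

D = hashlib.sha256().block_size  # d: block length in bytes (64 for SHA-256)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def pad_key(key: bytes) -> bytes:
    """K-bar = K || 00...0 with |K-bar| = d."""
    if len(key) > D:
        raise ValueError("key must fit in one block")
    return key.ljust(D, b"\x00")

def secret_patch(patch_key: bytes, msg: bytes) -> bytes:
    """SP(K, a): XOR K-bar into the first block a[1], leave a[2..s] unchanged."""
    if len(msg) < D:
        raise ValueError("assumption of this sketch: message >= one block")
    return xor(pad_key(patch_key), msg[:D]) + msg[D:]

def patched_hmac(hmac_key: bytes, patch_key: bytes, msg: bytes) -> bytes:
    """HMAC^{SP_{patch_key}}-H(hmac_key, M): the patch wraps plain HMAC."""
    return hmac.new(hmac_key, secret_patch(patch_key, msg), hashlib.sha256).digest()

def shift_message(msg: bytes, delta: bytes) -> bytes:
    """M' such that K2 xor M = K2' xor M' when K2' = K2 xor delta."""
    return xor(pad_key(delta), msg[:D]) + msg[D:]

# Constructed sample values (not from the paper).
K1 = bytes(range(16))
K2 = bytes(range(100, 116))
DELTA = b"\x5a" * 16                         # known relation between related keys
M = b"transfer 10 units to account A; " * 3  # 96 bytes, more than one block

def two_key_tags_collide() -> bool:
    """Appendix C: a separate patch key K2 gives the same tag under related K2'."""
    m2 = shift_message(M, DELTA)
    return m2 != M and hmac.compare_digest(
        patched_hmac(K1, K2, M), patched_hmac(K1, xor(K2, DELTA), m2))

def single_key_tags_collide() -> bool:
    """One key for patch and HMAC: the related key also changes the HMAC key."""
    k_rel = xor(K1, DELTA)
    return hmac.compare_digest(
        patched_hmac(K1, K1, M), patched_hmac(k_rel, k_rel, shift_message(M, DELTA)))

if __name__ == "__main__":
    print("two keys, tags collide:  ", two_key_tags_collide())
    print("single key, tags collide:", single_key_tags_collide())
```

In the single-key case the patched inputs to HMAC are still identical, but the inner and outer HMAC keys differ, which is why the tags no longer match.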

Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Chang, D., Sanadhya, S.K., Sharma, N. (2015). New HMAC Message Patches: Secret Patch and CrOw Patch. In: Jajodia, S., Mazumdar, C. (eds) Information Systems Security. ICISS 2015. Lecture Notes in Computer Science, vol 9478. Springer, Cham. https://doi.org/10.1007/978-3-319-26961-0_17

  • DOI: https://doi.org/10.1007/978-3-319-26961-0_17

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-26960-3

  • Online ISBN: 978-3-319-26961-0

  • eBook Packages: Computer Science (R0)
