Comments on: Stop using unsafe keyed hashes, use HMAC http://rdist.root.org/2009/10/29/stop-using-unsafe-keyed-hashes-use-hmac/ Embedded security, crypto, software protection Mon, 08 Mar 2010 21:19:29 +0000 http://wordpress.com/ hourly 1 By: B-Con http://rdist.root.org/2009/10/29/stop-using-unsafe-keyed-hashes-use-hmac/#comment-5453 B-Con Fri, 04 Dec 2009 20:14:49 +0000 http://rdist.root.org/?p=456#comment-5453 OK, thanks. I just wanted to be certain that, in order for that attack to work, the collision had to be for messages of equal lengths. OK, thanks. I just wanted to be certain that, in order for that attack to work, the collision had to be for messages of equal lengths.

]]> By: Nate Lawson http://rdist.root.org/2009/10/29/stop-using-unsafe-keyed-hashes-use-hmac/#comment-5451 Nate Lawson Fri, 04 Dec 2009 05:14:17 +0000 http://rdist.root.org/?p=456#comment-5451 I think you're confused because you're trying to compare it to the length extension attack. This is a different attack. I said nothing about the length of m and m' being different. For the case of auth tokens, the input message length is usually constant. The attack is to create an internal collision of m and m' before k is appended. At that point, the chaining variables are identical so adding k and the padding will result in identical final hashes. You are right in that this attack does not allow different lengths for m and m'. However, this is not a serious limitation for the attack since you are choosing m, and thus can make it any length you want in order to match the eventual m'. I think you’re confused because you’re trying to compare it to the length extension attack. This is a different attack. I said nothing about the length of m and m’ being different. For the case of auth tokens, the input message length is usually constant.

The attack is to create an internal collision of m and m’ before k is appended. At that point, the chaining variables are identical so adding k and the padding will result in identical final hashes. You are right in that this attack does not allow different lengths for m and m’. However, this is not a serious limitation for the attack since you are choosing m, and thus can make it any length you want in order to match the eventual m’.

]]> By: B-Con http://rdist.root.org/2009/10/29/stop-using-unsafe-keyed-hashes-use-hmac/#comment-5439 B-Con Thu, 12 Nov 2009 22:21:57 +0000 http://rdist.root.org/?p=456#comment-5439 I'm confused by the second method to defeat the hash(m || k) scheme, because most hashes have length padding that is added to the end. Could you help clear this up? If m and m' have the same length, then the length padding for m || k and m' || k will be the same and a collision with m and m' will yeild a collision for m || k and m' || k. However, if m and m' have a different length then the length padding, AFAIK, will cause problems. Here is my reasoning: Since the attacker can choose m and m', they can ensure that the hashes of m and m', including padding, are equal. This external collision relies on both m and m' and their padding. But k is concatenated before the padding which means that the new padding for both will be altered. If the padding for both messages is altered then the collision is no longer gaurenteed. (Unless adding a constant to the pre-image of a collision preserves the collision.) The paper explicitly requires an internal collision in order to make this attack work. But if the messages have different padding, then the hashes will be equal right up until the padding is added. The attacker can compensate by (assuming he knows the length of k) adjusting the padding he uses to reflect a length of length(m || k). He can then find a collision using the altered padding for m and m'. But still, adding the key to the end of the message, but before the padding, cause the internal state to be different before processing the padding, which should yield different hashes. I've read the paper by Preneel that you linked to, and it seems as if the problem I mention is because MD5 and SHA1 are not "pure" Merkle–Damgård constructions. The paper defines the "iterative" hash functions to be (from pg. 4): H_0 = IV; H_i = f(H_{i-1},m_i), 1 <= i <= t ; hash(m) = H_t and in the case of a MAC: hash(m) = g(H_t) However, for a function that includes length padding, this seems to be more like: hash(m) = g(H_t,l(m)) because the final transform is a function of both the last block and the entire message (which is the length of the entire message). Am I missing something here? This second method of attack against hash(m || k) only seems to work for substituting m' of equal length to m when dealing with hashes like SHA or MD5. I’m confused by the second method to defeat the hash(m || k) scheme, because most hashes have length padding that is added to the end. Could you help clear this up?

If m and m’ have the same length, then the length padding for m || k and m’ || k will be the same and a collision with m and m’ will yeild a collision for m || k and m’ || k. However, if m and m’ have a different length then the length padding, AFAIK, will cause problems. Here is my reasoning:

Since the attacker can choose m and m’, they can ensure that the hashes of m and m’, including padding, are equal. This external collision relies on both m and m’ and their padding. But k is concatenated before the padding which means that the new padding for both will be altered. If the padding for both messages is altered then the collision is no longer gaurenteed. (Unless adding a constant to the pre-image of a collision preserves the collision.)

The paper explicitly requires an internal collision in order to make this attack work. But if the messages have different padding, then the hashes will be equal right up until the padding is added.

The attacker can compensate by (assuming he knows the length of k) adjusting the padding he uses to reflect a length of length(m || k). He can then find a collision using the altered padding for m and m’. But still, adding the key to the end of the message, but before the padding, cause the internal state to be different before processing the padding, which should yield different hashes.

I’ve read the paper by Preneel that you linked to, and it seems as if the problem I mention is because MD5 and SHA1 are not “pure” Merkle–Damgård constructions. The paper defines the “iterative” hash functions to be (from pg. 4):

H_0 = IV; H_i = f(H_{i-1},m_i), 1 <= i <= t ; hash(m) = H_t

and in the case of a MAC:

hash(m) = g(H_t)

However, for a function that includes length padding, this seems to be more like:

hash(m) = g(H_t,l(m))

because the final transform is a function of both the last block and the entire message (which is the length of the entire message).

Am I missing something here? This second method of attack against hash(m || k) only seems to work for substituting m' of equal length to m when dealing with hashes like SHA or MD5.

]]>