Cryptography Reference
the HMAC construction is that it can be proven to be secure if certain assumptions
are made.
The basic idea behind all hash-based message authentication codes is that the key is hashed together with the message. Two obvious constructions are possible. The first one:

$$m = \mathrm{MAC}_k(x) = h(k \| x)$$

is called secret prefix MAC, and the second one:

$$m = \mathrm{MAC}_k(x) = h(x \| k)$$

is known as secret suffix MAC. The symbol “||” denotes concatenation. Intuitively, due to the one-wayness and the good “scrambling properties” of modern hash functions, both approaches should result in strong cryptographic checksums. However, as is often the case in cryptography, assessing the security of a scheme can be trickier than it seems at first glance. We now demonstrate weaknesses in both constructions.
Attacks Against Secret Prefix MACs
We consider MACs realized as $m = h(k \| x)$. For the attack we assume that the cryptographic checksum $m$ is computed using a hash construction as shown in Figure 11.5. This iterated approach is used in the majority of today's hash functions. The message $x$ that Bob wants to sign is a sequence of blocks $x = (x_1, x_2, \ldots, x_n)$, where the block length matches the input width of the hash function. Bob computes an authentication tag as:

$$m = \mathrm{MAC}_k(x) = h(k \| x_1, x_2, \ldots, x_n)$$

The problem is that the MAC for the message $x = (x_1, x_2, \ldots, x_n, x_{n+1})$, where $x_{n+1}$ is an arbitrary additional block, can be constructed from $m$ without knowing the secret key. The attack is shown in the protocol below.
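The weakness can be reproduced on a toy iterated hash. The following Python sketch is an added example, not part of the original text: it shows that a verifier using $h(k \| x)$ accepts a tag computed from $m$ alone, while an HMAC-style nested construction over the same hash rejects it. Assumptions: the compression function, the 16-byte block width, the key and the message blocks are constructed for illustration, and the toy hash omits the length padding that real hash functions append.

```python
import hashlib
import hmac

BLOCK = 16            # toy block width in bytes (assumption of this example)
IV = bytes(BLOCK)     # fixed initial chaining value

def compress(state: bytes, block: bytes) -> bytes:
    """Toy compression function: (chaining value, block) -> next chaining value."""
    return hashlib.sha256(state + block).digest()[:BLOCK]

def iterate(state: bytes, data: bytes) -> bytes:
    """Iterated hash construction over whole blocks, starting from `state`."""
    if len(data) % BLOCK:
        raise ValueError("data must be a whole number of blocks")
    for i in range(0, len(data), BLOCK):
        state = compress(state, data[i:i + BLOCK])
    return state

def h(data: bytes) -> bytes:
    """Toy hash: iterate from the fixed IV; the last chaining value is the output."""
    return iterate(IV, data)

def prefix_mac(k: bytes, x: bytes) -> bytes:
    """Secret prefix MAC: m = h(k || x)."""
    return h(k + x)

def nested_mac(k: bytes, x: bytes) -> bytes:
    """HMAC-style nesting over the toy hash: h(k^opad || h(k^ipad || x))."""
    inner = h(bytes(b ^ 0x36 for b in k) + x)
    return h(bytes(b ^ 0x5C for b in k) + inner)

def extend_tag(m: bytes, extra_block: bytes) -> bytes:
    """Computable without k: treat the tag m as a chaining value and continue."""
    return iterate(m, extra_block)

def demo():
    k = b"constructed-key!"                          # constructed 16-byte key
    x = b"x_1: first block" + b"x_2: next block."    # constructed message blocks
    extra = b"x_3: appended!!!"                      # arbitrary additional block
    # The verifier knows k and recomputes the tag over the extended message.
    prefix_accepts = hmac.compare_digest(
        extend_tag(prefix_mac(k, x), extra), prefix_mac(k, x + extra))
    nested_accepts = hmac.compare_digest(
        extend_tag(nested_mac(k, x), extra), nested_mac(k, x + extra))
    return prefix_accepts, nested_accepts

if __name__ == "__main__":
    print("secret prefix MAC accepts extended tag:", demo()[0])
    print("nested (HMAC-style) MAC accepts extended tag:", demo()[1])
```

The secret prefix tag is exactly the chaining value after the last block, which is why one more compression step yields a valid tag; in the nested construction the published tag is the output of a second, keyed hash call, so continuing from it does not match anything the verifier computes.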