Abstract:
HMAC, or keyed-hash message authentication code, is a message authentication scheme built
from a cryptographic hash function (an iterative one, i.e. the classical
Merkle-Damgård construction [7, 12]) and a secret key. It was designed by
Bellare, Canetti and Krawczyk in 1996 [3]. It was subsequently adopted by an IETF
working group as RFC 2104 [10] and became a standard for authentication in secure
Internet protocols. It is widely used in the banking industry and in secure web connections
through its use in TLS and IPsec. The security of HMAC was proven in [2], but
that proof does not consider the related-key model.
At Asiacrypt 2012, Peyrin et al. [13] showed related-key attacks against the HMAC
design. Following this, they also proposed a patch for standard HMAC
and claimed that the proposed patch thwarts their attacks. However, they did not
provide any security proof or argument for this claim.
In this work, we show that the patch proposed by Peyrin et al. [13] does not prevent
their attack on the HMAC construction for certain hash functions. We emphasize
that our approach applies to the general HMAC construction and not to the standardized
version of HMAC, which uses a specific hash function, namely SHA-1. We
show that the related-key attacks of Peyrin et al. still work, under certain circumstances,
when HMAC is constructed from a "good" cryptographic hash function satisfying
collision resistance, preimage resistance and second-preimage resistance.
Along similar lines, at Crypto 2012, Dodis et al. [8] showed indifferentiability attacks
on HMAC based on weak keys (ambiguous and colliding keys). To thwart these
two types of attack, we propose two tweaks. One of
them is a wrapper patch, while the other is a new padding scheme for
HMAC. Our first modification, the new patching scheme for HMAC,
ensures that HMAC is safe from the attacks described by Peyrin et al. [13].
Our second modification ensures that HMAC has no colliding keys,
thereby thwarting the attack of Dodis et al. [8]. Thus we show that HMAC with
one of our patches and the new padding scheme is safe from the cycle-detection-based
related-key attacks of Peyrin et al. [13] and from the indifferentiability attacks
using colliding key pairs of Dodis et al. [8].
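To make the "colliding keys" notion concrete, the following added example (not code from the paper) implements HMAC as specified in RFC 2104 on top of a Merkle-Damgård hash from `hashlib`, checks it against the standard library, and exhibits the key pairs that RFC 2104's key normalization maps to the same padded key: a short key and that key with a trailing zero byte, and a key longer than the block size and its hash digest. The function names, the `hash_name` parameter and the probe message are this example's own assumptions.

```python
import hashlib
import hmac


def rfc2104_hmac(key: bytes, message: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC per RFC 2104: H((K' xor opad) || H((K' xor ipad) || m)).

    K' is the key normalized to one hash block: keys longer than the block
    are replaced by their digest, then the result is zero-padded to the block.
    """
    block = hashlib.new(hash_name).block_size
    if len(key) > block:
        key = hashlib.new(hash_name, key).digest()
    key_prime = key.ljust(block, b"\x00")
    ipad_key = bytes(b ^ 0x36 for b in key_prime)
    opad_key = bytes(b ^ 0x5C for b in key_prime)
    inner = hashlib.new(hash_name, ipad_key + message).digest()
    return hashlib.new(hash_name, opad_key + inner).digest()


def matches_stdlib(key: bytes, message: bytes, hash_name: str = "sha256") -> bool:
    """Sanity check: our construction agrees with Python's hmac module."""
    return rfc2104_hmac(key, message, hash_name) == hmac.new(key, message, hash_name).digest()


def colliding_keys(key: bytes, hash_name: str = "sha256") -> list:
    """Return distinct keys that RFC 2104 normalizes to the same K' as `key`.

    These are the structural collisions the padding scheme introduces: they are
    independent of the hash function's collision resistance.
    """
    block = hashlib.new(hash_name).block_size
    others = []
    if len(key) < block:
        others.append(key + b"\x00")          # zero-padding absorbs trailing zeros
    elif len(key) > block:
        others.append(hashlib.new(hash_name, key).digest())  # long key == its digest
    return others


def keys_collide(k1: bytes, k2: bytes, hash_name: str = "sha256") -> bool:
    """True if two keys yield identical tags on a (constructed) probe message."""
    probe = b"constructed probe message"
    return rfc2104_hmac(k1, probe, hash_name) == rfc2104_hmac(k2, probe, hash_name)
```

A key of exactly one block length has no such structural collision, which is why `colliding_keys` returns an empty list for it.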