Practical Electromagnetic Template Attack on HMAC
نویسندگان
چکیده
In this paper, we show a very efficient side channel attack against HMAC. Our attack assumes the presence of a side channel that reveals the Hamming distance of some registers. After a profiling phase in which the adversary has access to a device and can configure it, the attack recovers the secret key by monitoring a single execution of HMAC-SHA-1. The secret key can be recovered using a "template attack" with a computation of about 23 compression functions, where κ is the number of 32-bit words of the key. Finally, we show that our attack can also be used to break the secrecy of network protocols usually implemented on embedded devices. We have performed experiments using a NIOS processor executed on a Field Programmable Gate Array (FPGA) to confirm the leakage model. We hope that our results shed some light on the requirements in term of side channel attack for the future SHA-3 function.
منابع مشابه
HMAC-Based Authentication Protocol: Attacks and Improvements
As a response to a growing interest in RFID systems such as Internet of Things technology along with satisfying the security of these networks, proposing secure authentication protocols are indispensable part of the system design. Hence, authentication protocols to increase security and privacy in RFID applications have gained much attention in the literature. In this study, security and privac...
متن کاملCryptanalysis on HMAC/NMAC-MD5 and MD5-MAC
In this paper, we present the first distinguishing attack on HMAC and NMAC based on MD5 without related keys, which distinguishes the HMAC/NMAC-MD5 from HMAC/NMAC with a random function. The attack needs 2 queries, with a success probability 0.87, while the previous distinguishing attack on HMAC-MD5 reduced to 33 rounds takes 2 messages with a success rate of 0.92. Furthermore, we give distingu...
متن کاملAnother look at HMAC
HMAC is the most widely-deployed cryptographic-hash-function-based message authentication code. First, we describe a security issue that arises because of inconsistencies in the standards and the published literature regarding keylength. We prove a separation result between two versions of HMAC, which we denote HMAC and HMAC, the former being the real-world version standardized by Bellare et al...
متن کاملA Full Key Recovery Attack on HMAC-AURORA-512
In this note, we present a full key recovery attack on HMACAURORA-512 when 512-bit secret keys are used and the MAC length is 512-bit long. Our attack requires 2 queries and the off-line complexity is 2 AURORA-512 operations, which is significantly less than the complexity of the exhaustive search for a 512-bit key. The attack can be carried out with a negligible amount of memory. Our attack ca...
متن کاملDistinguishing Attacks on MAC/HMAC Based on A New Dedicated Compression Function Framework
A new distinguishing attack on HMAC and NMAC based on a dedicated compression function framework H, proposed in ChinaCrypt2008, is first presented in this paper, which distinguish the HMAC/NMACH from HMAC/NMAC with a random function. The attack needs 2 chosen messages and 2 queries, with a success rate of 0.873. Furthermore, according to distinguishing attack on SPMAC-H, a key recovery attack o...
متن کامل