Equivalent Key Recovery Attack to H-MAC
نویسندگان
چکیده
In this paper, we propose an efficient method to break H2-MAC, by using a generalized birthday attack to recover the equivalent key, under the assumption that the underlying hash function is secure (collision resistance). We can successfully recover the equivalent key of H2-MAC in about 2n/2 on-line MAC queries and 2n/2 off-line hash computations with great probability. This attack shows that the security of H2-MAC is totally dependent on the collision resistance of the underlying hash function, instead of the PRF-AX of the underlying compression function in the origin security proof of H2-MAC.
منابع مشابه
Equivalent Key Recovery Attack on H 2-MAC Instantiated with MD5
This paper presents the first equivalent key recovery attack on H2-MAC-MD5, which conduces to a selective forgery attack directly. H2-MAC is similar with HMAC except that the outer key is omitted. For HMAC-MD5, since the available differential paths are pseudocollisions, all the key recovery attacks are in the related-key setting, while our attack on H2MAC-MD5 gets rid of this restriction. Base...
متن کاملOn the Security of NMAC and Its Variants
We first propose a general equivalent key recovery attack to a H-MAC variant NMAC1, which is also provable secure, by applying a generalized birthday attack. Our result shows that NMAC1, even instantiated with a secure Merkle-Damg̊ard hash function, is not secure. We further show that this equivalent key recovery attack to NMAC1 is also applicable to NMAC for recovering the equivalent inner key ...
متن کاملBreaking H-MAC Using Birthday Paradox
H-MAC was proposed to increase efficiency over HMAC by omitting its outer key, and keep the advantage and security of HMAC at the same time. However, as pointed out by the designer, the security of H-MAC also depends on the secrecy of the intermediate value (the equivalent key) of the inner hashing. In this paper, we propose an efficient method to break H-MAC, by using a generalized birthday at...
متن کاملCryptanalysis of HMAC/NMAC-Whirlpool
In this paper, we present universal forgery and key recovery attacks on the most popular hash-based MAC constructions, e.g., HMAC and NMAC, instantiated with an AES-like hash function Whirlpool. These attacks work with Whirlpool reduced to 6 out of 10 rounds in single-key setting. To the best of our knowledge, this is the first result on “original” key recovery for HMAC (previous works only suc...
متن کاملA new key recovery attack on the ANSI retail MAC
A new type of attack is introduced which takes advantage of MAC truncation to simplify key recovery attacks based on MAC verifications. One example of the attack is described which, in certain circumstances, enables a more efficient attack than was previously known to be launched against the ANSI retail MAC. The existence of this attack means that truncation for this MAC scheme should be used w...
متن کامل