Re: [TLS] Serious crypto problem fixed by envelope HMAC method instead of currently used prefix
"Omirjan Batyrbaev" <batyr@xxxxxxxxxxxx> writes:
> Hi,
>
> I propose to use the envelope method instead of the currently used prefix method in
> HMAC. The measure is important especially since it was pointed out that the
> NULL cipher suites have a real use and since some ciphers are intentionally
> weak. With the NULL cipher (or the 40 bits cipher) the current HMAC
> construct is exploitable by an active attacker who appends to the message
> and substitutes the new message and the newly generated HMAC value for the
> original. On the server side the HMAC operation will succeed. Of course it
> can be the server message that gets compromised this way. This attack is
> well known in the crypto community and is well documented in HAC (Handbook
> of Applied Cryptography). The book is available online and I can send you a
> page reference if you are not familiar with the attack on the HMAC prefix
> method.
I'm familiar with the appending attack on prefix-based keyed hashes
such as H(Key || Message) but AFAIK, it doesn't apply to HMAC. Indeed,
HMAC was designed in part in response to known problems in a variety
of ad hoc keyed hash MAC constructions. The reason that you can
append in H(Key || Message) is that the digest output includes the
hash state and therefore can be extended. However, because HMAC
has two hash operations, one of which only digests the output of the
first, the state after processing the message is hidden.
Even if there were an appending attack on HMAC, because the length
value is included in the MAC, I don't believe you can apply the
attack in the context of TLS.
-Ekr
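The two points in the reply above (a digest of H(Key || Message) is the chaining state and so can be extended, while HMAC's outer hash hides that state; and TLS puts the record length inside the MAC input) can be checked concretely. The following is an added example and not code from the thread, the list, or any TLS implementation. It carries a minimal SHA-1 with a settable chaining state so the "continue from a digest" step is explicit, uses a constructed key and constructed record bodies, and assumes the TLS 1.0 MAC input layout from RFC 2246 (seq_num || type || version || length || fragment); `tls_mac_input` and `extend_from_digest` are names chosen here, not library APIs.

```python
"""Why HMAC resists the append (length-extension) attack that breaks H(key || msg).

Added example, not code from the thread. The SHA-1 below is deliberately
minimal and exposes its chaining state; the key and messages are constructed.
"""
import hashlib
import hmac
import struct


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def sha1_pad(total_len):
    """Merkle-Damgard padding for a message whose full length is total_len bytes."""
    pad = b'\x80' + b'\x00' * ((56 - (total_len + 1)) % 64)
    return pad + struct.pack('>Q', total_len * 8)


def sha1(data, state=None, prior_len=0):
    """SHA-1 of data. With state/prior_len given, continue from that chaining
    value as though prior_len bytes (a multiple of 64) had already been absorbed."""
    h = list(state) if state else [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0]
    msg = data + sha1_pad(prior_len + len(data))
    for off in range(0, len(msg), 64):
        w = list(struct.unpack('>16I', msg[off:off + 64]))
        for i in range(16, 80):
            w.append(_rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
        a, b, c, d, e = h
        for i in range(80):
            if i < 20:
                f, k = (b & c) | (~b & d), 0x5A827999
            elif i < 40:
                f, k = b ^ c ^ d, 0x6ED9EBA1
            elif i < 60:
                f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
            else:
                f, k = b ^ c ^ d, 0xCA62C1D6
            t = (_rotl(a, 5) + (f & 0xFFFFFFFF) + e + k + w[i]) & 0xFFFFFFFF
            a, b, c, d, e = t, a, _rotl(b, 30), c, d
        h = [(x + y) & 0xFFFFFFFF for x, y in zip(h, (a, b, c, d, e))]
    return struct.pack('>5I', *h)


# --- the two constructions under discussion ---------------------------------
def prefix_mac(key, msg):
    """H(key || msg): the digest *is* the chaining state after the message."""
    return sha1(key + msg)


def hmac_sha1(key, msg):
    """HMAC: the outer hash only ever sees the inner digest, so the state after
    the message is never exposed in the output."""
    return hmac.new(key, msg, hashlib.sha1).digest()


def extend_from_digest(orig_msg, orig_tag, key_len, suffix):
    """Continue a prefix-MAC digest without the key: returns the extended message
    (orig_msg || internal padding || suffix) and the digest that continues from
    orig_tag. Only len(key) is needed, not the key."""
    glue = sha1_pad(key_len + len(orig_msg))       # padding the hash used internally
    state = struct.unpack('>5I', orig_tag)          # digest doubles as chaining value
    absorbed = key_len + len(orig_msg) + len(glue)  # a multiple of 64 by construction
    return orig_msg + glue + suffix, sha1(suffix, state=state, prior_len=absorbed)


def demo(key=b'constructed-secret-key', msg=b'record body', suffix=b' appended'):
    """Returns (prefix_mac_accepts_extension, hmac_accepts_extension)."""
    # Prefix MAC: the extended message verifies although the key was never used.
    ext_msg, ext_tag = extend_from_digest(msg, prefix_mac(key, msg), len(key), suffix)
    prefix_ok = hmac.compare_digest(prefix_mac(key, ext_msg), ext_tag)
    # HMAC: the same continuation applied to an HMAC tag does not verify,
    # because the tag is the *outer* hash, not the state after the message.
    ext_msg2, ext_tag2 = extend_from_digest(msg, hmac_sha1(key, msg), len(key), suffix)
    hmac_ok = hmac.compare_digest(hmac_sha1(key, ext_msg2), ext_tag2)
    return prefix_ok, hmac_ok


# --- the TLS point: the length sits inside the MAC input --------------------
def tls_mac_input(seq_num, content_type, version, fragment):
    """TLS 1.0 MAC input (RFC 2246): seq_num || type || version || length || fragment."""
    return struct.pack('>QBHH', seq_num, content_type, version, len(fragment)) + fragment


def tls_prefix_mac_accepts_extension(key, fragment, suffix):
    """Even under the weak prefix MAC, the receiver rebuilds the MAC input from the
    length it actually received, so a continued digest no longer matches."""
    mac_in = tls_mac_input(1, 23, 0x0301, fragment)
    ext_in, ext_tag = extend_from_digest(mac_in, prefix_mac(key, mac_in), len(key), suffix)
    received_fragment = ext_in[13:]  # what arrives after the 13-byte MAC header
    recomputed = prefix_mac(key, tls_mac_input(1, 23, 0x0301, received_fragment))
    return hmac.compare_digest(recomputed, ext_tag)


if __name__ == '__main__':
    print('prefix MAC / HMAC accept extension:', demo())
    print('TLS-shaped prefix MAC accepts extension:',
          tls_prefix_mac_accepts_extension(b'constructed-secret-key', b'record body', b' appended'))
```

`demo()` returns `(True, False)`: the continued digest verifies under H(key || msg) but not under HMAC. `tls_prefix_mac_accepts_extension` returns `False` because the receiver's length field differs from the one the sender's digest was computed over, which is the second observation in the reply.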
_______________________________________________
TLS mailing list
TLS@xxxxxxxxxxxxxx
https://www1.ietf.org/mailman/listinfo/tls