
Unintended Features of APIs: Cryptanalysis of Incremental HMAC

Conference paper. In: Selected Areas in Cryptography (SAC 2020). Part of the book series: Lecture Notes in Computer Science (LNSC, volume 12804).

Abstract

Many cryptographic APIs provide extra functionality that was not intended by the designers. In this paper we discuss such an unintended functionality in the API of HMAC, and study the security implications of its use by applications.

HMAC authenticates a single message at a time with a single authentication tag. However, most HMAC implementations do not complain when extra data is added to the stream after that tag is computed, nor do they undo the side effects of the tag computation. Think of it as the API of a new authentication primitive that provides tags for prefixes, rather than just for the full message. We call such primitives Incremental MACs (IncMACs). IncMACs may be used by applications to efficiently authenticate long messages that are broken into fragments, each of which needs its own individual authentication tag in order to perform an early abort or to retransmit only bad fragments, while each tag (strongly) authenticates the message prefix so far and the last tag fully authenticates the full message.

It appears that some applications (e.g., the Siemens S7 protocol) use the standard HMAC API to provide an incremental MAC, allowing transmission errors to be identified as soon as the first one occurs, while also directly authenticating the full message. We discuss two common implementations, used by cryptographic libraries and programs, whose APIs do not forbid using them incrementally, i.e., continuing with extra data after computing the tag. The most common one, which Siemens uses, is a naive implementation (as coded directly from the RFCs). The other is the implementation of the OpenSSL library.

We discuss these implementations, and show that they are not as secure as HMAC. Moreover, some of them may even be highly insecure when used incrementally, where in the particular case of OpenSSL it is possible to instantly find collisions and multi-collisions, which are also colliding under any key. We also discuss the fine details of the definition of IncMACs, and propose secure versions of such a primitive.
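The following is an added example, not code from the paper, Siemens or OpenSSL: it builds the IncMAC the abstract describes on top of Python's hashlib using the context-copy method (the inner hash is copied for each tag, never reset), so the tag after every fragment equals HMAC-SHA256 of the prefix so far, and a receiver can verify fragment by fragment and abort early. Note 5 of the paper warns that applications relying on this context-copy behaviour are mostly also exposed to the known-plaintext attacks it analyses, so this shows the API behaviour, not a recommended design.

```python
import hashlib
import hmac

BLOCK = 64  # SHA-256 block size in bytes


class IncMAC:
    """Incremental MAC in the sense of the abstract: a single HMAC-SHA256
    context keeps running across fragments and a tag is emitted after each
    one.  The tag after fragment i authenticates the prefix m_1..m_i, and the
    final tag authenticates the whole message.  Illustrative code only,
    using the context-copy method (the inner hash is copied, never reset);
    it is not the paper's, Siemens' or OpenSSL's implementation."""

    def __init__(self, key: bytes):
        if len(key) > BLOCK:  # RFC 2104: keys longer than a block are hashed
            key = hashlib.sha256(key).digest()
        key = key.ljust(BLOCK, b"\x00")
        self._outer_key = bytes(b ^ 0x5C for b in key)  # K xor opad
        self._inner = hashlib.sha256(bytes(b ^ 0x36 for b in key))  # K xor ipad

    def tag(self, fragment: bytes) -> bytes:
        # Absorb the next fragment (whole bytes, as in note 1 of the paper),
        # then run the outer hash over a *copy* of the inner state so the
        # running inner context keeps accepting data after this tag is out.
        self._inner.update(fragment)
        inner_digest = self._inner.copy().digest()
        return hashlib.sha256(self._outer_key + inner_digest).digest()


def prefix_tags(key: bytes, fragments: list) -> list:
    """Sender side: one tag per fragment, each covering the prefix so far."""
    mac = IncMAC(key)
    return [mac.tag(f) for f in fragments]


def receive(key: bytes, fragments: list, tags: list) -> int:
    """Receiver side: verify fragment by fragment and abort at the first bad
    tag.  Returns the number of fragments accepted; a value equal to
    len(fragments) means the full message verified."""
    mac = IncMAC(key)
    for i, (frag, t) in enumerate(zip(fragments, tags)):
        if not hmac.compare_digest(mac.tag(frag), t):
            return i
    return len(fragments)
```

Each intermediate tag is exactly the standalone HMAC of the prefix, which is why a standard HMAC verifier on the receiving side accepts it without knowing that the sender kept the context running.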


Notes

  1. For simplicity, this implementation assumes that the inputs of the update function are always in multiples of full bytes.

  2. In their P3 protocol, e.g., between TIA V15 and PLC S7-1500 with firmware v1.8 [6].

  3. An early version of this proof is given in [14].

  4. Or an equivalent key with the same chaining value.

  5. Applications using the context copy method of HMAC implementations are mostly also vulnerable to such known plaintext attacks.

  6. Note that this decision does not affect SSL/TLS, as far as we know, as the SSL/TLS protocol [20] does not use HMAC incrementally.

References

  1. Austein, R.: [cryptech tech] incremental digest outputs. https://lists.cryptech.is/archives/tech/2014-November/001008.html. Accessed Nov 2014

  2. Bellare, M.: New proofs for NMAC and HMAC security without collision resistance. J. Cryptol. 28(4), 844–878 (2015)

  3. Bellare, M., Canetti, R., Krawczyk, H.: Keying hash functions for message authentication. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 1–15. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68697-5_1

  4. Bellare, M., Goldreich, O., Goldwasser, S.: Incremental cryptography: the case of hashing and signing. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 216–233. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48658-5_22

  5. Bellare, M., Goldreich, O., Goldwasser, S.: Incremental cryptography and application to virus protection. In: Proceedings of the 27th Annual ACM Symposium on the Theory of Computing, pp. 45–56. ACM Press (1995)

  6. Biham, E., Bitan, S., Carmel, A., Dankner, A., Malin, J., Wool, A.: Rogue7: Rogue engineering-station attacks on S7 Simatic PLCs. Black Hat USA (2019)

  7. Damgård, I.B.: A design principle for hash functions. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 416–427. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_39

  8. Gennaro, R., Rohatgi, P.: How to sign digital streams. In: Kaliski, B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 180–197. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0052235

  9. Georgiev, M., Iyengar, S., Jana, S., Anubhai, R., Boneh, D., Shmatikov, V.: The most dangerous code in the world: validating SSL certificates in non-browser software. In: ACM Conference on Computer and Communications Security (CCS 2012), Raleigh, NC, USA, 16–18 October 2012, pp. 38–49 (2012)

  10. Green, M., Smith, M.: Developers are not the enemy: the need for usable security APIs. IEEE Secur. Privacy 14(5), 40–46 (2016)

  11. Joux, A.: Multicollisions in iterated hash functions. Application to cascaded constructions. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 306–316. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-28628-8_19

  12. Kent, S.: RFC 4301 - Security architecture for the Internet Protocol (2005). https://tools.ietf.org/html/rfc4301

  13. Kim, J., Biryukov, A., Preneel, B., Hong, S.: On the security of HMAC and NMAC based on HAVAL, MD4, MD5, SHA-0 and SHA-1 (extended abstract). In: De Prisco, R., Yung, M. (eds.) SCN 2006. LNCS, vol. 4116, pp. 242–256. Springer, Heidelberg (2006). https://doi.org/10.1007/11832072_17

  14. Merkle, R.C.: Secrecy, Authentication, and Public Key Systems. UMI Research Press, Ann Arbor (1979)

  15. National Bureau of Standards and Technologies: Secure Hash Standard. Federal Information Processing Standards Publication FIPS-180-1 (1995)

  16. National Bureau of Standards and Technologies: Secure Hash Standard. Federal Information Processing Standards Publication FIPS-180-4 (2001)

  17. OpenSSL: Incorrect usage of the HMAC APIs. Issue #13210. https://github.com/openssl/openssl/issues/13210

  18. OpenSSL: OpenSSL website. https://www.openssl.org

  19. Python.org: Python website. https://www.python.org

  20. Rescorla, E.: RFC 8446 - The Transport Layer Security (TLS) protocol version 1.3 (2018). https://tools.ietf.org/html/rfc8446

  21. Rivest, R.: RFC 1320 - The MD4 message-digest algorithm (1992). https://tools.ietf.org/html/rfc1320

  22. Rivest, R.L.: The MD5 message-digest algorithm. RFC 1321, 1–21 (1992)


Acknowledgements

This research was partially supported by the Technion Hiroshi Fujiwara cyber security research center and the Israel national cyber directorate.

Author information

Corresponding authors: Gal Benmocha, Eli Biham or Stav Perle.


Copyright information

© 2021 Springer Nature Switzerland AG

About this paper


Cite this paper

Benmocha, G., Biham, E., Perle, S. (2021). Unintended Features of APIs: Cryptanalysis of Incremental HMAC. In: Dunkelman, O., Jacobson, Jr., M.J., O'Flynn, C. (eds) Selected Areas in Cryptography. SAC 2020. Lecture Notes in Computer Science, vol 12804. Springer, Cham. https://doi.org/10.1007/978-3-030-81652-0_12


  • DOI: https://doi.org/10.1007/978-3-030-81652-0_12


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-81651-3

  • Online ISBN: 978-3-030-81652-0

  • eBook Packages: Computer Science (R0)
