Score:0

Can a one time public key'd HMAC be secure?


Imagine authentication like $hmac = H(nonce, ciphertext)$. $nonce$ is truly random and chosen (randomly and WITHOUT replacement) from predetermined set $N$. So ${nonce} \in N$ and once used cannot be reused ever again. And $N$ is publicly known. There is no algorithmic relationship between $nonce$ and $ciphertext$.

Is the HMAC secure given $N$ is public?

Morrolan
Given the nonce is chosen randomly, I would imagine it'll somehow be communicated -- in plain -- as part of the message / MAC tuple? Then surely an attacker able to intercept this communication can simply substitute their own message and recalculate the MAC using the communicated nonce.
Paul Uszak
@Morrolan Hiya. Of course they can. But $N$ is a predetermined fixed set. _" the communicated nonce"_ must be a member of $N$. And it can only be used once, and $|nonce|$ is very large.
Manish Adhikari
Yes, this question is hard to follow without proper description of the protocol for the interaction, like who chooses the nonce, what kind of set N is, and who calculates hmac and how it is communicated
Morrolan
@PaulUszak In this case it does seem to break down fully - being from a well-known set, and only being able to be used once, do not protect against an adversary able to intercept the message. They would modify it, recalculate the MAC and send the modified message on its way. If the nonce-to-be-used was chosen in some deterministic-but-secret (think PRF) way, then you could make it work. But of course then you need a shared secret key for the PRF. Maybe we're missing some point - might be worth it to reword / provide some more details. :)
Paul Uszak
@Morrolan I'm looking for a One-time MAC. Apologies.
Paul Uszak
@ManishAdhikari I'm looking for a One-time MAC. Apologies.
Morrolan
@PaulUszak consider the following scenario: A wants to send message $m$. Picks nonce $n \leftarrow N$ and computes MAC $h := HMAC(n, m)$. Sends $(n, h, m)$ to B. E intercepts $(n, h, m)$ (message does not reach B!). Picks arbitrary message $m'$, computes $h' = HMAC(n, m')$. Sends $(n, h', m')$ to Bob. B verifies that $n$ was never used before and that $HMAC(n, m') = h'$. Both checks pass => Forgery. Do you agree with this being an issue? Or do e.g. your parties have a secure out-of-band mechanism through which they communicate the nonce?
Paul Uszak
@Morrolan Yes, the nonce is predetermined out-of-band from a fixed and immutable set $N$. So $n$ is always unique, of the order of 160 truly random bits.
Morrolan
I see! In that case it seems pretty much equivalent to how an HMAC is normally used - namely with a secret key. Except that in your case the key is ephemeral, only ever used for one message. Assuming a sufficiently large key space (which 160 bits is), I personally see no issue with it, then. (Maybe do add that tidbit to the question though, for the benefit of future visitors. As-is it's not super clear - at least it wasn't to me)
Score:2

If the nonce is known then HMAC is turned into a hash function, and an adversary can perform an active attack by simply replacing the authentication tag $t$ with $t' = H_{k=nonce}(ciphertext')$.

If a large $N$ is known or not doesn't matter; if the nonce remains secret then $N$ is simply the domain from which the secret is taken; i.e. in that case you've described a secret key generation function for which $N$ is generally known (e.g. it's $2^{256}$ for HMAC-SHA-256, generally described as a function $\text{Gen}$ with output $1^{256}$ or $\{0, 1\}^{256}$).

Of course, as long as the tag value $t$ cannot be altered by the attacker then the construct is secure, assuming that $t$ is large enough. This is after all equivalent to having a static hash value for a specific message which cannot be altered, similar to a hash over a file on the original site which can be downloaded from a mirror.

Beware that this may not be the case for other MAC functions, e.g. you don't want to use GMAC with a known key.
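The two cases discussed above (the forgery Morrolan walks through in the comments, where the nonce rides along with the message, and the answer's secret-nonce case, where $N$ is just the public key space) as an added Python example; this is not code from the original post or from either participant. The names `mac`, `Receiver`, `make_public_set`, the two scenario functions and the constructed messages are mine. The members of $N$ are derived from a counter rather than being truly random, purely so the run is reproducible; the question's 160-bit random members are what makes the enumeration in scenario B infeasible in practice.

```python
import hashlib
import hmac
import secrets


def mac(nonce: bytes, msg: bytes) -> bytes:
    # The question's construction: HMAC-SHA-256 keyed with the one-time nonce.
    return hmac.new(nonce, msg, hashlib.sha256).digest()


def make_public_set(bits: int) -> list:
    # Public, fixed set N of 2**bits 160-bit members. Constructed deterministically
    # here for reproducibility (assumption); the question uses truly random members.
    return [hashlib.sha256(b"N:%d" % i).digest()[:20] for i in range(2 ** bits)]


class Receiver:
    """Verifier holding N; a nonce is accepted once and then struck from the set."""

    def __init__(self, nonce_set):
        self.unused = set(nonce_set)

    def verify(self, nonce: bytes, tag: bytes, msg: bytes) -> bool:
        if nonce not in self.unused:            # not a member of N, or already consumed
            return False
        ok = hmac.compare_digest(mac(nonce, msg), tag)
        if ok:
            self.unused.discard(nonce)          # chosen without replacement
        return ok


def scenario_a_nonce_in_band() -> dict:
    """Alice sends (n, t, m). Eve, holding the same n, swaps m and recomputes t."""
    N = make_public_set(3)
    bob = Receiver(N)
    n = N[secrets.randbelow(len(N))]
    m = b"pay 10 to alice"
    t = mac(n, m)                               # (n, t, m) leaves Alice
    m_forged = b"pay 10 to eve"                 # Eve drops Alice's tuple, sends her own
    t_forged = mac(n, m_forged)
    forged_accepted = bob.verify(n, t_forged, m_forged)
    replay_rejected = not bob.verify(n, t, m)   # n is now consumed; even the genuine tuple is refused
    return {"forged_accepted": forged_accepted, "replay_rejected": replay_rejected}


def scenario_b_nonce_out_of_band(bits: int) -> dict:
    """Alice and Bob agree out of band on which member of N to use; Eve sees (t, m) only.

    A blind guess fails, but because N is public Eve can try every member against the
    observed (t, m). The cost is |N| HMAC evaluations, so the scheme is only as strong
    as the size of N, i.e. N is the key space of a one-time HMAC key.
    """
    N = make_public_set(bits)
    idx = secrets.randbelow(len(N))             # the out-of-band agreement
    n_agreed = N[idx]
    bob = Receiver(N)
    m = b"pay 10 to alice"
    t = mac(n_agreed, m)                        # only (t, m) is on the wire

    m_forged = b"pay 10 to eve"
    wrong_member = N[(idx + 1) % len(N)]        # Eve's blind guess; Bob applies his own n
    blind_accepted = bob.verify(n_agreed, mac(wrong_member, m_forged), m_forged)

    work = 0                                    # Eve enumerates the public set
    recovered = None
    for cand in N:
        work += 1
        if hmac.compare_digest(mac(cand, m), t):
            recovered = cand
            break
    forged_accepted = recovered is not None and bob.verify(
        n_agreed, mac(recovered, m_forged), m_forged
    )
    return {
        "blind_guess_accepted": blind_accepted,
        "recovered": recovered == n_agreed,
        "work": work,
        "forged_accepted": forged_accepted,
    }
```

Scenario A accepts the forgery and then rejects Alice's genuine tuple as a replay, which is exactly the failure described in the comments. Scenario B with `bits=10` recovers the agreed nonce after at most 1024 HMACs; with the question's 160-bit random members the same loop would need on the order of $2^{160}$ evaluations, which is the sense in which a public $N$ is harmless as long as the nonce itself stays secret and $|N|$ is large.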
