Score:0

Crypto

Can a one time public key'd HMAC be secure?

Paul Uszak

2/28/23, 2:26 PM

Imagine authentication like $hmac = H(nonce, ciphertext)$. $nonce$ is truly random and chosen (randomly and WITHOUT replacement) from predetermined set $N$. So ${nonce} \in N$ and once used cannot be reused ever again. And $N$ is publicly known. There is no algorithmic relationship between $nonce$ and $ciphertext$.

Is the HMAC secure given $N$ is public?

0 + 0

hmac

initialization-vector

one-time-password

Morrolan

2/28/23, 3:29 PM

Given the nonce is chosen randomly, I would imagine it'll somehow be communicated -- in plain -- as part of the message / MAC tuple? Then surely an attacker able to intercept this communication can simply substitute their own message and recalculate the MAC using the communicated nonce.

Paul Uszak

2/28/23, 4:48 PM

@Morrolan Hiya. Of course they can. But $N$ is a predetermined fixed set. _" the communicated nonce"_ must be a member of $N$. And it can only be used once, and $|nonce|$ is very large.

Manish Adhikari

3/1/23, 4:20 AM

Yes, this question is hard to follow without proper description of the protocol for the interaction, like who chooses the nonce, what kind of set N is, and who calculates hmac and how it is communicated

Morrolan

3/1/23, 10:07 AM

@PaulUszak In this case it does seem to break down fully - being from a well-known set, and only being able to be used once, do not protect against an adversary able to intercept the message. They would modify it, recalculate the MAC and send the modified message on its way. If the nonce-to-be-used was chosen in some deterministic-but-secret (think PRF) way, then you could make it work. But of course then you need a shared secret key for the PRF. Maybe we're missing some point - might be worth it to reword / provide some more details. :)

Paul Uszak

3/1/23, 1:23 PM

@Morrolan I'm looking for a One-time MAC. Apologies.

Paul Uszak

3/1/23, 1:24 PM

@ManishAdhikari I'm looking for a One-time MAC. Apologies.

Morrolan

3/1/23, 1:58 PM

@PaulUszak consider the following scenario: A wants to send message $m$. Picks nonce $n \leftarrow N$ and computes MAC $h := HMAC(n, m)$. Sends $(n, h, m)$ to B. E intercepts $(n, h, m)$ (message does not reach B!). Picks arbitrary message $m'$, computes $h' = HMAC(n, m')$. Sends $(n, h', m')$ to Bob. B verifies that $n$ was never used before and that $HMAC(n, m') = h'$. Both checks pass => Forgery. Do you agree with this being an issue? Or do e.g. your parties have a secure out-of-band mechanism through which they communicate the nonce?

Paul Uszak

3/1/23, 5:05 PM

@Morrolan Yes, the nonce is predetermined out-of-band from a fixed and immutable set $N$. So $n$ is always unique, of the order of 160 truly random bits.

Morrolan

3/1/23, 9:55 PM

I see! In that case it seems pretty much equivalent to how an HMAC is normally used - namely with a secret key. Except that in your case the key is ephemeral, only ever used for one message. Assuming a sufficiently large key space (which 160 bits is), I personally see no issue with it, then. (Maybe do add that tidbit to the question though, for the benefit of future visitors. As-is it's not super clear - at least it wasn't to me)

Score:2

Crypto

Maarten Bodewes

2/28/23, 4:56 PM

If the nonce is known then HMAC is turned into a hash function, and an adversary can perform an active attack by simply replacing the authentication tag $t$ with $t' = H_{k=nonce}(ciphertext')$.

If a large $N$ is known or not doesn't matter; if the nonce remains secret then $N$ is simply the domain from which the secret is taken; i.e. in that case you've described a secret key generation function for which $N$ is generally known (e.g. it's $2^{256}$ for HMAC-SHA-256, general described as a function $\text{Gen}$ with output $1^{256}$ or $\{0, 1\}^{256}$).

Of course, as long as the tag value $t$ cannot be altered by the attacker then the construct is secure, assuming that $t$ is large enough. This is after all equivalent to having a static hash value for a specific message which cannot be altered, similar to a hash over a file on the original site which can be downloaded from a mirror.

Beware that this may not be the case for other MAC functions, e.g. you don't want to use GMAC with a known key.

0 + 0