Score:2

key reuse: does knowing H(S) reveal HMAC(S)

aep

Given a hash H(), like SHA-256, a secret text S, and a public salt P,

will knowing H(S) reveal HMAC(P, S)?

To clarify: the question is whether it is possible to learn the digest, not the secret. In my specific case HMAC(S) is actually HKDF(S), but I'm assuming for this question the safety-related part is just the extract phase.

The protocol is as follows:

Alice->Bob: fetch message2 after message1 which had content H(message1)
Bob->Alice: message2 from Charlie says: chacha(HKDF(message1), plain)

It seems fairly obvious that brute forcing S is still infeasible:

For each round an attacker would have the ability to test against H(S) or HMAC(S) but this doesn't help because the effort is identical. Testing against both of them just makes it twice as slow.

However, we care about the secrecy of the hash itself, since that's the derived key. Even if we assume it might be possible to "resume" a hash function just from its digest [1] and then continue it as HMAC, it would only work with H(S+salt), not with H(salt+S), which HKDF is [2].

Now the final thing I simply don't understand is entropy. Does revealing the hash of S reduce its entropy so that the HMAC is weaker? As far as I understand, a digest of something actually disperses the entropy so that it's indistinguishable from randomness. So you can't just "redo" the same dispersion if it's already gone.


  1. https://stackoverflow.com/questions/20895009/what-state-needs-to-be-stored-to-allow-resumable-hash-computations
  2. Why does HKDF use HMAC(salt, key) instead of HMAC(key, salt)?
kelalaka
The key point is whether length extension is possible or not!
Maarten Bodewes
H is one way, and HKDF, as you've indicated, doesn't use $H(S)$ anywhere, so that kind of tells it all. You may know $H(salt \oplus ipad)$ as a prefix of $S$ and $H(S)$, but in the end you're going to need to know $H(salt \oplus ipad) \| S$ and that's going to be tricky.
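
The point raised in the comments, as an added example that is not part of the original thread: it spells out HKDF-Extract with SHA-256 and compares the byte string HMAC actually hashes with the only kind of string whose hash can be continued from H(S). The salt and secret are constructed sample values, and `md_padding`, `hkdf_extract_inputs` and `compare` are names chosen for this sketch.

```python
import hashlib
import hmac

BLOCK = 64  # SHA-256 block size in bytes


def md_padding(msg_len: int) -> bytes:
    """SHA-256 padding appended to a message of msg_len bytes."""
    zeros = (BLOCK - (msg_len + 9) % BLOCK) % BLOCK
    return b"\x80" + bytes(zeros) + (8 * msg_len).to_bytes(8, "big")


def hkdf_extract_inputs(salt: bytes, secret: bytes):
    """HKDF-Extract = HMAC-SHA256(key=salt, msg=secret), spelled out.

    Returns (prk, inner_input): inner_input is the exact byte string fed to H.
    """
    if not salt:
        salt = bytes(32)  # RFC 5869: a missing salt is HashLen zero bytes
    if len(salt) > BLOCK:
        salt = hashlib.sha256(salt).digest()  # HMAC hashes over-long keys
    key_block = salt.ljust(BLOCK, b"\x00")
    inner_input = bytes(b ^ 0x36 for b in key_block) + secret
    outer_key = bytes(b ^ 0x5C for b in key_block)
    inner = hashlib.sha256(inner_input).digest()
    return hashlib.sha256(outer_key + inner).digest(), inner_input


def compare(salt: bytes, secret: bytes) -> dict:
    leaked = hashlib.sha256(secret).digest()  # H(S), what the protocol publishes
    prk, inner_input = hkdf_extract_inputs(salt, secret)
    # Any hash that can be continued from H(S) is the hash of a string shaped
    # like this one: S first, then its padding, then a chosen suffix.
    extendable = secret + md_padding(len(secret)) + b"<suffix>"
    return {
        "matches_stdlib_hmac": hmac.compare_digest(
            prk, hmac.new(salt, secret, hashlib.sha256).digest()),
        "extendable_starts_with_S": extendable.startswith(secret),
        "inner_starts_with_S": inner_input.startswith(secret),
        "S_offset_in_inner": inner_input.find(secret),
        "prk_equals_leak": prk == leaked,
    }


if __name__ == "__main__":
    # Constructed sample values, not taken from the original post.
    for k, v in compare(b"public-salt-P", b"constructed message1 body").items():
        print(f"{k}: {v}")
```

In the HMAC inner hash, S begins at byte offset 64, after the salt-derived key block, so the compression state that produced H(S) is never an intermediate state of the HKDF-Extract computation.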