Score:2

Does having more than one HMAC provide more information to the attacker?


Suppose $N$ messages have been sent from $A$ to $B$ in this format:

  • $\operatorname{HMAC}(K, C(i)) \mathbin\| C(i)$.

Where

  • $C(i)$ is some cipher-text encrypted with some secure algorithm using some key
  • $K(i) \ne K$ for any $i$ in range $[0, N-1]$.

There is no implication whether $K(i) = K(j)$ for any $i \ne j$.

Thus, it is just "some" encryption algorithm, but the encryption key used to encrypt the message is not directly equal to $K$, the key for HMAC, which is constant for all $N$ messages.

Now my question is:

If the attacker captures these $N$ messages and $\operatorname{HMAC}$s, does it give any more advantage to the attacker than just "brute-forcing" the key $K$ to find it (whether he can draw some conclusions, etc)? We can say that the cryptographic hash function used in the $\operatorname{HMAC}$ is secure.

Maarten Bodewes:
Having access to multiple $T_i$ and $M_i$ where $T_i=\text{HMAC}(K, M_i)$ is known should not give you any information about $K$ (other than allowing to evaluate if $K$ is correctly guessed). So I surmise that this doesn't provide any information to the attacker by extension; the creation of the ciphertext is nothing other than a function to generate $M_i$ after all.
Maarten Bodewes:
As in Wikipedia: "A secure message authentication code must resist attempts by an adversary to forge tags, for arbitrary, **select**, or all messages, including under conditions of known- or **chosen-message**. It should be computationally infeasible to compute a valid tag of the given message without knowledge of the key, even if for the worst case, we assume the adversary knows the tag of any message but the one in question.[3] " Calculating a message using whatever function is strictly weaker than that notion.
kr flag
@MaartenBodewes: It's a good answer. Comments can be deleted. I'd suggest you convert your comments to an answer.
Maarten Bodewes:
I've done so, but I'd be happy if somebody else would create a more scientific argument based on e.g. the NMAC security proof & more focus on the possibilities of collisions.
Score:2

As stated on Wikipedia with regards to MAC security: "A secure message authentication code must resist attempts by an adversary to forge tags, for arbitrary, select, or all messages, including under conditions of known- or chosen-message. It should be computationally infeasible to compute a valid tag of the given message without knowledge of the key, even if for the worst case, we assume the adversary knows the tag of any message but the one in question. [3]" Calculating a message using whatever function is strictly weaker than that notion.

Although the reference is a bit suspect, it is corroborated by the security proof by Rybar on NMAC / HMAC security, where it is stated that "The adversary $A$ is given input $1^n$ and oracle access to $\text{Mac}_k(\cdot)$".

Having access to multiple $T_i$ and $M_i$ where $T_i=\text{HMAC}(K, M_i)$ is known should not give you any information about $K$ (other than allowing to evaluate if $K$ is correctly guessed). So I surmise that this doesn't provide any information to the attacker by extension; the creation of the ciphertext is nothing other than a function to generate $M_i$ after all.

This does presume a random (and therefore unrelated) key for HMAC of course, but that's stated in the question as a given.
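
The message format from the question and the tag verification the answer relies on, as an added example that is not part of the original post. It assumes HMAC-SHA-256 as the hash, uses random bytes as constructed stand-ins for the ciphertexts $C(i)$, and all function names are hypothetical.

```python
from __future__ import annotations

import hashlib
import hmac
import os

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes; HMAC-SHA-256 is an assumption


def frame(mac_key: bytes, ciphertext: bytes) -> bytes:
    """Build HMAC(K, C(i)) || C(i), the wire format from the question."""
    tag = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    return tag + ciphertext


def open_frame(mac_key: bytes, message: bytes) -> bytes | None:
    """Return C(i) if the tag verifies under mac_key, else None."""
    if len(message) < TAG_LEN:
        return None  # too short to even contain a tag
    tag, ciphertext = message[:TAG_LEN], message[TAG_LEN:]
    expected = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    # Constant-time comparison so verification does not leak tag bytes.
    return ciphertext if hmac.compare_digest(tag, expected) else None


def key_matches_capture(candidate: bytes, captured: list[bytes]) -> bool:
    """All that N captured pairs offer: a yes/no check of one candidate key."""
    return all(open_frame(candidate, m) is not None for m in captured)


def demo(n: int = 8) -> dict[str, bool]:
    mac_key = os.urandom(32)  # K: random and unrelated to any K(i)
    # Constructed sample data: random bytes stand in for each C(i).
    ciphertexts = [os.urandom(48) for _ in range(n)]
    captured = [frame(mac_key, c) for c in ciphertexts]
    tampered = bytearray(captured[0])
    tampered[-1] ^= 0x01  # flip one ciphertext bit in transit
    return {
        "all_verify": [open_frame(mac_key, m) for m in captured] == ciphertexts,
        "tamper_rejected": open_frame(mac_key, bytes(tampered)) is None,
        "truncated_rejected": open_frame(mac_key, captured[0][:10]) is None,
        "right_key_accepted": key_matches_capture(mac_key, captured),
        "wrong_key_rejected": not key_matches_capture(os.urandom(32), captured),
    }


if __name__ == "__main__":
    print(demo())
```
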
