Journal of Applied Mathematics

Volume 2013, Article ID 101907, 6 pages

http://dx.doi.org/10.1155/2013/101907

## Security Analysis of HMAC/NMAC by Using Fault Injection

^{1}Center for Information Security Technologies (CIST), Korea University, Anam-dong, Seongbuk-gu, Seoul 136-713, Republic of Korea^{2}Department of Mathematics, University of Seoul, Jeonnong-dong, Dongdaemun-gu, Seoul 130-743, Republic of Korea

Received 18 July 2013; Accepted 22 August 2013

Academic Editor: Jongsung Kim

Copyright © 2013 Kitae Jeong et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

#### Abstract

In Choukri and Tunstall (2005), the authors showed that if they decreased the number of rounds in AES by injecting faults, it is possible to recover the secret key. In this paper, we propose fault injection attacks on HMAC/NMAC by applying the main idea of their attack. These attacks are applicable to HMAC/NMAC based on the MD-family hash functions and can recover the secret key with the negligible computational complexity. Particularly, these results on HMAC/NMAC-SHA-2 are the first known key recovery attacks so far.

#### 1. Introduction

HMAC and NMAC are hash-based message authentication codes proposed in [1]. The construction of HMAC/NMAC is based on a keyed hash function. Let be an iterated Merkle-Damgård hash function, which defines a keyed hash function by replacing with the key . Then, HMAC and NMAC can be defined as follows:
Here, is a message and and are the secret keys of HMAC and NMAC, respectively; means padded to a single block, and and are two one-block length constants. Until now, many theoretical cryptanalytic results on HMAC/NMAC have been proposed [2–4]. For example, Wang et al. presented key recovery attacks on HMAC/NMAC-MD4 with 2^{72} MAC queries and 2^{77} MD4 computations [4]. On the other hand, McEvoy et al. introduced a differential power analysis on HMAC-SHA-256 in [5]. This attack does not allow the recovery of the secret key, but rather a secret intermediate hash value of SHA-256. It leads to forging the MACs for arbitrary messages. Correlation power analysis on HMAC based on six SHA-3 candidates was presented in [6]. This is also a forgery attack. To our knowledge, there is no key recovery attack on HMAC by using side channel analyss.

Side channel analysis exploits the easily accessible information such as power consumption, running time, and input-output behavior under malfunctions. It is often much more powerful than the classical cryptanalysis such as differential cryptanalysis and linear cryptanalysis. Since Kocher had introduced timing attacks in [7], many side channel analyses such as differential fault analysis [8] and fault injection attack [9] have been proposed [10–12].

Choukri and Tunstall proposed a fault injection attack on AES [13]. The fault injection method used a transient glitch on the power supplied to the smart card. In general, the implementation of a symmetric cryptographic algorithm in the PIC assembly language will have the following format: The RAM variable () is set to the number of rounds required (in the case of AES, in hexadecimal). The round function is executed, which has been represented by a call to the function . The variable is then decremented, and the round is repeated until is equal to zero, at which the loop point exits. It is this loop that we are trying to change so that it exits earlier than expected. The target of the fault is the step, which consists of a decrement, a test, and a conditional jump. The conditional jump is presented as a jump of one instruction when the test is positive; otherwise, the next instruction is executed. The aim of the attack is to reduce the algorithm to one round. It is not possible to remove the first round entirely as the first conditional test is after the first round. Thus, the cryptanalysis of the resulting algorithm can be simple and only requires two plaintext/ciphertext pairs.

In this paper, we propose fault injection attacks on HMAC/NMAC. Our fault assumption is based on that of [13]. That is, it is assumed that we can decrease the number of steps in the target compression function by injecting some faults. Our attack can be applied to HMAC/NMAC based on the MD-family hash functions and recover the secret key with the negligible computational complexity. As concrete examples, we apply our attack to HMAC/NMAC based on MD4, MD5 and SHA-2. Our attack results are summarized in Table 1. In the case of HMAC-SHA-256, for any message, we can recover the -word secret key with fault injections and only a negligible computational complexity. Also, we need only fault injections to recover the -word secret key of NMAC-SHA-256. Thus, when is , that is, the -word secret key, we require just two(four) fault injections to recover the secret key of HMAC-SHA-256 (NMAC-SHA-256), respectively. Note that the attack results on HMAC/NMAC-SHA-2 are the first known key recovery attacks on them.

This paper is organized as follows: in Section 2, we briefly introduce the MD-family hash functions. Then, we describe the fault injection attacks on HMAC and NMAC in Sections 3 and 4, respectively. Finally, we give a conclusion in Section 5.

#### 2. MD-Family Hash Function

Since MD4 [14] had been introduced in 1990, the MD-family hash functions such as MD5 [15] and SHA-2 [16], where the design rationale is based on that of MD4, have been proposed. To compute the hash value for a message of any size, the MD-family hash functions divide into message blocks of fixed length and obtain the hash value by using a compression function . A compression function takes a -bit message string and a -bit chaining variable as input values and outputs an updated -bit chaining variable . is computed by iteratively using a step function. It consists of addition, Boolean function, and rotation operations. After operating a step function repeatedly, is updated by adding . Table 2 presents the parameters of MD4, MD5, and SHA-2.

As a concrete example, we briefly introduce SHA-2 (SHA-224, SHA-256, SHA-384, and SHA-512), one of the most important MD-family hash functions. In SHA-224/256, the word size is 32 bits. The message string is firstly padded to be a 512-bit multiple and is divided into 512-bit blocks. A compression function takes a 512-bit message string and a 256-bit chaining variable as input values and outputs an updated 256-bit chaining variable. It consists of a message expansion and a data processing. The message block is expanded by using the following message expansion function. Here, , “+” denotes the wordwise addition, , and .

Consider

The data processing computes as follows. Here, denotes a 256-bit value consisting of eight words , , , , , , , and .

Consider A step function is defined as follows. Here, is a constant number for each step; , , , and . SHA-224 outputs the left most 224-bit value of as the hash value, and SHA-256 outputs as the hash value.

The structures of SHA-384/512 are similar to those of SHA-224/256. In SHA-384/512, the word size is double that of SHA-224/256. Thus, a message block is 1024 bits, and the size of a chaining value is 512 bits. A compression function consists of 80 steps.

#### 3. Key Recovery Attack on HMAC

Our attack can be applied to HMAC based on the MD-family hash functions. As a concrete example, we introduce a key recovery attack on HMAC-SHA-2. Other cases can be explained similarly. For the detailed attack results, see Table 1.

##### 3.1. Fault Assumption

Recall that the authors reduced the number of rounds in AES to one in [13]. We apply this fault assumption to HMAC. That is, by using several fault injections, we can reduce the number of steps in the last two compression functions (see Figure 1). Similarly to AES, the MD-family hash functions compute the hash value by iteratively using a step function. Moreover, there are some results based on similar fault models [17, 18]. Thus, our fault assumption is reasonable.

For the simplicity, we denote these two compression functions by and . Thus, we reduce the number of steps in to some values by using fault injections, respectively, and then recover the secret key of HMAC-SHA-2. When we reduced the number of steps in to , we denoted this event by in this paper.

##### 3.2. Key Recovery Attack on HMAC-SHA-256/512

As mentioned in the previous section, the structure of SHA-512 is similar to that of SHA-256 excluding parameters such as the word size. Thus, we only propose a key recovery attack on HMAC-SHA-256 in this subsection.

Since the word size of SHA-256 is 32 bits, we assume that the length of is bits. Our attack on HMAC-SHA-256 conducts the procedure recovering 96-bit iteratively times . We can recover as follows. From an event , we compute . Then, we can construct the following six equations (see Figure 2). Here, ; Since are known values in (6), we can obtain . With these values, we can compute by using the following equations:

By repeating the previous procedure, we can recover by using fault injections. Since this consists of only solving simple equations, the computational complexity is negligible.

##### 3.3. Key Recovery Attack on HMAC-SHA-224/384

Recall that SHA-224/384 outputs the left most 224/384 bits of the resulting 256/512-bit hash value as the hash value, respectively. For example, HMAC-SHA-224 outputs only as the hash value. Thus, we can not compute in (6) (see Figure 2). However, we can obtain in (6) and compute in (7). And then, we can obtain by using . By repeating this procedure, we can recover sequentially. Hence, we can recover of HMAC-SHA-224/384 with fault injections and the negligible computational complexity.

#### 4. Key Recovery Attack on NMAC

A key recovery attack on NMAC is similar to that on HMAC. This is also applicable to NMAC based on the MD-family hash functions. As a concrete example, we present a key recovery attack on NMAC-SHA-2. In the case of other MD-family hash functions, we can attack in a similar fashion. Table 1 gives the detailed results.

##### 4.1. Fault Assumption

Differently from HMAC, NMAC uses two -word secret keys (see Figure 3). Thus, our attack on NMAC consists of the following two steps. Firstly, we recover by using a key recovery attack on HMAC-SHA-2 (Fault_{1} in Figure 3). Secondly, to compute , we inject faults to (Fault_{2} in Figure 3). Note that we assume that a message is only a single block.

##### 4.2. Key Recovery Attack on NMAC-SHA-256/512

Since the structure of SHA-512 is similar to that of SHA-256, we only introduce a key recovery attack on NMAC-SHA-256 in this subsection. We assume that the length of is bits, respectively. By using a key recovery attack on HMAC-SHA-256, we firstly recover with fault injections and the negligible computational complexity. And then, we compute from an event .

Table 3 shows the results of an event . From Table 3, we can compute as follows. Since we know HMAC and can compute by using , we can compute by using the following equations: By using , we can compute the messages of easily. Since we know , we can obtain . Thus, we can recover similarly to a key recovery attack on HMAC-SHA-256.

By repeating the previous procedure, we can recover by using fault injections. Its computational complexity is also negligible.

##### 4.3. Key Recovery Attack on NMAC-SHA-224/384

Since SHA-224/384 outputs the left most 224/384 bits of the resulting 256/512-bit hash value as the hash value, respectively, we do not know (see Table 3). In this case, we can not compute . Thus, we consider different events on these algorithms. To recover of NMAC-SHA-224, we use an event . This attack needs fault injections and the negligible computational complexity. In the case of NMAC-SHA-384, we consider an event to recover . This attack requires fault injections with a negligible computational complexity.

#### 5. Conclusion

In this paper, we proposed key recovery attacks on HMAC/NAC by using a fault injection attack. Our attack can be applied to HMAC/NMAC based on the MD-family hash functions and requires a small number of fault injections with a negligible computational complexity. As concrete examples, we applied our attack to HMAC/NMAC based on MD4, MD5, and SHA-2. The results on HMAC/NMAC-SHA-2 are the first known key recovery attacks on them.

#### Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

#### Acknowledgments

This research was supported by the MSIP (Ministry of Science, ICT&Future Planning), Korea, under the C-ITRC (Convergence Information Technology Research Center) support program (NIPA-2013-H0301-13-3007) supervised by the NIPA (National IT Industry Promotion Agency).

#### References

- M. Bellare, R. Canetti, and H. Krawczyk, “Keying hash functions for message authentication,” in
*Proceedings of the Annual International Cryptology Conference (CRYPTO ’96)*, vol. 1109 of*Lecture Notes in Computer Science*, pp. 10–15, August 1996. - S. Contini and Y. L. Yin, “Forgery and partial key-recovery attacks on HMAC and NMAC using hash collisions,” in
*Advances in Cryptology*, vol. 4284 of*Lecture Notes in Computer Science*, pp. 37–53, 2006. View at Publisher · View at Google Scholar · View at Zentralblatt MATH · View at MathSciNet - P. A. Fouque, G. Leurent, and P. Q. Nguyen, “Full key-recovery attacks on HMAC/NMAC-MD4 and NMAC-MD5,” in
*Advances in Cryptology*, vol. 4622 of*Lecture Notes in Computer Science*, pp. 13–30, 2007. View at Publisher · View at Google Scholar · View at Zentralblatt MATH · View at MathSciNet - L. Wang, K. Ohta, and N. Kunihiro, “New key-recovery attacks on HMAC/NMAC-MD4 and NMAC-MD5,” in
*Advances in Cryptology (EUROCRYPT 2008)*, vol. 4965 of*Lecture Notes in Computer Science*, pp. 237–253, 2008. View at Publisher · View at Google Scholar · View at Zentralblatt MATH · View at MathSciNet - R. McEvoy, M. Tunstall, C. C. Murphy, and W. P. Marnane, “Differential power analysis of HMAC based on SHA-2, and countermeasures,” in
*Advances in Cryptology*, vol. 4867 of*Lecture Notes in Computer Science*, pp. 317–332, 2007. View at Publisher · View at Google Scholar · View at Scopus - O. Benoît and T. Peyrin, “Side-channel analysis of six sha-3 candidates,” in
*Advances in Cryptology*, vol. 6225 of*Lecture Notes in Computer Science*, pp. 140–157, 2010. View at Publisher · View at Google Scholar · View at Scopus - P. Kocher, “Timing attacks on implementation of Diffie-Hellman,” in
*Advances in Cryptology*, vol. 1109 of*Lecture Notes in Computer Science*, pp. 104–113, 1996. View at Google Scholar - E. Biham and A. Shamir, “Differential fault analysis of secret key cryptosystems,” in
*Advances in Cryptology*, vol. 1294 of*Lecture Notes in Computer Science*, pp. 513–525, 1997. View at Google Scholar - D. Boneh, R. A. DeMillo, and R. J. Lipton, “On the importance of checking cryptographic protocols for faults,” in
*Advances in Cryptology*, vol. 1233 of*Lecture Notes in Computer Science*, pp. 37–51, 1997. View at Publisher · View at Google Scholar · View at MathSciNet - K. Jeong, Y. Lee, J. Sung, and S. Hong, “Differential fault analysis on block cipher SEED,”
*Mathematical and Computer Modelling*, vol. 55, no. 1-2, pp. 26–34, 2012. View at Publisher · View at Google Scholar · View at Zentralblatt MATH · View at MathSciNet - K. Jeong and C. Lee, “Differential fault analysis on block cipher LED-64,” in
*Future Information Technology, Application, and Service*, vol. 164 of*Lecture Notes in Electrical Engineering*, pp. 747–755, 2012. View at Google Scholar - K. Jeong, J. Sung, S. Hong, and C. Lee, “A new approach of differential fault analysis on block ciphers with S-box,”
*Information*, vol. 16, no. 3, pp. 1915–1928, 2013. View at Google Scholar - H. Choukri and M. Tunstall, “Round reduction using faults,” in
*Proceedings of the Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC '05)*, pp. 13–24, 2005. - R. Rivest, “The MD4 message digest algorithm,” RFC 1320, 1992.
- R. Rivest, “The MD5 message digest algorithm,” RFC 1321, 1992.
- National Institute of Standards and Technology, FIPS PUB 180-2: Secure Hash Standard, 2002.
- C. H. Kim and J. J. Quisquater, “Fault attacks for CRT based RSA: new attacks, new results, and new countermeasures,” in
*Proceedings of the Workshop on Information Security Theory and Practices*, vol. 4462 of*Lecture Notes in Computer Science*, pp. 215–228, May 2007. View at Scopus - J. G. J. Van Woudenberg, M. F. Witteman, and F. Menarini, “Practical optical fault injection on secure microcontrollers,” in
*Proceedings of the 8th International Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC '11)*, pp. 91–99, September 2011. View at Publisher · View at Google Scholar · View at Scopus