Page 1: [IEEE 2011 IEEE 3rd International Conference on Communication Software and Networks (ICCSN) - Xi'an, China (2011.05.27-2011.05.29)] 2011 IEEE 3rd International Conference on Communication

Pseudo-random Key Generation for Secure HMAC-MD5

Syeda Iffat Naqvi, Adeel Akram

Faculty of Telecom & Information Engineering, UET Taxila

Taxila, Pakistan

adeel.akram@uettaxila.edu.pk

Abstract-Cryptographic hash functions have been very significant primitives in cryptography. They have been utilized widely in cryptographic applications, the most important of which is their use in the composition of efficient Message Authentication Codes (MACs). Cryptanalysis of the hashing algorithms used in Hash Message Authentication Code (HMAC), like SHA-1 and MD5, has found many attacks against them [5], [6], [7], [8]. But this does not mean that if the underlying hashing algorithms are breakable then HMAC is also breakable. It is infeasible for the attacker to break HMAC because he would not be able to generate message sets offline without predicting the key K. The goal of this paper is to improve the strength of Hash Message Authentication Code (HMAC), so that its resistance to the Birthday Attack and the Exhaustive Key Search Attack increases. The secret key used in the calculation of HMAC is shared between the sender and the recipient. We generated the secret key with the help of a pseudorandom MD6 hashing function so that it becomes more secure and hard for a forger to predict.

Keywords- Message Authentication Code (MAC), Hash Message Authentication Code (HMAC), Message Digest Algorithm (MD6), Secure Hash Algorithm-1 (SHA-1), MD5 Message Digest Algorithm.

I. INTRODUCTION

A hash function has been defined as a function which compresses an input sequence of variable length to an output sequence of fixed length. Cryptographic hash functions must possess properties like one-way-ness and collision resistance. Hashing functions have always been significant primitives in cryptography and are commonly utilized in applications like digital signatures and e-commerce. One of the important areas of application of cryptographic hashing functions is their utilization in the composition of efficient message authentication codes (MACs) [1], [2], [3]. Hashing functions built on the Merkle-Damgard [9], [10] construction, such as SHA-1 [2] and MD5 [2], are used directly without any modification in constructing MAC schemes due to their efficiency and free accessibility.

Advancements in the cryptographic analysis of well known hashing functions like MD5 and SHA-1 [5], [6], [7], and [8] led the National Institute of Standards and Technology (NIST) [4] to put out a call for the SHA-3 competition. MD6 was one among the candidate algorithms, proposed by Ronald Rivest and his team [4].

978-1-61284-486-2/11/$26.00 ©2011 IEEE

For the attacker to break HMAC, the offline generation of message pairs is required, which is difficult because for this purpose he needs to predict the key K. The aim of this paper is to improve the strength of Hash Message Authentication Code (HMAC), so that its resistance against the Birthday Attack [2] and the Exhaustive Key Search Attack increases. The secret key used in the calculation of HMAC is shared between the sender and the receiver. We generated the key by using a pseudorandom MD6 hashing function so that it becomes more protected and hard for a forger to predict.

Section 2 provides a brief description of the hash function. Section 3 gives an overview of the MD6 function. MAC is presented briefly in Section 4. In Section 5, the architecture of HMAC, its key and its security analysis are taken into consideration. The architecture for the modified HMAC-MD5 is described in Section 6. To support Section 6, Section 7 presents its simulation results. The conclusion is presented in Section 8.

II. HASH FUNCTION

A hash function H transforms an arbitrarily long input string m to a fixed-size output sequence called the hash value, i.e. $h = H(m)$. It has the following major properties:

1. The length of the input string is variable,
2. The length of the output string is fixed,
3. It is quite easy to calculate H(m) for any known m,
4. H(m) is one-way,
5. H(m) is collision free.

The hash function conversion of the input message $m = m_1 \| m_2 \| \cdots \| m_t$, separated into fixed-length blocks $m_1, m_2, \ldots, m_t$, can be explained as follows:

$H_0 = IV$, (1)

$H_i = \varphi(m_i, H_{i-1})$ for $i = 1, 2, \ldots, t$, (2)

(3)

Here, IV is the initial value, $H_i$ is the chaining variable, $\varphi$ is the compression function and $\psi$ is an output after transformation. The resulting hashed output will be $H(m)$ of fixed length.

The block diagram of the hash function is shown in Figure 1. If $m_t$ is not equal in length to each preceding block $m_1, m_2, \ldots, m_{t-1}$, then additional bits should be added at the end of the input stream prior to hashing so that $m_t$ becomes as long as $m_1, m_2, \ldots, m_{t-1}$.

Figure 1. Block diagram of the Hash function h.

III. OVERVIEW OF MD6

The MD6 hashing function consists of two major parts: the compression function and the mode of operation [4]. These components are described in more depth in the following:

A. Compression Function

The MD6 compression function f operates on binary words of w = 64 bits. It maps an input of 89 words to an output of 16 words.

$f : W^{89} \to W^{16}$. (4)

The input words consist of 15 constant words Q, a key K of 8 words, 2 optional information words (a one-word unique node ID U and a one-word control word V) and a data block B of 64 words.

The number of rounds in the MD6 compression function is controllable, while every round consists of 16 steps. Every step calculates a 1-word output. The main loop is followed by the truncation operation, which cuts the final output down to 16 words as shown in Figure 2 (Algorithm 1).

B. Mode of Operation

The mode of operation of the MD6 hash function specifies the repeated application of the compression function to an arbitrarily long input string, converting it to a constant-length output called the message digest. The customary operational mode is a bottom-up, tree-based mode [4] (commonly known as parallel mode), which is parameterized by a parameter L giving the maximum number of levels. If L = 0 then the chosen operational mode is sequential, which is the same as the standard Merkle-Damgard [9], [10] construction.

IV. MESSAGE AUTHENTICATION CODE (MAC)

MAC is a sort of hashing function for which a secret key is used to assure authentication between the sender and the receiver.

V. HMAC

HMAC [1], [2], [3] is a well-known cryptographic algorithm which is used for the assurance of data integrity and authentication.

HMAC is an explicit kind of MAC function (Message Authentication Code). It uses a hash function operating on an input string and the key. Presently, it is one of the prime techniques in use for certifying that a message has not been distorted or altered by any forgery during transmission over unprotected links (like the Internet).

A. Architecture of HMAC

The major goals for the HMAC composition [3] are:

1. Usage of existing hash functions devoid of any optimization; particularly, hashing functions which have good software performance, and easy availability of the code,
2. Conservation of the actual functioning of the hash function without any noteworthy degradation,
3. Usage and control of keys in a simpler way.
4. A detailed cryptanalysis of the potency of the authentication procedure founded on reasonable suppositions on the underlying hash function, and to permit effortless substitution of the underlying hashing function in case a more rapid and non-vulnerable one becomes available.

Algorithm 1: MD6's compression function

    N: input data array of n = 89 words; r: a positive number of rounds
    C: output array of c = 16 words

    Let t = c · r
    Let A[0 .. t + n - 1] be an inner array which is n + t words long

    A[0 .. n - 1] = N[0 .. n - 1]
    for i = n to t + n - 1 do
        word = S_i ⊕ A_{i-n} ⊕ A_{i-17}
        word = word ⊕ (A_{i-31} ∧ A_{i-67}) ⊕ (A_{i-18} ∧ A_{i-21})   /* nonlinear part */
        word = word ⊕ (word >> rS_{i-n})
        A_i = word ⊕ (word << lS_{i-n})
    end for

    C[0 .. c - 1] = A[t + n - c .. t + n - 1]

Figure 2. Algorithm of MD6's Compression Function.

HMAC uses a cryptographic hash function denoted by h, and the secret key K. We presume h to be a hash function in which the data stream is hashed by repeatedly applying a fundamental compression function on data divided into l blocks, where l is the number of blocks in m after being padded. The length of these blocks in bits is denoted by b (where l * b is the length of the padded message m in bits), and the length of the hash result in bits by n (n = 128 bits for MD5, n = 160 bits for SHA-1 and n = 512 bits for MD6). The length of the key K can be up to b, equal to the block size of the hash function. Applications that use a key larger than b bits will first compress the key using h and then use the resulting n-bit string as the actual key for HMAC. In any case the minimum suggested length for K is n bits (equal to the length of the hashed output). The functional model of the HMAC function is shown in Figure 3.

HMAC can be computed as:

$\mathrm{HMAC}_K(m) = h\big((K^+ \oplus opad) \,\|\, h((K^+ \oplus ipad) \,\|\, m)\big)$ (5)

It can be accomplished by following the steps given below:

1. a) If the key length is shorter than b then add zeros to the left end of K to form a string K+ of b bits, where K+ is the key used to calculate HMAC.
   b) If the key length is b then use K as K+ without any modification.
   c) If the key is longer than b then use hash function h to hash the key K to a b bit long string.
2. XOR (bitwise exclusive-OR) K+ with the ipad value, which is the constant 0x36 repeated b/8 times, to generate the block S_i of b-bit length.
3. Append m to S_i.
4. Apply h to the stream produced in step 3.
5. XOR K+ with opad, which is the constant value 0x5C, to produce the block S_o of b-bit length.
6. Append the hash output computed in step 4 to S_o.
7. Finally, to get HMAC, apply h to the output computed in the above step.
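The seven steps above as an added Python example (not code from the paper), checked against the standard library's `hmac` module. It follows the byte order of RFC 2104 and FIPS 198 [1], where the zero padding is appended after the key bytes and an over-long key is first reduced to its n-bit digest; the names `hmac_by_steps`, `verify` and `SAMPLE_KEYS` are assumptions of this example.

```python
import hashlib
import hmac  # standard library; used here only as a reference and for compare_digest


def hmac_by_steps(key: bytes, msg: bytes, hash_name: str = "md5") -> bytes:
    """HMAC computed step by step (function name made up for this example)."""
    def h(data: bytes) -> bytes:
        return hashlib.new(hash_name, data).digest()

    b = hashlib.new(hash_name).block_size  # block size in bytes (64 for MD5, b = 512 bits)

    # Step 1: build K+ of exactly b bits.
    if len(key) > b:
        key = h(key)                   # over-long key is replaced by its n-bit digest
    k_plus = key.ljust(b, b"\x00")     # zero bytes appended after the key

    # Step 2: S_i = K+ XOR ipad (0x36 in every byte).
    s_i = bytes(x ^ 0x36 for x in k_plus)
    # Steps 3-4: inner hash over S_i || m.
    inner = h(s_i + msg)
    # Step 5: S_o = K+ XOR opad (0x5C in every byte).
    s_o = bytes(x ^ 0x5C for x in k_plus)
    # Steps 6-7: outer hash over S_o || inner hash.
    return h(s_o + inner)


def verify(key: bytes, msg: bytes, tag: bytes, hash_name: str = "md5") -> bool:
    """Receiver side: recompute the tag and compare it in constant time."""
    return hmac.compare_digest(hmac_by_steps(key, msg, hash_name), tag)


# Constructed sample keys covering the three cases of step 1 for MD5 (b = 64 bytes).
SAMPLE_KEYS = {
    "shorter than b": b"\x0b" * 16,
    "exactly b": bytes(range(64)),
    "longer than b": b"\xaa" * 80,
}

if __name__ == "__main__":
    for label, key in SAMPLE_KEYS.items():
        tag = hmac_by_steps(key, b"Hi There")
        ref = hmac.new(key, b"Hi There", hashlib.md5).digest()
        print(f"{label:15s} {tag.hex()} matches stdlib: {tag == ref}")
```
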

B. Keys for HMAC

The HMAC [3] key can vary in length. Keys longer than b bits are first compressed by means of h. However, keys shorter than n bits are always discouraged because they reduce the randomness of the respective function. Keys larger than n bits are adequate; however, the additional length will not considerably improve the strength of the function. A larger key might be prudent if the unpredictability of the key is inadequate.

C. Resistance Against Attacks

The success probability of any attack on HMAC is considered equal to that of either of the following attacks on the hashing function [2]:

1. Even if the initial value is kept random and protected, the attacker is still capable of figuring out the compression function's output.
2. Even if the initial value is random and kept secret, the attacker is still capable of finding collisions in the hashing function.

The first attack needs either a brute-force attack on the secret key, which requires more effort, $2^n$ computations, or the birthday attack. In the second attack, in order to find collisions the attacker has to apply the birthday attack, i.e. discover two distinct messages $m_1$ and $m_2$ for which the same hash result is generated, $h(m_1) = h(m_2)$. This attack needs $2^{n/2}$ computations. That means in order to crack MD5 we need $2^{64}$ trials.

Figure 3 HMAC function [2].

But does this mean that HMAC could be broken by using $2^{64}$ trials? The answer is no. The reason is that for MD5 the hashing function and its fixed initial value IV are known to the attacker, which helps the attacker in that he/she can select several pairs of input messages and work on them offline to discover a collision.

Conversely, whenever the attacker wants to break HMAC, he is not able to produce message sets offline because for this purpose he needs to know K. Thus any flaw in the underlying hash function does not have any influence on HMAC; it is the key which must be so random that its prediction becomes difficult.
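The offline-versus-keyed argument above, scaled down as an added Python example (not from the paper): the hash is MD5 truncated to n = 24 bits so that the $2^{n/2}$ birthday search finishes at once, and the pair it finds is then checked under HMAC-MD5 with a secret key. The truncation length, the message format, the key and all function names are constructed for the illustration.

```python
import hashlib
import hmac

TRUNC_BYTES = 3                  # n = 24 bits, so about 2^12 trials are expected
SECRET_KEY = bytes(range(16))    # constructed 128-bit key, known only to sender/receiver


def short_hash(msg: bytes) -> bytes:
    """Unkeyed hash with a public, fixed IV: MD5 truncated to n bits."""
    return hashlib.md5(msg).digest()[:TRUNC_BYTES]


def short_mac(key: bytes, msg: bytes) -> bytes:
    """Keyed counterpart: HMAC-MD5 truncated to the same n bits."""
    return hmac.new(key, msg, hashlib.md5).digest()[:TRUNC_BYTES]


def offline_collision():
    """Birthday search that needs nothing but the public hash function.

    Returns (m1, m2, trials) with m1 != m2 and short_hash(m1) == short_hash(m2).
    """
    seen = {}
    counter = 0
    while True:
        msg = b"msg-%d" % counter          # constructed message family
        digest = short_hash(msg)
        if digest in seen:
            return seen[digest], msg, counter + 1
        seen[digest] = msg
        counter += 1


def demo(key: bytes = SECRET_KEY) -> dict:
    m1, m2, trials = offline_collision()
    return {
        "trials": trials,
        "hash_collides": short_hash(m1) == short_hash(m2),
        # Without K the search above could not be run against short_mac at all;
        # the pair that collides for the bare hash does not collide under the key.
        "mac_collides": short_mac(key, m1) == short_mac(key, m2),
    }


if __name__ == "__main__":
    print(demo())
```
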

VI. MODIFIED HMAC FUNCTION

In order to enhance the strength of Hash Message Authentication Code (HMAC), we generated the secret key used in the calculation of the MAC by using the MD6 hashing function. So far it has been proved that MD6 keeps some cryptographic properties such as pseudo-randomness, unpredictability, parallelism, first pre-image resistance [12] etc. Thus the key generated by the MD6 compression function will become more random and hard for a forger to predict, thus escalating the collision resistance of HMAC. The key thus generated will require $2^{511}$ off-line trials to be retrieved by the Exhaustive key search attack, which is a very large number of trials.

The modified architecture is shown in Figure 4 and the steps for computation of the modified HMAC-MD5 are:

1. Compute the secret key K by using the MD6 function.
2. If the key is longer than b, i.e. 512 bits, we will use hash function h to hash the key K to a b bit long string K+, or will pad zeros if the key is shorter than 512 bits.
3. XOR (bitwise exclusive-OR) K+ with the ipad value, which is the constant 0x36 repeated b/8 times, to generate the block S_i of b-bit length.
4. Append m to S_i.
5. Apply h to the stream produced in step 3.
6. XOR K+ with opad, which is the constant value 0x5C, to produce the block S_o of b-bit length.
7. Append the hash output computed in step 4 to S_o.
8. Finally, to get HMAC, apply h to the output computed in the above step.

Figure 4. Modified HMAC algorithm.

VII. SIMULATION RESULTS

Simulations were carried out on a 2 GHz Intel Core 2 Duo T5800 laptop using MATLAB to verify the results of the modified algorithm mentioned above. The simulations comprise the simulation of the MD6 compression function for different numbers of rounds. The computational complexity and security of the MD6 function rise with the increasing number of rounds. We can see in Figure 5 that the simulation time also increases with the number of rounds, but the increase is minimal. For the number of rounds r explicitly set to 104, the simulation time is approximately 430 ms.

The simulations also include the computation of the original HMAC-MD5 algorithm and of the modified HMAC-MD5 with the key generated by the pseudo-random MD6 function, thus increasing the security and unpredictability of the HMAC. The number of rounds r is set to 104 as the output size d is predetermined to be 256 bits.

The simulation times for both the original and the modified HMAC-MD5 algorithms are shown in Table 1. As we can see, the modified HMAC consumes comparatively more computational time, but the delay is negligible and acceptable for such a large number of rounds and is not so overwhelming as to compromise on security.

VIII. CONCLUSION AND FUTURE WORK

As hash algorithms are important in authentication applications, they must be secure enough. Cryptographic analysis has shown that multiple attacks have been found against hash functions like MD4, MD5 and SHA-1. Thus the utilization of these functions, and also of HMAC, which uses hash functions as underlying functions, in different applications becomes threatening. This piece of work deals with the security analysis of the MD6 function and the modification of the HMAC algorithm by generating the secret key utilized for the calculation of the MAC with the help of the MD6 function.

The modified technique presented in this paper enhances the security of HMAC by increasing the randomness and unpredictability of the key. This paper also takes the simulation times into consideration. The simulation time increases with the increase in complexity and security, but the increase is not overwhelming. Thus this novel technique provides a much more secure HMAC function against the Birthday attack and Exhaustive key search attacks.

A lot of work has been done to increase the strength of the HMAC function [11]. This paper considers the key security, which definitely strengthens HMAC. Since cryptanalysts are continuously making efforts to design different attacks to break hash algorithms, a lot of work is required to increase the strength of these functions.

There are different schools of thought: some think that in order to make HMAC non-vulnerable, we must replace the existing underlying hash function in HMAC with more secure hash functions, while others think that it is the key which should be random and unpredictable enough to decrease the vulnerability of the HMAC algorithm. We give a boost to the power of HMAC by pseudo-random key generation. Other techniques could also be used for key generation which make it more protected and hard to predict

Figure 5: Simulation Time for MD6 with increasing Number of Rounds.

TABLE 1: SIMULATION TIME FOR HMAC-MD5

REFERENCES

[1] NIST FIPS PUB 198, The Keyed-Hash Message Authentication Code (HMAC), Federal Information Processing Standards Publication, issued March 6, 2002.

[2] W. Stallings, Cryptography and Network Security, Principles and Practice, Prentice Hall, New Jersey, 2003.

[3] H. Krawczyk, M. Bellare, R. Canetti, HMAC: Keying Hash Functions for Message Authentication, Advances in Cryptology - Crypto 96 Proceedings, Lecture Notes in Computer Science Vol. 1109, N. Koblitz ed., Springer-Verlag, 1996.

[4] Ronald L. Rivest, The MD6 hash function - A proposal to NIST for SHA-3. Submission to NIST, 2008.

[5] Xiaoyun Wang and Hongbo Yu, How to Break MD5 and Other Hash Functions. In EUROCRYPT 2005, LNCS 3494, pp. 19-35, Springer-Verlag, 2005.

[6] Bert den Boer and Antoon Bosselaers, Collisions for the Compression Function of MD5. In EUROCRYPT, pages 293-304, 1993.

[7] Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu, Finding Collisions in the Full SHA-1. In CRYPTO, pages 17-36, 2005.

[8] Christophe De Canniere and Christian Rechberger, Preimages for Reduced SHA-0 and SHA-1. In CRYPTO, pages 179-202, 2008.

[9] Emmanuel Bresson, Benoit Chevallier-Mames, Christopher Clavier, Aline Gouget, Pascal Paillier and Thomas Peyrin, How to Use Merkle-Damgard. On the Security Relations Between Signature Schemes and their Inner Hash Functions. Provable Security - Proceedings of ProvSec'08 (October 30-November 1, Shanghai, CN), J. Baek, F. Bao, K. Chen and X. Lai, Eds., Springer-Verlag, LNCS 5324, pages 241-253.

[10] Yevgeniy Dodis, Thomas Ristenpart and Thomas Shrimpton, Salvaging Merkle-Damgard for Practical Applications, Advances in Cryptology - EUROCRYPT '09, Lecture Notes in Computer Science Vol. 5479, pp. 371-388, A. Joux ed., Springer-Verlag, 2009.

[11] Mohannad Najjar, Firas Najjar, d-hmac - Dynamic HMAC function, Proceedings of the International Conference on Dependability of Computer Systems (DEPCOS-RELCOMEX'06), 2006.

[12] Christopher Yale Crutchfield, Security Proofs for the MD6 Hash Function Mode of Operation, submitted to the Department of Electrical Engineering and Computer Science at the Massachusetts Institute of Technology, June 2008.

