Classical usage of Hash-based Message Authentication Code (HMAC) is known to be subject to Side-Channel Attacks (SCA). In case physical leakage of information occurs, and without proper countermeasures, the variability of known message endangers the secret key through statistical attacks. These attacks are not always applicable due to strict constraints on attacker model. However, some protocols can choose not to use the HMAC the way it was designed by swapping the roles of message and key, and therefore modify the condition of applicability of such attacks. In this paper, we describe a new attack method that takes advantage of the reduction of constraints induced by the choice to swap roles. Moreover, we describe two methods that can optimize previously existing attacks against HMAC. One allowing to reduce the trace cost of some attacks by \(\sim 25\%\) , the other allowing to adapt existing attacks even in presence of partial countermeasures.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

The Dangerous Message/Key Swap in HMAC

  • Antoine Wurcker,
  • David Marçais

摘要

Classical usage of Hash-based Message Authentication Code (HMAC) is known to be subject to Side-Channel Attacks (SCA). In case physical leakage of information occurs, and without proper countermeasures, the variability of known message endangers the secret key through statistical attacks. These attacks are not always applicable due to strict constraints on attacker model. However, some protocols can choose not to use the HMAC the way it was designed by swapping the roles of message and key, and therefore modify the condition of applicability of such attacks. In this paper, we describe a new attack method that takes advantage of the reduction of constraints induced by the choice to swap roles. Moreover, we describe two methods that can optimize previously existing attacks against HMAC. One allowing to reduce the trace cost of some attacks by \(\sim 25\%\) , the other allowing to adapt existing attacks even in presence of partial countermeasures.