13

I understand how for hash functions which are vulnerable to length extension attacks (such as SHA1 and SHA2) it is safer to use a HMAC construction.

What I don't understand is, how or why is $\operatorname{HMAC\_SHA256}_\mathrm{key}(\mathrm{message})$ safer (in terms of resistant against certain attacks) than $\operatorname{SHA256}(\mathrm{key}_1 \mathbin\| \mathrm{message} \mathbin\| \mathrm{key}_2)$, assuming that all key strings are sufficient in length and entropy?

forest
  • 15,253
  • 2
  • 48
  • 103
RocketNuts
  • 1,387
  • 1
  • 11
  • 23
  • 2
    HMAC_SHA256(message,key) has a security proof; we do not have a ready-made one for SHA256(key1+message+key2). That's quite an argument. That said, for reasons similar to HMAC_SHA256, SHA256(key1+message+key2) intuitively seems quite strong: there's a key1 initially, making collision hard; then a final key2, further increasing security. However the lack of alignment to block boundary in SHA256(key1+message+key2) makes it quite hard to devise a proof. – fgrieu Mar 20 '14 at 20:19
  • @fgrieu : $:$ (I realize it's been over a year, but) One could consider SHA256(key1+message+padtoblockboundary+key2) instead. $;;;;$ –  Apr 06 '15 at 21:03

2 Answers2

14

The construction you are proposing is called the "envelope" or "sandwich" MAC, it predates HMAC, and it is in fact secure—provided the key and message are appropriately padded. That is,

$$ \text{SHA256}(k \parallel m \parallel 1 \parallel 0^{b - 1 - (|m| \bmod b)} \parallel k) $$

is secure, as long as $k$ is the underlying hash function's block length $b$ ($b = 512$ in the case of SHA256), or is padded to that effect. Note that the padding after the message is crucial: without making sure the second key is in its own block the security of the envelope MAC is lower than that of HMAC. This was proved by Yasuda, and later Koblitz and Menezes (§6) argue that there is no sound theoretical reason to prefer HMAC over (correctly padded) envelope-MAC, beyond the former's more established nature.

Samuel Neves
  • 12,460
  • 43
  • 52
  • For all messages m, if |m| is not a multiple of b then your formula will give $:$ m || 0 $:$ the same MAC as m. $;;;;$ –  May 06 '15 at 23:33
  • Right, I got the message padding wrong. Fixed now. – Samuel Neves May 06 '15 at 23:35
  • Should that be parsed as $: (10)^{-|m| \operatorname{mod} b} :$ or $;;; 1 : || : 0^{-|m| \operatorname{mod} b} ::::$? $;;;;;;;;$ –  May 06 '15 at 23:38
  • $1$, followed by enough $0$s to pad out to block length. I think it should be intelligible now? – Samuel Neves May 06 '15 at 23:39
  • I think |m|-1 should be replaced with |m|+1. $;$ –  May 06 '15 at 23:42
  • OK, changed it to a less confusing formula, that matches Yasuda's paper. – Samuel Neves May 06 '15 at 23:48
  • Your formula now describes the "envelope MAC". $:$ I think your $k$s should be replaced with $k_{\hspace{.02 in}0}$ and $k_1$. $;;;;$ –  May 06 '15 at 23:48
  • 1
    Being the envelope MAC was the point! A single key is enough to be secure, though two independent keys are also fine. – Samuel Neves May 06 '15 at 23:53
  • From Yasuda's paper: “The envelope MAC, however, is shown to be vulnerable against key recovery attack [8] (which is more threatening than forgery attack.)” $;$ –  May 06 '15 at 23:56
  • 2
    Correct; that applies to the version without the $10^t$ padding. Yasuda notes: "We note that it is the lack of appropriate filling between the message M and the last key K, rather than the usage of a single key, that contributes to this key recovery attack." – Samuel Neves May 06 '15 at 23:59
  • It may be better to switch the order of subtraction, so that storing $:b-1:$ as a constant could reduce the necessary number of arithmetic operations by one. $;;;;$ –  May 07 '15 at 00:07
  • Thanks, changed. Also added a note stressing the importance of padding. – Samuel Neves May 07 '15 at 00:11
  • To be clear, is the second k in k∥m∥1∥0b−1−(|m|modb)∥k, an exact bit copy of the first k? – chux - Reinstate Monica Jun 28 '16 at 21:58
  • 1
    @chux Yes, same key. Check Figure 1 in page 4 of 2013/248 for a graphical representation of it. – Samuel Neves Jun 30 '16 at 07:09
3

Some research brought up this paper On the Security of Two MAC Algorithms (Preneel and Oorschot, 1995).

The authors state that it's possible to significantly reduce the claimed security so that the security is about the same as collision resistance instead of preimage resistance. The details can be read there and in the references.

Artjom B.
  • 2,045
  • 1
  • 22
  • 52
SEJPM
  • 45,967
  • 7
  • 99
  • 205