
MD5 is considered broken and SHA-1 is closely following, but HMACs built around either are still considered relatively secure. It makes me wonder if MD5 and SHA-1 HMACs can be used as secure hashes.

  1. Settle on some constant $C$ that will serve the role of $K$.
  2. Define a new hash algorithm as $H_C(x)=\mathrm{HMAC}(C, x)$.

Could this work?

Melab

2 Answers


HMAC remains unbroken with MD5 and SHA1 because it has a secret key that the attacker doesn't know. Therefore, the attacker cannot carry out huge computations on its own (as is required for finding collisions). [A parenthetic comment: please do not misunderstand me; MD5 is completely broken and should not be used anywhere, including in HMAC.] In contrast, when you fix the HMAC key and make it public, you can once again find collisions. In fact, the specific collision-finding algorithms that we know for MD5 and SHA1 (via differentials) work for any IV. When using a key for HMAC that is known, this just gives a different IV. Thus, there is no problem whatsoever finding a collision (in practice, given known methods; not just theoretically).

The solution to SHA1 being broken is to move to SHA256 (and later to Keccak after some more validation time).

Yehuda Lindell

Yes, but doing so wouldn't be any more collision-resistant than just settling on some new IV.

(HMAC is only supposed to be a PRF. Collision-resistance is significantly harder to achieve.)

  • May we say that a "random" collision is still hard to achieve? I mean that for a random but fixed key, finding a collision is still hard (meaning birthday paradox hard) – ddddavidee Jan 05 '16 at 08:05
  • Some applications of hash functions do not need collision resistance, so it might be a good idea to mention preimage resistance as well. – otus Jan 05 '16 at 08:09
  • @ddddavidee : Only if it's hard in the first place. – Jan 05 '16 at 08:10
  • Do you, @RickyDemer, mean that finding an hmac-collision for HMAC-MD5 would be as easy as for plain MD5? and HMAC-SHA256 infeasible as for plain SHA256? – ddddavidee Jan 05 '16 at 08:17
  • @ddddavidee : Yes and yes, for the reason given in Yehuda's answer, and by the definition of HMAC. – Jan 05 '16 at 08:24
  • Ok thanks, I didn't yet read the edit. (+1 to both) – ddddavidee Jan 05 '16 at 08:36
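Both answers make the same point: once the HMAC key $C$ is public, $H_C(x)=\mathrm{HMAC}(C,x)$ is just the underlying hash run from a different starting state, so it inherits the hash's collision attacks. The following Python is an added example written for this page, not code from the question, either answer, or any library; it reimplements MD5 (RFC 1321) with a settable chaining state, derives the two key-dependent states that a fixed key turns into, and checks byte-for-byte against the standard library's `hmac`. Function names (`fixed_key_ivs`, `fixed_key_hash`, `collide_under_fixed_key`) and the sample key are this example's own choices.

```python
"""Fixed-key HMAC-MD5 expressed as plain MD5 under key-derived IVs (added example)."""
import hashlib
import hmac
import math
import struct

# MD5 constants from RFC 1321: per-round shift amounts, sine-derived additive
# constants, and the standard initial chaining state.
_S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
_K = [int(abs(math.sin(i + 1)) * 2**32) & 0xFFFFFFFF for i in range(64)]
MD5_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
_MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def md5_compress(state, block):
    """One MD5 compression call: absorb a 64-byte block into the 4-word state."""
    assert len(block) == 64
    a, b, c, d = state
    m = struct.unpack("<16I", block)
    for i in range(64):
        if i < 16:
            f, g = (b & c) | (~b & d), i
        elif i < 32:
            f, g = (d & b) | (~d & c), (5 * i + 1) % 16
        elif i < 48:
            f, g = b ^ c ^ d, (3 * i + 5) % 16
        else:
            f, g = c ^ (b | ~d), (7 * i) % 16
        f = (f + a + _K[i] + m[g]) & _MASK
        a, d, c, b = d, c, b, (b + _rotl(f, _S[i])) & _MASK
    return tuple((x + y) & _MASK for x, y in zip(state, (a, b, c, d)))


def md5_from_state(state, data, consumed=0):
    """Finish MD5 starting from an arbitrary chaining state (the 'IV').

    `consumed` is how many bytes that state has already absorbed (a multiple
    of 64); it only changes the length field written into the final padding.
    """
    total_bits = (consumed + len(data)) * 8
    padded = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", total_bits)
    for off in range(0, len(padded), 64):
        state = md5_compress(state, padded[off:off + 64])
    return struct.pack("<4I", *state)


def md5_hex(data):
    """Ordinary MD5 (standard IV, nothing consumed), for sanity checks."""
    return md5_from_state(MD5_IV, data).hex()


def fixed_key_ivs(key):
    """The two chaining states that a *public* HMAC key C collapses into.

    HMAC(C, x) = MD5((C ^ opad) || MD5((C ^ ipad) || x)).  C ^ ipad and
    C ^ opad are exactly one 64-byte block each, so their whole effect is one
    compression call; after that the inner and outer hashes are ordinary MD5
    computations that merely start from these two states instead of MD5_IV.
    """
    if len(key) > 64:                      # HMAC hashes over-long keys first
        key = md5_from_state(MD5_IV, key)
    key = key.ljust(64, b"\x00")
    inner_iv = md5_compress(MD5_IV, bytes(k ^ 0x36 for k in key))
    outer_iv = md5_compress(MD5_IV, bytes(k ^ 0x5C for k in key))
    return inner_iv, outer_iv


def fixed_key_hash(key, msg):
    """H_C(x) = HMAC-MD5(C, x), computed as 'MD5 with a different IV'."""
    inner_iv, outer_iv = fixed_key_ivs(key)
    inner = md5_from_state(inner_iv, msg, consumed=64)    # MD5_{inner_iv}(x)
    return md5_from_state(outer_iv, inner, consumed=64)   # MD5_{outer_iv}(16-byte digest)


def matches_stdlib(key, msg):
    """Cross-check against hmac/hashlib so the reduction is demonstrably exact."""
    return fixed_key_hash(key, msg) == hmac.new(key, msg, hashlib.md5).digest()


def collide_under_fixed_key(key, m1, m2):
    """Distinct m1, m2 collide for H_C whenever they collide for MD5 started at inner_iv.

    The inner computation is the only place the message enters, so any MD5
    collision search that works for an arbitrary IV (as the known differential
    attacks do) produces H_C collisions without modification.
    """
    inner_iv, _ = fixed_key_ivs(key)
    return m1 != m2 and md5_from_state(inner_iv, m1, 64) == md5_from_state(inner_iv, m2, 64)


if __name__ == "__main__":
    C = b"a public, fixed 'key' is no secret at all"     # constructed sample key
    print("H_C('hello') =", fixed_key_hash(C, b"hello").hex())
    print("equals hmac.new(C, 'hello', md5):", matches_stdlib(C, b"hello"))
```

The only difference between $H_C$ and "MD5 with a new IV" is the extra 64 bytes in the length field of the padding (the absorbed key block), which changes nothing about the attacker's position: the inner state `inner_iv` is computable by anyone who knows $C$, and a collision found for MD5 from that state is a collision for $H_C$ regardless of the outer hash. Replacing MD5 with SHA-1 changes only the compression function; the reduction is the same.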