3

While reviewing a 'secure communication protocol' made by a colleague, I noticed a usage of AES-128 CBC that caught my eye. I think they are trying to implement a HMAC but have made some very questionable decisions.

The steps look like this:

  1. The IV is initialized to be the same as a user's (plaintext) password with just one byte changed.
  2. AES CBC takes the password, this IV, and a key as input, however the same key is used each time.
  3. The output of this encryption is then XORed with the original password, giving the user's password hash.

Now presuming I have the key and some hashed passwords, is it possible to obtain the original plaintext passwords, in order to prove to my colleague that this system is horribly broken?

J. Doe
  • 93
  • 3
  • Do they continue on reusing that IV? Then you can probably borrow something from this question – Ruben De Smet Jun 11 '17 at 17:56
  • 1
    @RubenDeSmet the IV is almost identical to the password each time, and also I know the key, so I think the situation here is much more favourable than it is in that thread – J. Doe Jun 11 '17 at 18:32
  • You cannot create a HMAC using a symmetric cipher as HMAC is a MAC created using a hash function (that's the H, the initial letter, in the acronym). MAC constructions that are based on a cipher are simply called MAC's ("MAC" is therefore both the family name of the cryptographic construction as a specific name of a kind of MAC). – Maarten Bodewes Jun 12 '17 at 01:50

1 Answers1

2

It seems completely possible to break this scheme. Lets take 2 passwords, using some deterministic padding scheme. Now remember that the IV is XOR'ed with the plaintext before encryption:

enter image description here

Now it seems that the output of this XOR operation will only be different by one byte. So if you have enough passwords that are hashed then the input and therefore output of the blockcipher is likely to repeat. Due to the birthday bound repetition is likely with a chance of 0.5 after 16 tries.

One way to take advantage of this as attacker is to create a few accounts with different passwords. The output of the cipher can be retrieved using the output of the password hash, recovered later. It can simply XOR this value with the password given, which will result in the output of the cipher. Then the attacker can XOR this value with the other password hashes until it finds something that looks like a valid password strings (e.g. by detecting if there are no control characters in the output). This way most if not all passwords should be retrievable.

The fun thing with this attack is that you don't even need the key. The adversary just requires a hashing oracle (the server itself) and (parts of the) hash database.

Maarten Bodewes
  • 92,551
  • 13
  • 161
  • 313