Are there any good attack models of HMAC? Like, how can it be attacked? If there are any possible attacks on HMAC, I would be happy to know about them.
The canonical Q/A: "Why does HMAC use two different keys?" – kelalaka Oct 13 '21 at 15:08
Brute-force is the only way! – kelalaka Oct 13 '21 at 19:01
2 Answers
Beyond brute force and plain key leak, the only plausible attacks against HMAC are attacks on implementations.
One is: Sonia Belaïd, Luk Bettale, Emmanuelle Dottax, Laurie Genelle, Franck Rondepierre: Differential Power Analysis of HMAC SHA-2 in the Hamming Weight Model, in proceedings of SECRYPT 2013.
Another is a generic key search using fault injection, which finds an $n$-bit MAC key in $n+1$ queries (regardless of algorithm), assuming a device computes and outputs the (H)MAC of a fixed message; that device copies the key from long-term storage (e.g. Flash) to RAM sequentially at each MAC computation; and (that's the difficult point) an attacker can replace a bit of their choice with zero during that transfer (e.g. by laser illumination of the right location at the right instant in the execution). To find a key bit, the attacker compares the MAC with and without the replacement.

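The $n+1$ query count in the fault model above can be checked with a software simulation. This is an added example, not code from the answer: the `Device` class, `recover_key`, the fixed message, and the choice of HMAC-SHA-256 with a 128-bit key are all assumptions, and the laser fault is modeled as a simple bit mask on the RAM copy of the key.

```python
import hashlib
import hmac
import secrets

FIXED_MSG = b"fixed message"  # assumption: any constant message works


class Device:
    """Constructed model: copies the key from storage to RAM on every
    call, then outputs the HMAC of a fixed message."""

    def __init__(self, key: bytes):
        self._stored = key
        self.queries = 0

    def mac(self, zero_bit=None) -> bytes:
        self.queries += 1
        ram = bytearray(self._stored)  # key transfer to RAM
        if zero_bit is not None:
            # Modeled fault: one chosen bit is forced to zero in transit.
            ram[zero_bit // 8] &= ~(0x80 >> (zero_bit % 8)) & 0xFF
        return hmac.new(bytes(ram), FIXED_MSG, hashlib.sha256).digest()


def recover_key(dev: Device, n_bits: int) -> bytes:
    """One fault-free query plus one faulted query per key bit."""
    reference = dev.mac()
    key = bytearray(n_bits // 8)
    for i in range(n_bits):
        # Forcing a bit to zero changes the key only if that bit was 1,
        # so a changed MAC reveals a 1 and an unchanged MAC reveals a 0.
        if dev.mac(zero_bit=i) != reference:
            key[i // 8] |= 0x80 >> (i % 8)
    return bytes(key)


if __name__ == "__main__":
    secret = secrets.token_bytes(16)  # constructed 128-bit key
    dev = Device(secret)
    print(recover_key(dev, 128) == secret, dev.queries)
```

Nothing in the recovery loop depends on the MAC algorithm, only on the output being a deterministic function of the key and the fixed message, which is why the answer calls the search generic.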
HMAC as a message authentication code should be resistant to existential forgery under chosen-message attack; this is known as EUF-CMA.
HMAC as a pseudo-random function should be resistant to distinguishing attacks under, again, chosen-message attack, which is known as IND-CMA.
I'm quite certain about the MAC part, but I'm not absolutely confident about the PRF part. I don't know good references on this; feel free to add them here.

Bellare's paper "New proofs for NMAC and HMAC: security without collision resistance" shows that HMAC is a PRF if the compression function (assuming a Merkle-Damgård construction) is a PRF – Daniel S Oct 13 '21 at 15:01