Cryptanalysis on HMAC/NMAC-MD5 and MD5-MAC

Authors:
Xiaoyun Wang;Hongbo Yu;Wei Wang;Haina Zhang;Tao Zhan
Affiliations:
Center for Advanced Study, Tsinghua University, Beijing, China 100084 and Key Laboratory of Cryptographic Technology and Information Security, Ministry of Education, Shandong University, Jinan, Ch ...;Center for Advanced Study, Tsinghua University, Beijing, China 100084;Key Laboratory of Cryptographic Technology and Information Security, Ministry of Education, Shandong University, Jinan, China 250100;Key Laboratory of Cryptographic Technology and Information Security, Ministry of Education, Shandong University, Jinan, China 250100;Shandong University, Jinan, China 250100
Venue:
EUROCRYPT '09 Proceedings of the 28th Annual International Conference on Advances in Cryptology: the Theory and Applications of Cryptographic Techniques
Year:
2009

Citing 15
Cited 10

Message authentication with one-way hash functions

ACM SIGCOMM Computer Communication Review
Collisions for the compression function of MD5

EUROCRYPT '93 Workshop on the theory and application of cryptographic techniques on Advances in cryptology
MDx-MAC and Building Fast MACs from Hash Functions

CRYPTO '95 Proceedings of the 15th Annual International Cryptology Conference on Advances in Cryptology
Keying Hash Functions for Message Authentication

CRYPTO '96 Proceedings of the 16th Annual International Cryptology Conference on Advances in Cryptology
Full key-recovery attacks on HMAC/NMAC-MD4 and NMAC-MD5

CRYPTO'07 Proceedings of the 27th annual international cryptology conference on Advances in cryptology
On authentication with HMAC and non-random properties

FC'07/USEC'07 Proceedings of the 11th International Conference on Financial cryptography and 1st International conference on Usable Security
New key-recovery attacks on HMAC/NMAC-MD4 and NMAC-MD5

EUROCRYPT'08 Proceedings of the theory and applications of cryptographic techniques 27th annual international conference on Advances in cryptology
Forgery and partial key-recovery attacks on HMAC and NMAC using hash collisions

ASIACRYPT'06 Proceedings of the 12th international conference on Theory and Application of Cryptology and Information Security
Efficient collision search attacks on SHA-0

CRYPTO'05 Proceedings of the 25th annual international conference on Advances in Cryptology
Finding collisions in the full SHA-1

CRYPTO'05 Proceedings of the 25th annual international conference on Advances in Cryptology
Cryptanalysis of the hash functions MD4 and RIPEMD

EUROCRYPT'05 Proceedings of the 24th annual international conference on Theory and Applications of Cryptographic Techniques
How to break MD5 and other hash functions

EUROCRYPT'05 Proceedings of the 24th annual international conference on Theory and Applications of Cryptographic Techniques
Collisions of SHA-0 and reduced SHA-1

EUROCRYPT'05 Proceedings of the 24th annual international conference on Theory and Applications of Cryptographic Techniques
On the security of HMAC and NMAC based on HAVAL, MD4, MD5, SHA-0 and SHA-1 (extended abstract)

SCN'06 Proceedings of the 5th international conference on Security and Cryptography for Networks
New proofs for NMAC and HMAC: security without collision-resistance

CRYPTO'06 Proceedings of the 26th annual international conference on Advances in Cryptology

Distinguishing Attack on the Secret-Prefix MAC Based on the 39-Step SHA-256

ACISP '09 Proceedings of the 14th Australasian Conference on Information Security and Privacy
Distinguishing and Second-Preimage Attacks on CBC-Like MACs

CANS '09 Proceedings of the 8th International Conference on Cryptology and Network Security
Cryptanalysis of ESSENCE

FSE'10 Proceedings of the 17th international conference on Fast software encryption
Another look at complementation properties

FSE'10 Proceedings of the 17th international conference on Fast software encryption
Distinguishing attack on secret prefix MAC instantiated with reduced SHA-1

ICISC'09 Proceedings of the 12th international conference on Information security and cryptology
Cryptography for network security: failures, successes and challenges

MMM-ACNS'10 Proceedings of the 5th international conference on Mathematical methods, models and architectures for computer network security
Collisions of MMO-MD5 and their impact on original MD5

AFRICACRYPT'11 Proceedings of the 4th international conference on Progress in cryptology in Africa
Distinguishing attacks on LPMAC based on the full RIPEMD and reduced-step RIPEMD-{256, 320}

Inscrypt'10 Proceedings of the 6th international conference on Information security and cryptology
Cryptanalyses on a merkle-damgård based MAC -- almost universal forgery and distinguishing-h attacks

EUROCRYPT'12 Proceedings of the 31st Annual international conference on Theory and Applications of Cryptographic Techniques
Generic related-key attacks for HMAC

ASIACRYPT'12 Proceedings of the 18th international conference on The Theory and Application of Cryptology and Information Security

Quantified Score

Hi-index	0.00

Visualization

Abstract

In this paper, we present the first distinguishing attack on HMAC and NMAC based on MD5 without related keys, which distinguishes the HMAC/NMAC-MD5 from HMAC/NMAC with a random function. The attack needs 297 queries, with a success probability 0.87, while the previous distinguishing attack on HMAC-MD5 reduced to 33 rounds takes 2126.1 messages with a success rate of 0.92. Furthermore, we give distinguishing and partial key recovery attacks on MDx -MAC based on MD5. The MDx -MAC was proposed by Preneel and van Oorschot in Crypto'95 which uses three subkeys derived from the initial key. We are able to recover one 128-bit subkey with 297 queries.