Research On The Securlty Of The H~2-MAC Instantlated With SHA-1

With the fast development of information industry, the requirements on information security improve. Particularly, the rise of e-commerce makes the message encryption, authentication and security ransmission become more and more important.Message Authentication Code (MAC) is the basic algorithm to guarantee the message integrity and carry through message source authentication. It takes the key and message of arbitrary length as input, and outputs a fixed length "digital fingerprint", which can be used to verify the message sender and integrity of message transmission process. There are the main methods of constructing MAC, which are those based on block cipher, hash function, or universal hash function family. MAC based on hash function is widely applied to many kinds of security protocols, such as IPSec、SSL/TLS、SSH、 SNMP, and so on. Thus, MAC is named as hash function with secret key. HMAC is one of the most widely used MACs. Using one key and two constants opad and ipad, HMAC gets the inner key and outer key through key compressed computation. It means that computing MAC needs to access to the seed key twice, which brings inconvenience to key management. H-MAC gets rid of the disadvantage of the key management by using directly the IV of hash function instead of the outer key. H2-MAC, which was proposed by Kan Yasuda in Information Security Conference (ISC)2009, is a new type MAC construction. Compared with HMAC, H2-MAC is much easier for algorithm implementation and key management, for it accesses to the key only once.Under the guidance of my supervisor, this thesis analyzes the security of H2-MAC instantiated with SHA-1. the results are as follows:This thesis, which compares the construction of HMAC with that of H2-MAC, finds that, since the outer key of HMAC is replaced by constant number, once the intermediate chain variable was leaked out. the attacker can carry out universal forgery attack, which brings security problem.For the first time, this thesis presents a universal forgery attack method based on H2-MAC Instantiated with SHA-1reduced to61(20-80) steps. Firstly, an H2-MAC-SHA-1distinguisher is constructed. Then, the intermediate chaining variable. i.e., the equivalent key is recovered by using the distinguisher and bit flpping technology. Consequently, the universal forgery attack is processed. The adversary unknowing the secret key can process the universal forgery attack by computing the valid MAC value of M, which can be an arbitrary message. The complexity of the attack is about2queries, which is much lower than the ideal complexity of the universal forgery. Moreover, this thesis presents key recovery attack and universal forgery attack method based on H2-MAC Instantiated with SHA-1reduced to53(20-72) steps. The complexity of the key recovery attack is about299queries on MAC.Consequently, this thesis points out the problem of LPMAC distinguishing attack based on reduced SHA-1, and presents a modification method.