DOI: 10.5555/3620237.3620567
Research article

Hash gone bad: automated discovery of protocol attacks that exploit hash function weaknesses

Published: 09 August 2023

Abstract

Most cryptographic protocols use cryptographic hash functions as a building block. The security analyses of these protocols typically assume that the hash functions are perfect (such as in the random oracle model). However, in practice, most widely deployed hash functions are far from perfect, and as a result the analysis may miss attacks that exploit the gap between the model and the actual hash function used.
We develop the first methodology to systematically discover attacks on security protocols that exploit weaknesses in widely deployed hash functions. We achieve this by revisiting the gap between theoretical properties of hash functions and the weaknesses of real-world hash functions, from which we develop a lattice of threat models. For all of these threat models, we develop fine-grained symbolic models.
Our methodology's fine-grained models cannot be directly encoded in existing state-of-the-art analysis tools by just using their equational reasoning. We therefore develop extensions for the two leading tools, TAMARIN and PROVERIF. In extensive case studies using our methodology, the extended tools rediscover all attacks that were previously reported for these protocols and discover several new variants.


Published In

SEC '23: Proceedings of the 32nd USENIX Conference on Security Symposium
August 2023
7552 pages
ISBN: 978-1-939133-37-3

Sponsors

  • Meta
  • Google Inc.
  • NSF
  • IBM
  • Futurewei Technologies

Publisher

USENIX Association

United States


Qualifiers

  • Research-article
  • Research
  • Refereed limited

Acceptance Rates

Overall Acceptance Rate 40 of 100 submissions, 40%
