possible security risk wrt my HMAC cipher...

Chris M. Thomasson
Nov 20, 2021, 7:22:05 PM

An interesting effect of my HMAC cipher... Take notice of the following
sha-256 hash that is used for my default key:

9478b59e54aaf70459fdd2ca747ff5e2a1089f09672bb8eaad741072481b9c3f

Okay... Take notice of the following three ciphertexts all encrypting
the plaintext, between the quotes, "Plaintext". It happens to be using
the default plaintext, anyway:

http://fractallife247.com/test/hmac_cipher/ver_0_0_0_1?ct_hmac_cipher=8ae22f48161a8a0d090a486d0533f752ad10d81cc3b690dfc9fff13d48531331041c229cdb582e593d532a8ce3bda71287fb6d869a86b81144fe29ff9a5845700968dd3484f1426207

http://fractallife247.com/test/hmac_cipher/ver_0_0_0_1?ct_hmac_cipher=36182e81241e19d6ad950bd38b2f95656ebaf7e719fbe08dc6a8836f0a6fe853d8d13fafb4f879d5b110f9545c06d92250fb101e0f1b06097580c885e642e5b6e6968d42c22f0ad8bc

http://fractallife247.com/test/hmac_cipher/ver_0_0_0_1?ct_hmac_cipher=9cc85b3da042aebef4af5f18bd8e732b74ad0661aa3d50bfcb857983edc69e485e345f004107cc99eb025ac9308bcb45e6939aa44e6f1af00ac9d6b1d69e892e47a9f809bae398d3a7

Notice how the ciphertexts are all different. Okay, fine...


Now, keep in mind that the first hash is always:

9478b59e54aaf70459fdd2ca747ff5e2a1089f09672bb8eaad741072481b9c3f

YIKES! I think this is a security risk in my system... Working with the
Salsa20 core with Leo made me think of it again. I noticed it a while
back, but never really took a deep hold on it.

Even if the ciphertexts are different, if Eve can get at that initial
hash, say:
__________________________
Encrypting 73 bytes...
Round 0...
[0]:9478b59e54aaf70459fdd2ca747ff5e2a1089f09672bb8eaad741072481b9c3f
[1]:9091257e3d5baf663ea9cf9b65c8882fe5330f6992b25bdae88039bd343e37f6
[2]:609299d84aaec305111f0074e54b7718df62507bcf8a3f1750789bf804d7c395
Round 1...
[0]:9478b59e54aaf70459fdd2ca747ff5e2a1089f09672bb8eaad741072481b9c3f
[1]:17ad5c68eff7846ad36cb9579662279ce133e2f59f01825fa598887ac39b929e
[2]:72ddc6345bc6bbc6ecc11df17f54ce99a67df0c7fc191b520145eb1b3c525405
__________________________


I think she can decrypt all messages encrypted with the default secret
key. So, I am thinking about adding in a public aspect. Say a nonce. I
can put on a little spice, so to speak... Say, send a nonce in the
clear, and just concat it to the password, for starters. The default
password is "Password". So, let me manually try "Password_0",
"Password_1", "Password_n", and so on.

Here is a ciphertext using "Password_0":

http://fractallife247.com/test/hmac_cipher/ver_0_0_0_1?ct_hmac_cipher=d8bc09ab2905a9e41c7260eab4f882e16bdf47d624a09451a7243e38b44ae814ee5d071f78d66c5506f61508c371aca61085c9b01fd0713fe676fae37da783f1ee2d0449b575630d58

Ahhh! The initial digest is different at:

ebbd54b84e43c89e3b68ffb7898b4232b9e9ef1dfb783c53d6ea508f7d4794d9


Let me try, "Password_1":

http://fractallife247.com/test/hmac_cipher/ver_0_0_0_1?ct_hmac_cipher=3d9c265775f5d5a0c5ea0b09602359fd99a48f3f8f76b7be5296f34fe4238b365f675d88611757ffdcf118fa5935f864fe64c2d9170bbc5dc40f7ce468bf6542cd8141543420aba0fb

d7e60189854db218f135fca340269759d480de1f11dfcb8169298ee851bba6fb

Going for: "Password_2":

http://fractallife247.com/test/hmac_cipher/ver_0_0_0_1?ct_hmac_cipher=94c783cca4d35994ce9980d29d74e6a82294d89fe764bbe78b1e6791c3245a10bd676c470289a02f658a413b40444f131a3e4d3426f514f9a1279b2175f34adfd50f56a59372ae06fc

Initial hash at:

7f05b30a302d8b504af50ddaa79482efa2bd9ad366d9ef7c134873280f692b36


Now, just augmenting the Password with a nonce... Password_n, gives
different initial hashes.


I think I should do this with the next version of my online hmac example.

;^o

Any thoughts? Thanks everybody.

Rich
Nov 20, 2021, 10:00:48 PM

Chris M. Thomasson <chris.m.t...@gmail.com> wrote:
> An interesting effect of my HMAC cipher... Take notice of the following
> sha-256 hash that is used for my default key:
>
> 9478b59e54aaf70459fdd2ca747ff5e2a1089f09672bb8eaad741072481b9c3f
>
> ...

> Now, keep in mind that the first hash is always:
>
> 9478b59e54aaf70459fdd2ca747ff5e2a1089f09672bb8eaad741072481b9c3f
>
> YIKES! I think this is a security risk in my system...
>
> ...

> I think she can decrypt all messages encrypted with the default secret
> key. So, I am thinking about adding in a public aspect. Say a nonce.

Ah grasshopper, you finally come around to the value of an in the clear
nonce....

Chris M. Thomasson
Nov 26, 2021, 1:17:32 AM

Indeed Rich!

Leo
Nov 27, 2021, 9:56:29 AM

In my end-to-end encrypted messaging app, I include a 64-byte nonce and a
64-byte MAC with each message. Those lengths are very overkill, but
sending short text messages isn't very demanding so it doesn't hurt the
performance in practice.

Speaking of MACs, does your HMAC cipher need one, Chris? Is it possible to
alter message bits from the ciphertext and have a predictable effect on
the decrypted plaintext?

--
Leo

Chris M. Thomasson
Nov 27, 2021, 7:02:21 PM

Altering a single bit of ciphertext creates a _radically_ different
plaintext, random garbage. Changing a single bit of plaintext creates a
_radically_ different ciphertext. It might not hurt to have an HMAC
digest sent in the clear so Bob can be sure that the ciphertext was not
altered. However, when you get some free time to burn, try it out for
yourself with your Python impl. Change one bit of ciphertext, and take a
look at the plaintext. My cipher is really good in this respect. It has
total ciphertext/plaintext sensitivity. Really good.

My only concern is that if Eve can somehow get the initial digest, she
can decrypt messages from that key. So, the default key on the site
generates the following initial digest:

9478b59e54aaf70459fdd2ca747ff5e2a1089f09672bb8eaad741072481b9c3f

If Eve can brute force it, well, that would be bad.

Btw, using sha512 on the site generates the following initial digest wrt
the default key:

bdc9a47c394fe2056cf9134505f66500cdf25a5b4f54876e5f8301d5f72c43552493c937b0f5a9b54ef841b66e4b6793de557a8fc062d6085b3eb3b1f975c97f


I have some ideas that can make this much harder for Eve to brute force
the initial digest.

Chris M. Thomasson
Nov 29, 2021, 4:47:42 PM

On 11/27/2021 6:56 AM, Leo wrote:
> On Sun, 21 Nov 2021 03:00:41 +0000, Rich wrote:
>
>> Chris M. Thomasson <chris.m.t...@gmail.com> wrote:
>>> An interesting effect of my HMAC cipher... Take notice of the following
>>> sha-256 hash that is used for my default key:
>>>
>>> 9478b59e54aaf70459fdd2ca747ff5e2a1089f09672bb8eaad741072481b9c3f
>>>
>>> ...
>>
>>> Now, keep in mind that the first hash is always:
>>>
>>> 9478b59e54aaf70459fdd2ca747ff5e2a1089f09672bb8eaad741072481b9c3f
>>>
>>> YIKES! I think this is a security risk in my system...
>>>
>>> ...
>>
>>> I think she can decrypt all messages encrypted with the default secret
>>> key. So, I am thinking about adding in a public aspect. Say a nonce.
[...]

Humm... The thing is if Eve was able to obtain the secret key, through
brute force, or using other clever means. Eve has found a secret key. In
my case, finding the initial digest is basically akin to finding the
secret key. The whole key is boiled down into a HMAC digest.

Is using a default digest size of 32 bytes enough? I can see how to use
multiple initial digests to increase the size of the key...
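
An added illustration of the two ideas raised in this thread: a nonce sent in the clear so the initial digest differs per message, and an HMAC tag so Bob can reject altered ciphertext. It is not code from any poster and does not reproduce Chris's cipher: the keystream is a stand-in (HMAC-SHA256 in counter mode), and `seal`, `unseal`, the `init`/`mac` labels and the 16-byte nonce are assumptions.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16  # assumed nonce size for this sketch

def initial_digest(password: bytes, nonce: bytes = b"") -> bytes:
    # Starting state: HMAC-SHA256 keyed by the password over a label plus the
    # public nonce. With an empty nonce it is one fixed value per password.
    return hmac.new(password, b"init" + nonce, hashlib.sha256).digest()

def keystream(state: bytes, n: int) -> bytes:
    # Stand-in keystream (HMAC-SHA256 in counter mode), not the thread's cipher.
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(state, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]

def tag(state: bytes, nonce: bytes, ct: bytes) -> bytes:
    # Separate MAC key derived from the state; tag covers nonce and ciphertext.
    mac_key = hmac.new(state, b"mac", hashlib.sha256).digest()
    return hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def seal(password: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)  # fresh per message, sent in the clear
    state = initial_digest(password, nonce)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(state, len(plaintext))))
    return nonce + ct + tag(state, nonce, ct)

def unseal(password: bytes, blob: bytes) -> bytes:
    if len(blob) < NONCE_LEN + 32:
        raise ValueError("message too short")
    nonce, ct, t = blob[:NONCE_LEN], blob[NONCE_LEN:-32], blob[-32:]
    state = initial_digest(password, nonce)
    if not hmac.compare_digest(t, tag(state, nonce, ct)):
        raise ValueError("authentication failed")  # reject before decrypting
    return bytes(c ^ k for c, k in zip(ct, keystream(state, len(ct))))

if __name__ == "__main__":
    pw = b"Password"  # the thread's default password
    print("no nonce  :", initial_digest(pw).hex())  # same on every run
    blob = seal(pw, b"Plaintext")
    print("with nonce:", initial_digest(pw, blob[:NONCE_LEN]).hex())
    flipped = blob[:NONCE_LEN] + bytes([blob[NONCE_LEN] ^ 1]) + blob[NONCE_LEN + 1:]
    try:
        unseal(pw, flipped)
    except ValueError as err:
        print("tampered message:", err)
```

A nonce only separates messages from one another; a guessable password such as "Password" still needs a slow KDF (PBKDF2, scrypt) in front of it to resist brute force.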