Gal Benmocha, M.Sc. Thesis Seminar
Thursday, 13.5.2021, 16:00
Many cryptographic APIs provide extra functionality that was not intended by the designers. In this seminar we discuss such an unintended functionality in the API of HMAC as implemented by Siemens and OpenSSL.
HMAC authenticates a single message at a time with a single authentication tag. However, most HMAC implementations do not complain when extra data is added to the stream after a tag is computed. We call such primitives Incremental MACs.
Though HMAC is not intended to be called incrementally, it appears that some applications (e.g., Siemens S7 protocol) use the standard HMAC API to provide an incremental MAC. We observe that calling most standard HMAC implementations incrementally did not take into consideration that they might be called incrementally, and thus cause unfortunate side-effects during tag computation.
We show that due to these side-effects, the Siemens and OpenSSL implementations are not as secure as HMAC.
We also discuss other results from my research.