Skip to content (access key 's')
Logo of Technion
Logo of CS Department


Unintended Features of APIs: Cryptanalysis of Incremental HMAC
event speaker icon
Gal Benmocha, M.Sc. Thesis Seminar
event date icon
Thursday, 13.5.2021, 16:00
event location icon
Zoom Lecture: 99410484579
event speaker icon
Advisor:  Prof. Eli Biham
Many cryptographic APIs provide extra functionality that was not intended by the designers. In this seminar we discuss such an unintended functionality in the API of HMAC as implemented by Siemens and OpenSSL. HMAC authenticates a single message at a time with a single authentication tag. However, most HMAC implementations do not complain when extra data is added to the stream after a tag is computed. We call such primitives Incremental MACs. Though HMAC is not intended to be called incrementally, it appears that some applications (e.g., Siemens S7 protocol) use the standard HMAC API to provide an incremental MAC. We observe that calling most standard HMAC implementations incrementally did not take into consideration that they might be called incrementally, and thus cause unfortunate side-effects during tag computation. We show that due to these side-effects, the Siemens and OpenSSL implementations are not as secure as HMAC. We also discuss other results from my research.
[Back to the index of events]